iPSEC

**aboyce** · 08-21-2011, 08:48 AM

I am happy to see the existence of ipsec.. but what is the deal non of the standard ipsec options and settings are available. now i know it is untangles intention to make this brain dead simple but we need to be able to plug in the basic options to do a connection to another ipsec device.. !!

I am trying to test the ipsec connecting to sonicwall! no successes. endian firewall no successes. cannot figure out what to set or where to look to see why it does not work..

anyone have any information i can use to get this to work ?

**dmorris** · 08-21-2011, 09:32 AM

Perhaps you can provide some information?

We use freeswan which is the standard linux IPsec core technology. What "standard ipsec options" are you referring to?

You can configure IPsec tunnels with both sonicwall and endian.
Lots of information here: http://wiki.untangle.com/index.php/IPsec_VPN

**sky-knight** · 08-21-2011, 11:39 AM

And PIX, and ASA...

OP can be translated into "It's broken, and it's all your fault!"

But, we haven't defined what "it" is!

To give the OP the benefit of the doubt, I think he's just run face first into why I hate IPSec.

It's a "standard" that isn't very standard, and there are so many moving parts it's a real pain to get it to work cross vender.

**jcoffin** · 08-21-2011, 12:52 PM

Originally Posted by aboyce

I am trying to test the ipsec connecting to sonicwall! no successes. endian firewall no successes. cannot figure out what to set or where to look to see why it does not work..

anyone have any information i can use to get this to work ?

As the person who tested UT IPsec against multiple other IPsec devices, I know it can be frustrating configuring IPsec. The major reason is the wide assortment of labels for the same configuration options.

If you search the forum, you can see that we have helped with several people other device's configuration but posting it doesn't work with no details is not going to resolve your issue.

**aboyce** · 08-23-2011, 05:44 AM

Well how do i know what Internet Key Exchange protocol configuration "IKE" encryption to use or IKE integrity and what Group type is used? also can these be changed if needed ? and if we want to set the Encapsulating security payload configuration (ESP). how woud we do this ?

**aboyce** · 08-23-2011, 05:59 AM

I am trying to setup an ipsec connection to an endan firewall and have tried the "Can I connect IPsec from Untangle to M0n0wall, and the IPsec from Untangle to Cisco RV series" found in the wiki as far as setting the endian vpn. i cannot get much in the way of information from the logs nor can i change any settings on the untangle or look and see what the settings should be.

The configuration on the untangle is .

static wan setup with multiple IP public ip addresses. i have the connection type on the untangle set to Tunnel and the mode to Start. the interface is set to external but i have tried Custom. the remote ip is the public ip of the Endian and the Local network is the private network address of the untangle box in this case it is 10.10.10.0/24 the local ip is set to 10.10.10.254 which is the ip address of the untangle box on the lan. the remote network is the ip address on the lan side of the endian which is 172.16.13.0/24, i have tried PFS on and off. setting it on bot devices.

On the endian i have set the following
IKE encryption is 3DES, IKE integrity is SHA and the IKE group is DH group 2 (1024 bits) the IKE lifetime is 1 hour

i have the Shared secret set on both devices as well.
the ESP encryption is 3DES and the ESP integrity is SHA1 and the ESP key life is 24 hours. i have PFS turned on. i have tried IKE agressive mode on and off. and tried payload compression on and off.

**aboyce** · 08-23-2011, 06:07 AM

Untangle log..

Aug 23 09:04:27 firewall pluto[22587]: Starting Pluto (Openswan Version 2.6.28; Vendor ID OEQ{O\177nez{CQ) pid:22587
Aug 23 09:04:27 firewall pluto[22587]: SAref support [enabled]
Aug 23 09:04:27 firewall pluto[22587]: Setting NAT-Traversal port-4500 floating to off
Aug 23 09:04:27 firewall pluto[22587]: port floating activation criteria nat_t=0/port_float=1
Aug 23 09:04:27 firewall pluto[22587]: NAT-Traversal support [disabled]
Aug 23 09:04:27 firewall pluto[22587]: using /dev/urandom as source of random entropy
Aug 23 09:04:27 firewall pluto[22587]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Aug 23 09:04:27 firewall pluto[22587]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Aug 23 09:04:27 firewall pluto[22587]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Aug 23 09:04:27 firewall pluto[22587]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug 23 09:04:27 firewall pluto[22587]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Aug 23 09:04:27 firewall pluto[22587]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Aug 23 09:04:27 firewall pluto[22587]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Aug 23 09:04:27 firewall pluto[22587]: no helpers will be started, all cryptographic operations will be done inline
Aug 23 09:04:27 firewall pluto[22587]: Using Linux 2.6 IPsec interface code on 2.6.26-2-untangle-686 (experimental code)
Aug 23 09:04:28 firewall pluto[22587]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Aug 23 09:04:28 firewall pluto[22587]: ike_alg_add(): ERROR: Algorithm already exists
Aug 23 09:04:28 firewall pluto[22587]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Aug 23 09:04:28 firewall pluto[22587]: ike_alg_add(): ERROR: Algorithm already exists
Aug 23 09:04:28 firewall pluto[22587]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Aug 23 09:04:28 firewall pluto[22587]: ike_alg_add(): ERROR: Algorithm already exists
Aug 23 09:04:28 firewall pluto[22587]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Aug 23 09:04:28 firewall pluto[22587]: ike_alg_add(): ERROR: Algorithm already exists
Aug 23 09:04:28 firewall pluto[22587]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Aug 23 09:04:28 firewall pluto[22587]: ike_alg_add(): ERROR: Algorithm already exists
Aug 23 09:04:28 firewall pluto[22587]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Aug 23 09:04:28 firewall pluto[22587]: myid malformed: empty string ""
Aug 23 09:04:28 firewall pluto[22587]: Changed path to directory '/etc/ipsec.d/cacerts'
Aug 23 09:04:28 firewall pluto[22587]: Changed path to directory '/etc/ipsec.d/aacerts'
Aug 23 09:04:28 firewall pluto[22587]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Aug 23 09:04:28 firewall pluto[22587]: Changing to directory '/etc/ipsec.d/crls'
Aug 23 09:04:28 firewall pluto[22587]: Warning: empty directory
Aug 23 09:04:28 firewall pluto[22587]: added connection description "UT5_PCS"
Aug 23 09:04:28 firewall pluto[22587]: listening for IKE messages
Aug 23 09:04:28 firewall pluto[22587]: adding interface tun0/tun0 172.16.16.1:500
Aug 23 09:04:28 firewall pluto[22587]: adding interface utun/utun 192.0.2.43:500
Aug 23 09:04:28 firewall pluto[22587]: adding interface dummy0/dummy0 192.0.2.42:500
Aug 23 09:04:28 firewall pluto[22587]: adding interface eth1:1/eth1:1 10.10.10.200:500
Aug 23 09:04:28 firewall pluto[22587]: adding interface eth1:0/eth1:0 192.168.50.254:500
Aug 23 09:04:28 firewall pluto[22587]: adding interface eth1/eth1 10.10.10.254:500
Aug 23 09:04:28 firewall pluto[22587]: adding interface eth0:5/eth0:5 12.200.65.162:500
Aug 23 09:04:28 firewall pluto[22587]: adding interface eth0:4/eth0:4 12.200.65.163:500
Aug 23 09:04:28 firewall pluto[22587]: adding interface eth0:3/eth0:3 12.200.65.164:500
Aug 23 09:04:28 firewall pluto[22587]: adding interface eth0:2/eth0:2 12.200.65.165:500
Aug 23 09:04:28 firewall pluto[22587]: adding interface eth0:1/eth0:1 12.200.65.166:500
Aug 23 09:04:28 firewall pluto[22587]: adding interface eth0:0/eth0:0 12.200.65.167:500
Aug 23 09:04:28 firewall pluto[22587]: adding interface eth0/eth0 12.200.65.168:500
Aug 23 09:04:28 firewall pluto[22587]: adding interface lo/lo 127.0.0.1:500
Aug 23 09:04:28 firewall pluto[22587]: loading secrets from "/etc/ipsec.secrets"
Aug 23 09:04:29 firewall pluto[22587]: "UT5_PCS" #1: initiating Main Mode

**aboyce** · 08-23-2011, 04:27 PM

After a while i looked again at the logs and now i see the following I hope this may be more helpfull:

message
Aug 23 18:17:30 firewall pluto[22587]: "UT5_PCS" #42: starting keying attempt 43 of an unlimited number
Aug 23 18:17:30 firewall pluto[22587]: "UT5_PCS" #43: initiating Main Mode to replace #42
Aug 23 18:28:47 firewall pluto[22587]: initiate on demand from 10.10.10.5:8 to 172.16.13.54:0 proto=1 state: fos_start because: acquire
Aug 23 18:30:40 firewall pluto[22587]: "UT5_PCS" #43: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE

**jcoffin** · 08-23-2011, 05:03 PM

Originally Posted by aboyce

Well how do i know what Internet Key Exchange protocol configuration "IKE" encryption to use or IKE integrity

Have you looked over the FAQ in the IPsec Wiki?
http://wiki.untangle.com/index.php/IPsec_VPN

Directly from the FAQ:
# Keying Mode : IKE with Preshared key

Originally Posted by aboyce

what Group type is used?

# Phase1 DH Group : Group 2

Originally Posted by aboyce

also can these be changed if needed ?

UT only supports Preshared key method at this time. There may be enhancements in the future.

Originally Posted by aboyce

and if we want to set the Encapsulating security payload configuration (ESP). how woud we do this ?

ESP is part of IPsec. This is what hides the packets from reading with tcpdump.

**aboyce** · 08-23-2011, 05:52 PM

i have it working now.

The endian firewall is set such....
Remote host / IP: is the Public IP of the Untangle server
Local Subnet: the local ip of the LAN side of the Endian firewall. in my case it is 172.16.13.0/24
Remote Subnet The Lan side Subnet of the Untangle My setup is 10.10.10.0/24
Local ID: the Public IP address of my Endian firewall.
Remote ID: the Public IP of my Untangle Server
Dead Peer detection is set to restart
pre-shared key: is set to a string of my choosing.

Advanced settings on Endian
IKE encryption AES (128 bit) and 3DES
IKE integrity: SHA and MD5
IKE Group DH group 5 (1536 bits) and DH group 2 (1024 bits)
IKE lifetime 1 hours

ESP encryption AES (128 bit) and 3DES
ESP integrity SHA1 and MD5
ESP key life 8 hours

IKE agressive mode allowed is not checked
Perfect Forward Secrecy (PFS) is checked
Negociate payload is not checked.

Untangle box:
Connection type : Tunnel
Auto Mode: Start
Interface: External
External IP: shows external IP and is not changeable as External is selected
Remote IP: set to the public IP address of the Endian firewall
Local Network: set to the LAN Network address of the Untangle mine is 10.10.10.0/24
Local IP set to the LAN Ip address of the Untangle mine is 10.10.10.254
Remote Network: set to the IP Network address of the Endian mine is 172.16.13.0/24
Perfect Forward Secrecy (PFS): checked
Shared Secret set to my chosen word.

The version of Endian firewall i am using is "Endian Firewall Community release 2.4.0" but i think it will work with any version just make sure you use the same settings where aplicable.

I hope this helps someone else..

Thread: iPSEC

LinkBack

Thread Tools

iPSEC

Posting Permissions