Page 1 of 2
Results 1 to 10 of 12

Thread: iPSEC

  1. #1
    Untangler aboyce's Avatar
    Join Date
    Oct 2010
    Posts
    85

    Default iPSEC

    I am happy to see the existence of IPsec, but what is the deal? None of the standard IPsec options and settings are available. Now I know it is Untangle's intention to make this brain-dead simple, but we need to be able to plug in the basic options to do a connection to another IPsec device!

    I am trying to test the IPsec connecting to SonicWall: no success. Endian firewall: no success. I cannot figure out what to set or where to look to see why it does not work.


    Does anyone have any information I can use to get this to work?

  2. #2
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486

    Default

    Perhaps you can provide some information?

    We use freeswan, which is the standard Linux IPsec core technology. What "standard ipsec options" are you referring to?

    You can configure IPsec tunnels with both sonicwall and endian.
    Lots of information here: http://wiki.untangle.com/index.php/IPsec_VPN
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,497

    Default

    And PIX, and ASA...

    OP can be translated into "It's broken, and it's all your fault!"

    But, we haven't defined what "it" is!

    To give the OP the benefit of the doubt, I think he's just run face first into why I hate IPSec.

    It's a "standard" that isn't very standard, and there are so many moving parts that it's a real pain to get it to work cross-vendor.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,678

    Default

    Quote Originally Posted by aboyce View Post
    I am trying to test the ipsec connecting to sonicwall! no successes. endian firewall no successes. cannot figure out what to set or where to look to see why it does not work..

    anyone have any information i can use to get this to work ?
    As the person who tested UT IPsec against multiple other IPsec devices, I know it can be frustrating configuring IPsec. The major reason is the wide assortment of labels for the same configuration options.

    If you search the forum, you can see that we have helped several people with other devices' configuration, but posting "it doesn't work" with no details is not going to resolve your issue.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  5. #5
    Untangler aboyce's Avatar
    Join Date
    Oct 2010
    Posts
    85

    Default

    Well, how do I know what Internet Key Exchange protocol (IKE) encryption to use, or IKE integrity, and what group type is used? Also, can these be changed if needed? And if we want to set the Encapsulating Security Payload (ESP) configuration, how would we do this?

  6. #6
    Untangler aboyce's Avatar
    Join Date
    Oct 2010
    Posts
    85

    Default

    I am trying to set up an IPsec connection to an Endian firewall and have tried the "Can I connect IPsec from Untangle to M0n0wall" and "IPsec from Untangle to Cisco RV series" articles found in the wiki as far as setting up the Endian VPN. I cannot get much in the way of information from the logs, nor can I change any settings on the Untangle or look and see what the settings should be.

    The configuration on the Untangle is:

    Static WAN setup with multiple public IP addresses. I have the connection type on the Untangle set to Tunnel and the mode to Start. The interface is set to External, but I have tried Custom. The remote IP is the public IP of the Endian, and the local network is the private network address of the Untangle box, in this case 10.10.10.0/24; the local IP is set to 10.10.10.254, which is the IP address of the Untangle box on the LAN. The remote network is the network on the LAN side of the Endian, which is 172.16.13.0/24. I have tried PFS on and off, setting it on both devices.

    On the Endian I have set the following:
    IKE encryption is 3DES, IKE integrity is SHA, and the IKE group is DH group 2 (1024 bits); the IKE lifetime is 1 hour.

    I have the shared secret set on both devices as well.
    The ESP encryption is 3DES, the ESP integrity is SHA1, and the ESP key life is 24 hours. I have PFS turned on. I have tried IKE aggressive mode on and off, and tried payload compression on and off.
    Last edited by aboyce; 08-23-2011 at 06:03 AM.

  7. #7
    Untangler aboyce's Avatar
    Join Date
    Oct 2010
    Posts
    85

    Default

    Untangle log:


    Aug 23 09:04:27 firewall pluto[22587]: Starting Pluto (Openswan Version 2.6.28; Vendor ID OEQ{O\177nez{CQ) pid:22587
    Aug 23 09:04:27 firewall pluto[22587]: SAref support [enabled]
    Aug 23 09:04:27 firewall pluto[22587]: Setting NAT-Traversal port-4500 floating to off
    Aug 23 09:04:27 firewall pluto[22587]: port floating activation criteria nat_t=0/port_float=1
    Aug 23 09:04:27 firewall pluto[22587]: NAT-Traversal support [disabled]
    Aug 23 09:04:27 firewall pluto[22587]: using /dev/urandom as source of random entropy
    Aug 23 09:04:27 firewall pluto[22587]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
    Aug 23 09:04:27 firewall pluto[22587]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
    Aug 23 09:04:27 firewall pluto[22587]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
    Aug 23 09:04:27 firewall pluto[22587]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
    Aug 23 09:04:27 firewall pluto[22587]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
    Aug 23 09:04:27 firewall pluto[22587]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
    Aug 23 09:04:27 firewall pluto[22587]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
    Aug 23 09:04:27 firewall pluto[22587]: no helpers will be started, all cryptographic operations will be done inline
    Aug 23 09:04:27 firewall pluto[22587]: Using Linux 2.6 IPsec interface code on 2.6.26-2-untangle-686 (experimental code)
    Aug 23 09:04:28 firewall pluto[22587]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
    Aug 23 09:04:28 firewall pluto[22587]: ike_alg_add(): ERROR: Algorithm already exists
    Aug 23 09:04:28 firewall pluto[22587]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
    Aug 23 09:04:28 firewall pluto[22587]: ike_alg_add(): ERROR: Algorithm already exists
    Aug 23 09:04:28 firewall pluto[22587]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
    Aug 23 09:04:28 firewall pluto[22587]: ike_alg_add(): ERROR: Algorithm already exists
    Aug 23 09:04:28 firewall pluto[22587]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
    Aug 23 09:04:28 firewall pluto[22587]: ike_alg_add(): ERROR: Algorithm already exists
    Aug 23 09:04:28 firewall pluto[22587]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
    Aug 23 09:04:28 firewall pluto[22587]: ike_alg_add(): ERROR: Algorithm already exists
    Aug 23 09:04:28 firewall pluto[22587]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
    Aug 23 09:04:28 firewall pluto[22587]: myid malformed: empty string ""
    Aug 23 09:04:28 firewall pluto[22587]: Changed path to directory '/etc/ipsec.d/cacerts'
    Aug 23 09:04:28 firewall pluto[22587]: Changed path to directory '/etc/ipsec.d/aacerts'
    Aug 23 09:04:28 firewall pluto[22587]: Changed path to directory '/etc/ipsec.d/ocspcerts'
    Aug 23 09:04:28 firewall pluto[22587]: Changing to directory '/etc/ipsec.d/crls'
    Aug 23 09:04:28 firewall pluto[22587]: Warning: empty directory
    Aug 23 09:04:28 firewall pluto[22587]: added connection description "UT5_PCS"
    Aug 23 09:04:28 firewall pluto[22587]: listening for IKE messages
    Aug 23 09:04:28 firewall pluto[22587]: adding interface tun0/tun0 172.16.16.1:500
    Aug 23 09:04:28 firewall pluto[22587]: adding interface utun/utun 192.0.2.43:500
    Aug 23 09:04:28 firewall pluto[22587]: adding interface dummy0/dummy0 192.0.2.42:500
    Aug 23 09:04:28 firewall pluto[22587]: adding interface eth1:1/eth1:1 10.10.10.200:500
    Aug 23 09:04:28 firewall pluto[22587]: adding interface eth1:0/eth1:0 192.168.50.254:500
    Aug 23 09:04:28 firewall pluto[22587]: adding interface eth1/eth1 10.10.10.254:500
    Aug 23 09:04:28 firewall pluto[22587]: adding interface eth0:5/eth0:5 12.200.65.162:500
    Aug 23 09:04:28 firewall pluto[22587]: adding interface eth0:4/eth0:4 12.200.65.163:500
    Aug 23 09:04:28 firewall pluto[22587]: adding interface eth0:3/eth0:3 12.200.65.164:500
    Aug 23 09:04:28 firewall pluto[22587]: adding interface eth0:2/eth0:2 12.200.65.165:500
    Aug 23 09:04:28 firewall pluto[22587]: adding interface eth0:1/eth0:1 12.200.65.166:500
    Aug 23 09:04:28 firewall pluto[22587]: adding interface eth0:0/eth0:0 12.200.65.167:500
    Aug 23 09:04:28 firewall pluto[22587]: adding interface eth0/eth0 12.200.65.168:500
    Aug 23 09:04:28 firewall pluto[22587]: adding interface lo/lo 127.0.0.1:500
    Aug 23 09:04:28 firewall pluto[22587]: loading secrets from "/etc/ipsec.secrets"
    Aug 23 09:04:29 firewall pluto[22587]: "UT5_PCS" #1: initiating Main Mode

  8. #8
    Untangler aboyce's Avatar
    Join Date
    Oct 2010
    Posts
    85

    Default

    After a while I looked again at the logs and now I see the following; I hope this may be more helpful:

    Aug 23 18:17:30 firewall pluto[22587]: "UT5_PCS" #42: starting keying attempt 43 of an unlimited number
    Aug 23 18:17:30 firewall pluto[22587]: "UT5_PCS" #43: initiating Main Mode to replace #42
    Aug 23 18:28:47 firewall pluto[22587]: initiate on demand from 10.10.10.5:8 to 172.16.13.54:0 proto=1 state: fos_start because: acquire
    Aug 23 18:30:40 firewall pluto[22587]: "UT5_PCS" #43: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE
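    The useful part of the log above is the state name at which pluto gave up: STATE_MAIN_I1 means our very first IKE main-mode message was never answered, which is a reachability or peer-definition problem rather than a key or proposal mismatch, and the "initiate on demand" line shows the local subnet policy did match (a ping from 10.10.10.5 to 172.16.13.54 triggered the negotiation). The following script is an added example, not Untangle's or Openswan's code: it reads pluto lines in the format pasted above and maps the failing state to the IKEv1 exchange step and the usual cause. The state-to-cause table follows the Openswan initiator state machine but is a rule of thumb; the sample log is constructed from the poster's lines plus one made-up line of the same format so a later phase-1 state is also exercised.

```python
import re
from collections import defaultdict

# Constructed sample: the poster's own pluto[22587] lines, plus a made-up final
# line (connection "LAB_TEST") in the same Openswan format for a later state.
SAMPLE_LOG = """\
Aug 23 09:04:27 firewall pluto[22587]: NAT-Traversal support [disabled]
Aug 23 09:04:28 firewall pluto[22587]: myid malformed: empty string ""
Aug 23 09:04:28 firewall pluto[22587]: added connection description "UT5_PCS"
Aug 23 18:17:30 firewall pluto[22587]: "UT5_PCS" #42: starting keying attempt 43 of an unlimited number
Aug 23 18:17:30 firewall pluto[22587]: "UT5_PCS" #43: initiating Main Mode to replace #42
Aug 23 18:28:47 firewall pluto[22587]: initiate on demand from 10.10.10.5:8 to 172.16.13.54:0 proto=1 state: fos_start because: acquire
Aug 23 18:30:40 firewall pluto[22587]: "UT5_PCS" #43: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE
Aug 23 18:31:02 firewall pluto[22587]: "LAB_TEST" #7: max number of retransmissions (20) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
"""

# Initiator state in which the retransmit limit was hit -> (exchange step, likely cause).
# Assumption: readings follow the Openswan IKEv1 state machine; they are rules of thumb.
STATE_HINTS = {
    "STATE_MAIN_I1": ("phase 1, message 1 (SA proposal) unanswered",
                      "the peer never answered at all: check UDP/500 reachability, that the peer "
                      "has a tunnel defined for this public IP, and, since NAT-T is off, that "
                      "neither endpoint is behind NAT"),
    "STATE_MAIN_I2": ("phase 1, message 3 (key exchange) unanswered",
                      "proposal was accepted but the DH exchange stalled: check the DH group and "
                      "look for a firewall dropping the larger UDP packets"),
    "STATE_MAIN_I3": ("phase 1, message 5 (first encrypted, ID/auth) rejected",
                      "the peer could not authenticate us: pre-shared key or local/remote ID mismatch"),
    "STATE_QUICK_I1": ("phase 2 (quick mode) proposal unanswered",
                       "phase 1 succeeded; check ESP cipher/integrity, the PFS group, and that the "
                       "local/remote subnets are mirror images on both peers"),
}

LINE_RE = re.compile(r'pluto\[\d+\]: (?:"(?P<conn>[^"]+)" #(?P<sa>\d+): )?(?P<msg>.*)$')
RETRANS_RE = re.compile(r'max number of retransmissions \((\d+)\) reached (STATE_\w+)')
ATTEMPT_RE = re.compile(r'starting keying attempt (\d+) of')
ACQUIRE_RE = re.compile(r'initiate on demand from (\S+) to (\S+) proto=(\d+)')


def diagnose(log_text):
    """Summarise pluto log text into global warnings and per-connection findings."""
    findings = {"global": [], "connections": defaultdict(dict)}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, msg = m.group("conn"), m.group("msg")
        if "NAT-Traversal support [disabled]" in msg:
            findings["global"].append("NAT-T disabled: the tunnel cannot work if either peer is NATed")
        elif msg.startswith("myid malformed"):
            findings["global"].append("no explicit IKE identity (myid empty): the peer's Remote ID "
                                      "must match what pluto sends, normally our IP address")
        elif msg.startswith("added connection description"):
            findings["connections"][msg.split('"')[1]]  # register the tunnel name
        a = ACQUIRE_RE.search(msg)
        if a:
            # The kernel asked for an SA for this flow, so the local subnet policy matched.
            # For proto=1 (ICMP) the port positions carry ICMP type and code.
            findings["global"].append(
                "traffic %s -> %s (proto %s) matched the tunnel policy and triggered IKE" % a.groups())
        if not conn:
            continue
        c = findings["connections"][conn]
        k = ATTEMPT_RE.search(msg)
        if k:
            c["attempts"] = int(k.group(1))
        r = RETRANS_RE.search(msg)
        if r:
            state = r.group(2)
            phase, hint = STATE_HINTS.get(state, ("unknown state", "inspect the full log"))
            c.update(retransmits=int(r.group(1)), failed_state=state, phase=phase, hint=hint)
    findings["connections"] = dict(findings["connections"])
    return findings


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    for warning in result["global"]:
        print("!", warning)
    for name, info in result["connections"].items():
        print(name, info)
```

    Run it against `/var/log/auth.log` or wherever the box writes pluto output; the name to look for is the connection name in quotes ("UT5_PCS" here), and the hint for STATE_MAIN_I1 is the one that applies to the log above.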

  9. #9
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,678

    Default

    Quote Originally Posted by aboyce View Post
    Well how do i know what Internet Key Exchange protocol configuration "IKE" encryption to use or IKE integrity
    Have you looked over the FAQ in the IPsec Wiki?
    http://wiki.untangle.com/index.php/IPsec_VPN

    Directly from the FAQ:
    # Keying Mode : IKE with Preshared key

    Quote Originally Posted by aboyce View Post
    what Group type is used?
    # Phase1 DH Group : Group 2

    Quote Originally Posted by aboyce View Post
    also can these be changed if needed ?
    UT only supports Preshared key method at this time. There may be enhancements in the future.

    Quote Originally Posted by aboyce View Post
    and if we want to set the Encapsulating security payload configuration (ESP). how woud we do this ?
    ESP is part of IPsec. This is what hides the packets from reading with tcpdump.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  10. #10
    Untangler aboyce's Avatar
    Join Date
    Oct 2010
    Posts
    85

    Default

    I have it working now.

    The Endian firewall is set as follows:
    Remote host / IP: the public IP of the Untangle server
    Local subnet: the LAN side of the Endian firewall; in my case it is 172.16.13.0/24
    Remote subnet: the LAN side subnet of the Untangle; my setup is 10.10.10.0/24
    Local ID: the public IP address of my Endian firewall
    Remote ID: the public IP of my Untangle server
    Dead peer detection: set to restart
    Pre-shared key: set to a string of my choosing

    Advanced settings on Endian:
    IKE encryption: AES (128 bit) and 3DES
    IKE integrity: SHA and MD5
    IKE group: DH group 5 (1536 bits) and DH group 2 (1024 bits)
    IKE lifetime: 1 hour

    ESP encryption: AES (128 bit) and 3DES
    ESP integrity: SHA1 and MD5
    ESP key life: 8 hours

    IKE aggressive mode allowed: not checked
    Perfect Forward Secrecy (PFS): checked
    Negotiate payload: not checked


    Untangle box:
    Connection type: Tunnel
    Auto mode: Start
    Interface: External
    External IP: shows the external IP and is not changeable as External is selected
    Remote IP: set to the public IP address of the Endian firewall
    Local network: set to the LAN network address of the Untangle; mine is 10.10.10.0/24
    Local IP: set to the LAN IP address of the Untangle; mine is 10.10.10.254
    Remote network: set to the IP network address of the Endian; mine is 172.16.13.0/24
    Perfect Forward Secrecy (PFS): checked
    Shared secret: set to my chosen word


    The version of Endian firewall I am using is "Endian Firewall Community release 2.4.0", but I think it will work with any version; just make sure you use the same settings where applicable.

    I hope this helps someone else.
    Last edited by aboyce; 08-23-2011 at 05:57 PM.
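    Two things in this thread are worth making mechanical: jcoffin's point in #4 that vendors use different labels for the same algorithm ("SHA" / "SHA1" / "hmac-sha1", "Group 2" / "DH group 2 (1024 bits)" / "modp1024"), and the working Endian configuration above, which offers several options per field so that at least one combination lines up with whatever the Untangle side proposes. The script below is an added example, not Untangle's, Endian's or Openswan's code: it canonicalises the labels, expands each side's option lists into the full set of proposals, and reports the intersection; an empty intersection means phase 1 (or phase 2) can never complete no matter how many times pluto retries. The Endian lists are the ones in the post above. The Untangle side's fixed proposal is an assumption: the page only states pre-shared key and "Phase1 DH Group: Group 2", so 3DES/SHA1 is taken from the poster's first attempt in #6. The "narrow" offer is constructed to show the empty case, and the `ike=` rendering assumes the Openswan 2.6 `enc-integ;group` syntax.

```python
import re

# Canonical names for the Diffie-Hellman groups that appear on the page.
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}


def normalize(label):
    """Map one vendor label ("SHA", "DH group 2 (1024 bits)", "AES (128 bit)") to a canonical name."""
    s = re.sub(r"\s+", " ", label.strip().lower())
    m = re.search(r"(?:dh ?)?group ?(\d+)|\bmodp(\d+)\b|\bdh(\d+)\b", s)
    if m:
        if m.group(2):
            return "modp" + m.group(2)
        n = int(m.group(1) or m.group(3))
        if n not in DH_GROUPS:
            raise ValueError("unknown DH group %d in %r" % (n, label))
        return DH_GROUPS[n]
    if "3des" in s or "triple" in s:
        return "3des-cbc"
    if "aes" in s:
        bits = re.search(r"128|192|256", s)
        # A bare "aes" means AES-128 in Openswan's ike=/esp= strings.
        return "aes%s-cbc" % (bits.group(0) if bits else "128")
    if re.search(r"sha-?2|sha-?256", s):
        return "hmac-sha2-256"
    if "sha" in s:
        return "hmac-sha1"  # "SHA", "SHA1", "SHA-1" and "hmac-sha1" are all the same algorithm
    if "md5" in s:
        return "hmac-md5"
    raise ValueError("unrecognised algorithm label: %r" % label)


def proposals(enc, integ, groups=(None,)):
    """Every (cipher, integrity, DH group) combination a peer offers, canonicalised.
    A vendor that lists several options per field (Endian) offers the full product."""
    return {(normalize(e), normalize(i), normalize(g) if g else None)
            for e in enc for i in integ for g in groups}


def common(offered, accepted):
    """Proposals both peers agree on; an empty list means the exchange can never complete."""
    return sorted(offered & accepted)


def openswan_ike(matches):
    """Render the first agreed proposal as an Openswan 2.6 ike= line (assumed enc-integ;group syntax)."""
    short = {"3des-cbc": "3des", "aes128-cbc": "aes128", "aes256-cbc": "aes256",
             "hmac-sha1": "sha1", "hmac-md5": "md5", "hmac-sha2-256": "sha2_256"}
    if not matches:
        return None
    enc, integ, group = matches[0]
    return "ike=%s-%s;%s" % (short[enc], short[integ], group)


# Endian settings exactly as listed in the working configuration above.
ENDIAN_IKE = proposals(["AES (128 bit)", "3DES"], ["SHA", "MD5"],
                       ["DH group 5 (1536 bits)", "DH group 2 (1024 bits)"])
ENDIAN_ESP = proposals(["AES (128 bit)", "3DES"], ["SHA1", "MD5"])

# Assumption: the Untangle side's fixed proposal (PSK, Group 2 per the FAQ; 3DES/SHA1 from post #6).
UNTANGLE_IKE = proposals(["3des"], ["sha1"], ["Group 2"])
UNTANGLE_ESP = proposals(["3des"], ["sha1"])

# Constructed: an AES-only, DH5-only offer, to show what "no overlap" looks like.
NARROW_IKE = proposals(["AES (128 bit)"], ["SHA"], ["DH group 5 (1536 bits)"])

if __name__ == "__main__":
    for name, a, b in [("IKE", ENDIAN_IKE, UNTANGLE_IKE),
                       ("ESP", ENDIAN_ESP, UNTANGLE_ESP),
                       ("IKE (narrow offer)", NARROW_IKE, UNTANGLE_IKE)]:
        agreed = common(a, b)
        print(name, "agree on" if agreed else "NO overlap", agreed)
    print(openswan_ike(common(ENDIAN_IKE, UNTANGLE_IKE)))
```

    When a tunnel to a new vendor fails, type both sides' option lists into `proposals()` first; if `common()` is empty, no amount of log reading will help until one side's list is widened, which is exactly what the working Endian configuration does.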
