Using IPsec VPN for UT to UT not working

I have configured IPsec VPN Tunnels on 2 UT servers and can't get them to connect. Both ends have a Static public IP.

Both ISP's provide a router so both UT servers are behind NAT. On both ends I have DMZ on the ISP's routers to the UT servers so I think that should take care of my port forwarding but not sure if there is anything else to it.

This is the error I get on both ends "We cannot identify ourselves with either end of this connection"

Here is the full log from one of the UT servers.

Code:

---

Jun 14 16:25:46 untangle ipsec__plutorun: Starting Pluto subsystem...
Jun 14 16:25:46 untangle pluto[30405]: Starting Pluto (Openswan Version 2.6.28; Vendor ID OEQ{O\177nez{CQ) pid:30405
Jun 14 16:25:46 untangle pluto[30405]: SAref support [disabled]: Protocol not available
Jun 14 16:25:46 untangle pluto[30405]: SAbind support [enabled]
Jun 14 16:25:46 untangle pluto[30405]: Setting NAT-Traversal port-4500 floating to on
Jun 14 16:25:46 untangle pluto[30405]:    port floating activation criteria nat_t=1/port_float=1
Jun 14 16:25:46 untangle pluto[30405]:    NAT-Traversal support  [enabled]
Jun 14 16:25:46 untangle pluto[30405]: using /dev/urandom as source of random entropy
Jun 14 16:25:46 untangle pluto[30405]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Jun 14 16:25:46 untangle pluto[30405]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Jun 14 16:25:46 untangle pluto[30405]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Jun 14 16:25:46 untangle pluto[30405]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jun 14 16:25:46 untangle pluto[30405]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Jun 14 16:25:46 untangle pluto[30405]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Jun 14 16:25:46 untangle pluto[30405]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Jun 14 16:25:46 untangle pluto[30405]: no helpers will be started, all cryptographic operations will be done inline
Jun 14 16:25:46 untangle pluto[30405]: Using Linux 2.6 IPsec interface code on 2.6.32-5-untangle-amd64 (experimental code)
Jun 14 16:25:46 untangle pluto[30405]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Jun 14 16:25:46 untangle pluto[30405]: ike_alg_add(): ERROR: Algorithm already exists
Jun 14 16:25:46 untangle pluto[30405]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Jun 14 16:25:46 untangle pluto[30405]: ike_alg_add(): ERROR: Algorithm already exists
Jun 14 16:25:46 untangle pluto[30405]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Jun 14 16:25:46 untangle pluto[30405]: ike_alg_add(): ERROR: Algorithm already exists
Jun 14 16:25:46 untangle pluto[30405]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Jun 14 16:25:46 untangle pluto[30405]: ike_alg_add(): ERROR: Algorithm already exists
Jun 14 16:25:46 untangle pluto[30405]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Jun 14 16:25:46 untangle pluto[30405]: ike_alg_add(): ERROR: Algorithm already exists
Jun 14 16:25:46 untangle pluto[30405]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Jun 14 16:25:46 untangle pluto[30405]: myid malformed: empty string ""
Jun 14 16:25:46 untangle pluto[30405]: Changed path to directory '/etc/ipsec.d/cacerts'
Jun 14 16:25:46 untangle pluto[30405]: Changed path to directory '/etc/ipsec.d/aacerts'
Jun 14 16:25:46 untangle pluto[30405]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Jun 14 16:25:46 untangle pluto[30405]: Changing to directory '/etc/ipsec.d/crls'
Jun 14 16:25:46 untangle pluto[30405]:  Warning: empty directory
Jun 14 16:25:46 untangle pluto[30405]: added connection description "UT0_Altona"
Jun 14 16:25:46 untangle pluto[30405]: listening for IKE messages
Jun 14 16:25:46 untangle pluto[30405]: NAT-Traversal: Trying new style NAT-T
Jun 14 16:25:46 untangle pluto[30405]: NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Jun 14 16:25:46 untangle pluto[30405]: NAT-Traversal: Trying old style NAT-T
Jun 14 16:25:46 untangle pluto[30405]: adding interface tun0/tun0 172.16.135.1:500
Jun 14 16:25:46 untangle pluto[30405]: adding interface tun0/tun0 172.16.135.1:4500
Jun 14 16:25:46 untangle pluto[30405]: adding interface utun/utun 192.0.2.42:500
Jun 14 16:25:46 untangle pluto[30405]: adding interface utun/utun 192.0.2.42:4500
Jun 14 16:25:46 untangle pluto[30405]: adding interface eth0/eth0 192.168.2.11:500
Jun 14 16:25:46 untangle pluto[30405]: adding interface eth0/eth0 192.168.2.11:4500
Jun 14 16:25:46 untangle pluto[30405]: adding interface eth1/eth1 192.168.145.1:500
Jun 14 16:25:46 untangle pluto[30405]: adding interface eth1/eth1 192.168.145.1:4500
Jun 14 16:25:46 untangle pluto[30405]: adding interface lo/lo 127.0.0.1:500
Jun 14 16:25:46 untangle pluto[30405]: adding interface lo/lo 127.0.0.1:4500
Jun 14 16:25:46 untangle pluto[30405]: adding interface lo/lo ::1:500
Jun 14 16:25:46 untangle pluto[30405]: loading secrets from "/etc/ipsec.secrets"
Jun 14 16:25:46 untangle pluto[30405]: "UT0_Altona": We cannot identify ourselves with either end of this connection.

---

From the FAQ

Quote:

---

You will need to forward ESP, AH, and UDP port 500 from the public IP to the Untangle server

---

Not sure what I need to do to forward ESP and AH. What is that?

Quote:

---

Originally Posted by gpeters

From the FAQ
Not sure what I need to do to forward ESP and AH. What is that?

---

You missed the context of this FAQ "If I install Untangle behind a NAT device". There is no forward needed if the IPsec is on the Untangle itself and there is no firewall in front of it.

From the log you haven't even made a connection out. Can you post a screen shot of your settings?

Here are the setting from the main office UT
http://www.gpeters.ca/wp-content/upl...ice-server.gif

From the remote office
http://www.gpeters.ca/wp-content/upl...ote-server.gif

Two questions.
- I assume that you check Enable when testing the connection. Is that correct?

- On the Interface setting, I notice you have custom, is the IP address the main IP address of the External Interface?

Yes enabled them on both UT

No for the custom the IP addresses are the IPS' static public IPs

Like I said both UT are behind the modems form the IP's which are assigning the IP to the UT servers

Here is the screenshot from the main office using the IP form the external interface
http://www.gpeters.ca/wp-content/upl...ain-server.jpg

Quote:

---

Originally Posted by gpeters

From the FAQ


Not sure what I need to do to forward ESP and AH. What is that?

---

He is running behind NAT on both ends.
Since you are running behind NAT, you need to forward ESP, AH, and UDP port 500.

On both of the ISP modems I don't have anything related for forwarding ESP, AH. I can foreword ports but instead what I have done is DMZ both the UT servers.

Here is what the log looks like when I use the IP's form the external UT interfaces as per my last screenshot

Code:

---

Jun 15 15:38:59 untangle pluto[27862]: "UT0_Altona" #41: received and ignored informational message
Jun 15 15:39:19 untangle pluto[27862]: "UT0_Altona" #41: discarding duplicate packet; already STATE_MAIN_I3
Jun 15 15:39:19 untangle pluto[27862]: "UT0_Altona" #41: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Jun 15 15:39:19 untangle pluto[27862]: "UT0_Altona" #41: received and ignored informational message
Jun 15 15:39:26 untangle pluto[27862]: "UT0_Altona" #40: max number of retransmissions (2) reached STATE_MAIN_R2
Jun 15 15:39:26 untangle pluto[27862]: packet from 99.228.64.220:500: received Vendor ID payload [Openswan (this version) 2.6.28 ]
Jun 15 15:39:26 untangle pluto[27862]: packet from 99.228.64.220:500: received Vendor ID payload [Dead Peer Detection]
Jun 15 15:39:26 untangle pluto[27862]: packet from 99.228.64.220:500: received Vendor ID payload [RFC 3947] method set to=109
Jun 15 15:39:26 untangle pluto[27862]: packet from 99.228.64.220:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Jun 15 15:39:26 untangle pluto[27862]: packet from 99.228.64.220:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Jun 15 15:39:26 untangle pluto[27862]: packet from 99.228.64.220:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jun 15 15:39:26 untangle pluto[27862]: packet from 99.228.64.220:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jun 15 15:39:26 untangle pluto[27862]: "UT0_Altona" #42: responding to Main Mode
Jun 15 15:39:26 untangle pluto[27862]: "UT0_Altona" #42: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 15 15:39:26 untangle pluto[27862]: "UT0_Altona" #42: STATE_MAIN_R1: sent MR1, expecting MI2
Jun 15 15:39:26 untangle pluto[27862]: "UT0_Altona" #42: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Jun 15 15:39:26 untangle pluto[27862]: "UT0_Altona" #42: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 15 15:39:26 untangle pluto[27862]: "UT0_Altona" #42: STATE_MAIN_R2: sent MR2, expecting MI3
Jun 15 15:39:26 untangle pluto[27862]: "UT0_Altona" #42: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.11'
Jun 15 15:39:26 untangle pluto[27862]: "UT0_Altona" #42: no suitable connection for peer '192.168.0.11'
Jun 15 15:39:26 untangle pluto[27862]: "UT0_Altona" #42: sending encrypted notification INVALID_ID_INFORMATION to 99.228.64.220:500

---

Who is 192.168.0.11?
You don't have a configuration for that IP.

If thats the NGFW IP you need to configure it as such.
You've specified a custom external address (and not even a valid one at that). You need to put Untangle's IP here, not the IP from another server.

This is a bit difficult to explain.

Here is a network diagram
http://www.gpeters.ca/wp-content/upl...06/network.jpg