Page 1 of 2
  1. #1
    Master Untangler
    Join Date
    Aug 2008
    Posts
    370

    Default Using IPsec VPN for UT to UT not working

    I have configured IPsec VPN Tunnels on 2 UT servers and can't get them to connect. Both ends have a Static public IP.

    Both ISPs provide a router, so both UT servers are behind NAT. On both ends I have DMZ set up on the ISPs' routers pointing to the UT servers, so I think that should take care of my port forwarding, but I'm not sure if there is anything else to it.

    This is the error I get on both ends: "We cannot identify ourselves with either end of this connection"

    Here is the full log from one of the UT servers.


    Code:
    Jun 14 16:25:46 untangle ipsec__plutorun: Starting Pluto subsystem...
    Jun 14 16:25:46 untangle pluto[30405]: Starting Pluto (Openswan Version 2.6.28; Vendor ID OEQ{O\177nez{CQ) pid:30405
    Jun 14 16:25:46 untangle pluto[30405]: SAref support [disabled]: Protocol not available
    Jun 14 16:25:46 untangle pluto[30405]: SAbind support [enabled]
    Jun 14 16:25:46 untangle pluto[30405]: Setting NAT-Traversal port-4500 floating to on
    Jun 14 16:25:46 untangle pluto[30405]:    port floating activation criteria nat_t=1/port_float=1
    Jun 14 16:25:46 untangle pluto[30405]:    NAT-Traversal support  [enabled]
    Jun 14 16:25:46 untangle pluto[30405]: using /dev/urandom as source of random entropy
    Jun 14 16:25:46 untangle pluto[30405]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
    Jun 14 16:25:46 untangle pluto[30405]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
    Jun 14 16:25:46 untangle pluto[30405]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
    Jun 14 16:25:46 untangle pluto[30405]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
    Jun 14 16:25:46 untangle pluto[30405]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
    Jun 14 16:25:46 untangle pluto[30405]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
    Jun 14 16:25:46 untangle pluto[30405]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
    Jun 14 16:25:46 untangle pluto[30405]: no helpers will be started, all cryptographic operations will be done inline
    Jun 14 16:25:46 untangle pluto[30405]: Using Linux 2.6 IPsec interface code on 2.6.32-5-untangle-amd64 (experimental code)
    Jun 14 16:25:46 untangle pluto[30405]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
    Jun 14 16:25:46 untangle pluto[30405]: ike_alg_add(): ERROR: Algorithm already exists
    Jun 14 16:25:46 untangle pluto[30405]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
    Jun 14 16:25:46 untangle pluto[30405]: ike_alg_add(): ERROR: Algorithm already exists
    Jun 14 16:25:46 untangle pluto[30405]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
    Jun 14 16:25:46 untangle pluto[30405]: ike_alg_add(): ERROR: Algorithm already exists
    Jun 14 16:25:46 untangle pluto[30405]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
    Jun 14 16:25:46 untangle pluto[30405]: ike_alg_add(): ERROR: Algorithm already exists
    Jun 14 16:25:46 untangle pluto[30405]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
    Jun 14 16:25:46 untangle pluto[30405]: ike_alg_add(): ERROR: Algorithm already exists
    Jun 14 16:25:46 untangle pluto[30405]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
    Jun 14 16:25:46 untangle pluto[30405]: myid malformed: empty string ""
    Jun 14 16:25:46 untangle pluto[30405]: Changed path to directory '/etc/ipsec.d/cacerts'
    Jun 14 16:25:46 untangle pluto[30405]: Changed path to directory '/etc/ipsec.d/aacerts'
    Jun 14 16:25:46 untangle pluto[30405]: Changed path to directory '/etc/ipsec.d/ocspcerts'
    Jun 14 16:25:46 untangle pluto[30405]: Changing to directory '/etc/ipsec.d/crls'
    Jun 14 16:25:46 untangle pluto[30405]:   Warning: empty directory
    Jun 14 16:25:46 untangle pluto[30405]: added connection description "UT0_Altona"
    Jun 14 16:25:46 untangle pluto[30405]: listening for IKE messages
    Jun 14 16:25:46 untangle pluto[30405]: NAT-Traversal: Trying new style NAT-T
    Jun 14 16:25:46 untangle pluto[30405]: NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
    Jun 14 16:25:46 untangle pluto[30405]: NAT-Traversal: Trying old style NAT-T
    Jun 14 16:25:46 untangle pluto[30405]: adding interface tun0/tun0 172.16.135.1:500
    Jun 14 16:25:46 untangle pluto[30405]: adding interface tun0/tun0 172.16.135.1:4500
    Jun 14 16:25:46 untangle pluto[30405]: adding interface utun/utun 192.0.2.42:500
    Jun 14 16:25:46 untangle pluto[30405]: adding interface utun/utun 192.0.2.42:4500
    Jun 14 16:25:46 untangle pluto[30405]: adding interface eth0/eth0 192.168.2.11:500
    Jun 14 16:25:46 untangle pluto[30405]: adding interface eth0/eth0 192.168.2.11:4500
    Jun 14 16:25:46 untangle pluto[30405]: adding interface eth1/eth1 192.168.145.1:500
    Jun 14 16:25:46 untangle pluto[30405]: adding interface eth1/eth1 192.168.145.1:4500
    Jun 14 16:25:46 untangle pluto[30405]: adding interface lo/lo 127.0.0.1:500
    Jun 14 16:25:46 untangle pluto[30405]: adding interface lo/lo 127.0.0.1:4500
    Jun 14 16:25:46 untangle pluto[30405]: adding interface lo/lo ::1:500
    Jun 14 16:25:46 untangle pluto[30405]: loading secrets from "/etc/ipsec.secrets"
    Jun 14 16:25:46 untangle pluto[30405]: "UT0_Altona": We cannot identify ourselves with either end of this connection.

  2. #2
    Master Untangler
    Join Date
    Aug 2008
    Posts
    370

    Default

    From the FAQ:
    "You will need to forward ESP, AH, and UDP port 500 from the public IP to the Untangle server"
    Not sure what I need to do to forward ESP and AH. What is that?

  3. #3
    Untangler jcoffin
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,757

    Default

    Quote Originally Posted by gpeters View Post
    From the FAQ
    Not sure what I need to do to forward ESP and AH. What is that?
    You missed the context of this FAQ "If I install Untangle behind a NAT device". There is no forward needed if the IPsec is on the Untangle itself and there is no firewall in front of it.

    From the log you haven't even made a connection out. Can you post a screen shot of your settings?
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  4. #4
    Master Untangler
    Join Date
    Aug 2008
    Posts
    370

    Default

    Here are the settings from the main office UT


    From the remote office

  5. #5
    Untangler jcoffin
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,757

    Default

    Two questions.
    - I assume that you check Enable when testing the connection. Is that correct?

    - On the Interface setting, I notice you have custom, is the IP address the main IP address of the External Interface?
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  6. #6
    Master Untangler
    Join Date
    Aug 2008
    Posts
    370

    Default

    Yes, enabled them on both UTs.

    No, for the custom setting the IP addresses are the ISPs' static public IPs.

    Like I said, both UTs are behind the modems from the ISPs, which are assigning the IPs to the UT servers.

    Here is the screenshot from the main office using the IP from the external interface

  7. #7
    Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486

    Default

    Quote Originally Posted by gpeters View Post
    From the FAQ
    Not sure what I need to do to forward ESP and AH. What is that?
    He is running behind NAT on both ends.
    Since you are running behind NAT, you need to forward ESP, AH, and UDP port 500.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  8. #8
    Master Untangler
    Join Date
    Aug 2008
    Posts
    370

    Default

    On both of the ISP modems I don't have anything related to forwarding ESP or AH. I can forward ports, but instead what I have done is DMZ both the UT servers.

    Here is what the log looks like when I use the IPs from the external UT interfaces as per my last screenshot

    Code:
    Jun 15 15:38:59 untangle pluto[27862]: "UT0_Altona" #41: received and ignored informational message
    Jun 15 15:39:19 untangle pluto[27862]: "UT0_Altona" #41: discarding duplicate packet; already STATE_MAIN_I3
    Jun 15 15:39:19 untangle pluto[27862]: "UT0_Altona" #41: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
    Jun 15 15:39:19 untangle pluto[27862]: "UT0_Altona" #41: received and ignored informational message
    Jun 15 15:39:26 untangle pluto[27862]: "UT0_Altona" #40: max number of retransmissions (2) reached STATE_MAIN_R2
    Jun 15 15:39:26 untangle pluto[27862]: packet from 99.228.64.220:500: received Vendor ID payload [Openswan (this version) 2.6.28 ]
    Jun 15 15:39:26 untangle pluto[27862]: packet from 99.228.64.220:500: received Vendor ID payload [Dead Peer Detection]
    Jun 15 15:39:26 untangle pluto[27862]: packet from 99.228.64.220:500: received Vendor ID payload [RFC 3947] method set to=109 
    Jun 15 15:39:26 untangle pluto[27862]: packet from 99.228.64.220:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
    Jun 15 15:39:26 untangle pluto[27862]: packet from 99.228.64.220:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
    Jun 15 15:39:26 untangle pluto[27862]: packet from 99.228.64.220:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
    Jun 15 15:39:26 untangle pluto[27862]: packet from 99.228.64.220:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
    Jun 15 15:39:26 untangle pluto[27862]: "UT0_Altona" #42: responding to Main Mode
    Jun 15 15:39:26 untangle pluto[27862]: "UT0_Altona" #42: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    Jun 15 15:39:26 untangle pluto[27862]: "UT0_Altona" #42: STATE_MAIN_R1: sent MR1, expecting MI2
    Jun 15 15:39:26 untangle pluto[27862]: "UT0_Altona" #42: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
    Jun 15 15:39:26 untangle pluto[27862]: "UT0_Altona" #42: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
    Jun 15 15:39:26 untangle pluto[27862]: "UT0_Altona" #42: STATE_MAIN_R2: sent MR2, expecting MI3
    Jun 15 15:39:26 untangle pluto[27862]: "UT0_Altona" #42: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.11'
    Jun 15 15:39:26 untangle pluto[27862]: "UT0_Altona" #42: no suitable connection for peer '192.168.0.11'
    Jun 15 15:39:26 untangle pluto[27862]: "UT0_Altona" #42: sending encrypted notification INVALID_ID_INFORMATION to 99.228.64.220:500

  9. #9
    Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486

    Default

    Who is 192.168.0.11?
    You don't have a configuration for that IP.

    If that's the NGFW IP you need to configure it as such.
    You've specified a custom external address (and not even a valid one at that). You need to put Untangle's IP here, not the IP from another server.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

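A triage script for the two log excerpts in this thread, added here as an example (it is not Untangle's code and not from any of the posters). It reads the "adding interface" lines to show why pluto reports "We cannot identify ourselves with either end of this connection" when the custom external address is the router's public IP rather than one of the UT's own interface addresses; it explains the "no suitable connection for peer" rejection in post #8, where the peer presented its private LAN address 192.168.0.11 as its IKE ID (Openswan's leftid= defaults to left=, so a NATed box identifies itself by its interface address unless told otherwise); and it lists what an upstream router must pass when the UT is not its DMZ host, which is the ESP/AH question from posts #2 and #7. The log excerpts are constructed from the ones posted above, and 203.0.113.10 is an assumed stand-in for the public address typed into the custom external address field.

```python
"""Triage helper for Openswan (pluto) IKE logs from a site-to-site tunnel
whose endpoints both sit behind NAT. Example code added to this thread; it
is not part of Untangle. Log excerpts are constructed, modelled on the ones
posted above; the left/right addresses used in the usage section are
assumptions, not the poster's real settings."""
import ipaddress
import re

# Constructed excerpt of pluto's startup log (modelled on post #1).
STARTUP_LOG = """\
Jun 14 16:25:46 untangle pluto[30405]: adding interface eth0/eth0 192.168.2.11:500
Jun 14 16:25:46 untangle pluto[30405]: adding interface eth0/eth0 192.168.2.11:4500
Jun 14 16:25:46 untangle pluto[30405]: adding interface eth1/eth1 192.168.145.1:500
Jun 14 16:25:46 untangle pluto[30405]: loading secrets from "/etc/ipsec.secrets"
Jun 14 16:25:46 untangle pluto[30405]: "UT0_Altona": We cannot identify ourselves with either end of this connection.
"""

# Constructed excerpt of a later negotiation (modelled on post #8).
NEGOTIATION_LOG = """\
Jun 15 15:39:26 untangle pluto[27862]: "UT0_Altona" #42: responding to Main Mode
Jun 15 15:39:26 untangle pluto[27862]: "UT0_Altona" #42: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Jun 15 15:39:26 untangle pluto[27862]: "UT0_Altona" #42: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.11'
Jun 15 15:39:26 untangle pluto[27862]: "UT0_Altona" #42: no suitable connection for peer '192.168.0.11'
Jun 15 15:39:26 untangle pluto[27862]: "UT0_Altona" #42: sending encrypted notification INVALID_ID_INFORMATION to 99.228.64.220:500
"""

IFACE_RE = re.compile(r"adding interface \S+ (\d+(?:\.\d+){3}):\d+")
PEER_ID_RE = re.compile(r"Main mode peer ID is ID_IPV4_ADDR: '([^']+)'")
NAT_RE = re.compile(r"NAT-Traversal: Result using [^:]+: (.+)$", re.M)


def local_addresses(log):
    """Addresses pluto bound to at startup; left=/right= must name one of these."""
    return {m.group(1) for m in IFACE_RE.finditer(log)}


def check_endpoints(log, left, right):
    """Explain 'We cannot identify ourselves with either end': pluto found
    neither left= nor right= among its own interface addresses.
    Returns a diagnosis string, or None when one side is local."""
    local = local_addresses(log)
    if left in local or right in local:
        return None
    return (f"neither left={left} nor right={right} is a local address "
            f"(pluto bound {sorted(local)}); behind NAT, left= must be the "
            "UT's own interface address, not the router's public IP")


def check_peer_id(log, expected_peer_id):
    """Explain 'no suitable connection for peer': the ID the initiator sent
    does not match the peer ID this side was configured to expect."""
    m = PEER_ID_RE.search(log)
    if not m:
        return {"peer_id": None, "private": False, "nat": None, "problem": None}
    peer_id = m.group(1)
    private = ipaddress.ip_address(peer_id).is_private
    nat = NAT_RE.search(log)
    result = {"peer_id": peer_id, "private": private,
              "nat": nat.group(1) if nat else None, "problem": None}
    if peer_id != expected_peer_id:
        hint = ""
        if private and nat:
            hint = (" (a private address behind NAT: Openswan's leftid= "
                    "defaults to left=, so the peer is identifying itself by "
                    "its LAN interface, not its public IP)")
        result["problem"] = (f"peer identified as {peer_id} but this side "
                             f"expects {expected_peer_id}{hint}; set the "
                             "peer's leftid= to its public IP, or set rightid= "
                             f"here to {peer_id}")
    return result


def forward_rules(nat_t_negotiated):
    """Traffic the ISP router must pass to the UT when it is not the DMZ host.
    ESP (50) and AH (51) are IP protocols, not TCP/UDP ports; once RFC 3947
    NAT-T is negotiated, ESP travels inside UDP 4500 and no raw ESP/AH
    forwarding is needed."""
    rules = [("udp", 500, "IKE"), ("udp", 4500, "IKE/ESP NAT-T")]
    if not nat_t_negotiated:
        rules += [("ip-proto", 50, "ESP"), ("ip-proto", 51, "AH")]
    return rules


if __name__ == "__main__":
    # Assumed configuration: 203.0.113.10 stands in for the router's public IP
    # that was typed into the custom external address field.
    print(check_endpoints(STARTUP_LOG, "203.0.113.10", "99.228.64.220"))
    verdict = check_peer_id(NEGOTIATION_LOG, "99.228.64.220")
    print(verdict["problem"])
    for proto, num, why in forward_rules(verdict["nat"] is not None):
        print(f"forward {proto} {num}  # {why}")
```

With a DMZ host on the ISP router, everything reaches the UT anyway, so the forwarding list only matters once that DMZ setting is removed; the two ID checks are the ones that apply to the logs in this thread.
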
  10. #10
    Master Untangler
    Join Date
    Aug 2008
    Posts
    370

    Default

    This is a bit difficult to explain.

    Here is a network diagram

