  1. #1
    Newbie
    Join Date
    Aug 2014
    Posts
    5

    Need assistance setting up a VPN tunnel

    I have been given instructions on a VPN requirement for a vendor to implement an EDI system.

    I'm running an Untangle NG firewall with the following build:

    Build: 9.4.2~svn20130830r35759release9.4-1lenny
    Kernel: 2.6.26-2-untangle-686

    Please forgive me because I'm about to betray my own ignorance in a big way.

    The vendor has sent me the following list of requirements for the IPsec tunnel:

    Please have the following setup for VPN

    Epicor Peer 205.173.226.150

    Epicor Remote Subnet 10.240.1.0 /24

    Phase 1
    Esp,md5,3des

    Phase 2
    MD5 , 3des, NO PFS

    When creating VPN Traffic must look like it is coming from 10.250.199.0/24

    Either create Network int on your firewall for 10.250.199.1 /24 and Alias on Server 10.250.199.2

    Also may need static route on server route add p 10.240.1.0 mask 255.255.255.0 10.250.199.1

    That is if you use alias IP on both.

    Or your firewall may allow NAT over VPN from network 192.168.1.0/24 to 10.250.199.0/24 when traffic needs to go to 10.240.1.0/24 (Epicor)

    Here is how my setup currently looks in the rack app:
    unwiredipsec.PNG

    We have naught but a single subnet here (192.168.1.0/24)

    I believe the devices on the other end of this tunnel are Cisco but the guy has been very conservative with what he's willing to tell me about it, offering instead to sell me a new appliance for these purposes if I'm not smart enough to figure it out.

    The web admin IPsec GUI seems rather threadbare, but I'm sure this box is up to the task. I'm especially at a loss when it comes to creating the network interface objects and/or the static route. I'm also not sure how to meet his phase 1 and phase 2 requirements without laying eyes on a configuration page that makes explicit reference to those things.

    I guess my question is: Is the Untangle up to the task at hand here (I'm sure it is, but who knows), and how do I configure the more advanced requirements, specifically:

    When creating VPN Traffic must look like it is coming from 10.250.199.0/24

    Either create Network int on your firewall for 10.250.199.1 /24 and Alias on Server 10.250.199.2

    Also may need static route on server route add p 10.240.1.0 mask 255.255.255.0 10.250.199.1

    and verify the encryption phases?

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,700


    Unfortunately version 9.4 does not have the ability to set phase 1 and 2 options. Version 10.2 has phase 1 and 2 manual configuration options. Otherwise your settings are correct.

    Version 10.2 IPsec tunnel screen

    10.2-ipsec-configuration.jpg
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Newbie
    Join Date
    Aug 2014
    Posts
    5


    Quote Originally Posted by jcoffin View Post
    Unfortunately version 9.4 does not have the ability to set phase 1 and 2 options. Version 10.2 has phase 1 and 2 manual configuration options. Otherwise your settings are correct.

    Version 10.2 IPsec tunnel screen

    10.2-ipsec-configuration.jpg
    I performed the upgrade and you're right, a bevy of additional options opened up to me. Unfortunately, I'm still having a time getting this tunnel established.

    I spoke to the engineer of the EDI product I'm doing all this for. Somehow I need to make this:
    adcovpn.PNG
    Conform to this:

    edivpn.png

    Is there a way I can get this working with the Untangle, or am I likely going to have to implement an additional SonicWall just for these purposes?
    Can I manually edit the policy or dig even deeper with the command line to get it established?

  4. #4
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486


    Your phase 2s are not configured correctly (at least in the screenshot).

  5. #5
    Newbie
    Join Date
    Aug 2014
    Posts
    5


    I corrected the Phase 2 lifetime (seconds) to 28800; that was the only obvious discrepancy that I was able to correct (at least, the only one that was obvious to me).

    I do not know how to disable PFS specifically for phase 2. I see where I can disable PFS in the general tunnel config but, alas, I don't know if that accomplishes the same.

    The tunnel is still not established. Do you guys think I'm going to have to add a second firewall just to perform VPN?

  6. #6
    Newbie
    Join Date
    Aug 2014
    Posts
    5


    Here is a snippet of the IPsec log. Is there anything contained therein that would indicate how to correct my tunnel?
    Sep 4 05:13:31 untangle pluto[5507]: "UT2_TCPx-EDI" #2090: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW to replace #2089 {using isakmp#406 msgid:4e796fb3 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
    Sep 4 05:13:31 untangle pluto[5507]: "UT2_TCPx-EDI" #2090: ERROR: asynchronous network error report on eth1 (sport=500) for message to 205.173.226.150 port 500, complainant 209.12.175.250: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
    Sep 4 05:14:41 untangle pluto[5507]: "UT2_TCPx-EDI" #2090: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    Sep 4 05:14:41 untangle pluto[5507]: "UT2_TCPx-EDI" #2090: starting keying attempt 2089 of an unlimited number
    Sep 4 05:14:41 untangle pluto[5507]: "UT2_TCPx-EDI" #2091: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW to replace #2090 {using isakmp#406 msgid:5bc61ff2 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
    Sep 4 05:15:12 untangle pluto[5507]: "UT2_TCPx-EDI" #2091: ERROR: asynchronous network error report on eth1 (sport=500) for message to 205.173.226.150 port 500, complainant 209.12.175.250: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
    Sep 4 05:15:51 untangle pluto[5507]: "UT2_TCPx-EDI" #2091: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    Sep 4 05:15:51 untangle pluto[5507]: "UT2_TCPx-EDI" #2091: starting keying attempt 2090 of an unlimited number
    Sep 4 05:15:51 untangle pluto[5507]: "UT2_TCPx-EDI" #2092: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW to replace #2091 {using isakmp#406 msgid:cf9d96a9 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
    Sep 4 05:17:01 untangle pluto[5507]: "UT2_TCPx-EDI" #2092: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    Sep 4 05:17:01 untangle pluto[5507]: "UT2_TCPx-EDI" #2092: starting keying attempt 2091 of an unlimited number
    Sep 4 05:17:01 untangle pluto[5507]: "UT2_TCPx-EDI" #2093: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW to replace #2092 {using isakmp#406 msgid:6fdd21b0 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
    Sep 4 05:18:11 untangle pluto[5507]: "UT2_TCPx-EDI" #2093: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    Sep 4 05:18:11 untangle pluto[5507]: "UT2_TCPx-EDI" #2093: starting keying attempt 2092 of an unlimited number
    Sep 4 05:18:11 untangle pluto[5507]: "UT2_TCPx-EDI" #2094: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW to replace #2093 {using isakmp#406 msgid:178af1b1 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
    Sep 4 05:19:21 untangle pluto[5507]: "UT2_TCPx-EDI" #2094: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    Sep 4 05:19:21 untangle pluto[5507]: "UT2_TCPx-EDI" #2094: starting keying attempt 2093 of an unlimited number
    Sep 4 05:19:21 untangle pluto[5507]: "UT2_TCPx-EDI" #2095: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW to replace #2094 {using isakmp#406 msgid:76058cc9 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
    Sep 4 05:20:31 untangle pluto[5507]: "UT2_TCPx-EDI" #2095: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    Sep 4 05:20:31 untangle pluto[5507]: "UT2_TCPx-EDI" #2095: starting keying attempt 2094 of an unlimited number
    Sep 4 05:20:31 untangle pluto[5507]: "UT2_TCPx-EDI" #2096: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW to replace #2095 {using isakmp#406 msgid:3299b044 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
    Sep 4 05:20:31 untangle pluto[5507]: "UT2_TCPx-EDI" #2096: ERROR: asynchronous network error report on eth1 (sport=500) for message to 205.173.226.150 port 500, complainant 209.12.175.250: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
    Sep 4 05:21:41 untangle pluto[5507]: "UT2_TCPx-EDI" #2096: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode
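As an added example (not from the thread, and not Untangle's own tooling), here is a small Python triage script that parses pluto log lines like the ones above, checks each offered Phase 2 proposal against the vendor's stated 3DES/MD5/no-PFS requirement, and separates network-path errors (the ICMP "No route to host" reports from an intermediate hop) from Quick Mode timeouts where the peer simply never answered. The sample input is a constructed copy of three lines from this post; the regexes assume the Openswan/pluto message layout shown here.

```python
import re

# Vendor's Phase 2 requirement as stated in the thread: 3DES, MD5, no PFS.
EXPECTED = {"enc": "3DES", "hash": "MD5", "pfs": "no-pfs"}

# Constructed sample: three lines copied from the pluto log in this post.
SAMPLE_LOG = """\
Sep 4 05:13:31 untangle pluto[5507]: "UT2_TCPx-EDI" #2090: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW to replace #2089 {using isakmp#406 msgid:4e796fb3 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Sep 4 05:13:31 untangle pluto[5507]: "UT2_TCPx-EDI" #2090: ERROR: asynchronous network error report on eth1 (sport=500) for message to 205.173.226.150 port 500, complainant 209.12.175.250: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Sep 4 05:14:41 untangle pluto[5507]: "UT2_TCPx-EDI" #2090: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# Connection name, SA number and free-text message of one pluto line.
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')
# Phase 2 proposal, e.g. proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs
PROPOSAL_RE = re.compile(r'proposal=(?P<enc>[A-Z0-9]+)\(\d+\)_\d+-(?P<hash>[A-Z0-9]+)\(\d+\)_\d+ pfsgroup=(?P<pfs>[^}\s]+)')
# Asynchronous ICMP error: which hop complained about which peer, and why.
ICMP_RE = re.compile(r'message to (?P<peer>[\d.]+) port \d+, complainant (?P<hop>[\d.]+): (?P<err>[^\[]+)')

def triage(log_text):
    """Parse pluto lines and collect the facts relevant to a stuck tunnel."""
    report = {"conn": None, "proposals": [], "proposal_mismatch": [],
              "icmp": [], "quick_mode_timeouts": 0}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        report["conn"] = m["conn"]
        msg = m["msg"]
        p = PROPOSAL_RE.search(msg)
        if p:
            offered = {"enc": p["enc"], "hash": p["hash"], "pfs": p["pfs"]}
            report["proposals"].append(offered)
            report["proposal_mismatch"] += [k for k in EXPECTED if offered[k] != EXPECTED[k]]
        i = ICMP_RE.search(msg)
        if i:
            report["icmp"].append((i["hop"], i["peer"], i["err"].strip()))
        if "max number of retransmissions" in msg and "STATE_QUICK_I1" in msg:
            report["quick_mode_timeouts"] += 1
    return report

def diagnose(report):
    """Turn the parsed facts into plain findings an admin can act on."""
    findings = []
    if report["proposal_mismatch"]:
        findings.append("offered Phase 2 proposal differs from vendor requirement on: "
                        + ", ".join(sorted(set(report["proposal_mismatch"]))))
    else:
        findings.append("offered Phase 2 proposal matches the vendor's 3DES/MD5/no-PFS requirement")
    for hop, peer, err in report["icmp"]:
        findings.append(f"{hop} reported '{err}' for IKE (UDP 500) to {peer}: "
                        "check path reachability before changing crypto settings")
    if report["quick_mode_timeouts"]:
        findings.append(f"{report['quick_mode_timeouts']} Quick Mode attempt(s) got no reply: "
                        "peer rejected the proposal silently or never received it")
    return findings
```

Run `diagnose(triage(open('/var/log/auth.log').read()))` (path is an assumption; use wherever your build writes pluto output) to get the same summary for a live log.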

  7. #7
    Newbie
    Join Date
    Aug 2014
    Posts
    5


    I got this figured out! Thanks everyone for your help!
