Thread: IPsec Problems

  1. #1
    Untangle Ninja
    WebFooL's Avatar
    Join Date
    Jan 2009
    Location
    Sweden (Eskilstuna)
    Posts
    5,042

    Default IPsec Problems

    Hi,

    We have an issue with IPsec.

    It works well when we use "Local Catalog", but when we switch over to Radius it stops working. Xauth still works, but we would like to push out a GPO and just run the native Windows VPN client.

    When we run the radius test in untangle it successfully authenticates users.

    Here is a log snippet from a connection attempt:

    Code:
    Feb 12 11:52:02 ut xl2tpd[1086]: control_finish: Connection closed to 94.234.170.45, port 1701 (), Local: 1108, Remote: 7
    Feb 12 11:52:02 ut xl2tpd[1086]: Terminating pppd: sending TERM signal to pid 7123
    Feb 12 11:52:02 ut xl2tpd[1086]: control_finish: Connection closed to 94.234.170.45, serial 0 ()
    Feb 12 11:52:02 ut xl2tpd[1086]: call_close: Call 7543 to 94.234.170.45 disconnected
    Feb 12 11:52:02 ut xl2tpd[1086]: child_handler : pppd exited for call 1 with code 11
    Feb 12 11:52:01 ut xl2tpd[1086]: Call established with 94.234.170.45, Local: 7543, Remote: 1, Serial: 0
    Feb 12 11:52:01 ut xl2tpd[1086]: "/dev/pts/1" 
    Feb 12 11:52:01 ut xl2tpd[1086]: "/etc/ppp/options.xl2tpd" 
    Feb 12 11:52:01 ut xl2tpd[1086]: "file" 
    Feb 12 11:52:01 ut xl2tpd[1086]: "untangle-l2tp" 
    Feb 12 11:52:01 ut xl2tpd[1086]: "name" 
    Feb 12 11:52:01 ut xl2tpd[1086]: "auth" 
    Feb 12 11:52:01 ut xl2tpd[1086]: "172.20.200.1:172.20.200.2" 
    Feb 12 11:52:01 ut xl2tpd[1086]: "nodetach" 
    Feb 12 11:52:01 ut xl2tpd[1086]: "passive" 
    Feb 12 11:52:01 ut xl2tpd[1086]: "/usr/sbin/pppd" 
    Feb 12 11:52:01 ut xl2tpd[1086]: start_pppd: I'm running: 
    Feb 12 11:52:01 ut xl2tpd[1086]: handle_packet: bad control packet!
    Feb 12 11:52:01 ut xl2tpd[1086]: check_control: Received out of order control packet on tunnel 7 (got 3, expected 2)
    Feb 12 11:52:01 ut xl2tpd[1086]: Connection established to 94.234.170.45, 1701.  Local: 1108, Remote: 7 (ref=0/0).  LNS session is 'default'
    The Client reports Error: 691

    We have followed this guide to add the tunnel:
    https://support.untangle.com/hc/en-u...PN-to-L2TP-VPN

    Any help or suggestion would be appreciated :-)

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,655

    Default

    Thanks Björn, I will look into it today.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangle Ninja
    WebFooL's Avatar
    Join Date
    Jan 2009
    Location
    Sweden (Eskilstuna)
    Posts
    5,042

    Default

    Let me know if you need more info.

    And if you like, my UID to the box.

  4. #4
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,655

    Default

    It is working for me. What type of RADIUS server are you using? Also verify the password encryption matches the accepted types of your RADIUS server.

  5. #5
    Untangle Ninja
    WebFooL's Avatar
    Join Date
    Jan 2009
    Location
    Sweden (Eskilstuna)
    Posts
    5,042

    Default

    We are using Microsoft NPS.
    I bet that there is a RADIUS issue, but the test in Untangle succeeds.

    I can post the radius config on Monday.

  6. #6
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486

    Default

    The test uses the Java RADIUS connector, but I think the "xauth" daemon does RADIUS directly.
    So unfortunately I don't think the test passing implies that the xauth daemon can do it.

    It doesn't support plugins, so we had to use the integrated RADIUS implementation. It can't call ours.
    So we just configure it with the same settings, but I would not at all be surprised if it has a different compatibility list.
    Last edited by dmorris; 02-13-2016 at 01:16 AM.

  7. #7
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,655

    Default

    Quote Originally Posted by WebFooL View Post
    We are using Microsoft NPS.
    I bet that there is a RADIUS issue, but the test in Untangle succeeds.
    I was afraid of that. We did have a previous bug, which was fixed on 6/22/15 in Directory Connector, that required MS-CHAP v2 if RADIUS is being provided by an Active Directory server. With Xauth using its own RADIUS connector, I bet that MS-CHAP v2 is either not configured or not an option with Xauth.

  8. #8
    Untangle Ninja
    WebFooL's Avatar
    Join Date
    Jan 2009
    Location
    Sweden (Eskilstuna)
    Posts
    5,042

    Default

    Radiustest.PNG
    Test goes OK in Untangle's WebUI
    Policy Configuration:
    Policy.PNG
    NetworkPolicy.PNG
    Windows 10 VPN error MSG
    Error MSG.PNG

    I bet that there is a Radius configuration.

  9. #9
    Untangle Ninja
    WebFooL's Avatar
    Join Date
    Jan 2009
    Location
    Sweden (Eskilstuna)
    Posts
    5,042

    Default

    Ahh, now I remember..

    We had an issue where the new rule matched our WiFi, so we disabled "MS-CHAP-v2" and tested running with just PAP.

    So the more correct question here is: has anyone gotten NPS configured so that "Conditions" works correctly?
    We have tested adding the condition access client IP/mask (Untangle) so that only requests from Untangle match the policy.
    But still our WiFi (Aruba) hits it.

    Oh well, I can just build another RADIUS server until we figure it out.

  10. #10
    Untangler mahotz's Avatar
    Join Date
    Jun 2010
    Posts
    35

    Default

    I may have found a fix if you have some free time and want to make some manual tweaks and test.

    On Untangle, after you have everything configured and running, manually modify the /etc/ipsec.conf in the VPN-XAUTH-n section(s):

    CHANGE: rightauth2=xauth-radius
    BECOMES: rightauth2=xauth-eap

    Then use /etc/init.d/ipsec restart so the daemon picks up the change.

    On your Windows AD/RADIUS server, modify the Authentication Methods section of the appropriate NPS Network Policy, and in the list of EAP Types add "Microsoft: Secured Password (EAP-MSCHAP v2)" and "Microsoft: Protected EAP (PEAP)". You should be able to disable all the other "Less secure authentication methods" boxes.

    The crazy thing is... when I first started playing with this, it only worked if I added the second one (PEAP) but after more playing around it now only seems to work when I add the first one (EAP-MSCHAP v2).

    Once the changes are made, try connecting an Xauth client and see if you have any luck. I tested here with a Windows 2008 server and an old iPhone 4 running iOS 7.1.2
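A small helper for the ipsec.conf edit described in post #10, added here as an example (it is not Untangle's or strongSwan's own code). It rewrites rightauth2 only inside the VPN-XAUTH-n conn sections and leaves every other section alone; the sample config and the section name "VPN-XAUTH-1" are constructed, and the /etc/init.d/ipsec restart step is left to the operator.

```python
"""Rewrite rightauth2=xauth-radius to xauth-eap in the VPN-XAUTH-* sections
of an ipsec.conf, touching nothing else. Added example for this thread; the
sample below is constructed to look like an Untangle-generated file."""
import re
import sys
from typing import List, Tuple

# Constructed sample: one XAUTH conn plus a site-to-site conn that must stay as-is.
SAMPLE_CONF = """\
config setup
    charondebug="ike 1"

conn %default
    keyexchange=ikev1

conn VPN-XAUTH-1
    leftauth=psk
    rightauth=psk
    rightauth2=xauth-radius
    auto=add

conn SITE-1
    rightauth2=xauth-radius
    auto=start
"""

SECTION_RE = re.compile(r"^conn\s+(\S+)\s*$")
KEY_RE = re.compile(r"^(\s*)rightauth2\s*=\s*(\S+)\s*$")


def rewrite_rightauth2(conf: str, new_value: str = "xauth-eap",
                       section_prefix: str = "VPN-XAUTH-") -> Tuple[str, List[str]]:
    """Return (new_conf, names of sections that were changed).

    Any non-indented line ends the current section, so only indented keys
    under a matching 'conn' header are candidates. A value already equal to
    new_value is skipped, which makes the rewrite idempotent."""
    out, changed, current = [], [], None
    for line in conf.splitlines(keepends=True):
        if line and not line[0].isspace():
            m = SECTION_RE.match(line.strip())
            current = m.group(1) if m else None
        if current and current.startswith(section_prefix):
            k = KEY_RE.match(line)
            if k and k.group(2) != new_value:
                line = f"{k.group(1)}rightauth2={new_value}\n"
                changed.append(current)
        out.append(line)
    return "".join(out), changed


if __name__ == "__main__":
    # Usage: python rewrite.py /etc/ipsec.conf   (prints result; does not write)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    new_conf, sections = rewrite_rightauth2(text)
    print(f"changed sections: {sections}", file=sys.stderr)
    sys.stdout.write(new_conf)
```

Review the printed output and write it back yourself, then restart the daemon as post #10 describes.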
