Page 3 of 4 (results 21 to 30 of 33)
  #21 Untanglit (Join Date: Apr 2016, Posts: 17)

    Quote Originally Posted by sky-knight:
    If memory serves, the IPSec module is built off of StrongSwan... perhaps it's simply a limit of that project?
    Nope, it's definitely a shortcoming of Untangle.
    StrongSwan is used in our work Sophos UTM9 and my home Edgerouter Lite - both these can 'follow' WAN address perfectly well...

    At work we renewed our Sophos contract and didn't move to Untangle due to this.
    In the corporate world, where everything has a cost associated, installing and maintaining extra software (OpenVPN) isn't the answer if you want to seriously compete in the market, especially if your competitor does it without issues...

  #22 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,412)

    Well... duh... if another product completes your use case better that's what you use. That's why we have a marketplace of product to choose from.

    And you use an Edgerouter at home? You must like extra work... powerful toys, but that UI... man... you have to work to be that bad.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  #23 Untanglit (Join Date: Apr 2016, Posts: 17)

    Quote Originally Posted by sky-knight:
    Well... duh... if another product completes your use case better that's what you use. That's why we have a marketplace of product to choose from.
    Agreed, and we did choose the best product for the use-case we had in question.
    I was responding to those saying that you could just install OpenVPN software; that's fine for home, but in the corporate world, we have governance and such malarkey to contend with.

    Quote Originally Posted by sky-knight:
    And you use an Edgerouter at home? You must like extra work... powerful toys, but that UI... man... you have to work to be that bad.
    The old GUI was very rough, but it's been updated over the last few years and it's not bad at all now.
    That said, I use the CLI to administer; most of my career has been at Cisco CLI prompts, so I'm one of those strange people who actually prefer CLI to GUI.

  #24 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,412)

    If you're an IOS guy, then yeah, Edgerouter being Vyatta based is pretty much your friend. And I know they've improved the UI a ton over the last few years, but that doesn't mean it's sane. It's still not very good. I've got many in the field, I love how fast they are, especially for the price! But they are giant pains in the keister to manage. Fortunately, like Cisco devices, once configured they don't need much attention.

    And for the record I didn't say just install OpenVPN, I was simply pointing out that if you need a site-to-site with Untangle that's dynamic address friendly, that's what you're stuck with. And if you've got a corporate mess to worry about, why are you even messing with routers? The SSTP VPN tech built into Server 2012 is much better for that sort of thing. One group policy later and all domain machines are on a VPN all the time when needed with zero user interaction.
    Last edited by sky-knight; 06-01-2016 at 01:25 AM.

  #25 Untanglit (Join Date: Apr 2016, Posts: 17)

    Quote Originally Posted by sky-knight:
    And if you've got a corporate mess to worry about, why are you even messing with routers? The SSTP VPN tech built into Server 2012 is much better for that sort of thing. One group policy later and all domain machines are on a VPN all the time when needed with zero user interaction.
    Sorry, not understanding this - our use case is for iPad connectivity using the in-built iOS VPN functionality using a dynamic IP address at the remote office site.
    We were looking if Untangle could replace our suite of remote office Sophos UTM9, but they cannot achieve this without extra software installed on the iPads, which will turn into a governance headache.

    I'm not understanding your point about Group Policy here?
    In any case, we use Redhat Linux for our infrastructure rather than Windows...

  #26 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,412)

    Quote Originally Posted by harrymcbean:
    In any case, we use Redhat Linux for our infrastructure rather than Windows...
    Ahh... I see you like doing things the hard way!

    So now that you've tossed IPSec out the window and landed specifically on the L2TP feature, have you considered configuring the server listen address with 0.0.0.0 ? That means ALL addresses on the server. Then you can make a public dynamic DNS record and configure your VPN clients to use that. IPSec is IP bound, but L2TP is just a service, running out in the ether.

    On the off chance that 0.0.0.0 doesn't work, you could set it to listen on the LAN IP address, and configure a port forward rule for L2TP traffic to be forwarded off "destined local" to the LAN IP, it's ugly and counter-intuitive but it should work.
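The suggestion in post #26 turns on what address each VPN daemon is bound to: a socket bound to the wildcard keeps answering after DHCP hands the WAN a new address, one bound to the old WAN address does not, and one bound to a LAN or loopback address is not reachable from outside on its own. The following Python check is an added example for this thread, not code from Untangle, strongSwan or xl2tpd. It parses `ss -ulnp` output (sample constructed inline; 203.0.113.7 stands in for the gateway's current DHCP WAN address, and the process names are assumptions) and reports, for the UDP ports an iOS L2TP/IPsec client needs (500, 4500 and 1701, assumed here), which of those three situations each listener is in. The LAN range 192.168.2.0/24 is taken from post #30's internal address.

```python
"""Check whether a gateway's L2TP/IPsec listeners will survive a WAN IP change.

Added example for this thread; not Untangle, strongSwan or xl2tpd code.
It reads `ss -ulnp` output and classifies the UDP sockets an iOS
L2TP/IPsec client needs to reach by what they are bound to.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# UDP ports used by L2TP/IPsec: IKE, IPsec NAT traversal, and L2TP itself.
VPN_PORTS = {500: "IKE", 4500: "IPsec NAT-T", 1701: "L2TP"}

# Bind addresses that mean "every address on the host" (post #26's 0.0.0.0).
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample of `ss -ulnp` output. 203.0.113.7 stands in for the
# gateway's current DHCP-assigned WAN address; process names are assumptions.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0            0.0.0.0:500       0.0.0.0:*    users:(("charon",pid=1234,fd=9))
UNCONN 0      0            0.0.0.0:4500      0.0.0.0:*    users:(("charon",pid=1234,fd=10))
UNCONN 0      0        203.0.113.7:1701      0.0.0.0:*    users:(("xl2tpd",pid=1300,fd=3))
UNCONN 0      0          127.0.0.1:53        0.0.0.0:*    users:(("dnsmasq",pid=900,fd=4))
UNCONN 0      0               [::]:500          [::]:*    users:(("charon",pid=1234,fd=11))
"""


@dataclass(frozen=True)
class Listener:
    addr: str  # as printed by ss: "0.0.0.0", "[::]", "203.0.113.7", ...
    port: int
    proc: str  # process name, or "" when ss printed none (-p needs root)


_SS_RE = re.compile(
    r"^UNCONN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_ss(output: str) -> list[Listener]:
    """Extract UDP listeners from `ss -ulnp` text (header and junk lines skipped)."""
    listeners = []
    for line in output.splitlines():
        m = _SS_RE.match(line)
        if m:
            listeners.append(Listener(m["addr"], int(m["port"]), m["proc"] or ""))
    return listeners


def bind_kind(addr: str, wan_ip: str, lan_nets: list[str]) -> str:
    """Classify a bind address relative to the gateway's current WAN address."""
    if addr in WILDCARDS:
        return "wildcard"
    ip = ipaddress.ip_address(addr.strip("[]"))
    if ip.is_loopback:
        return "loopback"
    if ip == ipaddress.ip_address(wan_ip):
        return "wan"
    if any(ip in ipaddress.ip_network(n, strict=False) for n in lan_nets):
        return "lan"
    return "stale"  # neither the current WAN address nor a LAN address


def audit(ss_output: str, wan_ip: str, lan_nets: list[str]) -> dict[str, str]:
    """Return a verdict per VPN service about surviving a WAN address change."""
    by_port: dict[int, list[Listener]] = {}
    for lst in parse_ss(ss_output):
        by_port.setdefault(lst.port, []).append(lst)
    verdicts = {}
    for port, name in VPN_PORTS.items():
        kinds = {bind_kind(l.addr, wan_ip, lan_nets) for l in by_port.get(port, [])}
        if not kinds:
            verdicts[name] = "not listening"
        elif "wildcard" in kinds:
            verdicts[name] = "ok: wildcard bind, follows any WAN address"
        elif "wan" in kinds:
            verdicts[name] = "fragile: pinned to the current WAN address, breaks on DHCP change"
        elif "stale" in kinds:
            verdicts[name] = "broken: bound to an address this host no longer has"
        else:
            verdicts[name] = "unreachable from WAN: bound only to LAN/loopback"
    return verdicts


if __name__ == "__main__":
    # Run against the sample with the WAN address it was captured on, then
    # again after a pretend DHCP change, to see the pinned L2TP socket fail.
    for wan in ("203.0.113.7", "203.0.113.42"):
        print(f"WAN address {wan}:")
        for service, verdict in audit(SAMPLE_SS, wan, ["192.168.2.0/24"]).items():
            print(f"  {service:12} {verdict}")
```

On a real gateway, replace SAMPLE_SS with the output of `ss -ulnp` run as root and pass the address currently on the WAN interface; a "fragile" L2TP verdict is exactly the configuration that works today and stops working after the next lease change, which is the failure mode this thread is about.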

  #27 Untanglit (Join Date: Apr 2016, Posts: 17)

    Quote Originally Posted by sky-knight:
    Ahh... I see you like doing things the hard way!
    Some might say the proper way.

    Quote Originally Posted by sky-knight:
    So now that you've tossed IPSec out the window and landed specifically on the L2TP feature, have you considered configuring the server listen address with 0.0.0.0 ? That means ALL addresses on the server. Then you can make a public dynamic DNS record and configure your VPN clients to use that. IPSec is IP bound, but L2TP is just a service, running out in the ether.

    On the off chance that 0.0.0.0 doesn't work, you could set it to listen on the LAN IP address, and configure a port forward rule for L2TP traffic to be forwarded off "destined local" to the LAN IP, it's ugly and counter-intuitive but it should work.
    Good idea - I didn't realise 0.0.0.0 could be used...
    I did try port forward to 127.0.0.1 and listen there, but didn't get any luck.

    The Sophos contract has been re-signed, so it's no use at work, but out of interest I'll spin up a VM in my test lab and see what happens...

  #28 Master Untangler (Join Date: May 2016, Location: Singapore, Posts: 101)

    Quote Originally Posted by sky-knight:
    Ahh... I see you like doing things the hard way!

    So now that you've tossed IPSec out the window and landed specifically on the L2TP feature, have you considered configuring the server listen address with 0.0.0.0 ? That means ALL addresses on the server. Then you can make a public dynamic DNS record and configure your VPN clients to use that. IPSec is IP bound, but L2TP is just a service, running out in the ether.

    On the off chance that 0.0.0.0 doesn't work, you could set it to listen on the LAN IP address, and configure a port forward rule for L2TP traffic to be forwarded off "destined local" to the LAN IP, it's ugly and counter-intuitive but it should work.
    THANK YOU!!!

    Finally after 3 pages of back and forth we get some form of "forum community spirit" with some suggestion on configuration changes that might allow Untangle VPN IPSec implementation to work with a dynamic IP.

    I'll certainly try this out and report back if any luck!

  #29 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,412)

    I didn't mean to drag my feet on that... the idea just struck me.

    I haven't been able to test the idea either, so if it works please let us know! This is the sort of thing that needs to be in the wiki.

    Furthermore, L2TP isn't IPSec, though it is in the IPSec module on Untangle. I don't think you're going to be able to get IPSec tunnels built on dynamic addresses. I do think you should be able to get L2TP clients to work connecting to a DHCP WAN.
    Last edited by sky-knight; 06-02-2016 at 02:58 PM.

  #30 Master Untangler (Join Date: May 2016, Location: Singapore, Posts: 101)

    Quote Originally Posted by sky-knight:
    So now that you've tossed IPSec out the window and landed specifically on the L2TP feature, have you considered configuring the server listen address with 0.0.0.0 ? That means ALL addresses on the server. Then you can make a public dynamic DNS record and configure your VPN clients to use that. IPSec is IP bound, but L2TP is just a service, running out in the ether
    YES! I can confirm that configuring IPSec to listen on 0.0.0.0 does work for me!

    I have tried Internal (192.168.2.1) and loopback (127.0.0.1) which do not work but configuring IPSec with Manual IP address of 0.0.0.0 does allow me to connect from external via dynamic host name no matter what the public IP address is.

    Thanks for the suggestion this solves a big problem for me to be able to use Untangle!
    Last edited by anschmid; 06-02-2016 at 09:50 PM.
