    #1 Master Untangler (Join Date: Dec 2018, Posts: 165)

    Is there any kind of tutorial around for connecting Untangle to a USG?

    I have my bosses convinced to replace our main office USG with Untangle (paid version) if I can get some things to work.

    The first is that I'm trying to get S2S working with the remote office USG but am having trouble getting traffic to pass.

    Untangle shows a green light as if it's connected but I can't seem to get it working right.

    I have created the WAN_LOCAL rules on the USG for AH, ESP, NAT-T, and L2TP as well as LAN_IN and LAN_OUT rules for the remote (Untangle) network.

    Any thoughts would be appreciated. I can post any screenshots that may help; I'm just at a loss as to the issue.

    Next is trying to get a remote user L2TP VPN working on Android as well as getting it so that clients can see the main network over the VPN.
    Last edited by jlficken; 05-25-2019 at 10:11 AM.

    #2

    Well, I've made some progress.

    I can get the 192.168.5.0/24 subnet on Untangle and the 192.168.15.0/24 subnet on the USG to communicate; however, weird stuff happens when I try to add more subnets.

    For example, if I add 192.168.100.0/24 from Untangle and then ping the gateway from a machine connected to the USG, the tunnel immediately drops all ICMP traffic going to the USG 192.168.15.0/24 subnet.

    The only way to get it back is to restart the IPsec service on Untangle, but it will happen every time I try it and I have no idea why.

    I also can't see anything on the 192.168.30.0/24 subnet on the USG side from Untangle no matter what I do and I don't know why.

    This is driving me crazy!!!!

    #3

    Here are the USG settings as well as status:

    Code:
    admin@USG-3P:~$ sudo cat /etc/ipsec.conf
    # generated by /opt/vyatta/sbin/vpn-config.pl
    
    config setup
    
    conn %default
            keyexchange=ikev1
    
    
    conn peer-96.31.181.XX-tunnel-0
            left=96.31.181.XXX
            right=96.31.181.XX
            leftsubnet=192.168.15.0/24
            rightsubnet=192.168.5.0/24
            ike=aes256-sha1-modp2048!
            keyexchange=ikev2
            reauth=no
            ikelifetime=28800s
            esp=aes256-sha1-modp2048!
            keylife=3600s
            rekeymargin=540s
            type=tunnel
            compress=no
            authby=secret
            auto=route
            keyingtries=%forever
    #conn peer-96.31.181.XX-tunnel-0
    
    conn peer-96.31.181.XX-tunnel-1
            left=96.31.181.XXX
            right=96.31.181.XX
            leftsubnet=192.168.15.0/24
            rightsubnet=192.168.100.0/24
            ike=aes256-sha1-modp2048!
            keyexchange=ikev2
            reauth=no
            ikelifetime=28800s
            esp=aes256-sha1-modp2048!
            keylife=3600s
            rekeymargin=540s
            type=tunnel
            compress=no
            authby=secret
            auto=route
            keyingtries=%forever
    #conn peer-96.31.181.XX-tunnel-1
    
    conn peer-96.31.181.XX-tunnel-2
            left=96.31.181.XXX
            right=96.31.181.XX
            leftsubnet=192.168.30.0/24
            rightsubnet=192.168.5.0/24
            ike=aes256-sha1-modp2048!
            keyexchange=ikev2
            reauth=no
            ikelifetime=28800s
            esp=aes256-sha1-modp2048!
            keylife=3600s
            rekeymargin=540s
            type=tunnel
            compress=no
            authby=secret
            auto=route
            keyingtries=%forever
    #conn peer-96.31.181.XX-tunnel-2
    
    conn peer-96.31.181.XX-tunnel-3
            left=96.31.181.XXX
            right=96.31.181.XX
            leftsubnet=192.168.30.0/24
            rightsubnet=192.168.100.0/24
            ike=aes256-sha1-modp2048!
            keyexchange=ikev2
            reauth=no
            ikelifetime=28800s
            esp=aes256-sha1-modp2048!
            keylife=3600s
            rekeymargin=540s
            type=tunnel
            compress=no
            authby=secret
            auto=route
            keyingtries=%forever
    #conn peer-96.31.181.XX-tunnel-3
    
    admin@USG-3P:~$ show vpn ipsec sa
    peer-96.31.181.XX-tunnel-0: #4, ESTABLISHED, IKEv2, 31a50de4f241862a:15e5fe2b9d932d16
      local  '96.31.181.XXX' @ 96.31.181.XXX
      remote '96.31.181.XX' @ 96.31.181.XX
      AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      established 12527s ago, rekeying in 15520s
      peer-96.31.181.XX-tunnel-0: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_2048
        installed 2099 ago, rekeying in 540s, expires in 1501s
        in  cdc1c07b,   8185 bytes,    80 packets,    47s ago
        out c95f076c,   9030 bytes,    66 packets,    47s ago
        local  192.168.15.0/24
        remote 192.168.5.0/24
    admin@USG-3P:~$ sudo ipsec statusall
    Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.10.107-UBNT, mips64):
      uptime: 4 hours, since May 26 11:27:12 2019
      malloc: sbrk 376832, mmap 0, used 292672, free 84160
      worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
      loaded plugins: charon ldap sqlite pkcs11 aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pem openssl agent xcbc cmac ctr ccm gcm curl attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap addrblock
    Listening IP addresses:
      96.31.181.XXX
      192.168.15.1
      192.168.30.1
    Connections:
    peer-96.31.181.XX-tunnel-0:  96.31.181.XXX...96.31.181.XX  IKEv2
    peer-96.31.181.XX-tunnel-0:   local:  [96.31.181.XXX] uses pre-shared key authentication
    peer-96.31.181.XX-tunnel-0:   remote: [96.31.181.XX] uses pre-shared key authentication
    peer-96.31.181.XX-tunnel-0:   child:  192.168.15.0/24 === 192.168.5.0/24 TUNNEL
    peer-96.31.181.XX-tunnel-1:   child:  192.168.15.0/24 === 192.168.100.0/24 TUNNEL
    peer-96.31.181.XX-tunnel-2:   child:  192.168.30.0/24 === 192.168.5.0/24 TUNNEL
    peer-96.31.181.XX-tunnel-3:   child:  192.168.30.0/24 === 192.168.100.0/24 TUNNEL
    Routed Connections:
    peer-96.31.181.XX-tunnel-3{4}:  ROUTED, TUNNEL
    peer-96.31.181.XX-tunnel-3{4}:   192.168.30.0/24 === 192.168.100.0/24
    peer-96.31.181.XX-tunnel-2{3}:  ROUTED, TUNNEL
    peer-96.31.181.XX-tunnel-2{3}:   192.168.30.0/24 === 192.168.5.0/24
    peer-96.31.181.XX-tunnel-1{2}:  ROUTED, TUNNEL
    peer-96.31.181.XX-tunnel-1{2}:   192.168.15.0/24 === 192.168.100.0/24
    peer-96.31.181.XX-tunnel-0{1}:  ROUTED, TUNNEL
    peer-96.31.181.XX-tunnel-0{1}:   192.168.15.0/24 === 192.168.5.0/24
    Security Associations (1 up, 0 connecting):
    peer-96.31.181.XX-tunnel-0[4]: ESTABLISHED 3 hours ago, 96.31.181.XXX[96.31.181.XXX]...96.31.181.XX[96.31.181.XX]
    peer-96.31.181.XX-tunnel-0[4]: IKEv2 SPIs: 31a50de4f241862a_i 15e5fe2b9d932d16_r*, rekeying in 4 hours
    peer-96.31.181.XX-tunnel-0[4]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    peer-96.31.181.XX-tunnel-0{1}:  INSTALLED, TUNNEL, ESP SPIs: cdc1c07b_i c95f076c_o
    peer-96.31.181.XX-tunnel-0{1}:  AES_CBC_256/HMAC_SHA1_96, 8257 bytes_i (81 pkts, 33s ago), 9102 bytes_o (67 pkts, 33s ago), rekeying in 8 minutes
    peer-96.31.181.XX-tunnel-0{1}:   192.168.15.0/24 === 192.168.5.0/24
    admin@USG-3P:~$ sudo swanctl --log
    06[NET] received packet: from 96.31.181.XX[4500] to 96.31.181.XXX[4500] (76 bytes)
    06[ENC] parsed INFORMATIONAL request 189 [ ]
    06[ENC] generating INFORMATIONAL response 189 [ ]
    06[NET] sending packet: from 96.31.181.XXX[4500] to 96.31.181.XX[4500] (76 bytes)
    04[NET] received packet: from 96.31.181.XX[4500] to 96.31.181.XXX[4500] (76 bytes)
    04[ENC] parsed INFORMATIONAL request 190 [ ]
    04[ENC] generating INFORMATIONAL response 190 [ ]
    04[NET] sending packet: from 96.31.181.XXX[4500] to 96.31.181.XX[4500] (76 bytes)
    06[NET] received packet: from 96.31.181.XX[4500] to 96.31.181.XXX[4500] (76 bytes)
    06[ENC] parsed INFORMATIONAL request 191 [ ]
    06[ENC] generating INFORMATIONAL response 191 [ ]
    06[NET] sending packet: from 96.31.181.XXX[4500] to 96.31.181.XX[4500] (76 bytes)
    Last edited by jlficken; 05-26-2019 at 05:14 PM.

    #4

    Here are the Untangle settings and status:
    Attachments: UntangleVPN1.JPG, UntangleVPN2.JPG

    Code:
    IPsec State:
    src 96.31.181.XX dst 96.31.181.XXX
    	proto esp spi 0xc9dcc31a reqid 1 mode tunnel
    	replay-window 0 flag af-unspec
    	auth-trunc hmac(sha1) 0x4db7a9c8db3781e4aa3091bee5428d1dd956f7bb 96
    	enc cbc(aes) 0xe61ad5878f02cca7c7917757fddd0b771f93a4de97d5d2b02f4742816f8e1487
    	anti-replay context: seq 0x0, oseq 0x1e, bitmap 0x00000000
    src 96.31.181.XXX dst 96.31.181.XX
    	proto esp spi 0xcda993be reqid 1 mode tunnel
    	replay-window 32 flag af-unspec
    	auth-trunc hmac(sha1) 0xb35fc0cf274061e566d284c7a0460fc3ff501557 96
    	enc cbc(aes) 0x0ab47ff1c9a41e22725bf56e6dfc7e5d421f16f82132a0c7d0ecdf570c1fa9bd
    	anti-replay context: seq 0x1e, oseq 0x0, bitmap 0x3fffffff

    IPsec Policy:
    src 192.168.15.0/24 dst 192.168.5.0/24 
    	dir fwd priority 187712 ptype main 
    	tmpl src 96.31.181.XXX dst 96.31.181.XX
    		proto esp reqid 1 mode tunnel
    src 192.168.15.0/24 dst 192.168.5.0/24 
    	dir in priority 187712 ptype main 
    	tmpl src 96.31.181.XXX dst 96.31.181.XX
    		proto esp reqid 1 mode tunnel
    src 192.168.5.0/24 dst 192.168.15.0/24 
    	dir out priority 187712 ptype main 
    	tmpl src 96.31.181.XX dst 96.31.181.XXX
    		proto esp reqid 1 mode tunnel
    src 192.168.30.0/24 dst 192.168.96.0/20 
    	dir fwd priority 288736 ptype main 
    	tmpl src 96.31.181.XXX dst 96.31.181.XX
    		proto esp reqid 1 mode tunnel
    src 192.168.30.0/24 dst 192.168.96.0/20 
    	dir in priority 288736 ptype main 
    	tmpl src 96.31.181.XXX dst 96.31.181.XX
    		proto esp reqid 1 mode tunnel
    src 192.168.96.0/20 dst 192.168.30.0/24 
    	dir out priority 288736 ptype main 
    	tmpl src 96.31.181.XX dst 96.31.181.XXX
    		proto esp reqid 1 mode tunnel
    src 192.168.15.0/24 dst 192.168.96.0/20 
    	dir fwd priority 288736 ptype main 
    	tmpl src 96.31.181.XXX dst 96.31.181.XX
    		proto esp reqid 1 mode tunnel
    src 192.168.15.0/24 dst 192.168.96.0/20 
    	dir in priority 288736 ptype main 
    	tmpl src 96.31.181.XXX dst 96.31.181.XX
    		proto esp reqid 1 mode tunnel
    src 192.168.96.0/20 dst 192.168.15.0/24 
    	dir out priority 288736 ptype main 
    	tmpl src 96.31.181.XX dst 96.31.181.XXX
    		proto esp reqid 1 mode tunnel
    src 192.168.30.0/24 dst 192.168.5.0/24 
    	dir fwd priority 287712 ptype main 
    	tmpl src 96.31.181.XXX dst 96.31.181.XX
    		proto esp reqid 1 mode tunnel
    src 192.168.30.0/24 dst 192.168.5.0/24 
    	dir in priority 287712 ptype main 
    	tmpl src 96.31.181.XXX dst 96.31.181.XX
    		proto esp reqid 1 mode tunnel
    src 192.168.5.0/24 dst 192.168.30.0/24 
    	dir out priority 287712 ptype main 
    	tmpl src 96.31.181.XX dst 96.31.181.XXX
    		proto esp reqid 1 mode tunnel
    src 0.0.0.0/0 dst 0.0.0.0/0 
    	socket in priority 0 ptype main 
    src 0.0.0.0/0 dst 0.0.0.0/0 
    	socket out priority 0 ptype main 
    src 0.0.0.0/0 dst 0.0.0.0/0 
    	socket in priority 0 ptype main 
    src 0.0.0.0/0 dst 0.0.0.0/0 
    	socket out priority 0 ptype main 
    src ::/0 dst ::/0 
    	socket in priority 0 ptype main 
    src ::/0 dst ::/0 
    	socket out priority 0 ptype main 
    src ::/0 dst ::/0 
    	socket in priority 0 ptype main 
    src ::/0 dst ::/0 
    	socket out priority 0 ptype main 

    IPSec Log:
    May 26 18:11:22 5018D-FN8T charon: 08[NET] received packet: from 96.31.181.XXX[4500] to 96.31.181.XX[4500] (76 bytes)
    May 26 18:11:22 5018D-FN8T charon: 05[NET] sending packet: from 96.31.181.XX[4500] to 96.31.181.XXX[4500] (76 bytes)
    May 26 18:11:22 5018D-FN8T charon: 05[ENC] generating INFORMATIONAL request 139 [ ]
    May 26 18:11:22 5018D-FN8T charon: 05[IKE] sending DPD request
    May 26 18:10:22 5018D-FN8T charon: 11[ENC] parsed INFORMATIONAL response 138 [ ]
    May 26 18:10:22 5018D-FN8T charon: 11[NET] received packet: from 96.31.181.XXX[4500] to 96.31.181.XX[4500] (76 bytes)
    May 26 18:10:22 5018D-FN8T charon: 08[NET] sending packet: from 96.31.181.XX[4500] to 96.31.181.XXX[4500] (76 bytes)
    May 26 18:10:22 5018D-FN8T charon: 08[ENC] generating INFORMATIONAL request 138 [ ]
    May 26 18:10:22 5018D-FN8T charon: 08[IKE] sending DPD request
    May 26 18:09:22 5018D-FN8T charon: 15[ENC] parsed INFORMATIONAL response 137 [ ]
    May 26 18:09:22 5018D-FN8T charon: 15[NET] received packet: from 96.31.181.XXX[4500] to 96.31.181.XX[4500] (76 bytes)
    May 26 18:09:22 5018D-FN8T charon: 09[NET] sending packet: from 96.31.181.XX[4500] to 96.31.181.XXX[4500] (76 bytes)
    May 26 18:09:22 5018D-FN8T charon: 09[ENC] generating INFORMATIONAL request 137 [ ]
    May 26 18:09:22 5018D-FN8T charon: 09[IKE] sending DPD request
    May 26 18:08:38 5018D-FN8T charon: 07[ENC] parsed INFORMATIONAL response 136 [ ]
    May 26 18:08:38 5018D-FN8T charon: 07[NET] received packet: from 96.31.181.XXX[4500] to 96.31.181.XX[4500] (76 bytes)
    May 26 18:08:38 5018D-FN8T charon: 15[NET] sending packet: from 96.31.181.XX[4500] to 96.31.181.XXX[4500] (76 bytes)
    May 26 18:08:38 5018D-FN8T charon: 15[ENC] generating INFORMATIONAL request 136 [ ]
    May 26 18:08:38 5018D-FN8T charon: 15[IKE] sending DPD request
    May 26 18:08:08 5018D-FN8T charon: 10[IKE] CHILD_SA closed
    May 26 18:08:08 5018D-FN8T charon: 10[IKE] received DELETE for ESP CHILD_SA with SPI c463cd06
    May 26 18:08:08 5018D-FN8T charon: 10[ENC] parsed INFORMATIONAL response 135 [ D ]
    May 26 18:08:08 5018D-FN8T charon: 10[NET] received packet: from 96.31.181.XXX[4500] to 96.31.181.XX[4500] (76 bytes)
    May 26 18:08:08 5018D-FN8T charon: 07[NET] sending packet: from 96.31.181.XX[4500] to 96.31.181.XXX[4500] (76 bytes)
    May 26 18:08:08 5018D-FN8T charon: 07[ENC] generating INFORMATIONAL request 135 [ D ]
    May 26 18:08:08 5018D-FN8T charon: 07[IKE] sending DELETE for ESP CHILD_SA with SPI ccb6089b
    May 26 18:08:08 5018D-FN8T charon: 07[IKE] closing CHILD_SA UT1_USG-Test{4} with SPIs ccb6089b_i (3096 bytes) c463cd06_o (3096 bytes) and TS 192.168.5.0/24 === 192.168.15.0/24
    May 26 18:08:08 5018D-FN8T charon: 07[IKE] closing CHILD_SA UT1_USG-Test{4} with SPIs ccb6089b_i (3096 bytes) c463cd06_o (3096 bytes) and TS 192.168.5.0/24 === 192.168.15.0/24
    May 26 18:08:08 5018D-FN8T charon: 07[IKE] CHILD_SA UT1_USG-Test{5} established with SPIs cda993be_i c9dcc31a_o and TS 192.168.5.0/24 === 192.168.15.0/24
    May 26 18:08:08 5018D-FN8T charon: 07[IKE] CHILD_SA UT1_USG-Test{5} established with SPIs cda993be_i c9dcc31a_o and TS 192.168.5.0/24 === 192.168.15.0/24
    May 26 18:08:08 5018D-FN8T charon: 07[ENC] parsed CREATE_CHILD_SA response 134 [ SA No KE TSi TSr ]
    May 26 18:08:08 5018D-FN8T charon: 07[NET] received packet: from 96.31.181.XXX[4500] to 96.31.181.XX[4500] (476 bytes)
    May 26 18:08:07 5018D-FN8T charon: 05[NET] sending packet: from 96.31.181.XX[4500] to 96.31.181.XXX[4500] (508 bytes)
    May 26 18:08:07 5018D-FN8T charon: 05[ENC] generating CREATE_CHILD_SA request 134 [ N(REKEY_SA) SA No KE TSi TSr ]
    May 26 18:08:07 5018D-FN8T charon: 05[IKE] establishing CHILD_SA UT1_USG-Test{1}
    May 26 18:08:07 5018D-FN8T charon: 05[IKE] establishing CHILD_SA UT1_USG-Test{1}
    May 26 18:08:07 5018D-FN8T charon: 05[KNL] creating rekey job for CHILD_SA ESP/0xccb6089b/96.31.181.XX
    May 26 18:07:22 5018D-FN8T charon: 10[ENC] parsed INFORMATIONAL response 133 [ ]
    May 26 18:07:22 5018D-FN8T charon: 10[NET] received packet: from 96.31.181.XXX[4500] to 96.31.181.XX[4500] (76 bytes)
    May 26 18:07:22 5018D-FN8T charon: 05[NET] sending packet: from 96.31.181.XX[4500] to 96.31.181.XXX[4500] (76 bytes)
    May 26 18:07:22 5018D-FN8T charon: 05[ENC] generating INFORMATIONAL request 133 [ ]
    May 26 18:07:22 5018D-FN8T charon: 05[IKE] sending DPD request
    May 26 18:06:22 5018D-FN8T charon: 07[ENC] parsed INFORMATIONAL response 132 [ ]
    May 26 18:06:22 5018D-FN8T charon: 07[NET] received packet: from 96.31.181.XXX[4500] to 96.31.181.XX[4500] (76 bytes)
    May 26 18:06:22 5018D-FN8T charon: 12[NET] sending packet: from 96.31.181.XX[4500] to 96.31.181.XXX[4500] (76 bytes)
    May 26 18:06:22 5018D-FN8T charon: 12[ENC] generating INFORMATIONAL request 132 [ ]
    Last edited by jlficken; 05-26-2019 at 04:54 PM.
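    An added editor's example, not code from this thread or from Untangle or Ubiquiti: a small Python check that takes the four USG conn selectors from post #3 and the "dir out" entries of the Untangle IPsec Policy dump from post #4, pairs each USG leftsubnet/rightsubnet with the Untangle selector in the opposite direction, and reports whether the traffic selectors match exactly, would be narrowed by the USG under IKEv2 (the Untangle side carries 192.168.96.0/20 where the USG conns name 192.168.100.0/24), or have no counterpart. Both inputs are constructed from the output posted above, with the masked XX addresses kept as posted.

```python
import re
from ipaddress import ip_network

# Transcribed from post #3: each USG conn as (leftsubnet, rightsubnet); left is the USG side.
USG_CONNS = {
    "peer-96.31.181.XX-tunnel-0": ("192.168.15.0/24", "192.168.5.0/24"),
    "peer-96.31.181.XX-tunnel-1": ("192.168.15.0/24", "192.168.100.0/24"),
    "peer-96.31.181.XX-tunnel-2": ("192.168.30.0/24", "192.168.5.0/24"),
    "peer-96.31.181.XX-tunnel-3": ("192.168.30.0/24", "192.168.100.0/24"),
}

# Constructed from post #4: Untangle's IPsec Policy dump with the tmpl lines dropped
# (for 'dir out' entries src is the Untangle-side subnet and dst the USG-side subnet).
UNTANGLE_XFRM_POLICY = """
src 192.168.15.0/24 dst 192.168.5.0/24
    dir in priority 187712 ptype main
src 192.168.5.0/24 dst 192.168.15.0/24
    dir out priority 187712 ptype main
src 192.168.96.0/20 dst 192.168.30.0/24
    dir out priority 288736 ptype main
src 192.168.96.0/20 dst 192.168.15.0/24
    dir out priority 288736 ptype main
src 192.168.5.0/24 dst 192.168.30.0/24
    dir out priority 287712 ptype main
"""

def parse_out_policies(text):
    """Set of (local, remote) selectors from 'dir out' policies; in/fwd/socket entries are skipped."""
    pols, pending = set(), None
    for line in text.splitlines():
        m = re.match(r"\s*src (\S+) dst (\S+)", line)
        if m:
            pending = (ip_network(m.group(1)), ip_network(m.group(2)))
        elif pending and line.split()[:2] == ["dir", "out"]:
            pols.add(pending)
    return pols

def compare_selectors(usg_conns, untangle_out):
    """'exact': same pair on both sides; 'narrowed': Untangle's local selector is wider
    than the USG's rightsubnet (the USG narrows it under IKEv2); 'missing': no counterpart."""
    verdict = {}
    for name, (usg_side, untangle_side) in usg_conns.items():
        usg_net, remote_net = ip_network(usg_side), ip_network(untangle_side)
        if (remote_net, usg_net) in untangle_out:
            verdict[name] = "exact"
        elif any(remote_net.subnet_of(loc) and usg_net == rem for loc, rem in untangle_out):
            verdict[name] = "narrowed"
        else:
            verdict[name] = "missing"
    return verdict
```

    A "narrowed" verdict means the two peers do not agree on the selector pair, so the CHILD_SA that comes up may not cover the subnet each side expects; aligning both ends on the same /24 pairs removes that ambiguity.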
