Is there any kind of tutorial around for connecting Untangle to a USG?

**jlficken** · 05-25-2019, 08:34 AM

I have my bosses convinced to replace our main office USG with Untangle (paid version) if I can get some things to work.

The first is that I'm trying to get S2S working with the remote office USG but am having trouble getting traffic to pass.

Untangle shows a green light as if it's connected but I can't seem to get it working right.

I have created the WAN_LOCAL rules on the USG for AH, ESP, NAT-T, and L2TP as well as LAN_IN and LAN_OUT rules for the remote (Untangle) network.

Any thoughts would be appreciated. I can post any screenshots that may help I'm just at a loss as to the issue.

Next is trying to get a remote user L2TP VPN working on Android as well as getting it so that clients can see the main network over the VPN.

**jlficken** · 05-26-2019, 09:05 AM

Well, I've made some progress.

I can get the 192.168.5.0/24 subnet on Untangle and the 192.168.15.0/24 subnet on the USG to communicate, however, weird stuff happens when I try to add more subnets.

For example if I add 192.168.100.0/24 from Untangle and then ping the gateway from a machine connected to the USG the tunnel immediately drops all ICMP traffic going to the USG 192.168.15.0/24 subnet.

The only way to get it back is to restart the IPSec service on Untangle but it will happen every time I try it and I Have no idea why.

I also can't see anything on the 192.168.30.0/24 subnet on the USG side from Untangle no matter what I do and I don't know why.

This is driving me crazy!!!!

**jlficken** · 05-26-2019, 04:47 PM

Here's the USG settings as well as status:

Code:

admin@USG-3P:~$ sudo cat /etc/ipsec.conf
# generated by /opt/vyatta/sbin/vpn-config.pl

config setup

conn %default
        keyexchange=ikev1


conn peer-96.31.181.XX-tunnel-0
        left=96.31.181.XXX
        right=96.31.181.XX
        leftsubnet=192.168.15.0/24
        rightsubnet=192.168.5.0/24
        ike=aes256-sha1-modp2048!
        keyexchange=ikev2
        reauth=no
        ikelifetime=28800s
        esp=aes256-sha1-modp2048!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret
        auto=route
        keyingtries=%forever
#conn peer-96.31.181.XX-tunnel-0

conn peer-96.31.181.XX-tunnel-1
        left=96.31.181.XXX
        right=96.31.181.XX
        leftsubnet=192.168.15.0/24
        rightsubnet=192.168.100.0/24
        ike=aes256-sha1-modp2048!
        keyexchange=ikev2
        reauth=no
        ikelifetime=28800s
        esp=aes256-sha1-modp2048!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret
        auto=route
        keyingtries=%forever
#conn peer-96.31.181.XX-tunnel-1

conn peer-96.31.181.XX-tunnel-2
        left=96.31.181.XXX
        right=96.31.181.XX
        leftsubnet=192.168.30.0/24
        rightsubnet=192.168.5.0/24
        ike=aes256-sha1-modp2048!
        keyexchange=ikev2
        reauth=no
        ikelifetime=28800s
        esp=aes256-sha1-modp2048!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret
        auto=route
        keyingtries=%forever
#conn peer-96.31.181.XX-tunnel-2

conn peer-96.31.181.XX-tunnel-3
        left=96.31.181.XXX
        right=96.31.181.XX
        leftsubnet=192.168.30.0/24
        rightsubnet=192.168.100.0/24
        ike=aes256-sha1-modp2048!
        keyexchange=ikev2
        reauth=no
        ikelifetime=28800s
        esp=aes256-sha1-modp2048!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret
        auto=route
        keyingtries=%forever
#conn peer-96.31.181.XX-tunnel-3

admin@USG-3P:~$ show vpn ipsec sa
peer-96.31.181.XX-tunnel-0: #4, ESTABLISHED, IKEv2, 31a50de4f241862a:15e5fe2b9d932d16
  local  '96.31.181.XXX' @ 96.31.181.XXX
  remote '96.31.181.XX' @ 96.31.181.XX
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  established 12527s ago, rekeying in 15520s
  peer-96.31.181.XX-tunnel-0: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_2048
    installed 2099 ago, rekeying in 540s, expires in 1501s
    in  cdc1c07b,   8185 bytes,    80 packets,    47s ago
    out c95f076c,   9030 bytes,    66 packets,    47s ago
    local  192.168.15.0/24
    remote 192.168.5.0/24
admin@USG-3P:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.10.107-UBNT, mips64):
  uptime: 4 hours, since May 26 11:27:12 2019
  malloc: sbrk 376832, mmap 0, used 292672, free 84160
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
  loaded plugins: charon ldap sqlite pkcs11 aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pem openssl agent xcbc cmac ctr ccm gcm curl attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap addrblock
Listening IP addresses:
  96.31.181.XXX
  192.168.15.1
  192.168.30.1
Connections:
peer-96.31.181.XX-tunnel-0:  96.31.181.XXX...96.31.181.XX  IKEv2
peer-96.31.181.XX-tunnel-0:   local:  [96.31.181.XXX] uses pre-shared key authentication
peer-96.31.181.XX-tunnel-0:   remote: [96.31.181.XX] uses pre-shared key authentication
peer-96.31.181.XX-tunnel-0:   child:  192.168.15.0/24 === 192.168.5.0/24 TUNNEL
peer-96.31.181.XX-tunnel-1:   child:  192.168.15.0/24 === 192.168.100.0/24 TUNNEL
peer-96.31.181.XX-tunnel-2:   child:  192.168.30.0/24 === 192.168.5.0/24 TUNNEL
peer-96.31.181.XX-tunnel-3:   child:  192.168.30.0/24 === 192.168.100.0/24 TUNNEL
Routed Connections:
peer-96.31.181.XX-tunnel-3{4}:  ROUTED, TUNNEL
peer-96.31.181.XX-tunnel-3{4}:   192.168.30.0/24 === 192.168.100.0/24
peer-96.31.181.XX-tunnel-2{3}:  ROUTED, TUNNEL
peer-96.31.181.XX-tunnel-2{3}:   192.168.30.0/24 === 192.168.5.0/24
peer-96.31.181.XX-tunnel-1{2}:  ROUTED, TUNNEL
peer-96.31.181.XX-tunnel-1{2}:   192.168.15.0/24 === 192.168.100.0/24
peer-96.31.181.XX-tunnel-0{1}:  ROUTED, TUNNEL
peer-96.31.181.XX-tunnel-0{1}:   192.168.15.0/24 === 192.168.5.0/24
Security Associations (1 up, 0 connecting):
peer-96.31.181.XX-tunnel-0[4]: ESTABLISHED 3 hours ago, 96.31.181.XXX[96.31.181.XXX]...96.31.181.XX[96.31.181.XX]
peer-96.31.181.XX-tunnel-0[4]: IKEv2 SPIs: 31a50de4f241862a_i 15e5fe2b9d932d16_r*, rekeying in 4 hours
peer-96.31.181.XX-tunnel-0[4]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
peer-96.31.181.XX-tunnel-0{1}:  INSTALLED, TUNNEL, ESP SPIs: cdc1c07b_i c95f076c_o
peer-96.31.181.XX-tunnel-0{1}:  AES_CBC_256/HMAC_SHA1_96, 8257 bytes_i (81 pkts, 33s ago), 9102 bytes_o (67 pkts, 33s ago), rekeying in 8 minutes
peer-96.31.181.XX-tunnel-0{1}:   192.168.15.0/24 === 192.168.5.0/24
admin@USG-3P:~$ sudo swanctl --log
06[NET] received packet: from 96.31.181.XX[4500] to 96.31.181.XXX[4500] (76 bytes)
06[ENC] parsed INFORMATIONAL request 189 [ ]
06[ENC] generating INFORMATIONAL response 189 [ ]
06[NET] sending packet: from 96.31.181.XXX[4500] to 96.31.181.XX[4500] (76 bytes)
04[NET] received packet: from 96.31.181.XX[4500] to 96.31.181.XXX[4500] (76 bytes)
04[ENC] parsed INFORMATIONAL request 190 [ ]
04[ENC] generating INFORMATIONAL response 190 [ ]
04[NET] sending packet: from 96.31.181.XXX[4500] to 96.31.181.XX[4500] (76 bytes)
06[NET] received packet: from 96.31.181.XX[4500] to 96.31.181.XXX[4500] (76 bytes)
06[ENC] parsed INFORMATIONAL request 191 [ ]
06[ENC] generating INFORMATIONAL response 191 [ ]
06[NET] sending packet: from 96.31.181.XXX[4500] to 96.31.181.XX[4500] (76 bytes)

**jlficken** · 05-26-2019, 04:48 PM

Here are the Untangle settings and status:
UntangleVPN1.JPG
UntangleVPN2.JPG

Code:

IPsec State:
src 96.31.181.XX dst 96.31.181.XXX
	proto esp spi 0xc9dcc31a reqid 1 mode tunnel
	replay-window 0 flag af-unspec
	auth-trunc hmac(sha1) 0x4db7a9c8db3781e4aa3091bee5428d1dd956f7bb 96
	enc cbc(aes) 0xe61ad5878f02cca7c7917757fddd0b771f93a4de97d5d2b02f4742816f8e1487
	anti-replay context: seq 0x0, oseq 0x1e, bitmap 0x00000000
src 96.31.181.XXX dst 96.31.181.XX
	proto esp spi 0xcda993be reqid 1 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0xb35fc0cf274061e566d284c7a0460fc3ff501557 96
	enc cbc(aes) 0x0ab47ff1c9a41e22725bf56e6dfc7e5d421f16f82132a0c7d0ecdf570c1fa9bd
	anti-replay context: seq 0x1e, oseq 0x0, bitmap 0x3fffffff






IPsec Policy:
src 192.168.15.0/24 dst 192.168.5.0/24 
	dir fwd priority 187712 ptype main 
	tmpl src 96.31.181.XXX dst 96.31.181.XX
		proto esp reqid 1 mode tunnel
src 192.168.15.0/24 dst 192.168.5.0/24 
	dir in priority 187712 ptype main 
	tmpl src 96.31.181.XXX dst 96.31.181.XX
		proto esp reqid 1 mode tunnel
src 192.168.5.0/24 dst 192.168.15.0/24 
	dir out priority 187712 ptype main 
	tmpl src 96.31.181.XX dst 96.31.181.XXX
		proto esp reqid 1 mode tunnel
src 192.168.30.0/24 dst 192.168.96.0/20 
	dir fwd priority 288736 ptype main 
	tmpl src 96.31.181.XXX dst 96.31.181.XX
		proto esp reqid 1 mode tunnel
src 192.168.30.0/24 dst 192.168.96.0/20 
	dir in priority 288736 ptype main 
	tmpl src 96.31.181.XXX dst 96.31.181.XX
		proto esp reqid 1 mode tunnel
src 192.168.96.0/20 dst 192.168.30.0/24 
	dir out priority 288736 ptype main 
	tmpl src 96.31.181.XX dst 96.31.181.XXX
		proto esp reqid 1 mode tunnel
src 192.168.15.0/24 dst 192.168.96.0/20 
	dir fwd priority 288736 ptype main 
	tmpl src 96.31.181.XXX dst 96.31.181.XX
		proto esp reqid 1 mode tunnel
src 192.168.15.0/24 dst 192.168.96.0/20 
	dir in priority 288736 ptype main 
	tmpl src 96.31.181.XXX dst 96.31.181.XX
		proto esp reqid 1 mode tunnel
src 192.168.96.0/20 dst 192.168.15.0/24 
	dir out priority 288736 ptype main 
	tmpl src 96.31.181.XX dst 96.31.181.XXX
		proto esp reqid 1 mode tunnel
src 192.168.30.0/24 dst 192.168.5.0/24 
	dir fwd priority 287712 ptype main 
	tmpl src 96.31.181.XXX dst 96.31.181.XX
		proto esp reqid 1 mode tunnel
src 192.168.30.0/24 dst 192.168.5.0/24 
	dir in priority 287712 ptype main 
	tmpl src 96.31.181.XXX dst 96.31.181.XX
		proto esp reqid 1 mode tunnel
src 192.168.5.0/24 dst 192.168.30.0/24 
	dir out priority 287712 ptype main 
	tmpl src 96.31.181.XX dst 96.31.181.XXX
		proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src ::/0 dst ::/0 
	socket in priority 0 ptype main 
src ::/0 dst ::/0 
	socket out priority 0 ptype main 
src ::/0 dst ::/0 
	socket in priority 0 ptype main 
src ::/0 dst ::/0 
	socket out priority 0 ptype main 




IPSec Log:
May 26 18:11:22 5018D-FN8T charon: 08[NET] received packet: from 96.31.181.XXX[4500] to 96.31.181.XX[4500] (76 bytes)
May 26 18:11:22 5018D-FN8T charon: 05[NET] sending packet: from 96.31.181.XX[4500] to 96.31.181.XXX[4500] (76 bytes)
May 26 18:11:22 5018D-FN8T charon: 05[ENC] generating INFORMATIONAL request 139 [ ]
May 26 18:11:22 5018D-FN8T charon: 05[IKE] sending DPD request
May 26 18:10:22 5018D-FN8T charon: 11[ENC] parsed INFORMATIONAL response 138 [ ]
May 26 18:10:22 5018D-FN8T charon: 11[NET] received packet: from 96.31.181.XXX[4500] to 96.31.181.XX[4500] (76 bytes)
May 26 18:10:22 5018D-FN8T charon: 08[NET] sending packet: from 96.31.181.XX[4500] to 96.31.181.XXX[4500] (76 bytes)
May 26 18:10:22 5018D-FN8T charon: 08[ENC] generating INFORMATIONAL request 138 [ ]
May 26 18:10:22 5018D-FN8T charon: 08[IKE] sending DPD request
May 26 18:09:22 5018D-FN8T charon: 15[ENC] parsed INFORMATIONAL response 137 [ ]
May 26 18:09:22 5018D-FN8T charon: 15[NET] received packet: from 96.31.181.XXX[4500] to 96.31.181.XX[4500] (76 bytes)
May 26 18:09:22 5018D-FN8T charon: 09[NET] sending packet: from 96.31.181.XX[4500] to 96.31.181.XXX[4500] (76 bytes)
May 26 18:09:22 5018D-FN8T charon: 09[ENC] generating INFORMATIONAL request 137 [ ]
May 26 18:09:22 5018D-FN8T charon: 09[IKE] sending DPD request
May 26 18:08:38 5018D-FN8T charon: 07[ENC] parsed INFORMATIONAL response 136 [ ]
May 26 18:08:38 5018D-FN8T charon: 07[NET] received packet: from 96.31.181.XXX[4500] to 96.31.181.XX[4500] (76 bytes)
May 26 18:08:38 5018D-FN8T charon: 15[NET] sending packet: from 96.31.181.XX[4500] to 96.31.181.XXX[4500] (76 bytes)
May 26 18:08:38 5018D-FN8T charon: 15[ENC] generating INFORMATIONAL request 136 [ ]
May 26 18:08:38 5018D-FN8T charon: 15[IKE] sending DPD request
May 26 18:08:08 5018D-FN8T charon: 10[IKE] CHILD_SA closed
May 26 18:08:08 5018D-FN8T charon: 10[IKE] received DELETE for ESP CHILD_SA with SPI c463cd06
May 26 18:08:08 5018D-FN8T charon: 10[ENC] parsed INFORMATIONAL response 135 [ D ]
May 26 18:08:08 5018D-FN8T charon: 10[NET] received packet: from 96.31.181.XXX[4500] to 96.31.181.XX[4500] (76 bytes)
May 26 18:08:08 5018D-FN8T charon: 07[NET] sending packet: from 96.31.181.XX[4500] to 96.31.181.XXX[4500] (76 bytes)
May 26 18:08:08 5018D-FN8T charon: 07[ENC] generating INFORMATIONAL request 135 [ D ]
May 26 18:08:08 5018D-FN8T charon: 07[IKE] sending DELETE for ESP CHILD_SA with SPI ccb6089b
May 26 18:08:08 5018D-FN8T charon: 07[IKE] closing CHILD_SA UT1_USG-Test{4} with SPIs ccb6089b_i (3096 bytes) c463cd06_o (3096 bytes) and TS 192.168.5.0/24 === 192.168.15.0/24
May 26 18:08:08 5018D-FN8T charon: 07[IKE] closing CHILD_SA UT1_USG-Test{4} with SPIs ccb6089b_i (3096 bytes) c463cd06_o (3096 bytes) and TS 192.168.5.0/24 === 192.168.15.0/24
May 26 18:08:08 5018D-FN8T charon: 07[IKE] CHILD_SA UT1_USG-Test{5} established with SPIs cda993be_i c9dcc31a_o and TS 192.168.5.0/24 === 192.168.15.0/24
May 26 18:08:08 5018D-FN8T charon: 07[IKE] CHILD_SA UT1_USG-Test{5} established with SPIs cda993be_i c9dcc31a_o and TS 192.168.5.0/24 === 192.168.15.0/24
May 26 18:08:08 5018D-FN8T charon: 07[ENC] parsed CREATE_CHILD_SA response 134 [ SA No KE TSi TSr ]
May 26 18:08:08 5018D-FN8T charon: 07[NET] received packet: from 96.31.181.XXX[4500] to 96.31.181.XX[4500] (476 bytes)
May 26 18:08:07 5018D-FN8T charon: 05[NET] sending packet: from 96.31.181.XX[4500] to 96.31.181.XXX[4500] (508 bytes)
May 26 18:08:07 5018D-FN8T charon: 05[ENC] generating CREATE_CHILD_SA request 134 [ N(REKEY_SA) SA No KE TSi TSr ]
May 26 18:08:07 5018D-FN8T charon: 05[IKE] establishing CHILD_SA UT1_USG-Test{1}
May 26 18:08:07 5018D-FN8T charon: 05[IKE] establishing CHILD_SA UT1_USG-Test{1}
May 26 18:08:07 5018D-FN8T charon: 05[KNL] creating rekey job for CHILD_SA ESP/0xccb6089b/96.31.181.XX
May 26 18:07:22 5018D-FN8T charon: 10[ENC] parsed INFORMATIONAL response 133 [ ]
May 26 18:07:22 5018D-FN8T charon: 10[NET] received packet: from 96.31.181.XXX[4500] to 96.31.181.XX[4500] (76 bytes)
May 26 18:07:22 5018D-FN8T charon: 05[NET] sending packet: from 96.31.181.XX[4500] to 96.31.181.XXX[4500] (76 bytes)
May 26 18:07:22 5018D-FN8T charon: 05[ENC] generating INFORMATIONAL request 133 [ ]
May 26 18:07:22 5018D-FN8T charon: 05[IKE] sending DPD request
May 26 18:06:22 5018D-FN8T charon: 07[ENC] parsed INFORMATIONAL response 132 [ ]
May 26 18:06:22 5018D-FN8T charon: 07[NET] received packet: from 96.31.181.XXX[4500] to 96.31.181.XX[4500] (76 bytes)
May 26 18:06:22 5018D-FN8T charon: 12[NET] sending packet: from 96.31.181.XX[4500] to 96.31.181.XXX[4500] (76 bytes)
May 26 18:06:22 5018D-FN8T charon: 12[ENC] generating INFORMATIONAL request 132 [ ]

Thread: Is there any kind of tutorial around for connecting Untangle to a USG?

LinkBack

Thread Tools

Is there any kind of tutorial around for connecting Untangle to a USG?

Posting Permissions