Page 2 of 3 (Results 11 to 20 of 21)
  1. #11 Untangler (Join Date: Oct 2015; Posts: 54)


    Quote Originally Posted by sky-knight:
    That would be my question too, because I just found a document describing what settings to use to get a Barracuda connected, which if I remember correctly is using the same IPSec implementation, and all of those settings are in the Untangle UI already.
    Can you post a link to that document?

  2. #12 jcoffin, Untangler (Join Date: Aug 2008; Location: Lake Tahoe; Posts: 9,768)


    There is a bit of caution that should be taken with older forum posts. In this case the post is referring to OpenSwan IPsec in the older Untangle. The current version of Untangle uses StrongSwan. Also, many of these settings are available on the advanced authentication and key exchange portion of the IPsec settings.

    There is a possibility that not all the settings fields needed are present and in the end we all just want it working. If the files are manually changed, just turn off upgrades.

    [attachment: 12.0-ipsec-advance-settings.jpg]
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #13 Untangler (Join Date: Oct 2015; Posts: 54)


    Let me ask a few simple questions.

    First, the shared secrets provided by AWS are strings, not hex characters. Should I enter them in the GUI as "string-text" or string-text without the surrounding quotes?

    When should I enable the L2TP/Xauth server?

  4. #14 Untangler (Join Date: Oct 2015; Posts: 54)


    Does this snippet from the log give a better sense of what's going wrong?

    Feb 11 18:34:21 gateway charon: 00[JOB] spawning 16 worker threads
    Feb 11 18:34:21 gateway charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
    Feb 11 18:34:21 gateway charon: 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
    Feb 11 18:34:21 gateway charon: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aes rc2 sha1 sha2 md5 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
    Feb 11 18:34:21 gateway charon: 00[CFG] loaded 0 RADIUS server configurations
    Feb 11 18:34:21 gateway charon: 00[CFG] loading secrets from '/etc/xauth.secrets'
    Feb 11 18:34:21 gateway charon: 00[CFG] loaded IKE secret for [my public address removed from here] [aws-tunnel-1-public-address]
    Feb 11 18:34:21 gateway charon: 00[CFG] loaded IKE secret for [my public address removed from here] [aws-tunnel-2-public-address]
    Feb 11 18:34:21 gateway charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
    Feb 11 18:34:21 gateway charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
    Feb 11 18:34:21 gateway charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
    Feb 11 18:34:21 gateway charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
    Feb 11 18:34:21 gateway charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
    Feb 11 18:34:21 gateway charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
    Feb 11 18:34:21 gateway charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
    Feb 11 18:34:21 gateway charon: 00[CFG] HA config misses local/remote address
    Feb 11 18:34:21 gateway charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, Linux 3.2.0-4-untangle-amd64, x86_64)
    Feb 11 18:34:20 gateway charon: 00[DMN] signal of type SIGINT received. Shutting down

  5. #15 jcoffin, Untangler (Join Date: Aug 2008; Location: Lake Tahoe; Posts: 9,768)


    Quote Originally Posted by RERobbins:
    First, the shared secrets provided by AWS are strings, not hex characters. Should I enter them in the GUI as "string-text" or string-text without the surrounding quotes?
    No quotes

    Quote Originally Posted by RERobbins:
    When should I enable the L2TP/Xauth server?
    I doubt it. I'm not that familiar with AWS but I doubt they are using Xauth.

  6. #16 Untangler (Join Date: Oct 2015; Posts: 54)


    Shared secrets entered without quotes, L2TP/Xauth server not enabled.
    Any suggestions as to how I might debug this?


    Feb 11 18:59:52 gateway charon: 00[JOB] spawning 16 worker threads
    Feb 11 18:59:52 gateway charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
    Feb 11 18:59:52 gateway charon: 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
    Feb 11 18:59:52 gateway charon: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aes rc2 sha1 sha2 md5 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
    Feb 11 18:59:52 gateway charon: 00[CFG] loaded 0 RADIUS server configurations
    Feb 11 18:59:52 gateway charon: 00[CFG] loading secrets from '/etc/xauth.secrets'
    Feb 11 18:59:52 gateway charon: 00[CFG] loaded IKE secret for [addresses removed]
    Feb 11 18:59:52 gateway charon: 00[CFG] loaded IKE secret for [addresses removed]
    Feb 11 18:59:52 gateway charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
    Feb 11 18:59:52 gateway charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
    Feb 11 18:59:52 gateway charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
    Feb 11 18:59:52 gateway charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
    Feb 11 18:59:52 gateway charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
    Feb 11 18:59:52 gateway charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
    Feb 11 18:59:52 gateway charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
    Feb 11 18:59:52 gateway charon: 00[CFG] HA config misses local/remote address
    Feb 11 18:59:52 gateway charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, Linux 3.2.0-4-untangle-amd64, x86_64)
    Feb 11 18:59:51 gateway charon: 00[DMN] signal of type SIGINT received. Shutting down
    Feb 11 18:59:51 gateway charon: 00[JOB] spawning 16 worker threads
    Feb 11 18:59:51 gateway charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
    Feb 11 18:59:51 gateway charon: 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
    Feb 11 18:59:51 gateway charon: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aes rc2 sha1 sha2 md5 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity
    Feb 11 18:59:51 gateway charon: 00[CFG] loaded 0 RADIUS server configurations
    Feb 11 18:59:51 gateway charon: 00[CFG] loading secrets from '/etc/xauth.secrets'
    Feb 11 18:59:51 gateway charon: 00[CFG] loaded IKE secret for [addresses removed]
    Feb 11 18:59:51 gateway charon: 00[CFG] loaded IKE secret for [addresses removed]
    Feb 11 18:59:51 gateway charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
    Feb 11 18:59:51 gateway charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
    Feb 11 18:59:51 gateway charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
    Feb 11 18:59:51 gateway charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
    Feb 11 18:59:51 gateway charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
    Feb 11 18:59:51 gateway charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
    Feb 11 18:59:51 gateway charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
    Feb 11 18:59:51 gateway charon: 00[CFG] HA config misses local/remote address
    Feb 11 18:59:51 gateway charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, Linux 3.2.0-4-untangle-amd64, x86_64)
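    The two startup sequences above are pasted newest-first: charon starts, the ha plugin fails to load, and within the same second a SIGINT shuts the daemon down again, and none of the posted lines is an [IKE] group message. A small analyser for this kind of charon syslog output, added here as an example (it is not part of the original post or of Untangle): the sample lines are constructed to mirror the shape of the posted snippet, and the year is an assumption because syslog timestamps carry none.

```python
"""Parse strongSwan charon syslog lines and flag a start/SIGINT restart loop,
plugin load failures and the absence of any IKE negotiation.

Added example, not part of the original post or of Untangle.  SAMPLE_LOG is
constructed to mirror the shape of the posted snippet (newest line first);
syslog timestamps carry no year, so one is assumed."""
import re
from datetime import datetime
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) charon: "
    r"\d+\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
START_RE = re.compile(r"Starting IKE charon daemon \((?P<version>strongSwan [\d.]+)")
PLUGIN_FAIL_RE = re.compile(r"plugin '(?P<name>[^']+)': failed to load")

# Constructed sample in the shape of the posted log (newest line first).
SAMPLE_LOG = """\
Feb 11 18:59:52 gateway charon: 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
Feb 11 18:59:52 gateway charon: 00[CFG] loading secrets from '/etc/xauth.secrets'
Feb 11 18:59:52 gateway charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Feb 11 18:59:52 gateway charon: 00[CFG] HA config misses local/remote address
Feb 11 18:59:52 gateway charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, Linux 3.2.0-4-untangle-amd64, x86_64)
Feb 11 18:59:51 gateway charon: 00[DMN] signal of type SIGINT received. Shutting down
Feb 11 18:59:51 gateway charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
Feb 11 18:59:51 gateway charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, Linux 3.2.0-4-untangle-amd64, x86_64)
"""


def parse_line(line: str, year: int = 2016) -> Optional[Dict]:
    """One syslog line -> event dict, or None for lines that are not charon output."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "group": m["group"], "msg": m["msg"]}


def parse_log(text: str, year: int = 2016) -> List[Dict]:
    """Parse all lines and return them oldest-first, whichever way they were pasted."""
    events = [e for e in (parse_line(line, year) for line in text.splitlines()) if e]
    if len(events) > 1 and events[0]["ts"] > events[-1]["ts"]:
        events.reverse()
    return events


def summarize(events: List[Dict], loop_window_s: int = 5) -> Dict:
    """Count daemon starts and SIGINT shutdowns, collect failed plugins and versions,
    and flag a restart loop (a shutdown within loop_window_s of a start)."""
    starts = shutdowns = 0
    failed, versions = set(), set()
    last_start = None
    restart_loop = False
    for e in events:
        msg = e["msg"]
        m = START_RE.search(msg)
        if m:
            starts += 1
            versions.add(m["version"])
            last_start = e["ts"]
            continue
        if "SIGINT received" in msg:
            shutdowns += 1
            if last_start and (e["ts"] - last_start).total_seconds() <= loop_window_s:
                restart_loop = True
            continue
        m = PLUGIN_FAIL_RE.search(msg)
        if m:
            failed.add(m["name"])
    return {
        "starts": starts,
        "sigint_shutdowns": shutdowns,
        "failed_plugins": sorted(failed),
        "versions": sorted(versions),
        "restart_loop": restart_loop,
        # No [IKE] line at all means the daemon never negotiated with the peer.
        "reached_ike": any(e["group"] == "IKE" for e in events),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

    On the constructed sample the summary reports two starts, one SIGINT shutdown, the failed plugin list `['ha']`, `restart_loop` true and `reached_ike` false. The ha failure is logged at [LIB] level and is followed straight away by "Starting IKE charon daemon", so by itself it does not stop the daemon; what the summary makes visible is that the daemon is being started and interrupted within the same second and has not logged a single [IKE] message, so there is no negotiation with the peer in this snippet to debug yet.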

  7. #17 jcoffin, Untangler (Join Date: Aug 2008; Location: Lake Tahoe; Posts: 9,768)


    Not sure what is causing the "ha_plugin_create returned NULL" error.

  8. #18 sky-knight, Untangle Ninja (Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 26,559)


    This is the doc I was referring to: https://techlib.barracuda.com/ngx/co...azonvpngateway

    The only problem I see is it simply specifies AES, and Untangle has multiple AES versions to choose from.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  9. #19 Untangler (Join Date: Oct 2015; Posts: 54)


    I’m working from configuration instructions downloaded from AWS for a generic, static (no BGP) VPN. I want to share what I’ve done so far and ask some questions, just to see if there are any obvious mistakes.

    Untangle IPSec Tunnel Auto Mode

    I assumed that the AWS connection would be an on-demand tunnel. If that’s not the right way to proceed, then I will need to switch Auto Mode from Add back to Start.

    Phase 1 IKE/ISAKMP Manual Configuration

    Here are the relevant AWS instructions for Internet Key Exchange Configuration

    Configure the IKE SA as follows
    - Authentication Method : Pre-Shared Key
    - Pre-Shared Key : <text of key 1>
    - Authentication Algorithm : sha1
    - Encryption Algorithm : aes-128-cbc
    - Lifetime : 28800 seconds
    - Phase 1 Negotiation Mode : main
    - Perfect Forward Secrecy : Diffie-Hellman Group 2


    Based on that I entered the following, which seems to be consistent with the AWS instructions:

    [attachment: image 1.jpg]

    Phase 2 ESP Manual Configuration

    The next part of the AWS instructions are labelled as “IPSec Configuration”. I assume it’s referencing what the Untangle module identifies as Phase 2 ESP Configuration.

    Configure the IPSec SA as follows:
    - Protocol : esp
    - Authentication Algorithm : hmac-sha1-96
    - Encryption Algorithm : aes-128-cbc
    - Lifetime : 3600 seconds
    - Mode : tunnel
    - Perfect Forward Secrecy : Diffie-Hellman Group 2


    Here’s what I entered, hoping that hmac-sha1-96 is equivalent to the Untangle module setting of SHA-1.

    [attachment: image 2.jpg]

    Dead Peer Detection

    The AWS instructions follow with:

    IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We recommend configuring DPD on your endpoint as follows:

    - DPD Interval : 10
    - DPD Retries : 3


    I assume those entries correspond to DPD Interval and DPD Timeout on the module page, leaving me with:


    [attachment: image 3.jpg]

    Encapsulating Security Payload Headers

    The AWS instructions include the following. I’m not at all sure what, if anything, I can do in response.

    IPSec ESP (Encapsulating Security Payload) inserts additional
    headers to transmit packets. These headers require additional space,
    which reduces the amount of space available to transmit application data.

    To limit the impact of this behavior, we recommend the following
    configuration on your Customer Gateway:
    - TCP MSS Adjustment : 1387 bytes
    - Clear Don't Fragment Bit : enabled
    - Fragmentation : Before encryption
    Last edited by RERobbins; 02-12-2016 at 07:31 AM.
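    The AWS parameters quoted in this post, together with the pre-shared-key formatting question from #13 and #15, map onto strongSwan's ipsec.conf and ipsec.secrets syntax as follows. This is an added example, not Untangle's own configuration generator or the AWS template: the connection name, addresses, subnets and PSK are placeholders, only the AWS names that appear on this page are mapped, and the keywords emitted are strongSwan's ipsec.conf ones. Three points it makes concrete: the DH group inside the esp proposal is what turns on Phase 2 PFS (drop it and PFS is gone); strongSwan's IKEv1 dpdtimeout is derived from the AWS interval times retries; and auto=add only loads the conn and waits for something to initiate it, whereas auto=start initiates at startup. The TCP MSS value becomes an iptables TCPMSS rule; the DF-bit and pre-encryption fragmentation settings are platform options this example does not cover.

```python
"""Turn the parameters of an AWS static (no BGP) VPN tunnel into strongSwan
ipsec.conf / ipsec.secrets text plus a TCP MSS clamp rule.

Added example, not Untangle's configuration generator.  All addresses, subnets,
names and the PSK below are placeholders (RFC 5737 documentation ranges)."""
from dataclasses import dataclass
from typing import Optional

# AWS names as they appear in the generic customer-gateway instructions -> strongSwan tokens.
ENC = {"aes-128-cbc": "aes128"}
AUTH = {"sha1": "sha1", "hmac-sha1-96": "sha1"}   # hmac-sha1-96 is strongSwan's "sha1" integrity
DH = {2: "modp1024", 14: "modp2048"}


@dataclass(frozen=True)
class AwsTunnel:
    name: str
    local_ip: str            # customer gateway (Untangle) public address
    remote_ip: str           # AWS virtual private gateway outside address for this tunnel
    local_subnet: str
    remote_subnet: str
    psk: str
    ike_enc: str = "aes-128-cbc"
    ike_auth: str = "sha1"
    ike_dh: int = 2
    ike_lifetime: int = 28800
    esp_enc: str = "aes-128-cbc"
    esp_auth: str = "hmac-sha1-96"
    esp_pfs_dh: Optional[int] = 2   # None would disable PFS for Phase 2
    esp_lifetime: int = 3600
    dpd_interval: int = 10
    dpd_retries: int = 3
    on_demand: bool = False         # True -> auto=add (load only), False -> auto=start


def ike_proposal(t: AwsTunnel) -> str:
    """Phase 1 proposal; the trailing '!' makes strongSwan accept nothing else."""
    return f"{ENC[t.ike_enc]}-{AUTH[t.ike_auth]}-{DH[t.ike_dh]}!"


def esp_proposal(t: AwsTunnel) -> str:
    """Phase 2 proposal; a DH group in this string is what enables PFS."""
    base = f"{ENC[t.esp_enc]}-{AUTH[t.esp_auth]}"
    return f"{base}-{DH[t.esp_pfs_dh]}!" if t.esp_pfs_dh is not None else f"{base}!"


def dpd_timeout(t: AwsTunnel) -> int:
    """AWS gives interval and retries; strongSwan (IKEv1) wants one timeout in seconds."""
    return t.dpd_interval * t.dpd_retries


def conn_section(t: AwsTunnel) -> str:
    lines = [
        f"conn {t.name}",
        "    keyexchange=ikev1",
        "    aggressive=no",            # AWS: Phase 1 negotiation mode = main
        "    authby=secret",
        f"    left={t.local_ip}",
        f"    leftsubnet={t.local_subnet}",
        f"    right={t.remote_ip}",
        f"    rightsubnet={t.remote_subnet}",
        "    type=tunnel",
        f"    ike={ike_proposal(t)}",
        f"    ikelifetime={t.ike_lifetime}s",
        f"    esp={esp_proposal(t)}",
        f"    lifetime={t.esp_lifetime}s",
        "    dpdaction=restart",
        f"    dpddelay={t.dpd_interval}s",
        f"    dpdtimeout={dpd_timeout(t)}s",
        f"    auto={'add' if t.on_demand else 'start'}",
    ]
    return "\n".join(lines) + "\n"


def secrets_line(t: AwsTunnel) -> str:
    """ipsec.secrets entry in strongSwan's quoted-string PSK form; the bare
    secret (no quotes) is what goes into the Untangle GUI field (post #15)."""
    if '"' in t.psk or "\n" in t.psk or not t.psk:
        raise ValueError("PSK must be non-empty and contain no double quote or newline")
    return f'{t.local_ip} {t.remote_ip} : PSK "{t.psk}"'


def mss_clamp_rule(iface: str, mss: int = 1387) -> str:
    """Clamp TCP MSS on SYNs forwarded out towards the tunnel so ESP overhead
    does not push packets past the path MTU."""
    return (f"iptables -t mangle -A FORWARD -o {iface} -p tcp "
            f"--tcp-flags SYN,RST SYN -j TCPMSS --set-mss {mss}")


if __name__ == "__main__":
    tunnel = AwsTunnel(name="aws-tunnel-1", local_ip="203.0.113.10",
                       remote_ip="198.51.100.20", local_subnet="192.168.1.0/24",
                       remote_subnet="10.0.0.0/16", psk="placeholder-psk")
    print(conn_section(tunnel))
    print(secrets_line(tunnel))
    print(mss_clamp_rule("eth0"))
```

    For the AWS values on this page the generator emits `ike=aes128-sha1-modp1024!` and `esp=aes128-sha1-modp1024!`, `ikelifetime=28800s`, `lifetime=3600s`, `dpddelay=10s` and `dpdtimeout=30s`. The strict `!` pins the proposals to exactly what AWS specified, which matters because modp1024 and SHA-1 are already the weakest end of what one would accept; pinning prevents a downgrade below even that.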

  10. #20 Untangler (Join Date: Oct 2015; Posts: 54)


    It appears that I have managed to get a tunnel working between the Untangle device and Amazon hardware VPN. Routing isn't working yet, but I will be sifting through that. If I can report success I will summarize the steps, if I get stuck, I will start a new thread with a more up to date snapshot and any questions.

