Welcome, Guest. Please login or register.
Did you miss your activation email?
Friday 01 November 2024, 04:21:47 pm

Login with username, password and session length

Visit the official Endian Community Mailinglist  HERE
14248 Posts in 4376 Topics by 6515 Members
Latest Member: hulteends
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  VPN Support
| | |-+  VPN Beta Testers Needed
0 Members and 2 Guests are viewing this topic. « previous next »
Pages: [1] 2 3 Go Down Print
Author Topic: VPN Beta Testers Needed  (Read 102994 times)
robert
Full Member
***
Offline Offline

Posts: 23


« on: Thursday 28 February 2013, 09:39:56 am »

I'm just finishing up changes to the VPN support in EFW Community 2.5.1.

It includes the following improvements:
  • Add Xauth support to IPsec for host-net connections
  • Proper IPsec operation when initiator is behind NAT
  • L2TP PSK and Certificate
  • Xauth/L2TP User configuration page

With these changes I'm able to connect from my phone behind a NATed connection using IPsec with certificate and Xauth as well as L2TP using a certificate or a PSK.

This not only adds a new package for the L2TP support it also modifies the existing efw-ipsec package.  As a result I would like to get as much testing as possible before releasing it and possible breaking someone's IPsec connection.

If you are interested in giving this a try (and can access your firewall even without your IPsec connection :-)) please let me know.
Logged
sota
Full Member
***
Offline Offline

Posts: 14


« Reply #1 on: Saturday 09 March 2013, 04:55:01 am »

OK Robert, I'll give it a try.
Logged
robert
Full Member
***
Offline Offline

Posts: 23


« Reply #2 on: Wednesday 13 March 2013, 02:47:37 pm »

Ok, you can install it from my repositories, instructions for the repositories are at http://repo.opensource-sw.net/efw.

The package you need to install using the smart package manager is ossw-l2tp.  That will also install updated versions of strongswan and efw-ipsec.
Logged
dda
Sr. Member
****
Offline Offline

Posts: 227


« Reply #3 on: Wednesday 20 March 2013, 04:23:09 am »

Very interested in this as I have a VPN up now passing thru to a windows server, but don't know how to install the packages.
Logged
sota
Full Member
***
Offline Offline

Posts: 14


« Reply #4 on: Sunday 24 March 2013, 12:25:37 am »

Hi Robert,

Thank you for that. I have run your script and enabled the additional channels. However, smart install returns "matches no packages" if I use ossw-l2tp or the full package name. If I give it the http path to package, it comes back with "no package provides efw-ipsec >= 1:2.7.6

I assume it's a mistake on my part?

Thanks,

Pat
Logged
dda
Sr. Member
****
Offline Offline

Posts: 227


« Reply #5 on: Thursday 04 April 2013, 03:50:04 am »

Hi can someone explain to me how to run this script please?
Logged
oleg31337
Jr. Member
*
Offline Offline

Posts: 2


« Reply #6 on: Thursday 25 April 2013, 08:00:05 pm »

Hi Robert,
I'm struggling in getting your L2TP to work on EFW Community but with no luck so far Sad
Could you please assist in configuring it?
I'm trying to connect from Windows7 machine and have tried different configs.
I'm not sure what am I doing because I have very poor VPN background knowledge.
Logged
oleg31337
Jr. Member
*
Offline Offline

Posts: 2


« Reply #7 on: Thursday 25 April 2013, 08:16:19 pm »

i think pre-shared key authentication doesn't work.
I have configured authentication using self-signed certificate (generated it in efw interface) and vpn connection worked ok.
Logged
sota
Full Member
***
Offline Offline

Posts: 14


« Reply #8 on: Monday 17 June 2013, 03:21:17 am »

I'm also have problems getting this to work with PSK authentication. What I see in the logs is the following:

ipsec_starter (17513) Starting strongSwan 4.6.4 IPsec [starter]...
ipsec_starter (17513) # duplicate "rightsubnet" option
ipsec_starter (17513) bad argument value in conn "MacSweeney-nat"
ipsec_starter (17513) ### 1 parsing error (1 fatal) ###
ipsec_starter (17513) unable to start strongSwan -- fatal errors in config

Anyone got any ideas?
Logged
sota
Full Member
***
Offline Offline

Posts: 14


« Reply #9 on: Wednesday 19 June 2013, 09:24:55 pm »

OK, so to answer my own question I had an e-mail from Robert about this:

You need to patch /etc/ipsec/ipsec.conf.tmpl with the following patch:

--- ipsec.conf.tmpl-orig        2013-06-17 16:28:38.000000000 -0700
+++ ipsec.conf.tmpl     2013-06-17 16:28:42.000000000 -0700
@@ -59,9 +59,11 @@
     #end for
   #end for

+#if $conn.connection_type != 'net'
 conn $conn.name-nat
        rightsubnet=vhost:%priv,%no
        also=$conn.name
+#end if

 conn $conn.name
        dpdaction=$conn.dpd_action

Logged
sota
Full Member
***
Offline Offline

Posts: 14


« Reply #10 on: Wednesday 19 June 2013, 09:27:57 pm »

I ran smart install patch and then tried to patch /etc/ipsec/ipsec.conf.tmpl but it failed for some reason, so I patched it manually. All my VPNs are now back .

Thanks, Robert!
Logged
barracksbuilder
Jr. Member
*
Offline Offline

Posts: 1


« Reply #11 on: Thursday 20 June 2013, 11:12:22 am »

I've installed your ossw-l2tp package and can see additional tabs in vpn. I think i am having trouble configuring the tunnel.

IPsec Tab => Enabled: checked, Zone: green, Dynamic IP pool: 192.168.9.1/24 (outside of any zones), I clicked Add. Select L2TP Host-to-Net Virtual Private Network. Name: L2TP, Authentication: Use a pre-share key: password. All other settings left to default or blank. (Save)

L2TP Tab => Check L2TP server enabled, Zone: Green, IP pool start 192.168.8.2, IP pool end 192.168.8.10 (This ip is outside of my zones), All debugging options checked. (Save and restart)

IPsec / L2TP Users Tab => Add account, username: test, password: password2, Authentication Methods: L2TP checked. (Save)

I then click Restart IPsec / L2TP server

Android Phone (S4 with Wifi off, connecting through sprint)
New VPN => Name: Test, Type L2TP/IPSec PSK, Server Address: My red IP from comcast, IPsec pre-shared key: password (Same from IPSec Tab L2TP that I created) [Save]
Click to connect => username: test, password: password2, save account info: checked [Connect]

Sits and connects for a while, I do see some logging going on in the system log. I removed my remote IP (endian) you can have my phones IP sprint will rotate it soon as i reconnect to their network.

Code:
System	2013-06-19 19:58:08	pluto (11718) | removing 20 bytes of padding
System 2013-06-19 19:58:08 pluto (11718) | peer client is 29.41.67.41
System 2013-06-19 19:58:08 pluto (11718) | peer client protocol/port is 17/0
System 2013-06-19 19:58:08 pluto (11718) | our client is {removed}
System 2013-06-19 19:58:08 pluto (11718) | our client protocol/port is 17/1701
System 2013-06-19 19:58:08 pluto (11718) cannot respond to IPsec SA request because no connection is known for {removed}:4500[{removed}]:17/1701...68.24.131.41:359 53[29.41.67.41]:17/%any===29.41.67.41/32
System 2013-06-19 19:58:08 pluto (11718) sending encrypted notification INVALID_ID_INFORMATION to 68.24.131.41:35953
...
System 2013-06-19 19:58:08 pluto (11718) INVALID_ID_INFORMATION
System 2013-06-19 19:58:08 pluto (11718) | emitting 0 raw bytes of spi into ISAKMP Notification Payload
System 2013-06-19 19:58:08 pluto (11718) | spi
System 2013-06-19 19:58:08 pluto (11718) 12
System 2013-06-19 19:58:08 pluto (11718) | emitting 12 zero bytes of encryption padding into ISAKMP Message
System 2013-06-19 19:58:08 pluto (11718) 76
System 2013-06-19 19:58:10 pluto (11718) |
System 2013-06-19 19:58:10 pluto (11718) | *received 348 bytes from 68.24.131.41:35953 on eth4
System 2013-06-19 19:58:10 pluto (11718) | **parse ISAKMP Message:
System 2013-06-19 19:58:10 pluto (11718) | initiator cookie:
System 2013-06-19 19:58:10 pluto (11718) | 38 31 dc 09 36 b9 2f ed
System 2013-06-19 19:58:10 pluto (11718) | responder cookie:
System 2013-06-19 19:58:10 pluto (11718) | 54 fa 96 07 87 77 58 15
System 2013-06-19 19:58:10 pluto (11718) ISAKMP_NEXT_HASH
System 2013-06-19 19:58:10 pluto (11718) ISAKMP Version 1.0
System 2013-06-19 19:58:10 pluto (11718) ISAKMP_XCHG_QUICK
System 2013-06-19 19:58:10 pluto (11718) ISAKMP_FLAG_ENCRYPTION
System 2013-06-19 19:58:10 pluto (11718) b2 9b aa 69
System 2013-06-19 19:58:10 pluto (11718) 348
System 2013-06-19 19:58:10 pluto (11718) Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x69aa9bb2 (perhaps this is a duplicated packet)
System 2013-06-19 19:58:10 pluto (11718) sending encrypted notification INVALID_MESSAGE_ID to 68.24.131.41:35953
...
System 2013-06-19 19:58:20 pluto (11718) | ***emit ISAKMP Notification Payload:
System 2013-06-19 19:58:20 pluto (11718) ISAKMP_NEXT_NONE
System 2013-06-19 19:58:20 pluto (11718) ISAKMP_DOI_IPSEC
System 2013-06-19 19:58:20 pluto (11718) 1
System 2013-06-19 19:58:20 pluto (11718) 0
System 2013-06-19 19:58:20 pluto (11718) INVALID_MESSAGE_ID
System 2013-06-19 19:58:20 pluto (11718) | emitting 0 raw bytes of spi into ISAKMP Notification Payload
System 2013-06-19 19:58:20 pluto (11718) | spi
System 2013-06-19 19:58:20 pluto (11718) 12
System 2013-06-19 19:58:20 pluto (11718) | emitting 12 zero bytes of encryption padding into ISAKMP Message
System 2013-06-19 19:58:20 pluto (11718) 76
System 2013-06-19 19:58:22 pluto (11718) |
...
System 2013-06-19 19:58:35 pluto (11718) | emitting 12 zero bytes of encryption padding into ISAKMP Message
System 2013-06-19 19:58:35 pluto (11718) 76

Had to trim down the logs things that stuck out to me i kept. Any help is appreciative.
Logged
svoelker
Jr. Member
*
Offline Offline

Posts: 2


« Reply #12 on: Friday 28 June 2013, 01:32:24 am »

Somehow the openvpn user tab is gone now.

i mean i can still open it in the browser manualy when i enter /cgi-bin/openvpn_users.cgi

But it whould be more comfortable to get it back into the menu.

No idea why its gone tho and i doubt the ipsec / l2tp users are used for openvpn aswell.
Logged
membrane
Jr. Member
*
Offline Offline

Posts: 4


« Reply #13 on: Friday 26 July 2013, 04:53:14 am »

How exatly do you apply the patch?
Logged
dda
Sr. Member
****
Offline Offline

Posts: 227


« Reply #14 on: Wednesday 14 August 2013, 08:47:08 am »

Check out this thread Membrane
http://www.efwsupport.com/index.php/topic,3101.msg10089.html#msg10089
Logged
Pages: [1] 2 3 Go Up Print 
« previous next »
Jump to:  

Page created in 0.141 seconds with 19 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com