Welcome, Guest. Please login or register.
Did you miss your activation email?
Monday 25 November 2024, 06:46:54 pm

Login with username, password and session length

Visit the Official Endian Reference Manual  HERE
14261 Posts in 4377 Topics by 6517 Members
Latest Member: Sandro
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  VPN Support
| | |-+  Difficult VPN connection with IPsec
0 Members and 1 Guest are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: Difficult VPN connection with IPsec  (Read 19428 times)
ricardo.claus
Full Member
***
Offline Offline

Posts: 30


« on: Friday 25 August 2017, 05:37:16 am »

Hello guys,
I'm having trouble closing a Lan-to-LAN VPN connection with IPsec.

My scenery:
Endian 3.2 Community which is the gateway of my network, connecting to a remote IPsec server, Palo Alto UTM.

My Endian could not connect.
I need to release some output port for IPsec to connect?
I released the doors 50, 51 and 500.
Strange is that in the firewall log, I do not see any connection going out to the remote IP. Is it correct that the IPsec outgoing connection does not appear in the firewall log?

The following is the IPsec log:

Every 1.0s: ipsec statusall                                                                                                                                                                                                                           Thu Aug 24 16:28:39 2017

Status of IKE charon daemon (weakSwan 5.3.5, Linux 4.1.35.e13.1, x86_64):
  uptime: 111 minutes, since Aug 24 14:37:39 2017
  malloc: sbrk 2723840, mmap 0, used 473600, free 2250240
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon ldap aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp agent xcbc cmac hmac curl attr kernel-netlink resolve socket-default farp stroke updown eap-i
dentity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius xauth-generic xauth-pam dhcp lookip addrblock
Listening IP addresses:
  IPWAN
  IPLAN

Connections:
  vpnremoto:  IPWAN...IPREMOTE  IKEv1, dpddelay=30s
  vpnremoto:   local:  [vpnlocal] uses pre-shared key authentication
  vpnremoto:   remote: [vpnremoto] uses pre-shared key authentication
  vpnremoto:   child:  10.10.14.96/30 === 10.14.11.40/32 TUNNEL, dpdaction=clear
Security Associations (0 up, 1 connecting):
  vpnremoto[5]: CONNECTING, MY IPWAN [vpnlocal]...IPREMOTE[%any]
  vpnremoto[5]: IKEv1 SPIs: 553fd867b9f3a47e_i* aa3664da7e01e79a_r
  vpnremoto[5]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
  vpnremoto[5]: Tasks queued: QUICK_MODE
  vpnremoto[5]: Tasks active: ISAKMP_VENDOR MAIN_MODE


Logged
Dark-Vex
Sr. Member
****
Offline Offline

Posts: 105


« Reply #1 on: Monday 04 September 2017, 05:24:42 pm »

Hi, you don't need to open any ports on the outgoing firewall, because the connections generated by the firewall are always allowed. On the router (if filter the outgoing traffic) you need to open the port UDP 500 and UDP 4500
Check the ipsec logs under /var/log/ipsec/ipsec.log for errors
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.063 seconds with 19 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com