Welcome, Guest. Please login or register.
Did you miss your activation email?
Friday 15 November 2024, 08:24:17 am

Login with username, password and session length

CLICK HERE for the The official Endian Roadmap and Issue tracker
14255 Posts in 4377 Topics by 6515 Members
Latest Member: hulteends
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  VPN Support
| | |-+  Ipsec vpn from 2.5.2 to 3.0.0 no more works
0 Members and 2 Guests are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: Ipsec vpn from 2.5.2 to 3.0.0 no more works  (Read 60369 times)
mmiat
Sr. Member
****
Offline Offline

Gender: Male
Posts: 236


WWW
« on: Monday 14 July 2014, 10:33:46 pm »

what the hell....

I installed endian 3, imported 2.5.2 backup and vpn no more works
I tried to reconfigure, and nothing changes
In GUI 3des is missing, but in /var/efw/vpn/config it's ok
in log I've this error:

Quote
received NO_PROPOSAL_CHOSEN error notify

f**k, f**k, f**k !!!
Logged

---------------------
IT Consultant
www.fsw.it
Hardware & Software
mdalpe2212
Jr. Member
*
Offline Offline

Posts: 2


« Reply #1 on: Sunday 20 July 2014, 08:15:38 am »

just upgrade 2 appliances from 2.5 to 3... have 4 in total, they where all connected with ipsec net 2 net.

since the upgrade, it's not working anymore, the 2 with version 2.5 are rock solid.

so , on the version 3, I deleted all configure connection... recreate only 1 between both version 3... and guess what... not working

I have another version 3 ( spare ) so decided to connect it... and create  new connection to 1 of the 'not working' unit... the ipsec connection work for about 10 to 15 min ( guessing ) then it drop dead.. and not able to get it working any more...

I notice on some forum tread that you can modify the config file... but since the result is not working for all , I'm guessing that it still not the root cause.

any one.. any idea ?
Logged
mdalpe2212
Jr. Member
*
Offline Offline

Posts: 2


« Reply #2 on: Sunday 20 July 2014, 11:22:20 am »

on both endian, the connections are connected ( status )

after a while ( 1 hours ) it goes to Close status.

when I check the informations button of the connection, everything look fine.

both green zone are unable to see each other

( remember, in version 2.5, everything was working fine )

so, is it a bug in the upgrade process ?  are the new appliance delivered with version 3 have the same bug ?

what I'm trying to do is IPSec vpn net-to-net connection ( endian to endian ) , the only exemple is on version 2.5, so I guess this has not change.

am I thinking the wrong way here ?
Logged
mmiat
Sr. Member
****
Offline Offline

Gender: Male
Posts: 236


WWW
« Reply #3 on: Sunday 20 July 2014, 05:20:36 pm »

I think that there is a bug in new ipsec used in endian 3
Logged

---------------------
IT Consultant
www.fsw.it
Hardware & Software
mmiat
Sr. Member
****
Offline Offline

Gender: Male
Posts: 236


WWW
« Reply #4 on: Monday 21 July 2014, 05:56:32 pm »

in jira.endian.com (official endian bugtracker), issue #UTM-875

this should be the final fix:
http://share.endian.com/luca/public/efw-ipsec-3.0.52-1.endian9.noarch.rpm
http://share.endian.com/luca/public/jobsengine-3.0.26-1.endian5.i586.rpm
Basically we just removed the leftsourceip since it was needed for a previous ipsec version.

I hope it works, I'll try
Logged

---------------------
IT Consultant
www.fsw.it
Hardware & Software
mmiat
Sr. Member
****
Offline Offline

Gender: Male
Posts: 236


WWW
« Reply #5 on: Wednesday 23 July 2014, 05:18:18 pm »

no, it doesn't work
I surrender, I'll try IPFire or pfSense
Logged

---------------------
IT Consultant
www.fsw.it
Hardware & Software
leonardobp
Jr. Member
*
Offline Offline

Posts: 1


« Reply #6 on: Sunday 17 August 2014, 02:12:49 am »

Hi mmiat!!

We tried those packages you suggested and they worked just fine!! Which version of Endian Community are you using right now?
Even we tried rebooting both firewalls (they are a lab setup, precisely on purpose before we make an upgrade to all 5 of our Endian firewalls)
I must say, from Endian 2.5 it's a mayor MAYOR upgrade since IKEv2 allows us to specify several SA and simplify IPsec VPN with our customers.

Between our offices we're using openVPN since it already did that. Our business needs are quite particular. From HQ we stablish IPsec with our customers and from our branches we NAT the network so our customer sees us as only one single block of IPs.

I guess right now we could go ahead and use IPsec instead of openVPN...

What would you suggest?

When I get to the office I'll let you know which specific version/build of Endian are we using in the lab.

Thank very much!

Best regards,

LBP
Logged
SerFingolfin
Jr. Member
*
Offline Offline

Posts: 9


« Reply #7 on: Tuesday 07 October 2014, 07:38:50 pm »

Suggested packages worked for me!
Logged
tctcbrent
Jr. Member
*
Offline Offline

Posts: 5


« Reply #8 on: Tuesday 09 December 2014, 07:47:40 am »

Any update on this?  I still can't seem to get this working.
Logged
mmiat
Sr. Member
****
Offline Offline

Gender: Male
Posts: 236


WWW
« Reply #9 on: Monday 22 December 2014, 09:25:58 pm »

I'm still using 2.5.2, I don't trust in 3.0
Logged

---------------------
IT Consultant
www.fsw.it
Hardware & Software
nico.1976
Jr. Member
*
Offline Offline

Posts: 2


« Reply #10 on: Tuesday 01 March 2016, 09:17:30 am »

I've the same problem.
any solutions?
thanks
Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #11 on: Thursday 03 March 2016, 04:18:42 am »

I had many problems with EFW 3.0.5 trying to connect to some Juniper IPSEC.
It was constant drops, and only one segment was connecting. I tried each and every possible config for Strongswan, and no one worked.

In the end what I did was a dirty manual installation of OpenSwan, replacing StrongSwan.
I extracted all files from the Openswan rpm, and manually copy over the 3.0.5. The I replace all startup/stop scripts to match what Openswan needs.
Also I replaced the templates to force the good config for Openswan.
It was ugly, but t works indeed, and Openswan works way better that Strongswan. I have some hiccups from time to time (each N days, or N weeks), but overall works fine.

It seems that they sell us Strongswan as a better package, but in the end it failed miserably.
I can't exactly suggest you anything, I just warn you that Strongswan in Endian 3.0.5 is a POS, it doesn't work for me. After I changed to Openswan it worked from the first attempt.
But I did all manually and with custom files, it can't be replicated easily.
Logged
mmiat
Sr. Member
****
Offline Offline

Gender: Male
Posts: 236


WWW
« Reply #12 on: Thursday 05 January 2017, 07:44:00 pm »

yesterday I've tried to upgrade again, from 2.5.2 to 3.2.2
now vpn goes up, but after a while (a  of minutes or a  of hours) it goes down, it doesn't restart automatically and I've to restart it manually
has someone fixed this problem?
thanks
Logged

---------------------
IT Consultant
www.fsw.it
Hardware & Software
Dark-Vex
Sr. Member
****
Offline Offline

Posts: 105


« Reply #13 on: Monday 09 January 2017, 07:34:56 pm »

Maybe can be a rekey issue, please paste the output of "ipsec statusall" when there is the issue
Logged
mmiat
Sr. Member
****
Offline Offline

Gender: Male
Posts: 236


WWW
« Reply #14 on: Friday 20 January 2017, 07:31:34 pm »

Maybe can be a rekey issue, please paste the output of "ipsec statusall" when there is the issue

no problems for a week, then twice last two days Sad

here the output (I've hidden the public ip addresses):

Quote
Status of IKE charon daemon (weakSwan 5.3.5, Linux 4.1.17.e12, x86_64):
  uptime: 17 hours, since Jan 19 15:57:53 2017
  malloc: sbrk 2543616, mmap 0, used 487632, free 2055984
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon ldap aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp agent xcbc cmac hmac curl attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius xauth-generic xauth-pam dhcp lookip addrbl ock
Listening IP addresses:
  185....57
  185....58
  93....230
  192.168.200.254
  192.168.10.254
Connections:
         AAA:  185....57...151....3  IKEv1, dpddelay=30s
         AAA:   local:  [185....57] uses pre-shared key authentication
         AAA:   remote: [151....3] uses pre-shared key authentication
         AAA:   child:  10.143.144.112/29 === 10.0.0.0/8 TUNNEL, dpdaction=restart
        XXXX:  185....57...78....81  IKEv1, dpddelay=30s
        XXXX:   local:  [185....57] uses pre-shared key authentication
        XXXX:   remote: [172.25.242.1] uses pre-shared key authentication
        XXXX:   child:  172.29.246.240/28 === 172.25.0.0/16 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
        XXXX[13]: ESTABLISHED 90 minutes ago, 185....57[185....57]...78....81[172.25.242.1]
        XXXX[13]: IKEv1 SPIs: 485691cb2411827e_i* 372dec3866a52699_r, pre-shared key reauthentication in 14 minutes
        XXXX[13]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
        XXXX{7}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: cc11d855_i 8c409953_o
        XXXX{7}:  3DES_CBC/HMAC_MD5_96, 0 bytes_i, 0 bytes_o, rekeying in 5 hours
        XXXX{7}:   172.29.246.240/28 === 172.25.0.0/16
Logged

---------------------
IT Consultant
www.fsw.it
Hardware & Software
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.125 seconds with 18 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com