Title: Difficult VPN connection with IPsec
Post by: ricardo.claus on Friday 25 August 2017, 05:37:16 am

Hello guys,

I'm having trouble establishing a LAN-to-LAN VPN connection with IPsec. My scenario: Endian 3.2 Community, which is the gateway of my network, connecting to a remote IPsec server, a Palo Alto UTM. My Endian could not connect. Do I need to open some outgoing port for IPsec to connect? I opened ports 50, 51 and 500. The strange thing is that in the firewall log I do not see any connection going out to the remote IP. Is it correct that the outgoing IPsec connection does not appear in the firewall log? The following is the IPsec log:

Every 1.0s: ipsec statusall    Thu Aug 24 16:28:39 2017

Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.1.35.e13.1, x86_64):
  uptime: 111 minutes, since Aug 24 14:37:39 2017
  malloc: sbrk 2723840, mmap 0, used 473600, free 2250240
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon ldap aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp agent xcbc cmac hmac curl attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius xauth-generic xauth-pam dhcp lookip addrblock
Listening IP addresses:
  IPWAN
  IPLAN
Connections:
   vpnremoto:  IPWAN...IPREMOTE  IKEv1, dpddelay=30s
   vpnremoto:   local:  [vpnlocal] uses pre-shared key authentication
   vpnremoto:   remote: [vpnremoto] uses pre-shared key authentication
   vpnremoto:   child:  10.10.14.96/30 === 10.14.11.40/32 TUNNEL, dpdaction=clear
Security Associations (0 up, 1 connecting):
   vpnremoto[5]: CONNECTING, MY IPWAN [vpnlocal]...IPREMOTE[%any]
   vpnremoto[5]: IKEv1 SPIs: 553fd867b9f3a47e_i* aa3664da7e01e79a_r
   vpnremoto[5]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
   vpnremoto[5]: Tasks queued: QUICK_MODE
   vpnremoto[5]: Tasks active: ISAKMP_VENDOR MAIN_MODE

Title: Re: Difficult VPN connection with IPsec
Post by: Dark-Vex on Monday 04 September 2017, 05:24:42 pm

Hi, you don't need to open any ports on the outgoing firewall, because connections generated by the firewall itself are always allowed. On the router (if it filters outgoing traffic) you need to open UDP port 500 and UDP port 4500.
Check the IPsec logs under /var/log/ipsec/ipsec.log for errors.
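As an added example (not code from either post or from Endian/strongSwan), a small Python parser for the Security Associations section of `ipsec statusall` as pasted above: it extracts each IKE SA's state and task lists and classifies a tunnel stuck in CONNECTING with MAIN_MODE still active as "phase 1 never answered", which is the symptom that points at the UDP 500/4500 path or the peer address rather than at the child SA. The sample text is constructed from the post (IPWAN/IPREMOTE are the poster's placeholders) plus an invented established connection named "branch" for contrast.

```python
import re
# Constructed sample: the SA section of the `ipsec statusall` output from the
# first post, plus an invented established tunnel ("branch") for contrast.
SAMPLE = """\
Security Associations (1 up, 1 connecting):
   vpnremoto[5]: CONNECTING, IPWAN[vpnlocal]...IPREMOTE[%any]
   vpnremoto[5]: IKEv1 SPIs: 553fd867b9f3a47e_i* aa3664da7e01e79a_r
   vpnremoto[5]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
   vpnremoto[5]: Tasks queued: QUICK_MODE
   vpnremoto[5]: Tasks active: ISAKMP_VENDOR MAIN_MODE
   branch[7]: ESTABLISHED 12 minutes ago, IPWAN[branchlocal]...IPBRANCH[branchremote]
   branch[7]: IKEv1 SPIs: 0011223344556677_i 8899aabbccddeeff_r*
   branch{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1234567_i c7654321_o
"""

# One line of IKE SA status: "<conn>[<id>]: <rest>"; child SAs use {n} and are skipped.
SA_LINE = re.compile(r"^\s*(?P<name>[\w.-]+)\[(?P<id>\d+)\]:\s*(?P<rest>.*)$")
# Phase-1 tasks: while one is still active the peer has not completed the IKE SA.
PHASE1_TASKS = {"MAIN_MODE", "AGGRESSIVE_MODE", "IKE_INIT", "IKE_AUTH"}


def parse_sas(text):
    """Return {(conn, id): {"state", "proposal", "active", "queued"}} from statusall output."""
    sas = {}
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if not m:
            continue
        key = (m["name"], int(m["id"]))
        sa = sas.setdefault(key, {"state": None, "proposal": "", "active": set(), "queued": set()})
        rest = m["rest"]
        if rest.startswith("IKE proposal: "):
            sa["proposal"] = rest[len("IKE proposal: "):]
        elif rest.startswith("Tasks active: "):
            sa["active"] = set(rest[len("Tasks active: "):].split())
        elif rest.startswith("Tasks queued: "):
            sa["queued"] = set(rest[len("Tasks queued: "):].split())
        elif sa["state"] is None and not rest.startswith("IKEv"):
            sa["state"] = rest.split(",")[0].split()[0]  # CONNECTING, ESTABLISHED, ...
    return sas


def diagnose(sa):
    """Classify one IKE SA from its state and task lists alone."""
    if sa["state"] == "ESTABLISHED":
        return "up"
    if sa["state"] == "CONNECTING" and sa["active"] & PHASE1_TASKS:
        return "phase1-no-response"  # peer never answered: check UDP 500/4500 path and peer address
    if sa["state"] == "CONNECTING":
        return "phase2-pending"      # IKE SA done; child SA (subnets / ESP proposal) still pending
    return "other"
```

Run it against the live output with `ipsec statusall | python3 -c 'import sys, diag; ...'` or paste the section into SAMPLE; a "phase1-no-response" result matches the reply above: nothing to open on the outgoing firewall, but the upstream router must pass UDP 500 and 4500.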