VPN Beta Testers Needed

[Guest]

[robert]

I'm just finishing up changes to the VPN support in EFW Community 2.5.1.

It includes the following improvements:

• Add Xauth support to IPsec for host-net connections
• Proper IPsec operation when initiator is behind NAT
• L2TP PSK and Certificate
• Xauth/L2TP User configuration page

With these changes I'm able to connect from my phone behind a NATed connection using IPsec with certificate and Xauth as well as L2TP using a certificate or a PSK.

This not only adds a new package for the L2TP support it also modifies the existing efw-ipsec package.  As a result I would like to get as much testing as possible before releasing it and possible breaking someone's IPsec connection.

If you are interested in giving this a try (and can access your firewall even without your IPsec connection :-)) please let me know.

[sota]

OK Robert, I'll give it a try.

[robert]

Ok, you can install it from my repositories, instructions for the repositories are at http://repo.opensource-sw.net/efw.

The package you need to install using the smart package manager is ossw-l2tp.  That will also install updated versions of strongswan and efw-ipsec.

[dda]

Very interested in this as I have a VPN up now passing thru to a windows server, but don't know how to install the packages.

[sota]

Hi Robert,

Thank you for that. I have run your script and enabled the additional channels. However, smart install returns "matches no packages" if I use ossw-l2tp or the full package name. If I give it the http path to package, it comes back with "no package provides efw-ipsec >= 1:2.7.6

I assume it's a mistake on my part?

Thanks,

Pat

[dda]

Hi can someone explain to me how to run this script please?

[oleg31337]

Hi Robert,
I'm struggling in getting your L2TP to work on EFW Community but with no luck so far
Could you please assist in configuring it?
I'm trying to connect from Windows7 machine and have tried different configs.
I'm not sure what am I doing because I have very poor VPN background knowledge.

[oleg31337]

i think pre-shared key authentication doesn't work.
I have configured authentication using self-signed certificate (generated it in efw interface) and vpn connection worked ok.

[sota]

I'm also have problems getting this to work with PSK authentication. What I see in the logs is the following:

ipsec_starter (17513) Starting strongSwan 4.6.4 IPsec [starter]...
ipsec_starter (17513) # duplicate "rightsubnet" option
ipsec_starter (17513) bad argument value in conn "MacSweeney-nat"
ipsec_starter (17513) ### 1 parsing error (1 fatal) ###
ipsec_starter (17513) unable to start strongSwan -- fatal errors in config

Anyone got any ideas?

[sota]

OK, so to answer my own question I had an e-mail from Robert about this:

You need to patch /etc/ipsec/ipsec.conf.tmpl with the following patch:

--- ipsec.conf.tmpl-orig        2013-06-17 16:28:38.000000000 -0700
+++ ipsec.conf.tmpl     2013-06-17 16:28:42.000000000 -0700
@@ -59,9 +59,11 @@
     #end for
   #end for

+#if $conn.connection_type != 'net'
 conn $conn.name-nat
        rightsubnet=vhost:%priv,%no
        also=$conn.name
+#end if

 conn $conn.name
        dpdaction=$conn.dpd_action

[sota]

I ran smart install patch and then tried to patch /etc/ipsec/ipsec.conf.tmpl but it failed for some reason, so I patched it manually. All my VPNs are now back .

Thanks, Robert!

[barracksbuilder]

I've installed your ossw-l2tp package and can see additional tabs in vpn. I think i am having trouble configuring the tunnel.

IPsec Tab => Enabled: checked, Zone: green, Dynamic IP pool: 192.168.9.1/24 (outside of any zones), I clicked Add. Select L2TP Host-to-Net Virtual Private Network. Name: L2TP, Authentication: Use a pre-share key: password. All other settings left to default or blank. (Save)

L2TP Tab => Check L2TP server enabled, Zone: Green, IP pool start 192.168.8.2, IP pool end 192.168.8.10 (This ip is outside of my zones), All debugging options checked. (Save and restart)

IPsec / L2TP Users Tab => Add account, username: test, password: password2, Authentication Methods: L2TP checked. (Save)

I then click Restart IPsec / L2TP server

Android Phone (S4 with Wifi off, connecting through sprint)
New VPN => Name: Test, Type L2TP/IPSec PSK, Server Address: My red IP from comcast, IPsec pre-shared key: password (Same from IPSec Tab L2TP that I created) [Save]
Click to connect => username: test, password: password2, save account info: checked [Connect]

Sits and connects for a while, I do see some logging going on in the system log. I removed my remote IP (endian) you can have my phones IP sprint will rotate it soon as i reconnect to their network.

Code:

System	2013-06-19 19:58:08	pluto (11718) | removing 20 bytes of padding
System	2013-06-19 19:58:08	pluto (11718) | peer client is 29.41.67.41
System	2013-06-19 19:58:08	pluto (11718) | peer client protocol/port is 17/0
System	2013-06-19 19:58:08	pluto (11718) | our client is {removed}
System	2013-06-19 19:58:08	pluto (11718) | our client protocol/port is 17/1701
System	2013-06-19 19:58:08	pluto (11718) cannot respond to IPsec SA request because no connection is known for {removed}:4500[{removed}]:17/1701...68.24.131.41:359 53[29.41.67.41]:17/%any===29.41.67.41/32
System	2013-06-19 19:58:08	pluto (11718) sending encrypted notification INVALID_ID_INFORMATION to 68.24.131.41:35953
...
System	2013-06-19 19:58:08	pluto (11718) INVALID_ID_INFORMATION
System	2013-06-19 19:58:08	pluto (11718) | emitting 0 raw bytes of spi into ISAKMP Notification Payload
System	2013-06-19 19:58:08	pluto (11718) | spi
System	2013-06-19 19:58:08	pluto (11718) 12
System	2013-06-19 19:58:08	pluto (11718) | emitting 12 zero bytes of encryption padding into ISAKMP Message
System	2013-06-19 19:58:08	pluto (11718) 76
System	2013-06-19 19:58:10	pluto (11718) |
System	2013-06-19 19:58:10	pluto (11718) | *received 348 bytes from 68.24.131.41:35953 on eth4
System	2013-06-19 19:58:10	pluto (11718) | **parse ISAKMP Message:
System	2013-06-19 19:58:10	pluto (11718) | initiator cookie:
System	2013-06-19 19:58:10	pluto (11718) | 38 31 dc 09 36 b9 2f ed
System	2013-06-19 19:58:10	pluto (11718) | responder cookie:
System	2013-06-19 19:58:10	pluto (11718) | 54 fa 96 07 87 77 58 15
System	2013-06-19 19:58:10	pluto (11718) ISAKMP_NEXT_HASH
System	2013-06-19 19:58:10	pluto (11718) ISAKMP Version 1.0
System	2013-06-19 19:58:10	pluto (11718) ISAKMP_XCHG_QUICK
System	2013-06-19 19:58:10	pluto (11718) ISAKMP_FLAG_ENCRYPTION
System	2013-06-19 19:58:10	pluto (11718) b2 9b aa 69
System	2013-06-19 19:58:10	pluto (11718) 348
System	2013-06-19 19:58:10	pluto (11718) Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x69aa9bb2 (perhaps this is a duplicated packet)
System	2013-06-19 19:58:10	pluto (11718) sending encrypted notification INVALID_MESSAGE_ID to 68.24.131.41:35953
...
System	2013-06-19 19:58:20	pluto (11718) | ***emit ISAKMP Notification Payload:
System	2013-06-19 19:58:20	pluto (11718) ISAKMP_NEXT_NONE
System	2013-06-19 19:58:20	pluto (11718) ISAKMP_DOI_IPSEC
System	2013-06-19 19:58:20	pluto (11718) 1
System	2013-06-19 19:58:20	pluto (11718) 0
System	2013-06-19 19:58:20	pluto (11718) INVALID_MESSAGE_ID
System	2013-06-19 19:58:20	pluto (11718) | emitting 0 raw bytes of spi into ISAKMP Notification Payload
System	2013-06-19 19:58:20	pluto (11718) | spi
System	2013-06-19 19:58:20	pluto (11718) 12
System	2013-06-19 19:58:20	pluto (11718) | emitting 12 zero bytes of encryption padding into ISAKMP Message
System	2013-06-19 19:58:20	pluto (11718) 76
System	2013-06-19 19:58:22	pluto (11718) |
...
System	2013-06-19 19:58:35	pluto (11718) | emitting 12 zero bytes of encryption padding into ISAKMP Message
System	2013-06-19 19:58:35	pluto (11718) 76

Had to trim down the logs things that stuck out to me i kept. Any help is appreciative.

[svoelker]

Somehow the openvpn user tab is gone now.

i mean i can still open it in the browser manualy when i enter /cgi-bin/openvpn_users.cgi

But it whould be more comfortable to get it back into the menu.

No idea why its gone tho and i doubt the ipsec / l2tp users are used for openvpn aswell.

[membrane]

How exatly do you apply the patch?

[dda]

Check out this thread Membrane
http://www.efwsupport.com/index.php/topic,3101.msg10089.html#msg10089