Author Topic: [EFW 3.0 IPSEC] connection made but no traffic  (Read 42539 times)
efwhelp987
« on: Tuesday 08 April 2014, 11:21:34 pm »

Our old (2.4.1) Endian was able to have a net-to-net VPN connection with a client's Cisco 5555-X.

Recently we upgraded it to 3.0 and reconfigured the VPN with the same remote/local subnet, pre-shared key, IKE/ESP settings, etc.

It was able to connect successfully; they see us connected, but we could not ping anything in their subnet.

Thanks.
mauroreggio
« Reply #1 on: Wednesday 09 April 2014, 01:42:43 am »

Hi, my name is Mauro.
I have the same problem.
I read many posts here about the VPN IPsec problem ... how is it possible that there are so many bugs?
I tried to follow this suggestion efwsupport.com/index.php/topic,3934.0.html (sorry, I can't post a clickable link) but it does not work for me.
Does anyone have ideas?
Thanks.
Mauro.

efwhelp987
« Reply #2 on: Wednesday 09 April 2014, 09:48:10 pm »

I have tried that too and it did not work.
wbrambati
« Reply #3 on: Friday 11 April 2014, 09:06:56 am »

I'm having the same problem and have not been able to solve it.
Bobybarns
« Reply #4 on: Saturday 12 April 2014, 09:53:40 am »

I think that the IPsec setup in 3.0 is broken; after my fix (efwsupport.com/index.php/topic,3934.0.html) you have to log in via SSH to the EFW and then do "ipsec start" to get IPsec going :-(

/Bo
wbrambati
« Reply #5 on: Sunday 13 April 2014, 07:09:13 am »

I did as instructed, but when I run ipsec start it shows this error.

Code:
Starting weakSwan 5.1.0 IPsec [starter]...
charon is already running (/var/run/strongswan/charon.pid exists) -- skipping daemon start
# deprecated keyword 'leftnexthop' in conn 'NAME'
# deprecated keyword 'leftnexthop' in conn 'NAME'
### 2 parsing errors (0 fatal) ###
mauroreggio
« Reply #6 on: Thursday 15 May 2014, 03:38:04 am »

Does anyone have good news?

I'll try to write here what my points are (maybe I repeat something that others have already written, but excuse me; this way we have everything here).
1) in my opinion, the web configuration interface for the IPsec VPN is very poor in this version: if you make a change in the web interface, the configuration files do not change
2) the IPsec configuration is based on one file: /etc/ipsec/ipsec.conf
3) every time the system reboots, /etc/ipsec/ipsec.conf is recreated from /etc/ipsec/ipsec.conf.tmpl ... so, if you want to modify the /etc/ipsec/ipsec.conf structure, you must modify /etc/ipsec/ipsec.conf.tmpl first
4) if you change some configuration parameter of the VPN connection, the web interface is not able to change the configuration file of the connection, from which /etc/ipsec/ipsec.conf.tmpl picks up all the parameters to create /etc/ipsec/ipsec.conf ... this file is /var/efw/vpn/config ... one line per configured VPN connection

With these 4 points in mind, the first thing I realized is that the "leftnexthop" parameter in /etc/ipsec/ipsec.conf is deprecated (I realized this because I tried to start and stop ipsec from the shell and saw the messages).
So I had to manually change /etc/ipsec/ipsec.conf.tmpl, remove all the "leftnexthop" lines and add a "modeconfig=push" line (an extract of the new section follows):
Code:
conn $conn.name
    dpdaction=$conn.dpd_action
  #if $conn.interface == 'GREEN'
    left=$GREEN_ADDRESS
    modeconfig=push
  #end if
  #if $conn.interface == 'BLUE'
    left=$BLUE_ADDRESS
    modeconfig=push
  #end if
  #if $conn.interface == 'ORANGE'
    left=$ORANGE_ADDRESS
    modeconfig=push
  #end if
  #if $conn.interface.startswith('UPLINK:')
    left=$conn.uplink.IP
    modeconfig=push
  #end if

All the "if" entries are useful for retrieving parameters about the "Uplink" you choose from the web interface when you configure the VPN connection (or from the /var/efw/vpn/config file)

Code:
1,on,yyyyyyyy,,net,psk,xxxxxxxxxxxxxx,,LLLLLLLLLLL,ll.ll.ll.ll/24,RRRRRRRRR,rr.rr.rr.rr,rr.rr.rr.rr/24,off,off,off,off,1,8,aes128|3des,sha1|md5,1536|1024,aes128|3des,sha1|md5,1536|1024,off,Comment,UPLINK:main,restart,off,,1

After all this, I can see from the SSH shell, with the ipsec statusall command, that the VPN connection is "Established" on both Endians:

Code:
Status of IKE charon daemon (weakSwan 5.1.1, Linux 2.6.32.43-57.e51.i586, i686):
  uptime: 26 minutes, since May 14 18:57:13 2014
  malloc: sbrk 262144, mmap 0, used 173776, free 88368
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 11
  loaded plugins: charon curl ldap aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp agent xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius xauth-generic xauth-pam dhcp lookip addrblock
Listening IP addresses:
  xx.xx.xx.xx
  yy.yy.yy.yy
  zz.zz.zz.zz
Connections:
      name:  xx.xx.xx.xx ...right IP  IKEv1, dpddelay=30s
      name:   local:  [left] uses pre-shared key authentication
      name:   remote: [right] uses pre-shared key authentication
      name:   child:  local network/24 === remote network/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
      name[1]: ESTABLISHED 24 minutes ago, xx.xx.xx.xx[left]...remote Ip[right]
      name[1]: IKEv1 SPIs: jjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjj, pre-shared key reauthentication in 22 minutes
      name[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
      name[1]: Tasks queued: QUICK_MODE

.... but all this is not sufficient; I am still not able to ping the remote side (I tried to ping all the GREEN interfaces from one firewall's shell to the other, and it does not work).
I hope that anyone who knows IPsec VPN better than me can understand what else the web interface does not set up correctly.

P.S. Another thing: I tried to make a Net-to-Net IPsec VPN between an Endian Mercury 50 and one of these Community versions. At the start I had the same problem. I opened a ticket; the support team connected ONLY TO THE MERCURY, made some settings and the VPN started to work. They said that they only forced the IKE protocol to version 1 and everything started to work .... but here that is not the solution.
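As an added example (not code from any poster in this thread), a small Python check that reads `ipsec statusall` output and tells an IKE-only state apart from a working tunnel: in the output above the IKE SA is ESTABLISHED, but "Tasks queued: QUICK_MODE" remains and no CHILD_SA is listed as INSTALLED, which is exactly the "connected but no traffic" symptom. The sample outputs, connection name and addresses are constructed; the line shapes follow strongSwan 5.1.x statusall formatting.

```python
import re

# Constructed sample in the shape of strongSwan 5.1.x `ipsec statusall` output,
# modelled on the thread: the IKE SA is ESTABLISHED, but Quick Mode is still
# queued, so no IPsec (CHILD) SA exists and the peers' subnets cannot talk.
SAMPLE_IKE_ONLY = """\
Security Associations (1 up, 0 connecting):
      site[1]: ESTABLISHED 24 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
      site[1]: Tasks queued: QUICK_MODE
"""
# Constructed healthy counterpart: Quick Mode finished and a CHILD_SA is INSTALLED.
SAMPLE_HEALTHY = """\
Security Associations (1 up, 0 connecting):
      site[1]: ESTABLISHED 2 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
      site{1}:  INSTALLED, TUNNEL, ESP SPIs: c1a2b3d4_i e5f60718_o
      site{1}:   192.0.2.0/24 === 198.51.100.0/24
"""

IKE_RE = re.compile(r"^\s*(\S+)\[\d+\]:\s+(ESTABLISHED|CONNECTING)\b")      # IKE SA line
CHILD_RE = re.compile(r"^\s*(\S+)\{\d+\}:\s+(INSTALLED|ROUTED|REKEYING|DELETING)\b")  # CHILD_SA line
TS_RE = re.compile(r"^\s*(\S+)\{\d+\}:\s+(\S+) === (\S+)")                 # traffic selectors
QUEUED_RE = re.compile(r"^\s*(\S+)\[\d+\]:\s+Tasks queued:\s*(.*)$")        # pending IKE tasks

def parse_statusall(text):
    """Collect IKE state, CHILD_SA states, traffic selectors and queued tasks per conn."""
    conns = {}
    def entry(name):
        return conns.setdefault(name, {"ike": None, "child": [], "ts": [], "queued": ""})
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            entry(m.group(1))["ike"] = m.group(2)
        elif m := CHILD_RE.match(line):
            entry(m.group(1))["child"].append(m.group(2))
        elif m := TS_RE.match(line):
            entry(m.group(1))["ts"].append((m.group(2), m.group(3)))
        elif m := QUEUED_RE.match(line):
            entry(m.group(1))["queued"] = m.group(2)
    return conns

def diagnose(text):
    """Map each conn to 'ok' (IKE + CHILD_SA up), 'ike-only' (phase 1 only) or 'down'."""
    result = {}
    for name, c in parse_statusall(text).items():
        if c["ike"] == "ESTABLISHED" and "INSTALLED" in c["child"]:
            result[name] = "ok"
        elif c["ike"] == "ESTABLISHED":
            result[name] = "ike-only"   # what the thread's statusall shows: no traffic possible
        else:
            result[name] = "down"
    return result
```

Run `diagnose(open("statusall.txt").read())` on a captured statusall dump; an `ike-only` verdict means the pre-shared key and IKE proposal matched but the Quick Mode / CHILD_SA negotiation (subnets, ESP proposal) has not completed, so the ping failure is expected.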
mauroreggio
« Reply #7 on: Monday 19 May 2014, 11:56:23 pm »

Hi, I have one news update:
- On one of the two sides I installed Endian Community Firewall Ver. 2.5.2
- Left Endian Community Firewall Ver. 3.0 on the other side
- Configured the IPsec Net-to-Net VPN (in Ver. 2.5.2 from the web interface, normally)
- Everything works well
Mauro
NELSON-TI
« Reply #8 on: Tuesday 20 May 2014, 01:10:07 am »

EFW 3.0 firewall for connections to the main host, and I connect a laptop through emi d OpenVPN client with GUI 1.0.3. YES I CAN ping, creating appropriate rules in the firewall, but when opening files from my server it is too slow.

The .ovpn file structure is:

Code:
client
remote ..xx. 1194     
dev tap
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca c:\\keys\\cacertIPsec.pem
comp-lzo
verb 3
auth-user-pass