EFW Support
Welcome,
Guest
. Please
login
or
register
.
Did you miss your
activation email?
Monday 30 December 2024, 10:53:23 pm
1 Hour
1 Day
1 Week
1 Month
Forever
Login with username, password and session length
The Latest Endian Firewall is now available for download
HERE
14262
Posts in
4377
Topics by
6517
Members
Latest Member:
Sandro
Search:
Advanced search
EFW Support
Support
VPN Support
Ipsec vpn from 2.5.2 to 3.0.0 no more works
0 Members and 2 Guests are viewing this topic.
« previous
next »
Pages:
[
1
]
Author
Topic: Ipsec vpn from 2.5.2 to 3.0.0 no more works (Read 69187 times)
mmiat
Sr. Member
Offline
Gender:
Posts: 236
Ipsec vpn from 2.5.2 to 3.0.0 no more works
«
on:
Monday 14 July 2014, 10:33:46 pm »
what the hell....
I installed endian 3, imported 2.5.2 backup and vpn no more works
I tried to reconfigure, and nothing changes
In GUI 3des is missing, but in /var/efw/vpn/config it's ok
in log I've this error:
Quote
received NO_PROPOSAL_CHOSEN error notify
f**k, f**k, f**k !!!
Logged
---------------------
IT Consultant
www.fsw.it
Hardware & Software
mdalpe2212
Jr. Member
Offline
Posts: 2
Re: Ipsec vpn from 2.5.2 to 3.0.0 no more works
«
Reply #1 on:
Sunday 20 July 2014, 08:15:38 am »
just upgrade 2 appliances from 2.5 to 3... have 4 in total, they where all connected with ipsec net 2 net.
since the upgrade, it's not working anymore, the 2 with version 2.5 are rock solid.
so , on the version 3, I deleted all configure connection... recreate only 1 between both version 3... and guess what... not working
I have another version 3 ( spare ) so decided to connect it... and create new connection to 1 of the 'not working' unit... the ipsec connection work for about 10 to 15 min ( guessing ) then it drop dead.. and not able to get it working any more...
I notice on some forum tread that you can modify the config file... but since the result is not working for all , I'm guessing that it still not the root cause.
any one.. any idea ?
Logged
mdalpe2212
Jr. Member
Offline
Posts: 2
Re: Ipsec vpn from 2.5.2 to 3.0.0 no more works
«
Reply #2 on:
Sunday 20 July 2014, 11:22:20 am »
on both endian, the connections are connected ( status )
after a while ( 1 hours ) it goes to Close status.
when I check the informations button of the connection, everything look fine.
both green zone are unable to see each other
( remember, in version 2.5, everything was working fine )
so, is it a bug in the upgrade process ? are the new appliance delivered with version 3 have the same bug ?
what I'm trying to do is IPSec vpn net-to-net connection ( endian to endian ) , the only exemple is on version 2.5, so I guess this has not change.
am I thinking the wrong way here ?
Logged
mmiat
Sr. Member
Offline
Gender:
Posts: 236
Re: Ipsec vpn from 2.5.2 to 3.0.0 no more works
«
Reply #3 on:
Sunday 20 July 2014, 05:20:36 pm »
I think that there is a bug in new ipsec used in endian 3
Logged
---------------------
IT Consultant
www.fsw.it
Hardware & Software
mmiat
Sr. Member
Offline
Gender:
Posts: 236
Re: Ipsec vpn from 2.5.2 to 3.0.0 no more works
«
Reply #4 on:
Monday 21 July 2014, 05:56:32 pm »
in jira.endian.com (official endian bugtracker), issue #UTM-875
this should be the final fix:
http://share.endian.com/luca/public/efw-ipsec-3.0.52-1.endian9.noarch.rpm
http://share.endian.com/luca/public/jobsengine-3.0.26-1.endian5.i586.rpm
Basically we just removed the leftsourceip since it was needed for a previous ipsec version.
I hope it works, I'll try
Logged
---------------------
IT Consultant
www.fsw.it
Hardware & Software
mmiat
Sr. Member
Offline
Gender:
Posts: 236
Re: Ipsec vpn from 2.5.2 to 3.0.0 no more works
«
Reply #5 on:
Wednesday 23 July 2014, 05:18:18 pm »
no, it doesn't work
I surrender, I'll try IPFire or pfSense
Logged
---------------------
IT Consultant
www.fsw.it
Hardware & Software
leonardobp
Jr. Member
Offline
Posts: 1
Re: Ipsec vpn from 2.5.2 to 3.0.0 no more works
«
Reply #6 on:
Sunday 17 August 2014, 02:12:49 am »
Hi mmiat!!
We tried those packages you suggested and they worked just fine!! Which version of Endian Community are you using right now?
Even we tried rebooting both firewalls (they are a lab setup, precisely on purpose before we make an upgrade to all 5 of our Endian firewalls)
I must say, from Endian 2.5 it's a mayor MAYOR upgrade since IKEv2 allows us to specify several SA and simplify IPsec VPN with our customers.
Between our offices we're using openVPN since it already did that. Our business needs are quite particular. From HQ we stablish IPsec with our customers and from our branches we NAT the network so our customer sees us as only one single block of IPs.
I guess right now we could go ahead and use IPsec instead of openVPN...
What would you suggest?
When I get to the office I'll let you know which specific version/build of Endian are we using in the lab.
Thank very much!
Best regards,
LBP
Logged
SerFingolfin
Jr. Member
Offline
Posts: 9
Re: Ipsec vpn from 2.5.2 to 3.0.0 no more works
«
Reply #7 on:
Tuesday 07 October 2014, 07:38:50 pm »
Suggested packages worked for me!
Logged
tctcbrent
Jr. Member
Offline
Posts: 5
Re: Ipsec vpn from 2.5.2 to 3.0.0 no more works
«
Reply #8 on:
Tuesday 09 December 2014, 07:47:40 am »
Any update on this? I still can't seem to get this working.
Logged
mmiat
Sr. Member
Offline
Gender:
Posts: 236
Re: Ipsec vpn from 2.5.2 to 3.0.0 no more works
«
Reply #9 on:
Monday 22 December 2014, 09:25:58 pm »
I'm still using 2.5.2, I don't trust in 3.0
Logged
---------------------
IT Consultant
www.fsw.it
Hardware & Software
nico.1976
Jr. Member
Offline
Posts: 2
Re: Ipsec vpn from 2.5.2 to 3.0.0 no more works
«
Reply #10 on:
Tuesday 01 March 2016, 09:17:30 am »
I've the same problem.
any solutions?
thanks
Logged
mrkroket
Hero Member
Offline
Posts: 495
Re: Ipsec vpn from 2.5.2 to 3.0.0 no more works
«
Reply #11 on:
Thursday 03 March 2016, 04:18:42 am »
I had many problems with EFW 3.0.5 trying to connect to some Juniper IPSEC.
It was constant drops, and only one segment was connecting. I tried each and every possible config for Strongswan, and no one worked.
In the end what I did was a dirty manual installation of OpenSwan, replacing StrongSwan.
I extracted all files from the Openswan rpm, and manually copy over the 3.0.5. The I replace all startup/stop scripts to match what Openswan needs.
Also I replaced the templates to force the good config for Openswan.
It was ugly, but t works indeed, and Openswan works way better that Strongswan. I have some hiccups from time to time (each N days, or N weeks), but overall works fine.
It seems that they sell us Strongswan as a better package, but in the end it failed miserably.
I can't exactly suggest you anything, I just warn you that Strongswan in Endian 3.0.5 is a POS, it doesn't work for me. After I changed to Openswan it worked from the first attempt.
But I did all manually and with custom files, it can't be replicated easily.
Logged
mmiat
Sr. Member
Offline
Gender:
Posts: 236
Re: Ipsec vpn from 2.5.2 to 3.0.0 no more works
«
Reply #12 on:
Thursday 05 January 2017, 07:44:00 pm »
yesterday I've tried to upgrade again, from 2.5.2 to 3.2.2
now vpn goes up, but after a while (a of minutes or a of hours) it goes down, it doesn't restart automatically and I've to restart it manually
has someone fixed this problem?
thanks
Logged
---------------------
IT Consultant
www.fsw.it
Hardware & Software
Dark-Vex
Sr. Member
Offline
Posts: 105
Re: Ipsec vpn from 2.5.2 to 3.0.0 no more works
«
Reply #13 on:
Monday 09 January 2017, 07:34:56 pm »
Maybe can be a rekey issue, please paste the output of "ipsec statusall" when there is the issue
Logged
mmiat
Sr. Member
Offline
Gender:
Posts: 236
Re: Ipsec vpn from 2.5.2 to 3.0.0 no more works
«
Reply #14 on:
Friday 20 January 2017, 07:31:34 pm »
Quote from: Dark-Vex on Monday 09 January 2017, 07:34:56 pm
Maybe can be a rekey issue, please paste the output of "ipsec statusall" when there is the issue
no problems for a week, then twice last two days
here the output (I've hidden the public ip addresses):
Quote
Status of IKE charon daemon (weakSwan 5.3.5, Linux 4.1.17.e12, x86_64):
uptime: 17 hours, since Jan 19 15:57:53 2017
malloc: sbrk 2543616, mmap 0, used 487632, free 2055984
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon ldap aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp agent xcbc cmac hmac curl attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius xauth-generic xauth-pam dhcp lookip addrbl ock
Listening IP addresses:
185....57
185....58
93....230
192.168.200.254
192.168.10.254
Connections:
AAA: 185....57...151....3 IKEv1, dpddelay=30s
AAA: local: [185....57] uses pre-shared key authentication
AAA: remote: [151....3] uses pre-shared key authentication
AAA: child: 10.143.144.112/29 === 10.0.0.0/8 TUNNEL, dpdaction=restart
XXXX: 185....57...78....81 IKEv1, dpddelay=30s
XXXX: local: [185....57] uses pre-shared key authentication
XXXX: remote: [172.25.242.1] uses pre-shared key authentication
XXXX: child: 172.29.246.240/28 === 172.25.0.0/16 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
XXXX[13]: ESTABLISHED 90 minutes ago, 185....57[185....57]...78....81[172.25.242.1]
XXXX[13]: IKEv1 SPIs: 485691cb2411827e_i* 372dec3866a52699_r, pre-shared key reauthentication in 14 minutes
XXXX[13]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
XXXX{7}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: cc11d855_i 8c409953_o
XXXX{7}: 3DES_CBC/HMAC_MD5_96, 0 bytes_i, 0 bytes_o, rekeying in 5 hours
XXXX{7}: 172.29.246.240/28 === 172.25.0.0/16
Logged
---------------------
IT Consultant
www.fsw.it
Hardware & Software
Pages:
[
1
]
« previous
next »
Jump to:
Please select a destination:
-----------------------------
Announcements
-----------------------------
=> Project News
=> Latest News and Updates
-----------------------------
Support
-----------------------------
=> General Support
=> Installation Support
=> EFW SMTP, HTTP, SIP, FTP Proxy Support
=> VPN Support
=> Hardware Support
-----------------------------
Development
-----------------------------
=> EFW Wishlist
=> Contribute Your Customisations & Modifications
Page created in 0.188 seconds with 19 queries.
Powered by SMF 1.1 RC2
|
SMF © 2001-2005, Lewis Media
Design by
7dana.com