Author Topic: IPSec net2net not working in 3.3.0  (Read 1543 times)
soletmod (Jr. Member, 2 posts)
« on: Tuesday 05 March 2019, 06:42:03 pm »

I have attempted to set up an IPsec connection between a 3.3.0 box that is directly on a modem as the public interface and a 3.3.0 box that is behind a NAT but is on the DMZ. I cannot get a connection, and the only error is:

Code:
Security Associations (0 up, 0 connecting):
  no match

Any ideas?
Dark-Vex (Sr. Member, 105 posts)
« Reply #1 on: Monday 11 March 2019, 07:17:46 pm »

Hello,

From the output it seems that the IPsec configuration file was not generated. Try this command from SSH:

restartipsec --force

Daniele
soletmod (Jr. Member, 2 posts)
« Reply #2 on: Tuesday 12 March 2019, 04:42:11 am »

The force restart did not fix the issue. The one thing I am questioning most is that the certificate these machines are using shows a red-interface IP address different from what they are actually using. The machines were built in a test environment and then put into production with their then-updated external IP addresses. Do I need to generate new certs? If so, I have no idea what I'm supposed to use for PKCS12 file passwords (full disclosure, I am more of a software writer than a network person). Below is the full (redacted) output from connection details after running the force restart:

Code:
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.145.e2.1, x86_64):
  uptime: 4 minutes, since Mar 11 12:35:35 2019
  malloc: sbrk 2859008, mmap 0, used 539584, free 2319424
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon ldap aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp agent xcbc cmac hmac curl attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius xauth-generic xauth-pam dhcp lookip addrblock
Listening IP addresses:
  RED
  GREEN
Connections:
      Name:  LOCAL...REMOTE  IKEv1/2, dpddelay=30s
      Name:   local:  [LOCAL] uses pre-shared key authentication
      Name:   remote: [REMOTE] uses pre-shared key authentication
      Name:   child:  192.168.84.0/24 === 192.168.19.0/24 TUNNEL, dpdaction=restart
Security Associations (0 up, 0 connecting):
  no match
Dark-Vex (Sr. Member, 105 posts)
« Reply #3 on: Monday 18 March 2019, 07:34:44 pm »

Yes, it can be a certificate problem, but you should see it in the logs.
What's the output of:

ipsec up <your-tunnel-name>

and the output of:

cat /var/log/ipsec/ipsec.log

after trying to bring up the tunnel?
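The replies above boil down to three questions about the `ipsec statusall` output: is the conn loaded at all (if not, the config file was never generated and `restartipsec --force` is the fix), how does it authenticate, and is any SA up (if the conn is loaded but nothing is up, the next step is `ipsec up <name>` and reading /var/log/ipsec/ipsec.log). The script below is an added example, not code from the thread or from Endian; it parses a captured copy of that output and answers those questions mechanically, and adds one check the second post worries about: whether the conn's own (left) address is still one of the addresses charon is listening on. The connection name `tunnel1`, all addresses and the three sample outputs are constructed for the example; on a live box pass `"$(ipsec statusall)"` instead.

```shell
#!/bin/sh
# Added example, not from the forum thread or the Endian project.
# Parses `ipsec statusall` text passed as a string argument.

# Constructed sample, modelled on the redacted output posted in the thread
# (names and addresses are made up).
SAMPLE_STATUS='Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.145.e2.1, x86_64):
Listening IP addresses:
  203.0.113.10
  192.168.84.1
Connections:
      tunnel1:  203.0.113.10...198.51.100.7  IKEv1/2, dpddelay=30s
      tunnel1:   local:  [203.0.113.10] uses pre-shared key authentication
      tunnel1:   remote: [198.51.100.7] uses pre-shared key authentication
      tunnel1:   child:  192.168.84.0/24 === 192.168.19.0/24 TUNNEL, dpdaction=restart
Security Associations (0 up, 0 connecting):
  no match'

# Constructed: ipsec.conf was never generated, so charon loaded no conn.
NO_CONN_STATUS='Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.145.e2.1, x86_64):
Listening IP addresses:
  203.0.113.10
Connections:
Security Associations (0 up, 0 connecting):
  no match'

# Constructed: conn still carries the lab-time address (10.0.0.5), which is
# not among the addresses charon listens on now.
STALE_ADDR_STATUS='Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.145.e2.1, x86_64):
Listening IP addresses:
  203.0.113.10
Connections:
      tunnel1:  10.0.0.5...198.51.100.7  IKEv1/2, dpddelay=30s
      tunnel1:   local:  [10.0.0.5] uses pre-shared key authentication
      tunnel1:   remote: [198.51.100.7] uses pre-shared key authentication
Security Associations (0 up, 0 connecting):
  no match'

# Names of the conns charon has loaded (the "name:  left...right" lines).
conn_names() {
    printf '%s\n' "$1" | awk '
        /^Connections:/          { inconn = 1; next }
        /^Security Associations/ { inconn = 0 }
        inconn && /\.\.\./       { sub(/:$/, "", $1); print $1 }'
}

# Authentication methods advertised for local and remote, de-duplicated.
auth_methods() {
    printf '%s\n' "$1" | awk '/uses .* authentication/ {
        sub(/.*uses /, ""); sub(/ authentication.*/, ""); print }' | sort -u
}

# "<up> <connecting>" taken from the Security Associations header line.
sa_counts() {
    printf '%s\n' "$1" |
        sed -n 's/^Security Associations (\([0-9]*\) up, \([0-9]*\) connecting).*/\1 \2/p'
}

# Return 0 if the conn's left address is one charon listens on. A conn whose
# left= still names an old address can never match a packet on the real RED.
local_addr_listening() {
    left=$(printf '%s\n' "$1" | awk -v n="$2:" '
        $1 == n && /\.\.\./ { sub(/\.\.\..*/, "", $2); print $2; exit }')
    [ -n "$left" ] || return 1
    printf '%s\n' "$1" | awk -v ip="$left" '
        /^Listening IP addresses:/ { inlisten = 1; next }
        /^[^ ]/                    { inlisten = 0 }
        inlisten && $1 == ip       { found = 1 }
        END { exit !found }'
}

# One-word verdict: no-conn | up | connecting | loaded-but-down
ipsec_verdict() {
    status=$1
    [ -n "$(conn_names "$status")" ] || { echo no-conn; return; }
    set -- $(sa_counts "$status")
    up=${1:-0}; connecting=${2:-0}
    if [ "$up" -gt 0 ]; then echo up
    elif [ "$connecting" -gt 0 ]; then echo connecting
    else echo loaded-but-down
    fi
}

report() {
    echo "conns   : $(conn_names "$1" | tr '\n' ' ')"
    echo "auth    : $(auth_methods "$1" | tr '\n' ' ')"
    echo "SAs     : $(sa_counts "$1") (up connecting)"
    echo "verdict : $(ipsec_verdict "$1")"
}
report "$SAMPLE_STATUS"
```

Read the verdict against the thread: `no-conn` is the case Reply #1 diagnoses (no config generated, so `restartipsec --force`); `loaded-but-down` is the case in Reply #2, where the conn exists but charon has never negotiated anything, and the only way forward is Reply #3's `ipsec up tunnel1` followed by /var/log/ipsec/ipsec.log. Two caveats the output itself supports: the `local`/`remote` lines say this conn authenticates with a pre-shared key, so the host certificate is not consulted for it, whatever the certificate's subject says; and for the peer behind NAT, the log will show whether IKE packets (UDP 500 and 4500) arrive at all, which is the first thing to confirm before looking at authentication.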