EFW Support

Support => VPN Support => Topic started by: robert on Thursday 28 February 2013, 09:39:56 am



Title: VPN Beta Testers Needed
Post by: robert on Thursday 28 February 2013, 09:39:56 am
I'm just finishing up changes to the VPN support in EFW Community 2.5.1.

It includes the following improvements:
  • Add Xauth support to IPsec for host-net connections
  • Proper IPsec operation when initiator is behind NAT
  • L2TP PSK and Certificate
  • Xauth/L2TP User configuration page

With these changes I'm able to connect from my phone behind a NATed connection using IPsec with certificate and Xauth as well as L2TP using a certificate or a PSK.

This not only adds a new package for the L2TP support, it also modifies the existing efw-ipsec package. As a result I would like to get as much testing as possible before releasing it and possibly breaking someone's IPsec connection.

If you are interested in giving this a try (and can access your firewall even without your IPsec connection :-)) please let me know.


Title: Re: VPN Beta Testers Needed
Post by: sota on Saturday 09 March 2013, 04:55:01 am
OK Robert, I'll give it a try.


Title: Re: VPN Beta Testers Needed
Post by: robert on Wednesday 13 March 2013, 02:47:37 pm
Ok, you can install it from my repositories; instructions for the repositories are at http://repo.opensource-sw.net/efw.

The package you need to install using the smart package manager is ossw-l2tp.  That will also install updated versions of strongswan and efw-ipsec.


Title: Re: VPN Beta Testers Needed
Post by: dda on Wednesday 20 March 2013, 04:23:09 am
Very interested in this as I have a VPN up now passing through to a Windows server, but don't know how to install the packages.


Title: Re: VPN Beta Testers Needed
Post by: sota on Sunday 24 March 2013, 12:25:37 am
Hi Robert,

Thank you for that. I have run your script and enabled the additional channels. However, smart install returns "matches no packages" if I use ossw-l2tp or the full package name. If I give it the http path to the package, it comes back with "no package provides efw-ipsec >= 1:2.7.6".

I assume it's a mistake on my part?

Thanks,

Pat


Title: Re: VPN Beta Testers Needed
Post by: dda on Thursday 04 April 2013, 03:50:04 am
Hi, can someone explain to me how to run this script please?


Title: Re: VPN Beta Testers Needed
Post by: oleg31337 on Thursday 25 April 2013, 08:00:05 pm
Hi Robert,
I'm struggling to get your L2TP to work on EFW Community, with no luck so far :(
Could you please assist in configuring it?
I'm trying to connect from Windows7 machine and have tried different configs.
I'm not sure what I am doing because I have very poor VPN background knowledge.


Title: Re: VPN Beta Testers Needed
Post by: oleg31337 on Thursday 25 April 2013, 08:16:19 pm
I think pre-shared key authentication doesn't work.
I have configured authentication using self-signed certificate (generated it in efw interface) and vpn connection worked ok.


Title: Re: VPN Beta Testers Needed
Post by: sota on Monday 17 June 2013, 03:21:17 am
I'm also having problems getting this to work with PSK authentication. What I see in the logs is the following:

ipsec_starter (17513) Starting strongSwan 4.6.4 IPsec [starter]...
ipsec_starter (17513) # duplicate "rightsubnet" option
ipsec_starter (17513) bad argument value in conn "MacSweeney-nat"
ipsec_starter (17513) ### 1 parsing error (1 fatal) ###
ipsec_starter (17513) unable to start strongSwan -- fatal errors in config

Anyone got any ideas?
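The "duplicate 'rightsubnet' option" failure above comes from strongSwan's starter merging a conn with the section named in its `also=` line and then finding the same option twice. The following script is an added example, not code from this thread, EFW or strongSwan: it parses an ipsec.conf, flattens `also=` references the way starter does, and reports every option that ends up defined more than once, so a generated config can be checked before `ipsec restart`. The sample config, the conn names and the exact merge rule (any option seen twice after merging is an error) are assumptions for the demonstration.

```python
"""Lint an ipsec.conf for options duplicated through `also=` merging.

Added example (not EFW or strongSwan code). It reproduces offline the
check that made strongSwan's starter refuse to start in this thread.
"""
import re
from collections import OrderedDict

# Constructed sample: a net-to-net conn ('MacSweeney') whose '-nat'
# variant re-declares rightsubnet, and a host-to-net conn ('RoadWarrior')
# whose base conn has no rightsubnet, so its '-nat' variant is fine.
SAMPLE_IPSEC_CONF = """\
config setup
        nat_traversal=yes

conn MacSweeney-nat
        rightsubnet=vhost:%priv,%no
        also=MacSweeney

conn MacSweeney
        dpdaction=restart
        left=%defaultroute
        leftsubnet=10.0.0.0/24
        right=203.0.113.10
        rightsubnet=10.1.0.0/24

conn RoadWarrior-nat
        rightsubnet=vhost:%priv,%no
        also=RoadWarrior

conn RoadWarrior
        dpdaction=clear
        left=%defaultroute
        right=%any
"""

SECTION_RE = re.compile(r"^(conn|config|ca)\s+(\S+)\s*$")
OPTION_RE = re.compile(r"^\s+([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_sections(text):
    """Return {conn_name: [(key, value), ...]} preserving option order.

    Only 'conn' sections are kept; 'config setup' and 'ca' sections never
    take part in `also=` merging, so they are skipped.
    """
    sections = OrderedDict()
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            kind, name = m.groups()
            current = name if kind == "conn" else None
            if current is not None:
                sections.setdefault(current, [])
            continue
        m = OPTION_RE.match(line)
        if m and current is not None:
            sections[current].append(m.groups())
    return sections


def expand_conn(sections, name, seen=frozenset()):
    """Flatten a conn by pulling in every `also=` target (recursively).

    Returns (key, value, origin_conn) triples; duplicates are kept so the
    caller can report where each copy came from.
    """
    if name in seen:
        raise ValueError("also= loop involving conn %r" % name)
    seen = seen | {name}
    out = []
    for key, value in sections.get(name, []):
        if key == "also":
            out.extend(expand_conn(sections, value, seen))
        else:
            out.append((key, value, name))
    return out


def find_duplicate_options(text):
    """Return {conn: {option: [origin conns]}} for every option defined twice."""
    sections = parse_sections(text)
    problems = {}
    for name in sections:
        origins = {}
        for key, _value, origin in expand_conn(sections, name):
            origins.setdefault(key, []).append(origin)
        dups = {k: v for k, v in origins.items() if len(v) > 1}
        if dups:
            problems[name] = dups
    return problems


if __name__ == "__main__":
    for conn, dups in find_duplicate_options(SAMPLE_IPSEC_CONF).items():
        for option, origins in dups.items():
            print("conn %s: duplicate %r option (from %s)"
                  % (conn, option, ", ".join(origins)))
```

Run against the real file with `find_duplicate_options(open("/etc/ipsec/ipsec.conf").read())`; an empty result means no conn will trip the duplicate-option check once `also=` sections are merged.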


Title: Re: VPN Beta Testers Needed
Post by: sota on Wednesday 19 June 2013, 09:24:55 pm
OK, so to answer my own question I had an e-mail from Robert about this:

You need to patch /etc/ipsec/ipsec.conf.tmpl with the following patch:

--- ipsec.conf.tmpl-orig        2013-06-17 16:28:38.000000000 -0700
+++ ipsec.conf.tmpl     2013-06-17 16:28:42.000000000 -0700
@@ -59,9 +59,11 @@
     #end for
   #end for

+#if $conn.connection_type != 'net'
 conn $conn.name-nat
        rightsubnet=vhost:%priv,%no
        also=$conn.name
+#end if

 conn $conn.name
        dpdaction=$conn.dpd_action
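Review bot: the `#if $conn.connection_type != 'net'` guard stops the parse error by not emitting the `conn $conn.name-nat` stanza at all for net-to-net connections, which also drops the `rightsubnet=vhost:%priv,%no` handling for any net-to-net peer that sits behind NAT; that behaviour change should be stated in a comment above the `#if` line. The collision itself is `also=$conn.name` pulling in the base conn's own `rightsubnet` (the "duplicate 'rightsubnet' option" message names the `-nat` conn), so an alternative that keeps the stanza would be to emit `rightsubnet` in only one of the two places for that connection type.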



Title: Re: VPN Beta Testers Needed
Post by: sota on Wednesday 19 June 2013, 09:27:57 pm
I ran smart install patch and then tried to patch /etc/ipsec/ipsec.conf.tmpl, but it failed for some reason, so I patched it manually. All my VPNs are now back.

Thanks, Robert!


Title: Re: VPN Beta Testers Needed
Post by: barracksbuilder on Thursday 20 June 2013, 11:12:22 am
I've installed your ossw-l2tp package and can see additional tabs in VPN. I think I am having trouble configuring the tunnel.

IPsec Tab => Enabled: checked, Zone: green, Dynamic IP pool: 192.168.9.1/24 (outside of any zones), I clicked Add. Select L2TP Host-to-Net Virtual Private Network. Name: L2TP, Authentication: Use a pre-share key: password. All other settings left to default or blank. (Save)

L2TP Tab => Check L2TP server enabled, Zone: Green, IP pool start 192.168.8.2, IP pool end 192.168.8.10 (This ip is outside of my zones), All debugging options checked. (Save and restart)

IPsec / L2TP Users Tab => Add account, username: test, password: password2, Authentication Methods: L2TP checked. (Save)

I then click Restart IPsec / L2TP server

Android Phone (S4 with Wifi off, connecting through sprint)
New VPN => Name: Test, Type L2TP/IPSec PSK, Server Address: My red IP from comcast, IPsec pre-shared key: password (Same from IPSec Tab L2TP that I created) [Save]
Click to connect => username: test, password: password2, save account info: checked [Connect]

Sits and connects for a while; I do see some logging going on in the system log. I removed my remote IP (endian); you can have my phone's IP, Sprint will rotate it as soon as I reconnect to their network.

Code:
System 2013-06-19 19:58:08 pluto (11718) | removing 20 bytes of padding
System 2013-06-19 19:58:08 pluto (11718) | peer client is 29.41.67.41
System 2013-06-19 19:58:08 pluto (11718) | peer client protocol/port is 17/0
System 2013-06-19 19:58:08 pluto (11718) | our client is {removed}
System 2013-06-19 19:58:08 pluto (11718) | our client protocol/port is 17/1701
System 2013-06-19 19:58:08 pluto (11718) cannot respond to IPsec SA request because no connection is known for {removed}:4500[{removed}]:17/1701...68.24.131.41:35953[29.41.67.41]:17/%any===29.41.67.41/32
System 2013-06-19 19:58:08 pluto (11718) sending encrypted notification INVALID_ID_INFORMATION to 68.24.131.41:35953
...
System 2013-06-19 19:58:08 pluto (11718) INVALID_ID_INFORMATION
System 2013-06-19 19:58:08 pluto (11718) | emitting 0 raw bytes of spi into ISAKMP Notification Payload
System 2013-06-19 19:58:08 pluto (11718) | spi
System 2013-06-19 19:58:08 pluto (11718) 12
System 2013-06-19 19:58:08 pluto (11718) | emitting 12 zero bytes of encryption padding into ISAKMP Message
System 2013-06-19 19:58:08 pluto (11718) 76
System 2013-06-19 19:58:10 pluto (11718) |
System 2013-06-19 19:58:10 pluto (11718) | *received 348 bytes from 68.24.131.41:35953 on eth4
System 2013-06-19 19:58:10 pluto (11718) | **parse ISAKMP Message:
System 2013-06-19 19:58:10 pluto (11718) | initiator cookie:
System 2013-06-19 19:58:10 pluto (11718) | 38 31 dc 09 36 b9 2f ed
System 2013-06-19 19:58:10 pluto (11718) | responder cookie:
System 2013-06-19 19:58:10 pluto (11718) | 54 fa 96 07 87 77 58 15
System 2013-06-19 19:58:10 pluto (11718) ISAKMP_NEXT_HASH
System 2013-06-19 19:58:10 pluto (11718) ISAKMP Version 1.0
System 2013-06-19 19:58:10 pluto (11718) ISAKMP_XCHG_QUICK
System 2013-06-19 19:58:10 pluto (11718) ISAKMP_FLAG_ENCRYPTION
System 2013-06-19 19:58:10 pluto (11718) b2 9b aa 69
System 2013-06-19 19:58:10 pluto (11718) 348
System 2013-06-19 19:58:10 pluto (11718) Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x69aa9bb2 (perhaps this is a duplicated packet)
System 2013-06-19 19:58:10 pluto (11718) sending encrypted notification INVALID_MESSAGE_ID to 68.24.131.41:35953
...
System 2013-06-19 19:58:20 pluto (11718) | ***emit ISAKMP Notification Payload:
System 2013-06-19 19:58:20 pluto (11718) ISAKMP_NEXT_NONE
System 2013-06-19 19:58:20 pluto (11718) ISAKMP_DOI_IPSEC
System 2013-06-19 19:58:20 pluto (11718) 1
System 2013-06-19 19:58:20 pluto (11718) 0
System 2013-06-19 19:58:20 pluto (11718) INVALID_MESSAGE_ID
System 2013-06-19 19:58:20 pluto (11718) | emitting 0 raw bytes of spi into ISAKMP Notification Payload
System 2013-06-19 19:58:20 pluto (11718) | spi
System 2013-06-19 19:58:20 pluto (11718) 12
System 2013-06-19 19:58:20 pluto (11718) | emitting 12 zero bytes of encryption padding into ISAKMP Message
System 2013-06-19 19:58:20 pluto (11718) 76
System 2013-06-19 19:58:22 pluto (11718) |
...
System 2013-06-19 19:58:35 pluto (11718) | emitting 12 zero bytes of encryption padding into ISAKMP Message
System 2013-06-19 19:58:35 pluto (11718) 76

Had to trim down the logs; the things that stuck out to me I kept. Any help is appreciated.


Title: Re: VPN Beta Testers Needed
Post by: svoelker on Friday 28 June 2013, 01:32:24 am
Somehow the openvpn user tab is gone now.

I mean I can still open it in the browser manually when I enter /cgi-bin/openvpn_users.cgi

But it would be more comfortable to get it back into the menu.

No idea why it's gone though, and I doubt the ipsec / l2tp users are used for openvpn as well.


Title: Re: VPN Beta Testers Needed
Post by: membrane on Friday 26 July 2013, 04:53:14 am
How exactly do you apply the patch?


Title: Re: VPN Beta Testers Needed
Post by: dda on Wednesday 14 August 2013, 08:47:08 am
Check out this thread Membrane
http://www.efwsupport.com/index.php/topic,3101.msg10089.html#msg10089


Title: Re: VPN Beta Testers Needed
Post by: mmiat on Wednesday 18 September 2013, 01:30:42 am
Wow! This seems very interesting! Is it compatible with ALL versions of Endian 2.5?
Thanks


Title: Re: VPN Beta Testers Needed
Post by: mmiat on Wednesday 18 September 2013, 01:47:04 am
I reply to myself: it doesn't work with 2.5.2

Code:
Traceback (most recent call last):
  File "/usr/bin/smart", line 200, in ?
    main(sys.argv[1:])
  File "/usr/bin/smart", line 173, in main
    exitcode = iface.run(opts.command, opts.argv)
  File "/usr/lib/python2.4/site-packages/smart/interface.py", line 53, in run
    result = _command.main(self._ctrl, opts)
  File "/usr/lib/python2.4/site-packages/smart/commands/update.py", line 81, in main
    ctrl.reloadChannels()
  File "/usr/lib/python2.4/site-packages/smart/control.py", line 388, in reloadChannels
    if not channel.fetch(self._fetcher, progress):
  File "/usr/lib/python2.4/site-packages/smart/channels/rpm_md.py", line 287, in fetch
    fetcher.run(progress=progress)
  File "/usr/lib/python2.4/site-packages/smart/fetcher.py", line 201, in run
    self.runLocal()
  File "/usr/lib/python2.4/site-packages/smart/fetcher.py", line 182, in runLocal
    handler.runLocal()
  File "/usr/lib/python2.4/site-packages/smart/fetcher.py", line 750, in runLocal
    if not valid and fetcher.validate(item, localpath):
  File "/usr/lib/python2.4/site-packages/smart/fetcher.py", line 408, in validate
    from smart.util.sha256 import sha256
ImportError: No module named sha256


Title: Re: VPN Beta Testers Needed
Post by: mmiat on Wednesday 18 September 2013, 07:33:52 pm
It seems ok with Windows 7; with Windows XP I get error 789: "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer"


Title: Re: VPN Beta Testers Needed
Post by: dda on Thursday 19 September 2013, 02:33:28 am
Are you connecting to the firewall or to a server behind the firewall?


Title: Re: VPN Beta Testers Needed
Post by: mmiat on Thursday 19 September 2013, 03:55:04 am
I installed ossw-l2tp and trying to connect to EFW


Title: Re: VPN Beta Testers Needed
Post by: dda on Thursday 19 September 2013, 07:02:01 am
Did you install 2.52? I have mine running connecting to a Windows server behind the firewall. I had a lot of problems with Endian itself. Did you say Windows 7 is connecting but XP is not? Did you make the changes in the registry for L2TP in the Windows XP machine?


Title: Re: VPN Beta Testers Needed
Post by: mmiat on Thursday 19 September 2013, 08:33:40 am
I have EFW 2.5.1; the ossw repository is not compatible with 2.5.2
I've not made changes in the XP registry; what do I have to do? Thanks


Title: Re: VPN Beta Testers Needed
Post by: mmiat on Thursday 19 September 2013, 05:29:28 pm
iPad works too


Title: Re: VPN Beta Testers Needed
Post by: mmiat on Thursday 19 September 2013, 05:37:22 pm
Yeahhhhhhh it works!!!
I downloaded DrayTek Smart VPN Client, which modifies the registry for me, and now with XP I can connect
awesome!


Title: Re: VPN Beta Testers Needed
Post by: mmiat on Thursday 19 September 2013, 07:38:05 pm
unbelievable....

Now I try to configure a net-to-net IPsec VPN, but I get the same error as sota:

Code:
Sep 19 11:35:27 ipsec_starter[13899] Starting strongSwan 4.6.4 IPsec [starter]...
Sep 19 11:35:27 ipsec_starter[13899] # duplicate 'rightsubnet' option
Sep 19 11:35:27 ipsec_starter[13899] bad argument value in conn 'SNAM-nat'
Sep 19 11:35:27 ipsec_starter[13899] ### 1 parsing error (1 fatal) ###
Sep 19 11:35:27 ipsec_starter[13899] unable to start strongSwan -- fatal errors in config

but I don't understand how to apply the patch


Title: Re: VPN Beta Testers Needed
Post by: mmiat on Thursday 19 September 2013, 10:01:40 pm
Maybe I solved it... if so, I'll post the solution later :)


Title: Re: VPN Beta Testers Needed
Post by: mmiat on Friday 20 September 2013, 01:19:36 am
If I add more than 1 user in L2TP users (https://ip:10443/cgi-bin/vpn_users.cgi) the layout goes wrong


Title: Re: VPN Beta Testers Needed
Post by: mmiat on Saturday 21 September 2013, 08:23:10 pm
Nothing to do... XP and W7 work with Q818043 and Q240262, but Android and iOS don't
I tried with PSK and with Certificate, I changed leftid and rightid, I tried manually modifying ipsec.conf, but nothing works


Title: Re: VPN Beta Testers Needed
Post by: mmiat on Monday 23 September 2013, 03:08:57 am
Everything works well with Windows XP and Windows 7, but iOS (iPhone/iPad) and Android don't connect. I haven't tried OSX and Ubuntu for the moment.

The part of log that I think is useful:

Code:
Sep 22 19:05:48 pluto[2692] "L2TP"[1] 87.0.178.18 #1: Peer ID is ID_IPV4_ADDR: '192.168.82.100'
Sep 22 19:05:48 pluto[2692] "L2TP"[2] 87.0.178.18 #1: deleting connection "L2TP" instance with peer 87.0.178.18 {isakmp=#0/ipsec=#0}
Sep 22 19:05:48 pluto[2692] | NAT-T: new mapping 87.0.178.18:500/15587)
Sep 22 19:05:48 pluto[2692] "L2TP"[2] 87.0.178.18:15587 #1: sent MR3, ISAKMP SA established

[...]

Sep 22 19:05:49 pluto[2692] "L2TP"[2] 87.0.178.18:15587 #1: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
Sep 22 19:05:49 pluto[2692] "L2TP"[2] 87.0.178.18:15587 #1: malformed payload in packet
Sep 22 19:05:49 pluto[2692] "L2TP"[2] 87.0.178.18:15587 #1: sending encrypted notification PAYLOAD_MALFORMED to 87.0.178.18:15587

[...]

Sep 22 19:06:44 pluto[2692] "L2TP"[2] 87.0.178.18:15587 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x4d5e5fb1 (perhaps this is a duplicated packet)
Sep 22 19:06:44 pluto[2692] "L2TP"[2] 87.0.178.18:15587 #1: sending encrypted notification INVALID_MESSAGE_ID to 87.0.178.18:15587
Sep 22 19:06:47 xl2tpd[9961] network_thread: recv packet from 87.0.178.18, size = 69, tunnel = 0, call = 0 ref=0 refhim=0
Sep 22 19:06:47 xl2tpd[9961] get_call: allocating new tunnel for host 87.0.178.18, port 17345.
Sep 22 19:06:47 xl2tpd[9961] handle_avps: handling avp's for tunnel 43220, call 9005
Sep 22 19:06:47 xl2tpd[9961] message_type_avp: message type 1 (Start-Control-Connection-Request)
Sep 22 19:06:47 xl2tpd[9961] protocol_version_avp: peer is using version 1, revision 0.
Sep 22 19:06:47 xl2tpd[9961] hostname_avp: peer reports hostname 'anonymous'
Sep 22 19:06:47 xl2tpd[9961] framing_caps_avp: supported peer frames: async sync
Sep 22 19:06:47 xl2tpd[9961] assigned_tunnel_avp: using peer's tunnel 46540
Sep 22 19:06:47 xl2tpd[9961] receive_window_size_avp: peer wants RWS of 1. Will use flow control.
Sep 22 19:06:47 xl2tpd[9961] control_finish: message type is Start-Control-Connection-Request(1). Tunnel is 46540, call is 0.
Sep 22 19:06:47 xl2tpd[9961] control_finish: sending SCCRP
Sep 22 19:06:49 xl2tpd[9961] network_thread: recv packet from 87.0.178.18, size = 36, tunnel = 0, call = 0 ref=0 refhim=0
Sep 22 19:06:49 xl2tpd[9961] get_call: allocating new tunnel for host 87.0.178.18, port 17345.
Sep 22 19:06:49 xl2tpd[9961] check_control: Received out of order control packet on tunnel -1 (got 1, expected 0)
Sep 22 19:06:49 xl2tpd[9961] handle_packet: bad control packet!
Sep 22 19:06:49 xl2tpd[9961] network_thread: bad packet
Sep 22 19:06:49 xl2tpd[9961] build_fdset: closing down tunnel 44636
Sep 22 19:06:50 xl2tpd[9961] network_thread: select timeout
Sep 22 19:06:51 xl2tpd[9961] network_thread: select timeout
Sep 22 19:06:52 xl2tpd[9961] network_thread: select timeout
Sep 22 19:06:53 xl2tpd[9961] network_thread: select timeout
Sep 22 19:06:54 xl2tpd[9961] network_thread: select timeout
Sep 22 19:06:54 xl2tpd[9961] Maximum retries exceeded for tunnel 43220. Closing.
Sep 22 19:06:54 xl2tpd[9961] Connection 46540 closed to 87.0.178.18, port 17345 (Timeout)
Sep 22 19:06:55 xl2tpd[9961] network_thread: select timeout
Sep 22 19:06:56 xl2tpd[9961] network_thread: select timeout
Sep 22 19:06:57 xl2tpd[9961] network_thread: select timeout
Sep 22 19:06:58 xl2tpd[9961] network_thread: select timeout
Sep 22 19:06:59 xl2tpd[9961] network_thread: select timeout
Sep 22 19:06:59 xl2tpd[9961] Unable to deliver closing message for tunnel 43220. Destroying anyway.

Thanks for any help.
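Both the trimmed pluto log barracksbuilder posted (EFW "System ..." export format) and the pluto/xl2tpd syslog excerpt above show the same pattern: Phase 1 gets as far as it gets, the responder sends an encrypted notification back, and the L2TP tunnel then times out. The script below is an added example, not code from this thread, EFW, strongSwan or xl2tpd: it runs over log lines in either format and summarises, per remote peer, whether the ISAKMP SA was confirmed, which notifications the responder sent, how many IPsec SA requests matched no conn, and how the L2TP tunnel ended. The sample lines are constructed (documentation addresses, message text modelled on the posts), and the `HINTS` table is this example's own reading of each notification, not a diagnosis of the posters' setups.

```python
"""Triage pluto / xl2tpd log lines from a failing L2TP/IPsec connection.

Added example (not EFW, strongSwan or xl2tpd code). Summarises per peer
which negotiation stage produced an error notification, so the failing
step can be found without reading the full debug output.
"""
import re
from collections import defaultdict

# Constructed sample in the two formats seen in this thread (EFW system
# log export and plain syslog); peers use documentation addresses.
SAMPLE_LOG = """\
System 2013-06-19 19:58:08 pluto (11718) cannot respond to IPsec SA request because no connection is known for 192.0.2.1:4500[192.0.2.1]:17/1701...198.51.100.7:35953[10.0.0.5]:17/%any===10.0.0.5/32
System 2013-06-19 19:58:08 pluto (11718) sending encrypted notification INVALID_ID_INFORMATION to 198.51.100.7:35953
System 2013-06-19 19:58:10 pluto (11718) Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x69aa9bb2 (perhaps this is a duplicated packet)
System 2013-06-19 19:58:10 pluto (11718) sending encrypted notification INVALID_MESSAGE_ID to 198.51.100.7:35953
Sep 22 19:05:48 pluto[2692] "L2TP"[2] 203.0.113.9:15587 #1: sent MR3, ISAKMP SA established
Sep 22 19:05:49 pluto[2692] "L2TP"[2] 203.0.113.9:15587 #1: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
Sep 22 19:05:49 pluto[2692] "L2TP"[2] 203.0.113.9:15587 #1: sending encrypted notification PAYLOAD_MALFORMED to 203.0.113.9:15587
Sep 22 19:06:47 xl2tpd[9961] control_finish: message type is Start-Control-Connection-Request(1). Tunnel is 46540, call is 0.
Sep 22 19:06:47 xl2tpd[9961] control_finish: sending SCCRP
Sep 22 19:06:54 xl2tpd[9961] Connection 46540 closed to 203.0.113.9, port 17345 (Timeout)
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
NOTIFY_RE = re.compile(r"sending encrypted notification (\S+) to " + IP + r":\d+")
ISAKMP_UP_RE = re.compile(IP + r":\d+ #\d+: sent MR3, ISAKMP SA established")
NO_CONN_RE = re.compile(r"because no connection is known for .*?\.\.\." + IP + r":\d+")
L2TP_CLOSED_RE = re.compile(r"Connection \d+ closed to " + IP + r", port \d+ \((\w+)\)")

# What each notification usually indicates on the responder side; this is
# the example's own hint table, not strongSwan documentation.
HINTS = {
    "INVALID_ID_INFORMATION": "no conn matched the peer's traffic selectors (check rightsubnet / NAT handling)",
    "INVALID_MESSAGE_ID": "peer retransmitted Quick Mode, usually after an earlier rejection",
    "PAYLOAD_MALFORMED": "responder could not parse a payload (here NAT-OA) from this client",
}


def new_peer_record():
    return {"isakmp_sa": False, "notifications": [], "no_conn": 0, "l2tp": None}


def triage(log_text):
    """Return {peer_ip: record} built from pluto and xl2tpd lines in any order."""
    peers = defaultdict(new_peer_record)
    for line in log_text.splitlines():
        m = NO_CONN_RE.search(line)
        if m:
            peers[m.group(1)]["no_conn"] += 1
            continue
        m = NOTIFY_RE.search(line)
        if m:
            peers[m.group(2)]["notifications"].append(m.group(1))
            continue
        m = ISAKMP_UP_RE.search(line)
        if m:
            peers[m.group(1)]["isakmp_sa"] = True
            continue
        m = L2TP_CLOSED_RE.search(line)
        if m:
            peers[m.group(1)]["l2tp"] = m.group(2)
    return dict(peers)


def report(summary):
    """Render the triage result as one block of text, one peer per section."""
    lines = []
    for peer, info in sorted(summary.items()):
        phase1 = "up" if info["isakmp_sa"] else "not confirmed in log"
        lines.append("%s: ISAKMP SA %s; unmatched IPsec SA requests: %d"
                     % (peer, phase1, info["no_conn"]))
        for n in info["notifications"]:
            lines.append("  sent %s: %s" % (n, HINTS.get(n, "see pluto debug output")))
        if info["l2tp"]:
            lines.append("  L2TP tunnel closed (%s)" % info["l2tp"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Feed it the relevant part of the system log (`triage(open("/var/log/messages").read())`); a peer whose ISAKMP SA is confirmed but whose L2TP tunnel still closes on timeout points at the Phase 2 / NAT-T step rather than at authentication.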


Title: Re: VPN Beta Testers Needed
Post by: mmiat on Tuesday 24 September 2013, 10:37:48 pm
I've added a new IPsec net-to-net connection and it doesn't work either... "ipsec status" tells me that
Code:
000 #1: "VPN" STATE_MAIN_I2 (sent MI2, expecting MR2); EVENT_RETRANSMIT in 38s
000 #1: pending Phase 2 for "VPN" replacing #0

Is it a problem with NAT-T?


Title: Re: VPN Beta Testers Needed
Post by: dda on Thursday 26 September 2013, 06:33:10 am
Sorry, didn't realise you responded. I upgraded my 2.51 with ossw to 2.52. Are you getting Windows 7 and XP to connect with Endian but not iOS and Android?


Title: Re: VPN Beta Testers Needed
Post by: mmiat on Friday 27 September 2013, 05:33:08 am
Hi
I can connect with XP and W7 after disabling ipsec (Q818043 and Q240262), but iOS and Android can't.
I think something is wrong with NAT-T


Title: Re: VPN Beta Testers Needed
Post by: mmiat on Wednesday 02 October 2013, 08:29:12 pm
Any idea?

How can I connect my mobile devices?

Thanks