Title: VPN Beta Testers Needed
Post by: robert on Thursday 28 February 2013, 09:39:56 am
I'm just finishing up changes to the VPN support in EFW Community 2.5.1.
It includes the following improvements:
With these changes I'm able to connect from my phone behind a NATed connection using IPsec with certificate and Xauth as well as L2TP using a certificate or a PSK. This not only adds a new package for the L2TP support, it also modifies the existing efw-ipsec package. As a result I would like to get as much testing as possible before releasing it and possibly breaking someone's IPsec connection. If you are interested in giving this a try (and can access your firewall even without your IPsec connection :-)) please let me know.

Title: Re: VPN Beta Testers Needed
Post by: sota on Saturday 09 March 2013, 04:55:01 am
OK Robert, I'll give it a try.
Title: Re: VPN Beta Testers Needed
Post by: robert on Wednesday 13 March 2013, 02:47:37 pm
Ok, you can install it from my repositories; instructions for the repositories are at http://repo.opensource-sw.net/efw
The package you need to install using the smart package manager is ossw-l2tp. That will also install updated versions of strongswan and efw-ipsec.

Title: Re: VPN Beta Testers Needed
Post by: dda on Wednesday 20 March 2013, 04:23:09 am
Very interested in this as I have a VPN up now passing through to a windows server, but don't know how to install the packages.
Title: Re: VPN Beta Testers Needed
Post by: sota on Sunday 24 March 2013, 12:25:37 am
Hi Robert,
Thank you for that. I have run your script and enabled the additional channels. However, smart install returns "matches no packages" if I use ossw-l2tp or the full package name. If I give it the http path to the package, it comes back with "no package provides efw-ipsec >= 1:2.7.6". I assume it's a mistake on my part?
Thanks, Pat

Title: Re: VPN Beta Testers Needed
Post by: dda on Thursday 04 April 2013, 03:50:04 am
Hi, can someone explain to me how to run this script please?
Title: Re: VPN Beta Testers Needed
Post by: oleg31337 on Thursday 25 April 2013, 08:00:05 pm
Hi Robert,
I'm struggling to get your L2TP to work on EFW Community, with no luck so far :( Could you please assist in configuring it? I'm trying to connect from a Windows 7 machine and have tried different configs. I'm not sure what I am doing because I have very poor VPN background knowledge.

Title: Re: VPN Beta Testers Needed
Post by: oleg31337 on Thursday 25 April 2013, 08:16:19 pm
I think pre-shared key authentication doesn't work.
I have configured authentication using a self-signed certificate (generated it in the EFW interface) and the VPN connection worked ok.

Title: Re: VPN Beta Testers Needed
Post by: sota on Monday 17 June 2013, 03:21:17 am
I'm also having problems getting this to work with PSK authentication. What I see in the logs is the following:
ipsec_starter (17513) Starting strongSwan 4.6.4 IPsec [starter]...
ipsec_starter (17513) # duplicate "rightsubnet" option
ipsec_starter (17513) bad argument value in conn "MacSweeney-nat"
ipsec_starter (17513) ### 1 parsing error (1 fatal) ###
ipsec_starter (17513) unable to start strongSwan -- fatal errors in config
Anyone got any ideas?

Title: Re: VPN Beta Testers Needed
Post by: sota on Wednesday 19 June 2013, 09:24:55 pm
OK, so to answer my own question, I had an e-mail from Robert about this:
You need to patch /etc/ipsec/ipsec.conf.tmpl with the following patch:
--- ipsec.conf.tmpl-orig 2013-06-17 16:28:38.000000000 -0700
+++ ipsec.conf.tmpl 2013-06-17 16:28:42.000000000 -0700
@@ -59,9 +59,11 @@
 #end for
 #end for
+#if $conn.connection_type != 'net'
 conn $conn.name-nat
 rightsubnet=vhost:%priv,%no
 also=$conn.name
+#end if
 conn $conn.name
 dpdaction=$conn.dpd_action

Title: Re: VPN Beta Testers Needed
Post by: sota on Wednesday 19 June 2013, 09:27:57 pm
I ran smart install patch and then tried to patch /etc/ipsec/ipsec.conf.tmpl, but it failed for some reason, so I patched it manually. All my VPNs are now back.
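Review bot: the `#if $conn.connection_type != 'net'` guard deserves a one-line template comment saying why the `-nat` stanza is skipped for net-to-net conns: `also=$conn.name` pulls the base conn's keywords into `$conn.name-nat`, so whenever the base conn already carries a `rightsubnet` (which a net-to-net conn does) the stanza's own `rightsubnet=vhost:%priv,%no` collides with it and the starter aborts with `# duplicate "rightsubnet" option` / `bad argument value in conn "<name>-nat"`, the failure quoted earlier in this thread. Without that comment the condition looks optional to the next person editing the loop. A second, practical point for anyone applying this by hand: the hunk as reproduced in the post has lost its line breaks and leading whitespace, so `patch` may not apply it from a copy of this text, and the two added lines have to be entered into the template at the indentation of the surrounding `conn` lines.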
Thanks, Robert!

Title: Re: VPN Beta Testers Needed
Post by: barracksbuilder on Thursday 20 June 2013, 11:12:22 am
I've installed your ossw-l2tp package and can see additional tabs in VPN. I think I am having trouble configuring the tunnel.
IPsec Tab => Enabled: checked, Zone: green, Dynamic IP pool: 192.168.9.1/24 (outside of any zones). I clicked Add. Select L2TP Host-to-Net Virtual Private Network. Name: L2TP, Authentication: Use a pre-shared key: password. All other settings left to default or blank. (Save)
L2TP Tab => Check L2TP server enabled, Zone: Green, IP pool start 192.168.8.2, IP pool end 192.168.8.10 (this IP is outside of my zones), all debugging options checked. (Save and restart)
IPsec / L2TP Users Tab => Add account, username: test, password: password2, Authentication Methods: L2TP checked. (Save)
I then click Restart IPsec / L2TP server.
Android Phone (S4 with Wifi off, connecting through Sprint): New VPN => Name: Test, Type L2TP/IPSec PSK, Server Address: my red IP from Comcast, IPsec pre-shared key: password (same as in the IPsec Tab L2TP entry that I created) [Save]
Click to connect => username: test, password: password2, save account info: checked [Connect]
It sits and connects for a while; I do see some logging going on in the system log. I removed my remote IP (Endian); you can have my phone's IP, Sprint will rotate it as soon as I reconnect to their network.
Code:
System 2013-06-19 19:58:08 pluto (11718) | removing 20 bytes of padding
System 2013-06-19 19:58:08 pluto (11718) | peer client is 29.41.67.41
System 2013-06-19 19:58:08 pluto (11718) | peer client protocol/port is 17/0
System 2013-06-19 19:58:08 pluto (11718) | our client is {removed}
System 2013-06-19 19:58:08 pluto (11718) | our client protocol/port is 17/1701
System 2013-06-19 19:58:08 pluto (11718) cannot respond to IPsec SA request because no connection is known for {removed}:4500[{removed}]:17/1701...68.24.131.41:35953[29.41.67.41]:17/%any===29.41.67.41/32
System 2013-06-19 19:58:08 pluto (11718) sending encrypted notification INVALID_ID_INFORMATION to 68.24.131.41:35953
...
System 2013-06-19 19:58:08 pluto (11718) INVALID_ID_INFORMATION
System 2013-06-19 19:58:08 pluto (11718) | emitting 0 raw bytes of spi into ISAKMP Notification Payload
System 2013-06-19 19:58:08 pluto (11718) | spi
System 2013-06-19 19:58:08 pluto (11718) 12
System 2013-06-19 19:58:08 pluto (11718) | emitting 12 zero bytes of encryption padding into ISAKMP Message
System 2013-06-19 19:58:08 pluto (11718) 76
System 2013-06-19 19:58:10 pluto (11718) |
System 2013-06-19 19:58:10 pluto (11718) | *received 348 bytes from 68.24.131.41:35953 on eth4
System 2013-06-19 19:58:10 pluto (11718) | **parse ISAKMP Message:
System 2013-06-19 19:58:10 pluto (11718) | initiator cookie:
System 2013-06-19 19:58:10 pluto (11718) | 38 31 dc 09 36 b9 2f ed
System 2013-06-19 19:58:10 pluto (11718) | responder cookie:
System 2013-06-19 19:58:10 pluto (11718) | 54 fa 96 07 87 77 58 15
System 2013-06-19 19:58:10 pluto (11718) ISAKMP_NEXT_HASH
System 2013-06-19 19:58:10 pluto (11718) ISAKMP Version 1.0
System 2013-06-19 19:58:10 pluto (11718) ISAKMP_XCHG_QUICK
System 2013-06-19 19:58:10 pluto (11718) ISAKMP_FLAG_ENCRYPTION
System 2013-06-19 19:58:10 pluto (11718) b2 9b aa 69
System 2013-06-19 19:58:10 pluto (11718) 348
System 2013-06-19 19:58:10 pluto (11718) Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x69aa9bb2 (perhaps this is a duplicated packet)
System 2013-06-19 19:58:10 pluto (11718) sending encrypted notification INVALID_MESSAGE_ID to 68.24.131.41:35953
...
System 2013-06-19 19:58:20 pluto (11718) | ***emit ISAKMP Notification Payload:
System 2013-06-19 19:58:20 pluto (11718) ISAKMP_NEXT_NONE
System 2013-06-19 19:58:20 pluto (11718) ISAKMP_DOI_IPSEC
System 2013-06-19 19:58:20 pluto (11718) 1
System 2013-06-19 19:58:20 pluto (11718) 0
System 2013-06-19 19:58:20 pluto (11718) INVALID_MESSAGE_ID
System 2013-06-19 19:58:20 pluto (11718) | emitting 0 raw bytes of spi into ISAKMP Notification Payload
System 2013-06-19 19:58:20 pluto (11718) | spi
System 2013-06-19 19:58:20 pluto (11718) 12
System 2013-06-19 19:58:20 pluto (11718) | emitting 12 zero bytes of encryption padding into ISAKMP Message
System 2013-06-19 19:58:20 pluto (11718) 76
System 2013-06-19 19:58:22 pluto (11718) | ...
System 2013-06-19 19:58:35 pluto (11718) | emitting 12 zero bytes of encryption padding into ISAKMP Message
System 2013-06-19 19:58:35 pluto (11718) 76
I had to trim down the logs; I kept the things that stuck out to me. Any help is appreciated.

Title: Re: VPN Beta Testers Needed
Post by: svoelker on Friday 28 June 2013, 01:32:24 am
Somehow the openvpn user tab is gone now.
I mean I can still open it in the browser manually when I enter /cgi-bin/openvpn_users.cgi, but it would be more comfortable to get it back into the menu. No idea why it's gone though, and I doubt the IPsec / L2TP users are used for OpenVPN as well.

Title: Re: VPN Beta Testers Needed
Post by: membrane on Friday 26 July 2013, 04:53:14 am
How exactly do you apply the patch?
Title: Re: VPN Beta Testers Needed
Post by: dda on Wednesday 14 August 2013, 08:47:08 am
Check out this thread, Membrane:
http://www.efwsupport.com/index.php/topic,3101.msg10089.html#msg10089

Title: Re: VPN Beta Testers Needed
Post by: mmiat on Wednesday 18 September 2013, 01:30:42 am
Wow! This seems very interesting! Is it compatible with ALL versions of Endian 2.5?
thanks

Title: Re: VPN Beta Testers Needed
Post by: mmiat on Wednesday 18 September 2013, 01:47:04 am
I reply to myself: it doesn't work with 2.5.2
Code:
Traceback (most recent call last):
  File "/usr/bin/smart", line 200, in ?
    main(sys.argv[1:])
  File "/usr/bin/smart", line 173, in main
    exitcode = iface.run(opts.command, opts.argv)
  File "/usr/lib/python2.4/site-packages/smart/interface.py", line 53, in run
    result = _command.main(self._ctrl, opts)
  File "/usr/lib/python2.4/site-packages/smart/commands/update.py", line 81, in main
    ctrl.reloadChannels()
  File "/usr/lib/python2.4/site-packages/smart/control.py", line 388, in reloadChannels
    if not channel.fetch(self._fetcher, progress):
  File "/usr/lib/python2.4/site-packages/smart/channels/rpm_md.py", line 287, in fetch
    fetcher.run(progress=progress)
  File "/usr/lib/python2.4/site-packages/smart/fetcher.py", line 201, in run
    self.runLocal()
  File "/usr/lib/python2.4/site-packages/smart/fetcher.py", line 182, in runLocal
    handler.runLocal()
  File "/usr/lib/python2.4/site-packages/smart/fetcher.py", line 750, in runLocal
    if not valid and fetcher.validate(item, localpath):
  File "/usr/lib/python2.4/site-packages/smart/fetcher.py", line 408, in validate
    from smart.util.sha256 import sha256
ImportError: No module named sha256

Title: Re: VPN Beta Testers Needed
Post by: mmiat on Wednesday 18 September 2013, 07:33:52 pm
It seems ok with Windows 7; with Windows XP I have a 789 error: "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer"
Title: Re: VPN Beta Testers Needed
Post by: dda on Thursday 19 September 2013, 02:33:28 am
Are you connecting to the firewall or to a server behind the firewall?

Title: Re: VPN Beta Testers Needed
Post by: mmiat on Thursday 19 September 2013, 03:55:04 am
I installed ossw-l2tp and am trying to connect to EFW.

Title: Re: VPN Beta Testers Needed
Post by: dda on Thursday 19 September 2013, 07:02:01 am
Did you install 2.52? I have mine running connecting to a windows server behind the firewall. I had a lot of problems with Endian itself. Did you say Windows 7 is connecting but XP is not? Did you make the changes in the registry for L2TP on the Windows XP machine?
Title: Re: VPN Beta Testers Needed
Post by: mmiat on Thursday 19 September 2013, 08:33:40 am
I've EFW 2.5.1; the ossw repository is not compatible with 2.5.2.
I've not made changes in the XP registry; what do I have to do? thanks

Title: Re: VPN Beta Testers Needed
Post by: mmiat on Thursday 19 September 2013, 05:29:28 pm
iPad works too

Title: Re: VPN Beta Testers Needed
Post by: mmiat on Thursday 19 September 2013, 05:37:22 pm
yeahhhhhhh it works!!!
I downloaded the DrayTek Smart VPN Client, which modifies the registry for me, and now with XP I can connect. Awesome!

Title: Re: VPN Beta Testers Needed
Post by: mmiat on Thursday 19 September 2013, 07:38:05 pm
unbelievable....
Now I try to configure a net-to-net IPsec VPN, but I have the same error as sota:
Code:
Sep 19 11:35:27 ipsec_starter[13899] Starting strongSwan 4.6.4 IPsec [starter]...
Sep 19 11:35:27 ipsec_starter[13899] # duplicate 'rightsubnet' option
Sep 19 11:35:27 ipsec_starter[13899] bad argument value in conn 'SNAM-nat'
Sep 19 11:35:27 ipsec_starter[13899] ### 1 parsing error (1 fatal) ###
Sep 19 11:35:27 ipsec_starter[13899] unable to start strongSwan -- fatal errors in config
but I don't understand how to apply the patch

Title: Re: VPN Beta Testers Needed
Post by: mmiat on Thursday 19 September 2013, 10:01:40 pm
Maybe I solved it.... in case, later I post the solution :)
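The `duplicate 'rightsubnet' option` failure that sota and mmiat report above comes from the generated `<name>-nat` stanza setting `rightsubnet` and then pulling the base conn in through `also=`, which for a net-to-net conn already carries its own `rightsubnet`. The following Python script is an added example, not Endian's or strongSwan's code: it parses an ipsec.conf, expands `also=` the way the starter's error messages indicate it does (a keyword that ends up set twice in the merged conn is an error), and names the offending conn before strongSwan is restarted. The configs embedded in it are constructed to mirror the template's output: the net-to-net conn `SNAM` with and without its `SNAM-nat` stanza, and a host-to-net conn `L2TP` whose `-nat` stanza is harmless because the base conn has no `rightsubnet`. Addresses are RFC 5737 documentation ranges.

```python
"""Lint an ipsec.conf for the "duplicate option" error the strongSwan starter raises.

Added example (not Endian or strongSwan code). It models one check that the
starter's messages in this thread show it performing: when a conn pulls another
section in through also=, a keyword already set in the conn must not appear
again, otherwise loading stops with
    # duplicate "rightsubnet" option
    bad argument value in conn "<name>-nat"
The model is deliberately small: no %default handling and no value checks.
"""
import re
import sys

SECTION_RE = re.compile(r"^(conn|config|ca)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {conn_name: [(key, value), ...]} in the order keys appear.

    Only conn sections are collected. A section header starts in column 0 and
    its body lines are indented; comments (#) and blank lines are ignored.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = SECTION_RE.match(line)
        if header:
            kind, name = header.groups()
            current = name if kind == "conn" else None
            if current is not None:
                sections[current] = []
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        sections[current].append((key.strip(), value.strip()))
    return sections


def expand_conn(name, sections):
    """Merge conn `name` with its also= sections; raise on a repeated keyword.

    The conn's own keywords load first, then each also= target in order,
    recursively. A keyword already present in the merged conn is an error
    attributed to `name`, like the starter's "bad argument value in conn" line.
    """
    merged = {}
    visited = set()

    def load(section):
        if section in visited:  # an also= loop would otherwise recurse forever
            raise ValueError('also= loop through "%s" in conn "%s"' % (section, name))
        if section not in sections:
            raise ValueError('also=%s in conn "%s" refers to an unknown conn' % (section, name))
        visited.add(section)
        targets = []
        for key, value in sections[section]:
            if key == "also":
                targets.append(value)
                continue
            if key in merged:
                raise ValueError('duplicate "%s" option in conn "%s"' % (key, name))
            merged[key] = value
        for target in targets:
            load(target)

    load(name)
    return merged


def lint(text):
    """Return error strings for every conn that fails to expand; [] means it loads."""
    sections = parse_ipsec_conf(text)
    errors = []
    for name in sections:
        try:
            expand_conn(name, sections)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


# Constructed samples mirroring the template output discussed in the thread.
NET_TO_NET_BROKEN = """\
config setup
    plutostart=yes

conn SNAM-nat
    rightsubnet=vhost:%priv,%no
    also=SNAM

conn SNAM
    left=203.0.113.1
    leftsubnet=192.168.1.0/24
    right=198.51.100.7
    rightsubnet=192.168.2.0/24
    auto=start
"""
# The patched template emits no -nat stanza for a net-to-net conn.
NET_TO_NET_FIXED = NET_TO_NET_BROKEN.replace(
    "conn SNAM-nat\n    rightsubnet=vhost:%priv,%no\n    also=SNAM\n\n", "")
# A host-to-net conn keeps its -nat stanza; the base conn sets no rightsubnet.
HOST_TO_NET = """\
conn L2TP-nat
    rightsubnet=vhost:%priv,%no
    also=L2TP

conn L2TP
    left=203.0.113.1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    authby=secret
    auto=add
"""


def main(argv):
    if len(argv) > 1:  # lint a real file, e.g. the rendered /etc/ipsec.conf
        with open(argv[1]) as fh:
            errors = lint(fh.read())
    else:  # no file given: lint the embedded samples
        errors = ["%s: %s" % (label, err)
                  for label, cfg in (("broken", NET_TO_NET_BROKEN),
                                     ("fixed", NET_TO_NET_FIXED),
                                     ("host-to-net", HOST_TO_NET))
                  for err in lint(cfg)]
    for err in errors:
        print(err)
    return 1 if errors else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the rendered file (`python lint_ipsec_conf.py /etc/ipsec.conf`) before restarting IPsec; a non-zero exit means the starter would have aborted with the same duplicate, and the message names the conn to fix. With no argument it lints the embedded samples and reports only the `SNAM-nat` duplicate.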
Title: Re: VPN Beta Testers Needed
Post by: mmiat on Friday 20 September 2013, 01:19:36 am
If I add more than 1 user in L2TP users (https://ip:10443/cgi-bin/vpn_users.cgi) the layout goes wrong

Title: Re: VPN Beta Testers Needed
Post by: mmiat on Saturday 21 September 2013, 08:23:10 pm
Nothing to do... XP and W7 work with Q818043 and Q240262, but Android and iOS don't.
I tried with PSK and with Certificate, I changed leftid and rightid, I tried manually modifying ipsec.conf, but nothing works

Title: Re: VPN Beta Testers Needed
Post by: mmiat on Monday 23 September 2013, 03:08:57 am
Everything works well with Windows XP and Windows 7, but iOS (iPhone/iPad) and Android don't connect. OSX and Ubuntu I haven't tried for the moment.
The part of the log that I think is useful:
Code:
Sep 22 19:05:48 pluto[2692] "L2TP"[1] 87.0.178.18 #1: Peer ID is ID_IPV4_ADDR: '192.168.82.100'
Sep 22 19:05:48 pluto[2692] "L2TP"[2] 87.0.178.18 #1: deleting connection "L2TP" instance with peer 87.0.178.18 {isakmp=#0/ipsec=#0}
Sep 22 19:05:48 pluto[2692] | NAT-T: new mapping 87.0.178.18:500/15587)
Sep 22 19:05:48 pluto[2692] "L2TP"[2] 87.0.178.18:15587 #1: sent MR3, ISAKMP SA established
[...]
Sep 22 19:05:49 pluto[2692] "L2TP"[2] 87.0.178.18:15587 #1: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
Sep 22 19:05:49 pluto[2692] "L2TP"[2] 87.0.178.18:15587 #1: malformed payload in packet
Sep 22 19:05:49 pluto[2692] "L2TP"[2] 87.0.178.18:15587 #1: sending encrypted notification PAYLOAD_MALFORMED to 87.0.178.18:15587
[...]
Sep 22 19:06:44 pluto[2692] "L2TP"[2] 87.0.178.18:15587 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x4d5e5fb1 (perhaps this is a duplicated packet)
Sep 22 19:06:44 pluto[2692] "L2TP"[2] 87.0.178.18:15587 #1: sending encrypted notification INVALID_MESSAGE_ID to 87.0.178.18:15587
Sep 22 19:06:47 xl2tpd[9961] network_thread: recv packet from 87.0.178.18, size = 69, tunnel = 0, call = 0 ref=0 refhim=0
Sep 22 19:06:47 xl2tpd[9961] get_call: allocating new tunnel for host 87.0.178.18, port 17345.
Sep 22 19:06:47 xl2tpd[9961] handle_avps: handling avp's for tunnel 43220, call 9005
Sep 22 19:06:47 xl2tpd[9961] message_type_avp: message type 1 (Start-Control-Connection-Request)
Sep 22 19:06:47 xl2tpd[9961] protocol_version_avp: peer is using version 1, revision 0.
Sep 22 19:06:47 xl2tpd[9961] hostname_avp: peer reports hostname 'anonymous'
Sep 22 19:06:47 xl2tpd[9961] framing_caps_avp: supported peer frames: async sync
Sep 22 19:06:47 xl2tpd[9961] assigned_tunnel_avp: using peer's tunnel 46540
Sep 22 19:06:47 xl2tpd[9961] receive_window_size_avp: peer wants RWS of 1. Will use flow control.
Sep 22 19:06:47 xl2tpd[9961] control_finish: message type is Start-Control-Connection-Request(1). Tunnel is 46540, call is 0.
Sep 22 19:06:47 xl2tpd[9961] control_finish: sending SCCRP
Sep 22 19:06:49 xl2tpd[9961] network_thread: recv packet from 87.0.178.18, size = 36, tunnel = 0, call = 0 ref=0 refhim=0
Sep 22 19:06:49 xl2tpd[9961] get_call: allocating new tunnel for host 87.0.178.18, port 17345.
Sep 22 19:06:49 xl2tpd[9961] check_control: Received out of order control packet on tunnel -1 (got 1, expected 0)
Sep 22 19:06:49 xl2tpd[9961] handle_packet: bad control packet!
Sep 22 19:06:49 xl2tpd[9961] network_thread: bad packet
Sep 22 19:06:49 xl2tpd[9961] build_fdset: closing down tunnel 44636
Sep 22 19:06:50 xl2tpd[9961] network_thread: select timeout
Sep 22 19:06:51 xl2tpd[9961] network_thread: select timeout
Sep 22 19:06:52 xl2tpd[9961] network_thread: select timeout
Sep 22 19:06:53 xl2tpd[9961] network_thread: select timeout
Sep 22 19:06:54 xl2tpd[9961] network_thread: select timeout
Sep 22 19:06:54 xl2tpd[9961] Maximum retries exceeded for tunnel 43220. Closing.
Sep 22 19:06:54 xl2tpd[9961] Connection 46540 closed to 87.0.178.18, port 17345 (Timeout)
Sep 22 19:06:55 xl2tpd[9961] network_thread: select timeout
Sep 22 19:06:56 xl2tpd[9961] network_thread: select timeout
Sep 22 19:06:57 xl2tpd[9961] network_thread: select timeout
Sep 22 19:06:58 xl2tpd[9961] network_thread: select timeout
Sep 22 19:06:59 xl2tpd[9961] network_thread: select timeout
Sep 22 19:06:59 xl2tpd[9961] Unable to deliver closing message for tunnel 43220. Destroying anyway.
Thanks for any help.

Title: Re: VPN Beta Testers Needed
Post by: mmiat on Tuesday 24 September 2013, 10:37:48 pm
I've added a new IPsec net-to-net connection and it doesn't work either... "ipsec status" tells me that
Code:
000 #1: "VPN" STATE_MAIN_I2 (sent MI2, expecting MR2); EVENT_RETRANSMIT in 38s
000 #1: pending Phase 2 for "VPN" replacing #0
Is it a problem with NAT-T?

Title: Re: VPN Beta Testers Needed
Post by: dda on Thursday 26 September 2013, 06:33:10 am
Sorry, didn't realise you responded. I upgraded my 2.51 with ossw to 2.52. Are you getting Windows 7 and XP to connect with Endian but not iOS and Android?
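The log excerpts in this thread (sota's starter error, barracksbuilder's pluto trace, mmiat's pluto/xl2tpd log and the `ipsec status` output just above) each fail at a different stage of the L2TP/IPsec setup, and the line that matters is usually buried among retransmits and payload dumps. The script below is an added example, not part of Endian, strongSwan or xl2tpd: it matches the message patterns quoted in this thread, tags each with the stage it belongs to (config load, IKE phase 1, IKE phase 2, L2TP control channel) and reports the earliest stage that failed, which is the one to fix first. The explanations are this example's own reading of the messages; the sample lines are constructed from the posted logs with the addresses replaced by RFC 5737 documentation ranges.

```python
"""Triage pluto / xl2tpd / ipsec_starter log lines from an L2TP/IPsec setup.

Added example, not Endian's, strongSwan's or xl2tpd's code. The message
patterns come from the log excerpts in this thread; the phase tags and
explanations are this example's own reading of them. Phases are ordered as
the connection is built, so the earliest failing phase is fixed first.
"""
import re
import sys

PHASE_ORDER = ["config", "phase1", "phase2", "l2tp"]

# (regex, phase, status, explanation); "{0}" is filled with the regex's first
# group when it has one. The "." around the option name matches either quote
# style the starter uses ('rightsubnet' or "rightsubnet").
SIGNATURES = [
    (r"# duplicate .(\w+). option", "config", "fail",
     "a conn sets {0} itself and again through also=; the starter refuses the config"),
    (r"unable to start strongSwan -- fatal errors in config", "config", "fail",
     "the IKE daemon never started, so no tunnel can come up until the config loads"),
    (r"STATE_MAIN_I2 \(sent MI2, expecting MR2\)", "phase1", "fail",
     "we initiated Main Mode and keep retransmitting MI2: the peer's MR2 never arrives"),
    (r"ISAKMP SA established", "phase1", "ok", "Main Mode completed"),
    (r"byte \d+ of ISAKMP NAT-OA Payload must be zero", "phase2", "fail",
     "the NAT-OA payload from a NATed client was rejected, so Quick Mode is dropped"),
    (r"malformed payload in packet", "phase2", "fail",
     "Quick Mode packet rejected as malformed; the line just before it says why"),
    (r"cannot respond to IPsec SA request because no connection is known for", "phase2", "fail",
     "no conn matches the client's proposed selectors (for L2TP: UDP 1701 on our side)"),
    (r"sending encrypted notification (INVALID_ID_INFORMATION|PAYLOAD_MALFORMED|INVALID_MESSAGE_ID)",
     "phase2", "fail", "error notification sent to the client: {0}"),
    (r"Quick Mode I1 message is unacceptable because it uses a previously used Message ID",
     "phase2", "fail", "the client retried Quick Mode after a failure; the first rejection above is the cause"),
    (r"xl2tpd\[\d+\] .*Received out of order control packet", "l2tp", "fail",
     "L2TP control channel out of sync, usually because the IPsec SA is not carrying traffic"),
    (r"xl2tpd\[\d+\] .*Maximum retries exceeded for tunnel", "l2tp", "fail",
     "L2TP tunnel gave up; fix the IPsec side first"),
]
COMPILED = [(re.compile(rx), phase, status, text) for rx, phase, status, text in SIGNATURES]


def classify_line(line):
    """Return (phase, status, explanation) for a known message, else None."""
    for rx, phase, status, text in COMPILED:
        match = rx.search(line)
        if match:
            detail = match.group(1) if match.groups() else ""
            return phase, status, text.format(detail)
    return None


def triage(lines):
    """Classify every line and name the earliest phase that reported a failure."""
    findings = [hit for hit in (classify_line(l) for l in lines) if hit is not None]
    failing = [phase for phase, status, _ in findings if status == "fail"]
    first = min(failing, key=PHASE_ORDER.index) if failing else None
    return {"first_failure": first, "findings": findings}


# Constructed sample lines, modelled on the excerpts posted in this thread.
CONFIG_LOG = [
    "Sep 19 11:35:27 ipsec_starter[13899] Starting strongSwan 4.6.4 IPsec [starter]...",
    "Sep 19 11:35:27 ipsec_starter[13899] # duplicate 'rightsubnet' option",
    "Sep 19 11:35:27 ipsec_starter[13899] bad argument value in conn 'SNAM-nat'",
    "Sep 19 11:35:27 ipsec_starter[13899] unable to start strongSwan -- fatal errors in config",
]
MOBILE_LOG = [
    'Sep 22 19:05:48 pluto[2692] "L2TP"[2] 198.51.100.7:15587 #1: sent MR3, ISAKMP SA established',
    'Sep 22 19:05:49 pluto[2692] "L2TP"[2] 198.51.100.7:15587 #1: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not',
    'Sep 22 19:05:49 pluto[2692] "L2TP"[2] 198.51.100.7:15587 #1: malformed payload in packet',
    'Sep 22 19:05:49 pluto[2692] "L2TP"[2] 198.51.100.7:15587 #1: sending encrypted notification PAYLOAD_MALFORMED to 198.51.100.7:15587',
    'Sep 22 19:06:44 pluto[2692] "L2TP"[2] 198.51.100.7:15587 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x4d5e5fb1 (perhaps this is a duplicated packet)',
    "Sep 22 19:06:49 xl2tpd[9961] check_control: Received out of order control packet on tunnel -1 (got 1, expected 0)",
    "Sep 22 19:06:50 xl2tpd[9961] network_thread: select timeout",
    "Sep 22 19:06:54 xl2tpd[9961] Maximum retries exceeded for tunnel 43220. Closing.",
]
ANDROID_LOG = [
    "System 2013-06-19 19:58:08 pluto (11718) cannot respond to IPsec SA request because no connection is known for 203.0.113.1:4500[203.0.113.1]:17/1701...198.51.100.9:35953[10.0.0.5]:17/%any===10.0.0.5/32",
    "System 2013-06-19 19:58:08 pluto (11718) sending encrypted notification INVALID_ID_INFORMATION to 198.51.100.9:35953",
]
STATUS_OUTPUT = ['000 #1: "VPN" STATE_MAIN_I2 (sent MI2, expecting MR2); EVENT_RETRANSMIT in 38s']


def main(argv):
    if len(argv) > 1:  # e.g. a saved copy of /var/log/messages
        with open(argv[1]) as fh:
            lines = fh.read().splitlines()
    else:  # no file given: triage the embedded samples
        lines = CONFIG_LOG + MOBILE_LOG + ANDROID_LOG + STATUS_OUTPUT
    result = triage(lines)
    for phase, status, text in result["findings"]:
        print("[%s/%s] %s" % (phase, status, text))
    print("first failing phase: %s" % result["first_failure"])


if __name__ == "__main__":
    main(sys.argv)
```

Feed it the firewall's log (`python triage_l2tp.py /var/log/messages`) or pipe `ipsec status` output into a file first; with no argument it walks the embedded samples. The ordering is the point: a `phase2` or `l2tp` finding is not worth chasing while a `config` or `phase1` failure is present, because nothing later in the log can have succeeded.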
Title: Re: VPN Beta Testers Needed
Post by: mmiat on Friday 27 September 2013, 05:33:08 am
Hi
I connect with XP and W7 after disabling IPsec (Q818043 and Q240262), but iOS and Android can't. I think something is wrong with NAT-T.

Title: Re: VPN Beta Testers Needed
Post by: mmiat on Wednesday 02 October 2013, 08:29:12 pm
Any idea?
How can I connect my mobile devices? thanks