This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[6.300] - ipsec passthrough

Hi!

I'm trying to figure out how I can get this scenario working:

CISCO 831 (Router) --> ASG (gatekeeper1) --> DMZ --> ASG (gatekeeper2) --> LAN

My intention is to get a client-to-site VPN (ipsec) up and running (roardwarrior with dynamic ip should have access to my local LAN).

First of all the cisco has to be able to let ipsec packets through. I'm still on getting this to work, as it seems that packets still don't pass the cisco to gatekeeper1.

My question I would like to ask you is: what packet-rules do I have to set on gatekeeper1 to let all ipsec-related traffic pass through it?

What I did so far is: I created a servicegroup "SG-ipsec" with the following services included: ipsec_ah, ipsec_esp, ipsec_ip and ipsec_isakmp which have to following details:

ipsec_ah: proto: AH, source/dest-ports: 256:4294967295
ipsec_esp: proto: ESP, source/dest-ports: 256:4294967295
ipsec_ip: proto: IP, source/dest-ports: 50
ipsec_isakmp: proto: udp, sourceport: 500, destport: 500

All right, is this the way the gatekeeper1 could let all the ipsec-relatet packets pass??
Or are these rules wrong all the way?

gatekeeper2 is already configured to accept VPN connections, ipsec is set up already.

If I missed any important information pls let me know, I will then pass it on right away.

Hope anyone knows something... ;-)

Michael

This thread was automatically locked due to age.

Parents

0 tuxi over 19 years ago

I got the cisco part running - the packets (isakmp, port 500 udp) is now getting to gatekeeper1. Nothing shows up at gatekeeper2.
Any ideas?

Michael
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 19 years ago in reply to tuxi

Open up Port 4500 UDP... the roadwarrior connections use that port too.
Cancel
Vote Up 0 Vote Down

Cancel
0 tuxi over 19 years ago in reply to BrucekConvergent

Hi,

I now tried everything I could think of.
I opened port 4500 also, but I only get a green light at the ISAKMP SA - session status. The IPsec SA stays red all the time. VPN status tells me:

[gatekeeper2.net-waves.de] VPN Status: Auto refresh (Press F5 to refresh manually)

====================================================
000
000 "S_ipsec2__0": 172.16.10.0/23===212.60.137.254...%any; unrouted; eroute owner: #0
000 "S_ipsec2__0":     srcip=unset; dstip=unset; srcup=/opt/_updown.strict_routing 2>/tmp/log 1>/tmp/log; dstup=/opt/_updown.strict_routing 2>/tmp/log 1>/tmp/log;
000 "S_ipsec2__0":   ike_life: 7800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "S_ipsec2__0":   policy: PSK+ENCRYPT+TUNNEL; prio: 23,32; interface: eth1;
000 "S_ipsec2__0":   dpd: action:restart; delay:30; timeout:120;
000 "S_ipsec2__0":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "S_ipsec2__0":   IKE algorithms wanted: 5_000-1-5, flags=-strict
000 "S_ipsec2__0":   IKE algorithms found:  5_192-1_128-5,
000 "S_ipsec2__0":   ESP algorithms wanted: 3_000-1, flags=-strict
000 "S_ipsec2__0":   ESP algorithms loaded: 3_000-1, flags=-strict
000 "S_ipsec2__0"[2]: 172.16.10.0/23===212.60.137.254...84.141.98.195[@nw-nblits]; unrouted; eroute owner: #0
000 "S_ipsec2__0"[2]:     srcip=unset; dstip=unset; srcup=/opt/_updown.strict_routing 2>/tmp/log 1>/tmp/log; dstup=/opt/_updown.strict_routing 2>/tmp/log 1>/tmp/log;
000 "S_ipsec2__0"[2]:   ike_life: 7800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "S_ipsec2__0"[2]:   policy: PSK+ENCRYPT+TUNNEL; prio: 23,32; interface: eth1;
000 "S_ipsec2__0"[2]:   dpd: action:restart; delay:30; timeout:120;
000 "S_ipsec2__0"[2]:   newest ISAKMP SA: #11; newest IPsec SA: #0;
000 "S_ipsec2__0"[2]:   IKE algorithms wanted: 5_000-1-5, flags=-strict
000 "S_ipsec2__0"[2]:   IKE algorithms found:  5_192-1_128-5,
000 "S_ipsec2__0"[2]:   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "S_ipsec2__0"[2]:   ESP algorithms wanted: 3_000-1, flags=-strict
000 "S_ipsec2__0"[2]:   ESP algorithms loaded: 3_000-1, flags=-strict
000
000 #8: "S_ipsec2__0"[2] 84.141.98.195:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 5521s; nodpd
000 #6: "S_ipsec2__0"[2] 84.141.98.195:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3685s; nodpd
000 #11: "S_ipsec2__0"[2] 84.141.98.195:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 7306s; newest ISAKMP; nodpd
000 #10: "S_ipsec2__0"[2] 84.141.98.195:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 6131s; nodpd
000 #9: "S_ipsec2__0"[2] 84.141.98.195:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 5918s; nodpd
000 #7: "S_ipsec2__0"[2] 84.141.98.195:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 5164s; nodpd
000
====================================================

Now I don't have any ideas left.
What's this all about? What am I doing wrong?

Would be great if someone could help me out here!

Michael
Cancel
Vote Up 0 Vote Down

Cancel
0 tuxi over 19 years ago in reply to tuxi

Hi,

I could fine the following in the debug log of ipsec:

================================================
2006:07:15-10:05:15 (none) pluto[22300]: "S_ipsec2__0"[2] 84.141.72.16 #2: cannot respond to IPsec SA request because no connection is known for 172.16.10.0/23===212.60.137.254...84.141.72.16[@nw-nblits]===192.168.154.65/32
2006:07:15-10:05:15 (none) pluto[22300]: "S_ipsec2__0"[2] 84.141.72.16 #2: sending encrypted notification INVALID_ID_INFORMATION to 84.141.72.16:4500
================================================

I searched nearly all posts corresponding that "cannot respond ... no connection" topic, but did not get further.
Router is a Netgear WGR614(v1) or (at another site) AVM FritzBox 7050. With both routers no connection is possible, it seems.
I must do anything wrong, but I don't know what...
I tried to set the computer behind the router to an exposed host (Netgear: DMZ server, AVM FritzBox: exposed host, whereby exposed host the more correct definition is as we all know) but nothing works.
Setting ipsec related ports to be forwarded to the computer behind the router doesn't help, too.

Please help, I think there must be a possibility to get this working - this almost seems to me to be a standard scenario - XP roadwarrior behind router which has to connect to an ASG machine...

I never though that this could become this difficult... :-/

Michael
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 tuxi over 19 years ago in reply to tuxi

Hi,

I could fine the following in the debug log of ipsec:

================================================
2006:07:15-10:05:15 (none) pluto[22300]: "S_ipsec2__0"[2] 84.141.72.16 #2: cannot respond to IPsec SA request because no connection is known for 172.16.10.0/23===212.60.137.254...84.141.72.16[@nw-nblits]===192.168.154.65/32
2006:07:15-10:05:15 (none) pluto[22300]: "S_ipsec2__0"[2] 84.141.72.16 #2: sending encrypted notification INVALID_ID_INFORMATION to 84.141.72.16:4500
================================================

I searched nearly all posts corresponding that "cannot respond ... no connection" topic, but did not get further.
Router is a Netgear WGR614(v1) or (at another site) AVM FritzBox 7050. With both routers no connection is possible, it seems.
I must do anything wrong, but I don't know what...
I tried to set the computer behind the router to an exposed host (Netgear: DMZ server, AVM FritzBox: exposed host, whereby exposed host the more correct definition is as we all know) but nothing works.
Setting ipsec related ports to be forwarded to the computer behind the router doesn't help, too.

Please help, I think there must be a possibility to get this working - this almost seems to me to be a standard scenario - XP roadwarrior behind router which has to connect to an ASG machine...

I never though that this could become this difficult... :-/

Michael
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data