This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSec VPN problem: no connection is known for

I'm trying to use the IPSec VPN part of Astaro v3.2 together with Sentinel v. 1.3.2 (w2k, service pack 3).

Basic network setup is something like:

Company LAN: 192.168.100.0/255.255.255.192 (not the real one)
Company FW: 70.35.15.25 (public IP - but not the real one)
Roadwarrior: 90.30.10.20 (public IP - i.e. no NAT'ing - not the real address).

However, diagnosing the VPN connection I get:

Cannot run the diagnostics. The remote end does not respond to
the IKE proposal (phase-1). Make sure that you filter rules bypass
the IKE data packets. Also, verify that the remote end runs
IPSec/IKE, and that it is not temporarily offline or unreachable due
to network configuration.

From the Astaro log at least something seems to be working:

1. packet from 90.30.10.20:500: ignoring Vendor ID payload

2. "remote2company__vpn_1" 90.30.10.20 #1: responding to Main Mode from unknown peer 90.30.10.20

3. "remote2company__vpn_1" 90.30.10.20 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT

4. "remote2company__vpn_1" 90.30.10.20 #1: Peer ID is ID_IPV4_ADDR: '90.30.10.20'

5. "remote2company__vpn_1" 90.30.10.20 #1: Issuer CRL not found

6. "remote2company__vpn_1" 90.30.10.20 #1: Issuer CRL not found

7. "remote2company__vpn_1" 90.30.10.20 #1: sent MR3, ISAKMP SA established

8. "remote2company__vpn_1" 90.30.10.20 #2: cannot respond to IPsec SA request because no connection is known for

192.168.100.0/26===70.35.15.25...90.30.10.20

9. "remote2company__vpn_1" 90.30.10.20 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message

ID 0xb27e6dbb (perhaps this is a duplicated packet)

A few questions to the above:

Line 1: Is it ok that it ignores the Vendor ID?

Line 2:

Line 2: I guess unknown peer 90.30.10.20 is ok - since it is later "recognized" in line 4, correct?

Line 5: Issuer CRL not found. Is this the problem? And how do I correct it?

Line 7: What does this sent MR3? ISAKMP SA established - doesn't this at least indicate that something is working correctly?

Line 8: I've read about problems with 192.168.... subnets - are they still present? And how do I solve it?

*****************************
Setup on Sentinel:
*****************************

Security gateway: Public IP of company = external interface of Astaro firewall.

Remote network: Network on which internal interface of Astaro firewall is connected.

Auth. key: company certificate.

Proposal Parameters:

IKE proposal:
Encrypt. alg: 3des
Integrity function: MD5
IKE mode: main mode
IKE group: MODP 1024 ( group 2 )

IPSec proposal:
Encrypt alg: 3des
Integrity function: HMAC-md5
IPSec mode: tunnel (not selectable)
PFS group: MODP 1024 ( group 2)

*****************************
Setup on Astaro
*****************************

IPSec VPN connection:
Name: remote2company
Type: RoadWarrior
IPSec Policy: 3DES_PFS_COMP
Tunnel Endpoints: eth1
Remote Endpoint: Any
Subnet Definition (optional)
Remote Sunet: None
Authentication of remote station(s) -> Keys (the key I saved to disk and imported to client).

Connection is activated.

I used X.509 keys - all generated on ASL 3.2. I followed (or tried to follow) the host to net - static document from

http://docs.astaro.org

Hints, suggestions etc are very welcomed!

Thanks in advance,

Michael

This thread was automatically locked due to age.

Parents

0 Rayzor over 23 years ago

Some questions

"Company FW: 70.35.15.25 (public IP - but not the real one)
Roadwarrior: 90.30.10.20 (public IP - i.e. no NAT'ing - not the real address)."

Are these Static from you ISP or dynamically assigned from the ISP....if the roadwarrior is dynamic you should reference to
http://docs.astaro.org/docs_v3/vpn/X509_Host_to_Net_Dynamic.pdf

"Auth. key: company certificate"

This should be the remote or client certificate.... not company......also did you set up a local certificate??? when you create your CSR's you should create 2. company firewall certificate and remote client certificate company gets set up on your astaro local certificate....client gets exported to SSH

Subnet Definition (optional)

this is not optional this has to be the internal network of the firewall

Hope this helps

Rayzor
Cancel
Vote Up 0 Vote Down

Cancel
0 Michael Jenner over 23 years ago in reply to Rayzor

Originally posted by Rayzor:
Some questions

"Company FW: 70.35.15.25 (public IP - but not the real one)
Roadwarrior: 90.30.10.20 (public IP - i.e. no NAT'ing - not the real address)."

Are these Static from you ISP or dynamically assigned from the ISP....if the roadwarrior is dynamic you should reference to
http://docs.astaro.org/docs_v3/vpn/X509_Host_to_Net_Dynamic.pdf

They are static.

"Auth. key: company certificate"

This should be the remote or client certificate.... not company......also did you set up a local certificate??? when you create your CSR's you should create 2. company firewall certificate and remote client certificate company gets set up on your astaro local certificate....client gets exported to SSH

Yes, I'm using a bad word here What I meant by company certificate is actually company signed certificate. I did generate two certificates, one is used in Astaro as local certificate and the other was saved to file and imported into Sentinel.

Subnet Definition (optional)

this is not optional this has to be the internal network of the firewall

Ok.

Hope this helps

Rayzor

Thanks, but I'm still having the same problem.

Do I need to setup additional stuff in Astaro to get this working? A route? A packet filter?

Michael
Cancel
Vote Up 0 Vote Down

Cancel
0 LoosInt over 23 years ago in reply to Michael Jenner

Hello,

i had the same Problem with a Laptop which had installed 2 PCMCIA-Cards.
A LAN-Nic and a Modem/ISDN-Card.
Any IPSEC-Connection through the Modem/ISDN-Card failed.

I solved the Problem by deassigning the IP-Address of the LAN-Nic.

Hope this helps.

[:)]s
Thomas
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 LoosInt over 23 years ago in reply to Michael Jenner

Hello,

i had the same Problem with a Laptop which had installed 2 PCMCIA-Cards.
A LAN-Nic and a Modem/ISDN-Card.
Any IPSEC-Connection through the Modem/ISDN-Card failed.

I solved the Problem by deassigning the IP-Address of the LAN-Nic.

Hope this helps.

[:)]s
Thomas
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Michael Jenner over 23 years ago in reply to LoosInt

Thanks for the input. It could have been the problem - but it wasn't.

I did a few experiments including running SSH Sentinel from a stationary with no modem - only a NIC ... all without luck. I'm still stuck.

Now, I expect the problem to be at the server - since I can ping it, and it seems to pick up packages on port 500.

Could someone please post a (detailed) log on how IPSec is supposed to work on the server (remember to remove sensitive information, e.g. IP addresses etc).

Thanks in advance,

Michael

Originally posted by LoosInt:
Hello,

i had the same Problem with a Laptop which had installed 2 PCMCIA-Cards.
A LAN-Nic and a Modem/ISDN-Card.
Any IPSEC-Connection through the Modem/ISDN-Card failed.

I solved the Problem by deassigning the IP-Address of the LAN-Nic.

Hope this helps.

[:)]s
Thomas
Cancel
Vote Up 0 Vote Down

Cancel
0 terrmite over 23 years ago in reply to Michael Jenner

Thanks! That was the way for me :-)

Originally posted by LoosInt:

Hello,

i had the same Problem with a Laptop which had installed 2 PCMCIA-Cards.
A LAN-Nic and a Modem/ISDN-Card.
Any IPSEC-Connection through the Modem/ISDN-Card failed.

I solved the Problem by deassigning the IP-Address of the LAN-Nic.

Hope this helps.

[:)]s
Thomas
Cancel
Vote Up 0 Vote Down

Cancel
0 Jesus Picornell Alsina over 23 years ago in reply to terrmite

I have the same problem. Have you solved it?

Thank you.
Cancel
Vote Up 0 Vote Down

Cancel
0 JensM over 23 years ago in reply to Jesus Picornell Alsina

Hi,

ignoring informational payload is not an issue.

Issuer CRL not found only means that there is no Certificate Revocation List, which is not an issue as long as you have not revoked any certificates.

Your problem is here:
8. "remote2company__vpn_1" 90.30.10.20 #2: cannot respond to IPsec SA request because no connection is known for

192.168.100.0/26===70.35.15.25...90.30.10.20

So you should check your IPSEC connections on the Astaro FW for IPSEC would let you in, but there is no connection defined for your connection request.

As already mentioned LAN-Cards may be a pain, if you want to use a dial-up connection and the LAN card still has got an IP. You will get that an error similar to the one mentioned above, so I suggest that you check that.

Kind regards,

Jens
Cancel
Vote Up 0 Vote Down

Cancel
0 Jerry Allen over 23 years ago in reply to JensM

192.168.100.0/26===70.35.15.25...90.30.10.20

should be

LEFT-IP...LEFT-publicIP===RIGHT-public-IP...RIGHT-IP

I had this problem and it was an error in the configuration of the IPSEC Configurations.
I had to edit the files manually to fix it. ASL picked up a subnet mask that was wrong from somewhere and would not allow it to be changed.

What are you VPNing with/to?
Cancel
Vote Up 0 Vote Down

Cancel
0 oliver.desch over 23 years ago in reply to Jerry Allen

Hi,

check all network settings, such as 192.168.100.0/26 -
do you really use 26 as bit mask, most common is 24 ;-)

read you
o|iver
Cancel
Vote Up 0 Vote Down

Cancel
0 Peter Dissing over 22 years ago in reply to oliver.desch

What are you VPNing with/to?
A client with a static IP on a DSL-connection

Hi,

check all network settings, such as 192.168.100.0/26 -
do you really use 26 as bit mask, most common is 24 ;-)

read you
o|iver
You are right about the /26. We are using /24.

Still not working.

On www.doc.astaro.org there are no HowTo for VPN static to Static - or am I wrong here ?

Regards Peter & Michael
Cancel
Vote Up 0 Vote Down

Cancel
0 norwich over 22 years ago in reply to Peter Dissing

Just a thought...

Is the public NIC IP address that presented to the outside world? We have a similar problem here where our ISP has assigned us an IP address for the external interface but out 'public' IP address is different - they are translating IP addresses as traffic id routed through thier kit which screws up IPSEC.
Cancel
Vote Up 0 Vote Down

Cancel
0 Michael Jenner over 22 years ago in reply to norwich

Originally posted by Jerry Allen:
192.168.100.0/26===70.35.15.25...90.30.10.20

should be

LEFT-IP...LEFT-publicIP===RIGHT-public-IP...RIGHT-IP

I had this problem and it was an error in the configuration of the IPSEC Configurations.
I had to edit the files manually to fix it. ASL picked up a subnet mask that was wrong from somewhere and would not allow it to be changed.

What are you VPNing with/to?
It seems there is still a bug in Astaro. Could you detail what files you edited, and what I need to modify?

Thanks in advance,

Michael
Cancel
Vote Up 0 Vote Down

Cancel
0 Michael Jenner over 22 years ago in reply to Michael Jenner

Originally posted by norwich:
Just a thought...

Is the public NIC IP address that presented to the outside world? We have a similar problem here where our ISP has assigned us an IP address for the external interface but out 'public' IP address is different - they are translating IP addresses as traffic id routed through thier kit which screws up IPSEC.
The IP address they assigned us is outside the RFC1597 specified addresses:

10.0.0.0 -> 10.255.255.255
172.16.0.0 -> 172.31.255.255
192.168.0.0 -> 192.168.255.255

But I guess that isn't a proof. Any suggestions on how I do a better test of that?

Thanks,

Michael
Cancel
Vote Up 0 Vote Down

Cancel