This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Ipsec ; no answer

Im trying to set up a VPN between an Astaro server and a windows (2000) client with SSH Sentinel.
I have done the whole guide from the docs.astaro.org site. When I try to connect (diagnostic for instance) I will get an error like this:

" Cannot run the diagnostics, The remote end does not respond to the IKE proposal (phase-1)./ Make sure that your filter rules bypass the IKE data packets. Also, verify that the remote end runs IPSec/IKE, and that it is not temporarily offline or unreachable due to network configuration."

I have tried several things such as open all the udp and tcp ports (set al the options in de packet traffic rules to allow "any" ) But this doesn't seems to work.

What is the best thing I can try now?

This thread was automatically locked due to age.

Parents

0 biapar over 22 years ago

I have the same problem!!!!
Cancel
Vote Up 0 Vote Down

Cancel
0 schraube over 22 years ago in reply to biapar

have the same problem. already tried w/ PSK und x.509 nothing works - always the same error as above - pls help !!!!
Cancel
Vote Up 0 Vote Down

Cancel
0 schraube over 22 years ago in reply to oliver.desch

in the vpn/howto "host to net" are both certs explained - one for the remote user and one for the firewall. actualy the cert for the firewall is the local x.509 certificate !

anyway - still problem using ssh sentinel (diagnostic) !!! phase-1 error !!!!

any other idea ?
Cancel
Vote Up 0 Vote Down

Cancel
0 biapar over 22 years ago in reply to schraube

I have the same problem of schraube [:(]th SSH.
I have read doc of setup vpn with X509, RSA and PPTP .pdf file! [:S]
Cancel
Vote Up 0 Vote Down

Cancel
0 oliver.desch over 22 years ago in reply to biapar

are you behind NAT?
Cancel
Vote Up 0 Vote Down

Cancel
0 schraube over 22 years ago in reply to oliver.desch

yes , i'm hehind NAT (zyxel wlan router)
is there any trick to use ssh sentinel softeare w/ ipsec (PSK or x.509) behind a NAT device ?

and if it's possible - what i have to configure ?

thnx4relay
Cancel
Vote Up 0 Vote Down

Cancel
0 grimmyreaper over 22 years ago in reply to schraube

so, many people have the same problem as I do, but when I read some howto's, they say that this is it, it has to work now but it don't, it sux
Cancel
Vote Up 0 Vote Down

Cancel
0 biapar over 22 years ago in reply to grimmyreaper

With ASL 2.0 and NAT PPTP and X509 worked, but now with 3.2 and NAT on don't work...
Cancel
Vote Up 0 Vote Down

Cancel
0 Rayzor over 22 years ago in reply to biapar

Hello all:

If your client machine is behind a Nat device....IPsec will not work.....the document on the web site states very clearly in the second paragraph

(***Note*** - This document is for a remote user connected directly to an ISP
network. If your remote user is behind a NAT device, this setup will not work.)

You will only be beating a dead horse if you are trying to use IPSec behind a NAT device.....

You can however use PPTP behind your Nat device...this will work just fine......and is the technology I use...and is very stable

Hope this helps

Rayzor
Cancel
Vote Up 0 Vote Down

Cancel
0 biapar over 22 years ago in reply to Rayzor

But PPTP don't work ,also.
Give us an example how you have setup PPTP, please [:S]
Cancel
Vote Up 0 Vote Down

Cancel
0 Rayzor over 22 years ago in reply to biapar

grimmyreaper

below is the Doc I wrote for PPTP connection....any other questions....just Ask

http://docs.astaro.org/docs_v3/vpn/PPTP_Road_Warrior.pdf

Hope this helps

Rayzor
Cancel
Vote Up 0 Vote Down

Cancel
0 oliver.desch over 22 years ago in reply to JensM

Hello again,

in version 2 you were lucky if you could run an
IPSEC or PPTP session - and only if ASL was connected
directly with a public IP adress.

Many vendors claim IPSEC NAT Traversal for their
products, but if you have a closer look at IPSEC
you'd find out that there is an IPSEC proposal
mismatch - the remote tunnel endpoint is different from
the real one.

We evaluate the possibility to encapsulate IPSEC
packets into UDP - this would solve the NAT problem.

Be keen on coming versions [;)]

read you
o|iver
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 oliver.desch over 22 years ago in reply to JensM

Hello again,

in version 2 you were lucky if you could run an
IPSEC or PPTP session - and only if ASL was connected
directly with a public IP adress.

Many vendors claim IPSEC NAT Traversal for their
products, but if you have a closer look at IPSEC
you'd find out that there is an IPSEC proposal
mismatch - the remote tunnel endpoint is different from
the real one.

We evaluate the possibility to encapsulate IPSEC
packets into UDP - this would solve the NAT problem.

Be keen on coming versions [;)]

read you
o|iver
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 grimphyre over 22 years ago in reply to oliver.desch

I really hope that NAT-travelsal problems will be solved in near future. As you know you need to pay extra to get that 'real' public ip-addr from ISP - at least here in Finland. I remember the times when my old ISP gave me static-ip from their pool+dns with 5 EUR - and I only had to pay that once. Unfortunately nowadays you must pay that 5-10 EUR extra per month to get same service - and still you are behind NAT with but with static mapping.
Cancel
Vote Up 0 Vote Down

Cancel