This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Open port for IKE Phase-2??

Hello,

I have SSH Sentinel 1.4 which has been working as a client to an Astaro 3.2.16 VPN. This configuration has worked via dialup/ISP, hotel room broadband (PSTN, etc) and ethernet to internet connections.

I have just installed a Linksys WRT54G router with NAT at home and cannot get the VPN to connect. Each time the process fails at IKE Phase-2. Phase-1 will complete fine as long as I have the IPSEC/VPN-Passthru mode on the Linksys enabled, its just that IKE Phase-2 fails after IKE Phase-1 passes.

I tried opening port 500/udp and port forwarding it to port 500/udp of the machine running the Sentinel client. Opening and forwarding port 500 didn't work either.

Can anyone tellme if there is a port that I need to open up or something else I can do to get Sentinel to ASL to work across the Linksys router?

So far all of the suggestions Linksys gave has not worked.

Thanks,

Jeff

This thread was automatically locked due to age.

Parents

0 jader_01 over 22 years ago

Originally posted by ElJefe:
Hello,

[...]

Can anyone tellme if there is a port that I need to open up or something else I can do to get Sentinel to ASL to work across the Linksys router?
Yes,

Phase 2 (Quickmode) in IPSec is IP-Protocol 50 (ESP, encapsulated security payload). This is not a TCP/UDP-Port, don't open TCP/UDP 50!

You have to define ESP (IP 50) with SPI of 256:4294967295 and create a rule to allow ESP.

Erik
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 jader_01 over 22 years ago

Originally posted by ElJefe:
Hello,

[...]

Can anyone tellme if there is a port that I need to open up or something else I can do to get Sentinel to ASL to work across the Linksys router?
Yes,

Phase 2 (Quickmode) in IPSec is IP-Protocol 50 (ESP, encapsulated security payload). This is not a TCP/UDP-Port, don't open TCP/UDP 50!

You have to define ESP (IP 50) with SPI of 256:4294967295 and create a rule to allow ESP.

Erik
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 ElJefe over 22 years ago in reply to jader_01

Erik,

Thanks for the reply. I am afraid I did not understand anything after "You have to define ESP (IP 50)".

Define where? In the Linksys router? I have not seen a place to make definitions like that. I can do port forwarding, and reactive ports (if outbound port X then open inbound port Y). I also tried DMZ mode which placed the laptop/sentinel client on the outside of the NAT/firewall and IKE Phase-2 failed as well. I took the same laptop and dialed an ISP over a modem and Sentinel connected to the ASL right away.

Thanks,

Jeff
Cancel
Vote Up 0 Vote Down

Cancel
0 futziz over 22 years ago in reply to ElJefe

[:S]

Same here Erik, i use a Linksys BEFVP41 1.40.4 dsl router and ssh 1.4 asl 3.216.

I do  have the same problems.Phase-2 not working.... anybody knows about that issue...???

HELP    [:S]
Cancel
Vote Up 0 Vote Down

Cancel
0 Andreas Steffen over 22 years ago in reply to futziz

Since you are now behind a NAT-box, the inner IP address assigned to your Sentinel client will be different from the outer tunnel address belonging to the Linksys box. Therefore you must configure in the Astaro Security gateway a subnet x.x.x.x/32 behind the roadwarrior which corresponds to the inner IP.

Regards

Andreas
Cancel
Vote Up 0 Vote Down

Cancel
0 futziz over 22 years ago in reply to Andreas Steffen

Thanks for the reply,

I'm not sure to understand what you mean. Do i need to create a new network in ASL with xxx.xxx.xxx.xxx/32 that match my lan behind the Linksys ??

And then create a rule...to allow it ??

Read you,
Cancel
Vote Up 0 Vote Down

Cancel
0 futziz over 22 years ago in reply to futziz

Do i need to change the type of vpn connectoin roadwarriror to standard.. it's the only way i can add a subnet... i'm right here ... ??

[:S]
Cancel
Vote Up 0 Vote Down

Cancel
0 Andreas Steffen over 22 years ago in reply to futziz

I'm not familiar with the Astaro GUI. I'm one of the FreeS/WAN developers. In vanilla FreeS/WAN you would have to define in ipsec.conf:

right=%any # roadwarrior (i.e.Linksys) with unknown IP
rightsubnet=x.x.x.x/32 # Sentinel host behind the Linksys

Regards

Andreas
Cancel
Vote Up 0 Vote Down

Cancel
0 futziz over 22 years ago in reply to Andreas Steffen

Ok Guys,

Just spoke to ASL tech. The problem is caused by FreeS/Wan. ASL Version 3 doesn't support UDP
encapsulation/NAT-T. It will be fixed in ASL 4.00

Read ya !
[;)]
Cancel
Vote Up 0 Vote Down

Cancel
0 oliver.desch over 22 years ago in reply to futziz

won't be fixed - it is a new feature

read you
o|iver
Cancel
Vote Up 0 Vote Down

Cancel
0 ElJefe over 22 years ago in reply to oliver.desch

Any idea when ASL v4 will appear? If it is a free upgrade from licensed ASL v3.2xx users?

Jeff
Cancel
Vote Up 0 Vote Down

Cancel
0 futziz over 22 years ago in reply to ElJefe

Take a look at ASL ftp site....
Cancel
Vote Up 0 Vote Down

Cancel