This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Help with SSH Sentinel needed.

I am trying to VPN to ASL 4.007
I have created a Roadwarrior VPN connection in ASL IPSEC VPN connections.

I am using a certificate and have followed the instructions in the PDF file on this.

I think I am having the virtual IP issue, IKE Phase 1 goes OK, but it fails on IKE Phase 2.

How do you get this working ? Do I have to specify a virtual IP in the certificate ? Can I manually assign an IP on the SSH Sentinel client ? (Have tried but didnt seem to work).

Can we use DHCP ? If so, some tips would be nice.

The exact error is....

The remote end cannot find suitable IPSEC proposal (phase-2) parameters. Verify the IPSEC proposal parameters.

This thread was automatically locked due to age.

Parents

0 oliver.desch over 22 years ago

Simon,

you have to assign an address to the remote key (certificate) but from a different range
than your local network since ASL doesn't ProxyARP for connected IPSEC clients.
Enable NAT-T.
On the Sentinel side you have to checkmark 'Aquire virtual IP' and to manually specify
the IP address and netmask as well as your DNS servers. Please note that you should use
a netmask not a hostmask. Additionally you have to enable 'Pass NAT devices using' and NAT-T
under the advanced options.

read you
o|iver
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 oliver.desch over 22 years ago

Simon,

you have to assign an address to the remote key (certificate) but from a different range
than your local network since ASL doesn't ProxyARP for connected IPSEC clients.
Enable NAT-T.
On the Sentinel side you have to checkmark 'Aquire virtual IP' and to manually specify
the IP address and netmask as well as your DNS servers. Please note that you should use
a netmask not a hostmask. Additionally you have to enable 'Pass NAT devices using' and NAT-T
under the advanced options.

read you
o|iver
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Simon Shaw over 22 years ago in reply to oliver.desch

Fastest reply ever ! [:)] local net.
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon Shaw over 22 years ago in reply to Simon Shaw

Well, I established a connection.

But how do I access the local LAN at the remote site ?

I cant seem to ping anything at the ASL end. Or from ASL to the SSH Sentinel client...
Cancel
Vote Up 0 Vote Down

Cancel
0 oliver.desch over 22 years ago in reply to Simon Shaw

Sentinel is supposed to connect roadwarriors/hosts.
It cannot act as an IPSEC gateway

read you
o|iver
Cancel
Vote Up 0 Vote Down

Cancel
0 tony_01 over 22 years ago in reply to oliver.desch

Simon,

I though you said before that this was working just fine for you? What changed?

Anyway i have the exact same problem...

I never get a default gateway from the connection only a dhcp server.

Regards, Tony
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon Shaw over 22 years ago in reply to tony_01

I thought SSH Sentinel allowed people on the road to access their LAN machines ?

I have a connection up to a subnet I created on ASL 4.006
(The network I created is 192.168.200.X)
My local LAN on the ASL side is 192.168.2.X

The SSH Sentinel client has an IP set of 192.168.200.100

How can I access the machines on the 192.168.2.X net ?
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon Shaw over 22 years ago in reply to oliver.desch

Oliver.

Not sure I understand you.

SSH Sentinel is designed to let someone connect via IPSEC to work remotely yes ?

ie, say I want to access a network drive on my LAN. I use SSH Sentinel to connect to ASL and hence my LAN no ? Isn't this an IPSEC gateway ??
Cancel
Vote Up 0 Vote Down

Cancel
0 oliver.desch over 22 years ago in reply to Simon Shaw

O.K. think that was a misunderstanding, if the tunnel is up (right click on the Sentinel Icon -> select VPN)
you'd need packet filters to allow access. The auto packet filter option doesn't work properly in the current
version, so define your client addresses in DEFINITIONS/NETWORK, please don't use the same name than
used for the remote key, and set according filters.

read you
o|iver
Cancel
Vote Up 0 Vote Down

Cancel