Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 7 replies
  • Subscribers 1 subscriber
  • Views 820 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ipsec vpn problems, astaro stops responding

cpm
can't sort this one out, been dogging me for a couple of years. Longer maybe.

I'll get a ticket 'Can't connect to vpn' from my remote access users.
I go in, and turn off ipsec vpn, then turn it back on again. Then it's good
for a few days, a week, maybe longer, until it isn't again.

As more and more folks start using remote access, this becomes more and more
of a problem.

Currently running 6.314, but it's been a problem for a long time.

client side, OSX ipsec l2tp on versions 10.2,10.3,10.4,10.5 and windows XP SP2/SP3

that I can't easily determine who is logged in to the vpn is a headache,
that I can't easily determine the vpn access history is a headache.

Clues?


This thread was automatically locked due to age.
  • 0
    I'd seriously consider upgrading to Version 7; there have been significant changes and improvements to all modules, including the VPN modules.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0
    You might evaluate the Astaro Report Manager for your history questions.  In V7, you can determine who is logged in very easily: just touch the 'Remote Access' bar.

    I suspect that the VPN problem is in the clients.  The next time you get a ticket, run an experiment yourself to see if you can connect.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    Bruce;
    I'd love to upgrade to 7, however, as you know, the jump from 6 to 7 isn't exactly trivial. I'm running a 320, am routing 7 subnets, have 3 uplinks and 3 dmzs, 50+ l2tp ipsec users, and many hundreds of rules. Upgrading will pretty resemble a tear down and rebuild. Gonna be a long weekend for that one. A weekend that no one has any work to do. Since I'm the 'lone sysadmin' I'm not looking forward to it. 

    BAlfson;
    I too suspect client issues. However, as stated in the initial post, I'm using the native l2tp ipsec client on XP SP2/3 and OS X 10.2,.3,.4 and .5. 
    I think it might have more to do with client user behavior. 

    When the link goes wonky, NO ONE can get in until the ipsec service is stopped and restarted. And anyone who had a link up at the time will lose it.
  • 0
    At this stage, I would normally write a kludgy cron job to restart the ipsec service a couple of times a day. However, I'm reluctant to mess with the astaro internals.
  • 0 in reply to cpm
    I've never heard of this before.  Are you using a PSK or a certificate for authentication?

    Bruce always knows what he's talking about, so I'd follow his suggestion and get up to 7.306 or 7.401.  After that, if you're still having the problem, you should open a support ticket with Astaro.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0
    I'm using PSK. 

    I've no doubt that Bruce knows what he's talking about.
    However, it's a non-trivial task.
  • 0 in reply to cpm
    I would definitely be ready to reimage and go back to V6.314, but I think you can avoid making a weekend of it.  If you aren't quarantining email, then it should be really pretty straightforward to reimage with 7.4, import the 6.314 backup and set up the L2TP over IPSec.  What else on the upgrade checklist do you see that you will need to tickle after moving to V7?
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Cookie Information Banner