Trying to establish a point-to-point from home UTM 9 to the office UTM 9 using Frontier fiber connection. Frontier provides the cable modem that has a firewall built in that cannot be changed to bridge mode. So, put the home UTM in the cable modems DMZ and assign is a static internal IP. (192.168.1.X) So far, everything seems to work ok with the double NAT, including SSL VPN connection from my home workstations to the office firewall. So I am attempting the following; [LIST=1] setup office UTM (it has a static public IP) with Site-to-site SSLVPN assign it a higher port number (Ex:19443) on Frontier firewall / modem made certain the same port forwarded (19443) download the SSLVPN client info from the office UTM upload the .acp config file to home UTM newly create SSLVPN "Client" connection enable connection buttons on both firewalls [/LIST] The error I am getting under the home UTM live log is; Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA [fp.bnssite.com] Peer Connection Initiated with [AF_INET]office public ip:19443 (via [AF_INET]192.168.1.254:50999) SENT CONTROL [fp.bnssite.com]: 'PUSH_REQUEST' (status=1) AUTH: Received control message: AUTH_FAILED PLUGIN_CLOSE: /usr/lib/openvpn/plugins/openvpn-plugin-utm.so SIGHUP[soft,auth-failure] received, process restarting OpenVPN 2.3.0 i686-suse-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun 23 2014 Restart pause, 10 second(s) PLUGIN_CLOSE: /usr/lib/openvpn/plugins/openvpn-plugin-utm.so SIGTERM[hard,init_instance] received, process exiting OpenVPN 2.3.0 i686-suse-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun 23 2014 MANAGEMENT: client_uid=0 MANAGEMENT: client_gid=0 MANAGEMENT: unix domain socket listening on /var/run/openvpn_mgmt_REF_SslCliTofpcolo WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page). NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables PLUGIN_INIT: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so '[/usr/lib/openvpn/plugins/openvpn-plugin-utm.so] [REF_SslCliTofpcolo]' intercepted=PLUGIN_UP|PLUGIN_DOWN|PLUGIN_ROUTE_UP|PLUGIN_ROUTE_PREDOWN Socket Buffers: R=[87380->131072] S=[16384->131072] Attempting to establish TCP connection with [AF_INET]public ip:19443 [nonblock] MANAGEMENT: Client connected from /var/run/openvpn_mgmt_REF_SslCliTofpcolo bnsbase openvpn[22672]: MANAGEMENT: CMD 'state' TCP: connect to [AF_INET]public ip:19443 failed, will try again in 5 seconds: Connection timed out MANAGEMENT: Client disconnected Is this because the Site-to-Site SSLVPN require a public (non double nat) IP to work ? If so, why does the SSLVPN client work fine on my workstations ? Thanks in advance for any insight provided

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Site to Site SSL VPN Setup with Frontier

Trying to establish a point-to-point from home UTM 9 to the office UTM 9 using Frontier fiber connection. Frontier provides the cable modem that has a firewall built in that cannot be changed to bridge mode. So, put the home UTM in the cable modems DMZ and assign is a static internal IP. (192.168.1.X) So far, everything seems to work ok with the double NAT, including SSL VPN connection from my home workstations to the office firewall. So I am attempting the following;

[LIST=1]

setup office UTM (it has a static public IP) with Site-to-site SSLVPN
assign it a higher port number (Ex:19443)
on Frontier firewall / modem made certain the same port forwarded (19443)
download the SSLVPN client info from the office UTM
upload the .acp config file to home UTM newly create SSLVPN "Client" connection
enable connection buttons on both firewalls

[/LIST]

The error I am getting under the home UTM live log is;

Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
[fp.bnssite.com] Peer Connection Initiated with [AF_INET]office public ip:19443 (via [AF_INET]192.168.1.254:50999)
SENT CONTROL [fp.bnssite.com]: 'PUSH_REQUEST' (status=1)
AUTH: Received control message: AUTH_FAILED
PLUGIN_CLOSE: /usr/lib/openvpn/plugins/openvpn-plugin-utm.so
SIGHUP[soft,auth-failure] received, process restarting
OpenVPN 2.3.0 i686-suse-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun 23 2014
Restart pause, 10 second(s)
PLUGIN_CLOSE: /usr/lib/openvpn/plugins/openvpn-plugin-utm.so
SIGTERM[hard,init_instance] received, process exiting
OpenVPN 2.3.0 i686-suse-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun 23 2014
MANAGEMENT: client_uid=0
MANAGEMENT: client_gid=0
MANAGEMENT: unix domain socket listening on /var/run/openvpn_mgmt_REF_SslCliTofpcolo
WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
PLUGIN_INIT: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so '[/usr/lib/openvpn/plugins/openvpn-plugin-utm.so] [REF_SslCliTofpcolo]' intercepted=PLUGIN_UP|PLUGIN_DOWN|PLUGIN_ROUTE_UP|PLUGIN_ROUTE_PREDOWN
Socket Buffers: R=[87380->131072] S=[16384->131072]
Attempting to establish TCP connection with [AF_INET]public ip:19443 [nonblock]
MANAGEMENT: Client connected from /var/run/openvpn_mgmt_REF_SslCliTofpcolo
bnsbase openvpn[22672]: MANAGEMENT: CMD 'state'
TCP: connect to [AF_INET]public ip:19443 failed, will try again in 5 seconds: Connection timed out
MANAGEMENT: Client disconnected

Is this because the Site-to-Site SSLVPN require a public (non double nat) IP to work ? If so, why does the SSLVPN client work fine on my workstations ?

Thanks in advance for any insight provided

This thread was automatically locked due to age.

0 rrosson over 10 years ago

When you say client can you explain.

Since your office UTM is acting as a server and you setup your home UTM connection under Site-2-Site SSL VPN on the office UTM. This should be as simple as downloading the configuration from your office UTM and uploading it to your Home UTM.

Can you provide some sanitized screenshots of your Office UTM and Home UTM?
Cancel
Vote Up 0 Vote Down

Cancel
0 GSD over 10 years ago

Ahhh sorry for the confusion regarding SSLVPN Client.

When I setup the relationship between UTM Home & UTM office; correct I setup the UTM office as the server in that relationship. I download "client" info from the Office UTM which is uploaded to home UTM. ( That's the part that is getting the above error when trying to connect)

The SSLVPN client I was referring to was a few workstations behind the home UTM have the remote access SSLVPN client from the office UTM installed directly on them, and they work just fine. ( the double nat'ting, does not seem to effect the a "workstation to office" UTM SSLVPN setup)
Cancel
Vote Up 0 Vote Down

Cancel