IPsec tunnel between NethServer and Vodafone Station

NethServer Version: NethServer release 7.2.1511 (rc2)
Module: Tunnel IPsec

Hello everyone! I’d like to thank you for this amazing product!
I’ve got a problem creating an IPsec tunnel between a NethServer and a Vodafone Station.
My settings are these:

NethServer
Local IP: ppp0 - PPPoE
Local subnets: 192.168.20.0/24
Local identifier: @mamma.local
Remote IP: %any
Remote subnets: 192.168.0.0/24
Remote identifier: @vodafone
Enable PFS
Phase 1 (IKE): Auto
Phase 2 (ESP): Auto

Vodafone station:
Remote IP: my no-ip host
Remote subnets: 192.168.20.0/24
Remote identifier: @vodafone

Unfortunately on the Vodafone Station there are not a lot of settings.

Now the NethServer log shows this:

Nov 21 10:01:10 qwall pluto[17139]: packet from vodafone station ip:500: received Vendor ID payload [Dead Peer Detection]
Nov 21 10:01:10 qwall pluto[17139]: packet from vodafone station ip:500: received Vendor ID payload [RFC 3947]
Nov 21 10:01:10 qwall pluto[17139]: packet from vodafone station ip:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Nov 21 10:01:10 qwall pluto[17139]: packet from vodafone station ip:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Nov 21 10:01:10 qwall pluto[17139]: packet from vodafone station ip:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Nov 21 10:01:10 qwall pluto[17139]: packet from vodafone station ip:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Nov 21 10:01:10 qwall pluto[17139]: packet from vodafone station ip:500: initial Main Mode message received on 95.233.3.213:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW

I’ve searched for PSK+IKEV1_ALLOW without luck. Any idea? Thanks.


The solution is this:
Vodafone station:

Remote IP: your remote ip or ddns
Remote subnets: your remote subnet, in my case 192.168.20.0
Remote netmask: your remote netmask, in my case 255.255.255.0
Shared secret: your shared secret

NethServer:

Name: any name to identify your connection
Pre-Shared Key: your shared secret
Local IP: your external ip
Local subnets: your local subnet WITH netmask, in my case 192.168.20.0/24
Local identifier: your EXTERNAL IP
Remote IP: the external ip of the vodafone station or %any if you have a dynamic IP
Remote subnets: your remote subnets with netmask, in my case 192.168.0.0/24
Remote identifier: the vodafone station EXTERNAL ip
Enable PFS
Phase 1 (IKE): Auto
Phase 2 (ESP): Auto

I’m sorry to bring this topic up again; is there someone who at least knows how to deal with the

packet from vodafone station ip:500: initial Main Mode message received on 95.233.3.213:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW

error? Thanks

@prostream succeeded with IPsec and a FRITZ!Box which showed similar messages, not sure it will help you with the Vodafone Station.

thank you

@Cloud21 did you try to disable the PFS flag in NethServer?

That said, the fact is that we need to know the IKE and ESP parameters of the Vodafone Station in order to recreate the same settings in NethServer, but it seems quite difficult to find these parameters.

I also found a document that shows how to make an IPsec VPN between a Vodafone Station and a TP-Link device (in Italian):

If anybody knows the default IKE and ESP values on TP-Link this could help.

2 Likes

Thank you @davide_marini , but as you point out the TP-Link has “auto” as key exchange method.
Yes I tried disabling PFS but it’s no use, same error.

My error was in the NethServer configuration, I didn’t specify the network mask (/24) in the remote network… My bad :sweat_smile:
But now I’ve got this error:

sending encrypted notification INVALID_ID_INFORMATION to vodafone station ip:500

This seems to be a problem related to the local and remote IDs of the IPsec configuration.
Because the Vodafone Station doesn’t allow you to specify the IDs, I assume that it’s using public IPs as identifiers.
So, if your NethServer has a public IP on the red interface you can set the local and remote ID this way:

local ID: public IP address of NethServer
remote ID: public IP address of the Vodafone Station

4 Likes
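A small checker, added here as an example and not part of this thread or of NethServer, that applies the two lessons from the posts above (subnets need a netmask, identifiers must be what the peer actually presents, i.e. a public IP or an @fqdn) to a tunnel definition and to the pluto lines quoted in the thread. The field names, the hint texts and the 5.6.7.8 address are assumptions made for this example.

```python
import ipaddress
import re
# Hypothetical mapping from the pluto messages quoted in this thread to the
# misconfiguration each turned out to indicate (written for this example).
LOG_HINTS = (
    (re.compile(r"no connection\s*has been authorized"),
     "no tunnel matched the peer: check Remote IP (or %any), subnets with netmask, PSK"),
    (re.compile(r"INVALID_ID_INFORMATION"),
     "identifier mismatch: IDs must equal what each peer presents (public IP or @fqdn)"),
)
def classify_log(line):
    """Return the hint for a pluto log line, or None when it is not an error we know."""
    for pattern, hint in LOG_HINTS:
        if pattern.search(line):
            return hint
    return None

def check_identifier(label, value):
    """An ID must be an @fqdn (sent literally, never resolved) or a public IPv4 address."""
    if value.startswith("@"):
        return [] if re.fullmatch(r"@[A-Za-z0-9.-]+", value) else [f"{label}: malformed @fqdn {value!r}"]
    try:
        addr = ipaddress.IPv4Address(value)
    except ValueError:
        return [f"{label}: use a public IP or @fqdn, got {value!r}"]
    return [] if addr.is_global else [f"{label}: {value} is not a public address"]

def check_tunnel(cfg):
    """Return the problems found in a NethServer-style tunnel definition (empty if fine)."""
    problems = []
    for key in ("local_subnets", "remote_subnets"):
        for net in cfg[key]:
            try:
                if "/" not in net:
                    raise ValueError("no netmask")
                ipaddress.IPv4Network(net)
            except ValueError as exc:
                problems.append(f"{key}: {net} rejected ({exc}); write it in CIDR form")
    problems += check_identifier("local_id", cfg["local_id"])
    problems += check_identifier("remote_id", cfg["remote_id"])
    # A fixed peer address together with an IP-type ID: the two must agree.
    if cfg["remote_ip"] != "%any" and not cfg["remote_id"].startswith("@") and cfg["remote_id"] != cfg["remote_ip"]:
        problems.append("remote_id should equal remote_ip when an address is used as identifier")
    return problems
# Constructed samples: the thread's first attempt (remote subnet without a mask) and a working IP-based variant (5.6.7.8 is a placeholder).
FIRST_ATTEMPT = {"local_subnets": ["192.168.20.0/24"], "remote_subnets": ["192.168.0.0"],
                 "local_id": "@mamma.local", "remote_id": "@vodafone", "remote_ip": "%any"}
WORKING = {"local_subnets": ["192.168.20.0/24"], "remote_subnets": ["192.168.0.0/24"],
           "local_id": "95.233.3.213", "remote_id": "5.6.7.8", "remote_ip": "5.6.7.8"}
```

Running `check_tunnel(FIRST_ATTEMPT)` reports only the missing netmask; the mismatched @names cannot be detected locally, which is exactly why the INVALID_ID_INFORMATION line in the log is the clue to look for.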

Yes, that’s it!
I made the IPsec tunnel between NethServer and Vodafone Station work!
The only thing is: is there a variable that picks my external address and puts it in the leftid, and the remote address (from DDNS) and puts it in the rightid?
Because both NethServer and Vodafone station have dynamic ID.

4 Likes

I solved this by using dyndns hosters like no-ip.org.
In my config I just entered:

leftid=@mydomainname.no-ip.org
leftnexthop=%defaultroute
rightid=@othersitedomainname.no-ip.org
right=%any

Hope that helps.

4 Likes

It’s what I used too, I didn’t write it