IPsec - a messy test

NethServer Version: NethServer release 7.3.1611
Module: Ipsec tunnels

My silly NethServer installation uses this kind of setup.
3 network adapters
1 Red Static IP 172.20.1.99/24, GW 172.20.1.254
1 Green Static IP 172.31.3.1/24
1 Blue Static IP 172.31.251.1 (cable not connected).

Connected to the same DSL router there is also a USG20W appliance by Zyxel, capable of different things… an IPsec tunnel for instance.

WAN 172.20.1.252/24, GW 172.20.1.254
LAN1 172.31.1.1/24

I cannot use two public connections, so I was trying to create an IPsec tunnel between them for testing.

NethServer fully updated, USG20W Firmware Version 3.30 BDR9, the latest available.

(A little reminder for all: I have used IPsec for connecting Zyxel USGs to each other several times, and also for connecting a USG with IPFire or consumer DSL routers, TP-Link and NetGear among others. Be kind, I’m still a newbie on the task, but not that much of a noob…)

The tunnel was created with DNS Local/Remote ID, with a passphrase, AES128 as algorithm and SHA1 for checksum (IKE and ESP). The key exchange times were triple checked (86400/3600), PFS was enabled on both sides for Phase 1 and Phase 2 (DH2, default for NethServer).
Obviously, still not working.

The Italian interface of the tunnel setup of NethServer says

Task completato con errori
# (codice d'uscita )

(for non-italian speaking people…)

Task completed with errors 
# (exit code)

but obviously the exit code is missing… and I cannot understand what’s going wrong.

The strangest thing, for my little experience, is that I have no kind of dialog between the devices in Zyxel’s log.
I’m not used to and not skilled enough for correctly reading and understanding the logs from Linux/NethServer, but I’m quite used to understanding the Zyxel appliance’s log, and there seems to be no kind of data exchange/messages between the two installations.
So: what am I doing wrong?

Ok, hanging around I’ve learned that /var/log/messages and /var/log/secure are two files to check in case of VPN issues.
And in messages I’ve found some interesting things…

Jul 10 08:52:39 scapegoat systemd: ipsec.service holdoff time over, scheduling restart.
Jul 10 08:52:39 scapegoat systemd: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Jul 10 08:52:39 scapegoat addconn: cannot load config '/etc/ipsec.conf': /etc/ipsec.d/tunnels.conf:19: syntax error, unexpected STRING [Protocol]
Jul 10 08:52:39 scapegoat systemd: ipsec.service: control process exited, code=exited status=3
Jul 10 08:52:39 scapegoat systemd: Failed to start Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Jul 10 08:52:39 scapegoat systemd: Unit ipsec.service entered failed state.
Jul 10 08:52:39 scapegoat systemd: ipsec.service failed.
Jul 10 08:52:39 scapegoat esmith::event[24565]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.537167]
Jul 10 08:52:39 scapegoat systemd: ipsec.service holdoff time over, scheduling restart.
Jul 10 08:52:39 scapegoat systemd: start request repeated too quickly for ipsec.service
Jul 10 08:52:39 scapegoat systemd: Failed to start Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Jul 10 08:52:39 scapegoat systemd: Unit ipsec.service entered failed state.
Jul 10 08:52:39 scapegoat systemd: ipsec.service failed.
Jul 10 08:52:40 scapegoat systemd: Reloading.

And…

Jul 10 08:52:43 scapegoat esmith::event[24609]: [INFO]
Jul 10 08:52:43 scapegoat esmith::event[24609]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [0.371091]
Jul 10 08:52:43 scapegoat esmith::event[24609]: Event: nethserver-firewall-base-save SUCCESS
Jul 10 08:52:43 scapegoat esmith::event[24565]: Action: /etc/e-smith/events/trusted-networks-modify/S94firewall-adjust SUCCESS [3.026094]
Jul 10 08:52:43 scapegoat esmith::event[24565]: Event: trusted-networks-modify SUCCESS
Jul 10 08:52:43 scapegoat esmith::event[24335]: Action: /etc/e-smith/events/nethserver-ipsec-tunnels-save/S95trusted-networks-modify SUCCESS [4.550002]
Jul 10 08:52:43 scapegoat esmith::event[24335]: Event: nethserver-ipsec-tunnels-save FAILED

Why should NethServer fail to save the config?
I triggered these log entries by editing the tunnel.

Anyway: I decided to throw away (disable) the tunnel and create a new one.
Writing the name of the first tunnel I received the message that I cannot use capital letters in the tunnel name, so maybe this kind of error could corrupt the creation of the tunnel entry in ipsec. I edited it later.

Now I’m receiving constant errors in Zyxel’s log, so I can troubleshoot something…

And after enough shells on the config, I managed to connect the devices.

Therefore, a few questions for @dev_team:

  1. Is there a limit to the number of characters for the pre-shared key? With 20 chars (min and numbers) I had issues, with 18 it worked like a charm. (I would like at least 32-48 characters…)
  2. If an error is made creating the tunnel the first time, is this enough to corrupt the tunnel configuration?

(In any case, the issue is solved…)
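The two log excerpts above hide the real cause (a parse error in /etc/ipsec.d/tunnels.conf) among generic systemd and e-smith lines. As an added example, not code from the thread or from NethServer, here is a small triage script that pulls the actionable items out of /var/log/messages lines in that format; the sample lines are constructed from the excerpt.

```python
import re

# Constructed sample in the format of the /var/log/messages excerpt above.
SAMPLE_LOG = """\
Jul 10 08:52:39 scapegoat systemd: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Jul 10 08:52:39 scapegoat addconn: cannot load config '/etc/ipsec.conf': /etc/ipsec.d/tunnels.conf:19: syntax error, unexpected STRING [Protocol]
Jul 10 08:52:39 scapegoat systemd: ipsec.service: control process exited, code=exited status=3
Jul 10 08:52:39 scapegoat systemd: Unit ipsec.service entered failed state.
Jul 10 08:52:43 scapegoat esmith::event[24565]: Event: trusted-networks-modify SUCCESS
Jul 10 08:52:43 scapegoat esmith::event[24335]: Event: nethserver-ipsec-tunnels-save FAILED
"""

# addconn reports the included file and line that failed to parse, not just the top-level ipsec.conf.
ADDCONN_RE = re.compile(
    r"addconn: cannot load config '(?P<top>[^']+)': (?P<file>\S+):(?P<line>\d+): (?P<msg>.*)$")
# e-smith event summary lines ("Action:" lines are deliberately not matched).
EVENT_RE = re.compile(r"esmith::event\[(?P<pid>\d+)\]: Event: (?P<event>\S+) (?P<status>SUCCESS|FAILED)")
UNIT_FAIL_RE = re.compile(r"systemd: Unit (?P<unit>\S+) entered failed state")


def triage(log_text):
    """Collect config parse errors, failed systemd units and failed e-smith events."""
    report = {"config_errors": [], "failed_units": [], "failed_events": []}
    for line in log_text.splitlines():
        m = ADDCONN_RE.search(line)
        if m:
            report["config_errors"].append((m["file"], int(m["line"]), m["msg"]))
            continue
        m = UNIT_FAIL_RE.search(line)
        if m:
            report["failed_units"].append(m["unit"])
            continue
        m = EVENT_RE.search(line)
        if m and m["status"] == "FAILED":
            report["failed_events"].append(m["event"])
    return report


def root_cause(report):
    """A config parse error explains every later failure, so report it first."""
    if report["config_errors"]:
        path, lineno, msg = report["config_errors"][0]
        return f"{path} line {lineno}: {msg}"
    if report["failed_units"]:
        return f"{report['failed_units'][0]} failed with no config error; check /var/log/secure"
    return None


if __name__ == "__main__":
    print(root_cause(triage(SAMPLE_LOG)))
```

Run it against a real file with `triage(open("/var/log/messages").read())`; the event name in `failed_events` tells you which NethServer save event to re-run after fixing the reported line.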

AFAIK, the answer is no to both questions. :slight_smile:
No limit on PSK length.
Errors can’t corrupt the configuration.

Could you please try to reproduce the problems from scratch?

Yes of course, I was only waiting for the request.
Test 1: wrong tunnel name with correct data: issue not replicated.
Test 2: created tunnel with an 18-char PSK. Tunnel working. Changed PSK to 20 chars, tunnel not working.


I’ll try to replicate this ASAP.
Could you share the PSK with me? Does it contain “strange” characters (like $%"')?

A nice occasion to change it… :smiley:
1aff062ae4fe6a9231
Pretty simple mix of lowercase letters and numbers… The “strange” thing is that it looks like a hex value, not ASCII.

I added a couple of chars at the end of the string when editing (a letter and a number every time).

BTW… I generated 20 chars again, a little more “random”, also with uppercase. Tunnel not working.
Shortened to 18, it started working again.

Tested with a 30-char PSK between two NethServers: the VPN is up.
I suspect that your problem is due to an undocumented limit on the other firewall.


Maybe your suspicion is right.
But I can use a 23-char PSK (AES128/SHA1 - DH1 for both phases) on the same firmware version (another device).
The remote endpoint is a Linux firewall.

I am using AES128-SHA1 DH2 86400 sec for phase 1, AES128-SHA1 DH2 3600 for phase 2. Default for NethServer if I specify the cipher options.

Would you like me to try the auto settings?

Yes, I used auto settings.

23 characters.
And it works.

With the same settings on the Zyxel side for timing and cipher.
What the …