IPsec - a messy test


(Michael Kicks) #1

NethServer Version: NethServer release 7.3.1611
Module: Ipsec tunnels

My silly NethServer installation uses this kind of setup.
3 network adapters:
1 Red, static IP 172.20.1.99/24, GW 172.20.1.254
1 Green, static IP 172.31.3.1/24
1 Blue, static IP 172.31.251.1 (cable not connected).

A USG20W appliance by Zyxel is also connected to the same DSL router; it is capable of different things, IPsec tunnels for instance.

WAN 172.20.1.252/24, GW 172.20.1.254
LAN1 172.31.1.1/24

I cannot use two public connections, so I was trying to create an IPsec tunnel between them for a test.

NethServer fully updated, USG20W Firmware Version 3.30 BDR9, the latest available.

(A little reminder for all: I have used IPsec for connecting Zyxel USGs to each other several times, and also to connect a USG with IPFire or consumer DSL routers, TP-Link and NetGear among others. Be kind, I'm still a newbie at the task, but not that much of a noob…)

The tunnel was created with DNS Local/Remote IDs, a passphrase, AES128 as the algorithm and SHA1 for the checksum (IKE and ESP). The key exchange times were triple checked (86400/3600), and PFS was enabled on both sides for Phase 1 and Phase 2 (DH2, the default for NethServer).
Obviously, it is still not working.

The Italian interface of the NethServer tunnel setup says

Task completato con errori
# (codice d'uscita )

(for non-Italian speaking people…)

Task completed with errors 
# (exit code)

but obviously the exit code is missing… And I cannot understand what's going wrong.

The strangest thing, in my limited experience, is that I see no kind of dialog between the devices in Zyxel's log.
I'm not used to, or skilled enough at, correctly reading and understanding the logs from Linux/NethServer, but I'm quite used to reading the Zyxel appliance's log, and there seems to be no data exchange or messages at all between the two installations.
So: what am I doing wrong?


(Michael Kicks) #2

Ok, hanging around I've learned that /var/log/messages and /var/log/secure are the two files to check in case of VPN issues.
And in messages I've found some interesting things…

Jul 10 08:52:39 scapegoat systemd: ipsec.service holdoff time over, scheduling restart.
Jul 10 08:52:39 scapegoat systemd: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Jul 10 08:52:39 scapegoat addconn: cannot load config '/etc/ipsec.conf': /etc/ipsec.d/tunnels.conf:19: syntax error, unexpected STRING [Protocol]
Jul 10 08:52:39 scapegoat systemd: ipsec.service: control process exited, code=exited status=3
Jul 10 08:52:39 scapegoat systemd: Failed to start Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Jul 10 08:52:39 scapegoat systemd: Unit ipsec.service entered failed state.
Jul 10 08:52:39 scapegoat systemd: ipsec.service failed.
Jul 10 08:52:39 scapegoat esmith::event[24565]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.537167]
Jul 10 08:52:39 scapegoat systemd: ipsec.service holdoff time over, scheduling restart.
Jul 10 08:52:39 scapegoat systemd: start request repeated too quickly for ipsec.service
Jul 10 08:52:39 scapegoat systemd: Failed to start Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Jul 10 08:52:39 scapegoat systemd: Unit ipsec.service entered failed state.
Jul 10 08:52:39 scapegoat systemd: ipsec.service failed.
Jul 10 08:52:40 scapegoat systemd: Reloading.

And…

Jul 10 08:52:43 scapegoat esmith::event[24609]: [INFO]
Jul 10 08:52:43 scapegoat esmith::event[24609]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [0.371091]
Jul 10 08:52:43 scapegoat esmith::event[24609]: Event: nethserver-firewall-base-save SUCCESS
Jul 10 08:52:43 scapegoat esmith::event[24565]: Action: /etc/e-smith/events/trusted-networks-modify/S94firewall-adjust SUCCESS [3.026094]
Jul 10 08:52:43 scapegoat esmith::event[24565]: Event: trusted-networks-modify SUCCESS
Jul 10 08:52:43 scapegoat esmith::event[24335]: Action: /etc/e-smith/events/nethserver-ipsec-tunnels-save/S95trusted-networks-modify SUCCESS [4.550002]
Jul 10 08:52:43 scapegoat esmith::event[24335]: Event: nethserver-ipsec-tunnels-save FAILED

Why should NethServer fail to save the config?
I triggered these log entries by editing the tunnel.
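The log above already contains the root cause of the failed save: addconn refuses the generated configuration at a specific file and line, systemd then throttles the restart loop, and the e-smith event reports FAILED. The following is an added example (not part of this thread or of NethServer) that pulls those three facts out of raw /var/log/messages text, so the offending config line can be checked before touching the tunnel again; the sample lines are the ones quoted in this post.

```python
import re

# Constructed sample: the syslog lines quoted in this post (hostname "scapegoat").
SAMPLE_LOG = """\
Jul 10 08:52:39 scapegoat systemd: ipsec.service holdoff time over, scheduling restart.
Jul 10 08:52:39 scapegoat addconn: cannot load config '/etc/ipsec.conf': /etc/ipsec.d/tunnels.conf:19: syntax error, unexpected STRING [Protocol]
Jul 10 08:52:39 scapegoat systemd: ipsec.service: control process exited, code=exited status=3
Jul 10 08:52:39 scapegoat systemd: Failed to start Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Jul 10 08:52:39 scapegoat systemd: start request repeated too quickly for ipsec.service
Jul 10 08:52:43 scapegoat esmith::event[24335]: Event: nethserver-ipsec-tunnels-save FAILED
"""

# Libreswan's addconn reports parse errors as <file>:<line>: <reason>.
ADDCONN_RE = re.compile(
    r"addconn: cannot load config '(?P<top>[^']+)': "
    r"(?P<file>\S+):(?P<line>\d+): (?P<reason>.*)$"
)
EXIT_RE = re.compile(r"ipsec\.service: control process exited, code=exited status=(\d+)")
EVENT_RE = re.compile(r"esmith::event\[\d+\]: Event: (?P<event>\S+) FAILED")


def diagnose(log_text):
    """Summarise why ipsec.service failed, from raw /var/log/messages text."""
    report = {"config_errors": [], "exit_status": None,
              "restart_throttled": False, "failed_events": []}
    for line in log_text.splitlines():
        m = ADDCONN_RE.search(line)
        if m:
            report["config_errors"].append({
                "file": m.group("file"), "line": int(m.group("line")),
                "reason": m.group("reason")})
        elif (m := EXIT_RE.search(line)):
            report["exit_status"] = int(m.group(1))
        elif "start request repeated too quickly" in line:
            # systemd gave up restarting: later "failed" lines are fallout, not new causes.
            report["restart_throttled"] = True
        elif (m := EVENT_RE.search(line)):
            report["failed_events"].append(m.group("event"))
    return report


def offending_line(config_text, lineno):
    """Return the 1-based line addconn complained about, or None if out of range."""
    lines = config_text.splitlines()
    return lines[lineno - 1] if 0 < lineno <= len(lines) else None


if __name__ == "__main__":
    for err in diagnose(SAMPLE_LOG)["config_errors"]:
        print(f"check {err['file']} line {err['line']}: {err['reason']}")
```

Feed it `cat /var/log/messages` output and open the reported file at the reported line; in this thread that is line 19 of the template-generated /etc/ipsec.d/tunnels.conf, where a bare word "Protocol" ended up where a `key=value` was expected.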


(Michael Kicks) #3

Anyway: I decided to throw away (disable) the tunnel and create a new one.
When writing the name of the first tunnel I received the message that I cannot use capital letters in the tunnel name, so maybe this kind of error could corrupt the creation of the tunnel entry in ipsec. I edited it later.

Now I'm receiving constant errors in Zyxel's log, so I can troubleshoot something…


(Michael Kicks) #4

And after enough shuffling of the config, I managed to connect the devices.

Therefore, a few questions for @dev_team:

  1. Is there a limit to the number of characters for the pre-shared key? With 20 chars (min and numbers) I had issues, with 18 it worked like a charm. (I would like at least 32-48 characters…)
  2. If an error is made creating the tunnel the first time, is this enough to corrupt the tunnel configuration?

(in any case, the issue is solved…)


(Filippo Carletti) #5

AFAIK, the answer is no to both questions. :slight_smile:
No limit on PSK length.
Errors can’t corrupt the configuration.

Could you please try to reproduce the problems from scratch?


(Michael Kicks) #6

Yes, of course, I was only awaiting the request.
Test 1: wrong tunnel name with correct data: issue not replied.
Test 2: created tunnel with an 18-char PSK. Tunnel working. Changed PSK to 20 chars, tunnel not working.


(Filippo Carletti) #7

I’ll try to replicate this ASAP.
Could you share the PSK with me? Does it contain “strange” characters (like $%"’)?


(Michael Kicks) #8

A nice occasion to change it… :smiley:
1aff062ae4fe6a9231
A pretty simple mix of lowercase and numbers… The "strange" thing is that it looks like a hex value, not ASCII.

I add a couple of characters at the end of the string for editing (a letter and a number every time).

BTW… I generated 20 chars again, a little more "random", also with uppercase. Tunnel not working.
Shortened to 18, it started working again.


(Filippo Carletti) #9

Tested with a 30-char PSK between two NethServers: the VPN is up.
I suspect that your problem is due to an undocumented limit on the other firewall.


(Michael Kicks) #10

Maybe your suspicion is right.
But I can use a 23-character PSK (AES128/SHA1, DH1 for both phases) on the same firmware version (another device).
The remote endpoint is a Linux firewall.

I am using AES128-SHA1, DH2, 86400 sec for phase 1 and AES128-SHA1, DH2, 3600 sec for phase 2. These are the defaults for NethServer if I specify the cipher options.

Would you like me to try the auto settings?


(Filippo Carletti) #11

Yes, I used auto settings.


(Michael Kicks) #12

23 characters.
And it works.


With the same settings on the Zyxel side for timing and cipher.
What the …