IPSec site to site Ubiquiti issue

NethServer Version: 7.7.1908

Hello,
I’m trying to set up a site-to-site VPN between a UniFi USG and NS via IPsec, but I keep getting stuck on a wall.

So the setup is pretty simple; on the USG side I have these parameters with PFS enabled:

IKEv2 - AES-256 - SHA 1 - 14

And here is the NS configuration:

But every time I try to set up the connection I get this message in the logs.

Feb  3 17:06:24 rt01 pluto[20799]: "demoipsec_ipsec-tunnel/1x1" #1: STATE_MAIN_I3: retransmission; will wait 4 seconds for response
Feb  3 17:06:24 rt01 pluto[20799]: "demoipsec_ipsec-tunnel/1x1" #1: Peer ID is ID_IPV4_ADDR: '84.xx.xx.xx'
Feb  3 17:06:24 rt01 pluto[20799]: "demoipsec_ipsec-tunnel/1x1" #1: we require IKEv1 peer to have ID '@demoipsec.remote', but peer declares '84.xx.xx.xx'
Feb  3 17:06:24 rt01 pluto[20799]: "demoipsec_ipsec-tunnel/1x1" #1: sending encrypted notification INVALID_ID_INFORMATION to 84.xx.xx.xx:4500

Can anyone point me in a direction to get it working?

The same setup on the UniFi USG works without issue with pfSense:

The only parameter that differs on pfSense is the local ID, where I’ve put the public IP address of the router in front of pfSense (on NethServer I can’t change it, I can only use eth0, which is set as static with an internal IP).

What am I doing wrong?

Thanks

Edit:
I also tested setting the local identifier to my external IP address and the remote identifier to the remote public IP address, and in that case I get these messages in the logs:

Feb  3 17:21:30 rt01 pluto[30525]: "demoipsec_ipsec-tunnel/1x1" #4: STATE_QUICK_I1: retransmission; will wait 4 seconds for response
Feb  3 17:21:34 rt01 pluto[30525]: "demoipsec_ipsec-tunnel/1x1" #4: STATE_QUICK_I1: retransmission; will wait 8 seconds for response
Feb  3 17:21:42 rt01 pluto[30525]: "demoipsec_ipsec-tunnel/1x1" #4: STATE_QUICK_I1: retransmission; will wait 16 seconds for response
Feb  3 17:21:42 rt01 pluto[30525]: "demoipsec_ipsec-tunnel/1x1" #1: ignoring informational payload INVALID_HASH_INFORMATION, msgid=00000000, length=12
Feb  3 17:21:42 rt01 pluto[30525]: | ISAKMP Notification Payload
Feb  3 17:21:42 rt01 pluto[30525]: |   00 00 00 0c  00 00 00 01  01 00 00 17
Feb  3 17:21:42 rt01 pluto[30525]: "demoipsec_ipsec-tunnel/1x1" #1: received and ignored informational message
Feb  3 17:21:58 rt01 pluto[30525]: "demoipsec_ipsec-tunnel/1x1" #4: STATE_QUICK_I1: retransmission; will wait 32 seconds for response
Feb  3 17:21:58 rt01 pluto[30525]: "demoipsec_ipsec-tunnel/1x1" #1: ignoring informational payload INVALID_HASH_INFORMATION, msgid=00000000, length=12
Feb  3 17:21:58 rt01 pluto[30525]: | ISAKMP Notification Payload
Feb  3 17:21:58 rt01 pluto[30525]: |   00 00 00 0c  00 00 00 01  01 00 00 17
Feb  3 17:21:58 rt01 pluto[30525]: "demoipsec_ipsec-tunnel/1x1" #1: received and ignored informational message

For complete information, I’ve also tried letting NS do the PPPoE (to have the public IP assigned directly to the NS box)


and this is the log that I receive:

Feb  3 17:26:55 rt01 pluto[13119]: | setup callback for interface tunrw:500 fd 15
Feb  3 17:26:55 rt01 pluto[13119]: loading secrets from "/etc/ipsec.secrets"
Feb  3 17:26:55 rt01 pluto[13119]: loading secrets from "/etc/ipsec.d/tunnels.secrets"
Feb  3 17:26:55 rt01 pluto[13119]: ERROR "/etc/ipsec.d/tunnels.secrets" line 12: index "%ppp0" illegal (non-DNS-name) character in name
Feb  3 17:26:55 rt01 pluto[13119]: initiating all conns with alias='demoipsec_ipsec-tunnel'
Feb  3 17:26:55 rt01 pluto[13119]: "demoipsec_ipsec-tunnel/1x1": We cannot identify ourselves with either end of this connection.  84.xx.xx.xx or 0.0.0.0 are not usable
Feb  3 17:26:59 rt01 sudo: pam_unix(sudo:session): session closed for user root

and this is the output of tunnels.secrets

[root@rt01 ~]# cat /etc/ipsec.d/tunnels.secrets 
# ================= DO NOT MODIFY THIS FILE =================
# 
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at NethServer official site: https://www.nethserver.org
#
# 
#
# 40clients
#
%ppp0 84.xx.xx.xx : PSK "randompassword1234!"
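The pluto lines quoted above carry the diagnosis in a fixed wording ("we require IKEv1 peer to have ID … but peer declares …", "index … illegal", "We cannot identify ourselves …"). As an added example, not code from this thread or from NethServer or Libreswan, here is a small Python triage script that pulls those messages out of a syslog excerpt, captures the expected and declared IDs, and summarises per connection how far the negotiation got. The sample log is constructed from the lines in this thread with the same redaction; the rule list and the hints are the example's own.

```python
import re

# Constructed sample lines, modelled on the pluto output quoted in this thread
# (public addresses redacted the way the thread redacts them; one sudo line is
# included to show that non-pluto noise is skipped).
SAMPLE_LOG = """\
Feb  3 17:06:24 rt01 pluto[20799]: "demoipsec_ipsec-tunnel/1x1" #1: Peer ID is ID_IPV4_ADDR: '84.xx.xx.xx'
Feb  3 17:06:24 rt01 pluto[20799]: "demoipsec_ipsec-tunnel/1x1" #1: we require IKEv1 peer to have ID '@demoipsec.remote', but peer declares '84.xx.xx.xx'
Feb  3 17:06:24 rt01 pluto[20799]: "demoipsec_ipsec-tunnel/1x1" #1: sending encrypted notification INVALID_ID_INFORMATION to 84.xx.xx.xx:4500
Feb  3 17:21:42 rt01 pluto[30525]: "demoipsec_ipsec-tunnel/1x1" #1: ignoring informational payload INVALID_HASH_INFORMATION, msgid=00000000, length=12
Feb  3 17:26:55 rt01 pluto[13119]: ERROR "/etc/ipsec.d/tunnels.secrets" line 12: index "%ppp0" illegal (non-DNS-name) character in name
Feb  3 17:26:55 rt01 pluto[13119]: "demoipsec_ipsec-tunnel/1x1": We cannot identify ourselves with either end of this connection.  84.xx.xx.xx or 0.0.0.0 are not usable
Feb  3 18:27:36 rt01 sudo: pam_unix(sudo:session): session closed for user root
Feb  3 18:30:22 rt01 pluto[13421]: "ipsecdm_ipsec-tunnel/1x1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
Feb  3 18:30:22 rt01 pluto[13421]: "ipsecdm_ipsec-tunnel/1x1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xc4bb022f <0x03eb7cf9 xfrm=AES_CBC_256-HMAC_SHA1_96}
"""

# syslog prefix of a pluto line; then the optional  "conn" #sa:  prefix pluto puts on SA-specific messages
PLUTO_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ pluto\[\d+\]: (?P<msg>.*)$")
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)"(?: #(?P<sa>\d+))?: (?P<body>.*)$')

# (kind, pattern, defender-side hint); the first matching rule wins
RULES = [
    ("id_mismatch",
     re.compile(r"we require IKEv1 peer to have ID '(?P<expected>[^']+)', but peer declares '(?P<declared>[^']+)'"),
     "local side expects a different peer ID than the peer sends; rightid here and leftid on the peer must agree"),
    ("invalid_id_sent",
     re.compile(r"sending encrypted notification INVALID_ID_INFORMATION to (?P<peer>\S+)"),
     "we rejected the peer's ID; consequence of an ID mismatch"),
    ("invalid_hash_from_peer",
     re.compile(r"ignoring informational payload INVALID_HASH_INFORMATION"),
     "the peer rejected our hash; check that both ends use the same PSK and IDs"),
    ("secrets_index_illegal",
     re.compile(r'ERROR "(?P<file>[^"]+)" line (?P<line>\d+): index "(?P<index>[^"]+)" illegal'),
     "an interface name was written where the secrets file expects an IP address or @fqdn ID"),
    ("cannot_identify_self",
     re.compile(r"We cannot identify ourselves with either end of this connection\.\s+(?P<addrs>.+)"),
     "neither left nor right resolves to an address pluto is listening on"),
    ("malformed_payload", re.compile(r"malformed payload in packet"),
     "packet did not parse; look at the failures logged just before it"),
    ("isakmp_sa_established", re.compile(r"ISAKMP SA established \{(?P<params>[^}]*)\}"),
     "phase 1 succeeded"),
    ("ipsec_sa_established", re.compile(r"IPsec SA established (?P<mode>\w+ mode)"),
     "phase 2 succeeded; if no traffic flows, compare traffic selectors and routes on both ends"),
]


def parse_pluto(text):
    """Yield (conn, sa, body) for every pluto line; other daemons' lines are skipped."""
    for line in text.splitlines():
        m = PLUTO_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        c = CONN_RE.match(msg)
        if c:
            yield c.group("conn"), c.group("sa"), c.group("body")
        else:
            yield None, None, msg  # global messages (secrets loading, startup)


def triage(text):
    """Return one finding per recognised line, with the captured details and a hint."""
    findings = []
    for conn, sa, body in parse_pluto(text):
        for kind, rx, hint in RULES:
            m = rx.search(body)
            if m:
                findings.append({"kind": kind, "conn": conn or "(global)", "sa": sa,
                                 "hint": hint, **m.groupdict()})
                break
    return findings


def summarize(findings):
    """Per connection: the furthest phase reached and the distinct problems seen."""
    out = {}
    for f in findings:
        entry = out.setdefault(f["conn"], {"phase": "failed", "problems": set()})
        if f["kind"] == "ipsec_sa_established":
            entry["phase"] = "ipsec_sa"
        elif f["kind"] == "isakmp_sa_established":
            if entry["phase"] != "ipsec_sa":
                entry["phase"] = "isakmp_sa"
        else:
            entry["problems"].add(f["kind"])
    return {c: {"phase": e["phase"], "problems": sorted(e["problems"])} for c, e in out.items()}


if __name__ == "__main__":
    for conn, s in summarize(triage(SAMPLE_LOG)).items():
        print(f"{conn}: phase={s['phase']} problems={s['problems']}")
```

Run it against `journalctl -u ipsec` output piped into `triage()`; for the first log in this thread it reports `id_mismatch` with `expected='@demoipsec.remote'` and `declared='84.xx.xx.xx'`, which is the identity disagreement the later posts work around by setting both identifiers to IP addresses.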

Would/could you fall back to IKEv1 just as a test?

Sure, same configuration, just changed on UniFi from IKEv2 to IKEv1

Feb  3 18:27:32 rt01 pluto[10348]: initiating all conns with alias='ipsecdm_ipsec-tunnel'
Feb  3 18:27:32 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: initiating Main Mode
Feb  3 18:27:32 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Feb  3 18:27:32 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: STATE_MAIN_I2: retransmission; will wait 0.5 seconds for response
Feb  3 18:27:32 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Feb  3 18:27:33 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: Peer ID is ID_IPV4_ADDR: '84.xx.xx.xx'
Feb  3 18:27:33 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: we require IKEv1 peer to have ID '@ipsecdm.remote', but peer declares '84.xx.xx.xx'
Feb  3 18:27:33 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: sending encrypted notification INVALID_ID_INFORMATION to 84.xx.xx.xx:4500
Feb  3 18:27:33 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: STATE_MAIN_I3: retransmission; will wait 0.5 seconds for response
Feb  3 18:27:33 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: Peer ID is ID_IPV4_ADDR: '84.xx.xx.xx'
Feb  3 18:27:33 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: we require IKEv1 peer to have ID '@ipsecdm.remote', but peer declares '84.xx.xx.xx'
Feb  3 18:27:33 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: sending encrypted notification INVALID_ID_INFORMATION to 84.xx.xx.xx:4500
Feb  3 18:27:33 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: STATE_MAIN_I3: retransmission; will wait 1 seconds for response
Feb  3 18:27:34 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: Peer ID is ID_IPV4_ADDR: '84.xx.xx.xx'
Feb  3 18:27:34 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: we require IKEv1 peer to have ID '@ipsecdm.remote', but peer declares '84.xx.xx.xx'
Feb  3 18:27:34 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: sending encrypted notification INVALID_ID_INFORMATION to 84.xx.xx.xx:4500
Feb  3 18:27:34 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: STATE_MAIN_I3: retransmission; will wait 2 seconds for response
Feb  3 18:27:35 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: Peer ID is ID_IPV4_ADDR: '84.xx.xx.xx'
Feb  3 18:27:35 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: we require IKEv1 peer to have ID '@ipsecdm.remote', but peer declares '84.xx.xx.xx'
Feb  3 18:27:35 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: sending encrypted notification INVALID_ID_INFORMATION to 84.xx.xx.xx:4500
Feb  3 18:27:36 rt01 sudo: pam_unix(sudo:session): session closed for user root
Feb  3 18:27:36 rt01 sudo:    root : TTY=unknown ; PWD=/run/user/0 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/nethserver-vpn-ui/ipsec/read
Feb  3 18:27:36 rt01 sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Feb  3 18:27:36 rt01 sudo: pam_unix(sudo:session): session closed for user root
Feb  3 18:27:36 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: STATE_MAIN_I3: retransmission; will wait 4 seconds for response
Feb  3 18:27:37 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: Peer ID is ID_IPV4_ADDR: '84.xx.xx.xx'
Feb  3 18:27:37 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: we require IKEv1 peer to have ID '@ipsecdm.remote', but peer declares '84.xx.xx.xx'
Feb  3 18:27:37 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: sending encrypted notification INVALID_ID_INFORMATION to 84.xx.xx.xx:4500
Feb  3 18:27:40 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: STATE_MAIN_I3: retransmission; will wait 8 seconds for response
Feb  3 18:27:41 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: Peer ID is ID_IPV4_ADDR: '84.xx.xx.xx'
Feb  3 18:27:41 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: we require IKEv1 peer to have ID '@ipsecdm.remote', but peer declares '84.xx.xx.xx'
Feb  3 18:27:41 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: sending encrypted notification INVALID_ID_INFORMATION to 84.xx.xx.xx:4500
Feb  3 18:27:48 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: byte 2 of ISAKMP Hash Payload should have been zero, but was not (ignored)
Feb  3 18:27:48 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: length of ISAKMP Hash Payload is larger than can fit
Feb  3 18:27:48 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: malformed payload in packet
Feb  3 18:27:48 rt01 sudo:    root : TTY=unknown ; PWD=/run/user/0 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/nethserver-vpn-ui/logs/read
Feb  3 18:27:48 rt01 sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Feb  3 18:27:48 rt01 sudo: pam_unix(sudo:session): session closed for user root
Feb  3 18:27:48 rt01 sudo:    root : TTY=unknown ; PWD=/run/user/0 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-logs/execute
Feb  3 18:27:48 rt01 sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Feb  3 18:27:48 rt01 sudo: pam_unix(sudo:session): session closed for user root
Feb  3 18:27:48 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: STATE_MAIN_I3: retransmission; will wait 16 seconds for response
Feb  3 18:27:49 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: Peer ID is ID_IPV4_ADDR: '84.xx.xx.xx'
Feb  3 18:27:49 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: we require IKEv1 peer to have ID '@ipsecdm.remote', but peer declares '84.xx.xx.xx'
Feb  3 18:27:49 rt01 pluto[10348]: "ipsecdm_ipsec-tunnel/1x1" #1: sending encrypted notification INVALID_ID_INFORMATION to 84.xx.xx.xx:4500
Feb  3 18:27:50 rt01 sudo:    root : TTY=unknown ; PWD=/run/user/0 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-logs/execute
Feb  3 18:27:50 rt01 sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)

For testing purposes, I’ve set the local identifier to my public IP address and the remote identifier to the remote public IP address, and we got some light :smiley:

Feb  3 18:30:21 rt01 pluto[13421]: loading secrets from "/etc/ipsec.d/tunnels.secrets"
Feb  3 18:30:21 rt01 pluto[13421]: initiating all conns with alias='ipsecdm_ipsec-tunnel'
Feb  3 18:30:21 rt01 pluto[13421]: "ipsecdm_ipsec-tunnel/1x1" #1: initiating Main Mode
Feb  3 18:30:21 rt01 pluto[13421]: "ipsecdm_ipsec-tunnel/1x1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Feb  3 18:30:21 rt01 pluto[13421]: "ipsecdm_ipsec-tunnel/1x1" #1: STATE_MAIN_I2: retransmission; will wait 0.5 seconds for response
Feb  3 18:30:22 rt01 pluto[13421]: "ipsecdm_ipsec-tunnel/1x1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Feb  3 18:30:22 rt01 pluto[13421]: "ipsecdm_ipsec-tunnel/1x1" #1: Peer ID is ID_IPV4_ADDR: '84.xx.xx.xx'
Feb  3 18:30:22 rt01 pluto[13421]: "ipsecdm_ipsec-tunnel/1x1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
Feb  3 18:30:22 rt01 pluto[13421]: "ipsecdm_ipsec-tunnel/1x1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:99c12809 proposal=AES_CBC_256-HMAC_SHA1_96-MODP2048 pfsgroup=MODP2048}
Feb  3 18:30:22 rt01 pluto[13421]: "ipsecdm_ipsec-tunnel/1x1" #2: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
Feb  3 18:30:22 rt01 pluto[13421]: "ipsecdm_ipsec-tunnel/1x1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xc4bb022f <0x03eb7cf9 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=84.33.99.75:4500 DPD=active}
Feb  3 18:30:25 rt01 sudo: pam_unix(sudo:session): session closed for user root

With IKEv1 the tunnel seems up, but there’s no traffic; I can’t ping the router or hosts in the other network :thinking:

IMVHO NethServer already provides routes and firewall settings to allow communication (I tried with NethGUI, not Cockpit).
Does the USG by Ubiquiti do the same thing?

Well, it looks like it does…

Last login: Mon Feb  3 10:58:43 2020 from 192.168.2.62
admin@USG4:~$ show interfaces 
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description                 
---------    ----------                        ---  -----------                 
eth0         10.164.100.1/24                   u/D  LAN                         
eth1         192.168.2.1/24                    u/u  LAN2                        
eth1.90      172.16.90.1/24                    u/u                              
eth2         -                                 u/u  WAN                         
eth3         -                                 u/u  WAN2                        
lo           127.0.0.1/8                       u/u                              
             ::1/128                          
pppoe0       84.xx.xx.xx                       u/u                              
pppoe1       5.x.x.xx1                         u/u                              
vti65        -                                 u/u                              
                
      
admin@USG4:~$ show vpn ipsec sa 
peer-93.188.101.29-tunnel-vti: #8, ESTABLISHED, IKEv1, 62028b6fb5d68992:dc997a9e61bdf403
  local  '84.xx.xx.xx' @ 84.xx.xx.xx
  remote '93.xxx.xxx.29' @ 93.xxx.xxx.29
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  established 883s ago, reauth in 26981s
  peer-93.xxx.xxx.xx-tunnel-vti: #7, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_2048
    installed 882 ago, rekeying in 1997s, expires in 2718s
    in  c4bb022f,      0 bytes,     0 packets
    out 03eb7cf9,      0 bytes,     0 packets
    local  192.168.2.0/24
    remote 192.168.110.0/24


admin@USG4PAtena:~$ show ip route 
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

S   0.0.0.0/0 [230/0] is directly connected, pppoe1
S>* 0.0.0.0/0 [1/0] is directly connected, pppoe0
C>* 10.13.1.5/32 is directly connected, vtun68
C>* 10.14.1.5/32 is directly connected, vtun64
C>* 10.15.1.5/32 is directly connected, vtun65
C>* 10.16.1.5/32 is directly connected, vtun66
C>* 10.17.1.5/32 is directly connected, vtun67
C>* 10.164.100.0/24 is directly connected, eth0
S>* 10.164.110.0/24 [3/0] is directly connected, vtun64
S>* 10.164.115.0/24 [30/0] is directly connected, vtun66
S>* 10.164.120.0/24 [30/0] is directly connected, vtun65
S>* 10.164.125.0/24 [30/0] is directly connected, vtun67
S>* 10.164.130.0/24 [30/0] is directly connected, vtun68
C>* 81.xxx.0.x1/32 is directly connected, pppoe0
C>* 82.xxx.1xx.24/32 is directly connected, pppoe1
C>* 127.0.0.0/8 is directly connected, lo
C>* 172.16.90.0/24 is directly connected, eth1.90
C>* 192.168.2.0/24 is directly connected, eth1
S>* 192.168.110.0/24 [30/0] is directly connected, vti65
admin@USG4P:~$

I’ve also followed all the steps here but nothing works; the tunnel is still up but 0 packets :frowning:

Anyway, is there a way to force NethServer to use IKEv2? It looks like it just tries IKEv1; how can I force it?

Thanks

So, I’ve checked the config on the Ubiquiti:
ipsec.conf (Ubiquiti)

conn peer-93.xxx.xxx.xx-tunnel-vti
        left=84.xx.xx.xx
        right=93.xxx.xxx.x9
        leftsubnet=0.0.0.0/0
        rightsubnet=0.0.0.0/0
        ike=aes256-sha1-modp2048!
        keyexchange=ikev2
        reauth=no
        ikelifetime=28800s
        esp=aes256-sha1-modp2048!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret
        mark=9437185
        auto=route
        keyingtries=%forever
#conn peer-93.xxx.xxx.x9-tunnel-vti

and I’ve tried to replicate the config on NS, using docs from here

BTW, is this the right format, just adding a Custom_key value?

[root@rt01 ~]# db vpn setprop ipsecs2s Custom_ike aes256-sha1-modp2048!
[root@rt01 ~]# db vpn setprop ipsecs2s Custom_esp aes256-sha1-modp2048!
[root@rt01 ~]# db vpn setprop ipsecs2s Custom_keyexchange ikev2
[root@rt01 ~]# signal-event nethserver-ipsec-tunnels-save 
[root@rt01 ~]# db vpn show ipsecs2s 
ipsecs2s=ipsec-tunnel
    Custom_esp=aes256-sha1-modp2048!
    Custom_ike=aes256-sha1-modp2048!
    Custom_keyexchange=ikev2
    compress=no
    dpdaction=restart
    esp=auto
    espcipher=aes256
    esphash=sha1
    esppfsgroup=modp2048
    ike=auto
    ikecipher=aes256
    ikehash=sha1
    ikelifetime=28800
    ikepfsgroup=modp2048
    left=%eth0
    leftid=93.xxx.xxx.x9
    leftsubnets=192.168.110.0/24
    pfs=no
    psk=randompassword1234!!randompassword1234!!
    right=84.xx.xx.x5
    rightid=84.xx.xx.x5
    rightsubnets=192.168.2.0/24
    salifetime=3600
    status=enabled

but of course the IPsec process seems to just crash; the log just reports this:

Feb  4 17:43:36 rt01 pluto[23176]: FIPS Product: NO
Feb  4 17:43:36 rt01 pluto[23176]: FIPS Kernel: NO
Feb  4 17:43:36 rt01 pluto[23176]: FIPS Mode: NO
Feb  4 17:43:36 rt01 pluto[23176]: NSS DB directory: sql:/etc/ipsec.d
Feb  4 17:43:36 rt01 pluto[23176]: Initializing NSS
Feb  4 17:43:36 rt01 pluto[23176]: Opening NSS database "sql:/etc/ipsec.d" read-only
Feb  4 17:43:36 rt01 pluto[23176]: NSS initialized
Feb  4 17:43:36 rt01 pluto[23176]: NSS crypto library initialized
Feb  4 17:43:36 rt01 pluto[23176]: FIPS HMAC integrity support [enabled]
Feb  4 17:43:36 rt01 pluto[23176]: FIPS mode disabled for pluto daemon
Feb  4 17:43:36 rt01 pluto[23176]: FIPS HMAC integrity verification self-test passed
Feb  4 17:43:36 rt01 pluto[23176]: libcap-ng support [enabled]
Feb  4 17:43:36 rt01 pluto[23176]: Linux audit support [enabled]
Feb  4 17:43:36 rt01 pluto[23176]: Linux audit activated
Feb  4 17:43:36 rt01 pluto[23176]: Starting Pluto (Libreswan Version 3.25 XFRM(netkey) KLIPS FORK PTHREAD_SETSCHEDPRIO GCC_EXCEPTIONS NSS (AVA copy) (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:23176
Feb  4 17:43:36 rt01 pluto[23176]: core dump dir: /run/pluto
Feb  4 17:43:36 rt01 pluto[23176]: secrets file: /etc/ipsec.secrets
Feb  4 17:43:36 rt01 pluto[23176]: leak-detective enabled
Feb  4 17:43:36 rt01 pluto[23176]: NSS crypto [enabled]
Feb  4 17:43:36 rt01 pluto[23176]: XAUTH PAM support [enabled]
Feb  4 17:43:36 rt01 pluto[23176]: NAT-Traversal support  [enabled]
Feb  4 17:43:36 rt01 pluto[23176]: Initializing libevent in pthreads mode: headers: 2.0.21-stable (2001500); library: 2.0.21-stable (2001500)
Feb  4 17:43:36 rt01 pluto[23176]: Encryption algorithms:
Feb  4 17:43:36 rt01 pluto[23176]:  AES_CCM_16          IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm aes_ccm_c)
Feb  4 17:43:36 rt01 pluto[23176]:  AES_CCM_12          IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm_b)
Feb  4 17:43:36 rt01 pluto[23176]:  AES_CCM_8           IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm_a)
Feb  4 17:43:36 rt01 pluto[23176]:  3DES_CBC            IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  [*192]  (3des)
Feb  4 17:43:36 rt01 pluto[23176]:  CAMELLIA_CTR        IKEv1:     ESP     IKEv2:     ESP           {256,192,*128}
Feb  4 17:43:36 rt01 pluto[23176]:  CAMELLIA_CBC        IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  (camellia)
Feb  4 17:43:36 rt01 pluto[23176]:  AES_GCM_16          IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm aes_gcm_c)
Feb  4 17:43:36 rt01 pluto[23176]:  AES_GCM_12          IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm_b)
Feb  4 17:43:36 rt01 pluto[23176]:  AES_GCM_8           IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm_a)
Feb  4 17:43:36 rt01 pluto[23176]:  AES_CTR             IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aesctr)
Feb  4 17:43:36 rt01 pluto[23176]:  AES_CBC             IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes)
Feb  4 17:43:36 rt01 pluto[23176]:  SERPENT_CBC         IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  (serpent)
Feb  4 17:43:36 rt01 pluto[23176]:  TWOFISH_CBC         IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  (twofish)
Feb  4 17:43:36 rt01 pluto[23176]:  TWOFISH_SSH         IKEv1: IKE         IKEv2: IKE ESP           {256,192,*128}  (twofish_cbc_ssh)
Feb  4 17:43:36 rt01 pluto[23176]:  CAST_CBC            IKEv1:     ESP     IKEv2:     ESP           {*128}  (cast)
Feb  4 17:43:36 rt01 pluto[23176]:  NULL_AUTH_AES_GMAC  IKEv1:     ESP     IKEv2:     ESP           {256,192,*128}  (aes_gmac)
Feb  4 17:43:36 rt01 pluto[23176]:  NULL                IKEv1:     ESP     IKEv2:     ESP           []
Feb  4 17:43:36 rt01 pluto[23176]: Hash algorithms:
Feb  4 17:43:36 rt01 pluto[23176]:  MD5                 IKEv1: IKE         IKEv2:
Feb  4 17:43:36 rt01 pluto[23176]:  SHA1                IKEv1: IKE         IKEv2:             FIPS  (sha)
Feb  4 17:43:36 rt01 pluto[23176]:  SHA2_256            IKEv1: IKE         IKEv2:             FIPS  (sha2 sha256)
Feb  4 17:43:36 rt01 pluto[23176]:  SHA2_384            IKEv1: IKE         IKEv2:             FIPS  (sha384)
Feb  4 17:43:36 rt01 pluto[23176]:  SHA2_512            IKEv1: IKE         IKEv2:             FIPS  (sha512)
Feb  4 17:43:36 rt01 pluto[23176]: PRF algorithms:
Feb  4 17:43:36 rt01 pluto[23176]:  HMAC_MD5            IKEv1: IKE         IKEv2: IKE               (md5)
Feb  4 17:43:36 rt01 pluto[23176]:  HMAC_SHA1           IKEv1: IKE         IKEv2: IKE         FIPS  (sha sha1)
Feb  4 17:43:36 rt01 pluto[23176]:  HMAC_SHA2_256       IKEv1: IKE         IKEv2: IKE         FIPS  (sha2 sha256 sha2_256)
Feb  4 17:43:36 rt01 pluto[23176]:  HMAC_SHA2_384       IKEv1: IKE         IKEv2: IKE         FIPS  (sha384 sha2_384)
Feb  4 17:43:36 rt01 pluto[23176]:  HMAC_SHA2_512       IKEv1: IKE         IKEv2: IKE         FIPS  (sha512 sha2_512)
Feb  4 17:43:36 rt01 pluto[23176]:  AES_XCBC            IKEv1:             IKEv2: IKE         FIPS  (aes128_xcbc)
Feb  4 17:43:36 rt01 pluto[23176]: Integrity algorithms:
Feb  4 17:43:36 rt01 pluto[23176]:  HMAC_MD5_96         IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        (md5 hmac_md5)
Feb  4 17:43:36 rt01 pluto[23176]:  HMAC_SHA1_96        IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha sha1 sha1_96 hmac_sha1)
Feb  4 17:43:36 rt01 pluto[23176]:  HMAC_SHA2_512_256   IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha512 sha2_512 hmac_sha2_512)
Feb  4 17:43:36 rt01 pluto[23176]:  HMAC_SHA2_384_192   IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha384 sha2_384 hmac_sha2_384)
Feb  4 17:43:36 rt01 pluto[23176]:  HMAC_SHA2_256_128   IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha2 sha256 sha2_256 hmac_sha2_256)
Feb  4 17:43:36 rt01 pluto[23176]:  AES_XCBC_96         IKEv1:     ESP AH  IKEv2: IKE ESP AH  FIPS  (aes_xcbc aes128_xcbc aes128_xcbc_96)
Feb  4 17:43:36 rt01 pluto[23176]:  AES_CMAC_96         IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS  (aes_cmac)
Feb  4 17:43:36 rt01 pluto[23176]:  NONE                IKEv1:     ESP     IKEv2:     ESP     FIPS  (null)
Feb  4 17:43:36 rt01 pluto[23176]: DH algorithms:
Feb  4 17:43:36 rt01 pluto[23176]:  NONE                IKEv1:             IKEv2: IKE ESP AH        (null dh0)
Feb  4 17:43:36 rt01 pluto[23176]:  MODP1024            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        (dh2)
Feb  4 17:43:36 rt01 pluto[23176]:  MODP1536            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        (dh5)
Feb  4 17:43:36 rt01 pluto[23176]:  MODP2048            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh14)
Feb  4 17:43:36 rt01 pluto[23176]:  MODP3072            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh15)
Feb  4 17:43:36 rt01 pluto[23176]:  MODP4096            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh16)
Feb  4 17:43:36 rt01 pluto[23176]:  MODP6144            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh17)
Feb  4 17:43:36 rt01 pluto[23176]:  MODP8192            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh18)
Feb  4 17:43:36 rt01 pluto[23176]:  DH19                IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  (ecp_256)
Feb  4 17:43:36 rt01 pluto[23176]:  DH20                IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  (ecp_384)
Feb  4 17:43:36 rt01 pluto[23176]:  DH21                IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  (ecp_521)
Feb  4 17:43:36 rt01 pluto[23176]:  DH22                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH
Feb  4 17:43:36 rt01 pluto[23176]:  DH23                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS
Feb  4 17:43:36 rt01 pluto[23176]:  DH24                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS
Feb  4 17:43:36 rt01 pluto[23176]: starting up 5 crypto helpers
Feb  4 17:43:36 rt01 pluto[23176]: started thread for crypto helper 0
Feb  4 17:43:36 rt01 pluto[23176]: started thread for crypto helper 1
Feb  4 17:43:36 rt01 pluto[23176]: started thread for crypto helper 2
Feb  4 17:43:36 rt01 pluto[23176]: started thread for crypto helper 3
Feb  4 17:43:36 rt01 pluto[23176]: started thread for crypto helper 4
Feb  4 17:43:36 rt01 pluto[23176]: Using Linux XFRM/NETKEY IPsec interface code on 3.10.0-1062.9.1.el7.x86_64
Feb  4 17:43:36 rt01 pluto[23176]: | selinux support is NOT enabled.
Feb  4 17:43:36 rt01 pluto[23176]: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
Feb  4 17:43:36 rt01 pluto[23176]: watchdog: sending probes every 100 secs
Feb  4 17:43:36 rt01 pluto[23176]: listening for IKE messages
Feb  4 17:43:36 rt01 pluto[23176]: adding interface tunrw/tunrw 10.123.22.1:500
Feb  4 17:43:36 rt01 pluto[23176]: adding interface tunrw/tunrw 10.123.22.1:4500
Feb  4 17:43:36 rt01 pluto[23176]: adding interface tuns2s-dl/tuns2s-dl 10.55.186.1:500
Feb  4 17:43:36 rt01 pluto[23176]: adding interface tuns2s-dl/tuns2s-dl 10.55.186.1:4500
Feb  4 17:43:36 rt01 pluto[23176]: adding interface eth1.50/eth1.50 10.50.0.1:500
Feb  4 17:43:36 rt01 pluto[23176]: adding interface eth1.50/eth1.50 10.50.0.1:4500
Feb  4 17:43:36 rt01 pluto[23176]: adding interface eth1/eth1 192.168.110.1:500
Feb  4 17:43:36 rt01 pluto[23176]: adding interface eth1/eth1 192.168.110.1:4500
Feb  4 17:43:36 rt01 pluto[23176]: adding interface eth0/eth0 192.168.179.150:500
Feb  4 17:43:36 rt01 pluto[23176]: adding interface eth0/eth0 192.168.179.150:4500
Feb  4 17:43:36 rt01 pluto[23176]: adding interface lo/lo 127.0.0.1:500
Feb  4 17:43:36 rt01 pluto[23176]: adding interface lo/lo 127.0.0.1:4500
Feb  4 17:43:36 rt01 pluto[23176]: adding interface lo/lo ::1:500
Feb  4 17:43:36 rt01 pluto[23176]: | setup callback for interface lo:500 fd 27
Feb  4 17:43:36 rt01 pluto[23176]: | setup callback for interface lo:4500 fd 26
Feb  4 17:43:36 rt01 pluto[23176]: | setup callback for interface lo:500 fd 25
Feb  4 17:43:36 rt01 pluto[23176]: | setup callback for interface eth0:4500 fd 24
Feb  4 17:43:36 rt01 pluto[23176]: | setup callback for interface eth0:500 fd 23
Feb  4 17:43:36 rt01 pluto[23176]: | setup callback for interface eth1:4500 fd 22
Feb  4 17:43:36 rt01 pluto[23176]: | setup callback for interface eth1:500 fd 21
Feb  4 17:43:36 rt01 pluto[23176]: | setup callback for interface eth1.50:4500 fd 20
Feb  4 17:43:36 rt01 pluto[23176]: | setup callback for interface eth1.50:500 fd 19
Feb  4 17:43:36 rt01 pluto[23176]: | setup callback for interface tuns2s-dl:4500 fd 18
Feb  4 17:43:36 rt01 pluto[23176]: | setup callback for interface tuns2s-dl:500 fd 17
Feb  4 17:43:36 rt01 pluto[23176]: | setup callback for interface tunrw:4500 fd 16
Feb  4 17:43:36 rt01 pluto[23176]: | setup callback for interface tunrw:500 fd 15
Feb  4 17:43:36 rt01 pluto[23176]: loading secrets from "/etc/ipsec.secrets"
Feb  4 17:43:36 rt01 pluto[23176]: loading secrets from "/etc/ipsec.d/tunnels.secrets"
Feb  4 17:43:40 rt01 sudo: pam_unix(sudo:session): session closed for user root
Feb  4 17:43:40 rt01 sudo:    root : TTY=unknown ; PWD=/run/user/0 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/nethserver-vpn-ui/ipsec/read
Feb  4 17:43:40 rt01 sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Feb  4 17:43:41 rt01 sudo: pam_unix(sudo:session): session closed for user root
Feb  4 17:44:41 rt01 sudo:    root : TTY=unknown ; PWD=/run/user/0 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/nethserver-vpn-ui/ipsec/update
Feb  4 17:44:41 rt01 sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Feb  4 17:44:42 rt01 pluto[23176]: shutting down
Feb  4 17:44:42 rt01 pluto[23176]: forgetting secrets
Feb  4 17:44:42 rt01 pluto[23176]: shutting down interface lo/lo ::1:500
Feb  4 17:44:42 rt01 pluto[23176]: shutting down interface lo/lo 127.0.0.1:4500
Feb  4 17:44:42 rt01 pluto[23176]: shutting down interface lo/lo 127.0.0.1:500
Feb  4 17:44:42 rt01 pluto[23176]: shutting down interface eth0/eth0 192.168.179.150:4500
Feb  4 17:44:42 rt01 pluto[23176]: shutting down interface eth0/eth0 192.168.179.150:500
Feb  4 17:44:42 rt01 pluto[23176]: shutting down interface eth1/eth1 192.168.110.1:4500
Feb  4 17:44:42 rt01 pluto[23176]: shutting down interface eth1/eth1 192.168.110.1:500
Feb  4 17:44:42 rt01 pluto[23176]: shutting down interface eth1.50/eth1.50 10.50.0.1:4500
Feb  4 17:44:42 rt01 pluto[23176]: shutting down interface eth1.50/eth1.50 10.50.0.1:500
Feb  4 17:44:42 rt01 pluto[23176]: shutting down interface tuns2s-dl/tuns2s-dl 10.55.186.1:4500
Feb  4 17:44:42 rt01 pluto[23176]: shutting down interface tuns2s-dl/tuns2s-dl 10.55.186.1:500
Feb  4 17:44:42 rt01 pluto[23176]: shutting down interface tunrw/tunrw 10.123.22.1:4500
Feb  4 17:44:42 rt01 pluto[23176]: shutting down interface tunrw/tunrw 10.123.22.1:500
Feb  4 17:44:42 rt01 pluto[23176]: leak detective found no leaks
Feb  4 17:44:46 rt01 sudo: pam_unix(sudo:session): session closed for user root
Feb  4 17:44:46 rt01 sudo:    root : TTY=unknown ; PWD=/run/user/0 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/nethserver-vpn-ui/ipsec/read
Feb  4 17:44:46 rt01 sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Feb  4 17:44:46 rt01 sudo: pam_unix(sudo:session): session closed for user root
Feb  4 17:48:18 rt01 sudo: pam_unix(sudo:session): session closed for user root
Feb  4 17:51:23 rt01 sudo:    root : TTY=unknown ; PWD=/run/user/0 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/nethserver-vpn-ui/logs/read
Feb  4 17:51:23 rt01 sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Feb  4 17:51:24 rt01 sudo: pam_unix(sudo:session): session closed for user root
Feb  4 17:51:24 rt01 sudo:    root : TTY=unknown ; PWD=/run/user/0 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-logs/execute
Feb  4 17:51:24 rt01 sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Feb  4 17:51:24 rt01 sudo: pam_unix(sudo:session): session closed for user root
Feb  4 17:51:25 rt01 sudo:    root : TTY=unknown ; PWD=/run/user/0 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-logs/execute
Feb  4 17:51:25 rt01 sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Feb  4 17:51:25 rt01 sudo: pam_unix(sudo:session): session closed for user root
Feb  4 17:51:54 rt01 sudo:    root : TTY=unknown ; PWD=/run/user/0 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/nethserver-vpn-ui/dashboard/read
Feb  4 17:51:54 rt01 sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Feb  4 17:51:55 rt01 sudo: pam_unix(sudo:session): session closed for user root
Feb  4 17:51:55 rt01 sudo:    root : TTY=unknown ; PWD=/run/user/0 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/nethserver-vpn-ui/dashboard/read
Feb  4 17:51:55 rt01 sudo:    root : TTY=unknown ; PWD=/run/user/0 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/nethserver-vpn-ui/dashboard/read
Feb  4 17:51:55 rt01 sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Feb  4 17:51:55 rt01 sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Feb  4 17:51:55 rt01 sudo: pam_unix(sudo:session): session closed for user root
Feb  4 17:51:55 rt01 sudo: pam_unix(sudo:session): session closed for user root
Feb  4 17:52:00 rt01 sudo:    root : TTY=unknown ; PWD=/run/user/0 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/nethserver-vpn-ui/dashboard/read
Feb  4 17:52:00 rt01 sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Feb  4 17:52:00 rt01 sudo:    root : TTY=unknown ; PWD=/run/user/0 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/nethserver-vpn-ui/dashboard/read
Feb  4 17:52:00 rt01 sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Feb  4 17:52:00 rt01 sudo: pam_unix(sudo:session): session closed for user root
Feb  4 17:52:00 rt01 sudo: pam_unix(sudo:session): session closed for user root
Feb  4 17:52:00 rt01 sudo:    root : TTY=unknown ; PWD=/run/user/0 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/nethserver-vpn-ui/logs/read
Feb  4 17:52:00 rt01 sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Feb  4 17:52:01 rt01 sudo: pam_unix(sudo:session): session closed for user root
Feb  4 17:52:01 rt01 sudo:    root : TTY=unknown ; PWD=/run/user/0 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-logs/execute
Feb  4 17:52:01 rt01 sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Feb  4 17:52:01 rt01 sudo: pam_unix(sudo:session): session closed for user root
Feb  4 17:52:01 rt01 polkitd[985]: Registered Authentication Agent for unix-process:30715:1738378 (system bus name :1.2282 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.utf8)
Feb  4 17:52:01 rt01 polkitd[985]: Unregistered Authentication Agent for unix-process:30715:1738378 (system bus name :1.2282, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.utf8) (disconnected from bus)
Feb  4 17:52:03 rt01 sudo:    root : TTY=unknown ; PWD=/run/user/0 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-logs/execute
Feb  4 17:52:03 rt01 sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Feb  4 17:52:03 rt01 sudo: pam_unix(sudo:session): session closed for user root
Feb  4 17:52:05 rt01 sudo:    root : TTY=unknown ; PWD=/run/user/0 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-logs/execute
Feb  4 17:52:05 rt01 sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Feb  4 17:52:09 rt01 sudo:    root : TTY=unknown ; PWD=/run/user/0 ; USER=root ; COMMAND=/usr/libexec/nethserver/api/system-logs/execute
Feb  4 17:52:09 rt01 sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Feb  4 17:52:09 rt01 sudo: pam_unix(sudo:session): session closed for user root

I’m totally lost… does anyone have some ideas?

Ok, you’re a console guy. Totally fair, you can configure a few more options, in a specific way.
I’ve used only the GUI to configure NethServer to a Zyxel USG device with some… tricks.
Therefore…
A couple of hints:

  • NethServer should be the initiator of the tunnel and USG should be configured as standby (currently NethServer does not allow it)
  • keep track of the timeouts and the time, date and timezone of both devices
  • double check compression (consider to disable it) and DPD (consider to enable it on both sides)
  • unfortunately into GUI there’s no specific configuration for IKEv1 or v2
  • unfortunately act II, no certificate support

Last hint: does Ubiquiti USG support OpenVPN too? This could be another option too…

No they currently do not. At least not through officially supported means.

Actually they do support it, I’ve already tested it and OpenVPN site-to-site between USG and NS works, just set topology P2P on NS.
By default the USG uses an insecure protocol (SHA1 + bf-cbc), but you can change it via ssh and export it to config.gateway.json to allow the changes to persist after another provisioning.

The problem with OpenVPN is that you will lose the hardware offloading, which basically means the speed of the tunnel will be really slow, because all the power of the little CPU will be eaten by the vpn process (less of an issue on a USG4 Pro, but on my USG3P it’s like 7/8 mbit top speed with a 100/20mbit).

  • Yep, USG waits for the connection
  • TZ and date are the same
  • Compression off / DPD enabled on both

Certificates are not a problem; USG with default settings won’t support them either, so it’s not a big deal.
The “true” problem is the explicit IKEv2 missing from the GUI.

Is there at least a way to get a full list of the supported parameters of the cfg? I don’t mind getting my hands dirty on the console; the daemon should be strongswan 3.25. Is there a list of supported ciphers / protocols, or a working config with all the accepted parameters?
Atm with my “Custom_val” added to the config the service just crashes, and /var/log/secure doesn’t give me any hint on what parameter is causing the issue, neither does /var/log/messages … where should ipsec log the issue? :thinking:

1 Like
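When the IKE daemon's own lines are buried in a syslog dump full of sudo and polkit noise like the one above, it helps to pull out only the pluto messages and map the notifications pluto emits (INVALID_ID_INFORMATION, INVALID_HASH_INFORMATION, Main/Quick mode retransmissions) to what to check on each side. The script below is an added example written for this thread, not code from NethServer or from any poster; the log lines it carries are constructed in pluto's syslog format with a made-up connection name, host and documentation-range address.

```python
"""Triage pluto (IKE daemon) syslog lines: keep only pluto, map known failure
messages to a phase and a checklist item.  Added example for this thread, not
NethServer code.  Sample lines below are constructed, not captured."""
import re
from collections import Counter

# A pluto syslog line: timestamp, host, "pluto[pid]:", quoted conn name, "#<sa>:", message.
PLUTO_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$'
)

# (pattern on the message, label, what a defender should verify).  Order matters:
# the first matching rule wins.
RULES = [
    (re.compile(r'we require IKEv1 peer to have ID .* but peer declares'),
     'peer_id_mismatch',
     'Configured remote identifier (a name) differs from the ID the peer sends (its IP).'),
    (re.compile(r'sending encrypted notification INVALID_ID_INFORMATION'),
     'invalid_id_sent',
     'We rejected the peer ID: align local/remote identifiers on both gateways.'),
    (re.compile(r'ignoring informational payload INVALID_HASH_INFORMATION'),
     'invalid_hash_from_peer',
     'Peer could not validate our Phase 2 message: check PFS group, ESP proposal, subnets.'),
    (re.compile(r'STATE_MAIN_I\d: retransmission'),
     'phase1_retransmit',
     'No Phase 1 reply: check UDP 500/4500 reachability and that both ends use the same IKE version.'),
    (re.compile(r'STATE_QUICK_I\d: retransmission'),
     'phase2_retransmit',
     'Phase 1 done but no Phase 2 reply: check the Phase 2 proposal, DPD and timeouts.'),
]


def parse_line(line):
    """Return the named fields of a pluto line, or None for any other daemon."""
    m = PLUTO_RE.match(line)
    return m.groupdict() if m else None


def classify(msg):
    """Map one pluto message to (label, hint); None if it is not a known failure."""
    for rx, label, hint in RULES:
        if rx.search(msg):
            return label, hint
    return None


def summarize(lines):
    """Count known failure labels over a log and collect their hints."""
    counts, hints = Counter(), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # sudo/polkit/etc. lines are skipped
            continue
        hit = classify(rec['msg'])
        if hit:
            counts[hit[0]] += 1
            hints[hit[0]] = hit[1]
    return counts, hints


def diagnose(lines):
    """Name the earliest negotiation stage that shows a failure, or None."""
    counts, _ = summarize(lines)
    if counts['peer_id_mismatch'] or counts['invalid_id_sent']:
        return 'identity'
    if counts['invalid_hash_from_peer'] or counts['phase2_retransmit']:
        return 'phase2'
    if counts['phase1_retransmit']:
        return 'phase1'
    return None


# Constructed samples (not real captures): an identity failure and a Phase 2 failure,
# interleaved with the kind of sudo noise seen in a full /var/log dump.
P = 'gw01 pluto[20799]: "site2site_ipsec-tunnel/1x1"'
SAMPLE_ID_FAILURE = [
    'Feb  3 17:06:24 gw01 sudo:    root : TTY=unknown ; PWD=/run/user/0 ; USER=root ; COMMAND=/bin/true',
    f'Feb  3 17:06:24 {P} #1: STATE_MAIN_I3: retransmission; will wait 4 seconds for response',
    f"Feb  3 17:06:24 {P} #1: Peer ID is ID_IPV4_ADDR: '203.0.113.10'",
    f"Feb  3 17:06:24 {P} #1: we require IKEv1 peer to have ID '@branch.remote', but peer declares '203.0.113.10'",
    f'Feb  3 17:06:24 {P} #1: sending encrypted notification INVALID_ID_INFORMATION to 203.0.113.10:4500',
]
SAMPLE_PHASE2_FAILURE = [
    f'Feb  3 17:21:30 {P} #4: STATE_QUICK_I1: retransmission; will wait 4 seconds for response',
    f'Feb  3 17:21:34 {P} #4: STATE_QUICK_I1: retransmission; will wait 8 seconds for response',
    f'Feb  3 17:21:42 {P} #1: ignoring informational payload INVALID_HASH_INFORMATION, msgid=00000000, length=12',
]

if __name__ == '__main__':
    for name, sample in (('identity sample', SAMPLE_ID_FAILURE), ('phase2 sample', SAMPLE_PHASE2_FAILURE)):
        counts, hints = summarize(sample)
        print(name, '->', diagnose(sample))
        for label, n in counts.items():
            print(f'  {n}x {label}: {hints[label]}')
```

Feed it the lines of whichever file pluto writes to on your box (the poster looked in /var/log/secure and /var/log/messages); the "identity" verdict says the ID check failed before any proposal was compared, while "phase2" means Phase 1 completed and the mismatch is in PFS, the ESP proposal or the subnets, which is the distinction the two log excerpts in this thread show.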

Updated VPN module.


Update and try again :wink:

That is not officially supported and UBNT won’t support it. You may have gotten the item to work but it isn’t something you can buy a warranty/support for.

Sorry, but messing with the custom json file is “allowed” by Unifi https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-USG-Advanced-Configuration ; it just says that if you mess it up you are on your own, they won’t help you make the custom cfg, but it should not stop you from doing it. If you f**k things up, worst case scenario, just reset the USG and start over :wink:

In the end, with Unifi Product Line, you are your own support :smiley:

If you don’t wanna mess with the custom json config, you can simply stick with the default settings as I said before; from the GUI it uses (SHA1 + bf-cbc).

Great will do it tonight :wink:

Man… Keep it simple…

Well, it’s harder to explain than to do it :stuck_out_tongue: :wink:

No, believe me. Use the GUI, only a few mix and match. I was able to connect a crappy NetGear router to NethServer only with patience and verifications. Use the GUI on both sides, it will ease a lot of pain.

Here we go again :wink: I guess I’ve got it in the end :slight_smile:

So after all the trials and the new update of NS (thanks btw :wink:), forcing IKEv2 made the tunnel work without issue :wink:
I / We just need to remember to uncheck / disable the Dynamic Routing on the unifi interface

Unifi CFG:

NethServer CFG:

Ping Working :wink:

As a side note, if I forced the USG to use IKEv1 the tunnel was working fine in the end :wink:

1 Like

This is some really cool stuff. I’m glad you got this working; I can’t tell you how frustrating it is to turn around with a Unifi Security appliance that is a few hundred $$ only to find out it doesn’t officially support some of the most robust/freely available VPN technologies right out of the box. Normally I have to prop up a VPN appliance behind my Unifi devices and this looks like a good step forward to reducing that overhead.

You got me :wink: I’m a Pritunl user; I used to deploy a VM on the servers behind the USG just to have some basic OpenVPN client connectivity for the road warriors, to save me from headaches :smile:

I’m glad you have a 1080P screen, but maybe the screenshots could be smaller too.
Also, for NethServer, in English, for better comprehension by the other folks here in the Community.
Anyway, glad you solved it. Have a lot of fun.