Ipsec tunnel between NethServer and Vodafone Station

Cloud21 · November 25, 2016, 9:09am

NethServer Version: NethServer release 7.2.1511 (rc2)
Module: Tunnel IPsec

Hello everyone! I’d like to thank you for this amazing product!
I’ve got a problem creating an ipsec tunnel between a NethServer and a Vodafone station.
My settings are these:

Nethserver
Local IP: ppp0 - PPPoE
Local subnets: 192.168.20.0/24
Local identifier: @mamma.local
Remote IP: %any
Remote subnets: 192.168.0.0/24
Remote identifier: @vodafone
Enable PFS
Phase 1 (IKE): Auto
Phase 2 (ESP): Auto

Vodafone station:
Remote IP: my no-ip host
Remote subnets: 192.168.20.0/24
Remote identifier: @vodafone

Unfortunately on the vodafone station there are not a lot of settings.

Now on the nethserver log it shows this:

Nov 21 10:01:10 qwall pluto[17139]: packet from vodafone station ip:500: received Vendor ID payload [Dead Peer Detection]
Nov 21 10:01:10 qwall pluto[17139]: packet from vodafone station ip:500: received Vendor ID payload [RFC 3947]
Nov 21 10:01:10 qwall pluto[17139]: packet from vodafone station ip:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Nov 21 10:01:10 qwall pluto[17139]: packet from vodafone station ip:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Nov 21 10:01:10 qwall pluto[17139]: packet from vodafone station ip:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Nov 21 10:01:10 qwall pluto[17139]: packet from vodafone station ip:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Nov 21 10:01:10 qwall pluto[17139]: packet from vodafone station ip:500: initial Main Mode message received on 95.233.3.213:500 but no connectionhas been authorized with policy PSK+IKEV1_ALLOW

I’ve searched for PSK+IKEV1_ALLOW without luck. Any idea? Thanks.

The solution is this:
Vodafone station:

Remote IP: your remote ip or ddns
Remote subnets: your remote subnet in my case 192.168.20.0
Remote netmask: your remote netmask in my case 255.255.255.0
Shared secret: your shared secret

NethServer:

Name: any name to identify your connection
Pre-Sared Key: your shared secret
Local IP: your external ip
Local subnets: your local subnet WITH netmask in my case 192.168.20.0/24
Local identifier: your EXTERNAL IP
Remote IP: the external ip of the vodafone station or %any if you have a dynamic IP
Remote subnets: your remote subnets with netmask in my case 192.168.0.0/24
Remote identifier: the vodafone station EXTERNAL ip
Enable PFS
Phase 1 (IKE): Auto
Phase 2 (ESP): Auto

Cloud21 · November 22, 2016, 12:09pm

I’m sorry to bring this topic up again, is there someone that at least know how to deal with the

packet from vodafone station ip:500: initial Main Mode message received on 95.233.3.213:500 but no connectionhas been authorized with policy PSK+IKEV1_ALLOW

error? Thanks

dnutan · November 22, 2016, 1:22pm

@prostream succeded with ipsec and a fritzbox which showed similar messages, not sure it will help you with the vodafone station.

Cloud21 · November 22, 2016, 1:26pm

thank you

davide_marini · November 23, 2016, 10:55am

@Cloud21 did you try to disable th PFS flag in NethServer?

Said that …the fact is that we need to know the IKE and ESP parameters of the Vodafone Station in order to recreate same settings in NethServer, but it seems quite difficult to find this parameters.

I also found a document that shows how to make an ipsec vpn between a Vodafone Station and a TP link device (in italian) :

If anybody knows the default IKE and ESP values on TP Link this could help.

Cloud21 · November 23, 2016, 12:12pm

Thank you @davide_marini , but as you point out the TP-Link has “auto” as key exchange method.
Yes I tried disabling PFS but it’s no use, same error.

Cloud21 · November 23, 2016, 12:52pm

my error was in the nethserver configuration, i didn’t specify the network mask (/24) in the remote network… My bad
But now I’ve got this error:

sending encrypted notification INVALID_ID_INFORMATION to vodafone station ip:500

davide_marini · February 1, 2017, 4:19pm

This seems to be a problem related to local and remote IDs of the Ipsec configuration.
Because the Vodafone Station doesn’t allow you to specify the IDs I assume that it’s using Public IPs as identifiers.
So, if your Nethserver has a public ip on the red interface yuo can set local and remote id that way:

local ID: public ip adress of nethserver
remote ID: public ip adress of the vodafone station

Cloud21 · November 25, 2016, 8:59am

Yes, that’s it!
I made the ipsec tunnel between NethServer and Vodafone station work!
The only thing is: is there a variable that pick my esternal address and put it in the leftid and the remote address (from ddns) and put it in the rightid?
Because both NethServer and Vodafone station have dynamic ID.

prostream · February 1, 2017, 4:19pm

I solved this by using dyndns hosters like no-ip.org.
In my config i just entered:

leftid=@mydomainname.no-ip.org
leftnexthop=%defaultroute
rightid=@othersitedomainname.no-ip.org
right=%any

Hope that helps.

Cloud21 · November 30, 2016, 3:24pm

It’s what I used too, I didn’t write it