Looking for VPN Help and Nethserver Expert


My only suggestion is: do the homework.
IPSec parameters are sometimes named differently from device to device, but once you find the correspondences between both sides… it works.
Do not use a trial-and-error sequence, at least not for the beginning.
Write down most of the options (remember that Linux uses the @text notation for text in the local and remote id), then try to mix and match mode, hash, proposal (please do not use less than AES), PFS/Diffie-Hellman.

Did you ever manage to connect two networks via IPSec?

No, I didn't manage to connect two networks via IPsec.

You can start from here…
https://en.avm.de/service/vpn/tips-tricks/connecting-the-fritzbox-with-a-companys-vpn/
and here
https://docs.nethserver.org/en/v7/vpn.html#ipsec

Maybe this can also be of help:

1 Like

What do you suggest if I need to access the home network devices from the company network?

Quite a hard answer to give without a… police grilling about the current network structure/subnets, goals, and (therefore) the steps to achieve the result.
Fundamentally, doing all the job except putting the configuration into the devices and testing.

So please, start by describing the current situation of the home and remote networks (subnets, topology) and the goals…

1 Like

I don’t have a Fritzbox to test but it seems the documentation from AVM describes a roadwarrior scenario. You need a site-to-site VPN to have full access to any device from both sides.

I didn’t find any documentation about setting up site-to-site in the Fritzbox user interface. In this case I think you have to use a cfg file and import it to your Fritzbox (Add VPN button).

Check the link posted by @dnutan to get an example of a cfg file for the Fritzbox and a working /etc/ipsec.conf for Nethserver.

Here is another cfg example (in German).

There’s a “Configure FRITZ!Box VPN Connection” tool to create cfg files.

Then you need to set same values on both sides as @pike described here.

2 Likes

Dear,

Still, I have not succeeded with the Fritzbox and Nethserver VPN connection using IPsec. Is there anything that I am missing?

My Fritzbox network is 192.168.10.0.
My Nethserver networks are 192.168.8.0 (LAN, green) and 192.168.88.0 (WAN, red).

Local and remote identifiers are missing?
Also: I do not suggest using %any for the Remote IP (unless the remote endpoint has a dynamic IP address).

I added the local and remote identifiers; my remote endpoint has a dynamic IP address,
but still the tunnel status is red, as you can see.

Again: do the homework and double check everything. Also be sure that UDP ports 500 and 4500 (if behind a NAT) can be reached by both setups (Fritz AND NethServer).
Also: feel free to verify that the ISP allows IPSec traffic.
An example from today: this morning, to create an IPSec tunnel again (after a firmware upgrade my appliance decided that the configuration was not good and reset itself), I had to make at least two or three adjustments for wrong settings… And it took about 40 minutes.

Please post the cfg file or configuration you use in the Fritzbox

and the output of the Nethserver IPSEC configuration

db vpn show

so we can compare the settings of the two devices.

Don’t forget to mask public domain names and psks.

Hello,

I applied the following configuration on my Fritzbox as described in the Fritzbox link.

The Nethserver IPsec configuration is as follows.

The fritzbox link describes a scenario where the fritzbox connects as client to the Nethserver and that means you can’t reach the devices behind the fritzbox from the Nethserver side, see Looking for VPN Help and Nethserver Expert

Could you post a screenshot of the fritzbox settings so we can compare them?

Did you already try to disable PFS on the Nethserver?

Hello,

The configuration of my Fritzbox cfg file is as follows:

vpncfg {
    connections {
        enabled = yes;
        conn_type = conntype_lan;
        name = "myvpm";
        always_renew = yes;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = XXX.XXX.XXX.XXX;
        remote_virtualip = 0.0.0.0;
        localid {
            fqdn = "xxxxxx.myfritz.net";
        }
        remoteid {
            ipaddr = XXX.XXX.XXX.XXX;
        }
        mode = phase1_mode_aggressive;
        phase1ss = "all/all/all";
        keytype = connkeytype_pre_shared;
        key = "RANDOM PRE SHARED KEY";
        cert_do_server_auth = no;
        use_nat_t = yes;
        use_xauth = yes;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = 192.168.10.0;  // LOCAL IP ADDRESS OF FRITZBOX LAN
                mask = 255.255.255.0;   // LOCAL SUBNET MASK OF FRITZBOX LAN
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 192.168.8.0;   // LOCAL IP ADDRESS OF OPENSWAN LAN
                mask = 255.255.255.0;   // LOCAL SUBNET MASK OF OPENSWAN LAN
            }
        }
        phase2ss = "esp-aes256-3des-sha/ah-all-sha/comp-lzs-no/pfs";
        accesslist = "permit ip any 192.168.8.0 255.255.255.0";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}

Nethserver /etc/ipsec.conf file:

config setup
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fe80::/10

conn Site-to-Site
    authby=secret
    auto=add
    type=tunnel
    aggrmode=yes
    left=XXX.XXX.XXX.XXX
    leftid=@XXXXXXXXXXXXXX
    leftnexthop=%defaultroute
    leftsourceip=192.168.8.12
    leftsubnet=192.168.8.0/24
    right=%any
    rightsubnet=192.168.10.0/24
    rightid=XXXXXXXX.myfritz.net
    ike=aes256-sha1;modp2048
    phase2=esp
    phase2alg=aes256-sha1;modp2048

include /etc/ipsec.d/*.conf

Comparing the settings I found some missing values.

In the fritzbox cfg file edit following values:

name = "FQDN of Nethserver";
remoteip = 0.0.0.0;

and add

remotehostname = "FQDN OF Nethserver";

You may try modp1024 bit (DH2) instead of modp2048 on the Neth side.

Please check (and maybe post) fritzbox and Nethserver VPN logs when trying to connect.

journalctl -u ipsec.service

https://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-ipsec-tunnels.html#logs

2 Likes
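
As an added example (not code from this thread, from AVM or from NethServer), a small Python checker that parses a Fritz!Box cfg file and a Libreswan ipsec.conf and reports the mismatches the posts above tell you to compare by hand: the two phase-2 subnets, aggressive versus main mode, the Fritz local id against rightid, PFS on both sides, and whether the DH group names in ike/phase2alg are ones Libreswan recognizes. The embedded configs are constructed after the ones posted, with placeholder names and a documentation address.

```python
import re
from ipaddress import ip_network

# Constructed after the two files posted above; 203.0.113.10 and the names are placeholders.
FRITZ_CFG = """
vpncfg {
    connections {
        localid { fqdn = "xxxxxx.myfritz.net"; }
        remoteid { ipaddr = 203.0.113.10; }
        mode = phase1_mode_aggressive;
        phase2localid { ipnet { ipaddr = 192.168.10.0; mask = 255.255.255.0; } }  // Fritz LAN
        phase2remoteid { ipnet { ipaddr = 192.168.8.0; mask = 255.255.255.0; } }  // Neth green
        phase2ss = "esp-aes256-3des-sha/ah-all-sha/comp-lzs-no/pfs";
    }
}
"""
IPSEC_CONF = """
conn Site-to-Site
    aggrmode=yes
    leftsubnet=192.168.8.0/24
    right=%any
    rightid=@xxxxxx.myfritz.net
    rightsubnet=192.168.10.0/24
    ike=aes256-sha1;modp2048
    phase2alg=aes256-sha1;modp2048
"""
# MODP group names this Libreswan build lists in the pluto startup log above.
KNOWN_DH = {'modp1024', 'modp1536', 'modp2048', 'modp3072', 'modp4096', 'modp6144', 'modp8192'}

def parse_fritz(text):
    # Tokenize the brace/semicolon syntax (after dropping // comments) and build nested dicts.
    toks = re.findall(r'"[^"]*"|[{};=,]|[^\s{};=,]+', re.sub(r'//[^\n]*', '', text))
    pos = 0
    def block():
        nonlocal pos
        out = {}
        while pos < len(toks) and toks[pos] != '}':
            key, pos = toks[pos], pos + 1
            if toks[pos] == '{':          # nested block
                pos += 1; out[key] = block(); pos += 1
            else:                         # key = value[, value...];
                pos += 1
                vals = []
                while toks[pos] != ';':
                    if toks[pos] != ',': vals.append(toks[pos].strip('"'))
                    pos += 1
                pos += 1; out[key] = vals[0] if len(vals) == 1 else vals
        return out
    return block()

def parse_ipsec_conf(text):
    # Collect the key=value lines of each 'conn' section of a Libreswan ipsec.conf.
    conns, cur = {}, None
    for line in (l.split('#')[0].strip() for l in text.splitlines()):
        if line.startswith('conn '): cur = conns.setdefault(line[5:].strip(), {})
        elif '=' in line and cur is not None:
            k, v = line.split('=', 1); cur[k.strip()] = v.strip()
    return conns

def compare(fritz, conn):
    """Return a list of mismatches between the Fritz connection and the Libreswan conn."""
    c = fritz['vpncfg']['connections']
    net = lambda b: ip_network(f"{b['ipnet']['ipaddr']}/{b['ipnet']['mask']}")
    f = []
    if net(c['phase2localid']) != ip_network(conn['rightsubnet']): f.append('Fritz phase2localid != rightsubnet')
    if net(c['phase2remoteid']) != ip_network(conn['leftsubnet']): f.append('Fritz phase2remoteid != leftsubnet')
    if (c['mode'] == 'phase1_mode_aggressive') != (conn.get('aggrmode') == 'yes'): f.append('aggressive/main mode mismatch')
    if c['localid'].get('fqdn') != conn.get('rightid', '').lstrip('@'): f.append('Fritz localid fqdn != rightid')
    if ('pfs' in c['phase2ss'].split('/')) != (conn.get('pfs', 'yes') == 'yes'): f.append('PFS on one side only')
    for key in ('ike', 'phase2alg'):   # the group name after ';' must be one Libreswan knows
        group = conn.get(key, '').partition(';')[2]
        if group and group not in KNOWN_DH: f.append(f"{key}: DH group '{group}' unknown to Libreswan")
    return f
```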

Hello,
The log file is really big, I can only post a few of the last lines.

Oct 16 09:22:23 xxxpluto[1653]: NSS initialized
Oct 16 09:22:23 xxxpluto[1653]: NSS crypto library initialized
Oct 16 09:22:23 xxxpluto[1653]: FIPS HMAC integrity support [enabled]
Oct 16 09:22:23 xxxpluto[1653]: FIPS mode disabled for pluto daemon
Oct 16 09:22:23 xxxpluto[1653]: FIPS HMAC integrity verification self-test passed
Oct 16 09:22:23 xxxpluto[1653]: libcap-ng support [enabled]
Oct 16 09:22:23 xxxpluto[1653]: Linux audit support [enabled]
Oct 16 09:22:23 xxxpluto[1653]: Linux audit activated
Oct 16 09:22:23 xxxpluto[1653]: Starting Pluto (Libreswan Version 3.25 XFRM(netkey) KLIPS FORK PTHREAD_SETSCHEDPRIO GCC_EXCEPTIONS NSS (AVA copy) (IPsec profile) DNSSEC SYSTEMD_WATC
Oct 16 09:22:23 xxxpluto[1653]: core dump dir: /run/pluto
Oct 16 09:22:23 xxxpluto[1653]: secrets file: /etc/ipsec.secrets
Oct 16 09:22:23 xxxpluto[1653]: leak-detective enabled
Oct 16 09:22:23 xxxpluto[1653]: NSS crypto [enabled]
Oct 16 09:22:23 xxxpluto[1653]: XAUTH PAM support [enabled]
Oct 16 09:22:23 xxxpluto[1653]: NAT-Traversal support [enabled]
Oct 16 09:22:23 xxxpluto[1653]: Initializing libevent in pthreads mode: headers: 2.0.21-stable (2001500); library: 2.0.21-stable (2001500)
Oct 16 09:22:23 xxxpluto[1653]: Encryption algorithms:
Oct 16 09:22:23 xxxpluto[1653]: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm aes_ccm_c)
Oct 16 09:22:23 xxxpluto[1653]: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm_b)
Oct 16 09:22:23 xxxpluto[1653]: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm_a)
Oct 16 09:22:23 xxxpluto[1653]: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] (3des)
Oct 16 09:22:23 xxxpluto[1653]: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128}
Oct 16 09:22:23 xxxpluto[1653]: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} (camellia)
Oct 16 09:22:23 xxxpluto[1653]: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm aes_gcm_c)
Oct 16 09:22:23 xxxpluto[1653]: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_b)
Oct 16 09:22:23 xxxpluto[1653]: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_a)
Oct 16 09:22:23 xxxpluto[1653]: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aesctr)
Oct 16 09:22:23 xxxpluto[1653]: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes)
Oct 16 09:22:23 xxxpluto[1653]: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} (serpent)
Oct 16 09:22:23 xxxpluto[1653]: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} (twofish)
Oct 16 09:22:23 xxxpluto[1653]: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} (twofish_cbc_ssh)
Oct 16 09:22:23 xxxpluto[1653]: CAST_CBC IKEv1: ESP IKEv2: ESP {*128} (cast)
Oct 16 09:22:23 xxxpluto[1653]: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP {256,192,*128} (aes_gmac)
Oct 16 09:22:23 xxxpluto[1653]: NULL IKEv1: ESP IKEv2: ESP []
Oct 16 09:22:23 xxxpluto[1653]: Hash algorithms:
Oct 16 09:22:23 xxxpluto[1653]: MD5 IKEv1: IKE IKEv2:
Oct 16 09:22:23 xxxpluto[1653]: SHA1 IKEv1: IKE IKEv2: FIPS (sha)
Oct 16 09:22:23 xxxpluto[1653]: SHA2_256 IKEv1: IKE IKEv2: FIPS (sha2 sha256)
Oct 16 09:22:23 xxxpluto[1653]: SHA2_384 IKEv1: IKE IKEv2: FIPS (sha384)
Oct 16 09:22:23 xxxpluto[1653]: SHA2_512 IKEv1: IKE IKEv2: FIPS (sha512)
Oct 16 09:22:23 xxxpluto[1653]: PRF algorithms:
Oct 16 09:22:23 xxxpluto[1653]: HMAC_MD5 IKEv1: IKE IKEv2: IKE (md5)
Oct 16 09:22:23 xxxpluto[1653]: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS (sha sha1)
Oct 16 09:22:23 xxxpluto[1653]: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS (sha2 sha256 sha2_256)
Oct 16 09:22:23 xxxpluto[1653]: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS (sha384 sha2_384)
Oct 16 09:22:23 xxxpluto[1653]: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS (sha512 sha2_512)
Oct 16 09:22:23 xxxpluto[1653]: AES_XCBC IKEv1: IKEv2: IKE FIPS (aes128_xcbc)
Oct 16 09:22:23 xxxpluto[1653]: Integrity algorithms:
Oct 16 09:22:23 xxxpluto[1653]: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH (md5 hmac_md5)
Oct 16 09:22:23 xxxpluto[1653]: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha sha1 sha1_96 hmac_sha1)
Oct 16 09:22:23 xxxpluto[1653]: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha512 sha2_512 hmac_sha2_512)
Oct 16 09:22:23 xxxpluto[1653]: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha384 sha2_384 hmac_sha2_384)
Oct 16 09:22:23 xxxpluto[1653]: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (sha2 sha256 sha2_256 hmac_sha2_256)
Oct 16 09:22:23 xxxpluto[1653]: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH FIPS (aes_xcbc aes128_xcbc aes128_xcbc_96)
Oct 16 09:22:23 xxxpluto[1653]: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS (aes_cmac)
Oct 16 09:22:23 xxxpluto[1653]: NONE IKEv1: ESP IKEv2: ESP FIPS (null)
Oct 16 09:22:23 xxxpluto[1653]: DH algorithms:
Oct 16 09:22:23 xxxpluto[1653]: NONE IKEv1: IKEv2: IKE ESP AH (null dh0)
Oct 16 09:22:23 xxxpluto[1653]: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP AH (dh2)
Oct 16 09:22:23 xxxpluto[1653]: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH (dh5)
Oct 16 09:22:23 xxxpluto[1653]: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh14)
Oct 16 09:22:23 xxxpluto[1653]: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh15)
Oct 16 09:22:23 xxxpluto[1653]: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh16)
Oct 16 09:22:23 xxxpluto[1653]: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh17)
Oct 16 09:22:23 xxxpluto[1653]: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS (dh18)
Oct 16 09:22:23 xxxpluto[1653]: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS (ecp_256)
Oct 16 09:22:23 xxxpluto[1653]: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS (ecp_384)
Oct 16 09:22:23 xxxpluto[1653]: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS (ecp_521)
Oct 16 09:22:23 xxxpluto[1653]: DH22 IKEv1: IKE ESP AH IKEv2: IKE ESP AH
Oct 16 09:22:23 xxxpluto[1653]: DH23 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS
Oct 16 09:22:23 xxxpluto[1653]: DH24 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS
Oct 16 09:22:23 xxxpluto[1653]: starting up 2 crypto helpers
Oct 16 09:22:23 xxxpluto[1653]: started thread for crypto helper 0
Oct 16 09:22:23 xxxpluto[1653]: started thread for crypto helper 1
Oct 16 09:22:23 xxxpluto[1653]: Using Linux XFRM/NETKEY IPsec interface code on 3.10.0-1062.1.1.el7.x86_64
Oct 16 09:22:24 xxxpluto[1653]: | selinux support is NOT enabled.
Oct 16 09:22:24 xxxpluto[1653]: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
Oct 16 09:22:24 xxxpluto[1653]: watchdog: sending probes every 100 secs
Oct 16 09:22:24 xxxsystemd[1]: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Oct 16 09:22:24 xxxlibipsecconf[1682]: Warning: ignored obsolete keyword ‘nat_traversal’
Oct 16 09:22:24 xxxpluto[1653]: Failed to add connection “Site-to-Site”: ike string error: IKE DH algorithm ‘mod1024’ is not recognized
Oct 16 09:22:24 xxxpluto[1653]: added connection description “myvpn_ipsec-tunnel/1x1”
Oct 16 09:22:24 xxxpluto[1653]: listening for IKE messages
Oct 16 09:22:24 xxxpluto[1653]: adding interface br0/br0 192.168.8.230:500
Oct 16 09:22:24 xxxpluto[1653]: adding interface br0/br0 192.168.8.230:4500
Oct 16 09:22:24 xxxpluto[1653]: adding interface ens192/ens192 192.168.88.230:500
Oct 16 09:22:24 xxxpluto[1653]: adding interface ens192/ens192 192.168.88.230:4500
Oct 16 09:22:24 xxxpluto[1653]: adding interface lo/lo 127.0.0.1:500
Oct 16 09:22:24 xxxpluto[1653]: adding interface lo/lo 127.0.0.1:4500
Oct 16 09:22:24 xxxpluto[1653]: adding interface lo/lo ::1:500
Oct 16 09:22:24 xxxpluto[1653]: | setup callback for interface lo:500 fd 21
Oct 16 09:22:24 xxxpluto[1653]: | setup callback for interface lo:4500 fd 20
Oct 16 09:22:24 xxxpluto[1653]: | setup callback for interface lo:500 fd 19
Oct 16 09:22:24 xxxpluto[1653]: | setup callback for interface ens192:4500 fd 18
Oct 16 09:22:24 xxxpluto[1653]: | setup callback for interface ens192:500 fd 17
Oct 16 09:22:24 xxxpluto[1653]: | setup callback for interface br0:4500 fd 16
Oct 16 09:22:24 xxxpluto[1653]: | setup callback for interface br0:500 fd 15
Oct 16 09:22:24 xxxpluto[1653]: loading secrets from “/etc/ipsec.secrets”
Oct 16 09:22:24 xxxpluto[1653]: loading secrets from “/etc/ipsec.d/tunnels.secrets”
Oct 16 09:22:24 xxxpluto[1653]: initiating all conns with alias=‘myvpn_ipsec-tunnel’
Oct 16 09:22:24 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #1: initiating Main Mode
Oct 16 09:22:24 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #1: STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response
Oct 16 09:22:25 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #1: STATE_MAIN_I1: retransmission; will wait 1 seconds for response
Oct 16 09:22:26 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #1: STATE_MAIN_I1: retransmission; will wait 2 seconds for response
Oct 16 09:22:28 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #1: STATE_MAIN_I1: retransmission; will wait 4 seconds for response
Oct 16 09:22:32 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #1: STATE_MAIN_I1: retransmission; will wait 8 seconds for response
Oct 16 09:22:40 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #1: STATE_MAIN_I1: retransmission; will wait 16 seconds for response
Oct 16 09:22:56 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #1: STATE_MAIN_I1: retransmission; will wait 32 seconds for response
Oct 16 09:23:28 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #1: STATE_MAIN_I1: 60 second timeout exceeded after 7 retransmits. No response (or no acceptable response) to our first IKE
Oct 16 09:23:28 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #1: starting keying attempt 2 of an unlimited number
Oct 16 09:23:28 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #2: initiating Main Mode to replace #1
Oct 16 09:23:28 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #1: deleting state (STATE_MAIN_I1) and NOT sending notification
Oct 16 09:23:28 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #1: deleting IKE SA for connection ‘myvpn_ipsec-tunnel/1x1’ but connection is supposed to remain up; schedule EVENT_REVIVE_C
Oct 16 09:23:28 xxxpluto[1653]: Initiating connection myvpn_ipsec-tunnel/1x1 which received a Delete/Notify but must remain up per local policy
Oct 16 09:23:28 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #2: STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response
Oct 16 09:23:29 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #2: STATE_MAIN_I1: retransmission; will wait 1 seconds for response
Oct 16 09:23:30 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #2: STATE_MAIN_I1: retransmission; will wait 2 seconds for response
Oct 16 09:23:32 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #2: STATE_MAIN_I1: retransmission; will wait 4 seconds for response
Oct 16 09:23:36 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #2: STATE_MAIN_I1: retransmission; will wait 8 seconds for response
Oct 16 09:23:44 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #2: STATE_MAIN_I1: retransmission; will wait 16 seconds for response
Oct 16 09:24:00 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #2: STATE_MAIN_I1: retransmission; will wait 32 seconds for response
Oct 16 09:24:32 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #2: STATE_MAIN_I1: 60 second timeout exceeded after 7 retransmits. No response (or no acceptable response) to our first IKE
Oct 16 09:24:32 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #2: starting keying attempt 3 of an unlimited number
Oct 16 09:24:32 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #3: initiating Main Mode to replace #2
Oct 16 09:24:32 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #2: deleting state (STATE_MAIN_I1) and NOT sending notification
Oct 16 09:24:32 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #2: deleting IKE SA for connection ‘myvpn_ipsec-tunnel/1x1’ but connection is supposed to remain up; schedule EVENT_REVIVE_C
Oct 16 09:24:32 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #3: STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response
Oct 16 09:24:33 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #3: STATE_MAIN_I1: retransmission; will wait 1 seconds for response
Oct 16 09:24:34 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #3: STATE_MAIN_I1: retransmission; will wait 2 seconds for response
Oct 16 09:24:36 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #3: STATE_MAIN_I1: retransmission; will wait 4 seconds for response
Oct 16 09:24:37 xxxpluto[1653]: Initiating connection myvpn_ipsec-tunnel/1x1 which received a Delete/Notify but must remain up per local policy
Oct 16 09:24:40 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #3: STATE_MAIN_I1: retransmission; will wait 8 seconds for response
Oct 16 09:24:48 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #3: STATE_MAIN_I1: retransmission; will wait 16 seconds for response
Oct 16 09:25:04 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #3: STATE_MAIN_I1: retransmission; will wait 32 seconds for response
Oct 16 09:25:36 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #3: STATE_MAIN_I1: 60 second timeout exceeded after 7 retransmits. No response (or no acceptable response) to our first IKE
Oct 16 09:25:36 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #3: starting keying attempt 4 of an unlimited number
Oct 16 09:25:36 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #4: initiating Main Mode to replace #3
Oct 16 09:25:36 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #3: deleting state (STATE_MAIN_I1) and NOT sending notification
Oct 16 09:25:36 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #3: deleting IKE SA for connection ‘myvpn_ipsec-tunnel/1x1’ but connection is supposed to remain up; schedule EVENT_REVIVE_C
Oct 16 09:25:36 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #4: STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response
Oct 16 09:25:37 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #4: STATE_MAIN_I1: retransmission; will wait 1 seconds for response
Oct 16 09:25:38 xxxpluto[1653]: “myvpn_ipsec-tunnel/1x1” #4: STATE_MAIN_I1: retransmission; will wait 2 seconds for response

Seems like there’s a typo, should be modp1024.

I recommend setting up the Nethserver IPSEC via the web GUI to avoid typos.

If you need more customization than the web UI provides or overrides:

https://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-ipsec-tunnels.html

It seems you edited /etc/ipsec.conf, but it was meant just as an example from an older version of Nethserver to show which settings were used. Sorry for not being clear enough.
Nethserver now has its IPSEC tunnel configuration in /etc/ipsec.d/tunnels.conf

NS uses a template system for writing config files out of a database, so you have to create a custom template if you want to edit /etc/ipsec.d/tunnels.conf

3 Likes
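
As an added example (not code from this thread or from NethServer), a Python triage pass over pluto log lines like the ones posted above: it picks out the connection that failed to load and the unrecognized DH name, the exchange mode actually initiated, retransmit timeouts with no answer, and ICMP port-unreachable reports, and turns them into hints. The embedded sample lines are constructed after the excerpts in this thread with hostnames masked; curly quotes from forum pasting are normalized first.

```python
import re
from ipaddress import ip_address

# Forum pastes of journalctl output often carry curly quotes; map them back to ASCII.
QUOTES = str.maketrans('“”‘’', '""\'\'')

# Sample lines constructed after the pluto log excerpts posted above (hostnames masked).
SAMPLE_LOG = """\
Oct 16 09:22:24 host libipsecconf[1682]: Warning: ignored obsolete keyword 'nat_traversal'
Oct 16 09:22:24 host pluto[1653]: Failed to add connection "Site-to-Site": ike string error: IKE DH algorithm 'mod1024' is not recognized
Oct 16 09:22:24 host pluto[1653]: added connection description "myvpn_ipsec-tunnel/1x1"
Oct 16 09:22:24 host pluto[1653]: "myvpn_ipsec-tunnel/1x1" #1: initiating Main Mode
Oct 16 09:22:24 host pluto[1653]: "myvpn_ipsec-tunnel/1x1" #1: STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response
Oct 16 09:23:28 host pluto[1653]: "myvpn_ipsec-tunnel/1x1" #1: STATE_MAIN_I1: 60 second timeout exceeded after 7 retransmits. No response (or no acceptable response) to our first IKE
Oct 17 13:36:04 host pluto[19315]: "myvpn_ipsec-tunnel/1x1" #88: ERROR: asynchronous network error report on ens192 (sport=500) for message to 192.168.10.254 port 500, complainant 192.168.88.230: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
""".splitlines()

RULES = {
    'config_error': re.compile(r'Failed to add connection "(?P<conn>[^"]+)": (?P<detail>.+)'),
    'obsolete_keyword': re.compile(r"ignored obsolete keyword '(?P<detail>[^']+)'"),
    'initiating': re.compile(r'"(?P<conn>[^"]+)" #\d+: initiating (?P<detail>Main|Aggressive) Mode'),
    'no_response': re.compile(r'"(?P<conn>[^"]+)" #\d+: STATE_\w+: \d+ second timeout exceeded after (?P<detail>\d+) retransmits'),
    'icmp_error': re.compile(r'"(?P<conn>[^"]+)" #\d+: ERROR: asynchronous network error report .* for message to '
                             r'(?P<peer>[\d.]+) port (?P<port>\d+).*?(?P<detail>Connection refused|No route to host|Network is unreachable)'),
}

def parse_events(lines):
    """Map each interesting log line to one event dict: kind, conn (None if not per-conn), detail, ..."""
    events = []
    for raw in lines:
        line = raw.translate(QUOTES)
        for kind, rx in RULES.items():
            m = rx.search(line)
            if m:
                events.append({'kind': kind, 'conn': None, **m.groupdict()})
                break
    return events

def triage(lines):
    """Return (severity, message) hints explaining why the tunnel stays down."""
    events, hints = parse_events(lines), []
    for ev in events:
        if ev['kind'] == 'config_error':
            hints.append(('error', f"conn {ev['conn']} was never loaded: {ev['detail']}"))
        elif ev['kind'] == 'obsolete_keyword':
            hints.append(('warn', f"obsolete keyword ignored: {ev['detail']}"))
    modes = {ev['conn']: ev['detail'] for ev in events if ev['kind'] == 'initiating'}
    for conn, mode in modes.items():
        hints.append(('info', f"{conn} uses IKEv1 {mode} Mode; the peer must be set to the same exchange mode"))
    # ICMP type 3 code 3 means the host was reached but nothing listens on that UDP port.
    refused = {(ev['conn'], ev['peer'], ev['port']) for ev in events if ev['kind'] == 'icmp_error'}
    for conn, peer, port in sorted(refused):
        msg = f"{conn}: {peer} answered ICMP port unreachable on UDP {port}: host reached, but no IKE listener there"
        if ip_address(peer).is_private:
            msg += "; the peer is a private address, so it is probably not the remote site's public endpoint"
        hints.append(('error', msg))
    # Timeouts without any ICMP report: the first IKE packet got no answer at all.
    silent = {ev['conn'] for ev in events if ev['kind'] == 'no_response'} - {c for c, _, _ in refused}
    for conn in sorted(silent):
        hints.append(('error', f"{conn}: no reply to the first IKE message: check UDP 500/4500 reachability, NAT forwarding and ISP filtering"))
    return hints
```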

Hello,

I deleted the old VPN tunnel and then created a new IPsec tunnel using the web UI,

but this time again the tunnel status is red, as you can see,

and my Fritzbox config file is the following.

Oct 17 13:36:04 nethserver.ZZZZZz.com pluto[19315]: “myvpn_ipsec-tunnel/1x1” #88: ERROR: asynchronous network error report on ens192 (sport=500) for message to 192.168.10.254 port 500, complainant 192.168.88.230: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Oct 17 13:36:08 nethserver.ZZZZZz.com pluto[19315]: “myvpn_ipsec-tunnel/1x1” #88: STATE_MAIN_I1: retransmission; will wait 8 seconds for response
Oct 17 13:36:08 nethserver.ZZZZZz.com pluto[19315]: ERROR: “myvpn_ipsec-tunnel/1x1” #88: sendto on ens192 to 192.168.10.254:500 failed in EVENT_v1_RETRANSMIT. Errno 1: Operation not permitted
Oct 17 13:36:08 nethserver.ZZZZZz.com pluto[19315]: “myvpn_ipsec-tunnel/1x1” #88: ERROR: asynchronous network error report on ens192 (sport=500) for message to 192.168.10.254 port 500, complainant 192.168.88.230: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Oct 17 13:36:16 nethserver.ZZZZZz.com pluto[19315]: “myvpn_ipsec-tunnel/1x1” #88: STATE_MAIN_I1: retransmission; will wait 16 seconds for response
Oct 17 13:36:16 nethserver.ZZZZZz.com pluto[19315]: ERROR: “myvpn_ipsec-tunnel/1x1” #88: sendto on ens192 to 192.168.10.254:500 failed in EVENT_v1_RETRANSMIT. Errno 1: Operation not permitted
Oct 17 13:36:16 nethserver.ZZZZZz.com pluto[19315]: “myvpn_ipsec-tunnel/1x1” #88: ERROR: asynchronous network error report on ens192 (sport=500) for message to 192.168.10.254 port 500, complainant 192.168.88.230: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Oct 17 13:36:32 nethserver.ZZZZZz.com pluto[19315]: “myvpn_ipsec-tunnel/1x1” #88: STATE_MAIN_I1: retransmission; will wait 32 seconds for response
Oct 17 13:36:32 nethserver.ZZZZZz.com pluto[19315]: ERROR: “myvpn_ipsec-tunnel/1x1” #88: sendto on ens192 to 192.168.10.254:500 failed in EVENT_v1_RETRANSMIT. Errno 1: Operation not permitted
Oct 17 13:36:32 nethserver.ZZZZZz.com pluto[19315]: “myvpn_ipsec-tunnel/1x1” #88: ERROR: asynchronous network error report on ens192 (sport=500) for message to 192.168.10.254 port 500, complainant 192.168.88.230: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]