Net2net VPN tunnel


(Henry) #1

NethServer Version: 7.4.1708
Module: VPN

I am currently evaluating NethServer functionality and need a VPN connection between the server and two remote sites.

The remote sites may not be NethServer, may be pfsense or other.

What is the best way to achieve this? OpenVPN or IPSec?


(Giacomo Sanchietti) #2

IPSec is built just for establishing net2net tunnels among different routers/firewalls… Go with it, and eventually switch to OpenVPN if you can’t find a working configuration.


(Henry) #3

Thanks Giacomo,

Very impressed with NethServer so far!

I tried OpenVPN first and switched to IPSec as I could not get OpenVPN to work.

Can I confirm if any firewall config is required for an IPSec net2net connection?


(Giacomo Sanchietti) #4

All firewall configuration is done under the hood.

You just need to have a machine with 2 ethernet cards: 1 green for LAN, 1 red for internet.


(Henry) #5

Thanks again.

I’ve got all that working. Red & green interfaces etc.

Under IPSec tunnels my tunnel is shown with a red triangle under “Current State” and I am unsure why.


(Giacomo Sanchietti) #6

The tunnel is not established, you probably need to adjust some settings.

Take a look at the logs to see what is happening under the hood: http://docs.nethserver.org/projects/nethserver-devel/en/v7/nethserver-ipsec-tunnels.html#logs


(Michael Kicks) #7

I realized an IPSec tunnel between a Zyxel appliance and NethServer, and one between a fork of IPCop and NethServer. The only thing that matters is to be sure about the data and settings for ciphers, PFS, DPD.


(Henry) #8

The error in the log appears to be the following lines:

Apr 05 08:50:36 nethserver.mydomain.com pluto[23530]: "ipsec_ipsec-tunnel/1x1": route-client output: need at least a destination address
Apr 05 08:50:36 nethserver.mydomain.com pluto[23530]: "ipsec_ipsec-tunnel/1x1": route-client output: /usr/libexec/ipsec/_updown.netkey: doroute "ip route replace 192.168.16.0/24 via  dev ens18  src 192.168.1.254" failed (Error: inet address is expected rather than "
Apr 05 08:50:37 nethserver.mydomain.com pluto[23530]: initiating all conns with alias='ipsec_ipsec-tunnel'
Apr 05 08:50:37 nethserver.mydomain.com pluto[23530]: "ipsec_ipsec-tunnel/1x1": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)

I have used $any for the remote IP as I will have multiple clients connecting not just one. I am hoping I can have multiple remote clients connected simultaneously?


(Filippo Carletti) #9

The screenshot above shows %any which is correct, while $any is wrong.
Could you show the output of db vpn show?


(Henry) #10

Sorry, typo above: I meant %any, not $any.

[root@nethserver ~]# db vpn show
ipsec=ipsec-tunnel
    compress=no
    dpdaction=hold
    esp=auto
    espcipher=aes128
    esphash=sha1
    esppfsgroup=modp1024
    ike=auto
    ikecipher=aes128
    ikehash=sha1
    ikelifetime=3600
    ikepfsgroup=modp1024
    left=%ens18
    leftid=@ipsec.local
    leftsubnets=192.168.1.0/24
    pfs=no
    psk=5f9d93dd6179d50c48f6
    right=%any
    rightid=@ipsec.remote
    rightsubnets=192.168.16.0/24
    salifetime=3600
    status=enabled
server=openvpn-tunnel-server
    Cipher=
    Compression=enabled
    LocalNetworks=192.168.1.0/24
    Network=10.0.8.0/24
    Port=1195
    Protocol=udp
    PublicAddresses=60.224.1.61
    RemoteNetworks=192.168.16.0/24
    Topology=subnet
    status=enabled
[root@nethserver ~]#
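Added example (not from this thread and not NethServer's own tooling): a small Python lint that parses the `db vpn show` format quoted above and flags an IPsec tunnel whose `right` is `%any`, which pluto treats as a template connection this end cannot initiate (the `CK_TEMPLATE` line in #8), or the `$any` typo from #8; it also picks those pluto lines out of a log. Sample data is constructed from the posts above (PSK omitted); the function names and the log regex are my assumptions.

```python
import re

# Constructed sample: abbreviated `db vpn show` record and pluto lines from this thread.
DB_VPN_SHOW = """ipsec=ipsec-tunnel
    left=%ens18
    leftsubnets=192.168.1.0/24
    right=%any
    rightsubnets=192.168.16.0/24
    status=enabled
server=openvpn-tunnel-server
    RemoteNetworks=192.168.16.0/24
    status=enabled
"""

PLUTO_LOG = """Apr 05 08:50:36 nethserver.mydomain.com pluto[23530]: "ipsec_ipsec-tunnel/1x1": route-client output: need at least a destination address
Apr 05 08:50:37 nethserver.mydomain.com pluto[23530]: "ipsec_ipsec-tunnel/1x1": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)
"""

def parse_db(text):
    """Parse `db <name> show` output: `key=type` lines start a record, indented lines are its props."""
    records, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith((" ", "\t")):            # property of the current record
            k, _, v = line.strip().partition("=")
            records[current]["props"][k] = v
        else:                                       # new record: name=type
            current, _, rtype = line.partition("=")
            records[current] = {"type": rtype, "props": {}}
    return records

def lint_ipsec(records):
    """Return (record, finding) pairs for IPsec tunnels whose peer address cannot be used to initiate."""
    findings = []
    for name, rec in records.items():
        if rec["type"] != "ipsec-tunnel":
            continue
        right = rec["props"].get("right", "")
        if right == "%any":
            findings.append((name, "right=%any: template connection, this end cannot initiate; the remote site must"))
        elif right.startswith("$"):
            findings.append((name, f"right={right}: '$' is not valid here, %any was probably intended"))
    return findings

def pluto_template_errors(log):
    """Pick out pluto lines where a peer-less (template) connection fails to route or initiate."""
    pat = re.compile(r'"(?P<conn>[^"]+)": (?P<msg>cannot initiate connection[^\n]*|route-client output: need at least[^\n]*)')
    return [(m.group("conn"), m.group("msg")) for m in pat.finditer(log)]
```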