Problem testing IPSec VPN

buddha · November 19, 2015, 2:12pm

Hi there!
I have problem testing IPSec VPN. When red interface has static IP address it’s ok. But if red is DHCP or PPPOE, there is no opportunity to choose it in IPSec setup. Drop-down list contains only green interface, and if it is choosen, tunnel doesn’t work.

robb · November 19, 2015, 3:02pm

Maybe a tip to be able to test this:
Many VPS providers offer a 1 week trial period for a VPS. You can freely install any image and have a public IP address. If you install a CentOS 6.x instance and install NS on top of that, you can create a VPN from your homeserver (or VM) to that instance.
I have VPS at https://www.directvps.nl/ and they offer a 1week testing period for all their VPS’s

filippo_carletti · November 19, 2015, 3:42pm

AFAIK, when one of the vpn endpoint has a dynamic ip, the tunnel config needs to be changed to work only in one direction, from the dynamic ip to the static side.
I can suggest to use the interface to create a skeleton config choosing the green interface and then try to follow some guide on the net to modify ipsec.conf and bring the tunnel up.
If the changed needed in ipsec.conf are “confined” we could develop an enhancement to the standard ipsec interface to allow dynamic IPs.

In the past, I worked on a tunnel like your and I used left=%any to make it work.
Unfortunately, I no longer have it to have a look.

buddha · November 23, 2015, 8:14am

My ISP assign to all my offices a public IP’s, which are absolutely accessible. So each my office has a constant address, assigned by ISP via DHCP. My second ISP also gave me a fixed IP via PPPoE. So all my offices actually have a static public IP.
When red is DHCP, I can anyway set static. But when red is PPPoE…

filippo_carletti · November 25, 2015, 4:55pm

Here’s what I did.

define the vpn selecting the green Local IP edit /etc/ipsec.conf and
change left=green_ip with left=%eth1, where eth1 is my red dhcp
interface

Please, let me know if you succeed. If yes, I’ll try to extend the user interface.

buddha · November 26, 2015, 2:57pm

Thank you! I’ll try it and then post any result.

filippo_carletti · November 30, 2015, 5:08pm

@giacomo just finished working on an updated ipsec panel that permits usage of non-static red interfaces.
See http://dev.nethserver.org/issues/3326 for details.
I will be really grateful if you could test the new package (available tomorrow as an update or now from the testing repository).

buddha · December 9, 2015, 7:52am

I think i’m late for two weeks with answer. Sorry. But anyway…
It’s all about release i’ve tested.
If red is static - it’s all right. If red is dhcp, i can’t choose it in ipsec settings. But! If first i set red to static and save changes, then change red back to dhcp, i get possibility to choose red dhcp in ipsec. I tested this in virtual (VirtualBox) and physical environment.
And i tryed to do as written before (again virtually and physically):

define the vpn selecting the green Local IP edit /etc/ipsec.conf
change left=green_ip with left=%eth1, where eth1 is red dhcp interface.
It doesn’t work. Tunnel satays down, any changes of .conf are not effective. And after changing conf GUI settings was like before.

And i tryed to connect NS with pfSense via IPSec - successfully. Tunnel was stable. ping was short.

filippo_carletti · December 9, 2015, 9:42am

If you update the system you will be able to select any kind of red.
We modified the ipsec vpn panel after your issue.
Thank you.

alefattorini · December 10, 2015, 12:00pm

@buddha thanks for having improved our product highlighting this issue! well done
And also to @filippo_carletti @giacomo for having implemented it