Trying to set up IPsec Tunnel NS->Fritzbox

Hi,

At the moment I'm trying to connect my NethServer to a Fritzbox via an IPsec VPN tunnel.

I just created a config file with the Fritzbox tool, as described here (German): http://wiki.securepoint.de/index.php/IPSec_-_Fritzbox

After that I got two config files. One of them I imported into the remote Fritzbox. The configuration file which was generated for my Fritzbox (so now it's my NS) looks like this:

vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "FILLED IN NAME";
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = 0.0.0.0;
                remotehostname = "FILLED IN NAME";
                localid {
                        fqdn = "FILLED IN FQN-NAME";
                }
                remoteid {
                        fqdn = "FILLED IN FQN-NAME";
                }
                mode = phase1_mode_aggressive;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "THE GENERATED KEY";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.177.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 192.168.179.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-all-all/ah-none/comp-all/pfs";
                accesslist = "permit ip any 192.168.179.0 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}

// EOF

I just edited the config file for this post with caps.

My config on the WebGUI of my NS looks like this:

The tunnel status shows this:

And the Fritzbox shows this:

I also added a port forwarding for UDP ports 500 and 4500. The destination is my NS. Is this right?

Does anyone have an idea what I have to do?

Have you taken a look at this yet?
@Hunv and @buddha @andreac might be your men!

Yes, but it doesn't help. He configured an old Fritzbox with an old firmware version. This is not up to date.

Hi @prostream
First: remove the port forwarding for the IPsec ports.

I tried to configure it and I see the following log in the ipsec.log:

Sep 13 18:45:09 aa pluto[2460]: packet from 12.34.56.78:500: received Vendor ID payload [XAUTH]
Sep 13 18:45:09 aa pluto[2460]: packet from 12.34.56.78:500: received Vendor ID payload [Dead Peer Detection]
Sep 13 18:45:09 aa pluto[2460]: packet from 12.34.56.78:500: received Vendor ID payload [RFC 3947]
Sep 13 18:45:09 aa pluto[2460]: packet from 12.34.56.78:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Sep 13 18:45:09 aa pluto[2460]: packet from 12.34.56.78:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 13 18:45:09 aa pluto[2460]: packet from 12.34.56.78:500: ignoring unknown Vendor ID payload [a2226fc364500f5634ff77db3b74f41b]
Sep 13 18:45:09 aa pluto[2460]: packet from 12.34.56.78:500: initial Aggressive Mode message from 12.34.56.78 but no (wildcard) connection has been configured with policy PSK+XAUTH+AGGRESSIVE+IKEV1_ALLOW

I think the last line is interesting because this seems to be what the FritzBox sends to the Nethserver.
If I disable XAUTH, the string looks like this:

Sep 13 18:55:50 aa pluto[2460]: packet from 12.34.26.78:500: initial Aggressive Mode message from 12.34.56.78 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW

So the big question is: what does NethServer expect?

Same error in my log:

Sep 11 16:12:42 NET01 pluto[28578]: packet from 79.235.29.25:500: received Vendor ID payload [Dead Peer Detection]
Sep 11 16:12:42 NET01 pluto[28578]: packet from 79.235.29.25:500: received Vendor ID payload [RFC 3947]
Sep 11 16:12:42 NET01 pluto[28578]: packet from 79.235.29.25:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 11 16:12:42 NET01 pluto[28578]: packet from 79.235.29.25:500: ignoring unknown Vendor ID payload [a2226fc364500f5634ff77db3b74f41b]
Sep 11 16:12:42 NET01 pluto[28578]: packet from 79.235.29.25:500: initial Aggressive Mode message from 79.235.29.25 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW

I don't know what to do.

So after some research and testing I found this manual in German:
https://elcravo-networks.eu/security-tipps/details/ipsec-vpn-zwischen-openswan-und-einer-fritz-box-unter-centos-6/

So I had to configure the Openswan server manually.

This is what my ipsec.conf looks like:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:192.168.179.0./24,%v4:192.168.177.0./24
        oe=off
        # Enable this if you see "failed to find any available worker"
        # nhelpers=

conn Site-to-Site
        authby=secret
        auto=add
        type=tunnel
        aggrmode=yes
        left= <mypublicip>
        leftid= <myfqdn>
        leftnexthop=%defaultroute
        leftsourceip=192.168.177.21
        leftsubnet=192.168.177.0/24
        right=%any
        rightsubnet=192.168.179.0/24
        rightid= <the fqdn of the Fritzbox>
        ike=aes256-sha1;modp2048
        phase2=esp
        phase2alg=aes256-sha1;modp2048

And this is what my Fritzbox config looks like:

vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "myhome";
                always_renew = no;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = my public ip address;
                remote_virtualip = 0.0.0.0;
                remotehostname = "my fqdn";
                localid {
                        fqdn = "fqdn Fritzbox";
                }
                remoteid {
                        ipaddr = "my public ip address";
                }
                mode = phase1_mode_aggressive;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "SecretKEY";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.179.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 192.168.177.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-all-all/ah-none/comp-all/pfs";
                accesslist = "permit ip any 192.168.177.0 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", 
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}


// EOF

After restarting the Openswan server, /var/log/ipsec.log shows this:

Sep 20 13:10:08 NET01 pluto[19646]: Starting Pluto (Libreswan Version 3.15 XFRM(netkey) KLIPS NSS DNSSEC FIPS_CHECK LABELED_IPSEC LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:19646
Sep 20 13:10:08 NET01 pluto[19646]: core dump dir: /var/run/pluto
Sep 20 13:10:08 NET01 pluto[19646]: secrets file: /etc/ipsec.secrets
Sep 20 13:10:08 NET01 pluto[19646]: leak-detective disabled
Sep 20 13:10:08 NET01 pluto[19646]: NSS crypto [enabled]
Sep 20 13:10:08 NET01 pluto[19646]: XAUTH PAM support [enabled]
Sep 20 13:10:08 NET01 pluto[19646]:    NAT-Traversal support  [enabled]
Sep 20 13:10:08 NET01 pluto[19646]: virtual-private entry not proper subnet: extra garbage on end of dotted-decimal address
Sep 20 13:10:08 NET01 pluto[19646]: virtual-private entry not proper subnet: extra garbage on end of dotted-decimal address
Sep 20 13:10:08 NET01 pluto[19646]: 2 bad entries in virtual-private - none loaded
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_enc(): Activating OAKLEY_AES_CTR: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_A: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_B: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_C: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_hash(): Activating DISABLED-OAKLEY_AES_XCBC: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CBC: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CTR: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok
Sep 20 13:10:08 NET01 pluto[19646]: starting up 1 crypto helpers
Sep 20 13:10:08 NET01 pluto[19646]: started thread for crypto helper 0 (master fd 10)
Sep 20 13:10:08 NET01 pluto[19646]: Using Linux XFRM/NETKEY IPsec interface code on 2.6.32-642.4.2.el6.x86_64
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_enc(): Activating aes_ccm_8: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_enc(): Activating aes_ccm_12: Ok
Sep 20 13:10:08 NET01 pluto[19646]: ike_alg_register_enc(): Activating aes_ccm_16: Ok
Sep 20 13:10:08 NET01 pluto[19646]: | selinux support is NOT enabled.
Sep 20 13:10:09 NET01 pluto[19646]: | certificate not loaded for this end
Sep 20 13:10:09 NET01 pluto[19646]: | certificate not loaded for this end
Sep 20 13:10:09 NET01 pluto[19646]: added connection description "Site-to-Site"
Sep 20 13:10:09 NET01 pluto[19646]: listening for IKE messages
Sep 20 13:10:09 NET01 pluto[19646]: adding interface tun0/tun0 10.1.1.1:500
Sep 20 13:10:09 NET01 pluto[19646]: adding interface tun0/tun0 10.1.1.1:4500
Sep 20 13:10:09 NET01 pluto[19646]: adding interface ppp0/ppp0 192.168.177.5:500
Sep 20 13:10:09 NET01 pluto[19646]: adding interface ppp0/ppp0 192.168.177.5:4500
Sep 20 13:10:09 NET01 pluto[19646]: adding interface ppp0/ppp0 130.255.120.228:500
Sep 20 13:10:09 NET01 pluto[19646]: adding interface ppp0/ppp0 130.255.120.228:4500
Sep 20 13:10:09 NET01 pluto[19646]: adding interface eth0/eth0 192.168.177.6:500
Sep 20 13:10:09 NET01 pluto[19646]: adding interface eth0/eth0 192.168.177.6:4500
Sep 20 13:10:09 NET01 pluto[19646]: adding interface lo/lo 127.0.0.1:500
Sep 20 13:10:09 NET01 pluto[19646]: adding interface lo/lo 127.0.0.1:4500
Sep 20 13:10:09 NET01 pluto[19646]: adding interface lo/lo ::1:500
Sep 20 13:10:09 NET01 pluto[19646]: | setup callback for interface lo:500 fd 28
Sep 20 13:10:09 NET01 pluto[19646]: | setup callback for interface lo:4500 fd 27
Sep 20 13:10:09 NET01 pluto[19646]: | setup callback for interface lo:500 fd 26
Sep 20 13:10:09 NET01 pluto[19646]: | setup callback for interface eth0:4500 fd 25
Sep 20 13:10:09 NET01 pluto[19646]: | setup callback for interface eth0:500 fd 24
Sep 20 13:10:09 NET01 pluto[19646]: | setup callback for interface ppp0:4500 fd 23
Sep 20 13:10:09 NET01 pluto[19646]: | setup callback for interface ppp0:500 fd 22
Sep 20 13:10:09 NET01 pluto[19646]: | setup callback for interface ppp0:4500 fd 21
Sep 20 13:10:09 NET01 pluto[19646]: | setup callback for interface ppp0:500 fd 20
Sep 20 13:10:09 NET01 pluto[19646]: | setup callback for interface tun0:4500 fd 19
Sep 20 13:10:09 NET01 pluto[19646]: | setup callback for interface tun0:500 fd 18
Sep 20 13:10:09 NET01 pluto[19646]: loading secrets from "/etc/ipsec.secrets"
Sep 20 13:10:09 NET01 pluto[19646]: loaded private key for keyid: PPK_RSA:AwEAAbXa6
Sep 21 02:52:59 NET01 pluto[19646]: packet from 216.218.206.114:23152: initial Main Mode message received on 130.255.120.228:500 but no connection has been authorized with policy IKEV1_ALLOW
Sep 21 04:21:50 NET01 pluto[19646]: packet from 184.105.139.67:8470: initial Main Mode message received on 130.255.120.228:500 but no connection has been authorized with policy IKEV1_ALLOW

The Fritzbox is trying to bring up the tunnel, but it always ends with a timeout error: IKE-Error 0x2027

Any ideas?

@davide_marini can you help somehow?

Hi all!
I never had the chance to configure an IPsec on a Fritzbox and I don’t know it, I just can tell you what it seems to me a little weird, hoping something I’m writing will be useful.

  • In the NS conf there are remote and local IDs like @xxxxx.remote, @xxxxx.local … they are different from those in the Fritzbox configuration. Since they must be present and equal in both configurations, I suggest you always use the type "fqdn" in the Fritzbox and write, in inverted position, the local and remote ID you put in the NS.

  • In the NS configuration the remote IP address is 79.235.15.238; in the last lines of the last log I see packets from the IPs 216.218.206.114 and 184.105.139.67 … in other logs I see "connection not authorized", but never from the IP 79.235.15.238, so … are the Fritzbox packets coming from the right public IP address?

  • In the Fritzbox: I don't understand the reason to forward the UDP ports 500 and 4500; they should already refer to the Fritzbox device, I suppose, but I can be wrong, maybe this is the right way for the Fritzbox.

  • Aggressive mode should permit only the protocols and ciphers declared; better not to use it, to ensure better compatibility.

  • Do you mean rightid and leftid in the ipsec.conf? I will test that.

  • The Fritzbox has a dynamic IP address because of the ISP. Is this a problem? This is why I'm using the FQDN.

  • This configuration file is automatically generated by a tool from AVM, so I think this is the right way for the Fritzbox.

  • Okay, I will turn that off.

Thanks for the help. I will give it a try.

The thing I can't understand is that the Fritzbox gives me a timeout. Does anybody know why? I can ping both FQDNs from both sides.

  • Yes, I mean the leftid and rightid

  • If you have a dynamic IP, put the FQDN instead of the remote IP in the NS configuration as well.


Okay, now I tried the following configs and something happened.

ipsec.conf:

config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:192.168.179.0/24,%v4:192.168.177.0/24
        oe=off
        # Enable this if you see "failed to find any available worker"
        # nhelpers=

conn Site-to-Site
        authby=secret
        auto=add
        type=tunnel
        aggrmode=yes
        left= PUBLIC IP ADDRESS OF NSSERVER
        leftid= FQDN OF NSSERVER
        leftnexthop=%defaultroute
        leftsourceip=192.168.177.21
        leftsubnet=192.168.177.0/24
        right=%any
        rightsubnet=192.168.179.0/24
        rightid= FQDN OF FRITZBOX
        ike=aes256-sha1;modp2048
        phase2=esp
        phase2alg=aes256-sha1;modp2048

Fritzbox config:

vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "ANYNAME";
                always_renew = yes;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = PUBLIC IP OF NSSERVER;
                remote_virtualip = 0.0.0.0;
                localid {
                        fqdn = "FQDN OF FRITZBOX";
                }
                remoteid {
                        ipaddr = "PUBLIC IP ADDRESS OF NSSERVER";
                }
                mode = phase1_mode_aggressive;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "SECRET KEY";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.179.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 192.168.177.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-all-all/ah-none/comp-all/pfs";
                accesslist = "permit ip any 192.168.177.0 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", 
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}


// EOF

And the ipsec.log shows this over and over:

Sep 24 11:20:09 NET01 pluto[6327]: packet from 79.235.2.199:500: initial Aggressive Mode message from 79.235.2.199 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW
Sep 24 11:20:17 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [XAUTH]
Sep 24 11:20:17 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [Dead Peer Detection]
Sep 24 11:20:17 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [RFC 3947]
Sep 24 11:20:17 NET01 pluto[6327]: packet from 79.235.2.199:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 24 11:20:17 NET01 pluto[6327]: packet from 79.235.2.199:500: ignoring unknown Vendor ID payload [a2226fc364500f5634ff77db3b74f41b]
Sep 24 11:20:17 NET01 pluto[6327]: packet from 79.235.2.199:500: initial Aggressive Mode message from 79.235.2.199 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW
Sep 24 11:20:37 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [XAUTH]
Sep 24 11:20:37 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [Dead Peer Detection]
Sep 24 11:20:37 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [RFC 3947]
Sep 24 11:20:37 NET01 pluto[6327]: packet from 79.235.2.199:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 24 11:20:37 NET01 pluto[6327]: packet from 79.235.2.199:500: ignoring unknown Vendor ID payload [a2226fc364500f5634ff77db3b74f41b]
Sep 24 11:20:37 NET01 pluto[6327]: packet from 79.235.2.199:500: initial Aggressive Mode message from 79.235.2.199 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW
Sep 24 11:20:39 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [XAUTH]
Sep 24 11:20:39 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [Dead Peer Detection]
Sep 24 11:20:39 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [RFC 3947]
Sep 24 11:20:39 NET01 pluto[6327]: packet from 79.235.2.199:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 24 11:20:39 NET01 pluto[6327]: packet from 79.235.2.199:500: ignoring unknown Vendor ID payload [a2226fc364500f5634ff77db3b74f41b]
Sep 24 11:20:39 NET01 pluto[6327]: packet from 79.235.2.199:500: initial Aggressive Mode message from 79.235.2.199 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW
Sep 24 11:20:43 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [XAUTH]
Sep 24 11:20:43 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [Dead Peer Detection]
Sep 24 11:20:43 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [RFC 3947]
Sep 24 11:20:43 NET01 pluto[6327]: packet from 79.235.2.199:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 24 11:20:43 NET01 pluto[6327]: packet from 79.235.2.199:500: ignoring unknown Vendor ID payload [a2226fc364500f5634ff77db3b74f41b]
Sep 24 11:20:43 NET01 pluto[6327]: packet from 79.235.2.199:500: initial Aggressive Mode message from 79.235.2.199 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW
Sep 24 11:20:51 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [XAUTH]
Sep 24 11:20:51 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [Dead Peer Detection]
Sep 24 11:20:51 NET01 pluto[6327]: packet from 79.235.2.199:500: received Vendor ID payload [RFC 3947]
Sep 24 11:20:51 NET01 pluto[6327]: packet from 79.235.2.199:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 24 11:20:51 NET01 pluto[6327]: packet from 79.235.2.199:500: ignoring unknown Vendor ID payload [a2226fc364500f5634ff77db3b74f41b]
Sep 24 11:20:51 NET01 pluto[6327]: packet from 79.235.2.199:500: initial Aggressive Mode message from 79.235.2.199 but no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW

Disabling aggressive mode on both sides gives this:

Sep 24 11:45:48 NET01 pluto[8193]: packet from 79.235.30.110:500: initial Main Mode message received on 192.168.177.6:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
Sep 24 11:45:52 NET01 pluto[8193]: packet from 79.235.30.110:500: received Vendor ID payload [XAUTH]
Sep 24 11:45:52 NET01 pluto[8193]: packet from 79.235.30.110:500: received Vendor ID payload [Dead Peer Detection]
Sep 24 11:45:52 NET01 pluto[8193]: packet from 79.235.30.110:500: received Vendor ID payload [RFC 3947]
Sep 24 11:45:52 NET01 pluto[8193]: packet from 79.235.30.110:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 24 11:45:52 NET01 pluto[8193]: packet from 79.235.30.110:500: ignoring unknown Vendor ID payload [a2226fc364500f5634ff77db3b74f41b]
Sep 24 11:45:52 NET01 pluto[8193]: packet from 79.235.30.110:500: initial Main Mode message received on 192.168.177.6:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
Sep 24 11:46:00 NET01 pluto[8193]: packet from 79.235.30.110:500: received Vendor ID payload [XAUTH]
Sep 24 11:46:00 NET01 pluto[8193]: packet from 79.235.30.110:500: received Vendor ID payload [Dead Peer Detection]
Sep 24 11:46:00 NET01 pluto[8193]: packet from 79.235.30.110:500: received Vendor ID payload [RFC 3947]
Sep 24 11:46:00 NET01 pluto[8193]: packet from 79.235.30.110:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 24 11:46:00 NET01 pluto[8193]: packet from 79.235.30.110:500: ignoring unknown Vendor ID payload [a2226fc364500f5634ff77db3b74f41b]
Sep 24 11:46:00 NET01 pluto[8193]: packet from 79.235.30.110:500: initial Main Mode message received on 192.168.177.6:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW 

What's wrong?

No idea?

Okay, I got it.
There were a few configuration problems. So now I'm running an IPsec tunnel between OpenSwan 2.0 and a Fritzbox 3270.

Here are my configs:

Fritzbox-VPN.cfg

vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "ANY-NAME";
                always_renew = yes;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip =  PUBLIC IP ADDRESS OF OPENSWAN SERVER;
                remote_virtualip = 0.0.0.0;
                localid {
                        fqdn = "FQDN (in my case DYNS) OF FRITZBOX";
                }
                remoteid {
                        ipaddr = "FQDN (in my case DYNS) OF OPENSWAN SERVER (Nethserver)";
                }
                mode = phase1_mode_aggressive;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "RANDOM PRE SHARED KEY";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = yes;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.179.0;			//LOCAL IPADRESS OF FRITZBOX LAN
                                mask = 255.255.255.0;			//LOCAL SUBNETMASK OF FRITZBOX LAN
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 192.168.177.0;			//LOCAL IPADRESS OF OPENSWAN LAN
                                mask = 255.255.255.0;			//LOCAL SUBNETMASK OF OPENSWAN LAN
                        }
                }
                phase2ss = "esp-aes256-3des-sha/ah-all-sha/comp-lzs-no/pfs";
                accesslist = "permit ip any 192.168.177.0 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", 
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}


// EOF

/etc/ipsec.conf

config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:192.168.179.0/24,%v4:192.168.177.0/24
        oe=off
        # Enable this if you see "failed to find any available worker"
        # nhelpers=

conn Site-to-Site
        authby=secret
        auto=add
        type=tunnel
        aggrmode=yes
        left=PUBLIC IP ADDRESS OF OPENSWAN SERVER
        leftid= FQDN OF OPENSWAN SERVER (IMPORTANT: put a @ in front of it. Example: @my.dyndns.com)
        leftnexthop=%defaultroute
        leftsourceip=LOCAL IP ADDRESS AT OPENSWAN LAN
        leftsubnet=192.168.177.0/24
        right=%any
        rightsubnet=192.168.179.0/24
        rightid=FQDN OF FRITZBOX (IMPORTANT: put a @ in front of it. Example: @my.dyndns.com)
        ike=aes256-sha1;modp1024
        phase2=esp
        phase2alg=aes256-sha1;modp1024

Lastly, be sure that /etc/ipsec.secrets is correct.
You also have to check /etc/sysctl.conf:

net.ipv4.ip_forward = 1


NethServer takes care of setting it.


Can you mention or highlight what exactly the difference is between the NethServer configuration and what you changed manually?


@prostream please, could you answer @Hunv’s request?

Yes, sorry, it was a bit stressful last time.

I will make it clearer in the evening.


So here are the differences between my working ipsec.conf and the generated ipsec.conf:

config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.177.0/24
        oe=off

conn my_ipsec-tunnel
        authby=secret
        #compress=no
        #dpdaction=hold
        left=%defaultroute
        leftid=@FQDN OF NS
        leftnexthop=%defaultroute
        leftsourceip=192.168.177.21
        leftsubnets={ 192.168.177.0/24 }
        #pfs=yes
        right=%any
        rightid=@FQDN OF FRITZBOX
        rightsubnets={ 192.168.179.0/24 }
        ike=aes256-sha1;modp1024
        phase2=esp
        phase2alg=aes256-sha1;modp1024

I marked every change to the generated config in bold.

Here's the Fritzbox config and the things I changed to make it work after generating it with the AVM VPN tool:

vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "FQDN OF NS";
                always_renew = yes;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 0.0.0.0;
                remote_virtualip = 0.0.0.0;
                remotehostname = "FQDN OF NS";
                localid {
                        fqdn = "FQDN OF FRITZBOX";
                }
                remoteid {
                        ipaddr = "FQDN OF NS";
                }
                mode = phase1_mode_aggressive;
                phase1ss = "all/all/all";
                keytype = connkeytype_pre_shared;
                key = "SECRETKEY";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = yes;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 192.168.179.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 192.168.177.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-aes256-3des-sha/ah-all-sha/comp-lzs-no/pfs";
                accesslist = "permit ip any 192.168.177.0 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}

// EOF

If there are still questions, I can also upload my config files.

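As an added worked example (not code from this thread, NethServer, AVM or Libreswan), here is a Python checker that applies the advice above mechanically: it parses a Fritzbox vpncfg export and an ipsec.conf, derives the policy string pluto will log for the Fritzbox's first IKE message (the "no (wildcard) connection has been configured with policy PSK+AGGRESSIVE+IKEV1_ALLOW" lines in the logs above), and reports the mismatches this thread ran into: leftid/rightid not written as @fqdn, IDs and phase 2 subnets not mirrored between the two sides, aggressive mode set on one side only, and use_xauth=yes without an XAUTH conn. The hostnames fritz.example.net and vpn.example.org and both sample configs are constructed placeholders modelled on the final configs posted above.

```python
# Cross-check a Fritzbox vpncfg export against the Libreswan/Openswan conn that terminates it.
import re

def parse_vpncfg(text):
    """AVM brace syntax ('key = value;', 'name { ... }', '//' comments, comma lists) -> nested dicts."""
    tokens = re.findall(r'"[^"]*"|[{};=,]|[^\s{};=,"]+', re.sub(r"//[^\n]*", "", text))
    pos = 0
    def block():
        nonlocal pos
        out = {}
        while pos < len(tokens) and tokens[pos] != "}":
            key, pos = tokens[pos], pos + 1
            if tokens[pos] == "{":
                pos += 1
                out[key] = block()                          # block() consumes its own closing '}'
            elif tokens[pos] == "=":
                values, pos = [], pos + 1
                while tokens[pos] != ";":
                    if tokens[pos] != ",":
                        values.append(tokens[pos].strip('"'))
                    pos += 1
                pos += 1                                    # consume ';'
                out[key] = values[0] if len(values) == 1 else values
            else:
                raise ValueError(f"unexpected token {tokens[pos]!r} after {key!r}")
        pos += 1                                            # consume '}' (runs past the end at top level)
        return out

    return block()

def parse_ipsec_conf(text):
    """{section: {key: value}} for every 'conn NAME' and 'config setup' block; '#' comments dropped."""
    sections, current = {}, None
    for line in (raw.split("#", 1)[0].rstrip() for raw in text.splitlines()):
        if re.match(r"(conn|config)\s+\S+", line):
            current = sections.setdefault(line.split(None, 1)[1], {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections

def expected_policy(vpn):
    """Policy flags pluto logs for the Fritzbox's first IKE message; the conn must match all of them."""
    flags = ["PSK" if vpn["keytype"] == "connkeytype_pre_shared" else "RSASIG"]
    flags += ["XAUTH"] if vpn.get("use_xauth") == "yes" else []
    flags += ["AGGRESSIVE"] if vpn["mode"] == "phase1_mode_aggressive" else []
    return "+".join(flags + ["IKEV1_ALLOW"])

def cross_check(vpn, conn):
    """Mismatches between a Fritzbox 'connections' block and the conn (swan = left, Fritzbox = right)."""
    def cidr(net):
        return f"{net['ipaddr']}/{sum(bin(int(o)).count('1') for o in net['mask'].split('.'))}"

    problems = []
    if not all(conn.get(k, "").startswith("@") for k in ("leftid", "rightid")):
        problems.append("write leftid/rightid as @fqdn; pluto resolves a bare name to an IP-address ID")
    for fb_key, sw_key in (("localid", "rightid"), ("remoteid", "leftid")):
        if next(iter(vpn[fb_key].values())) != conn.get(sw_key, "").lstrip("@"):   # AVM key: fqdn/ipaddr
            problems.append(f"Fritzbox {fb_key} does not equal {sw_key}")
    for fb_key, sw_key in (("phase2localid", "rightsubnet"), ("phase2remoteid", "leftsubnet")):
        if cidr(vpn[fb_key]["ipnet"]) != conn.get(sw_key):                         # selectors are mirrored
            problems.append(f"Fritzbox {fb_key} does not equal {sw_key}")
    if (vpn["mode"] == "phase1_mode_aggressive") != (conn.get("aggrmode") == "yes"):
        problems.append("aggressive mode is enabled on one side only")
    if vpn["keytype"] == "connkeytype_pre_shared" and conn.get("authby") != "secret":
        problems.append("Fritzbox uses a PSK but the conn lacks authby=secret")
    if vpn.get("use_xauth") == "yes" and conn.get("leftxauthserver") != "yes":
        problems.append("use_xauth=yes makes pluto look for an XAUTH conn; set use_xauth=no")
    return problems

# Constructed sample pair (placeholder names) modelled on the thread's final configs.
FRITZBOX_CFG = """
vpncfg {
    connections {
        localid { fqdn = "fritz.example.net"; }
        remoteid { fqdn = "vpn.example.org"; }
        mode = phase1_mode_aggressive;
        keytype = connkeytype_pre_shared;
        use_xauth = no;
        phase2localid { ipnet { ipaddr = 192.168.179.0; mask = 255.255.255.0; } }    // Fritzbox LAN
        phase2remoteid { ipnet { ipaddr = 192.168.177.0; mask = 255.255.255.0; } }   // swan LAN
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500";
}
"""
IPSEC_CONF = """
conn Site-to-Site
        authby=secret
        aggrmode=yes
        leftid=@vpn.example.org
        leftsubnet=192.168.177.0/24
        rightid=@fritz.example.net
        rightsubnet=192.168.179.0/24
"""

if __name__ == "__main__":
    vpn = parse_vpncfg(FRITZBOX_CFG)["vpncfg"]["connections"]
    print(expected_policy(vpn), cross_check(vpn, parse_ipsec_conf(IPSEC_CONF)["Site-to-Site"]))
```

Run it directly and it prints the policy string for the sample pair together with an empty problem list; drop the @ from leftid, or set aggrmode=no while the Fritzbox stays in aggressive mode, and the matching complaint appears, which is exactly the situation behind the "no (wildcard) connection has been configured" lines quoted in this thread. The checker deliberately says nothing about cipher strength: the working configs above negotiate modp1024 (DH group 2), which is regarded as too weak today, so prefer modp2048 on both sides if the Fritzbox firmware accepts it, and since IKEv1 aggressive mode with a PSK exposes a hash keyed with that PSK to anyone on the path, keep the generated random key long rather than replacing it with a memorable one.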