Re: [Vyatta-users] IPSec Termination

2008-02-08 Thread Dunmoodie, Carlos
All,


Thanks for your input. I got the tunnel up and running. After taking
several suggestions I decided to switch to main mode and set the right
side to dynamic. Also, when using dynamic, even as a termination point,
auto is set to "add".



version 2.0

config setup
interfaces="ipsec0=eth0"
hidetos=yes

conn clear
auto=ignore

conn clear-or-private
auto=ignore

conn private-or-clear
auto=ignore

conn private
auto=ignore

conn block
auto=ignore

conn packetdefault
auto=ignore

conn peer-0.0.0.0-tunnel-1
left=1.1.1.1
right=%any
rekey=no
leftsubnet=192.168.12.0/24
rightsubnet=192.168.10.0/24
ike=3des-md5,3des-sha1
ikelifetime=28800s
aggrmode=no
esp=3des-md5,3des-sha1
keylife=1800s
rekeymargin=540s
type=tunnel
pfs=yes
compress=no
authby=secret
auto=add




Carlos Dunmoodie
Network Engineer
Engineering
Office: (301) 944-2896
Cell: (443) 864-9822
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ken Felix
Sent: Thursday, February 07, 2008 5:21 PM
To: vyatta-users@mailman.vyatta.com
Subject: [Vyatta-users] IPSec Termination

My take: the remote peer is not recognized. Do you have an appropriate
PSK key in the ipsec.secrets file?

fwiw: I would create a default setting and apply all of your settings
for things like this in the default profile


conn %default
left=aaa.bbb.ccc.dd
leftnexthop=aaa.bbb.ccc.eee
dpddelay=5
dpdtimeout=5
dpdaction=hold
pfs=no
auth=esp
authby=secret
compress=yes
aggrmode=yes


etc.

___
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users
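The thread above converges on a responder-only conn (right=%any, auto=add, main mode) and on Ken's suggestion of putting shared settings in conn %default. As an added example that is not part of the thread, this small Python checker parses such an ipsec.conf, applies %default inheritance, and flags the settings that defeat termination from a dynamic peer (auto=start with right=%any, aggressive mode with a PSK, and a key given twice in one conn as in Carlos's first config); SAMPLE_CONF and the conn name constructed-bad are constructed for the demo.

```python
# Added example, not from the thread: parse ipsec.conf conn sections, apply
# "conn %default" inheritance, and flag settings that defeat a responder-only
# tunnel from a dynamic (right=%any) peer. SAMPLE_CONF is constructed.
import re

SAMPLE_CONF = """\
conn %default
authby=secret
conn peer-0.0.0.0-tunnel-1
left=1.1.1.1
right=%any
ike=3des-md5,3des-sha1
aggrmode=no
auto=add
conn constructed-bad
right=%any
ike=3des-sha1,3des-sha1
ike=3des-sha1,3des-sha1
aggrmode=yes
auto=start
"""

def parse_ipsec_conf(text):
    """Return {conn: {key: value}}; keys repeated in one conn go in '_dup'."""
    conns, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"^(conn|config)\s+(\S+)$", line)
        if m:                                        # section header
            cur = m.group(2) if m.group(1) == "conn" else None
            if cur:
                conns.setdefault(cur, {"_dup": []})
        elif cur and "=" in line and not line.startswith("#"):
            k, v = (s.strip() for s in line.split("=", 1))
            if k in conns[cur]:
                conns[cur]["_dup"].append(k)
            conns[cur][k] = v
    default = conns.pop("%default", {})
    for c in conns.values():                         # %default fills gaps only
        c.update({k: v for k, v in default.items() if k != "_dup" and k not in c})
    return conns

def check_responder(conn):
    """Findings for a conn that should only accept tunnels from %any."""
    out = []
    if conn.get("right") == "%any" and conn.get("auto") == "start":
        out.append("auto=start cannot initiate to right=%any; use auto=add")
    if conn.get("aggrmode") == "yes" and conn.get("authby") == "secret":
        out.append("aggressive mode with PSK sends the ID and PSK hash unprotected")
    out += [f"duplicate key {k}: only the last value is used" for k in conn["_dup"]]
    return out
```

Run check_responder over every conn returned by parse_ipsec_conf; the working conn from the thread yields no findings, while the constructed one yields three.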


Re: [Vyatta-users] IPSec Termination

2008-02-07 Thread Robyn Orosz
Hi Carlos,

I'm not sure I'm correctly understanding your reason for using 
aggressive mode but, are you sure that the other end of the connection 
is expecting an aggressive mode negotiation?  If your only special 
requirement is that the other end of the connection is being initiated 
from an unknown peer address, then simply setting the peer to 0.0.0.0, 
which it looks like you've done, should work for you.

Either way, I don't think your phase 1 negotiation will complete if only 
one end is set to aggressive mode.  This may be the reason for the 
INVALID_ID error.  Have you tried connecting with aggrmode=no? 
If none of the above apply to your situation, can you reply with the VPN 
configuration on the remote end?  Also, what type of device is it?

Thanks!

Robyn

Dunmoodie, Carlos wrote:
> Here's my config
>
>
>
>
> conn peer-0.0.0.0-tunnel-1
>  left=1.1.1.1
>  right=%any
>  leftsubnet=192.168.12.0/24
>  rightsubnet=192.168.10.0/24
>  rekey=no
>  ike=3des-sha1,3des-sha1
>  ike=3des-sha1,3des-sha1
>  ikelifetime=3600s
>  aggrmode=yes
>  esp=3des-md5,3des-sha1
>  keylife=1800s
>  rekeymargin=540s
>  type=tunnel
>  pfs=yes
>  compress=no
>  authby=secret
>  auto=add
>
>
>
>
> From the initiator I get an error message "INVALID_ID INFORMATION"
>
> How do you configure the user id to match the userid from the
> initiator, or does that matter?
>
> Also, does the above config look accurate for aggressive mode? When I
> configure "auto=ignore" I see no IPSEC information.
>
> When I change to auto=add, I see the IPSEC negotiations, and it doesn't
> initiate, which is good. But the tunnel is not established.
>
>
> Carlos Dunmoodie
> Network Engineer
> Engineering
> Office: (301) 944-2896
> Cell: (443) 864-9822
>  
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of ken Felix
> Sent: Monday, February 04, 2008 7:32 PM
> To: vyatta-users@mailman.vyatta.com
> Subject: [Vyatta-users] IPSec Termination
>
> Couldn't you get the same thing with the VPN dead peer-detect set to 
> HOLD?
>
> Under strongswan for example, there's a setting that would allow you to
> auto=start or auto=ignore; if you could add this, you should be okay.
> Here's how my vyatta ipsec.conf looks:
>
>
>
>
> If the last line was set to auto=ignore, then I would think ipsec would
> be started and the host would wait for the far-end (right) to
> initiate the session.
>


Re: [Vyatta-users] IPSec Termination

2008-02-07 Thread Dunmoodie, Carlos
Here's my config




conn peer-0.0.0.0-tunnel-1
 left=1.1.1.1
 right=%any
 leftsubnet=192.168.12.0/24
 rightsubnet=192.168.10.0/24
 rekey=no
 ike=3des-sha1,3des-sha1
 ike=3des-sha1,3des-sha1
 ikelifetime=3600s
 aggrmode=yes
 esp=3des-md5,3des-sha1
 keylife=1800s
 rekeymargin=540s
 type=tunnel
 pfs=yes
 compress=no
 authby=secret
 auto=add




From the initiator I get an error message "INVALID_ID INFORMATION"

How do you configure the user id to match the userid from the
initiator, or does that matter?

Also, does the above config look accurate for aggressive mode? When I
configure "auto=ignore" I see no IPSEC information.

When I change to auto=add, I see the IPSEC negotiations, and it doesn't
initiate, which is good. But the tunnel is not established.


Carlos Dunmoodie
Network Engineer
Engineering
Office: (301) 944-2896
Cell: (443) 864-9822
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ken Felix
Sent: Monday, February 04, 2008 7:32 PM
To: vyatta-users@mailman.vyatta.com
Subject: [Vyatta-users] IPSec Termination

Couldn't you get the same thing with the VPN dead peer-detect set to 
HOLD?

Under strongswan for example, there's a setting that would allow you to
auto=start or auto=ignore; if you could add this, you should be okay.
Here's how my vyatta ipsec.conf looks:




If the last line was set to auto=ignore, then I would think ipsec would
be started and the host would wait for the far-end (right) to
initiate the session.



Re: [Vyatta-users] IPSec Termination

2008-02-05 Thread Dunmoodie, Carlos
I agree, but with our solution, IP addressing is coming from WSP
dynamically, so the use of aggressive mode is needed.

-Carlos

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ken Felix
Sent: Tuesday, February 05, 2008 11:39 AM
To: vyatta-users@mailman.vyatta.com
Subject: [Vyatta-users] IPSec Termination

I have to check, but I think in my previous experience with strongswan
and linux, the auto=ignore is what I've used in the past to make the
ipsec client sit as receiver.

Aggressive mode iirc is not what it seems like, but a way that the P1
is established and how many steps are taken in doing so. Main mode is
ALWAYS better than Aggressive mode when it comes to ipsec setup. I
think it's like 6 steps vs 4 with aggressive.



Re: [Vyatta-users] IPSec Termination

2008-02-05 Thread Dunmoodie, Carlos
Let me add in, that I'm using aggressive mode. The initiating stations
are dynamic. Will this change your answer?

-Carlos
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ken Felix
Sent: Monday, February 04, 2008 7:32 PM
To: vyatta-users@mailman.vyatta.com
Subject: [Vyatta-users] IPSec Termination

Couldn't you get the same thing with the VPN dead peer-detect set to 
HOLD?

Under strongswan for example, there's a setting that would allow you to
auto=start or auto=ignore; if you could add this, you should be okay.
Here's how my vyatta ipsec.conf looks:

conn peer-1.1.1.1-tunnel-1
 left=1.1.1.1
 right=2.2.2.2
 leftsubnet=192.168.254.0/24
 rightsubnet=192.168.255.0/24
 ike=3des-md5-modp1024
 ikelifetime=28800s
 aggrmode=no
 dpddelay=30s
 dpdtimeout=60s
 dpdaction=restart
 esp=3des-md5
 keylife=3000s
 rekeymargin=540s
 type=tunnel
 pfs=no
 compress=yes
 authby=secret
 auto=start

If the last line was set to auto=ignore, then I would think ipsec would
be started and the host would wait for the far-end (right) to
initiate the session.



Re: [Vyatta-users] IPSec Termination

2008-02-04 Thread Stig Thormodsrud
Ken,

You are right that changing the "auto=start" line will change this
behavior.  Initially our goal was to have a fairly simple configuration to
bring-up a tunnel, but over time we'll need to add more options to the vpn
cli.  The last time this came up I opened an enhancement request to make
this configurable (https://bugzilla.vyatta.com/show_bug.cgi?id=2506).
Maybe I should increase the priority of that bug?

Note: changes to /etc/ipsec.conf will be lost on a reboot.  If you want to
change the behavior such that it will survive a reboot you can edit
/opt/vyatta/libexec/xorp/vpn-config.pl (search for "auto=start").

stig

> Couldn't you get the same thing with the VPN dead peer-detect set to
> HOLD?
> 
> Under strongswan for example, there's a setting that would allow you to
> auto=start or auto=ignore; if you could add this, you should be okay.
> Here's how my vyatta ipsec.conf looks:
> 
> conn peer-1.1.1.1-tunnel-1
>  left=1.1.1.1
>  right=2.2.2.2
>  leftsubnet=192.168.254.0/24
>  rightsubnet=192.168.255.0/24
>  ike=3des-md5-modp1024
>  ikelifetime=28800s
>  aggrmode=no
>  dpddelay=30s
>  dpdtimeout=60s
>  dpdaction=restart
>  esp=3des-md5
>  keylife=3000s
>  rekeymargin=540s
>  type=tunnel
>  pfs=no
>  compress=yes
>  authby=secret
>  auto=start
> 
> If the last line was set to auto=ignore, then I would think ipsec would
> be started and the host would wait for the far-end (right) to
> initiate the session.
> 


Re: [Vyatta-users] IPSec Termination

2008-02-04 Thread Stig Thormodsrud
One workaround that may or may not work for you is a 0.0.0.0 peer.  When
the vyatta is configured with a 0.0.0.0 peer it can not initiate since it
doesn't know which address it's coming from.

 

stig

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dunmoodie,
Carlos
Sent: Monday, February 04, 2008 6:39 AM
To: [EMAIL PROTECTED]
Subject: Re: [Vyatta-users] IPSec Termination

I'm trying to establish an IPSec tunnel with a wireless modem on the right
and vyatta on the left.

 

Problem I'm running into is the Vyatta is supposed to terminate the tunnel
and the wireless modem is the initiator.

However, when you look at the logs and the ipsec.conf file, Vyatta is also
attempting to initiate the tunnel.

 

Is there a parameter in the config that will allow the Vyatta to be used
as a terminator? Please assist.

 



Re: [Vyatta-users] IPSec Termination

2008-02-04 Thread Dunmoodie, Carlos
I'm trying to establish an IPSec tunnel with a wireless modem on the
right and vyatta on the left.

 

Problem I'm running into is the Vyatta is supposed to terminate the
tunnel and the wireless modem is the initiator.

However, when you look at the logs and the ipsec.conf file, Vyatta is
also attempting to initiate the tunnel.

 

Is there a parameter in the config that will allow the Vyatta to be used
as a terminator? Please assist.

 
