Author Topic: IPSEC Site-to-Site VPN (Zentyal 2.2 and Cisco 2800) - Possible?

c4rdinal

IPSEC Site-to-Site VPN (Zentyal 2.2 and Cisco 2800) - Possible?
« on: November 08, 2011, 01:10:50 pm »
Hi Everyone,

I wonder if anyone was able to implement a Zentyal and Cisco Site-to-Site IPSEC VPN? I'm planning to deploy but am still in the planning mode. I'm assuming this is possible, or am I just assuming too much? :(

Also, I cannot start the VPN service on the Dashboard whatever I do. I wonder if I can start VPN even when the tunnel is not yet established?

I already created the CA but still no luck starting the service.

Thanks in advance.
« Last Edit: November 10, 2011, 10:58:30 am by c4rdinal »

c4rdinal

Re: Zentyal and Cisco Site-to-Site VPN (IPSEC)
« Reply #1 on: November 10, 2011, 02:53:22 am »
Update: Still cannot start the VPN Service

I noticed this in the logs (/var/log/syslog):

Nov 10 09:36:18 fw ipsec_setup: Openswan IPsec apparently already active, start aborted
Nov 10 09:36:18 fw slapd[4813]: connection_read(32): no connection!
Nov 10 09:36:46 fw slapd[4813]: last message repeated 80 times
Nov 10 09:36:46 fw ipsec_setup: Openswan IPsec apparently already active, start aborted
Nov 10 09:36:47 fw slapd[4813]: connection_read(32): no connection!
Nov 10 09:36:48 fw slapd[4813]: last message repeated 29 times

I tried many combinations but still don't get any positive result. My VPN config is as follows:

Phase 1
IKE Encrypt: 3DES
IKE Auth: SHA-1
IKE Keylife: 2400

Phase 2
ESP Encrypt: 3DES
ESP Auth: SHA-1
ESP DH GROUP: 2
ESP Keylife: 3600
Enable PFS: Check

Btw, what does enabling PFS accomplish?

Thanks in advance!

c4rdinal

Re: IPSEC Site-to-Site VPN (Zentyal 2.2 and Cisco 2800) - Possible?
« Reply #2 on: November 15, 2011, 08:51:42 am »
Finally, I was able to start the IPSEC service. I just removed the module and reinstalled it. **what a shame** for such a basic troubleshooting procedure.

I shall configure the Tunnel with my Cisco 2801 Router and will post any developments.

Thanks for reading....  heheh

c4rdinal

Re: IPSEC Site-to-Site VPN (Zentyal 2.2 and Cisco 2800) - Possible?
« Reply #3 on: November 15, 2011, 09:19:45 am »
Hi,

I configured the Zentyal IPSEC Connections using the following configuration:

PHASE1
IKE Enc: Any
IKE Auth: Any
IKE Key: 28800

PHASE2
ESP Enc: Any
ESP Auth: Any
ESP DH Group: 2
ESP Key: 3600
ENABLE PFS: Check

My Network settings:
PUBLIC IP: 124.x.x.37
LOCAL SUBNET: 192.168.x.0/32
GATEWAY: 192.168.x.1

REMOTE PUBLIC IP: 207.x.x.41
REMOTE SUBNET: 172.16.x.0/32
REMOTE GATEWAY: 172.16.x.1

I also have a client pc on both sides of the tunnel used for testing routes and ping tests.

++++++

IPSEC Service is up and running. But how can I troubleshoot and see the tunnel if it's up or established in Zentyal?

On the Cisco Router, the Tunnel Status shows as "UP", and using the Test Tunnel utility Cisco SDM confirmed that the tunnel is OK.

However, a ping to my CISCO Router to a REMOTE LAN IP failed. Traceroute also failed during the test. Error indicated "Request timed out". I'm doing the ping and traceroute test on both sides (Cisco Router and Zentyal Server).

I already created a Static Route going to the Remote Network at the other side of the VPN Tunnel.

Static Routes
Network: 172.168.x.0/32 (Remote Subnet)
Gateway: 192.168.x.1 (Local GW)

Packet Filter

IPSEC = Allowed Any Any

Any suggestions?
« Last Edit: November 15, 2011, 11:15:43 am by c4rdinal »
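The subnet and route figures in the post above can be sanity-checked before touching Openswan at all. The following is an added example (mine, not Zentyal's code) that runs Python's ipaddress module over stand-in addresses: a /32 prefix on a LAN subnet, as listed above, selects a single host, and the static-route network has to name the remote subnet exactly.

```python
import ipaddress

# Constructed stand-ins for the masked ("x") octets in the post above (not the
# poster's real addresses); prefix lengths and static route copied as posted.
AS_POSTED = {
    "local_subnet": "192.168.10.0/32",
    "local_gateway": "192.168.10.1",
    "remote_subnet": "172.16.10.0/32",
    "remote_gateway": "172.16.10.1",
    "static_route": "172.168.10.0/32",
}
# Hypothetical corrected values: LAN-sized prefixes and a route naming the
# remote subnet exactly.
CORRECTED = {
    "local_subnet": "192.168.10.0/24",
    "local_gateway": "192.168.10.1",
    "remote_subnet": "172.16.10.0/24",
    "remote_gateway": "172.16.10.1",
    "static_route": "172.16.10.0/24",
}


def check_tunnel(cfg):
    """Return a list of problems found in a site-to-site tunnel definition."""
    problems = []
    local = ipaddress.ip_network(cfg["local_subnet"], strict=False)
    remote = ipaddress.ip_network(cfg["remote_subnet"], strict=False)
    route = ipaddress.ip_network(cfg["static_route"], strict=False)
    # A /32 "subnet" selects exactly one address for the tunnel policy, so
    # packets from every other LAN host never match it.
    for name, net in (("local_subnet", local), ("remote_subnet", remote)):
        if net.prefixlen == 32:
            problems.append(f"{name} {net} is a single host, not a LAN")
    # Each gateway must live inside the subnet it serves.
    for side, gw, net in (("local", cfg["local_gateway"], local),
                          ("remote", cfg["remote_gateway"], remote)):
        if ipaddress.ip_address(gw) not in net:
            problems.append(f"{side} gateway {gw} is outside {net}")
    # The two LANs must not overlap, or there is no distinct return path.
    if local.overlaps(remote):
        problems.append(f"{local} and {remote} overlap")
    # A static route for the far side must name the remote subnet exactly
    # (with the NETKEY stack no extra route is needed: the policy matches).
    if route != remote:
        problems.append(f"static route {route} != remote subnet {remote}")
    return problems
```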

ichat

Re: IPSEC Site-to-Site VPN (Zentyal 2.2 and Cisco 2800) - Possible?
« Reply #4 on: November 15, 2011, 10:29:39 am »
I'm not exactly sure what you are doing, but I was always told to do this:

For testing purposes, use a simple small subnet like 192.168.x.y/29: 1 IP located on your Zentyal, 1 on your router and one on a client PC on the router side.
All tips hints and advices are based on my personal experience.
As I try my best to be as accurate as possible, following my advice is always at your own risk,
I claim absolutely NO responsibility in any way!

c4rdinal

Re: IPSEC Site-to-Site VPN (Zentyal 2.2 and Cisco 2800) - Possible?
« Reply #5 on: November 15, 2011, 11:17:11 am »
I'm not exactly sure what you are doing, but I was always told to do this:

For testing purposes, use a simple small subnet like 192.168.x.y/29: 1 IP located on your Zentyal, 1 on your router and one on a client PC on the router side.

This is already configured. Tests were done both on the servers and client machines. Both give the same error "Requests timed out".

c4rdinal

Re: IPSEC Site-to-Site VPN (Zentyal 2.2 and Cisco 2800) - Possible?
« Reply #6 on: November 16, 2011, 09:12:01 am »
Hi,

The IPSEC module suddenly stopped starting again, for whatever reason; I don't know why.

Any troubleshooting methods I can use to see why the IPSEC module is not working? :( :( :(


c4rdinal

Re: IPSEC Site-to-Site VPN (Zentyal 2.2 and Cisco 2800) - Possible?
« Reply #7 on: November 21, 2011, 08:54:46 am »
Any comments from the developer? I have been stuck with this problem for a loooong time. :(

jsalamero (Zentyal Staff)

c4rdinal

Re: IPSEC Site-to-Site VPN (Zentyal 2.2 and Cisco 2800) - Possible?
« Reply #9 on: November 22, 2011, 08:26:36 am »
sudo ipsec auto --status

http://wiki.openswan.org/index.php/Openswan/Troubleshooting

@jsalamero, Thank you for taking time to answer. Please bear with me as I'm learning...

I got this error when I executed the above command.

$ sudo ipsec auto --status
whack: is Pluto running?  connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused)

~# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.23/K2.6.32-35-server (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [FAILED]
  whack: is Pluto running?  connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused)
Two or more interfaces found, checking IP forwarding            [FAILED]
  whack: is Pluto running?  connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused)
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

I switched the sysctl.conf values of the following from 0 to 1 and vice versa:

net.ipv4.conf.all.accept_redirects = 1
net.ipv6.conf.all.accept_redirects = 1
net.ipv4.ip_forward = 1

But I still have the ICMP redirect and IP forwarding errors. Plus, how can I start Pluto?

Any suggestions? How can I fix these errors?
« Last Edit: November 22, 2011, 11:09:16 am by c4rdinal »
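To read that `ipsec verify` output systematically, here is an added parser (my example, not Zentyal's or Openswan's code) that groups the FAILED lines: the sysctl key the failing check actually names is send_redirects, not the accept_redirects and ip_forward keys toggled above, and the IP forwarding check fails only because verify could not reach pluto through whack.

```python
import re

# The poster's `ipsec verify` output from above, abridged and embedded here as
# a constructed sample so the parser runs offline.
VERIFY_OUTPUT = """\
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.23/K2.6.32-35-server (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [FAILED]
  whack: is Pluto running?  connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused)
Two or more interfaces found, checking IP forwarding            [FAILED]
  whack: is Pluto running?  connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused)
Checking NAT and MASQUERADEing
Opportunistic Encryption Support                                [DISABLED]
"""
# One check per line: a name, padding, then the status in square brackets.
CHECK_RE = re.compile(r"^(?P<name>\S.*?)\s+\[(?P<status>OK|FAILED|DISABLED)\]\s*$")


def parse_verify(text):
    """Map each check name to (status, [indented detail lines that follow it])."""
    results, current = {}, None
    for line in text.splitlines():
        m = CHECK_RE.match(line)
        if m:
            current = m.group("name")
            results[current] = (m.group("status"), [])
        elif line.startswith("  ") and current:
            results[current][1].append(line.strip())
    return results


def triage(text):
    """Separate real failures from ones caused only by pluto being down."""
    root, blocked = [], []
    for name, (status, details) in parse_verify(text).items():
        if status != "FAILED":
            continue
        # verify asks pluto via whack; if whack cannot connect, a dependent
        # check has not really been evaluated at all.
        whack_failed = any("is Pluto running?" in d for d in details)
        if whack_failed and not name.startswith("Checking that pluto"):
            blocked.append(name)
        else:
            root.append(name)
    return root, blocked
```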

jsalamero (Zentyal Staff)

Re: IPSEC Site-to-Site VPN (Zentyal 2.2 and Cisco 2800) - Possible?
« Reply #10 on: November 29, 2011, 02:21:15 pm »
You don't need to modify sysctl; the Zentyal firewall helper does that at runtime for you. If the pluto daemon is not working, it is likely that the configuration file is not valid; can you paste it here? Please verify that you are up to date with all your modules.

paatie

Re: IPSEC Site-to-Site VPN (Zentyal 2.2 and Cisco 2800) - Possible?
« Reply #11 on: December 07, 2011, 12:27:25 pm »
Hi there,

Did anyone get this working? I also have the same problem. I'm trying to do the IPsec tunnel between two Zentyal firewalls. The IPsec service says running on both sides, but I cannot ping the local subnet, and I can't see any logs for IPsec to tell me where the problem is. Help please, I really like this distro; everything else has been working great.

jjm1982

Re: IPSEC Site-to-Site VPN (Zentyal 2.2 and Cisco 2800) - Possible?
« Reply #12 on: December 07, 2011, 03:15:42 pm »
You'll need to configure your firewalls to allow communication between the two networks.

jsalamero (Zentyal Staff)

Re: IPSEC Site-to-Site VPN (Zentyal 2.2 and Cisco 2800) - Possible?
« Reply #13 on: December 08, 2011, 11:29:15 am »
Right, allow incoming IPsec connections from external networks to Zentyal, and then, from external to internal networks, allow connections from and to the two subnets on both sides.