
Eli
I briefly skimmed to see if anything else had been posted about this and I don't see anything in particular, so I thought I'd ask my specific question. I have two sites, both connected via high-speed internet and both running ClearOS 7.2 as the VPN servers. Site A has ClearOS 7.2 as the default gateway running the IPSec service. Site B has the IPSec service running on a ClearOS 7.2 machine behind their default gateway, so I've port forwarded 500 to its specific IP address. At this point I've filled in (on both sides) the connection name, connection mode (automatic), local WAN IP from the drop-down, and Local LAN Subnet (side A 192.168.2.0/24 & side B 192.168.1.0/24); the optional settings (Local Gateway IP & Local LAN IP) on both sides have been left blank for now. The Remote WAN IP has been filled in with the WAN IP of the respective sides. The Remote LAN Subnet is set up as well for the remote side's local subnet, and again the optional options have been left blank. Both sides have the same pre-shared key.

The output from /var/log/ipsec is
Sep 22 16:22:25 router pluto[2977]: forgetting secrets
Sep 22 16:22:25 router pluto[2977]: loading secrets from "/etc/ipsec.secrets"
Sep 22 16:22:25 router pluto[2977]: loading secrets from "/etc/ipsec.d/ipsec.un$
Sep 22 16:22:27 router pluto[2977]: "davlijah": deleting connection
Sep 22 16:22:27 router pluto[2977]: | certificate not loaded for this end
Sep 22 16:22:28 router pluto[2977]: | certificate not loaded for this end
Sep 22 16:22:28 router pluto[2977]: added connection description "davlijah"

That repeats over and over

The output from /var/log/ipsec-20160921 is
Sep 20 13:19:32 router pluto[2977]: packet from SiteB.wanip:500: initial Main Mode message received on SiteA.wanip:500 but no connection has been authorized with policy IKEV1_ALLOW

I have a connection over both setups so if something is necessary from SiteA or B please let me know and I can supply it. I've never set up an IPSec VPN before, this is the first time I've ever tried. So go easy on me if something is blatantly obvious. Thanks guys!
Friday, September 23 2016, 08:04 PM
Responses (10)

    Tuesday, October 04 2016, 06:11 PM
    Hi Eli,
    Can I ask that you try the following configuration:
    Your side:
    conn davlijah
        type=tunnel
        authby=secret
        auto=start
        left=your_side.wan.ip
        leftsubnet=192.168.2.0/24
        leftsourceip=192.168.2.10
        right=other_side.wan.ip
        rightsubnet=192.168.1.0/24


    Other side:
    conn davlijah
        type=tunnel
        authby=secret
        auto=start
        left=other_side.wan.ip
        leftsubnet=192.168.1.0/24
        leftsourceip=192.168.1.3
        right=your_side.wan.ip
        rightsubnet=192.168.2.0/24
    This is a minimal configuration and it could be optimised a bit. It should be how the IPsec interface would create it with left meaning the server's local side. If you were not using the interface it would be totally safe to completely swap left and right at one end or both!

    The secrets file should have something like:
    your_side.wan.ip other_side.wan.ip : PSK "your_secret_in_quotes"
    The same file can be used on both sides.

    Tuesday, October 04 2016, 07:06 AM
    Hi Eli,
    The "code" tags have nothing to do with ClearOS; they are on the forum. Putting text from files and from the terminal between them keeps it formatted as you'd see on the terminal or in the file. Just above the reply box it is the little piece of paper icon with a <> on it.

    IPsec when NAT'd is not so neat but works. I don't think you can use the basic interface for it, but it is easy to edit the underlying files. Without NAT between fixed IPs it is simple to set up, but you had a configuration error with the left/rightnexthops. I think we could possibly help a bit with the interface by changing left/rightsourceip (I think on the interface, ClearOS LAN IP) to be "recommended" and left/rightnexthop to be "normally not configured".

    Eli
    Tuesday, October 04 2016, 02:31 AM
    Hi Nick,

    Thank you for your assistance. I'm still not sure what you meant by between the code tags. There are no code tags when opening the file. I'm sorry it's been a while since I last updated. I'm not sure if it's something to do with using the free version or not as to why it's not connecting, but I've switched to using OpenVPN as a site-to-site VPN, which is working out better so far than this set up.

    I'm sorry that my responses were somewhat slow and I wasn't sure exactly what you meant. Tim, I saw your name on the app so I know you've had a part, if not all, to do with it; thank you for the app. I'm sure it's something I was doing incorrectly, but OpenVPN has really been working out better for me at this point.

    Thanks guys! I know you do a lot for the community and I'm sure this isn't the last time we'll speak.

    Thursday, September 29 2016, 08:54 PM
    First, please use code tags as I described.
    Are the two files really virtually identical? There is no harm in them being identical but it is not what the ClearOS app would generate.
    Connection logs are in /var/log/ipsec if you have the ClearOS app or, I think, /var/log/messages without the app. I am not particularly interested in the start-up section, just the bit when the connection starts negotiating.

    Can you remove your left/rightnexthop lines? There is something wrong with them: you've switched them between the files but you've not switched anything else. left/rightnexthop are rarely needed. Libreswan/Openswan generally detects them automatically.
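    The check Nick is doing by eye here (and the mirrored minimal pair in the accepted answer at the top of the thread) can be made mechanical. The script below is an added example written for this page, not ClearOS's or Libreswan's code: it parses the conn section from each end's file and reports whether the two are identical, exact mirrors, or, as in the two files Eli posts next, identical except for swapped nexthop lines. The file contents are constructed, with RFC 5737 documentation addresses standing in for the real WAN IPs, and the accepted answer's pair is included to show that it passes clean.

```python
"""Cross-check the two ends of a Libreswan/Openswan gateway-to-gateway conn the
way the thread's diagnosis does by hand. Example code, not ClearOS's own."""
import re

SECTION_RE = re.compile(r"^(conn\s+\S+|config\s+setup)\s*$")

# Constructed samples (RFC 5737 addresses stand in for the real WAN IPs).
# *_AS_POSTED reproduces the thread's defect: identical files except that the
# nexthop lines were swapped. *_AS_RECOMMENDED is the accepted answer's pair.
A_AS_POSTED = """\
conn davlijah
    type=tunnel
    authby=secret
    auto=start
    left=203.0.113.10
    leftsubnet=192.168.2.0/24
    right=198.51.100.20
    rightsubnet=192.168.1.0/24
    leftnexthop=203.0.113.1
    leftsourceip=192.168.2.10
    rightnexthop=198.51.100.1
    rightsourceip=192.168.1.3
"""
B_AS_POSTED = (A_AS_POSTED.replace("leftnexthop=203.0.113.1", "leftnexthop=198.51.100.1")
               .replace("rightnexthop=198.51.100.1", "rightnexthop=203.0.113.1"))
A_AS_RECOMMENDED = """\
conn davlijah
    type=tunnel
    authby=secret
    auto=start
    left=203.0.113.10
    leftsubnet=192.168.2.0/24
    leftsourceip=192.168.2.10
    right=198.51.100.20
    rightsubnet=192.168.1.0/24
"""
B_AS_RECOMMENDED = """\
conn davlijah
    type=tunnel
    authby=secret
    auto=start
    left=198.51.100.20
    leftsubnet=192.168.1.0/24
    leftsourceip=192.168.1.3
    right=203.0.113.10
    rightsubnet=192.168.2.0/24
"""

def parse_conf(text):
    """Parse 'config setup' and 'conn NAME' sections into {section: {key: value}}.
    Entries must be indented under their header, as pluto requires."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = SECTION_RE.match(line)
        if header:
            current = sections.setdefault(" ".join(header.group(1).split()), {})
            continue
        if current is None or not line[0].isspace():
            raise ValueError(f"entry outside a section or not indented: {line!r}")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"not key=value: {line!r}")
        current[key.strip()] = value.strip()
    return sections

def mirror(conn):
    """The same conn as the other gateway would write it: left<->right swapped."""
    flip = lambda k: "right" + k[4:] if k.startswith("left") else "left" + k[5:] if k.startswith("right") else k
    return {flip(k): v for k, v in conn.items()}

def check_pair(a, b):
    """Problems between end A's conn and end B's conn; an empty list means OK."""
    problems = []
    for side, conn in (("A", a), ("B", b)):
        missing = [k for k in ("left", "right", "leftsubnet", "rightsubnet") if k not in conn]
        if missing:
            return [f"{side}: missing {', '.join(missing)}"]
        for key in ("leftnexthop", "rightnexthop"):
            if key in conn:
                problems.append(f"{side}: {key} set; rarely needed, pluto normally derives it")
    # Pluto works out which of left/right is itself, so the two files may be
    # identical or exact mirrors. Diff against whichever layout is closer.
    mismatch = lambda x, y: {k for k in x.keys() & y.keys() if x[k] != y[k]}
    same, flipped = mismatch(a, b), mismatch(a, mirror(b))
    if same and flipped:
        layout, keys, other = ("identical", same, b) if len(same) <= len(flipped) else ("mirrored", flipped, mirror(b))
        problems += [f"{k}: A has {a[k]!r}, B ({layout} layout) has {other[k]!r}" for k in sorted(keys)]
    return problems

def demo():
    """Run the check over both constructed pairs."""
    conn = lambda text: parse_conf(text)["conn davlijah"]
    return {"as_posted": check_pair(conn(A_AS_POSTED), conn(B_AS_POSTED)),
            "as_recommended": check_pair(conn(A_AS_RECOMMENDED), conn(B_AS_RECOMMENDED))}
```

    Calling demo() returns an empty list for the accepted answer's pair and, for the files as posted, four warnings that nexthop lines are set plus two lines showing that the only values differing between the otherwise identical files are leftnexthop and rightnexthop. The parser also rejects an unindented key=value line, which is the formatting point Nick keeps making about code tags.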

    Eli
    Thursday, September 29 2016, 08:26 PM
    Sorry about that Nick, it was formatted properly when I was writing this but I was on a mobile device. Hopefully it's formatted properly this time below.

    Left Side
    conn davlijah
        type=tunnel
        authby=secret
        auto=start
        left=my.wan.ip
        leftsubnet=192.168.2.0/24
        right=remote.wan.ip
        rightsubnet=192.168.1.0/24
        leftnexthop=73.35.184.1
        leftsourceip=192.168.2.10
        rightnexthop=71.227.132.1
        rightsourceip=192.168.1.3

    Right Side
    conn davlijah
        type=tunnel
        authby=secret
        auto=start
        left=my.wan.ip
        leftsubnet=192.168.2.0/24
        right=remote.wan.ip
        rightsubnet=192.168.1.0/24
        leftnexthop=71.227.132.1
        leftsourceip=192.168.2.10
        rightnexthop=73.35.184.1
        rightsourceip=192.168.1.3

    Where can I find the connection logs located? I don't want to get you the wrong information. Thanks!

    Sunday, September 25 2016, 03:42 PM
    Please can you repost the conf file between code tags (the piece of paper icon with a <> )? It makes no sense the way it has been posted, and indenting and line breaks have some importance in Libreswan/Openswan. Please post them from both ends.

    Before you do that, can you add a leftsourceip (Local LAN IP) to each conn.

    Also please post the connection logs.

    Eli
    Sunday, September 25 2016, 03:30 PM
    Thanks for the updates Nick. I appreciate the help. I'm sure it's something small I'm over looking. My conf file is below.

    File: .../ipsec.d/ipsec.unmanaged.davlijah.conf
    conn davlijah
        type=tunnel
        authby=secret
        auto=start
        left=my.wan.ip.address
        leftsubnet=192.168.2.0/24
        right=remote.wan.ip.address
        rightsubnet=192.168.1.0/24

    The IPsec service has been opened on both firewalls rather than just opening up UDP port 500.

    Sunday, September 25 2016, 06:32 AM
    No, the comments are not valid for a gateway-gateway connection with no NAT. That is a much easier set up, which the basic free interface should handle directly.
    Make sure you've opened the incoming firewall to the Standard Service IPsec as this does more than open udp:500.
    If you can't connect, post your conf files from /etc/ipsec.d/

    FWIW left and right can be either side. A lot of people (including the ClearOS webconfig) use left as the local side but you don't have to. A gateway-gateway configuration is often symmetrical and you can pick up the conf file from one side and drop it into the setup on the other side unchanged. Then right becomes your local side. Libreswan/Openswan works out which side is which when it matches the conf file with the local IP settings.

    Eli
    Sunday, September 25 2016, 01:26 AM
    Hi Nick,

    Thank you for your assistance with this. I've looked over everything you said and it all seems to make sense. I've not implemented anything yet because side B (right side, if I understand ClearOS lingo enough) actually made a change and is now running ClearOS 7.2 as their gateway, so now both left and right sides have IPSEC on the gateway. My follow-up question, because it doesn't seem things are working still, is: is your post still relevant and should I still follow it, or is there another configuration I should follow?

    Thanks! Sorry to switch things up.

    Friday, September 23 2016, 09:00 PM
    IPsec is not NAT friendly and a port forward won't work (and you also need to forward esp).

    I think it is the default in our set up, but make sure you have a line in /etc/ipsec.conf which says "nat_traversal=yes", in the "config setup" section with no preceding blank lines and make sure the line is indented.

    On site B port forward udp:4500 in your router and open udp:4500 in both ClearOS's.

    The next bit I'm always hazy on. In your conf file in /etc/ipsec.d, you will need to fix the leftid/rightid manually as each side assumes the other will use its WAN IP, but in reality site B will use the ClearOS WAN IP, assuming left is always the local machine, I think either on A you need to set rightid=clearosB_WAN_interface_IP or on B you need to set left=SiteB's_public_IP. I would prefer the second.

    Lastly this will affect your secrets file. The easiest thing to do is to add %any after the two IP addresses. You may have to fix one or both systems to match the left/rightid, but I'm not sure. Or you could just make sure you have 3 IP's in it, A_WAN, B_Public and B_ClearOS_WAN.

    Restart ipsec after the changes.

    You can do this manually, but I think (I'll have to check later), you need the paid-for version of the interface if you want to do it through the webconfig.
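    The %any advice above, and the one-line secrets file in the accepted answer at the top of the thread, both come down to how pluto indexes PSK entries. The script below is an added example written for this page, not libreswan's code; it is a simplified model of the ipsec.secrets index rules (an entry matches when each ID is listed among its selectors or the selectors contain %any, and the most specific match wins), using constructed lines with RFC 5737 addresses. It shows that the two-IP entry stops matching once site B presents its ClearOS WAN address as its ID, and that either adding %any or listing the third IP repairs the lookup.

```python
"""Which ipsec.secrets entry pluto would use for a given pair of IDs. Example
code, not libreswan's: a simplified model of the index rules in which an entry
matches when each ID is listed among its selectors or the selectors contain
%any (an empty selector list is also a wildcard), and, among several matches,
the entry that needed the fewest wildcards wins."""
import re

# A selector list, a colon, PSK and a double-quoted secret; IPv6 selectors
# (which contain colons) and other secret types are deliberately not handled.
PSK_RE = re.compile(r'^(?P<selectors>[^:]*?)\s*:\s*PSK\s+"(?P<psk>[^"]*)"$')

def parse_secrets(text):
    """Return [(selectors, psk), ...] for the PSK lines of an ipsec.secrets file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PSK_RE.match(line)
        if not m:
            raise ValueError(f"unsupported secrets line: {line!r}")
        entries.append((m.group("selectors").split(), m.group("psk")))
    return entries

def select_psk(entries, local_id, remote_id):
    """Best-matching PSK for the (local, remote) IDs, or None if no entry matches."""
    best, best_wildcards = None, None
    for selectors, psk in entries:
        wildcards = 0
        for ident in (local_id, remote_id):
            if ident in selectors:
                continue
            if "%any" in selectors or not selectors:
                wildcards += 1
                continue
            break  # this ID is not covered by the entry at all
        else:
            if best_wildcards is None or wildcards < best_wildcards:
                best, best_wildcards = psk, wildcards
    return best

# Constructed scenario for the thread's NAT case (RFC 5737 addresses): site A's
# WAN IP, site B's public IP on its router, and the ClearOS WAN address behind
# that router, which is the ID site B presents unless leftid is set by hand.
A_WAN, B_PUBLIC, B_CLEAROS_WAN = "203.0.113.10", "198.51.100.20", "192.0.2.5"
PSK = "example-psk-do-not-use"
SECRETS_AS_WRITTEN = f'{A_WAN} {B_PUBLIC} : PSK "{PSK}"\n'
SECRETS_WITH_ANY = f'{A_WAN} {B_PUBLIC} %any : PSK "{PSK}"\n'
SECRETS_THREE_IPS = f'{A_WAN} {B_PUBLIC} {B_CLEAROS_WAN} : PSK "{PSK}"\n'

def demo():
    """Site A looking up the secret for a peer that identifies as B_CLEAROS_WAN."""
    return {name: select_psk(parse_secrets(text), A_WAN, B_CLEAROS_WAN)
            for name, text in (("as_written", SECRETS_AS_WRITTEN),
                               ("with_any", SECRETS_WITH_ANY),
                               ("three_ips", SECRETS_THREE_IPS))}
```

    demo() returns None for the line as written and the PSK for the other two. The same entries read from site B's side (local B_CLEAROS_WAN, remote A_WAN) behave identically, which is why the accepted answer can say the one file serves both ends.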