I am looking for confirmation that the paid for version of IPSec will work in a road warrior situation and that help is available via the forums to get it working.
I am asking as we have road warriors in China who will need access to Google and our current OpenVPN solution doesn't work reliably.
We have an end point in Hong Kong and half the time, the end user can't even connect to the server.
It would seem that the Great Firewall of China is not allowing the initial connection.
Responses (11)
I've managed to get IKEv2 on libreswan going with Android. The webconfig can be used but is missing some bits. The bits I had to add to my conn by hand were:
rightaddresspool=172.17.4.16-172.17.4.31
modecfgdns1=172.17.2.1
leftxauthserver=yes
rightxauthclient=yes
leftmodecfgserver=yes
rightmodecfgclient=yes
modecfgpull=yes
I don't know how many of the above options were needed, but without them I would get the following errors:
May 8 20:38:52 server pluto[4494]: "test"[1] 85.255.235.33 #107: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 85.255.235.33:42343
May 8 20:38:53 server pluto[4494]: packet from 85.255.235.33:42343: sending unencrypted notification v2N_INVALID_IKE_SPI to 85.255.235.33:42343
May 8 20:38:55 server pluto[4494]: packet from 85.255.235.33:42343: sending unencrypted notification v2N_INVALID_IKE_SPI to 85.255.235.33:42343
As it is IKEv2 I used a Left ID and Right ID. Also in Android I had to use the Advanced settings to specify my remote network or it did not route anything to it (I could not ping my server). I could not find a way to ping a LAN device and I'd need to spend more time experimenting. I think I'll stick to OpenVPN.
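For reference, an added example (not from this thread, the ClearOS app or libreswan's own docs) of a complete libreswan conn that puts the hand-added options above together with the left/right IDs, address pool and algorithm settings an IKEv2 PSK road-warrior server needs. The server ID, client ID, pool range, DNS address and algorithms are placeholders, and the option names assume libreswan 3.x syntax (the modecfgdns1 form used in the post).

```conf
# /etc/ipsec.d/roadwarrior.conf -- added example, not from the thread.
# Assumes libreswan 3.x on a server with one public interface; IDs,
# pool, DNS and algorithm choices are placeholders to adapt.
conn roadwarrior
    # IKEv2 only; refuse any IKEv1 fallback from the client
    ikev2=insist
    # Pre-shared key; matching line in /etc/ipsec.secrets would be
    #   @vpn.example.invalid %any : PSK "<placeholder-secret>"
    authby=secret
    # Server side: bind to the default-route interface and name it by ID
    left=%defaultroute
    leftid=@vpn.example.invalid
    # Offer 0.0.0.0/0 so the client can route all traffic through the tunnel
    leftsubnet=0.0.0.0/0
    # Client side: any source address (mobile, behind NAT), matched by ID
    right=%any
    rightid=@roadwarrior
    # Virtual address and DNS handed to the client in the IKEv2 config payload
    rightaddresspool=172.17.4.16-172.17.4.31
    modecfgdns1=172.17.2.1
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    # Older libreswan still expects these for the pool to be handed out
    leftxauthserver=yes
    rightxauthclient=yes
    # Allow the client to narrow the traffic selector to its pool address
    narrowing=yes
    # Both sides must share at least one proposal; a mismatch is what
    # produces v2N_NO_PROPOSAL_CHOSEN in the pluto log
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256
    # Mobile networks drop large UDP packets and idle NAT mappings
    fragmentation=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    # Load the conn and wait for clients; the server never initiates
    auto=add
```

After editing, reload with ipsec auto --add roadwarrior (or restart the service) and watch the pluto log for the notification names quoted in the post.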
Nick Howitt wrote:
One of the tricks some VPN providers use is udp:53 - the DNS port - but it would not surprise me if the Great Wall controlled that as well.
Nick
Thanks, I'll try UDP:53.
I know they muck about with DNS as far as Google is concerned; last time I tried one of our offices with a China Unicom ISP, google.com resolved to something other than what it should.
Our plant's DNS is redirected through OpenVPN tunnels to HKG and on to the Google DNS servers.
Nick
I have no confirmation that an IPSec tunnel would work at all but I'm trying anything. Editing files manually isn't an issue so if it ends up being manually configured with no web GUI I don't mind.
I've tried UDP1194, TCP1194, TCP80 and UDP80 all with limited to no success. TCP80 is safe to use as there's no webserver running. Hasn't helped though.
Don't know if UDP500 will work. I'll try it when I'm back in on Monday.
I know that our US office has a working solution but I'm not sure yet what they are using. I'll ask and hopefully it's something I can try.
Those instructions are for strongswan which is a little different from libreswan/openswan. I would expect you to be able to make a connection from your laptop. Your second laptop may connect but traffic probably won't pass.
Have you considered using non-standard ports for OpenVPN? If IPsec will work, can you switch OpenVPN to udp:500? It is easy to change /etc/openvpn/clients.conf and the downloaded ovpn file.
Nick
Thanks for this. I tried to follow the instructions on this link https://raymii.org/s/tutorials/IPSEC_vpn_with_CentOS_7.html, but for some reason the initial handshake isn't succeeding. I know I'm probably missing something but haven't worked out what yet.
Before I chase my own tail too much should it work on private IP addresses?
My test system is connected to an ISP router as its external, and its LAN to a switch. I connect to the ISP router by wifi on a RW laptop so it's kind of public.
Laptop - ISP Router (LAN) - ClearOS (Ext) - ClearOS (LAN) - Switch - Second Laptop
Hmm. I was not aware of the bit about "Support for road warrior connections with multiple remote IP addresses" and I helped with the app!
I've just tried testing with IKEv2 with PSK and it is giving errors. Once I create the connection definition I cannot view it through the Webconfig so have to edit it manually. I am also failing to make a proper connection. It starts then gives errors. I can post to the libreswan mailing list but I don't think any help is available here.
Nick
Thanks for that.
The only reason I am asking for clarification is that their own documentation says that it does!
https://www.clearos.com/resources/documentation/clearos/content:en_us:7_ug_static_vpn
The Full version comes with the above plus options to support connections with third-party hardware:
Dead peer detection
Additional options for IKE and ESP Encryption, Rekeying and Keylife, IKEv2 and Aggressive mode for maximum support with other hardware
Manual tunnel control with reloading of specific tunnels
Live AJAX tunnel status display
Use of tunnel IDs to identify local / remote connections
Support for road warrior connections with multiple remote IP addresses
Log and IPsec policy information for diagnostics
No, the Static IPsec VPN for Business is not suitable for road warriors. It is really meant for a LAN to LAN connection. It may just about be possible but I would not want to commit.
However, the underlying package is Libreswan and it can be configured manually to give you what you want. Have a poke round their documentation and the rest of their site. You should be able to mix and match some of their configs, so you should be able to do things like IKEv2 with PSK. Probably the best way to go is IKEv2 and certificates (if you can work them out - again there is info on their web site). They also have a mailing list which is supported by the principal developer.