
Resolved
0 votes
I am looking for confirmation that the paid-for version of IPsec will work in a road warrior situation and that help is available via the forums to get it working.

I am asking as we have road warriors in China who will need access to Google and our current OpenVPN solution doesn't work reliably.
We have an end point in Hong Kong and half the time, the end user can't even connect to the server.
It would seem that the Great Firewall of China is not allowing the initial connection.
Friday, April 28 2017, 08:07 AM
Responses (11)
  • Accepted Answer

    Tuesday, May 09 2017, 07:32 AM - #Permalink
    Resolved
    0 votes
    Nick

    Thanks for trying, I've also given up on the IPsec tunnel setup for the time being.

    I now have a working, for now, solution: I'm doing OpenVPN over UDP 500, that seems to be working in all the locations that standard OpenVPN wasn't.
  • Accepted Answer

    Monday, May 08 2017, 08:30 PM - #Permalink
    Resolved
    0 votes
    I've managed to get IKEv2 on libreswan going with Android. The webconfig can be used but is missing some bits. The bits I had to add to my conn by hand were:
    rightaddresspool=172.17.4.16-172.17.4.31
    modecfgdns1=172.17.2.1
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    I don't know how many of the above options were needed, but without them I would get the following errors:
    May  8 20:38:52 server pluto[4494]: "test"[1] 85.255.235.33 #107: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 85.255.235.33:42343
    May 8 20:38:53 server pluto[4494]: packet from 85.255.235.33:42343: sending unencrypted notification v2N_INVALID_IKE_SPI to 85.255.235.33:42343
    May 8 20:38:55 server pluto[4494]: packet from 85.255.235.33:42343: sending unencrypted notification v2N_INVALID_IKE_SPI to 85.255.235.33:42343
    As it is IKEv2 I used a Left ID and Right ID. Also in Android I had to use the Advanced settings to specify my remote network or it did not route anything to it (I could not ping my server). I could not find a way to ping a LAN device and I'd need to spend more time experimenting. :( I think I'll stick to OpenVPN.
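A small check for the situation described in the reply above (a webconfig-generated conn that lacks the road-warrior options): it parses ipsec.conf-style text, reports which of the seven options the poster added by hand are missing, and re-emits the conn with them filled in. This is an added example, not ClearOS or libreswan code; SAMPLE_CONF and the conn name "test" are constructed, and the pool and DNS values are the post's own and must be changed for another site.

```python
"""Check a libreswan conn for the road-warrior options the post above added by
hand. Added example, not ClearOS/libreswan code; SAMPLE_CONF is constructed."""
import re

# The options the poster added manually; the pool and DNS values are the
# post's own and must be changed to match the local site.
ROADWARRIOR_OPTIONS = {
    "rightaddresspool": "172.17.4.16-172.17.4.31",
    "modecfgdns1": "172.17.2.1",
    "leftxauthserver": "yes",
    "rightxauthclient": "yes",
    "leftmodecfgserver": "yes",
    "rightmodecfgclient": "yes",
    "modecfgpull": "yes",
}

# Constructed stand-in for a conn as the webconfig might write it.
SAMPLE_CONF = """conn test
\tleft=%defaultroute
\tleftid=@vpn.example.com
\tright=%any
\tauthby=secret
\tikev2=insist
\tauto=add
"""

def parse_conns(text):
    """Return {conn_name: {key: value}}; headers start in column 0."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        header = re.match(r"^conn\s+(\S+)", line)
        if header:
            current = conns.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def missing_roadwarrior_options(text, conn_name):
    """Names of ROADWARRIOR_OPTIONS absent from the named conn."""
    conn = parse_conns(text).get(conn_name, {})
    return [k for k in ROADWARRIOR_OPTIONS if k not in conn]

def complete_conn(text, conn_name):
    """Re-emit the named conn with any missing road-warrior options appended."""
    conn = dict(parse_conns(text).get(conn_name, {}))
    for key, default in ROADWARRIOR_OPTIONS.items():
        conn.setdefault(key, default)
    return "conn %s\n" % conn_name + "".join(
        "\t%s=%s\n" % item for item in conn.items())
```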
  • Accepted Answer

    Saturday, April 29 2017, 07:08 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    One of the tricks some VPN providers use is udp:53 - the DNS port - but it would not surprise me if the Great Wall controlled that as well.


    Nick

    Thanks, I'll try UDP:53.

    I know they muck about with DNS as far as Google is concerned; last time I tried one of our offices with a China Unicom ISP, google.com resolved to something other than what it should.
    Our plant's DNS is redirected through OpenVPN tunnels to HKG and on to the Google DNS servers.
  • Accepted Answer

    Saturday, April 29 2017, 04:33 PM - #Permalink
    Resolved
    0 votes
    One of the tricks some VPN providers use is udp:53 - the DNS port - but it would not surprise me if the Great Wall controlled that as well.
  • Accepted Answer

    Friday, April 28 2017, 09:15 PM - #Permalink
    Resolved
    0 votes
    Nick

    I have no confirmation that an IPSec tunnel would work at all but I'm trying anything. Editing files manually isn't an issue so if it ends up being manually configured with no web GUI I don't mind.

    I've tried UDP1194, TCP1194, TCP80 and UDP80 all with limited to no success. TCP80 is safe to use as there's no webserver running. Hasn't helped though.

    Don't know if UDP500 will work, I'll try it when I'm back in Monday.

    I know that our US office has a working solution but I'm not sure yet what they are using, I'll ask and hopefully it's something I can try.
  • Accepted Answer

    Friday, April 28 2017, 08:52 PM - #Permalink
    Resolved
    0 votes
    Those instructions are for strongswan which is a little different from libreswan/openswan. I would expect you to be able to make a connection from your laptop. Your second laptop may connect but traffic probably won't pass.

    Have you considered using non-standard ports for OpenVPN? If IPsec will work, can you switch OpenVPN to udp:500? It is easy to change /etc/openvpn/clients.conf and the downloaded ovpn file.
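The port switch suggested above, as an added example that is not ClearOS's own tooling: one function rewrites the server config and the client .ovpn so that every port, proto and remote directive points at the new endpoint (for example udp:500), leaving everything else untouched. The two sample configs and the host name vpn.example.com are constructed.

```python
"""Move an OpenVPN server config and client .ovpn to a new port/protocol,
e.g. udp:500 as suggested above. Added example, not ClearOS code; the two
sample configs below are constructed."""

def retarget_openvpn(text, port, proto):
    """Return the config with every 'port', 'proto' and 'remote' directive
    pointed at (port, proto). A bare 'remote <host>' gains explicit port and
    proto fields; all other lines are returned unchanged."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "port":
            parts = ["port", str(port)]
        elif parts and parts[0] == "proto":
            parts = ["proto", proto]
        elif parts and parts[0] == "remote" and len(parts) > 1:
            parts = ["remote", parts[1], str(port), proto]   # remote <host> [port] [proto]
        else:
            out.append(line)
            continue
        out.append(" ".join(parts))
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")

# Constructed stand-ins for /etc/openvpn/clients.conf and a downloaded .ovpn.
SERVER_CONF = """port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
"""
CLIENT_OVPN = """client
dev tun
remote vpn.example.com 1194 udp
remote-cert-tls server
proto udp
"""

if __name__ == "__main__":
    print(retarget_openvpn(SERVER_CONF, 500, "udp"))
    print(retarget_openvpn(CLIENT_OVPN, 500, "udp"))
```

If libreswan's pluto is running on the same box it already binds udp/500 and udp/4500, so OpenVPN cannot take udp/500 until the IPsec service is stopped, and the firewall must allow udp/500 inbound.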
  • Accepted Answer

    Friday, April 28 2017, 08:15 PM - #Permalink
    Resolved
    0 votes
    Nick

    Thanks for this, I tried to follow the instructions on this link https://raymii.org/s/tutorials/IPSEC_vpn_with_CentOS_7.html, but for some reason the initial handshake isn't succeeding. I know I'm probably missing something but haven't worked out what yet.

    Before I chase my own tail too much should it work on private IP addresses?
    My test system is connected to an ISP router as its external and its LAN to a switch. I connect to the ISP router by wifi on a RW laptop so it's kind of public.

    Laptop - ISP Router (LAN) - ClearOS (Ext) - ClearOS (LAN) - Switch - Second Laptop
  • Accepted Answer

    Friday, April 28 2017, 07:01 PM - #Permalink
    Resolved
    0 votes
    The webconfig issue is one of my own making, but I still can't get the connection going. I am posting to the libreswan mailing list.
  • Accepted Answer

    Friday, April 28 2017, 04:49 PM - #Permalink
    Resolved
    0 votes
    Hmm. I was not aware of the bit about "Support for road warrior connections with multiple remote IP addresses" and I helped with the app!

    I've just tried testing with IKEv2 with PSK and it is giving errors. Once I create the connection definition I cannot view it through the Webconfig so have to edit it manually. I am also failing to make a proper connection. It starts then gives errors. I can post to the libreswan mailing list but I don't think any help is available here.
  • Accepted Answer

    Friday, April 28 2017, 01:50 PM - #Permalink
    Resolved
    0 votes
    Nick

    Thanks for that.

    The only reason I am asking for clarification is that their own documentation says that it does!

    https://www.clearos.com/resources/documentation/clearos/content:en_us:7_ug_static_vpn

    The Full version comes with the above plus options to support connections with third party hardware:

    Dead peer detection
    Additional options for IKE and ESP Encryption, Rekeying and Keylife, IKEv2 and Aggressive mode for maximum support with other hardware
    Manual tunnel control with reloading of specific tunnels
    Live AJAX tunnel status display
    Use of tunnel IDs to identify local / remote connections
    Support for road warrior connections with multiple remote IP addresses
    Log and IPsec policy information for diagnostics
  • Accepted Answer

    Friday, April 28 2017, 01:24 PM - #Permalink
    Resolved
    0 votes
    No, the Static IPsec VPN for Business is not suitable for road warriors. It is really meant for a LAN to LAN connection. It may just about be possible but I would not want to commit.

    However, the underlying package is Libreswan and it can be configured manually to give you what you want. Have a poke round their documentation and the rest of their site. You should be able to mix and match some of their configs, so you should be able to do things like IKEv2 with PSK. Probably the best way to go is IKEv2 and certificates (if you can work them out - again there is info on their web site). They also have a mailing list which is supported by the principal developer.