TOPIC: IPSec site to site VPN to ASA - Unable to connect
#30420
IPSec site to site VPN to ASA - Unable to connect 3 Years, 9 Months ago  
Can't seem to figure out what I am doing wrong.

ipsec.conf
Code:
config setup
        protostack=netkey
        klipsdebug=none
        plutodebug=all
        interfaces=%defaultroute
        oe=no

conn %default
        authby=secret
        auto=start
        aggrmode=no
        compress=no
        rightupdown=/usr/libexec/ipsec/_updown.app
        leftupdown=/usr/libexec/ipsec/_updown.app
        left=xxx
        leftsubnet=xxx/24

conn realtime
        type=tunnel
        keyexchange=ike
        pfs=no
        right=xxx
        rightsubnet=xxx/24
ipsec.secrets
Code:
xxx xxx : PSK "*****"
ASA is the same I always do ESP-3DES-SHA

ipsec auto --status
Code:
...
000 #3: xxx:500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 40s; nodpd; idle; import:admin initiate
000 #3: pending Phase 2 for "xxx" replacing #0
Which I believe means it's not getting a response from the ASA?
Steven Barnes
Fresh Boarder
Posts: 4
Last Edit: 2011/07/26 13:06 By MrRat.
#30426
Re: IPSec site to site VPN to ASA - Unable to connect 3 Years, 9 Months ago  
If you can I'd set left=%defaultroute otherwise I think you have to specify leftnexthop.
I'd turn off plutodebug by setting it to none. The normal logs should be good enough.
If you get the tunnel up I'd set leftsourceip to your gateway LAN IP.
If the ASA is trying to call you, try changing auto to "add" so there is initially only one way negotiation.
Does the ASA not like PFS?
Have you opened the firewall to inbound UDP:500?

Can you do the first two changes at least then post a few more lines of /var/log/secure as the connection starts negotiation until it fails?
Nick Howitt
Moderator
Posts: 6565
Last Edit: 2011/07/21 07:55 By NickH.
#30461
Re: IPSec site to site VPN to ASA - Unable to connect 3 Years, 9 Months ago
I really appreciate your help here. I've configured several VPNs on the ASA but never messed with OpenSwan before.

Changed debug to none and added left=%defaultroute

Code:
000 #1: "xxx":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 0s; nodpd; idle; import:admin initiate
000 #1: pending Phase 2 for "xxx" replacing #0
000

Steven Barnes
Fresh Boarder
Posts: 4
Last Edit: 2011/07/26 13:07 By MrRat.
#30468
Re: IPSec site to site VPN to ASA - Unable to connect 3 Years, 9 Months ago
I'm afraid I'm going to have to stop here as I am about to go away for a week. Things to do/try:
- remove the left/rightupdown bits so you use the default up/down scripts
- try auto=add and see if the ASA tries to contact Openswan
- check you have opened up incoming standard service IPSec (UDP:500 + AH/ESP)
- I think you have multiwan so check everything is going out through the correct port
- have a look at the ASA logs to see if it is being contacted and from which IP

To me it looks like one end or the other is blocking the messages or not responding.

Then for good help try the openswan mailing lists. They may ask you to upgrade to a current version of Openswan. As you are running a manual configuration you can uninstall what you've got (2.6.21) and download, compile and install the new package directly. If you want everything to go in the ClearOS normal places there is a one line change to make to makefile.inc before compiling. Search this forum (possibly), but definitely it is in the old Clarkconnect forums. If you're not bothered, compile the package as it is. It works fine.
Nick Howitt
Moderator
Posts: 6565
#30599
Re: IPSec site to site VPN to ASA - Unable to connect 3 Years, 9 Months ago
Set up a test box and forgot to add "interfaces=%defaultroute" and the test VPN worked.

Removed the line from the production box and it connected also.

Final configuration was simply
Code:
config setup
        protostack=netkey
        klipsdebug=none
        plutodebug=none

conn %default
        authby=secret
        auto=start
        rightupdown=/usr/libexec/ipsec/_updown.app
        leftupdown=/usr/libexec/ipsec/_updown.app

conn realtime1
        type=tunnel
        pfs=no
        left=<External IP>
        leftsubnet=<Internal Subnet>/24
        right=<Remote External IP>
        rightsubnet=<Remote Internal Subnet>/24

From all I've seen that is not supposed to work, but it does.
Steven Barnes
Fresh Boarder
Posts: 4
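As an added example (not code from the thread or from Openswan), here is a small Python linter that parses an ipsec.conf and flags the three things this thread turned on: plutodebug=all, the interfaces=%defaultroute line whose removal brought the tunnel up, and a subnet written without its /prefix. The sample config and the check rules are assumptions modelled on the posts above.

```python
# Added example, not code from the thread or from Openswan: lint an ipsec.conf
# for the pitfalls this thread ran into. Checks and sample values are assumptions.
import re

SAMPLE_CONF = """\
config setup
        plutodebug=all
        interfaces=%defaultroute

conn %default
        authby=secret
        auto=start

conn realtime
        left=203.0.113.10
        leftsubnet=192.168.1.0/24
        right=198.51.100.20
        rightsubnet=192.168.2.024
"""  # constructed sample, modelled on the first config posted in the thread
CIDR = re.compile(r"^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$")

def parse_ipsec_conf(text):  # -> {"config setup": {...}, "conn NAME": {...}}
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                   # unindented line: section header
            current = sections.setdefault(" ".join(line.split()), {})
        elif current is not None and "=" in line:   # indented line: key=value
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections

def lint_ipsec_conf(text):  # -> list of (section, message) findings, in file order
    sections = parse_ipsec_conf(text)
    setup = sections.get("config setup", {})
    findings = []
    if setup.get("plutodebug", "none") != "none":
        findings.append(("config setup", "plutodebug should be none; the normal logs suffice"))
    if setup.get("interfaces") == "%defaultroute":
        findings.append(("config setup", "interfaces=%defaultroute: removing it brought the tunnel up in this thread"))
    for name, conn in sections.items():
        if not name.startswith("conn "):
            continue
        for side in ("leftsubnet", "rightsubnet"):
            value = conn.get(side)
            if value and not CIDR.match(value):
                findings.append((name, f"{side}={value} is not in a.b.c.d/prefix form"))
    return findings
```

Run it against /etc/ipsec.conf before starting the tunnel; an empty result means none of the three pitfalls is present.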