Koozali.org: home of the SME Server

B2B VPN from SME with pre-shared key

Offline besterl

  • ***
  • 78
  • +0/-0
B2B VPN from SME with pre-shared key
« on: May 04, 2011, 05:07:30 PM »
Hi All.

Just need someone that can point me in the right direction.

I need to set up a VPN connection from a SME 7.5.1 box to an ASA5520.

All they gave me is the ASA5520 public IP and the key to use.

I need this to establish automatically when the server starts up and reconnect automatically if dropped.

I know how to set up users to have VPN access, but suggestions around doing it from the SME would save me a lot of time searching for a solution.

Thanks in advance.

Offline janet

  • ****
  • 4,812
  • +0/-0
Re: B2B VPN from SME with pre-shared key
« Reply #1 on: May 04, 2011, 06:22:11 PM »
besterl

Quote
I need to set up a VPN connection from a SME 7.5.1 box to an ASA5520.
All they gave me is the ASA5520 public IP and the key to use.

See http://wiki.contribs.org/Category:Contrib
Look at the OpenVPN articles for possible clues re how to achieve what you want.




Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline besterl

  • ***
  • 78
  • +0/-0
Re: B2B VPN from SME with pre-shared key
« Reply #2 on: May 04, 2011, 10:12:02 PM »
Hi

I tried the IPSEC VPN server to server as detailed here

http://wiki.contribs.org/Ipsec

However - the howto seems to be for 7.1 and I get a lot of errors on my 7.5.1 box.

The sites seem to connect, but routing is not working

Will attempt the OpenVPN tomorrow and see if that works any better

Will keep you posted


Offline MSmith

  • *
  • 675
  • +0/-0
Re: B2B VPN from SME with pre-shared key
« Reply #3 on: May 04, 2011, 11:52:35 PM »
The most common problem with VPNs is the use of the same subnet (i.e. 192.168.1.X) on both sides of the VPN.  With subnet mask 255.255.255.0 there's literally no way the routers can know where the packets are supposed to go.
...
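The overlap problem described above is easy to check before touching any tunnel configuration. The following is an added example, not code from the thread or from SME Server: it takes the subnets each side intends to route through the tunnel and reports every pair that collides, together with the address range both sides would claim (the subnets used here are constructed sample values).

```python
import ipaddress


def overlapping_subnets(local_subnets, remote_subnets):
    """Return (local, remote, shared_range) for every pair of subnets that overlap.

    Two CIDR blocks either do not overlap at all or one contains the other, so
    the shared range is always the more specific (longer prefix) of the pair.
    Any non-empty result means the tunnel endpoints cannot route that range
    unambiguously, which is the symptom the reply above describes.
    """
    collisions = []
    for local in local_subnets:
        lnet = ipaddress.ip_network(local, strict=False)
        for remote in remote_subnets:
            rnet = ipaddress.ip_network(remote, strict=False)
            if lnet.overlaps(rnet):
                shared = lnet if lnet.prefixlen >= rnet.prefixlen else rnet
                collisions.append((str(lnet), str(rnet), str(shared)))
    return collisions


if __name__ == "__main__":
    # Constructed sample: both sites use the same 192.168.1.0/24 behind their gateway.
    site_a = ["192.168.1.0/24", "10.10.0.0/16"]
    site_b = ["192.168.1.0/24", "172.16.5.0/24"]
    for local, remote, shared in overlapping_subnets(site_a, site_b):
        print(f"conflict: local {local} and remote {remote} both cover {shared}")
```

Run it with the real subnets from both sides before building the tunnel; an empty result is the precondition for the routing to work at all, while a non-empty one means one side has to renumber (or NAT the tunnel traffic) regardless of how the IPsec phases are configured.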

Offline besterl

  • ***
  • 78
  • +0/-0
Re: B2B VPN from SME with pre-shared key
« Reply #4 on: May 05, 2011, 09:13:11 AM »
OK - I loaded the OpenVPN but that is more suited for doing an OpenVPN-to-OpenVPN connection with SMEs on both sides.

The problem I have here is that I need to connect from a SME to a Cisco ASA5520

The subnets are different and I understand the routing.

The problem with the IPSEC option though is that the howto refers to certain steps that need to be taken to sort out routing issues.

But the ifup and ifdown files to be downloaded are from 2007 and do not work with the current version of racoon.

Any ideas?
« Last Edit: May 05, 2011, 09:18:23 AM by besterl »

Offline Stefano

  • *
  • 10,839
  • +2/-0
Re: B2B VPN from SME with pre-shared key
« Reply #5 on: May 05, 2011, 09:54:49 AM »

Offline besterl

  • ***
  • 78
  • +0/-0
Re: B2B VPN from SME with pre-shared key
« Reply #6 on: May 10, 2011, 05:16:56 PM »
Hi

vpnc seems to be connecting a single PC to a Cisco firewall, but thanks for the tip

Seems like we are stuck with the IPSEC tunnel

OK - Here is the current status quo

From the firewall I get the following if I view the messages logfile (tail -F /var/log/messages)

xxx.xxx.xxx.xxx is my SME and yyy.yyy.yyy.yyy is the Cisco

May 10 17:12:57 firewall racoon: INFO: unsupported PF_KEY message REGISTER
May 10 17:13:24 firewall racoon: INFO: initiate new phase 1 negotiation: xxx.xxx.xxx.xxx[500]<=>yyy.yyy.yyy.yyy[500]
May 10 17:13:24 firewall racoon: INFO: begin Identity Protection mode.
May 10 17:13:24 firewall racoon: INFO: ISAKMP-SA established xxx.xxx.xxx.xxx[500]-yyy.yyy.yyy.yyy[500] spi:43de47a192002e42:bb45363ce98422a9
May 10 17:13:25 firewall racoon: INFO: initiate new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>yyy.yyy.yyy.yyy[0]
May 10 17:13:25 firewall racoon: ERROR: unknown notify message, no phase2 handle found.
May 10 17:13:25 firewall racoon: INFO: purged ISAKMP-SA proto_id=ISAKMP spi=43de47a192002e42:bb45363ce98422a9.
May 10 17:13:55 firewall racoon: INFO: IPsec-SA expired: AH/Tunnel yyy.yyy.yyy.yyy->xxx.xxx.xxx.xxx spi=153025252(0x91efae4)
May 10 17:13:55 firewall racoon: WARNING: the expire message is received but the handler has not been established.
May 10 17:13:55 firewall racoon: ERROR: yyy.yyy.yyy.yyy give up to get IPsec-SA due to time up to wait.
May 10 17:13:55 firewall racoon: INFO: ISAKMP-SA deleted xxx.xxx.xxx.xxx[500]-yyy.yyy.yyy.yyy[500] spi:43de47a192002e42:bb45363ce98422a9
May 10 17:13:55 firewall racoon: INFO: IPsec-SA expired: ESP/Tunnel yyy.yyy.yyy.yyy->xxx.xxx.xxx.xxx spi=35985212(0x225173c)
May 10 17:13:57 firewall racoon: INFO: IPsec-SA request for yyy.yyy.yyy.yyy queued due to no phase1 found.
May 10 17:13:57 firewall racoon: INFO: initiate new phase 1 negotiation: xxx.xxx.xxx.xxx[500]<=>yyy.yyy.yyy.yyy[500]
May 10 17:13:57 firewall racoon: INFO: begin Identity Protection mode.
May 10 17:13:57 firewall racoon: INFO: ISAKMP-SA established xxx.xxx.xxx.xxx[500]-yyy.yyy.yyy.yyy[500] spi:3bbeaff11f929392:69e9318165483241
May 10 17:13:58 firewall racoon: INFO: initiate new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>yyy.yyy.yyy.yyy[0]
May 10 17:13:58 firewall racoon: ERROR: unknown notify message, no phase2 handle found.
May 10 17:13:58 firewall racoon: INFO: purged ISAKMP-SA proto_id=ISAKMP spi=3bbeaff11f929392:69e9318165483241.


It seems like phase 1 is established, but then it gets torn down

I am not sure why
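The log above already contains the answer to "I am not sure why": each ISAKMP-SA (phase 1) comes up, which means the peer accepted the pre-shared key and the IKE proposal, and is then purged as soon as phase 2 is attempted and the peer answers with a notify that racoon cannot match to any phase 2 handle. That is the pattern of a phase 2 (IPsec SA) proposal or traffic-selector mismatch rather than a key problem. The following is an added example, not code from the thread or from the SME Server project: it groups racoon messages by ISAKMP-SA SPI and classifies each SA. The sample log is constructed from the lines quoted in the post, with one additional healthy "IPsec-SA established" line added for contrast (the address placeholders are the poster's own).

```python
import re

# Constructed sample modelled on the racoon output quoted above; the final
# "IPsec-SA established" line is added here to show what a healthy phase 2 looks like.
SAMPLE_LOG = """\
May 10 17:13:24 firewall racoon: INFO: initiate new phase 1 negotiation: xxx.xxx.xxx.xxx[500]<=>yyy.yyy.yyy.yyy[500]
May 10 17:13:24 firewall racoon: INFO: ISAKMP-SA established xxx.xxx.xxx.xxx[500]-yyy.yyy.yyy.yyy[500] spi:43de47a192002e42:bb45363ce98422a9
May 10 17:13:25 firewall racoon: INFO: initiate new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>yyy.yyy.yyy.yyy[0]
May 10 17:13:25 firewall racoon: ERROR: unknown notify message, no phase2 handle found.
May 10 17:13:25 firewall racoon: INFO: purged ISAKMP-SA proto_id=ISAKMP spi=43de47a192002e42:bb45363ce98422a9.
May 10 17:13:57 firewall racoon: INFO: initiate new phase 1 negotiation: xxx.xxx.xxx.xxx[500]<=>yyy.yyy.yyy.yyy[500]
May 10 17:13:57 firewall racoon: INFO: ISAKMP-SA established xxx.xxx.xxx.xxx[500]-yyy.yyy.yyy.yyy[500] spi:3bbeaff11f929392:69e9318165483241
May 10 17:13:58 firewall racoon: INFO: initiate new phase 2 negotiation: xxx.xxx.xxx.xxx[0]<=>yyy.yyy.yyy.yyy[0]
May 10 17:13:58 firewall racoon: INFO: IPsec-SA established: ESP/Tunnel yyy.yyy.yyy.yyy->xxx.xxx.xxx.xxx spi=12345(0x3039)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ racoon: (?P<level>[A-Z]+): (?P<msg>.*)$")
ISAKMP_UP_RE = re.compile(r"ISAKMP-SA established .* spi:(?P<spi>[0-9a-f]+:[0-9a-f]+)")
ISAKMP_PURGED_RE = re.compile(r"purged ISAKMP-SA .* spi=(?P<spi>[0-9a-f]+:[0-9a-f]+)")
PHASE2_START_RE = re.compile(r"initiate new phase 2 negotiation")
IPSEC_UP_RE = re.compile(r"IPsec-SA established: (?P<proto>AH|ESP)/")

# Verdict -> what a practitioner should look at next (educational guidance, not from the thread).
GUIDANCE = {
    "phase2_ok": "phase 1 and phase 2 both established; if traffic still fails, look at routing/firewall rules",
    "phase2_rejected": "phase 1 accepted the pre-shared key; phase 2 was refused: compare ESP vs AH, cipher/hash, "
                       "PFS group, lifetimes and the local/remote subnets (traffic selectors) with the peer",
    "phase2_pending": "phase 2 was started but neither completed nor failed within the log window",
    "phase1_only": "phase 1 came up but no phase 2 was attempted; check the SPD/policy that should trigger it",
}


def parse_racoon_log(text):
    """Group racoon messages into one record per ISAKMP (phase 1) SA, keyed by its SPI pair."""
    records, current = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        up = ISAKMP_UP_RE.search(msg)
        if up:
            current = {"spi": up.group("spi"), "since": m.group("ts"), "phase2_attempts": 0,
                       "ipsec_sas": [], "errors": [], "purged": False}
            records.append(current)
            continue
        if current is None:
            continue  # message not tied to a live ISAKMP-SA (e.g. the phase 1 initiate line)
        if PHASE2_START_RE.search(msg):
            current["phase2_attempts"] += 1
        elif IPSEC_UP_RE.search(msg):
            current["ipsec_sas"].append(IPSEC_UP_RE.search(msg).group("proto"))
        elif m.group("level") == "ERROR":
            current["errors"].append(msg)
        purged = ISAKMP_PURGED_RE.search(msg)
        if purged and purged.group("spi") == current["spi"]:
            current["purged"] = True
            current = None
    return records


def diagnose(record):
    """Classify one ISAKMP-SA record into a verdict key from GUIDANCE."""
    if record["ipsec_sas"]:
        return "phase2_ok"
    if record["phase2_attempts"] and record["errors"]:
        return "phase2_rejected"
    if record["phase2_attempts"]:
        return "phase2_pending"
    return "phase1_only"


def triage(text):
    """Return a list of (spi, verdict) pairs, one per ISAKMP-SA seen in the log."""
    return [(r["spi"], diagnose(r)) for r in parse_racoon_log(text)]


if __name__ == "__main__":
    for spi, verdict in triage(SAMPLE_LOG):
        print(f"ISAKMP-SA {spi}: {verdict} -> {GUIDANCE[verdict]}")
```

Run it against the real file with `triage(open("/var/log/messages").read())`; a run of "phase2_rejected" verdicts with an otherwise stable phase 1 points at the IPsec SA parameters and subnet definitions on the two peers, which is where the comparison with the Cisco side belongs.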



Offline besterl

  • ***
  • 78
  • +0/-0
Re: B2B VPN from SME with pre-shared key
« Reply #7 on: May 10, 2011, 07:04:33 PM »
On the Cisco I get the following

All IPSec SA proposals found unacceptable!

Seems like Cisco is a bit snobbish  :o


I was looking at open / free S/Wan but see that development with SME died a natural death in about 2006.

A pity though as it seems to do the trick.

The link for IPSEC tunneling HOWTO on SME was last really updated for 7.1

On there they suggested downloading the following

# cd /etc/sysconfig/network-scripts
# mv ifup-ipsec ifup-ipsec.old
# mv ifdown-ipsec ifdown-ipsec.old
# wget http://www.comnetel.com/sme7_ipsec/ifup-ipsec
# wget http://www.comnetel.com/sme7_ipsec/ifdown-ipsec


But that seems outdated - as the ipsec utils are newer than those files

So - Lloyd and David - thanks for the good work - but where to now - you guys are the experts

And Knuddi - I see bugs should be reported to you.

It is not a bug - just a request for help.