IPSecuritas

Transcription

IPSecuritas

Checkpoint NG Feature Pack 4
Checkpoint NG Feature Pack 4
by Jim Kelly on 2004-03-24 14:20:30 +0100
Are there any configuration instructions for use of IP Securitas with
Checkpoint NG FP 4?
Re: Checkpoint NG Feature Pack 4
by Mitch on 2004-03-26 15:28:37 +0100
Hi Jim,
Don't have an answer for you yet. Just downloaded the software at work
today and will take home and try it out tonight or tomorrow. I had limited
success with VPN Tracker and Checkpoint and saved screen shots of my
settings in that. I'll try configuring IPSecuritas with those and pass on the
info to you.
Checkpoint is a real pain in the a** when it comes to working through
third-party software, which I wouldn't even bother if they had a Mac
version. Stuck with Checkpoint, however, since my office uses it. As long as
IPSecuritas can import my .p12 file, I should be able to do it.
I've had to use VirtualPC, a no-legged dog when it comes to speed with the
Windows version of Checkpoint installed on that.
by cnadig on 2004-03-26 17:15:56 +0100
Hello,
Have a look at the HOWTO section in the online help. There are some
instructions how to configure IPsecuritas for a Checkpoint firewall, some
settings might differ, depending of the Checkpoint setting.
Since IPSecuritas can't (yet) import PKCS#12, check out the section that
describes how to convert them into files in PEM format to import the
certificates.
by Mitch on 2004-04-11 13:14:21 +0200
I modified my p12 cert the way described in help file and imported into
ipsecuritas, but the program still doesn't recognize the pem file when
setting up the ID section. It says that there are no certs available. What am
I doing wrong?
by cnadig on 2004-04-14 07:58:55 +0200
Hello Jim,
have you imported the two files as 'own certificate' and does the certificate
show up in the certifictates manager window (with the rows private saying
yes and CA saying no)?
Christoph
by Mitch on 2004-04-15 19:39:27 +0200
Still having problems. Importing as own certificate leaves the private
column "no" and the ca column "no".
fAntivirus and Firewall
by fmorchid on 2004-05-21 12:30:03 +0200
hello,
is it possible to install a symantec antivirus with the checkpoint firewall?
thnak you
by sandra maury on 2004-11-12 13:10:57 +0100
I have same problem. can you have solution ?
Thank you very much.
Sandra
[quote author=Mitch link=1080134430/0#5 date=1082050767]Still having
problems. Importing as own certificate leaves the private column "no" and
the ca column "no".[/quote]
NAT-T Support?
NAT-T Support?
by petro on 2004-03-28 18:50:05 +0200
Does anyone know where implementing NAT-T in the core MacOS IPsec
implementation stands? Unfortunately, KAME's web site isn't the easiest to
figure this stuff out on. Is apple using the straight KAME implementation?
Thanks,
-pete
Re: NAT-T Support?
by cnadig on 2004-04-14 08:12:18 +0200
Hello Petro,
there is NAT-T support in racoon in 10.3 - as for the necessary kernel
support I don't know yet.
I'm in contact with a few people to get some experience with NAT-T and
will keep you updated on any progress!
Christoph
Re: NAT-T Support?
by NetWhiz on 2004-05-28 18:11:42 +0200
Any further knowledge on this? Testing over a wireless dial-up b/c of a lack
of NAT-T support in the Mac OS X kernel really sucks.
UPDATE: Just saw teh new client, so tried it and it works wonderfully! Now,
is there any way you could post the racoon.conf file (or its location) so that
we might see what is being set? I would love to be able to get the built-in
L2TP/IPSec client working with NAT-T if at all possible! At least I could test
plain IPSec on a NAT'd connection now. Back to dialup for the L2TP support
though ... :(
Thanks,
NetWhiz
Re: NAT-T Support?
by cnadig on 2004-06-08 22:54:39 +0200
Hello,
IPSecuritas writes its racoon.conf to /tmp/ipsecuritas.conf - only root can
read it.
Could you elaborate a bit more on your tests with NAT-T?
Thanks,
Christoph
Re: NAT-T Support?
by AaronA1975 on 2004-10-08 04:40:44 +0200
Any news as to whether NAT-T will be available in an upcoming release of
IPSecuritas?
error malformed cookie received...
error malformed cookie received...
by Viny on 2004-03-29 05:15:04 +0200
I use IPSecuritas 1.0.3 on OS X 10.3.3 to a FW-1 NG AI R54 without
problem.
When using IPSecuritas 2.0, I have this error:
Mar 28 22:06:41 xxxx racoon: DEBUG: isakmp.c:519:isakmp_main():
malformed cookie received or the initiator's cookies collide.
I don't have error on the firewall.
When I come back with 1.0.3, it's OK.
And I have deleted 1.0.3 settings before reconfiguring 2.0 without success.
Somebody can help me ?
Thanks.
Re: error malformed cookie received...
by cnadig on 2004-03-30 06:38:48 +0200
Helloy Viny,
probably the other end sends a notification, probably to indicate an
unexpected situation. This is often done without the remote cookie and
therefore you get the error message. The key exchange would probably be
aborted anyway.
Could you post just the last line before the malformed cookie message, i.e:
Mar 24 05:21:01 g4 racoon: DEBUG: plog.c:199:plogdump():
8fefe5e8 ac9d2d2c 00000000 00000000 0b100500 00000000 00000028
0000000c
00000001 0100001d
That would allow to determine the content of the notification and the
reason, why it was send (unsupported exchange type in the example
above).
Christoph
by Viny on 2004-03-30 12:24:34 +0200
Hello Christoph,
This is the line:
Mar 30 05:18:11 xxxx racoon: DEBUG: plog.c:199:plogdump(): 65dd6250
681660e4 00000000 00000000 0b100500 4ef00f34 00000028 0000000c
00000000 01000012
Thanks
by cnadig on 2004-03-30 23:05:14 +0200
Hello Viny,
from the log and your error description I assume you're using a DN as your
local identification. IPSecuritas 1.0.3 always treated them as a username
with fully qualified distinguished name (a USER_FQDN), which seems to be
fine with a number of firewalls/routers.
Version 2.0 now makes a strict distinction between a USER_FQDN (normally
in the form user@dn) and a FQDN (without the user part and the @). It
seems that certain firewalls (including Checkpoint) only accept a
USER_FQDN, regardless of the actual value.
With 2.0.2 (get it at http://www.lobotomo.com/products/downloads
/IPSecuritas202.dmg) you can now force IPSecuritas to use USER_FQDN. Just
put a @ sign in front of the username (instead of 'user' enter '@user' into
the DN field for your local identifier).
It should then work again for you!
I'll release an official update that resolves a few more of these smaller
issues (also in the documentation) in a few weeks.
Christoph
by Viny on 2004-03-31 06:37:44 +0200
Perfect ! It's work !
Thanks !
Viny
by Jeff on 2004-05-15 18:46:23 +0200
I'm getting the same "malformed cookie" error, also with VPN-1. Here is the
line before in the log:
May 15 12:25:59 Jeffs-Computer racoon: DEBUG: plog.c:199:plogdump():
3ceb1670 26c898de 00000000 00000000 0b100500 00000000
00000028 0000000c 00000000 0100001d
Can you help?
Thanks!
IPSecuritas <-> Sonicwall
IPSecuritas <-> Sonicwall
by Guy van der Kolk on 2004-03-30 11:23:04 +0200
Goodmorning/afternoon/evening ;)
I haven an issue with the interoperability between IPSecuritas and a
Sonicwall. Specs of the Sonicwall will be added as soon as I get them.
We have a succesfull setup using VPNTracker. Off-course, as we are ever
aware of the costs, a free/donation program is better, and IPSecuritas looks
good.
I have set up the connectionsettings just as they are in the Working
VPN-Tracker setup. Racoon starts up like a charm, but I do not get past:
[i]racoon: ERROR: oakley.c:2053:oakley_skeyid(): couldn't find the pskey[/i]
Having tried almost every possible combination (luckily, there aren't that
many in the Phase 1 setup) I am at a loss.
As a final note: VPN-Trackers log ALSO says it can't find a PSKey, but
VPN-Tracker somehow continues and sets a working connection anyway.
Re: IPSecuritas <-> Sonicwall
by cnadig on 2004-03-30 11:32:16 +0200
Hello,
there are two possibilities that should resolve the issue:
1. Deselect the 'Verify Identity' option in Options tab
2. Set the remote identifier to 'DN' and enter the numerical IP address of the
IPSec router into the text field (which of course is only possible if it has a
static address).
I'm not sure whether racoon (the MacOS X IKE daemon) or the firewall is at
fault here - but it rather seems to be in racoon as I has similar reports with
different VPN routers.
Christoph
by Guy van der Kolk on 2004-03-30 12:20:56 +0200
Thank you very much!
The "Verify Identifier" option did the trick.
It now gives the same message as VPN-Tracker, but builds a working
connection anyway!
We'll be looking at a donation very soon. :)
by viparre on 2004-04-14 18:37:21 +0200
Hello,
I am trying to use a SonicWall too, but with no success :-(
- Should I use a separate SA in the SonicWall, or I must use the GroupVPN?
- May I use a dynamic IP address when I connect to the SonicWall?
- I created a new SA with the following options:
* Remote IP address 0.0.0.0
* Aggressive Mode
* Group 2
* esp des hmac md5
* dest network: 192.168.10.1/32
- On the Ip Securitas side:
* Host To Network
* The remote network
* a local address 192.168.10.1
* Exchange Mode: Aggressive
* Proposal Check: Obey / 16
* Ph 1: Grp 2, DES, MD5
* Ph 2: Grp 1, DES, HMAC MD5
* ID Auth Address, Address
* Options: IPSec DOi, SIT_IDE.., Initial Conact, Generate Policy, MIP6
The negotiation starts but the Sonicwall says that the ipsec proposal
doesn't match (Phase 1).
Unfortunately, I can' find a basic working example to start a trial.
Thanks for the help,
Vito Parisi
by David Barnhart on 2004-04-21 18:10:22 +0200
I have just spent a few weeks getting IPSecuritas 2.0 to connect to a Sonic
Wall.
There are a couple of things you should note.
1. You can use either the GroupVPN or a separate SA. I finally just had the
IT guy set me up a separate SA as that made it easier to have a different
home network than the one used by the people coming in through the
GroupVPN.
2. Setting up IPSecuritas in the network-to-network mode makes the
configuration job easier. Just use the network that you local address
resides in as the local network. Host to network should work as well, but it
does some things differently that were causing me some problems.
3. Make sure that the SonicWall has a route to your home network
address/network. This also applies to any routers on the network you are
trying to tunnel to.
Now, with regard to getting the tunnel established in the first place before
worrying about routing, I used a couple of different parameters than you
mention.
Proposal check: Claim 16
Phase 1: 3DES, SHA1
Phase 1 DH Group: Group 1
Phase 2: ESP 3DES HMAC SHA1
Phase 2 PFS Group: Group 1
As mentioned in one of the messages in this thread, turn off the Verify
Identifier option.
With all of the above set, I was able to establish a tunnel to our SonicWall,
even across a home router (which has IP-Sec passthrough turned on).
Obviously, you will have to check that the options match on both sides.
Hope this info helps.
by JIMBOB on 2004-04-23 11:44:32 +0200
I've tried to connect to a sonic wall SOHO3 and cannot seem to manage.
it seems to nearly get there, this is the last lines from debug
Apr 23 10:20:06 xxxxxx racoon: DEBUG:
isakmp.c:1374:isakmp_parsewoh(): succeed.
Apr 23 10:20:06 xxxxxx racoon: ERROR:
isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no
phase2 handle found.
isakmp_inf.c:870:isakmp_info_recv_n(): notification message 14:NOPROPOSAL-CHOSEN, doi=1 proto_id=3 spi=0b0b7bf9(size=4).
Apr 23 10:20:06 xxxxxx racoon: ERROR:
Apr 23 10:20:16 xxxxxx racoon: ERROR: pfkey.c:745:pfkey_timeover():
xx.xx.xx.xx give up to get IPsec-SA due to time up to wait.
Apr 23 10:20:16 xxxxxx racoon: ERROR: pfkey.c:745:pfkey_timeover():
xx.xx.xx.xx give up to get IPsec-SA due to time up to wait.
schedule.c:210:sched_scrub_param(): an undead schedule has been
deleted.
any ideas greatfully received
using host to network, Ph1 group 1 des md5, Ph2 group 1 des md5
preshared secret and verify identifier off.
os 10.3.3, cable modem, dyn IP (though quite static), local network by
airport, port mapping 500 and 4500, local ip 10.0.1.2.
J/ :P
by JIMBOB on 2004-04-23 18:41:57 +0200
Hello again,
This is the corrisponding sonic wall log.
I'll have a play soon, but any magic ideas welome.
04/23/2004 10:18:20.848
IKE Responder: ESP Perfect Forward Secrecy
mismatch
xx.xx.xx.xx,
xx.xx.xx.xx
04/23/2004 10:18:20.704
IKE Responder: Received Quick Mode
Request (Phase 2)
xx.xx.xx.xx,
xx.xx.xx.xx
04/23/2004 10:18:01.592
IKE Responder: IPSec proposal does not
match (Phase 2)
xx.xx.xx.xx,
xx.xx.xx.xx
10.0.1.2/32 ->
193.112.230.3/24
04/23/2004 10:18:01.592
IKE Responder: ESP Perfect Forward Secrecy
mismatch
xx.xx.xx.xx,
xx.xx.xx.xx
04/23/2004 10:18:01.512
IKE Responder: Received Quick Mode
Request (Phase 2)
xx.xx.xx.xx,
xx.xx.xx.xx
04/23/2004 10:18:00.464
IKE Responder: Aggressive Mode complete
(Phase 1)
xx.xx.xx.xx,
xx.xx.xx.xx
DES MD5 Group 1
lifeSeconds=3600
04/23/2004 10:18:00.320
NAT Discovery : Peer IPSec Security Gateway
doesn't support VPN NAT Traversal
xx.xx.xx.xx,
xx.xx.xx.xx
thanks.
by JIMBOB on 2004-04-27 15:34:35 +0200
Well sorted that one easy enough,
The sonic wall doesn't support phase 2 DH, so set this to null on sucuritas.
;)
by Doug Fodeman on 2004-04-28 00:37:17 +0200
Like many others I'm looking for a low cost alternative to VPN Tracker. We
have a SonicWall Pro 230 and have turned on VPN services. A PC is able to
get in just fine but I haven't been able to tunnel in with my OSX Mac. Below
is the log file.
Here are the stats:
Host to Network operation
Phase1: DH Group1, 3DES, SHA1
Phase2: PFS Group2, DES, 3DES, HMAC, SHA1
ID/Authentication: Local is set to address while remote identifier uses the
identifying key in the Sonicwall. Preshared secret is entered correctly.
Options: Verify Identifier is turned off. Turned on are IPSec_DOI,
SIT_Identity, Initial Contact, Generate Policy, MIP6, Establish IKE
Immediately.
Log reads:
Apr 27 18:17:28 Computer IPSecuritas: Racoon is running
Apr 27 18:17:28 Computer IPSecuritas: Set kernel keys
Apr 27 18:17:28 Computer racoon: INFO: isakmp.c:1357:isakmp_open():
192.168.xxx.xxx[500] used as isakmp port (fd=6)
Apr 27 18:17:28 Computer racoon: INFO: isakmp.c:1357:isakmp_open():
192.168.xxx.xxx[500] used as isakmp port (fd=6)
Apr 27 18:17:28 Computer racoon: INFO:
isakmp.c:1681:isakmp_post_acquire(): IPsec-SA request for xxx.xxx.xxx.xx
queued due to no phase1 found.
isakmp.c:1681:isakmp_post_acquire(): IPsec-SA request for xxx.xxx.xxx.xx
queued due to no phase1 found.
isakmp.c:795:isakmp_ph1begin_i(): initiate new phase 1 negotiation:
192.168.xxx.xxx[500]<=>xxx.xxx.xxx.xx[500]
Apr 27 18:17:28 Douglas-Fodemans-Computer racoon: INFO:
192.168.xxx.xxx[500]<=>xxx.xxx.xxx.xx[500]
isakmp.c:800:isakmp_ph1begin_i(): begin Aggressive mode.
isakmp.c:800:isakmp_ph1begin_i(): begin Aggressive mode.
Any thoughts or suggestions??
Doug
by Brian Godden on 2004-08-17 21:30:02 +0200
Hi, I have another case of trying to get IPSecuritas connected to a Sonicwall.
The settings are pretty standard for both, os it's likely just my ignorance of
what each side requires, hopefully, it's something very obvious. I'm going
to list specs, settings and results below, any suggestions on changing the
settings for the client or SA would be greatly appreciated!
Firewall: SonicWall Pro-VX
-------------------------------VPN Summary(these feature are enabled):
Enable VPN
Enable IKE Dead Peer Detection
Dead Peer Detection Interval (seconds): 60
Failure Trigger Level (missed heartbeats): 3
Clean up Active tunnels when Peer Gateway DNS name resolves to a
different IP Address
SA: GroupVPN
IPSec Keying Mode: IKE using pre-shared secret
Security Policy:
SA Life time (secs): 28800
Phase 1 Encryption/Authentication: DES & MD5
Phase 2 Encryption/Authentication: Encrypt and Authenticate (ESP DES
HMAC MD5)
Shared Secret: ---------IPSecutas, version 2.0.6
Mac OS X 10.3.5
General:
Mode: Host to Network
Remote IPSec Device: (IP Address of firewall)
Remote Network: 10.5.1.0 / 24
Exchange Mode: Main
Proposal Check: Obey Nonce Size: 16
Phase 1:
Lifetime: 28800
DH Group: Mod768(1)
Encryption: DES
Authentication: MD5
Phase 2:
Lifetime: 28800
PFS Group: Mod768 (1)
Encryption: DES
Authentication: HMAC MD5
Id/Auth:
Identifiers set to Address (also tried setting DN of remote to firewall
address)
Preshared Secret set
Options (these are enabled):
Compression Deflate
IPSec DOI
SIT_IDENTITY_ONLY
Initial Contact
MIP6
DHCP-Passthrough
Establish IKE Immediately
Here are my log entries:
Here is the log of IPSecuritas in normal mode:
Aug 17 12:23:02 powerbookg3 IPSecuritas: Parsing configuration
Aug 17 12:23:03 powerbookg3 IPSecuritas: Setting up racoon.conf
Aug 17 12:23:03 powerbookg3 IPSecuritas: Setting up setkey.conf
Aug 17 12:23:03 powerbookg3 IPSecuritas: Setting up psk.txt
Aug 17 12:23:03 powerbookg3 IPSecuritas: Setting up tunnel.conf
Aug 17 12:23:03 powerbookg3 IPSecuritas: Parsing configuration done
Aug 17 12:23:04 powerbookg3 IPSecuritas: Starting racoon...
Aug 17 12:23:04 powerbookg3 IPSecuritas: Racoon is running
Aug 17 12:23:04 powerbookg3 IPSecuritas: Set kernel keys
Aug 17 12:23:06 powerbookg3 racoon: ERROR:
isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2
handle found.
handle found.
handle found.
Aug 17 12:23:36 powerbookg3 racoon: ERROR: pfkey.c:745:pfkey_timeover():
64.139.33.26 give up to get IPsec-SA due to time up to wait.
handle found.
Aug 17 12:23:36 powerbookg3 racoon: ERROR: pfkey.c:745:pfkey_timeover():
And the corresponding log of the firewall:
08/17/2004 12:23:27.064
SENDING>>>> ISAKMP OAK INFO (InitCookie 0x517f043c892f85c1, MsgID:
0x34722540) *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)
64.139.33.26, 500
63.196.31.22, 498
08/17/2004 12:23:27.064
IKE Responder: IPSec proposal does not match (Phase 2)
63.196.31.22 (admin)
64.139.33.26
10.5.10.127/32 -> 10.5.1.0/24
08/17/2004 12:23:27.064
IKE Responder: ESP Perfect Forward Secrecy mismatch
63.196.31.22 (admin)
64.139.33.26
08/17/2004 12:23:26.928
RECEIVED<<< ISAKMP OAK QM (InitCookie 0x517f043c892f85c1, MsgID:
0x14E299E6) *(HASH, SA, NON, KE, ID, ID)
63.196.31.22, 498 (admin)
64.139.33.26, 500
Hmmm.. OK, after reading more thoroughly through JIMBOBs setup above,
I set Phase 2 PFS Group to None and then estabished a connection!! You
guys rock for making this freeware, I will get a donation of some kind
going...
I am however, not able to ping machines inside the other network... Any
help on what might be happening there?
Thanks!
-Brian
by Paul Chernoff on 2004-12-24 15:58:45 +0100
I just upgraded my SonicWall 2040 to Sonic Enhanced OS 2.5 from the
regular Sonic OS 2.1. I had to recreate all of my settings on the SonicWall.
Since then I cannot get IPSecuritas to connect to the SonicWall.
My IPSecuritas settings are intended to mirror my SonicWall (which I won't
have access to until Monday). My IPSecuritas settings are as follows:
Host to Network
Exchange Mode: Main
Proposal Check: Obey, size :16
Phase 1
Lifetime: 28800
DH Group: Mod768 (1)
Encryption: 3DES
Auth: MD5
Phase 2
Lifetime: 28800
PFS Group: None (I know it is EPS on the SW)
Encryption: 3DES
Auth: MD5
ID/Auth
Address for both and a preshared secret
Options
Establish IKE immediately
Here is the log on my IPSecuritas
Dec 24 09:52:05 Paul-Chernoffs-Computer IPSecuritas: Parsing
configuration
Dec 24 09:52:05 Paul-Chernoffs-Computer IPSecuritas: Setting up
racoon.conf
setkey.conf
Dec 24 09:52:05 Paul-Chernoffs-Computer IPSecuritas: Setting up psk.txt
tunnel.conf
Dec 24 09:52:05 Paul-Chernoffs-Computer IPSecuritas: Parsing
configuration done
Dec 24 09:52:06 Paul-Chernoffs-Computer IPSecuritas: Starting racoon...
Dec 24 09:52:07 Paul-Chernoffs-Computer IPSecuritas: Racoon is running
Dec 24 09:52:07 Paul-Chernoffs-Computer IPSecuritas: Set kernel keys
Dec 24 09:52:07 Paul-Chernoffs-Computer racoon: ERROR:
ipsec_doi.c:2993:ipsecdoi_checkid1(): Expecting IP address type in main
mode, but FQDN.
mode, but FQDN.
isakmp_ident.c:668:ident_i4recv(): invalid ID payload.
Any suggestions would be welcome.
by Kurt Wolf on 2005-02-03 05:03:59 +0100
I am having some issues connecting to a SonicWall 2030. Leg from
ipsecuritas is below. Any help would be greatly appriciated.
Feb 2 21:02:06 WolfiePowerBook racoon: DEBUG:
isakmp.c:1718:isakmp_ph1resend(): resend phase1 packet
b4021be9c0639221:0000000000000000
isakmp.c:233:isakmp_handler(): ===
isakmp.c:234:isakmp_handler(): 92 bytes message received from
216.185.179.130[500]
Feb 2 21:02:06 WolfiePowerBook racoon: DEBUG: plog.c:199:plogdump():
b4021be9 c0639221 1270aedd d606c3e2 0b100500 00000000 0000005c
00000040 00000000 0110000e b4021be9 c0639221 1270aedd d606c3e2
00060004 00000000 00040018 0000004e 6f207072 6f706f73 616c2069
73206368 6f73656e
isakmp_inf.c:115:isakmp_info_recv(): receive Information.
Feb 2 21:02:06 WolfiePowerBook racoon: ERROR:
isakmp_inf.c:142:isakmp_info_recv(): ignore information because the
message has no hash payload.
Feb 2 21:02:06
by Martijn Goudkamp on 2005-04-19 19:48:30 +0200
Hi! I just got my Mac mini with OS 10.3.9 working with our company 3060
(running 2.6 enhanced). Full VPN, no problems.
Here is my config for IPsecuritas:
[b]General[/b]
Network to network
Aggressive mode
Claim Nonce 16
[b]Phase 1[/b]
DH group 1
Encryption 3DES
Authentication SHA1
[b]Phase 2[/b]
DH group none
Encryption 3DES
Authentication HMAC SHA1
And here's the trick; you NEED to use an identifier on BOTH sides. Put
whatever you want to use but make sure that on the other side, it's the
opposite and select Domain Name on the Sonicwall:
[b]Id[/b]
Local ident: DN mydomain.it
Remote ident: DN theirdomain.it
Preshared: whatanicesecret
The rest is default.
On the Sonicwall, I created a new SA (no GroupVPN since our clients
connect using XAUTH) with the same settings.
I'm using my Mac thru a wireless ADSL router, at work with have a 10mbit
fiber connection. Hope it's been helpfull!
by Karsten on 2005-10-12 00:45:09 +0200
[quote author=David Barnhart link=1080638584/0#4 date=1082563822]I
have just spent a few weeks getting IPSecuritas 2.0 to connect to a Sonic
Wall.
There are a couple of things you should note.
1. You can use either the GroupVPN or a separate SA. I finally just had the
IT guy set me up a separate SA as that made it easier to have a different
home network than the one used by the people coming in through the
GroupVPN.
[/quote]
Quick question here: How do you tell IPSecuritas which SA to use?
Thanks,
Karsten
by mango on 2005-10-29 09:20:45 +0200
ok, i have a wierd problem with ipsecuritas or with my sonicwall tz 170, os
10.4.2. I'm able to vpn correctly, but shortly after i make a connection, my
network or usb printer starts to print blank pages about 50 pages or so.
This has happen with two different computers each using two different
printer models and the same settings for the vpn. Everthing else seems to
work corectly, vnc, file sharing, telnet... The print manager shows multiple
completed jobs with the name (stdin) .Only the defualt printer is affected.
Any help who be nice. thanks
by ghuller on 2005-12-20 15:05:55 +0100
I need help from anyone who has experience setting up IPSecuritas & VPN
Tracker with a SonicWall. I have a SonicWall 3060. I can setup a Host to
Network VPN with no problems with VPN Tracker 3, but I'm unsuccessful
when I copy the settings into the more cost effective IPSecuritas. What am I
missing? Can someone help me translate my VPN Tracker 3 settings into
IPSecuritas and have it actually work??!!??
Here are the VPN Tracker settings I'm trying to copy over into IPSecuritas
(NOTE: if settings aren't noted, then they are left blank in the VPN Tracker
configuration):
CONNECTION:
SonicWall SonicOS
Phase1 GeneralExchange mode: aggressive, main
Proposal check: claim
Nonce size: 16
* Send INITIAL-CONTACT message
*Support MIP6
*Use IPSEC DOI
*Use SIT_IDENTITY_ONLY
Phase1 ProposalEncryption Algorithm: 3DES
Hash Algorithm: SHA1
Diffie-Hellman: Group 2 (1024 bit)
Lifetime: 28800 seconds
Phase2*PFS Enabled: Group 2 (1024 bit)
Encryption Algorithm: 3DES
Authentication Algorithm: HMAC SHA1
*Initiate Connection From This End
NETWORK:
Host to Network
Network Port: Automatic
VPN Gateway Address: ip address specified here
Local Address: blank
Remote Network/Mask: ip address & mask specified here
AUTHENTICATION:
Pre-shared key: key specified here
*Enable Extended Authentication (XAUTH)
IDENTIFIERS:
Local Identifier:
*FQDN: specified here
Remote Identifier
*FQDN: specified here
DNS:
*Use Remote DNS Server
*Use server for all domains
IPSecuritas, ZyWALL + NAT
IPSecuritas, ZyWALL + NAT
by chris on 2004-04-04 12:53:31 +0200
I'm working with a ZyWALL 10 and IPSecuritas as VPN Client. It works fine, if
NAT Translation is not activated in my VPN Rule on ZyWALL. Otherwise I get
an PAYLOAD ERROR 130 in IPSecuritas.
NAT Translation is needet due many customers are in Networks with NAT
and not able to use VPN to my location.
Does someone have an idea or a workaround?
- Chris (Switzerland)
what MacOS
by cnadig on 2004-04-14 08:10:12 +0200
Hello Chris,
what MacOS version do you run? There seems to be NAT-T support in 10.3
which is missing in 10.2, although I don't have any experiences yet.
Could you also post the relevant lines from log to spot the place in racoon's
sources?
Thank you,
Christoph
Re: IPSecuritas, ZyWALL + NAT
by chris on 2004-04-25 23:02:19 +0200
Hello Christoph
Sorry for my late answer, I was on holiday :D
After switching to MacOS X 10.3 and updating the ZyWall's Firmware it's
working fine now.
Thank you,
Chris
Connecting to Nortel Contivity?
Connecting to Nortel Contivity?
by George White on 2004-04-04 19:05:45 +0200
Has anyone had any luck connecting to a Nortel Contivity? I'm trying to
determine if I can use IPSecuritas in place of the Nortel Multi-OS client.
I'm pretty sure that I have the correct ESP config for my office config, but
I'm not sure the correct format of the DN and PSK. Any ideas?
Thanks,
G
Re: Connecting to Nortel Contivity?
by cnadig on 2004-04-14 08:14:00 +0200
Hello,
do you have any indication from the log window of what fails (set the log
level to 'Verbose Debug' in IPSecuritas' preferences)?
Christoph
Re: Connecting to Nortel Contivity?
by Fred on 2004-08-04 07:49:50 +0200
Could you give me a hint as to what you did to set it up?
I'm wanting to do the same thing
Connecting to multiple networks behind a firewall
Connecting to multiple networks behind a firewall
by Doug Weathers on 2004-04-04 21:23:56 +0200
Hi,
Love IPSecuritas! It's got a few more options than VaporSec, which is good
because my setup is a bit more complicated than the usual. Unfortunately,
I still can't figure out the correct combination of settings I need.
I have a SonicWALL firewall at work. There are several networks behind it,
because we connect to a lot of business partners.
I can't figure out how to connect to more than one network behind the
firewall. I've configured two tunnels with identical setups, differing only by
the destination network. They each work individually, but if I try them
simultaneously only the first one seems to work.
Anyone have any idea how to fix this?
Thanks,
Doug
Re: Connecting to multiple networks behind a firew
by cnadig on 2004-04-14 08:03:53 +0200
Hello Doug,
at the moment this is not possible (unless you can combine the severeal
networks into one with a smaller netmask). I'm also unsure whether racoon
(the IKE daemon) allows this, but I will check.
Would you be able to test an enhanced version of IPSecuritas (unfortunately
I don't have access to such a setup yet)?
Christoph
by Eduardo Alvarenga on 2004-04-21 22:12:46 +0200
I have a setup like this and would be very glad to test this new release.
Currently my VPN Network is based on ISAKMPD-OpenBSD servers (5
nodes), with Windows clients I can access all the networks by specifying
0.0.0.0/0 as the destination network but it seems IPSecuritas/Racoon
doesn't allows this.
Please mail me if any version appears ok ?
Best Regards,
Eduardo
by cnadig on 2004-04-22 13:35:31 +0200
Hello Eduardo,
the host to anywhere mode sets the remote network to 0.0.0.0/0 and
will send all traffic through the tunnel (using the host to network mode with
the remote network set to 0.0.0.0/0 won't work because this would also try
to send the IKE traffic through the not yet established tunnel... The host to
anywhere mode has an exclude rule for the IKE traffic).
Regards,
Christoph
by Doug Weathers on 2004-04-25 06:41:06 +0200
[quote author=cnadig link=1081106636/0#1 date=1081922633]Hello
Doug,
Would you be able to test an enhanced version of IPSecuritas (unfortunately
I don't have access to such a setup yet)?
Christoph[/quote]
I would be happy to test enhanced versions of IPSecuritas. I'm the network
admin where I work and have lots and lots of networks to connect to :)
by Eduardo Alvarenga on 2004-05-10 02:22:55 +0200
Unfortunatelly I can't use HOST->Anywhere mode because I need to specify
my "Local Address". Using host to anywhere doesn't give me this option.
Any ideas?
by Fabrice Vincent on 2005-08-03 01:30:20 +0200
[quote author=Doug Weathers link=1081106636/0#0 date=1081106636]
I can't figure out how to connect to more than one network behind the
firewall. I've configured two tunnels with identical setups, differing only by
the destination network. They each work individually, but if I try them
simultaneously only the first one seems to work.
Anyone have any idea how to fix this?
[/quote]
Hi,
I have precisely the very same need and very same behavior as described
above. I browsed through the forum but failed to find any answer to this
question.
So, is it possible to have more than one tunnels active at the same time?
If not, is there any chance that it could work in the near future?
I will be happy to do some testing if it can be usefull.
My context: I manage our company Firewal and use IPSecuritas to create
VPN connexions for roaming users. Our Firewall is an Arkoon A200
appliance, which uses linux swansea as foundation (see
http://www.arkoon.net/EN/g_mid.php?menuon=eczone2&#p_38 for
details).
BTW, thank for this great (and cheap!) tool!!!
cheers,
Fabrice
by favincen on 2005-08-03 02:25:09 +0200
Some more details:
1) Of course the different subnets I connect to cannot be merged into a
bigger subnet...
2) I managed to make this work with the demo version of VPNTracker. I just
configured the various subnets into the same VPN connexion and it worked.
If VPNTracker is using the same IPsec stack as IPSecuritas then I assume
there would be some ways to make IPSecuritas behave the same.
Thanks in advance for your help.
by cnadig on 2005-08-04 23:38:14 +0200
Hello Fabrice,
I'm happy to announce that the next release of IPSecuritas will finally allow
for multiple remote networks (amongst other long awaited extensions).
Public alpha/beta versions will presumably be available by the end of
August/beginning of September - please drop me a line at
[email protected] if you're interested in an early version.
Cheers,
Christoph
by favincen on 2005-08-05 13:17:58 +0200
great news. I look forward for the testing.
IPSecuritas with Airport Extreme NAT
IPSecuritas with Airport Extreme NAT
by TLangley on 2004-04-15 20:00:16 +0200
Hi,
I'm using IP Securitas to connect from DSL at home to a Netscreen firewall
at the office.
From testing at a couple of locations out of the office, I've found that if
another box (a Linksys) is doing the NAT and the AEBS is only bridging,
IPSec works great. If I take the Linksys out of the setup and have the AEBS
do NAT, IPSec stops working. It appears to connect and will ping, but will
not support any real traffic, such as a server connection.
There's a lot of talk on the Apple Discussion boards about this. On
suggestion is to set your VPN software to "Negotiate UDP encapsulation
with VPN server for NAT traversal". I'm wondering if there is a way around
this problem within IPSecuritas.
Thanks.
Re: IPSecuritas with Airport Extreme NAT
by cnadig on 2004-04-15 22:20:00 +0200
Hello,
there was an issue with older firmware versions of the AEBS (not sure of the
exact version anymore, but I think it was 5.1.x) and IP fragmentation, which
resulted in the described beahvior (small packets work (ping), real traffic
that needs fragmentation fails).
I'm using IPSec with AEBS and NAT enabled daily without problems with
firmware version 5.3.
Christoph
Re: IPSecuritas with Airport Extreme NAT
by Laurens van Hoorn on 2004-11-04 10:04:09 +0100
I have Airport in my home, and also the possibility to connect to my
(Thomson) router by dropcable.
Airport seems fine at first (no errors in log, and green lights from
IPSecuritas) but doesn't work. Connecting by dropcable (and thus going
around the Airport) does.
Checkpoint NG AI R55
Checkpoint NG AI R55
by sumpfgottheit on 2004-04-16 11:53:19 +0200
Hi!
I try a VPN to my Checkpoint in the Office, but i get the following error:
Apr 16 11:43:39 Powerbook racoon: ERROR:
isakmp.c:2033:isakmp_chkph1there(): phase2 negotiation failed due to
time up waiting for phase1. ESP <FW-IP>-><MY-IP>
Any hints?
best regards,
florian
Re: Checkpoint NG AI R55
by cnadig on 2004-04-16 13:28:27 +0200
Hello Florian,
since Phase 1 negotiation fails, there is a timeout for Phase 2 - setting the
log level to 'Verbose Debug' will give a better indication.
Have a look at the following threads for possible solutions:
http://www.lobotomo.com/cgi-bin/yabb/YaBB.pl?board=IPSecuritas;
action=display;num=1080638584
and
If none of this resolves the problem, I'd need a more detailed log (please
make sure to remove any confidential information).
Christoph
by Viny on 2004-04-19 02:07:04 +0200
This is my parameters with NG AI R54 and IPSecuritas 2.0.2
http://www.lobotomo.com/products/downloads/IPSecuritas202.dmg
I don't know if it's the best configuration but it's work for me.
Good luck....
Check Point NG AI R54 and IPSecuritas 2.0.2
Check Point
Global Proterties
Remote Access
VPN - Basic
Check: Pre-Shared Secret, Public Key Signatures, Hybrid Mode
Check: Gateways support IKE over TCP
VPN - Advanced
User Encryption Proterties: 3DES, MD5
Check: OKE Security associations proterties: Groupe 2
Resolving mechanism: Enable Securemote/SecureClient ...
Check Point Gateway
Traditional mode IKE properties
Check: 3DES, MD5, Pre_shared Secret, Public Key Signatures,
Exportable...
Traditional mode IKE properties, Advanced
Check: Group 2, Support aggressive mode
Renegotiate IKE... : 1440 minutes
Renegotiate IPsec... : 3600 Seconds
User Properties
Encryption
Check: IKE
Encryption, Edit
Specify the password
IPSecuritas 2.0.2
General
Mode of Operation: Host to Network
Exchange Mode: Aggressive
Proposal Check: Claim
by Jonathan Lundell on 2004-05-24 00:21:51 +0200
Moving to 2.0.2 and adding @ to my user name helped, in that I'm getting
quite a bit farther. Now I get this message, repeated:
May 23 15:10:05 jlundell racoon: NOTIFY: oakley.c:2057:oakley_skeyid():
couldn't find the proper pskey, try to get one by the peer's address.
May 23 15:10:05 jlundell racoon: ERROR:
oakley.c:1190:oakley_validate_auth(): HASH mismatched
(I'm posting in this thread because we're running R55. This is my first time
trying IPSecuritas, so I don't have a history of getting it working with earlier
CKPT versions.)
Some debug output:
May 23 15:53:59 jlundell racoon: DEBUG:
algorithm.c:382:alg_oakley_encdef(): encription(3des)
May 23 15:53:59 jlundell racoon: DEBUG: oakley.c:2519:oakley_newiv(): IV
computed:
May 23 15:53:59 jlundell racoon: DEBUG: plog.c:199:plogdump(): dfc362ed
e12abcc7
oakley.c:1163:oakley_validate_auth(): HASH received:
May 23 15:53:59 jlundell racoon: DEBUG: plog.c:199:plogdump():
30254ef1 792a6d52 ce679ee7 d6bccc13
oakley.c:868:oakley_ph1hash_common(): HASH with:
May 23 15:53:59 jlundell racoon: DEBUG: plog.c:199:plogdump():
d368dd02 8801cc92 a7a5a433 c22f14b7 eea5c074 989e23ac b560a021
37f32c7f a40c2447 be9ee589 a9bbb3b6 48416b8b 09fca579 d45055ca
c5e5546e 5de46d00 93e63569 268c6fd8 de759484 84cbb44e 7414b5d8
a236db8d 7648741e aa775df4 0c84420a 8021d4f7 1f0e20d6 baf83d05
fdee751b 7a0094be 4dd0ed9f 58b7707a 7ad19f1e 5b2f0eb7 86dee952
4df5e79d 344a9f95 508aa061 4d99d3f2 14a1d245 d4d76c20 55a4d9b3
4e3abe60 3769ec75 e16bf93d 3582e4ab 335d23ec 912ff688 5eb83211
f271d0a6 55509639 730389ce 06275464 023c70b5 7582fe7c 278fd227
b192a39f b3d97707 cba995a3 f83e4c02 bc4d93b1 63a3fa00 292c9b64
b6ab7457 e1c9da6c 4b438d9c 4ea96b0a 5ebba063 00000001 00000001
00000028 01010001 00000020 01010000 800b0001 800c012c
80010005 80030001 80020001 80040002 01000000 d1ac64a2
algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_md5)
oakley.c:878:oakley_ph1hash_common(): HASH computed:
May 23 15:53:59 jlundell racoon: DEBUG: plog.c:199:plogdump(): ef6a6f6f
86860528 202a8eff 218e7b07
by Viny on 2004-05-26 04:53:24 +0200
I use R55 HF02 now I have no problem. I'm sorry, I'm a newbie so I can't
help you more.
Viny, thanks, it's a big help just to know that it can work. I assume that I've
got a configuration problem.
Can you tell me how you're configured? Is your configuration the same as
the one you posted for R54?
This morning I saw, as usual,
...but my net admin claims that nothing at all showed up in the Check Point
logs. Seems odd, since the debug log suggestst that there's a significant
amount of negotiation necessary to get to that point.
Anyway, thanks again, and if anyone (Christoph?) would care to suggest a
course of action, I'd be grateful.
by Viny on 2004-05-28 14:31:58 +0200
Jonathan,
It's the same configuration (R54=R55). No modification.
Viny
Thanks. I moved to 2.0.5 today, with no change.
FWIW, I'm setting my local ID to @jlundell, which is my Check Point user
name, plus the magic FQID thing. Other combinations don't seem to get as
far, including [email protected], where mydomain is the domain of
the firewall.
I need a clue.
by Viny on 2004-05-29 07:43:32 +0200
I use a certificate now.
But if I remember, I used a username like "user", not "[email protected]"
or something else with "@". And in Check Point, the username was the same
("user").
Viny
Exporting/Importing Profiles
Exporting/Importing Profiles
by Matthew on 2004-04-21 22:41:35 +0200
Is there an easy way to export/import gateway configurations? I want to be
able to easily distribute IPSecuritas to users who don't want to go through
the process is building (and possibly screwing up) VPN connections. I
thought maybe IPsecuritas might create something in /Library/Preferences,
but I didn't see anything.
Thanks,
-matthew
Re: Exporting/Importing Profiles
by Matthew on 2004-04-22 05:36:14 +0200
Me again. I found the preferences in ~/Library/Preferences, but just copying
the com.lobotomo.IPSecuritas.plist file didn't do it for a system that hadn't
previously run IPSecuritas. Does IPSecuritas modify anything else?
by cnadig on 2004-05-05 16:57:24 +0200
Hello Matthew,
import/export of a configuration is one of the top requirements for the
next release. I'm confident to release an update in a few weeks time.
Christoph
by yadda on 2004-10-06 16:49:53 +0200
Any updates on the this issue? Can this be done yet? Thanks.
by cnadig on 2004-10-07 08:18:27 +0200
Hello,
unfortunately not yet - I plan to put a considerable amount of effort into
IPSecuritas once I have finished MoofMenu 1.5 in a few days
Cheers,
Christoph
IPSecuritas and Linksys
IPSecuritas and Linksys
by Ronald Bellamy on 2004-05-07 22:10:05 +0200
I am trying to connect to a Linksys Cable Firewall Router with VPN endpoint
(BEFSX41) from home with IPSecuritas.
The VPN endpoint has a static IP Address. At home I connect to a Linksys
DSL router that has been assigned a address from DHCP. I am using MacOS
10.2.8.
Any suggestions as to how to set up the VPN and/or IPSecuritas?
I have not worked with VPN setup before and so far I have not been able to
connect past phase 1. :-/
Re: IPSecuritas and Linksys
by cnadig on 2004-05-11 18:12:28 +0200
Hello Ronald,
what is failing after successfully establishing a phase 1 connection (set
the log level to Verbose Debug). Also, do you have access to the routers
log?
Christoph
Hi Christopher
Not sure if this is helpful. There is a lot of lines in the log that seem to
indicate that things are OK. This is where Error lines start appearing:
May 11 12:33:10 Ronald racoon: DEBUG:
isakmp_inf.c:210:isakmp_info_recv(): hash validated.
isakmp.c:1121:isakmp_parsewoh(): begin.
isakmp.c:1148:isakmp_parsewoh(): seen nptype=8(hash)
isakmp.c:1148:isakmp_parsewoh(): seen nptype=11(notify)
isakmp.c:1187:isakmp_parsewoh(): succeed.
May 11 12:33:10 Ronald racoon: ERROR:
May 11 12:33:10 Ronald racoon: ERROR:
isakmp_inf.c:870:isakmp_info_recv_n(): notification message 16:PAYLOADMALFORMED, doi=1 proto_id=3 spi=00000000(size=4).
grabmyaddr.c:442:update_myaddrs(): msg 5 not interesting
May 11 12:33:30 Ronald racoon: DEBUG: sockmisc.c:421:sendfromto():
sockname 192.168.1.111[500]
send packet from 192.168.1.111[500]
send packet to 68.150.80.245[500]
May 11 12:33:30 Ronald racoon: DEBUG: sockmisc.c:563:sendfromto(): 1
times of 260 bytes message will be sent to 192.168.1.111[500]
May 11 12:33:30 Ronald racoon: DEBUG: plog.c:193:plogdump(): 0048766f
a2b9058c cfa545f0 8db74490 08102001 4a924fb2 00000104 7ce66c23
ee0f7e87 5d9ee65e fbeaf05e 345fdf59 2b946c43 ad1c46bf 85099a78
c2b20570 33004776 9aa21c82 3cc620ef 1527a9a4 20d547f6 178dba8d
93d2d258 dd7f990a 752281fb 7afee4e5 c26baa19 5f9c196b 0e6c2413
7043fa1b 663d0f4f 35dc100e 664e8b68 6e7fe02f 1a3908d2 1957955c
b792a8bf ac418956 d4f47029 274e80dc a616ae69 28ec5aac 93333935
f3f2e311 c5d4c279 20e8297c 1e6c8a84 d34c6b34 59b9f13e 805daa1a
ff63a70d 15a0e351 c1407e7d 622a35f9 762bbfc0 25087ff4 0f6b4c0a
5648f37d 90e41bba efe226c2 cdc34189 e1bfbb8c e6d37889 253385e9
15d9ce63
0048766fa2b9058c:cfa545f08db74490:4a924fb2
May 11 12:33:40 Ronald racoon: ERROR: pfkey.c:738:pfkey_timeover():
May 11 12:33:40 Ronald racoon: ERROR: pfkey.c:738:pfkey_timeover():
I do have access to the router logs but not while I am at home. I will try to
get that info next time I am out.
by Bryan Derman on 2004-06-05 13:07:12 +0200
From a press release that just got posted:
=====
2004-Jun-01 : Derman Enterprises publishes a set of web pages that
outline how to use IPSecuritas (a free VPN-setup utility) and Mac OS X to
achieve a Host-to-Network and Network-to-Network secure/VPN
connection to the popular and inexpensive LinkSys BEFSX41 Switch/Router
/Firewall/VPN appliance.
Using this information will allow you to configure a stationary or
mobile/dial-up secure tunnel to your small business or home network. See
http://www.derman.com/Misc/VPN/Overview.html for the information.
=====
Hope this helps, if you hadn't already figured it out.
Hi Bryan
I found the information helpful and hoped that it would solve the problem
but using the settings still doesn't seem to work.
I was finally able to get the log info from IPSecuritas and the Linksys.
Hopefully somebody can find what I need to change:
Jun 6 15:21:57 Ronald racoon: DEBUG:
isakmp_inf.c:210:isakmp_info_recv(): hash validated.
Jun 6 15:21:57 Ronald racoon: DEBUG: isakmp.c:1121:isakmp_parsewoh():
begin.
seen nptype=8(hash)
seen nptype=11(notify)
succeed.
Jun 6 15:21:57 Ronald racoon: ERROR:
Jun 6 15:21:57 Ronald racoon: ERROR:
isakmp_inf.c:870:isakmp_info_recv_n(): notification message 18:INVALIDID-INFORMATION, doi=1 proto_id=3 spi=0701eb2e(size=4).
Jun 6 15:22:16 Ronald racoon: DEBUG: sockmisc.c:421:sendfromto():
sockname 192.168.1.111[500]
Jun 6 15:22:16 Ronald racoon: DEBUG: sockmisc.c:423:sendfromto(): send
packet from 192.168.1.111[500]
Jun 6 15:22:16 Ronald racoon: DEBUG: sockmisc.c:425:sendfromto(): send
packet to 68.150.80.245[500]
Jun 6 15:22:16 Ronald racoon: DEBUG: sockmisc.c:563:sendfromto(): 1
Jun 6 15:22:16 Ronald racoon: DEBUG: plog.c:193:plogdump(): 3b1285f7
05215f04 ae763ee4 2e83205e 08102001 7e6ea993 000000fc 980cf3f9
933bf763 f98a28a0 bb374f0a 5e8f4327 d1a349b1 07266af8 eb36e65d
57dadd9d dfd13515 faf925ae 86185ad7 aaff6ae9 91d7cea8 85e736da
64fa300a 848779ea ecc81fee 9277f735 91fe9215 7693cbd8 56b6da60
22df06ba 03d79b9e 262b81ec bc24bbbf 1967f641 6cb06f56 e1da7e9d
58e6883e 3bbcc170 b4ecd9fe d87271f9 dc51b230 92791738 3163da5e
b0d72751 5156b1b3 eb26dba1 1147de86 a5e239b7 bd953863 20ece927
120be189 2e0fef10 fa47d9a1 ab0d5939 473e8c88 71d9b73a 081c8f36
95404fa9 d98c0f54 af232f52 4e48a74c 9cd0f80c 9726c1d1
Jun 6 15:22:16 Ronald racoon: DEBUG: isakmp.c:1496:isakmp_ph2resend():
resend phase2 packet 3b1285f705215f04:ae763ee42e83205e:7e6ea993
Jun 6 15:22:26 Ronald racoon: ERROR: pfkey.c:738:pfkey_timeover():
Jun 6 15:22:26 Ronald racoon: ERROR: pfkey.c:738:pfkey_timeover():
From the Linksys Router
2004-06-06 15:21:51 IKE[6] Rx << MM_I1 : 198.53.201.16 SA
Sorry, don't look here very often so didn't see your posting. You might
want to check the firmware version you're using because some of the
released versions simply don't work in certain aspects, including VPN
operation. Have a look at the stuff on this page (http://www.derman.com
/Misc/VPN/BEFSX41-Problems.html) and look in the forums referenced
there, as well. BTW, the currently posted/released version on the LinkSys
site seems to be OK.
According to your log, you have a mismatch between the Local/Remote
Secure Group settings (i.e., those settings in IPSecuritas and those on the
Linksys).
Hi Bryan
I was able to connect finally but I had to supply IPSecuritas and the VPN
Linksys with the dynamic IP of my home Linksys. "ANY" does not work
although that is the setting that Linksys documentation says to use if the
remote user will have a dynamic IP. Since my IP will change this is not an
ideal setup. It is workable since I can access the VPN Linksys from home
and can change the IP remotely before trying to connect. IPSecuritas is also
easy to change and works great. The VPN does everything that is needed
now.
unknown informational exchange...
unknown informational exchange...
by FraserJopp on 2004-05-08 08:19:59 +0200
Having set up the VPN successfully, the connection fails when the key is to
be renewed. I get the following in the log of the FVS318 (host)
4/29/2004 06:27:32 - FVS318 IPsec:STATE_QUICK_R2: IPsec SA established
Thur, 04/29/2004 07:30:32 - FVS318 IPsec:event after this is
EVENT_SA_EXPIRE in 0 seconds
Thur, 04/29/2004 07:30:32 - FVS318 IPsec:IPsec SA expired (LATEST!)
Thur, 04/29/2004 07:30:32 - FVS318 IPsec:delete_out()
Thur, 04/29/2004 07:30:32 - FVS318 IKE:[VPNLANPC_tmp20] TX >>
DELETE SA : 81.178.250.58 (SPI=5bd07bf6)
Thur, 04/29/2004 07:30:34 - FVS318 IPsec:ISAKMP SA expired (LATEST!)
Thur, 04/29/2004 07:30:34 - FVS318 IPsec:delete_isa_out()
Thur, 04/29/2004 07:30:34 - FVS318 IPsec:[VPNLANPC_tmp20] is removed
from the head of conn_list
Thur, 04/29/2004 07:30:34 - FVS318 IPsec:Connection [VPNLANPC_tmp20]
is deleted from connection table
Thur, 04/29/2004 07:31:00 - FVS318 IPsec:find_insa() not found
Thur, 0
And this in the log of the client:
Apr 29 06:27:32 Alison-Robertss-Computer IPSecuritas: Set kernel keys
Apr 29 07:30:34 Alison-Robertss-Computer racoon: ERROR:
isakmp.c:662:isakmp_main(): unknown Informational exchange received.
Both sides have key life (phase1) at 3600 seconds, and IKE key lifetime
(phase 2) at 28,800 seconds. The connection is initiated at the Ipsecuritas
end
I then have to stop & start IPSec to reconnect
Many thanks for any help you can offer
Fraser Jopp
Re: unknown informational exchange...
by cnadig on 2004-05-10 15:38:11 +0200
Hello Fraser,
first of all sorry for not getting back to your e-mail earlier!
I'm expecting a Netgear FVS328 this week to arrive and, assuming it has
the same or a similar firmware as the 318, I expect to run into the same
problems. I'll let you know as soon as I find a solution.
From the log you attached it seems that both phase 1 and 2 time out at
the same time - what have you set for the exchange mode in IPSecuritas?
Cheers,
Christoph
by FraserJopp on 2004-05-11 08:15:04 +0200
It's aggressive. The timeout is always 180 seconds after the phase 1 key life
(if this helps). As far as I can see, the settings are the same on both sides.
Thanks for your help
Fraser
by FraserJopp on 2004-05-12 09:33:00 +0200
Cracked it, thanks to a clue in your reply. I had not realised that Phase 1 =
IKE SA lifetime, Phase 2 = IPSec Sa lifetime, as different terms are used at
the other end. Transposed the two figures, and it works fine..
Fraser
by jsilk on 2004-06-06 18:19:54 +0200
Hi there,
I am hoping you would be so kind to share your working connection details
in both IPSecuritas and FVS318 (naturally exluding any IP adresses) .
Thanks,
Johan
Cisco VPN Client
Cisco VPN Client
by brichpmr on 2004-05-16 15:59:49 +0200
My company provides a .pcf file to import into the CiscoVPN client app
through our Cisco 3000 series VPN concentrator. Does IPSecuritas work
with a Cisco .pcf script? Can I import the configuration into your app? I'm
running Panther (10.3.3)
IPSecuritas to Zyxel ZyWall 35
IPSecuritas to Zyxel ZyWall 35
by Thomas von Hassel on 2004-05-17 14:34:07 +0200
Hi all
I'm trying to connect a 10.3 client with
this in my zywall logs:
IPSecuritas to a Zywall 35. I get
Phase 1 IKE SA process done
then:
!! No proposal chosen
Could someone point me in the right direction :)
/thomas
Re: IPSecuritas to Zyxel ZyWall 35
by cnadig on 2004-05-18 16:31:58 +0200
Hello Thomas,
according to the Zyxel user manual you have a mismatch of the encryption
or authentication parameters, either in pahse 1 or 2, so that no satisfying
SA proposal can be found and the tunnel negotiation is aborted.
Check the phase 1 and phase 2 settings in IPSecuritas with the ones of the
zyxel router.
If you change the log level of IPSecuritas to 'Verbose Debug', you should see
in more detail what has been offered by your side and the Zyxel router and
why the two proposals don't match.
Christoph
Re: IPSecuritas to Zyxel ZyWall 35
by Chief_Nerd on 2004-08-25 21:51:58 +0200
I too am trying to get going with a ZyWALL. But in my case, it's
10.2 I'm using.
I have AES 256 and SHA1 set.
My verbose debug says:
{wonder where the ----'ed line came from; as that's not an IP in use here}
Log output from IPSecuritas 2.0.6
Aug 25 15:30:07 Notanumber IPSecuritas: Parsing configuration
Aug 25 15:30:07 Notanumber IPSecuritas: Setting up racoon.conf
Aug 25 15:30:07 Notanumber IPSecuritas: Setting up setkey.conf
Aug 25 15:30:07 Notanumber IPSecuritas: Setting up psk.txt
Aug 25 15:30:07 Notanumber IPSecuritas: Setting up tunnel.conf
Aug 25 15:30:07 Notanumber IPSecuritas: Parsing configuration done
Aug 25 15:30:08 Notanumber IPSecuritas: Starting racoon...
Aug 25 15:30:08 Notanumber racoon: INFO: main.c:169:main(): @(#)racoon
20001216 20001216 [email protected]
Aug 25 15:30:08 Notanumber racoon: INFO: main.c:169:main(): @(#)racoon
20001216 20001216 [email protected]
Aug 25 15:30:08 Notanumber racoon: INFO: main.c:170:main(): @(#)This
product linked OpenSSL 0.9.6i Feb 19 2003 (http://www.openssl.org/)
Aug 25 15:30:08 Notanumber racoon: INFO: main.c:170:main(): @(#)This
product linked OpenSSL 0.9.6i Feb 19 2003 (http://www.openssl.org/)
Aug 25 15:30:10 Notanumber IPSecuritas: Racoon is running
Aug 25 15:30:10 Notanumber IPSecuritas: Set kernel keys
Aug 25 15:30:10 Notanumber racoon: DEBUG2: cfparse.y:1354:cfparse():
parse successed.
Aug 25 15:30:10 Notanumber racoon: INFO: isakmp.c:1369:isakmp_open():
192.168.1.69[500] used as isakmp port (fd=6o)
-----------------------------------------^^^^^^^^^ huh?
Aug 25 15:30:10 Notanumber racoon: INFO: isakmp.c:1369:isakmp_open():
192.168.1.69[500] used as isakmp port (fd=6)
Aug 25 15:30:10 Notanumber racoon: DEBUG: pfkey.c:192:pfkey_handler():
get pfkey X_SPDDUMP message
Aug 25 15:30:10 Notanumber racoon: DEBUG2: plog.c:193:plogdump():
02120200 00020000 00000000 00000200
pfkey X_SPDDUMP failed: No such file or directory
get pfkey REGISTER message
Aug 25 15:30:10 Notanumber racoon: DEBUG2:
{.....}
Aug 25 15:30:31 Notanumber racoon: ERROR:
time up waiting for phase1. ESP 207.188.193.107->192.168.1.69
Aug 25 15:30:42 Notanumber racoon: INFO:
isakmp.c:1790:isakmp_chkph1there(): delete phase 2 handler.
Aug 25 15:30:42 Notanumber racoon: INFO:
Replacing CheckPoint SecureClient
Replacing CheckPoint SecureClient
by Ben on 2004-05-17 15:45:02 +0200
Hi there,
I came across IPSecuritas after posting to Apple's support forums. Anyway,
here's the gist of my problem.
At work, we use Checkpoint's VPN-1 SecureClient for Windows to connect
to the company's LAN remotely. My question is how can I do the same thing
with my PowerBook.
Someone kindly suggested that I try out IPSecuritas, which I installed
without any problem. However, the tricky part came when I tried to import
the certificate.
IPSecuritas wants the certificate to be of the type .pem, whatever that is. At
work, we have Entrust certificates that have a .epf suffix. Now, I'm not sure
what these different file formats mean (simply changing the suffix didn't do
the trick), but I was hoping there would be some sort of conversion utility,
or perhaps there is some way to export a certificate from SecureClient as a
.pem. Is this even the right approach?
Apologies in advance if the above isn't the clearest, but digital certificates
and PKI are kind of new to me.
Ben
Re: Replacing CheckPoint SecureClient
by cnadig on 2004-05-18 16:26:02 +0200
Hello Ben,
I found very little information about the Entrust Profile File (.epf), especially
conecrning about it's contents and format, so importing them directly won't
be possible.
I don't know how your company generates the certificate files but I'd expect
the software to be able to export it into different format (at least PKCS12,
which can be imported into IPSecuritas with a few steps, see the online
help).
As an alternative (and it probably needs very good connections to the
network admin), you could setup an alternative CA: http://www.atsec.com
/docs/fw1-openssl.howto.pdf
Christoph
Re: Replacing CheckPoint SecureClient
by Benjamin So on 2004-05-24 10:50:03 +0200
Hi Christoph,
I think the export method seems like the better bet. At present, the utilities
supplied by the company don't allow any export function. Are there any
conversion apps available that could do this for me? And which file formats
does IPSecuritas understand?
Ben
Can't setup VPN
Can't setup VPN
by robbiemurray on 2004-05-18 16:49:20 +0200
I have had 3 days of frustration trying to connect my home network to my
colleagues using the VPN software in MAC OS X.
Both networks have static IP addresses and are using Netgear DG834
Routers, and Internet/email works fine. I tried configuring both PPTP and
L2TP connections, but either got a 'server not responding - check address
etc', message, either immediately or after a delay where the icon in the
menu bar tried to connect, but gave up after a couple of minutes. (I can
however ping from one to the other) Checked with Netgear support, who
were unhelpful, but eventually had me open all ports. Still no joy. After a
lot of trawling found recommendations for IPSecuritas. Downloaded,
installed, configured on both, but no connection - just the red X
removed all the Mac VPN configurations, but still no go.
Please can anyone help????
Re: Can't setup VPN
by cnadig on 2004-05-18 17:51:09 +0200
Hello Robbie,
a quick question first: Is NAT (Network Address Translation) enabled on any
of the routers?
Could you also post the log from IPSecuritas when set to 'Verbose Debug'
(in the IPSecuritas preferences). Please remove any confidential information
like you static IP addresses.
Christoph
Re: Can't setup VPN
by robbiemurray on 2004-05-18 23:18:17 +0200
Hi Christoph
Thanks for your interest. Yes, both have NAT enabled, as they were set up
with the simple login suggested by the ISP-login & password, with all
others info provided dynamically by the ISP,
(although the both addresses are static)
How much of the log do you want, as there are pages & pages,and it seems
to loop?
I’m new to this site, and don’t want to get in trouble...........
I could email it if that's an option
Regards
Robbie
IPSec startup failed
IPSec startup failed
by benoit_mikros on 2004-05-20 18:09:47 +0200
Hello Christoph,
I've got message "IPSec startup failed" (in the verbose log, nothing than
"Log output from IPSecuritas 2.0")
The configuration of IPSec should work because it's being used by one of
my colleague, Marc, with the same kind of connection (OS 10.3.3 with
Netscreen FW).
In fact it did work fine once, at my place (home), but I could'nt stop IPSec
properly (refused) : I had to quit IPSecuritas and then no more DNS resolve
with any app : Safari , Mail, etc...
So I found that /etc/resolv.conf was linked to /tmp/IPSecuritas...
Then I redo the link to /var/run/resolv.conf and add some DNS names in
my OS Network Preferences . So Http and Mail work fine again now...
In the meantime, I aslo removed all settings of IPSecuritas (to start from
scratch).
Then I re-edit IPSecutitas settings and prefs, checked them twice (the same
that work for Marc) but IPSecuritas does not want to start...(immediate
message : "IPSec startup failed").
I also removed my optional DNS server names in my OS Network
Preferences (and anyway I have checked "Replace DNS Settings on IPSec
Activation" with my job DNS refs).
But it doesn't start ;-(
Any idea to work this out?
Re: IPSec startup failed
by cnadig on 2004-05-20 23:44:46 +0200
Hello Benoit,
at the moment I can only guess, but I think your installation has been
corrupted. Please try to remove IPSecuritas completely and re-install it.
If you still have trouble, I'll compile a version that logs more detail in such
an event.
Christoph
okay : I removed IPSecuritas and prefs, then reinstalled it completely.
Same result ;-(
Benoit
more detais for log ...;-)
HEllo Chritophe,
Did you change the logs with more details in such an event, with V 2.05?
I still have the same message.
I even try to update my OS to 10.3.4 (never know...)
Still the same instantaneous "IPSec startup failed ".
Benoit
by cnadig on 2004-06-08 23:20:10 +0200
Hello Benoit,
sorry for the late answer - my daytime job is keeping me busy...
I did not have the opportunity to get more verbose log in, but a quick
question: when you try to start IPSec and it fails, do you get anything in the
lgo window (with log level set to verbose debug). Also, if you have teh
replace DNS settings options set, do you still need to replace the link to
/var/run/resolv.conf after terminating IPSecuritas in order to get normal
internet acces sback?
Christoph
by MacPapy on 2004-09-28 23:55:22 +0200
Hi everybody
I would have loved to announce that IPSecuritas is working fine with an
Equinet gateway (at least on a host to network basis) but, in my case, its
works only with one of my computer (a PowerBook G3, OS 10.2.6)
On my iMac (G3, 600 Mhz, 10.2.6) I have directly the "startup has failed"
message, and no message in the log window.
I've tried for a couple of nights to understand what the differences are, but I
do not find any succesfull explanation.
Hypothesis : on my initial launch of IPSecuritas, it happens that I was not
loged as an "Administrator" for the system. Of course, I've tried to reinstall
and relaunch, but no success :'(
Another idea : The mac which is not working was initially configured as a
gateway with IPSharing (using the MacOs embeded feature) ; I've stopped
IPSharing during the testing of IPSecuritas, (and tried to restart, and
everything ...) but this doesn't solve the problem
Last : on my iMac, there was an previous version of racoon, hidden in an old
"Previous system" directory, that was remainig on my disk. I did clean all
that stuff after, but could it be a problem linked with that bad config at
beginning.
Any idea ?
Thanks by advance
Jean (from France)
by Pascal Frey on 2004-10-16 20:43:08 +0200
Same troubles as benoit_mikros and MacPapy :
I've tried to estabilish a VPN Connection with IP Securitas, but as soon as I
click on "Start IPSec", it answers me "IPSec Startup failed", with nothing at all
in the log (even in Verbose Debug mode).
I first tried IP Securitas on an other Mac and it seemed to work fine. So I did
a clean install on my own Mac and I re-installed IP Securitas.
I managed to estabilish connections for about 15 or 20 time, and then,
back to the same error message : "IPSec startut failed"...
Then I tried to have a look into the IP Securitas.app package.
I tried to launch IPSecuritas.app/Contents/MacOS/vpntool sevral times and
it didn't answered me anything.
BUT, I then relaunched IPSecuritas by invoking IPSecuritas/contents/MacOS
/IPSecuritas in the same shell, and it seemed to work fine again.
At least I can clik on "Start IPSec" without having the error message. But this
time, the connection doesn't work. I haven't changed anything in the config
file, but the connection fails to estabilish. That's what the log shows :
[i]Log output from IPSecuritas 2.0.6
Oct 16 20:14:02 Ordinateur-de-Famille-Frey IPSecuritas: Parsing
configuration
Oct 16 20:14:02 Ordinateur-de-Famille-Frey IPSecuritas: Setting up
racoon.conf
setkey.conf
Oct 16 20:14:02 Ordinateur-de-Famille-Frey IPSecuritas: Setting up psk.txt
tunnel.conf
Oct 16 20:14:02 Ordinateur-de-Famille-Frey IPSecuritas: Parsing
configuration done
Oct 16 20:14:03 Ordinateur-de-Famille-Frey IPSecuritas: Starting racoon...
Oct 16 20:14:03 Ordinateur-de-Famille-Frey IPSecuritas: Racoon is running
Oct 16 20:14:03 Ordinateur-de-Famille-Frey IPSecuritas: Set kernel keys
add net 192.168.1.0: gateway gif0
Oct 16 20:14:34 Ordinateur-de-Famille-Frey racoon: ERROR:
pfkey.c:745:pfkey_timeover(): x.x.x.x give up to get IPsec-SA due to time
up to wait.
Oct 16 20:14:34 Ordinateur-de-Famille-Frey racoon: ERROR:
pfkey.c:745:pfkey_timeover(): x.x.x.x give up to get IPsec-SA due to time
up to wait.
delete net 192.168.1.0
Oct 16 20:15:26 Ordinateur-de-Famille-Frey IPSecuritas: Flushing kernel
keys
Oct 16 20:15:26 Ordinateur-de-Famille-Frey IPSecuritas: Stopping racoon...
Oct 16 20:15:27 Ordinateur-de-Famille-Frey IPSecuritas: Racoon normally
terminated[/i]
If somebody understainds what's happening ?
... Meanwhile, I've also tried with VPNTracker and it works fine in any case
Antivirus and Firewall
Antivirus and Firewall
by fmorchid on 2004-05-21 19:40:02 +0200
hello,
is it possible to install a symantec antivirus with the checkpoint firewall?
thnak you
smb query
smb query
by rnoranbrock on 2004-05-24 23:38:54 +0200
OK, I've got IPSecuritas set up and connecting properly to a SonicWall
SOHO3. And I would swear that at least the first time I set it up I was able
to connect to shared portions of an Exchange server behind the Sonic;
however, currently, I am unable to do the same thing. I try to enter
smb://MACHINE/OBJECTS in the Connect to Server dialog, but all I get is
"The Finder cannot complete the operation because some data in
"smb://MACHINE/OBJECTS" could not be read or written. (Error code -36)."
with the option to Try Again or Cancel.
If I try to double click the aliases setup for the same share from behind
the Sonic, it attempts to connect (I guess) and then asks if I want to fix or
delete the alias.
And just to add more strangeness on top, Entourage (which is configured
to connect as an IMAP client from behind the Sonic) has no problem
connecting with the address entered as
SECOND_MACHINE.DOMAIN.NAME.COM
I can use MS Remote Desktop Connection to connect through the VPN
and access the Exchange Server, so that works, but so far no success at
specifying an smb address. Any thoughts?
Thanks,
-Randy
Re: smb query
by info.helpdesk on 2007-04-25 14:44:40 +0200
We are having the same problem using version 3.0 of the software on a Mac
OS X 10.4 machine. Any ideas?
Re: smb query
Sorry, I haven't tried to connect recently as I believe I read in another post
that the problem was in the Mac OS.
Interestingly though, if I bring up Win XP under Parallels, I can mount any of
the drives/machines in Win XP, but not in the Finder. Strange.
-Randy
Re: smb query
by Dave on 2007-04-26 00:42:07 +0200
Are you using IP addresses for MACHINE in your examples?
Re: smb query
Honestly, I don't recall if I tried that or not. The names resolve to the
proper IP address in terminal and ping correctly. If I get a chance to try
later, I'll post back.
-R
OS X 10.3.4 breaks Ipsecuritas
OS X 10.3.4 breaks Ipsecuritas
by Thomas von Hassel on 2004-05-27 01:40:56 +0200
Well i got Ipsecuritas working with my ZyWall ... but i just installed 10.3.4
and now Ipsecuritas gives me this:
Jun 27 01:39:43 Thomas-von-Hassels-Computer IPSecuritas:
configuration
racoon.conf
setkey.conf
psk.txt
tunnel.conf
configuration done
racoon...
running
keys
ifconfig: SIOCIFCREATE: Invalid argument
route: writing to routing socket: No such process
delete net 192.168.1.0: not in table
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
delete gif0
racoon...
normally terminated
kernel keys
so 10.3.4 obiusliy breaks something :)
/thomas
Parsing
Setting up
Setting up
Setting up
Setting up
Parsing
Starting
Racoon is
Set kernel
Could not
Stopping
Racoon
Flushing
Re: OS X 10.3.4 breaks Ipsecuritas
by Mark Dadgar on 2004-05-27 06:39:47 +0200
Yep - broke my copy, too. :(
- Mark
by cnadig on 2004-05-27 08:56:33 +0200
Hello,
I can reproduce the problem and am working on a solution, which should
be available within days.
Christoph
by Mark Dadgar on 2004-05-27 18:58:07 +0200
THANK YOU!!
- Mark
by NetWhiz on 2004-05-31 01:33:39 +0200
Any update on the status of the fix for this? ???
NetWhiz
by cnadig on 2004-06-01 14:20:29 +0200
Hello,
sorry for the late notification! IPSecuritas 2.0.5 is available for download at
[url]http://www.lobotomo.com/products/IPSecuritas/index.html[/url].
See [url]http://www.lobotomo.com/products/IPSecuritas
/changes.html[/url] for a list
of changes.
Christoph
by DarX on 2004-06-01 15:51:37 +0200
[quote author=cnadig link=1085614856/0#5 date=1086092429]Hello,
sorry for the late notification! IPSecuritas 2.0.5 is available for download at
[url]http://www.lobotomo.com/products/IPSecuritas/index.html[/url].
See [url]http://www.lobotomo.com/products/IPSecuritas
/changes.html[/url] for a list
of changes.
Christoph[/quote]
hey, this works!
thanks a bunch! .. keep up the good work!
/thomas
by NetWhiz on 2004-06-02 23:14:50 +0200
Is ther a version that fixes the problem? This version is the same as from
last week and it does not fix my broken issue. Everything worked fine with
this version, until I opened and used the built-in Mac OS X IPSec/L2TP
client. When I went back to try IPSecuritas, it will not get past:
Jun 2 21:11:47 Allison-Baby-3 IPSecuritas: Parsing configuration
Jun 2 21:11:47 Allison-Baby-3 IPSecuritas: Setting up racoon.conf
Jun 2 21:11:47 Allison-Baby-3 IPSecuritas: Setting up setkey.conf
Jun 2 21:11:47 Allison-Baby-3 IPSecuritas: Setting up psk.txt
Jun 2 21:11:47 Allison-Baby-3 IPSecuritas: Setting up tunnel.conf
Jun 2 21:11:47 Allison-Baby-3 IPSecuritas: Parsing configuration done
Jun 2 21:11:48 Allison-Baby-3 IPSecuritas: Starting racoon...
Jun 2 21:11:48 Allison-Baby-3 IPSecuritas: Racoon is running
Jun 2 21:11:48 Allison-Baby-3 IPSecuritas: Set kernel keys
Jun 2 21:11:48 Allison-Baby-3 racoon: ERROR:
Jun 2 21:11:48 Allison-Baby-3 racoon: ERROR:
Jun 2 21:11:55 Allison-Baby-3 IPSecuritas: Flushing kernel keys
Jun 2 21:11:55 Allison-Baby-3 IPSecuritas: Stopping racoon...
Jun 2 21:11:56 Allison-Baby-3 IPSecuritas: Racoon normally terminated
Then it just sits and eventually times out or I get that error. How can this be
fixed????
NetWhiz
by NetWhiz on 2004-06-04 05:51:50 +0200
Anyone even watching the board? No one else having this problem?
NetWhiz
by NetWhiz on 2004-06-08 01:56:56 +0200
Just checking in to see if anyone is having this issue or a solution been
found????????
NetWhiz
by davehodg on 2004-07-08 17:52:30 +0200
I'm getting this too, trying to connect to an FVL328:
Jul 8 16:47:34 Daves-PB syslogd: restart
Jul 8 16:47:34 Daves-PB syslogd: restart
Jul 8 16:47:35 Daves-PB racoon: ERROR:
Offers?
by Rusty Bias on 2004-09-07 07:57:48 +0200
I've had the same issue... IPsecuritas working fine until messing with built
in L2TP/VPN, and even after removing L2TP configs, IPsecuritas won't
work...
Support for ...
Support for ...
by NetWhiz on 2004-05-28 18:28:34 +0200
Will there be support added for DH modp2048 and/or SHA2?
Also, will the source code for this app be released?
Thanks,
NetWhiz
New User
New User
by Spark on 2004-05-28 19:03:19 +0200
Hello I am a new user that would love to use IPSecuritas! I cannot seem to
find a how to on the SF. Is there documintation or a how to page i can be
directed to.
I am running 10.3.4 wirh the firewall on. I do a ton of file transfers and
would like to make them secure. Will this mask my ip address when
accessing sites and running my own server? Any help would be greatly
appreciated! :)
Version 2.0.5 breaks name resolution
Version 2.0.5 breaks name resolution
by Russ Marks on 2004-06-02 23:29:16 +0200
IPSecuritas 2.0.5 does not release the "DNS Servers" entry in its Preferences
panel. Once IPSecuritas is run, the OS does not revert back to the DNS
servers entry listed in the OS X "Network" system preference pane. I am able
to fix this by clearing the IPSecuritas "DNS Servers" entry, committing it
then exiting. This problem exists on my 10.3.4 & 10.2.8 machines.
Regards,
Russ Marks
anyone help me?
anyone help me?
by hopecompany on 2004-06-04 11:30:56 +0200
hi,everybody!my first time here,nice to meet all of you!
I have experienced a question:I have 2 Nokia IP530 platforms,which had
installed checkpoint NG AI(R55),I configured them running in clusters'
environment,and I am sure clusters work well!but a problem occured:when
a oracle client connects oracle server behind cluster gateway,the session
only remained about 5 to 10 minutes,and the session disconnected,I
reseted the connection in oracle client and it worked well again,but
disconnectd after 5-10 minutes,I don't know how to settled the
problem,anybody help me?looking forward to hearing from you!thanks a lot
Netgear - Phase 2 failing
Netgear - Phase 2 failing
by 2manysecrets on 2004-06-04 19:42:29 +0200
I am using a netgear FVS318 at my office with a fixed IP and connecting
from home (and would like to connect from the road) with IPSecuritas and a
dynamic IP.
The office and home have two different subnets and I did have this working
for a couple of weeks. When it was working the computer at work could not
see any of the computers on my home network. But, I could see all of the
computers on the office network.
Something has changed and I am not sure what it is.
The debug log show that phase 1 succeeded, but I keep getting
Jun 4 13:28:03 AgentSmith racoon: DEBUG:
42cb18005b4777b4:f3941f0d568a1a16:de4771c6
Jun 4 13:28:12 AgentSmith racoon: ERROR: pfkey.c:745:pfkey_timeover():
Jun 4 13:28:12 AgentSmith racoon: ERROR: pfkey.c:745:pfkey_timeover():
Jun 4 13:28:12 AgentSmith racoon: DEBUG:
schedule.c:210:sched_scrub_param(): an undead schedule has been
deleted.
After reading several "guides" on setting up NetGear routers I am now total
confused.
What parameters are affecting the phase 2 verification?
Re: Netgear - Phase 2 failing
by jsilk on 2004-06-06 18:12:08 +0200
Hi,
Any possibility you could share your configuration that worked before you
tried to change so you could roam from anywhere including your home?
For Phase 2 I have the same configuration as with Phase 1 with the
exception of the life time. This seems to work fine, I am not getting any
errors like you are seeing. But after what seems like a successful connection
at both ends I am unable to access any hosts at work behind the FVS318...
by jsilk on 2004-06-07 02:21:16 +0200
Hi there I can replicate your message when my Network settings are not
matching up between FVS318 and the IPSecuritas settings. Ensure you
remote and local network configuration is the same at both ends.
Cheers!
Johan
The only way I was able to login from a remote site was to know the public
IP and put that into the local address field. This worked from home, but
when I was at the hotel it was not a viable solution since I cannot find out
the public IP.
But since I have been reading more it sounds like that the local address
field should be the local machine's IP address.
Now I am even more confused since in the NetGear setup I need to specifiy
the IP address or range for the remote LAN IP.
I know that I am missing something and the was the reason for the original
post.
Thanks
by cnadig on 2004-06-08 23:04:12 +0200
Hello,
the local address field in IPSecuritas is used to explicitly define the source
address of your traffic going through the tunnel - it has no effect on the
tunnel itself (its often referred to as virtual local adress because it makes
the remote end (machines within the LAN behind the VPN router, not to the
VPN router itself) think you have a different IP address.
Basically everything works for this field, but it is common to use a private
network address like 10.x.x.x or 192.168.x.x. If no local address is
specified, your computers default interface's address is used (whatever you
get from your ISP or the NAT router).
The VPN router normally has rules on how to route packets through which
tunnel. So if you define 192.168.1.1 for your local address in IPSecuritas,
you should also enter this address for the destination address rule in your
Netgear configuration.
I don't have a FVS318 but a 328, but I assume the two work quite similarily.
I could post a working configuration of my 328, if you like.
Cheers,
Christoph
Yep I found that out today. Thanks for the reply.
I now have it working and the only unresolved issue is the ability for the
computers behind the FVS318 to see my computer.
I have a good connection working, but if my laptop goes to sleep while the
VPN is connect and the network connection is dropped, I have to sleep the
laptop and wake it back up before I can reconnect.
Hope that helps.
I do have a working configuration
FVS318 settings
Connection Name : IPSecuritas
Local IPSec : FVS318
Remote: Home
Tunnel can be accessed from: any local IP
Tunnel can access: a subnet of remote addresses
Remote LAN start IP Address: 10.0.0.1
Remote LAN IP Subnetmake: 255.255.255.0
Remote WAN IP or FQDN: 0.0.0.0
Secure Association: Aggressive Mode
Perfect Forward Secrecy: Enabled
Encryption Protocol: 3DES
Key Group: Diffie- Hellman Group 2
Preshared Key: 0123456789
Key Life: 28800
IKE Life Time: 86400
NETBIOS Enabled: false
IPSecuritas Settings:
Remote IPSec Device: <Static IP Address> of your VPN router
Remote Network: <DHCP Address> (192.168.1.1 / 24)
Local Address: [blank]
Exchange Mode: Agressive
Proposal Check: Strict Nonce Size 16
Phase 1:
Lifetime: 28800
DH group: Mod1024 (2)
Encryption: 3DES
Authentication: MD5
Phase 2: (least sure about all of these settings, but it works)
Lifetime: 28800
Encryption: 3DES, AES192, AES128
Authentication: HMAC MD5, HMAC SHA1
ID/Auth:
Local Identifier DN: home
Remote Identifier DN: FVS318
Preshared Secret: 0123456789
Options: (where unchanged from default)
Everything selected but (Passive, Verify Certificate, and Auto Start)
----------------
by Johan Silkenas on 2004-06-09 12:40:03 +0200
Thanks for the configuration.
Mine matches it except for the encryption, where I have opted for less
security (DES) to get better speed than when using 3DES.
About the Local IP, yes what Christoph was saying is certainly what I have
found as well. All it is, is a virtual address. As long as your settings are the
same in IPSecuritas as in FVS318 for your profile, then you can roam
anywhere.
Sorry don't know about making your machine visable to the machines
behind the FVS318.
Cheers!
Johan
by nickb on 2004-06-11 02:44:51 +0200
I've tried building on the config above but get:
racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation
failed due to time up waiting for phase1.
?
Double check you configuration. Make sure the exchange mode, DH Group,
Encryption and Authentication match between IPSecuritas and your VPN
server. Next make sure the Local Identifier and Remote Identifier are
correct. If these do not match then you will not make it past phase 1.
Hope that helps
UPDATE
This seems to work better than "Tunnel can access: a subnet of remote
addresses "
Tunnel can access: a single address
Remote LAN start IP Address: 10.0.0.12
Remote LAN IP Subnetmake: 255.255.255.0
Remote WAN IP or FQDN: 0.0.0.0
IPSecuritas <--> NetScreen Firewall
IPSecuritas <--> NetScreen Firewall
by MacJunkie on 2004-06-05 00:56:30 +0200
I configured IPSecuritas to conect with a NetScreen Firewall and i got
following log message:
Jun 5 00:32:50 Vigor102 racoon: ERROR:
Jun 5 00:32:50 Vigor102 racoon: ERROR:
time up waiting for
(I deleted the IP-Adress in this Article because of Data Rights).
Has any body configured a IPSecuritas to Netscreen connection
successfully? How?
(With VPNTracker the connection works fine - but I want not to use
VPNTracker)
Re: IPSecuritas <--> NetScreen Firewall
by cnadig on 2004-06-08 23:10:39 +0200
Hello,
could you post a bit more of the log, especially the last 5-10 lines before
what you posted already?
Also, posting your IPSecuritas settings would be useful (please remove any
confidential information!)
Thanks,
Christoph
IPv6 and IPSecuritas
IPv6 and IPSecuritas
by Axel on 2004-06-05 22:47:08 +0200
Does Anyone knows if IPSecuritas is interoperable with IPv6 address?
Netgear FVS318 LOG says I am connected.....
Netgear FVS318 LOG says I am connected.....
by Johan Silkenas on 2004-06-06 17:38:58 +0200
I am confused to why I am not able to access the remote network. My
Netgear FVS318 VPN log says:
06/07/2004 01:17:24 - FVS318 IKE:[JohanSilkenas_tmp37] established with
144.132.212.106 successfully.
The Netgear VPN status show an Active connection.
IPSecuritas LOG confirms connection:
Jun 7 01:20:55 jsilkimac racoon: INFO: pfkey.c:1352:pk_recvadd():
IPsec-SA established: ESP/Tunnel [my IP address] -> [VPN Server IP
address] spi=3847618502(0xe555ffc6)
How ever when I try a telnet to a remote host it just sits there same if a try
connecting to a file share.
If I use VPN Tracker it works straight away. My configuration is the same in
IPSecuritas as with VPN Tracker. My OS is 10.3.4 and I am using IPSecuritas
2.0.5
Is there anyone out there who have successfully got IPSecuritas 2.0.5 to
work with Netgear FVS318? Looking forward to creative ideas for getting
this great VPN client to successfully allow access to FVS318 protected
network.
Cheers!
Johan
Re: Netgear FVS318 LOG says I am connected.....
by cnadig on 2004-06-08 23:08:26 +0200
Hello Johan,
do you get a green check mark instead of the red cross in the main
window?
If so, I suspect a routing problem or a problem with you local IP address did you fill anything into the local address field?
Also, could you post a short description of your network setup and the
settings in IPSecuritas (please remove any confidential information!)
Cheers,
Christoph
cant to connect to netscreen, VPN tracker works!
cant to connect to netscreen, VPN tracker works!
by desktopguy on 2004-06-09 16:26:54 +0200
Hi,
I am having trouble connecting to a netscreen firewall via an OS X 10.3.4
workstation. VPN tracker works fine.
The log shows;
Jun 10 00:02:55 support racoon: WARNING:
ipsec_doi.c:3064:ipsecdoi_checkid1(): ID type mismatched.
ipsec_doi.c:3086:ipsecdoi_checkid1(): ID value mismatched.
Jun 10 00:02:55 support racoon: NOTIFY: oakley.c:2057:oakley_skeyid():
Jun 10 00:02:55 support racoon: NOTIFY: oakley.c:2057:oakley_skeyid():
Jun 10 00:02:55 support racoon: ERROR: oakley.c:2071:oakley_skeyid():
couldn't find the pskey for X.X.X.X.
Jun 10 00:02:55 support racoon: ERROR: oakley.c:2071:oakley_skeyid():
couldn't find the pskey for X.X.X.X.
my setting for ID/Auth are;
local identifier - DN: [email protected]
remote identifier - DN: netscreen
using preshared secret.
With identical setting (default) in VPN tracker it works OK.
NOTE: the VPN tracker log shows;
2004-06-09 23:23:35: INFO: isakmp.c:1034:isakmp_ph1begin_i(): begin
Aggressive mode.
2004-06-09 23:23:35: WARNING: ipsec_doi.c:3086:ipsecdoi_checkid1(): ID
type mismatched.
2004-06-09 23:23:35: WARNING: ipsec_doi.c:3134:ipsecdoi_checkid1(): ID
value mismatched.
2004-06-09 23:23:35: NOTIFY: oakley.c:2111:oakley_skeyid(): couldn't find
the proper pskey, try to get one by the peer's address.
2004-06-09 23:23:35: INFO: isakmp.c:2783:log_ph1established():
ISAKMP-SA established X.X.X.X[500]-X.X.X.X[500]
spi:1eddb852701da258:ad5d572683e3bc62
2004-06-09 23:23:36: INFO: isakmp.c:1173:isakmp_ph2begin_i(): initiate
new phase 2 negotiation: X.X.X.X[0]<=>X.X.X.X[0]
I guess VPN tracker also has problems, but then falls back to another
setting which works
any help would be appreciated
Re: cant to connect to netscreen, VPN tracker work
by cnadig on 2004-06-23 18:22:07 +0200
Hello,
try to set the remote identifier to address instead of DN.
Cheers,
Christoph
Re: cant to connect to netscreen, VPN tracker work
by desktopguy on 2004-06-24 02:28:32 +0200
thanks cnadig,
that works fine now.
It is slower to establish the VPN but it works
xauth
xauth
by manu sawkar on 2004-06-09 23:27:45 +0200
will ipsecuritas incorporate xauth support? i can't find an os x client that
has this feature.
I can connect to our sonicwall FW when i turn off xauth, but our group VPN
policy requires this and i am not allowed to keep it disabled.
any thoughts?
thanks,
Manu Sawkar
Re: xauth
by cnadig on 2004-06-23 18:20:06 +0200
Hello Manu,
IPSecuritas is completely dependant on racoon, the IKE daemon which is
responsible for the authentication and key exchange. According to their
webseit (http://www.kame.net/racoon), theyhave no plans to support
XAUTH as it is not an official IETF standard.
As soon as racoon supports XAUTH, IPSecuritas will.
Cheers,
Christoph
Re: xauth
by shaddow on 2006-01-19 01:17:34 +0100
Does Tiger support xauth yet?
I read here that it did, and was hoping if it was true it would be added to
IPsecuritas.
http://wiki.openswan.org/index.php/InteroperatingMac
I also saw that racoon went to ipsec-tools and I believe ipsec-tools now
supports xauth?
Re: xauth
by gdanko on 2006-01-30 04:49:13 +0100
How does VPN Tracker implement xauth?
Re: xauth
by cnadig on 2006-01-31 00:34:03 +0100
Hello,
a beta version of IPSecuritas 3.0 with support for XAUTH is available (not
yet public but on request) and I'm looking for testers. If interested, please
send me an e-mail to [email protected].
Christoph
Re: xauth
by gdanko on 2006-01-31 19:43:32 +0100
I installed the beta. Here are my settings on both ends.
Here are my settings for the SonicWall 5060...
[b]General Tab[/b]
IPSec Keyring Mode: IKE using Preshared Secret
Name: WAN GroupVPN
Shared Secret: SomeSharedSecretKey
[b]Proposals Tab[/b]
[u]IKE (Phase 1) Proposal[/u]
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1
Life Time (seconds): 28800
[u]Ipsec (Phase 2) Proposal[/u]
Protocol: ESP
Encryption: 3DES
Enable Perfect Forward Security: Unchecked
[b]Advanced Tab[/b]
Enable Windows Networking (NetBIOS) Broadcast: Checked
Enable Multicast: Unchecked
Management via this SA: HTTP and HTTPS unchecked
Default Gateway: 0.0.0.0 (aka None)
Require Authentication of VPN Clients via XAUTH: Checked
User Group for XAUTH users: Trusted Users
Here are my IPSecuritas Settings
[b]General Tab[/b]
Remote IPSec Device: aaa.bbb.ccc.ddd
Local Side Endpoint Mode: Host (IP left empty)
Remote Side Endpoint Mode: 10.0.10.0
Network Mask (CIDR): 24
[b]Phase 1 Tab[/b]
Life Time: 28800 Seconds
DH Group: 1024 (2)
Encryption: 3DES
Proposal Check: Obey (SonicWall tech doesnt know what this is for)
Nonce Size: 16
[b]Phase 2 Tab[/b]
Lifetime: 28800 Seconds
PFS Group: None
Encryption: Only 3DES is checked
Authentication: Only SHA1 is checked
[b]Id/Auth Tab[/b]
Local Identifier: Address (SonicWall tech doesnt know what this is for)
Remote Identifier: Address (SonicWall tech doesnt know what this is for)
Authentication Method: Preshared Key (my key here)
[b]Options Tab[/b]
The SonicWall tech didn't know what to put here so everything is left
Re: xauth
by shaddow on 2006-02-16 04:13:35 +0100
I tried emailing a week or so ago and have heard nothing. I can test this on
a router here that supports xauth.
a beta version of IPSecuritas 3.0 with support for XAUTH is available (not
yet public but on request) and I'm looking for testers. If interested, please
send me an e-mail to [email protected].
Christoph[/quote]
Re: xauth
by ritani on 2006-03-28 16:43:57 +0200
Hi,
We are using xauth with RSA and not with pre-shared key, was anyone able
to make it work?
We are testing revision 3.0 with Netscreen 208 version 5.1.0r4a.0.
Thank you,
ritani
Re: xauth
by ritani on 2006-03-29 15:55:59 +0200
We also tried xauth with preshared keys, but it seems that the Netscreen is
not detecting that the client is sending him any password while the client
starts Phase 2 negotiations.
Below is the log of the Netscreen:
2006-03-29 14:04:26 info IKE: User <[email protected]> with ID <75>
requested a connection
2006-03-29 14:04:26 info IKE<192.168.136.24> Phase 1: Responder
starts AGGRESSIVE mode negotiations.
2006-03-29 14:04:26 info IKE: User <[email protected]> with ID <75>
requested a connection.
2006-03-29 14:04:26 info IKE<192.168.136.24> Phase 1: IKE responder
has detected NAT in front of the local device.
2006-03-29 14:04:26 info IKE<192.168.136.24> Phase 1: IKE responder
has detected NAT in front of the remote device.
2006-03-29 14:04:26 info IKE<192.168.136.24> Phase 1: Completed
Aggressive mode negotiations with a <28800>-second lifetime.
2006-03-29 14:04:26 info IKE<192.168.136.24> Phase 2 msg ID
<fb4be856>: Responded to the peer's first message.
2006-03-29 14:04:26 info Rejected an IKE packet on loopback.1 from
192.168.136.24:4500 to 192.168.140.2:4500 with cookies
d2b2a44cc455b8a0 and 70ac984644c807a1 because a Phase 2 packet
arrived while XAuth was still pending.
2006-03-29 14:04:26 info IKE<192.168.136.24> Phase 2 msg ID
<fb4be856>: Negotiations have failed.
2006-03-29 14:04:32 info IKE<192.168.136.24>: XAuth login was aborted
for gateway <CNSwlanGW>, username <zs03>, retry: 0.
2006-03-29 14:04:40 info IKE<192.168.136.24>: XAuth login expired and
was terminated for username <zs03> at <192.168.157.105>.
Has any body faced the same?
Thanks
IPSec with Bintec Router works fine.
IPSec with Bintec Router works fine.
by netgoblin on 2004-06-14 10:15:58 +0200
Hello,
for information I have tested IPSecuritas with Bintec Router IPsec.
- Presahred Key and Certificate works
- But in the moment only 3des / AES encryption works.
By interest I may send the config form both sides.
by netgoblin
Re: IPSec with Bintec Router works fine.
by cnadig on 2004-06-23 18:17:45 +0200
Hello Netgoblin,
I'd be thankful for a short description that I could add to the online help in
IPSecuritas!
Thanks,
Christoph
by netgoblin on 2004-06-28 09:44:28 +0200
IPSec Config Bintec VPN25:
1. IPSec Main Screen
2. IKE Phase 1 defaults
3. IPsec Phase 2 defaults
4. Peer Config
4.1 Traffic List
5. Certificates
5.1 CA Certificat
5.2 Own Certificat
5.3 Peer Certificat
6. Tips
Software Releases:
Bintec VPN25:
fossie:> show rev
Logik :
V.1.0
Bootmon :
V.7.1.2
Boss
:
V.7.1 Rev. 2 (Patch 8 ) IPSec V. 2.1.1 from 2004/06/17
00:00:00
1. IPSec Main Screen
VPN Access 25 Setup Tool
BinTec Access Networks GmbH
[IPSEC]: IPsec Configuration - Main Menu
fossie
_______________________________________________________________________________
Enable IPSec
: yes
Pre IPSec Rules >
Configure Peers >
Post IPSec Rules >
IKE (Phase 1) Defaults *autogenerated*
IPsec (Phase 2) Defaults *autogenerated*
Certificate and Key Management >
edit >
edit >
Advanced Settings >
Wizard >
Monitoring >
SAVE
CANCEL
_______________________________________________________________________________
2. IKE Phase 1 defaults: (*autogenerated*)
[IPSEC][PHASE1][EDIT]
fossie
_______________________________________________________________________________
Description (Idx 1) : *autogenerated*
Proposal
: 2 (DES3/MD5)
Lifetime
: 7200 Sec (1)
Group
: 2 (1024 bit MODP)
Authentication Method : RSA Signatures
Mode
: id_protect
Heartbeats
: none
Block Time
: 0
by netgoblin on 2004-06-28 09:45:03 +0200
5. Certificates
5.1 CA Certificat
[IPSEC][CERTMGMT][OWN]: IPsec Configuration - Certificate Management
fossie
_______________________________________________________________________________
Flags: 'O'= own cert, 'CA'= CA cert, 'N'= no CRLs, 'T'= cert forced trusted
Description
Flags SerialNo Subject Names
vpn25-fossie O
2
CN=vpn25, OU=Support, O=netgoblin, ST=Bav
DOWNLOAD
DELETE
EXIT
_______________________________________________________________________________
5.2 Own Certificat
[IPSEC][CERTMGMT][CAS]: IPsec Configuration - Certificate Management
fossie
_______________________________________________________________________________
Description
Chewbacker
O=netgoblin
Flags SerialNo
CA,N,T 0
Subject Names
CN=chewbacker, OU=chewbacker,
DOWNLOAD
DELETE
EXIT
_______________________________________________________________________________
5.3 Peer Certificat
[IPSEC][CERTMGMT][PEERS]: IPsec Configuration - Certificate Management
fossie
_______________________________________________________________________________
Description
powerbook
Flags SerialNo Subject Names
T
0
OU=pb4, O=netgoblin, ST=Bavaria, C=DE, [n
DOWNLOAD
DELETE
EXIT
______________________________________________________________________________
8.
Watch your time and date on the Bintec specialy when you work with
certificates. ( New Bintec Products have not realtime clocks.)
Timesync via ntp or isdn.
fossie:> date
Mon Jun 28 9:33:35 2004
Debug level increment.
IPSecuritas appears to be doing nothing at all
IPSecuritas appears to be doing nothing at all
by DarkBytes on 2004-06-23 14:58:52 +0200
Hi I have installed & ran the latest version of IPSecuritas on macOS 10.2.8 in
an attempt to have it connect through our checkpoint NG firewall.
The thing is after configuring the client , & attempting to intialize a
connection, My gateway logs are showing no connections from the client at
all ?
I must be doing something fundementally wrong , but it is as if the
IPSecuritas is doing nothing at all.
also could someone explain where i can find the logs for the client , or how
i run it in verbous mode.
I would assume that as long as i have the correct ip of my gateway &
roughly the correct settings on the client , i should see some kind of
connection attempts on my firewall, be them failed attempts etc.
please help
Many many thanks
Re: IPSecuritas appears to be doing nothing at all
by cnadig on 2004-06-23 18:14:31 +0200
Hello,
to open the log window, go to File and select Open Log. The log detail can
be increased in the preferences.
I would also assume that there should be some activity visible in the
firewall's log, as long as the 'Establish IKE' option is enabled in IPSecuritas.
I can probably give more hints if you'd post the IPSecuritas log (with log
level to debug or verbose debug) - please remove any confidential
information.
Christoph
Can you use certs and user/pass on same connection
Can you use certs and user/pass on same connection
by LoopyShane on 2004-06-23 18:14:37 +0200
This may be a unique setup here but my client has just had a BSD based
router installed that is setup for incoming L2TP over IPSec connections that
use a cert as well as username/password auth.
Apple's Internet Connect allows the username/password but no certs.
IPSecuritas allows the certs but I can't see that it allows user/pass.
Is there a way to use both or get IPSecuritas to add cert auth to the apple
connect?
Or is there a way to get IPSecuritas to use the user/pass?
Re: Can you use certs and user/pass on same connec
by nbirnbaum on 2004-08-26 21:21:30 +0200
Did you ever figure this out?
Re: Can you use certs and user/pass on same connec
by Fernando J. Pereda on 2004-09-08 02:14:35 +0200
I really need this.... If you know how to do it. It'd be great !
Cheers
Stop IPSec keeps GIF1 alive - Route corrupt
Stop IPSec keeps GIF1 alive - Route corrupt
by mhaury on 2004-06-29 14:02:18 +0200
Hello,
Don't know if this is a bug or not, I have two VPN connection setup in
parallel, one for our Intranet, another for our DMZ. Both work fine however
when I stop IPSec the second connection (to the DMZ) continues to stay
active, although apparently IPSec is shutdown.
At least the routing table seems wrong and indicates a route via GIF1 (and
should be EN0):
route to: xxx.aaa.bbb.com
destination: 192.168.0.0
mask: 255.255.0.0
interface: gif1
flags: <UP,DONE,STATIC,PRCLONING>
recvpipe sendpipe ssthresh rtt,msec rttvar hopcount
mtu
expire
0
0
0
0
0
0
1280
0
I'm Running OSX10.3.4 all updates and IPSecurityas 2.0.5
Any ideas, also how can I reset the routes correctly such that things work,
'route flush' does not work, only restart.
Thanks for the GREAT Software anyway !!!
Matthias
checkpoint userc.C file
checkpoint userc.C file
by ac7ub on 2004-06-30 11:05:31 +0200
Greetings folks,
Does anyone out there know how to extract the pkcs12 certificate from
a userc.C file my company gave me for the winblows client and convert it
to a format I can import?
Re: checkpoint userc.C file
by llllllllllllllllllllllll on 2004-09-30 03:51:32 +0200
Did anyone ever figure this out? I have a userc.C file from windows that I'd
like to use to set up IPS on my new Mac.
Are these keys linked with hardware in anyway? I'm wondering if there is
some Intel chip code that it's looking for.
Using IPSecuritas for a VPN-1 SecuRemote login
Using IPSecuritas for a VPN-1 SecuRemote login
by mluker on 2004-07-07 00:50:03 +0200
I have an office VPN that is accessed using the standard VPN-1 SecuRemote
client on Windows. I have a powerbook at home I would rather use than the
corporate laptop I was given.
I have tried to get IPSecuritas setup, but I must confess to being complete
ignorant of what settings I should use. My HelpDesk only supports the
Windows software, and the "settings" they gave me were next to useless
(i.e. enter this IP and use your login) when it comes to all the IPSecuritas
settings.
Does anyone have the standard settings for a CheckPoint firewall that is
normally accessed by a SecuRemote client?
Any help at all is greatly appreciated :D
Re: Using IPSecuritas for a VPN-1 SecuRemote login
by Matthias Haury on 2004-07-08 19:43:08 +0200
Hello,
we had the same problem, we have a pretty much standard VPN setup in a
Checkpoint NG... so here are the settings for IPSecuritas that work for us:
remote device <IP of your Checkpoint FW>
remote network 172.22.0.0/16 (or whatever netmask you choose for
access)
local mask 32
main
shared secret: <password entered in VPN of Checkpoint>
local IP: <leave empty>
mode: aggressive
proposal check: claim
nounce size: 16
phase 1
lifetime 1440 secondss
dh group 2
3des
sha1
phase 2
lifetime 3600 seconds
pfs group 2
3des
hmac_sha1
id
local: <your email or whatever ID you entererd in Checkpoint>
remote:<leave empty>
Here for a couple of commandline tools to see your setup once started in IP
Securitas (you need to be root or run as sudo)
Diagnosis:
==========
See the Current Setup
sudo setkey -DP
Flush the Current Setup
sudo setkey -FP
Hope that helps.. we have some problems when stopping the IPSecuritas
on OSX 10.3.4 where it sometimes keeps the gif1 Interface active for a
second VPN connection that one enters (see my post on this issue), other
than that it works great. You can add a special local IP if you wish (i left it
empty above), and this helps you to be identified correctly.. however you
cannot specify the same network range for local IP as the one behind your
Checkpoint FW !!!
Best.
Matthias
by mluker on 2004-07-08 22:15:47 +0200
Thanks for your reply. Unfortunately it is still not working :-(
Here are the settings I currently have:
General
Mode: Host To NetWork
Remote IPSec Device:
[address as given to me by support for SecuRemote]
Remote Network: [same address sans a byte] / 24
Local Address: <blank>
Proposal: Claim
Nonce: 16
Phase 1
Lifetime: 1440
DH Group: Mod1024(2)
Encryption: 3DES
Phase 2
Lifetime: 3600
PFS Group: Mod1024(2)
Encryption: 3DES
Authentication: HMAC SHA1
ID/Auth
Identificaton: DN: [my username]
Remote Identifier: Address
Authentication: Preshared Secret: [my password]
Options:
IPSec/IKE Options:
IPSEC DOI, SIT_IDENTITY_ONLY, Initial Contact,
Generate Policy, MIP6
General Options:
---Is there something I am missing? From the log file, it appears to be failing on
phase 1:
[quote]
Jul 8 13:03:32 meson racoon: INFO: isakmp.c:1953:isakmp_post_acquire():
IPsec-SA request for checkpoint-ip queued due to no phase1 found.
Jul 8 13:03:32 meson racoon: DEBUG: isakmp.c:1001:isakmp_ph1begin_i():
===
Jul 8 13:03:32 meson racoon: INFO: isakmp.c:1006:isakmp_ph1begin_i():
initiate new phase 1 negotiation: 10.20.20.33[500]<=>checkpoint-ip[500]
Jul 8 13:03:32 meson racoon: INFO: isakmp.c:1011:isakmp_ph1begin_i():
begin Aggressive mode.
Jul 8 13:03:32 meson racoon: DEBUG: isakmp.c:2265:isakmp_newcookie():
new cookie: 9fac4f294e77ce4f
Jul 8 13:03:32 meson racoon: DEBUG: ipsec_doi.c:3212:ipsecdoi_setid1(): use
ID type of FQDN
Jul 8 13:03:32 meson racoon: DEBUG: oakley.c:257:oakley_dh_generate():
compute DH's private.
Jul 8 13:03:32 meson racoon: DEBUG: oakley.c:259:oakley_dh_generate():
compute DH's public.
Jul 8 13:03:32 meson racoon: DEBUG: isakmp_agg.c:169:agg_i1send():
authmethod is pre-shared key
Jul 8 13:03:32 meson racoon: DEBUG: isakmp.c:2382:set_isakmp_payload():
add payload of len 48, next type 4
by Matthias Haury on 2004-07-19 10:40:38 +0200
Hello,
well, sorry, might be my mistake, have now some different settings
running, but don't remember if this was because of an upgrade of NG... try
those:
Tab: Phase 1
Lifetime 28800 seconds
Group: mod1024(2)
Endryption: DES
Tab: Id/Auth
Encryption:
I have active: DES, AES256, 3DES, AES128
Authenciation:
I have HMAC MD5 and HMAC SHA1
Options:
I don't have selected "Verify Identifier"
Everything else is identical to yours...
If this does not work, you have to see with your support what are the
settings they hacked into Checkpoint.. maybe they modified the default
ones.
Also verify that your IP netmask is really /24
Let me know if this helps...
M.
by Helmut Peschke on 2004-09-21 17:40:00 +0200
Hi folks,
I am using IPSecuritas on Mac OS 10.3.5 with CheckPoint with all the
parameters described in the HOWTO, however the Local Identifier in
Id/Auth has to be written as
name@domain
(e.g. the email adress), which in turn has to be the userid in the VPN-1
software, otherwise the contents is not identified as user id.
Hope this helps.
by Fabrice on 2004-11-06 18:43:38 +0100
[quote author=Helmut Peschke link=1089154204/0#4
date=1095781200]Hi folks,
I am using IPSecuritas on Mac OS 10.3.5 with CheckPoint with all the
parameters described in the HOWTO, however the Local Identifier in
Id/Auth has to be written as
name@domain
(e.g. the email adress), which in turn has to be the userid in the VPN-1
software, otherwise the contents is not identified as user id.
Hope this helps.[/quote]
Can you help me ?
I used with success vaporsec 0.9 on panther, but I know that the developer
stop this program, and he suggests IPSecuritas.
I'm just trying to connect my computer from my home to my network
(firewall checkpoint).
I can admin the server side.
I've got the "green check" on IPSecuritas, but the log give the error :
Nov 6 18:12:14 XXXX racoon: NOTIFY: oakley.c:2057:oakley_skeyid():
And of course it doesn't work.
Is the problem you're talking about ?
You mean that in the "local identifier DN" I put my full e-mail ?
And on server side, I put the full e-mail ? Where ?
Thanks a lot in advance
Kind regards
by cnadig on 2004-11-07 01:42:25 +0100
Hello Fabrice,
try disabling the 'Verify Identifier' option in IPSecuritas.
Let us know how it goes!
Cheers,
Christoph
by Fabrice on 2004-11-07 10:12:10 +0100
Fabrice,
try disabling the 'Verify Identifier' option in IPSecuritas.
Cheers,
Christoph[/quote]
Thanks for your answer. "Verify Identifier" was already disabled.
by fabrice on 2004-11-07 10:47:12 +0100
Difficult to explain, but it works !
The only thing I've changed is in phase 2 in IPSecuritas : I've unchecked
DES, AES 128, AES 256 and HMAC MD5.
Of course anybody can tell me my settings, if it can help.
Thanks for your help.
Using IPSecuritas with NetScreen 208
Using IPSecuritas with NetScreen 208
by joanba on 2004-07-09 19:43:03 +0200
Hi,
I'm a completely newbie with VPN questions and I want to know if what is
happening to me is normal.
We use a NetScreen 208 firewall to protect our company network and I want
to access it from Internet using a Mac ( MacOS X 10.3.4 ).
The NetScreen is configured to use L2TP, I think that without IPSec. I can
connect, but look what I need to do:
I've configured Internet Connect, using VPN(L2TP), I write my
user/password but in the log appears:
Fri Jul 9 19:37:19 2004 : L2TP: starting racoon...
Fri Jul 9 19:37:22 2004 : L2TP connecting to server '62.ZZ.XX.YY'
(62.ZZ.XX.YY)...
Nothing else.
But if I run IPSecuritas 2.0.5 ( without any configuration ), the Start IPSec
button is disabled and Stop IPSec is enabled. If I press Stop IPSec the
connection starts and works fine:
Fri
Fri
Fri
Fri
Fri
Fri
Fri
Fri
Fri
Fri
Fri
Fri
Jul
Jul
Jul
Jul
Jul
Jul
Jul
Jul
Jul
Jul
Jul
Jul
9
9
9
9
9
9
9
9
9
9
9
9
19:37:26
19:37:26
19:37:26
19:37:26
19:37:26
19:37:26
19:37:26
19:37:26
19:37:26
19:37:53
19:37:53
19:37:53
2004
2004
2004
2004
2004
2004
2004
2004
2004
2004
2004
2004
:
:
:
:
:
:
:
:
:
:
:
:
L2TP connection established.
Using interface ppp0
Connect: ppp0 <--> socket[34:18]
Remote message: We welcome you.
acsp resetci called
local IP address 10.250.250.1
remote IP address 62.ZZ.XX.YY
primary DNS address 10.0.0.15
secondary DNS address 10.0.0.16
Terminating on signal 15.
Connection terminated.
Connect time 0.5 minutes.
And when I close the connection the log also finishes:
Fri Jul 9 19:37:53 2004 : Sent 44 bytes, received 0 bytes.
Fri Jul 9 19:37:53 2004 : L2TP disconnecting...
Fri Jul 9 19:37:53 2004 : L2TP disconnected
Any idea or comment ? What I'm doing wrong ?
Best regards,
Joan B. Altadill
VPN is happy; but can't see remote network
VPN is happy; but can't see remote network
by twarge on 2004-07-15 06:52:55 +0200
So I've made a connection with the linksys BEFVP41 router in the lab; I have
a nice green checkbox and both sides seem to agree that they're happily
connected. Now I'm missing something rather serious here: I'm not seeing
the remote network.
I've tried various computer's IP addresses and get no response. If I look at
the computers in the Network folder, I see just the local computers at home
like I've always seen. So how do I channel all my traffic through the tunnel?
What am I missing?
Help is greatly appreciated.
Tom Kornack
Re: VPN is happy; but can't see remote network
by sbickle on 2004-07-29 16:39:20 +0200
Is this still a problems? It would sound like the IPSEC tunnel doesn't contain
the right information for what IP's are on the other side of the remote
network...
by sfazzina on 2004-08-06 02:43:54 +0200
I HAVE THE SAME PROBLEM :) - EXCEPT - I DO NOT HAVE A CHECKBOX - I
HAVE A RED X
by Matt Deatherage on 2004-08-06 09:36:43 +0200
I have the same problem, and it's not that the tunnel contains the wrong
information. The BEFVP41 reports that the tunnel is connected, and the
remote computer correctly reports that traffic to the local area network
should be routed through gif0 - but nothing happens. The network on the
Linksys end is 192.168.1/24, and the remote computer is trying to connect
as 192.168.1.100, but even though the tunnel is up and the routing is
right, the remote computer can't reach any machines on the local network
or vice-versa. Attempts on the local network to ping 192.168.1.100 are
fruitless.
by Laurens van Hoorn on 2004-11-04 09:06:41 +0100
I (now) have the same problem, although the VPN used to work fine from
another location. Unfortunately, that location is on another continent so
going back there is not an option.
No indication in the log that anything is wrong:
Nov 4 08:50:19 PowerBook-G4-Laurens IPSecuritas:
done
Parsing configuration
Setting up racoon.conf
Setting up setkey.conf
Setting up psk.txt
Setting up tunnel.conf
Starting racoon...
Racoon is running
Set kernel keys
So what could be the problem?!
Any suggestions greatly appreciated.
by Rich on 2004-11-05 12:29:19 +0100
Same trouble. Cannot ping wireless machines from Xserve, cannot see
wired Macs in Local on wireless machines. Wireless machines can see each
other in Local
by JP on 2004-12-02 00:34:27 +0100
I had the same problem if I try to VPN from the corporate network. Turns
out they filter just about everything. No ipsec pass-thru, no ESP, etc.
Here's how you can test. Dial up to AOL via modem, try to VPN again, now
it should work. If you can ping your remote machine, then you know for
sure something is being filtered.
Hope this helps someone.
Y'all might want to have a look at the stuff on [size=13]
[url]http://www.derman.com/Misc/VPN/Overview.html[/url][/size].
'Though it's for a LinkSys [b]BEFSX41[/b], the information also applies to
the [b]BEFVP41[/b].
Hope this helps.
FVL328 denial of service?
FVL328 denial of service?
by davehodg on 2004-07-21 17:11:15 +0200
I've got a Netgear FVL328 merrily conversing with Netgear Windows VPN
client software.
I've set up IPSecuritas, as far as I can see, identically to the textbook
example that Netgear supply.
It negotiates the IKE phase1 fine but then the phase 2 just ends up with a
bunch of stuff as attached at the end. Seems like it's just lost the plot.
Worse still, it seems to knock out the internet-facing interface on the
router! Not good.
Any ideas?
Jul 21 15:39:26 Daves-PB racoon: DEBUG:
algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_sha1)
oakley.c:759:oakley_compute_hash1(): HASH computed:
Jul 21 15:39:26 Daves-PB racoon: DEBUG: plog.c:199:plogdump():
571bee24 e446718f 55faeb79 d1d7e435 fad70c7b
isakmp_quick.c:1810:get_sainfo_r(): failed to get sainfo.
isakmp_quick.c:1810:get_sainfo_r(): failed to get sainfo.
isakmp_quick.c:1044:quick_r1recv(): failed to get sainfo.
isakmp_quick.c:1044:quick_r1recv(): failed to get sainfo.
isakmp.c:1271:isakmp_ph2begin_r(): failed to pre-process packet.
isakmp.c:1271:isakmp_ph2begin_r(): failed to pre-process packet.
grabmyaddr.c:454:update_myaddrs(): caught rtm:2, need update interface
address list
address list
address list
Jul 21 15:39:27 Daves-PB racoon: DEBUG: pfkey.c:196:pfkey_handler(): get
pfkey X_SPDFLUSH message
Jul 21 15:39:27 Daves-PB racoon: DEBUG: pfkey.c:196:pfkey_handler(): get
pfkey FLUSH message
Jul 21 15:39:27 Daves-PB racoon: DEBUG: oakley.c:2563:oakley_newiv2():
compute IV for phase2
phase1 last IV:
Jul 21 15:39:27 Daves-PB racoon: DEBUG: plog.c:199:plogdump():
9caad0f2 386c356a d0a5d3d3
algorithm.c:252:alg_oakley_hashdef(): hash(sha1)
algorithm.c:382:alg_oakley_encdef(): encription(3des)
SonicWall PRO100
SonicWall PRO100
by Peter Pop on 2004-07-21 21:32:36 +0200
Hi,
Maybe some of you can tell me whats wrong here:
<removed date and machine name> IPSecuritas: Parsing configuration
<removed date and machine name> IPSecuritas: Setting up racoon.conf
<removed date and machine name> IPSecuritas: Setting up setkey.conf
<removed date and machine name> IPSecuritas: Setting up psk.txt
<removed date and machine name> IPSecuritas: Setting up tunnel.conf
<removed date and machine name> IPSecuritas: Parsing configuration done
<removed date and machine name> IPSecuritas: Starting racoon...
<removed date and machine name> IPSecuritas: Racoon is running
<removed date and machine name> IPSecuritas: Set kernel keys
<removed date and machine name> racoon: WARNING:
ipsec_doi.c:920:cmp_aproppair_i(): attribute has been modified.
ipsec_doi.c:920:cmp_aproppair_i(): attribute has been modified.
In the connection overview the connection has the green checkmark
indicating an established connection, so there's nothing wrong with the
link.
Netgear FVS318 Cofig Help!!
Netgear FVS318 Cofig Help!!
by Wayne Sturman on 2004-07-29 02:19:34 +0200
These are the settings I am trying to use to connect from my Powerbook G4
Laptop to my Imac G4 15" behind Netgear FVS318 both running OS x
10.3.4
Static Public IP address of my Netgear 66.93.84.14
Lan IP address of my Imac at the office: 192.168.0.25
Dynamic IP at home from cable modem- Powerbook connected to internet
via airport through Asante Freindly Net Router Model #FR3004C.
Local Lan IP address is 192.168.123.194
I am including jpgs of configuration settiings for both the netgear and
IPSecuritas as well as the Log file for these settings.
Please can anyone help!!
THIS IS THE MAIN VPN SCREEN FOR NETGEAR
[img]http://aquaexperts.com/IPs/Netgear_FVS318Main.jpg[/img]
THIS IS THE SETTINGS PAGE FOR NETGEAR
[img]http://aquaexperts.com/IPs/Netgear_FVS318settings.jpg[/img]
THIS IS THE GENERAL TAB FOR IPSecuritas
[img]http://aquaexperts.com/IPs/IPS_general.jpg[/img]
THIS IS THE PHASE 1 TAB FOR IPSecuritas
[img]http://aquaexperts.com/IPs/IPS_Phase1.jpg[/img]
THIS IS THE PHASE 2 TAB FOR IPSecuritas
[img]http://aquaexperts.com/IPs/IPS_Phase2.jpg[/img]
THIS IS THE ID/AUTH TAB GOT IPSecuritas
[img]http://aquaexperts.com/IPs/IPS_ID.jpg[/img]
THID IS THE LOG FILE GENERATED BY IPSecuritas when I try to connect
[img]http://aquaexperts.com/IPs/IPS_Log.jpg[/img]
CAN SOMEONE GIVE ME THE CORRECT SETTINGS SO I CAN CONNECT TO MY
OFFICE NETWORK
THANKS
WAYNE
Re: Netgear FVS318 Cofig Help!!
by sbickle on 2004-07-30 17:37:14 +0200
I had a lot of the same problems setting it up... My settings are similiar,
but I have aggressive mode selected with 3des, enable perf. and netbios
ARE checked.
What I found was that in the remote address field I had to specify the IP of
my IPSecuritas client and NOT the remote network.
Hope that helps.
S
by cnadig on 2004-08-02 23:23:44 +0200
Hello Wayne,
try disabling the 'verify identifier' option or set the remote identification to
address instead of DN.
Christoph
by John Hamann on 2004-08-05 04:56:33 +0200
I think your Proposal Check should be set to Claim, DH Group and PFS
Group should be set to Mod1024. I don't have Verify Identifier checked but
do have checked IPSec DOI, SIT_IDENTITY_ONLY, Initial Contact, MIP6 and
DHCP Pass-Though. Hope this helps.
NETGEAR FVS318 doesn't allow remote network
NETGEAR FVS318 doesn't allow remote network
by sbickle on 2004-07-29 16:35:37 +0200
After reading through the other messages and playing around with multiple
settings I was able to get the FVS318 talking. The problem I found is that
for some reason it does not work if I set the remote as a network with a
/24 only if I set it as single host and put the private IP of the remote
device.
Has anyone else seen this? Any ideas what causes this?
Thanks in advance
S
Import certificate failed
Import certificate failed
by Yann Borg on 2004-08-03 00:47:07 +0200
Hello,
if I receive and download a certificate from Microsoft Entourage v.X or
v.2004, IPSecuritas is not able to import it properly:
Failed to import xxx_cert.pem. Please make sure the file contains a
signed X.509 certificate in PEM format.
But if I bounce the mail to Mail.app and download the certificate, then
IPSecuritas import it fine.
I'm not very ease in UCL but when I make a 'diff file1 file2' the result ist "No
newline at end of file".
Have a look with BBEdit in the file doesn't help me to find where the new
line is in the one file and should be in the second.
It seems to be an Entourage bug/whatever, but could IPSecuritas recognize
such certificate although?
Thanks,
Yann
Re: Import certificate failed
by Yann Borg on 2004-08-03 14:07:21 +0200
Hi,
I've asked our security partner and he tolds that on byte level, an Entourage
"Newline" is a 0x0d (Carraige Return) and for Mail.app a 0x0a (Line Feed).
Could IPSecuritas be more tolerant to accept those Entourage newlines?
Thanks,
Yann
Re: Import certificate failed
by Yann Borg on 2004-08-03 23:06:44 +0200
Hello again,
a helpfull and easy workaround is to open a certificate who was
downloaded from Microsoft Entourage with BBEit Lite and to save it with
"options" > "Line Break" > "Unix". So IPSecuritas 2.0.6 will import the
certificate it could not before, because of the Macintosh line break.
Regards,
Yann, alone in the forum today? ;-)
having a problem with certificates
having a problem with certificates
by sfazzina on 2004-08-04 20:45:07 +0200
IPSecuritas will not allow me to select the use of certificates in the config.
All cert. related checkboxes are greyed out and not available - can
someone help me get these boxes woken up?
Re: having a problem with certificates
by cnadig on 2004-08-04 20:55:59 +0200
Hello,
have you already imported the certificates with the Certificates Manager?
Christoph
by sfazzina on 2004-08-05 04:37:03 +0200
have you already imported the certificates with the Certificates Manager?
Christoph[/quote]
Yes - they show up in the Cert Manager -
by cnadig on 2004-08-05 07:41:12 +0200
Hello,
if you select Certificates instead of Preshared Key for the authentication, the
certificates ID radiobuttons stay greyed-out?
Or is this button already greyed-out?
Christoph
by sfazzina on 2004-08-05 15:26:47 +0200
if you select Certificates instead of Preshared Key for the authentication, the
certificates ID radiobuttons stay greyed-out?
Or is this button already greyed-out?
Christoph[/quote]
ALL certificate options are greyed out.
here is a screenshot
[img]http://www.supersam.com/certt.jpg[/img]
I can provide more if you like - just tell me which screens you want to see.
Thanx
--sam
by sfazzina on 2004-08-05 17:01:56 +0200
NEVERMIND - I GOT MY ANSWER......
YOU NEED TO IMPORT A X.509 CERT AND PRIVATE KEY.
I DID IMPORT MY KEY - BUT NO PRIVATE KEY - THAT WAS THE PROBLEM.
THEN IT LIGHTS UP LIKE A XMAS TREE,
LOL
THANX ANYWAYS.
I WILL PROBABLY HAVE MORE QUESTIONS.
by sfazzina on 2004-08-06 02:12:24 +0200
hi again - sdo i finally got this thing to use certs - now it wont connect - i
get the following error - any help would be appreciated
Mac OS X Version 10.3.4 (Build 7H63)
Aug 5 20:05:25 SUPERBOOK syslogd: restart
Aug 5 20:05:25 SUPERBOOK syslogd: restart
Aug 5 20:05:27 SUPERBOOK racoon: ERROR:
Netgear FVM318 problem, any ideas?
Netgear FVM318 problem, any ideas?
by John Hamann on 2004-08-05 04:48:55 +0200
Hello, I have a VPN set up with a Netgear FVM318 router and it works
fine...except that I cannot connect to certain computers (OS X) on the office
network. Others can connect with no problem. All I can decern is that the
IP I am connecting to is not on the primary NIC but on a secondary one.
This is no problem locally, the IP can be pinged all day but through the
tunnel, it doesn't respond. Other computers, both OS 9 and OS X, ping OK
and can be connected to through Appleshare. Does anybody have any idea
what could be going on? ??? I've been banging my head with this one for
days now, any ideas would be much appreciated.
Re: Netgear FVM318 problem, any ideas?
I have not been able to connect from home using Mac OSX with a subnet
specified in the FVM318 settings. The only way was to specify an IP
address. I could see the entire network behind the FVM318, but so far they
cannot see me. This has not been a problem since I am normally the one
connecting to the office to get files.
I have not had any difficulty connecting to any of the computers behind the
FVM318. I might have to input the computer's IP address manually, but it
will always connect.
I have not been able to locate most of the computer with network browser.
Not sure what is causing the problem.
Steve
SonicWall VPN tunnel up, no network
SonicWall VPN tunnel up, no network
Sorry for opening a new topic if this isn't appropriate, just thought my
messages in the other SonicWall topic might be fairly buried.
Thanks for any help!!
I have been able to establish a successful host to network connection from
IPSecuritas to a SonicWall, but can't get access to the remote network. Here
are my current settings:
Firewall: SonicWall Pro-VX
-------------------------------VPN Summary(these feature are enabled):
Enable VPN
Enable IKE Dead Peer Detection
Dead Peer Detection Interval (seconds): 60
Failure Trigger Level (missed heartbeats): 3
Clean up Active tunnels when Peer Gateway DNS name resolves to a
different IP Address
SA: GroupVPN
IPSec Keying Mode: IKE using pre-shared secret
Security Policy:
SA Life time (secs): 28800
Phase 1 Encryption/Authentication: DES & MD5
Phase 2 Encryption/Authentication: Encrypt and Authenticate (ESP DES
HMAC MD5)
Shared Secret: ---------IPSecutas, version 2.0.6
Mac OS X 10.3.5
General:
Mode: Host to Network
Remote IPSec Device: (IP Address of firewall)
Remote Network: 10.5.1.0 / 24
(Also have tried setting local address)
Exchange Mode: Main
Phase 1:
Lifetime: 28800
DH Group: Mod768(1)
Encryption: 3DES
Phase 2:
Lifetime: 28800
PFS Group: None
Encryption: 3DES
Id/Auth:
Identifiers set to Address
Preshared Secret set
Options (these are enabled):
Compression Deflate
IPSec DOI
SIT_IDENTITY_ONLY
Initial Contact
Netgear FVS318 setup
Netgear FVS318 setup
by Brian Nichols on 2004-08-19 06:22:48 +0200
Can someone be so kind as to give the setup of their FVS318 and
IPSecuritas that WORK? I have been successfully using VPN Tracker but
would rather use IPSecuritas but I can't get a connection with the FVS318
settings as they are. I would rather just use the settings on the FVS318 that
work for someone else (minus the shared key, etc.) rather than play with my
settings as that has become very frustrating for a newbie to VPN. Thanks!
Re: Netgear FVS318 setup
by Brian Nichols on 2004-08-21 21:45:13 +0200
Never mind. It's actually quite easy to match the settings in IPSecuritas with
the FVS318. Thanks to the developer for this great app!
by edy piro on 2004-09-10 15:30:35 +0200
can you (or anyone else0 help me with config????
i have a netpilot as well, but i cannot make it work!
please help
:-)
thanks
edy
by edy piro on 2004-09-10 15:33:53 +0200
SORRY
i have a NETPILOT not a NETGEAR...any ideas?
thanks anyway
edy
by Greg on 2004-10-21 03:58:24 +0200
[quote author=Brian Nichols link=1092889368/0#1
date=1093117513]Never mind. It's actually quite easy to match the
settings in IPSecuritas with the FVS318. Thanks to the developer for this
great app![/quote]
I'm glad to hear that someone got it working... I've played with it all day still
to no avail....
Would you or anyone else mind posting your settings so the rest of us can
see something that's working?
Thanks
Greg
by Mike Johnson on 2004-11-23 12:49:27 +0100
Does anyone have a configuration that works with the FVS318?
IPSecuritas 2.0.6 problems
IPSecuritas 2.0.6 problems
by Paul van der Laan on 2004-08-26 12:06:41 +0200
I'm trying for several days now to get a 'host to network' connection to
work, but so far my attempts were unfruitfull. I'm using Panther 10.3.5 in
combination with a Vigor 2200E router to connect to the internet. When I
start IPSecuritas there's a red cross in the name of my configuration
indicating that no connection can be established. The worrying thing is that
when I stop and quit IPSecuritas my entire network connection is dead: no
e-mail, web or anything. I can only revive it again by rebooting the system.
This is what the logfile reads:
Aug 25 19:14:40 Vigor10 IPSecuritas: Parsing configuration
Aug 25 19:14:40 Vigor10 IPSecuritas: Setting up racoon.conf
Aug 25 19:14:40 Vigor10 IPSecuritas: Setting up setkey.conf
Aug 25 19:14:40 Vigor10 IPSecuritas: Setting up psk.txt
Aug 25 19:14:40 Vigor10 IPSecuritas: Setting up tunnel.conf
Aug 25 19:14:40 Vigor10 IPSecuritas: Parsing configuration done
Aug 25 19:14:41 Vigor10 IPSecuritas: Starting racoon...
Aug 25 19:14:42 Vigor10 IPSecuritas: Racoon is running
Aug 25 19:14:42 Vigor10 IPSecuritas: Set kernel keys
route: writing to routing socket: File exists
add net 192.168.1.0: gateway gif0: File exists
Aug 25 19:14:43 Vigor10 racoon: WARNING:
Aug 25 19:14:43 Vigor10 racoon: ERROR: isakmp_agg.c:384:agg_i2recv():
invalid ID payload.
invalid ID payload.
invalid ID payload.
invalid ID payload.
Aug 25 19:15:13 Vigor10 racoon: ERROR:
Aug 25 19:15:13 Vigor10 racoon: ERROR:
invalid ID payload.
invalid ID payload.
Aug 25 19:15:17 Vigor10 IPSecuritas: Flushing kernel keys
Aug 25 19:15:17 Vigor10 IPSecuritas: Stopping racoon...
Aug 25 19:15:18 Vigor10 IPSecuritas: Racoon normally terminated
Any help would be greatly appreciated.
Cheers,
Re: IPSecuritas 2.0.6 problems
by netgoblin on 2004-08-27 13:27:26 +0200
Hello Paul,
can you check ID/Auth parameters,
see log > ID value mismatched
cu netgoblin
Re: IPSecuritas 2.0.6 problems
by tom lafleur on 2004-08-28 06:15:39 +0200
I also am having problems with 2.06 and osx 10.3.5 into a Zyxel Zwall10...
using VPN tracker works fine on the same system...
IPSecuritas crashes FVL328, VPNTracker works!
IPSecuritas crashes FVL328, VPNTracker works!
by davehodg on 2004-08-26 12:43:41 +0200
Hi - revisiting connecting to and FVL328.
VPNTracker just went through a major version bump so I've been able to
re-test connecting to my FVL328.
Using exactly the same parameters as the Netgear VPN client recommends
(3DES/SHA-1/1024 in both phases), VPNtracker works perfectly and I can
see the internal network.
Loading up IPSecuritas, it sees the identical parameters (with most of the
option flags in phase 2 turned off), connects, the router's VPN status sees a
well-made connection but I can't see the internal LAN. Furthermore, the
LAN users stop being able to see the Internet!
It looks like we'll have to grudgingly fork out for VPNTracker licenses...
OS X 10.3.5 Server lost connection to IN
OS X 10.3.5 Server lost connection to IN
by Frogstar on 2004-08-29 19:22:30 +0200
Hi,
for a VPN Test i install IPsecuritas on my Webserver on an other location.
After start IPsecuritas and config a Setup i lost the connection to my server
over ARD (Apple Remote Desktop).
Then, i can't connect to my server over ssh or anything. The last chance for
me, to connect to my server ist to connect to another Computer in that
location und connect via Timbuktu in the local Subnet onto the server.
The firewall Setup is unchangend an i test it with turning the Firewall off,
too. But the Problem is the same.
If i'm in the local Network i can connect to the Server. If i'll try to connet
over the Internet the answer is "Connection refused"
My Server cannot connetct to the Internet after that.
Any Idea?
PS: Sorry about my english. Im from Germany and my english is not the
best. :-)
Nortel Problems
Nortel Problems
by rbrugman on 2004-09-04 22:26:59 +0200
Hello,
I am trying to connect to my schools VPN with my Mac. There is a PC client,
but Netlock wants to charge me $95 for their official nortel client. The
main problem is that the universities VPN switch is set to use Group
Password Authentication. I know the group username and password, but
that's it. I also know that the encryption is "3DES" and MD5 is mentioned.
That's pretty much all I can find out. If there's some way to get into
Netlocks config file, I could possibly tell more, but prefs.db just is a bunch
of text. I tried putting the settings in IPSecuritas, and this is what I got as
an output:
(Edit: Too long, so I put it as a .rtf file)
http://hosted.reaktor6.net/ipsec_error.rtf
I hope someone can help me decipher.
Robert
Re: Nortel Problems
by rbrugman on 2004-09-04 23:10:31 +0200
I found out some more information that I hope helps. I installed the VPN
client for Windows on my desktop and made a log file, and I also took a
screenshot. Here they are:
Log file from PC:
http://hosted.reaktor6.net/vpn_pc.txt
Screenshot from PC:
http://hosted.reaktor6.net/vpn_pc_ss.jpg
I seriously hope that can help someone help me.
Robert
Re: Nortel Problems
by rbrugman on 2004-09-07 04:17:01 +0200
I have more information. The creators of VPN tracker say that at least in my
case, the Nortel VPN switch is using an IPSec extension called mod_cfg.
Does anyone know if IPSecuritas has this feature?
Thanks,
Robert
Any issues re recent Security Update 9-7?
Any issues re recent Security Update 9-7?
Is there any reason to hold off applying this Security Update? Any effect on
IP Securitas?
Thanks,
-Randy
IPSecuritas and NAT-T support, routing issues
IPSecuritas and NAT-T support, routing issues
by seano on 2004-09-09 03:54:08 +0200
Hi all,
I checked out IPSecuritas after finding out VPN Tracker doesn't have NAT-T
support. I'm using OS 10.3.4.
Seems I can establish a tunnel ok, but two things are wrong:
1.) On a NAT'ed network, I can't actually communicate to a host over the
tunnel. I've verified our firewall (isakmpd/pf on openbsd) is correctly
allowing ESP traffic. Seems NAT-T support is not working.
2.) When tunnels are created, I don't see a route created in the routing
table. Is this normal?
thanks,
Sean
Re: IPSecuritas and NAT-T support, routing issues
by seano on 2004-09-14 22:36:13 +0200
does anyone have an idea or am i just out of luck for support?
Re: IPSecuritas and NAT-T support, routing issues
by Grant Janssen on 2004-09-16 07:09:06 +0200
:P Me too, I feel your pain.
I can establish a "Host To Network" connection. Keys exchange fine, but I
can't stuff anything over the tunnel. When I move my laptop on the other
side of the router (no NAT), this runs perfectly.
I've seen VPN client software function with NAT, so I know this can work, as
long as you don't try to establish multiple tunnels from the same NATed
network to the same destination firewall.
All my other clients are PCs running the SafeNet SoftRemote product
[url]http://www.safenet.biz/prod/software/software_a.asp[/url]. This
supports NAT, and has run well for us, but is PC only.
Is there some setup detail I've missed? ???
Cookies Colliding using IPSecuritas to SOHO 6tc
Cookies Colliding using IPSecuritas to SOHO 6tc
by Graeme Rae on 2004-09-22 01:58:52 +0200
Trying to connect from a 192.168.1.# network via net and SOHO 6tc to a
192.168.146.# network. Using a Mac OSX10.3.5
All security settings are identical on each side (checked many times)
Getting this error:
Sep 21 16:32:32 graemes-g4 racoon: DEBUG: sockmisc.c:421:sendfromto():
sockname 192.168.1.56[500]
send packet to 64.7.211.227[500]
1 times of 112 bytes message will be sent to 192.168.1.56[500]
Sep 21 16:32:32 graemes-g4 racoon: DEBUG: plog.c:199:plogdump():
fc7dfa15 5b5d18bf 00000000 00000000 01100100 00000000 00000070
05000034 00000001 00000001 00000028 01010001 00000020
01010000 800b0001 800c7080 80010005 80030001 80020001
80040001 0a00000c 011101f4 c0a80138 00000014 e2e59147 a73c03ce
319df5da 5dd11fdf
Sep 21 16:32:32 graemes-g4 racoon: DEBUG:
fc7dfa155b5d18bf:0000000000000000
64.7.211.227[500]
Sep 21 16:32:32 graemes-g4 racoon: DEBUG: plog.c:199:plogdump():
fc7dfa15 5b5d18bf 00000000 00000000 0b100500 00000000 00000044
00000028 00000001 01000004 fc7dfa15 5b5d18bf 00000000 00000000
01100100 00000000 00000070
Sep 21 16:32:32 graemes-g4 racoon: DEBUG: isakmp.c:531:isakmp_main():
Sep 21 16:32:52 graemes-g4 racoon: ERROR:
isakmp.c:1706:isakmp_ph1resend(): phase1 negotiation failed due to time
up. fc7dfa155b5d18bf:0000000000000000
Sep 21 16:32:52 graemes-g4 racoon: ERROR:
up. fc7dfa155b5d18bf:0000000000000000
Any ideas? Please Help!!!
Using
Phase 1/Mod768/3Des/MD5
Phase 2/No PFS/3Des/Md5
Local ID DN: graeme
Remote ID: Address
Auth: Pre-shared secret (checked many times)
Problems with PPP
Problems with PPP
by strandoo on 2004-09-22 14:08:30 +0200
I've been able to use IPSecuritas from my home via an ADSL account, but
can't get it to work when I use a modem/ppp dial-up account. Any ideas
about what I'm doing wrong?
Thanks.
racoon: must be root to invoke this program
racoon: must be root to invoke this program
by cdant on 2004-09-29 04:01:32 +0200
I'm having an error with starting up a connection, getting an error from
racoon that I must be root to invoke it. I've tried setting racoon to suid root
but that didn't resolve the issue.
Here's my log:
Sep 28 21:30:27 localhost IPSecuritas: Parsing configuration
Sep 28 21:30:27 localhost IPSecuritas: Setting up racoon.conf
Sep 28 21:30:27 localhost IPSecuritas: Setting up setkey.conf
Sep 28 21:30:27 localhost IPSecuritas: Setting up psk.txt
Sep 28 21:30:27 localhost IPSecuritas: Setting up tunnel.conf
Sep 28 21:30:27 localhost IPSecuritas: Parsing configuration done
Sep 28 21:30:27 localhost IPSecuritas: Could not create
/etc/syslog_ipsecuritas_orig.conf
Sep 28 21:30:27 localhost IPSecuritas: Starting racoon...
racoon: must be root to invoke this program.
Sep 28 21:30:27 localhost IPSecuritas: Failed to start racoon
Sep 28 21:30:27 localhost IPSecuritas: Stopping racoon...
Sep 28 21:30:27 localhost IPSecuritas: Racoon normally terminated
Sep 28 21:30:27 localhost IPSecuritas: Flushing kernel keys
pfkey_open: Operation not permitted
pfkey_open: Operation not permitted
from scratch
from scratch
by love on 2004-10-05 00:35:00 +0200
Hi folks!
I am a real newbie on this i being trying to figure ut how to set up a VPN
connection, but its just to many different parameters to set to figure put my
self !
this is what it looks like
------------------------------Office Network
Zywall10
set to NAT
LAN IP: 192.168.3.0~
Config in Zywall10
Menu 27.1.1 - IPSec Setup
Index #= 1
Name= test
Active= Yes
Keep Alive= No Nat Traversal= Yes
Local ID type= IP
Content=
My IP Addr= 213.xxx.xxx.xxx
Peer ID type= IP
Content= 0.0.0.0
Secure Gateway Address= 0.0.0.0
Protocol= 0
Local: Addr Type= RANGE
IP Addr Start= 192.168.3.1
End/Subnet Mask= 192.168.3.99
Port Start= 0
End= N/A
Remote: Addr Type= N/A
IP Addr Start= N/A
End/Subnet Mask= N/A
Port Start= N/A
End= N/A
Enable Replay Detection= No
Key Management= IKE
Edit Key Management Setup= No
------------------------------------------------------------------------
Menu 27.1.1.1 - IKE Setup
Phase 1
Negotiation Mode= Main
PSK= keykeykey
Encryption Algorithm= DES
Authentication Algorithm= MD5
SA Life Time (Seconds)= 28800
Key Group= DH1
Phase 2
Active Protocol= ESP
Encryption Algorithm= DES
Authentication Algorithm= SHA1
SA Life Time (Seconds)= 28800
Encapsulation= Tunnel
Perfect Forward Secrecy (PFS)= None
-----------------------------------------------------------------this is what i want to achieve
static ip on wan
DHCP on wan
Officenetwork--officerouterNAT--internet--airportexpressNAT--
Re: from scratch
by cnadig on 2004-10-07 08:32:04 +0200
Hello,
I'd propose the following to start with for IPSecuritas' configuration:
General:
Host to Network mode
Remote IPSec device: 213.xxx.xxx.xxx (the public IP address of the Zyxel
10)
Remote Network: 192.168.3.0/24
Local Address: Leave empty
Exchange Mode: Main
Propopsal Check: Obey
Nonce Size: 16
Phase 1:
Lifetime: 28800
Encryption: DES
Authentication: MD5
Phase 2:
Lifetime 28800
PFS Group: None
Encryption: Enable DES, disable all others
Authentication: Enable HMAC SHA1, disable all others
Id/Auth:
Local Identifier: Address
Authentication: Preshared key, enter keykeykey (and change this once
everything is working :-) )
Options: Leave all on defaults.
From experience I know that Zyxel is very picky about the network mask
settings - it might be necessary to change the remote addr type to subnet
with a netmask of 24.
Please make sure to increas IPSecuritas' log level and post the log output if
it is not working.
CAUTION: Please remove any confidential information like your public IP
address! And change the preshared key before posting the log!
Cheers,
Christoph
Trying to set up IPSec between two Macs
Trying to set up IPSec between two Macs
by Lee Kilpatrick on 2004-10-05 03:55:48 +0200
I want to use IPSecuritas in the "host to anywhere" mode so I can have
encrypted traffic when I am using a public WiFi network. I do not have a
VPN gateway product, but would like ot use another Mac as the secure
endpoint at my house. The documentation is not clear on how you set up
this configuration, and I am trying to set up simple configurations just to
see if I can get it working (since debugging it remotely from a coffee shop
would be pretty difficult).
I don't have a lot of equipment to test with, so I am trying to create a tunnel
between two Macs on the same ethernet. Is this possible, or will there be
routing/interface problems? Do I need another network interface on both
machines in order to have a private address to try and access over the
tunnel? I set up both with another interface -- one with an Airport, and one
with an IP over Firewire.
How should I set up IPsecuritas? From reading the online documentation, I
have gathered that I should set up the server as "network to network", and
my laptop as "host to anywhere". Is this correct?
The two machines are connected to an ethernet through the hub/router
which is a linksys BEFR41. I have set the router to "IPSec pass through". In
general, I'm not even sure that that setting has any effect if you are
communicating through two LAN ports on it.
When I start IPSec on both machine, the chekmark never becomes green,
but stays as a red "X". In the IPSecuritas log, I get this on one machine (the
"client"):
Oct 4 20:54:47 Scarlet IPSecuritas: Oct 4 20:54:47 Scarlet IPSecuritas:
Parsing configurationParsing configuration
Setting up racoon.confSetting up racoon.conf
Oct 4 20:54:48 Scarlet IPSecuritas:
Starting racoon...Starting racoon...
Setting up psk.txt
Parsing configuration done
Setting up psk.txt
Racoon is runningRacoon is running
Oct 4 20:54:49 Scarlet IPSecuritas: Oct 4 20:54:49 Scarlet IPSecuritas: Set
kernel keys
I then tried to ping the private address on the other machine (the server)
and got no response. After a while, the log showed:
Oct 4 20:55:37 Scarlet racoon: ERROR:
isakmp.c:2045:isakmp_chkph1there(): phase
2 negotiation failed due to time up waiting for phase1. ESP
10.0.0.4->10.0.0.100
Re: Trying to set up IPSec between two Macs
by cnadig on 2004-10-07 08:16:44 +0200
Hello Lee,
I'd try the following:
Client Side: Host to anywhere is fine, other settings on their default values
Server Side: Use Host to Host (Tunnel), with the local IP address of the
Ethernet interface and the laptop's IP as remote IP.
Please also set the passive option on the server side.
Then first start the server side IPSec, once it says running, you can start the
client (laptop) IPSec.
Please increase the log level in IPSecuritas beforehand (in Preferences) to
'Verbose debug' - the log output then contains much more information.
If you want to access other machines (or the internet) through the server
Mac, you will need a second interface on that machine (although you
probably can get around with aliased interfaces, but I would need to figure
this out first - let me know if you need it).
Cheers,
Christoph
zywall 10II
zywall 10II
by andrew on 2004-10-10 03:17:20 +0200
Hi,
Wondering if anyone has a setup for IPSecuritas for a ZyWall 10II with
something flexible enough on various locations? I connect often from
behind a school firewall (cisco pix) but with real ips and sometimes from
locations behind a standard RFC1918 (adsl router - no control over it) and
othertimes on the road from a dialup ip..
My internal LAN is 192.168.1.0/24
Thanks.
FVS318 now working, but no Network Browsing
FVS318 now working, but no Network Browsing
by Greg on 2004-10-21 20:53:10 +0200
So after playing with it all day I finally bagged the VPN tracker settings I was
trying to get into the IP Securitas, and instead used the VPN Wizard that is
available in newer firmware versions of the FVS318. At the end, it offered
the proper settings to put into the VPN client... once those were inputed...
away it went no problems connected rightup.
One setting it had added was the Enable NetBios for network browsing... I
couldn't find a setting in IPSecuritas however to allow me to enable network
browsing... does anyone know how I can enable that. As I'd like to be able
to browse the network rather then needing to go in and find each IP
address and type it in manually. And this will make printing and using
some other network functions alot easier....
Thanks in advance..
Greg
Re: FVS318 now working, but no Network Browsing
by AaronA1975 on 2004-10-21 22:01:03 +0200
NetBIOS is a non-routable protocol that Windows uses for file and print
sharing, and it usually transmits data via broadcasts. The checkbox allows
NetBIOS broadcasts to be sent over the VPN connection. If you're using
Windows, this setting is convenience, but since NetBIOS tends to be a chatty
protocol, some people would rather not have that traffic sent over the WAN.
Checking that box means nothing to your Mac because it does not use
NetBIOS. Macs use SLP (Service Location Protocol) to discover network
services, which can be enabled in the Directory Access app.
If you're unable to browse the network you're connected to via VPN, the
NetBIOS checkbox is not your problem.
by Greg on 2004-10-21 22:16:02 +0200
Thanks for the info.... so I've gone and looked the SLP is turned on in
direcoty access, any ideas on how to make sure that the VPN tunnel is
allowing it. Or is that even possible to browse a Mac Network via a VPN
using SLP or any other method for that matter?
Thanks,
Greg
by AaronA1975 on 2004-10-22 23:08:14 +0200
It's entirely possible to browse a Mac network over your VPN connection - I
do it with mine all the time. There should be no reason why your firewall
would disallow SLP unless you've somehow expressly instructed it to.
by GaryS on 2004-11-01 23:18:03 +0100
I have the same router and have the same experience... I'm unable to
browse the office network remotely, yet SLP is enabled and I'm running the
latest version of IPSecuritas and the NetGear firmware for the router.
Aargh...
Connecting to Linksys 10/100 8port router
Connecting to Linksys 10/100 8port router
by oolong on 2004-10-23 04:24:30 +0200
Hi everyone I'm attempting to connect to this Linksys 10/100 8-port VPN router via
IPSecurita (no VPN router on my side). So far, it doesn't work and I haven't
found anybody talk about this combination either.
If you happen to have this connection established, please share the config
on both Linksys and IPSecurita.
My current IPSecurita log goes on and on for a while, but here are the
highlights:
(At early stage it says...)
IPSecuritas: Racoon is running
IPSecuritas: Set kernel keys
route: writing to routing socket: File exists
add net 172.137.2.0: gateway gif0: File exists
racoon: DEBUG2: cfparse.y:1365:cfparse(): parse successed.
(Towards the end it says...)
racoon: DEBUG: grabmyaddr.c:454:update_myaddrs(): caught rtm:2, need
update interface address list
racoon: DEBUG: grabmyaddr.c:448:update_myaddrs(): msg 1 not interesting
And then it eventually shuts down after not finding phase1 nor 2.
As I have no idea at this point, I appreciate any help!! Thank you.
Autostart
Autostart
by Rich Eaton on 2004-10-26 16:37:11 +0200
OS X.3.5 IPsecuritas autostart does not appear to work on boot up. Once
manually started it works fine.
Re: Autostart
by Rich on 2004-10-29 12:37:32 +0200
I should add, it does autostart but the connection fails. Starting by hand
after login works fine. Using Airport to conect to IPsec device. Is this an OS
X startup problem ?
FQDN in phase 2
FQDN in phase 2
by Daniel Cini on 2004-10-29 11:52:36 +0200
Hi,
I currently have a host to network configuration. My remote IPSec device
expects the phase 2 proposal to contain my FQDN instead of the IP address.
Is it possible to configure IPSecuritas to do so?
Also, does IPSecuritas support NAT traversal?
Thanks in advance for any help,
Daniel Cini
Re: FQDN in phase 2
by GaryS on 2004-11-01 23:27:36 +0100
I do this for my office connections... simply select the "DN" radio button in
the ID/auth tab (instead of the "Address" button), and enter your FQDN in
the blank field.
Unstable VPN Connection to FVS318
Unstable VPN Connection to FVS318
by GaryS on 2004-11-01 23:24:18 +0100
I recently upgraded to the latest firmware for the NetGear FVS318 (v.2.4) in
the hopes that I would be able to browse my office network, but to no avail.
Anyways, since the upgrade, the router runs much better... except for my
VPN connections using IPSecuritas. IPSec starts successfully, and my
connection shows the little green arrow. But, whereas I used to be able to
mount any office Mac quickly, now the mounting times out regularly, and
even a Mac that I've mounted doesn't respond properly all the time.
The log shows the following:
Nov 1 13:53:49 THUNDERDOME IPSecuritas: Parsing configuration
Nov 1 13:53:49 THUNDERDOME IPSecuritas: Setting up racoon.conf
Nov 1 13:53:49 THUNDERDOME IPSecuritas: Setting up setkey.conf
Nov 1 13:53:50 THUNDERDOME IPSecuritas: Setting up psk.txt
Nov 1 13:53:50 THUNDERDOME IPSecuritas: Setting up tunnel.conf
Nov 1 13:53:50 THUNDERDOME IPSecuritas: Parsing configuration done
Nov 1 13:53:51 THUNDERDOME IPSecuritas: Starting racoon...
Nov 1 13:53:51 THUNDERDOME IPSecuritas: Racoon is running
Nov 1 13:53:51 THUNDERDOME IPSecuritas: Set kernel keys
Nov 1 13:53:54 THUNDERDOME racoon: ERROR:
proposal.c:490:cmpsatrns(): trns_id mismatched: my:2 peer:3
Nov 1 13:55:34 THUNDERDOME IPSecuritas: Flushing kernel keys
Nov 1 13:55:34 THUNDERDOME IPSecuritas: Stopping racoon...
Nov 1 13:55:35 THUNDERDOME IPSecuritas: Racoon normally terminated
My settings on the router are identical now as how they were prior to the
upgrade, and I don't understand the "trns_id mismatched" error in the log.
Any help would be appreciated. BTW, I'm running OSX 10.3.5.
VPN with dynamic IP on both sides?
VPN with dynamic IP on both sides?
by mandarax on 2004-11-02 15:12:10 +0100
I'm trying to figure out, wether it is possible to connect to networks or even
Macs, both connected to the internet via DSL. Both sides receive dynamic IP
adresses when logging in.
Is it possible to use a domain name offered by a service like DynDNS
instead of a known IP adress in the "General Settings" section when setting
up a new connection?
Any help appreciated.
Thanks, Hans
Re: VPN with dynamic IP on both sides?
by cnadig on 2004-11-03 07:24:12 +0100
Hello Hans,
you can enter a hostname into the remote IPSec device field. The hostname
is then translated into an IP address every time you start IPSec.
Christoph
Netgear FVS328
Netgear FVS328
by sgljungholm on 2004-11-04 14:58:15 +0100
I have set up the Netgear box and tested with other clients that seem to
work. When I try IPSecuritas I get a message that says
EROOR:isakmp_inf.c:848:isakmp_info_recv_n():unknown notify message, no
Any ideas?
Thanks
Re: Netgear FVS328
by cnadig on 2004-11-07 01:46:59 +0100
Hello sgljungholm,
please find a working example setup at [url]http://www.lobotomo.com
/products/IPSecuritas/howtoUpdates.html[/url]
Cheers,
Christoph
Re: Netgear FVS328
I have gotten this working to a point. I now am connected but I cannot see
any of the computers on the remote network. I noticed this in the logs. Any
idea?
Dec 26 07:54:40 Svens-Computer racoon: NOTIFY:
isakmp.c:267:isakmp_handler(): the packet is retransmitted by
138.88.162.101[500].
Dec 26 07:54:53 Svens-Computer racoon: DEBUG:
Dec 26 07:57:25 Svens-Computer racoon: INFO:
isakmp.c:1785:isakmp_ph1expire(): ISAKMP-SA expired
192.168.168.102[500]-138.88.162.101[500]
spi:25c51c4f8287898b:25b94c4b38c99f17
isakmp.c:1785:isakmp_ph1expire(): ISAKMP-SA expired
192.168.168.102[500]-138.88.162.101[500]
spi:25c51c4f8287898b:25b94c4b38c99f17
isakmp.c:1833:isakmp_ph1delete(): ISAKMP-SA deleted
192.168.168.102[500]-138.88.162.101[500]
spi:25c51c4f8287898b:25b94c4b38c99f17
isakmp.c:1833:isakmp_ph1delete(): ISAKMP-SA deleted
192.168.168.102[500]-138.88.162.101[500]
spi:25c51c4f8287898b:25b94c4b38c99f17
Re: Netgear FVS328
This is still not working. I am now testing with another unit and I still can't
make it work. Can anyone help. I set the VPN as the site suggested but
nothing.
Watchguard Firebox X15 Edge
Watchguard Firebox X15 Edge
by Raggamax on 2004-11-04 16:46:51 +0100
Hi Everyone...
i am using IPSecuritas on my Mac to connect to a Watchguard Firebox X15
Edge without any success. I tried different settings but i always get the
following Error: isakmp.c:2045:isakmp_chkph1there(): phase 2 negotiation
failed due to time up waiting for phase 1.
Can anyone help me with that? Any idea what goes wrong?
I am wondering if i have to change the settings on my box or on the client.
From a PC with installed MUVPN-Client (Provided by watchguard) everything
goes just fine. I can connect via VPN to the remote Network without any
problem.
Thank you in advance for your help...
Re: Watchguard Firebox X15 Edge
by swamphopper on 2005-01-28 05:14:11 +0100
I seem to have the same problem. Using VPN Tracker, I've got a VPN
between my Mac and Firebox X1000, but IPSecuritas doesn't work. Can
anyone suggest a solution? Thanks.
Automatically dial VPN ?
Automatically dial VPN ?
by bwinter on 2004-11-05 12:29:32 +0100
Hi - I have a user who I need to have to the IPSecuritas VPN automatically
dial, say upon login. I have added IPSecuritas to the startup items in the
users account settings. I would like to be able to have it all happen
automatically.
Also, is there anyway to have a dial up connection dial an internet
connection automatically before the VPN connection is attempted ??????
Thanks
New Sample Configurations Available
New Sample Configurations Available
by cnadig on 2004-11-07 01:44:46 +0100
Hello,
please find sample configurations for Netgear FVS328, Netpilot VPN and
Linksys BEFSX41 at [url]http://www.lobotomo.com/products/IPSecuritas
/howtoUpdates.html[/url]
Cheers,
Christoph
router and ipsecuritas
router and ipsecuritas
by Fabrice on 2004-11-13 00:23:37 +0100
Hi,
I need your help again. I'm using IPSecuritas on my powerbook to connect
via ADSL to my professionnal network (so "Host to network") with success.
I've just received my freebox, an ADSL modem with NAT properties.
No way to connect to my network. The ckeck comes finally green, but I can't
ping my network.
I've hard fixed my local IP in my local network.
I use the following IP forwarding :
Port: 2746 - Protocole: tcp - Destination: 192.168.0.1 - Port: 2746
Port: 2746 - Protocole: udp - Destination: 192.168.0.1 - Port: 2746
Is that correct ? Should I use or not IP DMZ option ?
I've tried to modify IPSecuritas with "Network to network", with :
Remote Network : 172.23.0.0 / 16 (the network mask is 255.255.0.0)
Local network : 192.168.0.0 / 24 (the network mask is 255.255.255.0)
But it's not better.
Thanks in advance
Fabrice
Re: router and ipsecuritas
by cnadig on 2004-11-14 00:04:24 +0100
Hello Fabrice,
do you know the manufacturere and model of the router?
Some router require to enable IPSec passthrough explicitely or
don't allow IPSec with NAT.
also, as it seems that the tunnel can be established successfully,
a dump from tcpdump could be useful (tcpdump -i en0 for
Ethernet or tcpdump -i en1 for Airport).
Cheers,
Christoph
by Fabrice on 2004-11-14 14:51:00 +0100
Fabrice,
do you know the manufacturere and model of the router?
Some router require to enable IPSec passthrough explicitely or
don't allow IPSec with NAT.
also, as it seems that the tunnel can be established successfully,
a dump from tcpdump could be useful (tcpdump -i en0 for
Ethernet or tcpdump -i en1 for Airport).
Cheers,
Christoph[/quote]
Thanks for your response. I'm waiting for more informations on the
freebox, but it's a specific modem of my provider (Free). Some people say
i't's pass-through, some other not. A person said just me "option priority
must be on "legacy" and not on "normal" to not cut udp packets, but I don't
find this option in IPSecuritas.
I've juste seen the "DHCP Pass-through" option in IPSecuritas ; should I
check it ?
For more informations, I give a link to a picture of the on-line web page
given by my provider to modify the NAT table :
http://kerlienes.free.fr/freebox.jpg
About tcpdump, can you please explain me ? I don't undersand at all, sorry.
Thanks a lot in advance.
Fabrice
by akerem on 2005-01-09 12:38:10 +0100
Hi,
If you use CheckPoint firewall remotely, you should make sure that its vpn
domain includes the ip addresses you are trying to connect. (The
172.23.0.0/16 block) That may be the problem.
Nortel and local bind issue
Nortel and local bind issue
by djb on 2004-11-13 06:54:54 +0100
hi,
I am attempting to connect to a Nortel Contivity but can barely start the
connection when the log spits this out :
Nov 13 00:23:03 JDAB IPSecuritas: Racoon is running
Nov 13 00:23:03 JDAB IPSecuritas: Set kernel keys
Nov 13 00:23:03 JDAB racoon: ERROR:
isakmp.c:1532:isakmp_setup_socket(): failed to bind (Address already in
use).
Nov 13 00:23:03 JDAB racoon: ERROR:
isakmp.c:1532:isakmp_setup_socket(): failed to bind (Address already in
use).
Nov 13 00:23:03 JDAB racoon: ERROR: isakmp.c:1616:isakmp_open(): no
address could be bound.
Nov 13 00:23:03 JDAB racoon: ERROR: isakmp.c:1616:isakmp_open(): no
lsof says that the other process holding the isakml port is something called
INM.
any thoughts or fixes? I cannot kill teh inm proc for some reason.
thanks
derek
Re: Nortel and local bind issue
by cnadig on 2004-11-14 00:05:49 +0100
Hi Derek,
do you have any more information on this process - I did a Google
search but could not find anything.
What happens if you create another user and log in as him - is the process
still running?
Christoph
by djb on 2004-11-15 05:20:19 +0100
this is the result of
root
363 0.0 0.1
ps -aux | grep inm
28068
296 ?? S
10:21PM 0:00.20 inm -p9165
the proc is run at startup ...
thanks
derek
by Grant McChesney on 2006-03-01 23:08:26 +0100
Do you by chance have the Netlock Contivity VPN Client from Apani
installed? I do, and I get the same error. In fact, I get this error when I load
the Netlock VPN after installing Securitas:
Connection to the switch dropped due to an IKE/ISAKMP Error.
This is probably the cause of the error. Trying uninstalling the Netlock vpn
client.
Classic Applications (Outlook2001) over VPN
Classic Applications (Outlook2001) over VPN
by alhinds on 2004-11-16 20:20:49 +0100
Does anyone know if IPSecuritas will support applications running in Classic
environment (under OSX) over IPSec VPN?
Main use required is Outlook2001 (as Entourage just doesn't seem to be up
to scratch yet).
Thanks...
network to network
network to network
by Fabrice on 2004-11-17 11:43:08 +0100
Hello everybody,
Does anyone use the protocol "network to network" ? In that case, thanks
in advance to give me the configuration for ipsecuritas.
Should I modify anything on the server side (I use Checkpoint firewall) ?
Thanks a lot
Fabrice
Can't assign requested Address (Ipsecuritas 2.06)
Can't assign requested Address (Ipsecuritas 2.06)
by AndreasF on 2004-11-25 10:02:49 +0100
Hello!
I am trying to connect to my office. But I keep getting this message in the
log. I have used the same configuration before (and it worked). Does
anybody understand what could be the possible error?
"Log output from IPSecuritas 2.0.6
Nov 25 09:08:19 Andreas-Fredrikssons-dator IPSecuritas: Parsing
configuration
Nov 25 09:08:19 Andreas-Fredrikssons-dator IPSecuritas: Setting up
racoon.conf
setkey.conf
psk.txt
tunnel.conf
Nov 25 09:08:19 Andreas-Fredrikssons-dator IPSecuritas: Parsing
configuration done
Nov 25 09:08:20 Andreas-Fredrikssons-dator IPSecuritas: Starting racoon...
Nov 25 09:08:20 Andreas-Fredrikssons-dator IPSecuritas: Racoon is
running
Nov 25 09:08:20 Andreas-Fredrikssons-dator IPSecuritas: Set kernel keys
The result of line 7: File exists.
[b]ifconfig: SIOCSIFPHYADDR: Can't assign requested address
ifconfig: interface gif2 does not exist[/b]
delete net 192.168.100.0
route: writing to routing socket: No such process
delete net 192.168.100.0: not in table
ifconfig: interface gif2 does not exist
Nov 25 09:08:21 Andreas-Fredrikssons-dator IPSecuritas: Could not delete
tunnel gif2 192.168.1.1 192.168.100.0/24
ifconfig: interface gif2 does not exist
Nov 25 09:08:21 Andreas-Fredrikssons-dator IPSecuritas: Could not delete
gif2
Nov 25 09:08:21 Andreas-Fredrikssons-dator IPSecuritas: Stopping
racoon...
Nov 25 09:08:22 Andreas-Fredrikssons-dator IPSecuritas: Racoon normally
terminated
Nov 25 09:08:22 Andreas-Fredrikssons-dator IPSecuritas: Flushing kernel
keys
Log output from IPSecuritas 2.0.6"
Regards Andreas
IPSEcuritas and zywall1
IPSEcuritas and zywall1
by gbuma on 2004-11-25 15:45:34 +0100
Hello, I am trying to create a connection between a distant laptop (dynamic
IP) and the office firewall (dynamic ip, can be found with dyndns.org).
I keep on getting the "couldn't find the pskey for OFFICE_IP " error.
Auth is done with email for local and remote. Using pre-shared key.
On ipsecuritas, mode is "host to network".
Sonicwall Pro 230
Sonicwall Pro 230
by Jim Collis on 2004-11-28 00:41:28 +0100
Has anybody successfully gotten IPSecuritas running on OSX 0.3.6 to work
with a Sonicwall Pro 230? If so, can you provide complete configuration
info?
Verified working with IpCop
Verified working with IpCop
by gloin on 2004-11-30 22:16:13 +0100
Am short on time, but will create a sample configuration page on my blog
as soon as I can. Just so you know, it works both with certificate and PSK.
Sorry for the tease...
Re: Verified working with IpCop
by gloin on 2004-12-14 21:05:16 +0100
Well, that took way too long, but I had some things come up at home here
that really needed my attention. Here's the link (which will hopefully
change if some Benificient Admin deigns to relieve my burgeoning
bandwidth bill by mirroring the sample configurations:
http://www.taupehat.com/vpn/
Enjoy!
by Rob D on 2005-03-25 20:19:30 +0100
[quote author=gloin link=1101849373/0#1 date=1103054716]Well, that
took way too long, but I had some things come up at home here that really
needed my attention. Here's the link (which will hopefully change if some
Benificient Admin deigns to relieve my burgeoning bandwidth bill by
mirroring the sample configurations:
Enjoy![/quote]
Hi gloin / all
I've been unable to connect to IPCOP 1.4.2 from my 10.3.8 iBook. My log
file is below. Any ideas?
Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Parsing configuration
Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up racoon.conf
Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up setkey.conf
Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up psk.txt
Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up tunnel.conf
Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up resolv.conf
done
Mar 25 19:08:25 Rob-Dykes-Computer IPSecuritas: Starting racoon...
Mar 25 19:08:26 Rob-Dykes-Computer IPSecuritas: Racoon is running
Mar 25 19:08:26 Rob-Dykes-Computer IPSecuritas: Set kernel keys
line 3: Unknown error at [192.168.0.0]
Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR:
sockmisc.c:738:str2saddr(): getaddrinfo(80.46.98.226,500): resolved to
multiple address, taking the first one
by gloin on 2005-03-26 19:58:49 +0100
Not entirely sure, but it does look like someone's multihoming. You
probably want to start with the simplest case possible and then add in extra
interfaces once things are working.
by Rob - D on 2005-03-28 23:30:24 +0200
[quote author=gloin link=1101849373/0#3 date=1111863529]Not entirely
sure, but it does look like someone's multihoming. You probably want to
start with the simplest case possible and then add in extra interfaces once
things are working.[/quote]
Gloin...
someone = who?
my local iBoook is not multihomed...only interface UP and with IP is WLAN.
WLAN is connected to AP routing to INTERNET to remote/IPCOP f/w.
I can understand why you are saying that though... the 'resolved to multiple
address' in the log file made me think something similar...
Yet...
I get all the way to phase 2 authentication. And then I am unable to make
phase 2. It would seem that
is the crucial part of the problem.....
by robd on 2005-03-29 22:48:39 +0200
Some further testing.
Right. I've verified that all is working on the IPCOP side as I have
successfully setup a net-to-net VPN connection to the IPCOP.
Gotta work out whats going on on the client side for my host-to-net
roadwarrior connection.
FreeS/WAN (X.509) connection fails
FreeS/WAN (X.509) connection fails
by petschni on 2004-12-02 09:32:40 +0100
Hello,
i am trying to access the network in my university but unfortunatley i get an
error (see end of the message).
The Gateway runs on a Debian/LINUX and IPSec is implemented with
Openswan. The Data Connection is secured with ESP (Encapsulated Security
Payload RFC 2406). In Openswan is the 3DES Encryption used.
Authentification works with X.509-Certificates.
I got it to work in VPN Tracker but in IPSecurtitas I get the error when i trys
to connect.
I don't know if it is of any interest, but if you start VPN Tracker and
IPSecurtitas at the same time and establish the connection with VPN Tracker
the button in IPSecurtitas turns green also, but if IPSecurtitas has to do it on
its own it stays red.
Do you got any idea what I can do?
greetings and thanks
peter
Dec 2 09:02:43 wlanbzw25 IPSecuritas: Parsing configuration
Dec 2 09:02:43 wlanbzw25 IPSecuritas: Setting up racoon.conf
Dec 2 09:02:43 wlanbzw25 IPSecuritas: Setting up setkey.conf
Dec 2 09:02:43 wlanbzw25 IPSecuritas: Setting up psk.txt
Dec 2 09:02:43 wlanbzw25 IPSecuritas: Setting up tunnel.conf
Dec 2 09:02:43 wlanbzw25 IPSecuritas: Parsing configuration done
Dec 2 09:02:44 wlanbzw25 IPSecuritas: Starting racoon...
Dec 2 09:02:44 wlanbzw25 IPSecuritas: Racoon is running
Dec 2 09:02:44 wlanbzw25 IPSecuritas: Set kernel keys
Dec 2 09:03:26 wlanbzw25 racoon: ERROR:
Dec 2 09:03:26 wlanbzw25 racoon: ERROR:
Sidewinder
Sidewinder
by Chris Coyne on 2004-12-02 21:42:41 +0100
Hi
Has anyone set up ipsecuritas to work with Sidewinder G2?? I am very
confused as to how to do this. Any help would be great!
Thanks
Chris
Re: Sidewinder
by Chris Creighton on 2005-03-08 19:14:12 +0100
Yes, it's pretty easy. They now have an unsupported document
explaining how to do this. Contact Secure Computing.
However I am having a problem with the Mac in this regard, not
the IPSEC configuration that is stopping my Mac from beginning
the negotiation. I think the problem is what IPSecuritas is doing
to set up the IPSEC connection, but since the error messages are
vague to say the least, I can't tell what the problem is.
See my other post.
I have connected to the Sidewinder using FQDN, and fixed IP, both
with shared secrets. I have not yet got the certificates to work, but
I was working with 5.2.1.10, not 6.1, which may generate the
files in the format that IPSecuritas will accept, i.e. *.pem format.
Good luck ... Chris
VPN to Sonicwall TZ-170
VPN to Sonicwall TZ-170
by Doug Smart on 2004-12-13 22:51:05 +0100
Can ipsecuritas be used to create a VPN connection to a sonicwall tz170
using domain authentication? I have a group VPN policy set up that grants
Access using a pre shared secret and the domain log in credentials. I have
not found anything about passing domain user and password credentials In
the ipsecuritas online help or in the forum which is why I am submitting a
new topic.
I have a few home a Mac users (including myself) and I think you would be
great for them to be able to connect using ipsecuritas. I have the ability to
create new SA’s, so if I can’t use domain authentication I can use just about
any method That works.
Thanks.
Doug
connecting to Fortinet VPN: "invalid ex
connecting to Fortinet VPN: "invalid ex
by Michael Hanisch on 2004-12-22 23:55:58 +0100
Hi everyone,
I'm out of luck trying to connect my Mac to a VPN (host to network setup).
The remote endpoint is a Fortinet 200 firewall w/ VPN.
The log contains lots of debug messages, but also some errors, the first
being:
Dec 22 23:51:20 Vigor11 racoon: DEBUG: plog.c:199:plogdump():
7025a13e a4e13035 6fe41458 7991664e 08100601 ebfef208 0000004c
c7fcbfb8 5681de4a f247e6e3 6c5f2990 685b48bc aa605eb6 c55a8fd4
a325ac70 7613fc0d d1dad56d 53f688e5 d6050555
Dec 22 23:51:20 Vigor11 racoon: ERROR: isakmp.c:759:isakmp_main():
Invalid exchange type 6 from X.X.X.X[500].
Dec 22 23:51:23 Vigor11 racoon: DEBUG: sockmisc.c:421:sendfromto():
sockname 192.168.11.11[500]
These error messages are repeated multiple times.
Can anyone shed some light on this? I can adapt the firewall's config if
necessary, but at the moment I don't have any idea where to start...
I can provide more info if necessary.
Startup - IPsec failed
Startup - IPsec failed
by taniwha on 2004-12-29 05:33:15 +0100
Apple Mac.
When trying to establish the VPN I get the error message "Startup IPsec
failed" instantly.
Any ideas anyone.
Re: Startup - IPsec failed
by sdls on 2004-12-30 21:01:00 +0100
I had the same problem
I'm still testing, but i ran it as root and it got passed the ipsec failed
try it as root
SDLS :)
Netscreen Xauth
Netscreen Xauth
by XAuth on 2005-01-07 21:31:19 +0100
Will IPSECURITAS support the authentication method Xauth or is that a
Netscreen proprietary standard?
Thanks!
Re: Netscreen Xauth
by tji on 2005-06-08 23:17:32 +0200
Xauth is not a Netscreen proprietary thing.. it was on the standards track,
with a draft RFC. But, I don't think it was ever ratified (though I don't
know for sure).
While there are Xauth patches available for KAME / racoon, I don't think
Apple has integrated that support into the Apple code. So, as far as I
know, you cannot use Xauth with MacOS today.
Also, I am not sure if one could get Xauth support by just updating the
racoon binary in MacOS, or if the IPSec support in the kernel needs to be
updated. If only racoon needs updating, it could be pretty easy.
MacOS can be made to work with netscreen, via standard pre-shared keys.
But, the config is a lot more convoluted than the Xauth config. equinux /
VPN Tracker has a good dock on configuring Netscreen to work with their
client config software.
Re: Netscreen Xauth
by tji on 2005-07-08 19:55:21 +0200
I tried Xauth with a Netscreen gateway using the "VPN Tracker" demo, and I
was able to connect. "VPN Tracker" is not free, but if you need Xauth, it's
the only game going right now.
I have a sample config for CheckPoint
I have a sample config for CheckPoint
by akerem on 2005-01-09 11:23:00 +0100
Hi people,
I have at last configured my Checkpoint NG R55 and my Powerbook with
IPSecuritas 2.0.6 with certificates. The VPN connection works perfectly.
I saw that, in the online help of IPSecuritas, using certificates is missing
(and the online help says that it should be updated) so I would like to be
the one who updates it. Also in the online help, there are some problems
with certificate importing, so I would also like to correct those.
Can somebody send me instructions about how to do this? So I can be some
help to people ;D
Cheers,
Kerem
Re: I have a sample config for CheckPoint
by Don on 2005-02-11 06:13:48 +0100
Could you please provide a sample of your configuration as well as the
process you went through to get it to work. For example did you need to
make any changes to the CheckPoint side to get things working or was it
just a case of getting all the IPSecuritas settings right?
I've worked through all the settings with the CheckPoint firewall manager
but have been unable to get things to work. I still don't know how to set the
"Proposal Check" in the general tab or the "Local Identifier" or "Remote
Identifier" in the Identification section of the ID/Auth tab.
Any help would be appreciated.
Thanks . . . Don
Symantec Security Gateway with IPsecuritas
Symantec Security Gateway with IPsecuritas
by matteth on 2005-01-13 10:27:47 +0100
Has anyone been able to use IPSecuritas for VPN with the Symantec 360R,
or any other in the 300-series firewalls?
Thanks! /Mats
Re: Symantec Security Gateway with IPsecuritas
by Chris Liddle on 2005-02-19 02:13:33 +0100
I have the same issue; IPSecuritas <--> Symantec 360R - ? if anyone has
this working.
by R Teller on 2005-08-16 19:35:24 +0200
Here is a symantec article on how to set up a 200 series device using
vaporsec. I spoke with symantec and they said a few helpful things such as
the username should be formatted as an email address and you should
have firmware build 922 before starting. Here's the article
http://service1.symantec.com/SUPPORT/ent-gate.nsf
/6c5cd071f100c71888256ccd0050d548
/3bc9eaa31908580888256e3e004a1d6c?OpenDocument&src=bar_sch_nam
As an alternative you may visit http://www.symantec.com/search and type
in the following document number 2004021808393554
I will be trying some of the "procedure" today, although from the look of it,
they are not alike, lots of digging.
by RT on 2005-08-30 22:37:17 +0200
Tried the Procedure listed on the site and adjusted for differences, but it
will not connect, this are the log entries I get when connecting to the
firewall
<--- Log Begin---!>
[DATE TIME] Connection name - Responding to Aggressive
Mode from
Remote Peer *CLIENT IP ADDRESS*
[DATE TIME] Connection name - ERR:preshared secret disappeared!
[DATE TIME] Connection name - STATE_AGGR_R1:
AUTHENTICATION_FAILED
[DATE TIME] Connection name - state transition function for
STATE_AGGR_R0 failed: AUTHENTICATION_FAILED
[DATE TIME] Connection name - Sending ISAKMP OAK INFO (Notification IKE
SA)
[DATE TIME] Connection name - Terminating connection
[DATE TIME] Connection name - Terminating connection
<---End Log---!>
Am I missing something? I need some assistance on this please.
Thank you
by RT on 2005-09-20 22:11:52 +0200
Has anyone had any luck with this, Symantec is most definitely less than
helpful.
360 R from tiger, supposedly it worked with vaporware on panther
by RT on 2005-09-26 17:41:55 +0200
Finally broke down and called symantec tech support, wasn't able to get it
to work, they finally got to the point where they said "sorry, can't help you"
. So, if anyone has any idea how to make this work, It keeps saying the
preshared secret has dissapeared in the device log file, and have been able
to connect using Symantec's client, please let me know. Thank you.
by ron on 2005-10-10 23:35:12 +0200
use mac ids for this
by jc on 2006-01-29 23:26:09 +0100
Document ID:2005021009270354
by pmossip on 2006-03-16 17:05:20 +0100
The Symantec 200R standard firmware only supports the "keyid" type of
client identifier.
The Documents on symantec's website where it worked with VAPORSEC
were a private 1.7I firmware build where they supported user_fqdn. This
user_fqdn support was never added to the regular released firmware
updates that are generally available. Currently 1.8F.
I have been able to use IPSecuritas to create a skeleton racoon config &
then manually switch to using "keyid".
-Paul Mossip
Certificate Manager
Certificate Manager
by Jose on 2005-01-16 04:47:47 +0100
Could any one tell me where is the Certificate Manager. I need to import a
watchguard certificate but can't find that manager.
Thanks for all your help
Re: Certificate Manager
by akerem on 2005-02-02 16:54:56 +0100
You can open Certificate Manager from File > Open Certificates Manager
Source code
Source code
by Leif Larsson on 2005-02-02 20:21:22 +0100
Hi,
Out of curiosity, is the source code available for IPSecuritas ?
Cheers,
/Leif
Re: Source code
by cnadig on 2005-02-10 22:43:27 +0100
It's not... :)
Re: Source code
by Ty on 2005-05-06 18:12:42 +0200
If I wanted to help donate features that I wanted (in terms of coding them
myself), can I arrange to get the source and do some work on it? I am not
interested in releasing the product, but I would like some features and I
would be willing to code them myself and then hand them back to you for
the next release.
Insert pauses, alternate proxy port, and l2tpd.
Insert pauses, alternate proxy port, and l2tpd.
by sj7trunks on 2005-02-03 23:22:51 +0100
Hi there,
Going through the configs and getting an understanding of whats going on,
I see a couple things that work on a Linux machine and not on the OS X.
cat ipsecuritas_setkey.conf
flush;
spdflush;
spdadd 1.1.1.1/32 2.2.2.2/32 any -P in ipsec esp/transport
/1.1.1.1-2.2.2.2/require;
spdadd 2.2.2.2/32 1.1.1.1/32 any -P out ipsec esp/transport
/2.2.2.2-1.1.1.1/require;
I set the proxy port on the Linux box to [1701] and the connection works
fine.
spdadd 1.1.1.1[1701] 2.2.2.2 any -P in ipsec esp/transport/1.1.1.1-2.2.2.2
/require;
spdadd 2.2.2.2 1.1.1.1[1701] any -P out ipsec esp/transport
/2.2.2.2-1.1.1.1/require;
----------It'd be nice to maybe pause the startup so you can manually edit the config
and put some configuration variables. Or if you specify MIP6 to ungrey an
area where you can specify a UDP proxy port. I've also been able to upgrade
the racoon binary but I run into the problem of MIP6 being outdated,
another great place to insert a pause to do a replacement of MIP4 to proxy.
This might also lead to getting NAT-T working for OS X.
On the case of l2tpd, it seems to be running within the client. Is there a
way to run this program in stages? I'm only curious because it would help
with a lot of debug problems where you can't get further than the limited
GUI interface.
Any help here is greatly appreciated!
Thanks,
Benjamin
Re: Insert pauses, alternate proxy port, and l2tpd
by cnadig on 2005-02-10 22:56:57 +0100
Hello Benjamin,
please get in touch with me on [email protected] as I'm working on the
next release of IPSecuritas and I'd like to discuss ways to integrate your
proposals.
Christoph
Set kernel keys Problem ?
Set kernel keys Problem ?
by fmusso on 2005-02-07 20:46:58 +0100
Hi everybody,
No way to start a VPN Connection with version 2.06 and MAC OS 10.3.7
here is my log
Feb 7 20:43:16 Titanium IPSecuritas: Parsing configuration
Feb 7 20:43:16 Titanium IPSecuritas: Setting up racoon.conf
Feb 7 20:43:16 Titanium IPSecuritas: Setting up setkey.conf
Feb 7 20:43:16 Titanium IPSecuritas: Setting up psk.txt
Feb 7 20:43:16 Titanium IPSecuritas: Setting up tunnel.conf
Feb 7 20:43:16 Titanium IPSecuritas: Parsing configuration done
Feb 7 20:43:17 Titanium IPSecuritas: Starting racoon...
Feb 7 20:43:17 Titanium IPSecuritas: Racoon is running
Feb 7 20:43:17 Titanium IPSecuritas: Set kernel keys
And no more message... I am sure of my VPN configuration. But it is
strange : no error message. Any idea ?
Re: Set kernel keys Problem ?
by fmusso on 2005-02-07 22:02:04 +0100
does VPN TRACKER make change in my system ?
SonicWALL TZ170W Works
SonicWALL TZ170W Works
by Eric Kaiser on 2005-02-08 18:12:02 +0100
Here is my current setup. PowerBook G4 10.3.7 and SonicWALL TZ170W
with SonicOS Enhanced 2.6.0.4-42e. The connection is through the
airport/wireless interface.
SonicWALL settings:
General:
IKE using Preshared Secret on the WLAN GroupVPN
Proposals:
IKE (Phase 1)
DH Group 2
Encryption 3DES
Authentication SHA1
Life Time 28800 seconds
Ipsec (Phase 2)
Protocol ESLP
Encryption 3DES
Enable Perfect Forward Secrecy checked
DH Group 2
Life Time 28800 seconds
Advanced
All boxes unchecked
Default Gateway 192.168.225.193 (Which is my LAN Gateway)
Allow Unauthenticated VPN Client Access: All Interface IP
Client
Allow Connections to: Split Tunnels
Set Default Route as this Gateway checked
All other boxes unchecked
General
Mode Host to Network
Remote Ipsec Device 192.168.225.161 (My WLAN gateway)
Remote Network 192.168.225.192/27 (My LAN network address/subnet)
Local Adress Blank
Exchange Mode: Aggressive (only one checked)
Phase 1
Same settings as on SonicWall
Phase 2
Same settings as on SonicWALL
Only 3DES checked
Id/Auth
Remote Identifier: DN (Put the Uniqe Firewall Identifier from the SonicWALL
in this box)
Preshared Secret: Obviously the Preshared Secret from the SonicWALL
Options
Check the following
Compression Deflate
Re: SonicWALL TZ170W Works
by Simon T on 2005-02-10 04:56:01 +0100
Where you using RADIUS auth for this?
Is so how do you use the username and password?
Re: SonicWALL TZ170W Works
by Eric Kaiser on 2005-02-20 16:24:03 +0100
I was not using Radius Auth. or Xauth for the VPN. However, I do use
WPA-EAP for wireless authentication.
Sonicwall 4060 Pro connection problem via DSL
Sonicwall 4060 Pro connection problem via DSL
by jharris on 2005-02-08 23:46:11 +0100
We are remotely connecting to our network via a Sonicwall 4060 Pro using
IPSecuritas v. 2.0.5 in Mac OS X 10.3.x. I can successfully connect to the
network from our Comcast Internet connection at work as well as mine
from home. We have two remote properties that have an Earthlink DSL
connection as a backup solution. We keep getting a "no hash payload" error
during the Phase 1 negotiation. All Macs are using the same config settings.
They are:
General: Host to Network, Aggressive exchange mode, and Claim proposal
check, nonce size is 16
Phase 1: Lifetime=9600 seconds, Group 1, Encryption=DES,
Authentication=MD5
Phase 2: Lifetime=3600 seconds, PFS Group=None, Encryption=3DES,
Authentication=HMAC SHA1
ID/AUTH: Local ID=Address, Remote ID= DN + Sonicwall Unique ID,
Authentication by Preshared Secret
Options: IPSec/IKE Options enabled-IPSec DOI, Generate Policy,
SIT_IDENTITY_ONLY, MIP6, Initial Contact, and DHCP Pass-Through; General
Options are Establish IKE immediately
I would post a full log, but each time I do I get an error that the message is
too long. I will be happy to email the full log if needed. For now only what
appears to be the relevant portion is included:
Feb 8 16:47:20 user-vc8f15a racoon: DEBUG:
3e2ca792b4de9801:0000000000000000
207.59.138.242[500]
Feb 8 16:47:20 user-vc8f15a racoon: DEBUG: plog.c:199:plogdump():
3e2ca792 b4de9801 8cf63ebd ff806252 0b100500 00000000 0000005c
00000040 00000000 0110000e 3e2ca792 b4de9801 8cf63ebd ff806252
00060004 00000000 00040018 0000004e 6f207072 6f706f73 616c2069
73206368 6f73656e
isakmp_inf.c:115:isakmp_info_recv(): receive Information.
Feb 8 16:47:20 user-vc8f15a racoon: ERROR:
Feb 8 16:47:20 user-vc8f15a racoon: ERROR:
Any assistance that can be offered in solving this dilemma would be greatly
appreciated. All that the support at Sonicwall can tell me is the the problem
is in the Phase 1 configuration. That doesn't seem likely as these settings
are working via cable modem.
Sonicwall Enhanced OS using radius
Sonicwall Enhanced OS using radius
by simon t on 2005-02-10 05:02:43 +0100
Question,
I see that the client works with sonicwall enhanced OS group connection;
however, does it work with this when you have the user authenticate?
If not are their any step by step solutions: i.e. setting up another SA on
enhanced OS and allowing the client to connect?
In advance, thanks for your help.
P.S. great client.
Re: Sonicwall Enhanced OS using radius
by Eric Kaiser on 2005-02-20 16:33:36 +0100
Are you referring to using Xauth? If you are, then you have to establish the
appropriate user group which will authenticate against the SonicWALL (Local
Users and Local Groups) or an external Radius server. This is assuming that
IPSecuritas supports Xauth.
Connecting to Linksys RV082
Connecting to Linksys RV082
by Orb on 2005-02-17 00:59:24 +0100
I've been fiddling all day trying to get my Powerbook to connect to my
remote RV082. I can connect via PPTP, but getting IPSec to work is not
going well.
Anyone have a config that works that I can play with.
Thank.
Re: Connecting to Linksys RV082
by apelsin on 2005-03-25 19:39:25 +0100
Hi i too have an RV802
i cant get anything to work, Which firmware are you using?
Could you send me your settings for pptp?
I'll let you know if i can get ipsec to work.
Thanks
Netgear FVS318 flakey
Netgear FVS318 flakey
by Troy Virojana on 2005-02-17 19:07:53 +0100
Hi.
I am able to connect to the router, but it stops after 2 to 3 minutes.
I have used the same settings as a VPN Tracker client, who doesn't have this
problem.
It will connect, and I'm in the middle of doing something, and just stop
talking. The green checkmark is still there, and no errors come up in the
log at that time.
The only issue I get when I log on is this.
Feb 17 12:01:38 Dhole IPSecuritas: Starting racoon...
Feb 17 12:01:38 Dhole IPSecuritas: Racoon is running
Feb 17 12:01:38 Dhole IPSecuritas: Set kernel keys
Feb 17 12:01:38 Dhole racoon: ERROR: sockmisc.c:738:str2saddr():
getaddrinfo(X.X.X.X,500): resolved to multiple address, taking the first one
getaddrinfo(X.X.X.X,500): resolved to multiple address, taking the first one
getaddrinfo(10.1.2.3,0): resolved to multiple address, taking the first one
getaddrinfo(10.1.2.3,0): resolved to multiple address, taking the first one
getaddrinfo(192.168.1.0,0): resolved to multiple address, taking the first
one
one
getaddrinfo(10.69.69.101,500): resolved to multiple address, taking the
first one
first one
as I said, it works, but only for a few minutes. I copied the settings from
VPN Tracker, and I used the setup guide from Equinux. The VPN Tracker
client has no issue. I moved the key life from 3600 (recommended by
Equinux) to 28800 to see if that would help, but it did not.
Any ideas? I don't want to buy VPN Tracker if I don't need to, but it seems
like that is the only one that works well ALL the time.
By the way, I have no problems with IPSecuritas connecting to a sonicwall
TZ170 at all.
Re: Netgear FVS318 flakey
by Roger Meador on 2005-03-21 15:35:17 +0100
hey,
I am having trouble with a 318 as well. Have you had any luck?
Roger
VPN established - unable to pass traffic
VPN established - unable to pass traffic
by Kirk Paulsen on 2005-02-20 06:04:40 +0100
We are trying to establish a VPN between a PowerBook G4 running 10.3.7
and a Netscreen 5GT. This is the only Mac in the organization and I will
admit that I know very little about them. We have established the tunnels
using Netscreen Remote on the Windows XP laptops and they all work as
expected. I have been able to establish the tunnel between the PowerBook
and the Netscreen (both logs show the tunnel connected and green
checkmark in IPSecuritas) however when I try to ping anything on the LAN
behind the firewall - there is complete loss. Is there some special setting
for the Mac to know that the traffic is bound for the VPN? These are the
settings I currently have for IPSecuritas:
General Mode of Operation: Host to Network
Remote IPSec Device: 64.x.x.x
Remote Network: 192.168.14.0/24
Local Address: 192.168.14.140 (also have tried leaving this blank - same
result)
Proposal Check: Obey
Nonce Size: 16
Phase 1 Lifetime: 28800 seconds
Encryption: 3DES
Encryption: 3DES
Id/Auth Local Identifier: DN @[email protected] (found in an article online to
preface with @ since we were having trouble in the beginning even
establishing the tunnel because the firewall didn't recognize the peer
Remote Identifier: blank
Preshared Secret: ********
Options Compression Deflate checked (greyed out)
IPSec DOI checked
SIT_IDENTITY_ONLY checked
Initial Contact checked
MIP6 checked
DHCP Pass-through checked
Establish IKE immediately checked
all other options unchecked
Thanks in advance for any help.
Re: VPN established - unable to pass traffic
by Kirk Paulsen on 2005-02-20 21:27:32 +0100
An update for anyone that is trying to do a similar configuration. Took the
PowerBook home and everything worked fine when behind a Linksys router.
At the office, we were behind our Netscreen and even though none of our
PC's had a problem something with the PowerBook and our Netscreen was
causing traffic not to be routed or passed correctly.
Another note, found while home that the configuration worked best with
the Local Address left blank.
by KJ on 2005-04-14 22:19:20 +0200
I had the same problem with a PowerMac G5 and a bigger Netscreen as
well, we solved it with turning on reverse-nat on our VPN policy at the
netscreen.
by Paul on 2005-06-22 02:54:31 +0200
Reverse-Nat?
Do you mean nat traversal or incoming NAT translation?
Regards,
Paul.
Isakmp.c 1361: failed2bind(address already in use)
Isakmp.c 1361: failed2bind(address already in use)
by Chris Creighton on 2005-03-08 01:22:38 +0100
I am baffled by this as I am clueless as to what address it is referring to.
My internal Ethernet address is not the same address that I am trying to
reach. But I get this message quickly and it fails to even begin to talk to the
remote IKE server.
Any ideas? I am behind on a project just because of this simple problem.
I am assuming it's simple. This is not an issue of how IPSEC is configured
with IPSecuritas, as at times, it works, but at times, I get these errors and it
just stops trying, quickly.
thanks much ... Chris
Mar 2 00:08:40 Chris racoon: DEBUG2: cfparse.y:1354:cfparse(): parse
successed.
Mar 2 00:05:31 Chris racoon: ERROR: isakmp.c:1361:isakmp_open(): failed
to bind (Address already in use).
Mar 2 00:05:31 Chris racoon: ERROR: isakmp.c:1361:isakmp_open(): failed
to bind (Address already in use).
Mar 2 00:05:31 Chris racoon: ERROR: isakmp.c:1384:isakmp_open(): no
Mar 2 00:05:31 Chris racoon: ERROR: isakmp.c:1384:isakmp_open(): no
Error Messages
Error Messages
by Jeremy Brown on 2005-03-09 06:10:11 +0100
Hello,
I am trying to connect to a Sidewinder G2 using IPSecuritas. I have received
the document from Secure Computing on how to set this up and followed
the directions. I am using self-signed certificates, imported in PEM format.
I am directly connected to the Internet (not behind a firewall/NAT) and
have full outgoing access.
I have tested this VPN on Windows with their supplied SoftRemote program
and confirmed that the server configuration is correct.
I'm stumped, particularly at the messages saying it's resolved to multiple
addresses. Any help on this would be *greatly* appreciated. I have
google'd for help and come up dry. Here is a log dump (IP's have been
censored):
Mar 8 21:02:09 jbrown IPSecuritas: Parsing configuration
Mar 8 21:02:09 jbrown IPSecuritas: Setting up racoon.conf
Mar 8 21:02:09 jbrown IPSecuritas: Setting up setkey.conf
Mar 8 21:02:09 jbrown IPSecuritas: Setting up psk.txt
Mar 8 21:02:09 jbrown IPSecuritas: Setting up tunnel.conf
Mar 8 21:02:09 jbrown IPSecuritas: Parsing configuration done
Mar 8 21:02:10 jbrown IPSecuritas: Starting racoon...
Mar 8 21:02:11 jbrown IPSecuritas: Racoon is running
Mar 8 21:02:11 jbrown IPSecuritas: Set kernel keys
line 3: Unknown error at [<remote internal subnet>]
line 3: Unknown error at [<my IP address>]
line 4: Unknown error at [<my IP address>]
line 4: Unknown error at [<remote internal subnet>]
Mar 8 21:02:11 jbrown racoon: ERROR: sockmisc.c:738:str2saddr():
getaddrinfo(<VPN server IP>,500): resolved to multiple address, taking the
first one
getaddrinfo(<VPN server IP>,500): resolved to multiple address, taking the
first one
getaddrinfo(<my IP address>,0): resolved to multiple address, taking the
first one
first one
getaddrinfo(<remote internal subnet>,0): resolved to multiple address,
taking the first one
getaddrinfo(<remote internal subnet>,0): resolved to multiple address,
taking the first one
first one
first one
Mar 8 21:02:11 jbrown racoon: ERROR: isakmp_ident.c:237:ident_i2recv():
ignore the packet, received unexpecting payload type 7.
Mar 8 21:02:11 jbrown racoon: ERROR: isakmp_ident.c:237:ident_i2recv():
ignore the packet, received unexpecting payload type 7.
Mar 8 21:02:42 jbrown racoon: ERROR:
time up waiting for phase1. ESP <VPN server IP>-><my IP address>
Netgear FVL328 configuration same as FVS328?
Netgear FVL328 configuration same as FVS328?
by Eric Kelly on 2005-03-18 18:50:22 +0100
Anybody know if the optimal configuration for the FVL328 would be the
same as for the FVS328?
Thanks,
Eric
How To Read Log File
How To Read Log File
by GLC on 2005-03-19 05:58:00 +0100
If I could understand the log file messages, I would not post a note that
says "I tried everything and it still does not work.!
I am trying to tunnel in to a Fortigate. I finally have a green checkmark, but
when I run Remote Desktop, it cannot see anything. The log file has lots of
info, but I do not understand it.
Is there a "How to Read The Log File" FAQ somewhere?
Thanks!
Re: How To Read Log File
by robd on 2005-03-26 14:14:09 +0100
What do these error messages mean? I agree GLC we need some more help
so we can help ourselves! Can we get a IPsecuritas wiki? I'd be keen to help.
10.3.80 to IPCOP 1.4.2
10.3.80 to IPCOP 1.4.2
by Rob on 2005-03-25 20:15:25 +0100
I've been following this HOWTO http://www.taupehat.com/vpn/ to get my
10.3.8 machine to connect to an IPCOP firewall v1.4.2
My log output is below.
Anyone got any ideas as to why it is going wrong?
Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up racoon.conf
Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up setkey.conf
Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up psk.txt
Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up tunnel.conf
Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up resolv.conf
done
Mar 25 19:08:25 Rob-Dykes-Computer IPSecuritas: Starting racoon...
Mar 25 19:08:26 Rob-Dykes-Computer IPSecuritas: Racoon is running
Mar 25 19:08:26 Rob-Dykes-Computer IPSecuritas: Set kernel keys
pfkey.c:745:pfkey_timeover(): 80.46.98.226 give up to get IPsec-SA due to
Re: 10.3.80 to IPCOP 1.4.2
by Matt Hodson on 2005-04-15 12:20:24 +0200
Any luck on your problem?
I have just got a mac and trying to use securitas to connect as an l2tp road
warrior to a smoothwall network, but I get the same errors in the log i.e.
add net 192.168.111.0:gateway gif0
Apr 15 09:39:03 Junta racoon: ERROR: sockmisc.c:738:str2saddr():
getaddrinfo(
etc ......
using osx 10.3.8
ipsecuritas 2.0.6
Regards
Matt
Re: 10.3.80 to IPCOP 1.4.2
by Tsathul on 2005-04-22 19:26:06 +0200
Similar problems here with OS X 10.3.8 and IPSecuritas 2.0.6. Tried
changing to dialup and back to network (read somewhere that this resets
some network settings that can get corrupted in OS X 10.3) but that had no
effect.
So, used the recent combo updater to OS X 10.3.9 and hey! It actually
started negotiating with the ZyWALL router at headquarters. Some
configuration debugging and then the link was up.
IPSecuritas has been out for awhile so it must have worked with earlier
versions of OS X 10.3. However there may be something faulty added in
10.3.8 that was fixed in 10.3.9? Or maybe just rebooting solved the
problem and the update is a red herring.
Regardless, all is not perfect, my connection dropped this morning and now
I can't seem to restore it. If it's not one thing it's another.
alias IP address on the Mac
alias IP address on the Mac
by Thomas on 2005-03-31 12:03:07 +0200
Hi
I have successfully managed to get VPN Tracker to work with my Linksys
rv082 router despite the fact that my client machine resides behind a NAT
firewall. To do this I had to set a virtual ip in VPN Tracker.
Does anyone know if a virtual ip adress can be set in IPSecuritas? And if so
how?
Strangeness with port 9 at startup...
Strangeness with port 9 at startup...
by NickBoz on 2005-04-01 06:36:44 +0200
I'm curious about the usage of port 9 by IPSecuritas. When starting the
latest version of the application, it immediately tries to contact the various
IPSec tunnel destination via port 9 (aka Discard protocol).
Since the IPsec destination address is to my firewall's built in IPSec VPN
Server, it immediately closes down the socket and blocks the outside IP
address I was using. I have the firewall's intrusion detection system turned
on. As a result of the close, IPSecuritas fails immediately and contains
nothing in its log.
Now, I can turn all of this firewall blocking off, but what I don't understand
is why this would ever work. Who is going to have a system available on the
Internet that will respond to queries on port 9? It is unsafe and clearly not
part of the standard specs I have been reading.
Furthermore, it prevents IPSecuritas from working at all. If I try the same
configuration in VaporSec, I can at least get to the negotiation stage of
phase 1.
Anyone have any ideas as to why port 9 is used? Can it be turned off?
Thanks,
Nick
Re: Strangeness with port 9 at startup...
by cnadig on 2005-04-11 00:22:24 +0200
Hello Nick,
a UDP packet to port 9 is sent to start the key exchange by racoon without this packet, racoon will only start the key exchange and thus
establish the tunnel with the first user traffic for the remote network.
You can switch this off by disabling the 'Establish IKE immediatly' option in
your connection definition. In this case, you need to access the remote
network manually to start IKE.
Christoph
Tiger compatibility
Tiger compatibility
by AaronA1975 on 2005-04-04 19:10:51 +0200
Is the current version of IPSecuritas compatible with Tiger, or will there be
an update issued?
Re: Tiger compatibility
by Andreas Ley on 2005-04-27 16:04:08 +0200
Seems to work fine on 10.4, Build 8A428. But the Finder still stops
responding whenever a connected AFP volume doesn't respond fast
enough, which is a pain, but nothing to blame Lobotomo for. :)
by jayk on 2005-04-30 09:41:17 +0200
There is a minor incompatibility that I noticed.
The 'replace DNS' settings option in preferences no longer works under
tiger. It does put the info in the /etc/resolv.conf - but apparantly Tiger
ignores that now. I think it has to go into netinfo or something for it to be
effective.
by UncleRobin on 2005-05-01 01:11:11 +0200
Without a doubt, IPSecuritas is the best VPN client I have used, by far.
However it seems like Tiger has crippled it. It works, but it is very
sluggish. Ping packets that where taking 40ms to return are now typically
500ms and more if they return.
UR
by Influence on 2005-05-01 17:02:00 +0200
I've noticed the same issue as UncleRobin:
Since upgrading to tiger the latacy went up from 100ms to 1000ms
rendering my vpn connection basically unusable (at the very least for
interactive applications like ssh).
Any idea what's the problem?
Thanks,
Influence
by RotundRanter on 2005-05-02 03:47:42 +0200
I am seeing the same thing, seems connections still work but are really
slow, to the point of being unusable. I've noticed it with Windows shares
and ssh/sftp. Anyone have a workaround? I could provide Ethereal output
if that helps.
NAT-T work ?
NAT-T work ?
by befek-18 on 2005-04-12 09:49:15 +0200
Hallo,
short question.
Is here someone with a working nat-traversal enviroment.
(Ipsecuritas behind a NAT Router over UDP/4500).
Uwe
Re: NAT-T work ?
by Sander on 2005-04-22 22:46:10 +0200
I had the same question and I e-mailed Lobotomo about it. At this moment
Mac OS X does not support NAT-T. It will come with Mac OS X Tiger but it
only supports one implementation of NAT-T which is probably not
compatible with most routers/vpn servers.
Connect to D-Link DFL-200
Connect to D-Link DFL-200
by Essington on 2005-04-23 02:52:50 +0200
I am trying to connect to a D-Link DFL-200, and am getting an error:
Invalid exchange type 6 from xxx.xxx.xxx.xxx
any idea where I should start mucking around to alleviate this?
Any ideas would be most helpful
Thanks
-jason
Re: Connect to D-Link DFL-200
by dkreutz on 2005-08-20 18:40:46 +0200
I use Ipsecuritas to connect to a DLink DFL-700.
On the firewall configure a VPN of roaming-type. Enter local network and
preshared secret key. Do not change any of the advanced settings.
Ipsecuritas configuration as following:
General - Exchange mode: main, Proposal check: claim, Nonce size 16
Phase1 - Lifetime 28800, DH group: Mod1024 (2), Encryption: AES 128,
Authentication: MD5
Phase1 - Lifetime 28800, PFS group: Mod1024 (2), Encryption:
DES/3DES/AES 128, Authentication: HMAC MD5/HMAC SHA1
ID/Auth - Local identifier: Address, Remote identifier: Address, enter
preshared secret key (same as above)
Options: Initial contact, Generate policy, MIP6, Establish IKE immediately
IPSecuritas SonicWall Pro 230
IPSecuritas SonicWall Pro 230
by stewymac on 2005-05-01 15:39:12 +0200
Hi folks,
I am having troubles getting IPSecuritas 2.0.6 to work with my SonicWall Pro
230 and Mac OS X 10.3.9. I have tried creating a seperate SA and tried
using the GroupVPN, but no luck. I was hoping someone could post their
Client and firewall config. I have been through the Forums and have tried all
the suggestions....any help would be really great.
Thanks
stewymac
Re: IPSecuritas SonicWall Pro 230
by Guest on 2005-07-28 20:32:07 +0200
Bump to this having same issue with Sonicwall Firmware upgrade 3.1
Tiger Compatibility
Tiger Compatibility
by cnadig on 2005-05-01 22:22:59 +0200
Hello,
there have been a number of user reports on IPSecuritas on Tiger. So far,
the following problems have been reported to us:
a. Tunnel establishes normal, but throughput is very bad, packet round-trip
times (ping) between 500 and 1000ms (on connections with approx 50ms
before). This seems to be a bug in the MacOS kernel.
b. DNS replacement does not work anymore - the settings are ignored.
c. In one case, the tunnel could not be established at all.
We are working on problems b. and c., while only Apple can resolve a. At
the moment we don't recommend to update to Tiger if you rely on VPN
connectivity.
More user feedback (positive or negative) is highly appreciated - please
include a short summary of your setup (peer device, mode of operation etc.)
Any progress will be made public on [url]http://www.lobotomo.com[/url]
and in this forum.
Thanks,
Christoph
Re: Tiger Compatibility
by Kevin on 2005-05-02 02:51:47 +0200
I've been hit by a & b. My ping times are 1000ms range (slightly over
actually.)
For the DNS issue, my resolv.conf does change, but the settings in it are
ignored.
Kevin
by frogmella on 2005-05-03 13:00:18 +0200
Using IPSecuritas to connect to a CheckPoint SecuRemote VPN.
The good news is that IPSecuritas does actually create the connection (this
was not working in earlier betas of Tiger). But yes, (a) is a problem although I can SSH to servers within my company, it's slow, and mail.app
fails connecting to our Exchange server.
I don't use (b) - yet - and haven't done enough testing to see if (c) occurs.
Thanks for the excellent work!
by J Mitchell on 2005-05-03 14:39:42 +0200
I can confirm the 1000ms ping time.
The tunnel to a gnatbox GB-1000 is established but performance is very
poor.
Mac OS X 10.4 dual 500.
Thanks
Jonathan
by Matthias on 2005-05-03 16:42:53 +0200
Same problem here 2.06 with OSX 10.4 Various Macs connection to
Checkpoint FW1
Tunnel seems to be working
Ping >1000
DNS replacement seems to work because on the commandline the nslookup
or dig do work ok, however the Browser does not seem to pickup the DNS
Settings.
Hope that helps, can provide more details if anybody wants...
thanks for the great app, and letґs hope weґll solve this fast...
Matthias
by Terry Katz on 2005-05-03 23:14:02 +0200
Same issues here. 1000ms ping times, mostly unuseable.
OSX 10.4 on a PM G5 Dual 2.5ghz, and a 17" PB 1ghz connecting to various
SonicWall devices.
-Terry
by Cid Matrix on 2005-05-04 16:10:39 +0200
Upgraded my PB to Tiger. I'm having issue "c" while attempting to connect
to my corporate Sonicwall firewall.
by Andreas Ley on 2005-05-05 00:30:00 +0200
Etablishing a "Host To Network" tunnel to a monowall (http://m0n0.ch/wall)
works fine, but I too have the problem with high pings (>1000ms).
I thought my WLAN was the cause, but apparently it isn't...
by Craig on 2005-05-05 01:28:35 +0200
Also seeing the (a) & (b) problems connecting from a test system (old 600
mhz G3 iBook) to a Netgear FVX538 in a Host-To-Network configuration.
In testing, I noticed that the DNS for "host myserver.mydomain.com"
worked most of the time (with the occasional ";; connection timed out; no
servers could be reached" because of the lag time.)
But when pinging that same name, you get a "ping: cannot resolve
myserver.mydomain.com: Unknown host".
Thought there might be an issue with lookupd overriding resolv.conf, but
the configuration looks the same as in Panther:
-------% lookupd -configuration
ConfigSource: default
LookupOrder: Cache NI DS
MaxIdleServers: 4
MaxIdleThreads: 2
MaxThreads: 64
TimeToLive: 43200
Timeout: 30
ValidateCache: YES
ValidationLatency: 15
_config_name: Global Configuration
LookupOrder: Cache FF DNS NI DS
_config_name: Host Configuration
LookupOrder: Cache FF NI DS
_config_name: Service Configuration
_config_name: Protocol Configuration
_config_name: Rpc Configuration
TimeToLive: 60
ValidateCache: NO
_config_name: Group Configuration
TimeToLive: 300
ValidateCache: NO
_config_name: Initgroup Configuration
LookupOrder: Cache FF DNS NI DS
_config_name: Network Configuration
-------A "lookupd -flushcache" didn't help.
-ch
by Craig on 2005-05-05 01:48:37 +0200
Looks like my suspicion about lookupd being the culprit is correct:
-------% lookupd -d
> hostWithName: myserver.mydomain.com
nil
> hostWithName: mydomain.com
Dictionary: "DNS: host mydomain.com"
_lookup_DNS_domain: org
_lookup_DNS_server: 192.168.2.1
_lookup_DNS_time_to_live: 3600
_lookup_DNS_timestamp: 1115249859
_lookup_agent: DNSAgent
_lookup_info_system: DNS
interface: 5
ip_address: 99.99.99.99
name: mydomain.com
+ Category: host
+ Time to live: 43200
+ Age: 38 (expires in 43162 seconds)
+ Negative: No
+ Cache hits: 1
+ Retain count: 3
> quit
-------192.168.2.1 is the IP address of the wireless router I'm testing with (my
host was assigned an IP of 192.168.2.8 ).
The 99.99.99.99 is the public address of mydomain.com, not the one
returned by the DNS server that sits behind the firewall.
The nil response for the server explains why ping isn't happy.
Hope this information is helpful.
-ch
by Todd I on 2005-05-07 02:00:25 +0200
I am seeing the same thing, with Tiger IPSec through a Linksys WRV54G
gateway.
PING 10.10.10.9 (10.10.10.9): 56 data bytes
64 bytes from 10.10.10.9: icmp_seq=0 ttl=63
time=293.814 ms
time=1093.747 ms
time=1095.896 ms
time=816.548 ms
time=1093.376 ms
Are there any other general MacOS X forums, or Apple www sites, where we
should be submitting information about this?
by David on 2005-05-07 07:07:39 +0200
Yup, same here. Ping times are about 1020 ms from a Powerbook G4 to
OpenBSD 3.6 gateways running isakmpd. The high delay breaks virtual
clients like VNC and Remote Desktop Connection.
by Amanda Walker on 2005-05-10 21:03:00 +0200
Interestingly enough, I'm not seeing any performance difference under 10.4
talking to either FreeBSD 5.3 or a Netscreen firewall. Seems to work fine,
with round trip times indistinguishable from running under 10.3.8.
by andreast on 2005-05-11 17:05:57 +0200
Apple can be notified of this bug here:
http://www.apple.com/macosx/feedback/
If many of us send them a message, maybe they will do something.
by filipp on 2005-05-14 22:36:22 +0200
Same problem here.
Running IPSecuritas on 10.4 to Netgear FVS338
Ping is pretty much exactly 1000 msec over usual (1035 instead of normal
35)
Interesting, when i simultaniously ping the Internet IP of the Netgear, the
ping times are down to 550, then go back up to 1035 when I stop pinging
the public address.
/ filipp
by atze on 2005-05-16 11:36:02 +0200
i get this on stopping ipsec - the app still runs, seems to be a subprocess:
2005-05-16 11:35:01 +0200
EXC_BAD_ACCESS (0x0001)
KERN_INVALID_ADDRESS (0x0001) at 0xc000429b
Thread 0 Crashed:
0 removedir + 168
1 removecerts + 52
2 performstop + 52
3 main + 320
4 _start + 380
5 start + 48
by Scott Hander on 2005-05-16 20:28:03 +0200
I upgraded to 10.4 before finding there was a problem with IPSecuritas and
10.4, but I was able to use it with Apple Remote Desktop. The connection
was a little odd (it was a little slower than usual and there were several
disconnects, but it did work). The connection was a 10.4 system to a
remote SonicWall firewall and a server on the other side of the firewall. I
thought I would mention this in response to the comments about VNC and
MS RDC.
by bluemeanie on 2005-05-17 02:09:22 +0200
It looks like 10.4.1 does nothing to fix the issue. I'm still getting no VPN
connection to our OpenBSD server (not even a 1000ms response time).
I miss my VPN. :'(
by Draven Weston on 2005-05-17 03:48:39 +0200
I just updated to 10.4.1 and I am seeing a vast improvement in
performance with IPSec. Ping times are down to about 20 ms from
1000+ms
by RotundRanter on 2005-05-17 07:26:37 +0200
10.4.1 fixes my problems connecting to a GTA Gnatbox. Pings are back
down to 35mS and files transfers once again fill the T1 pipe at work. w00t!
by Matt on 2005-05-17 15:40:58 +0200
Anyone tried this with 10.4.1? Apparently the update has fixed problems
with VPNTracker, so fingers crossed...
http://www.macnn.com/print/29256
by Dan on 2005-05-17 21:12:10 +0200
Howdy,
These ping times are from 10.4.1...
192.168.253.0/24[any] x.x.x.x[any] any
in ipsec
esp/tunnel/x.x.x.x-x.x.x.x/require
spid=16 seq=1 pid=904
refcnt=1
x.x.x.x[any] 192.168.253.0/24[any] any
out ipsec
esp/tunnel/x.x.x.x-x.x.x.x/require
refcnt=1
dhcp-248:~ dan$ ping 192.168.253.2
PING 192.168.253.2 (192.168.253.2): 56 data bytes
64 bytes from 192.168.253.2: icmp_seq=0 ttl=64 time=38.098
ms
ms
ms
ms
ms
ms
ms
ms
ms
ms
Looks like no more latency in 10.4.1
by evilmeanie on 2005-05-18 05:53:39 +0200
Well, I fixed my problem. It was the encryption algorithm used in
quick-mode (Phase 2).
Out of AES, only AES-128 will allow packets to pass now. Blowfish doesn't
work, either. 3DES does work. I didn't try anything else.
It seems odd. Why would some algorithms just stop working in Tiger?
Should I stick with AES or go 3DES? Or Cast?
by Jayk on 2005-05-18 21:16:57 +0200
Hi all,
I have stumbled onto the 'no connection' solution. With IPSecuritas 2.1 and
Tiger 10.4.1 - I can get my VPN working again - although I had to adjust
my settings a little.
I had to disable all but AES128 on the 'phase 2' screen. Prior to Tiger, AES
256 would work, as would blowfish.
With 10.4 - having AES 256 enabled would result in no functional
connection - IPSecuritas would show the green check, but packets would
not pass.
Now, AES 128 works and the others do not. Disabling everything but AES
128 worked for me.
Hope this helps others get their VPN working again.
Jay
by Henrik on 2005-05-23 14:50:25 +0200
Hello,
I still have problems with IPsecuritas 2.1 and OS X 10.4.1, connecting to a
Linux FreeS/WAN box.
The connection has always been established without problems, but when
trying to access any machines, it will not. If I ping my VPN IP (that ifconfig
states) it just says no route to host. Very strange...
Any ideas?
Henrik
Watchgaurd Firebox X500 VPN
Watchgaurd Firebox X500 VPN
by Ben Thomas on 2005-05-13 00:18:10 +0200
Hi,
I have been trying for a few months now to connect to a Firebox X500 VPN
using VPN Tracker but have had no luck. Are there any particular issues i
should be on the lookout for concerning the Firebox X500 and settings in IP
Securitas, VPN Tracker or OSX 10.3.9 in general?
I am able to connect using the Watchgaurd VPN client using a PC on my
existing Airport Wireless network. I have the BSD Subsystem installed and
have triple checked passwords and all settings to make sure they are
accurate.
Thanks for any help,
Ben
Re: Watchgaurd Firebox X500 VPN
by cnadig on 2005-05-13 23:18:28 +0200
Hello Ben,
please send me the ouput from the log window to [email protected] with
the log level set to verbose debug (in IPSecuritas' settings).
Please make sure to remove all confidential information like firewall IP
address.
Christoph
by ben on 2005-05-14 03:44:40 +0200
Hi,
I sent you a PM but not sure if it went through, is there an email address I
can send my log file to?
Thanks again,
Ben
by ben on 2005-05-18 16:45:33 +0200
Hi,
Just wondering what the status of my support request is and if you have the
time to help me out.. Thanks again
by david on 2006-07-04 15:21:37 +0200
Hi all,
I'm trying to configure a VPN network with my firebox 500, but i cannot
access to Policy Manger->Network->Remote User ! :-(
And when i use VPN Wizard, it says "VPN module is not loaded onto the
firebox!"
I need help, thanks in advance for your help, you can contact by mail
[email protected]
IPSEC vulnerability: advice?
IPSEC vulnerability: advice?
by tiffert on 2005-05-13 04:16:27 +0200
Having read the NISCC advisory on IPSEC vulnerability, a newbie like me is a
little unclear on what to do about it.
http://www.niscc.gov.uk/niscc/docs/al-20050509-00386.html?lang=en
I wonder if someone could offer configuration advice for IP Securitas that
addresses the vulnerability.
I have a Linksys BEFVP41 (vers. 1) router. What configuration options
should I look at there?
TIA!
Re: IPSEC vulnerability: advice?
by cnadig on 2005-05-13 23:13:55 +0200
Hello,
the advisory describes a possible vulnerability for configurations that don't
use encryption and/or authentication.
In order to prevent such a configuration, disable Null encryption and Null
authentication on the Phase 2 tab in IPSecuritas. These options are meant
for debugging purposes of a connection only and I'm thinking of removing
them in future releases.
Cheers,
Christoph
Tiger 10.4.1 OK
Tiger 10.4.1 OK
by UncleRobin on 2005-05-17 01:49:24 +0200
It appears, at least on my computer, the 10.4.1 update fixes the problem
with latency. My ping times are back to normal. :)
UR
Re: Tiger 10.4.1 OK
by jonathan mitchell on 2005-05-17 10:45:55 +0200
I can confirm that the 10.4.1 update restores the ping time. VNC and RDP
client performance back to normal.
Jonathan
Juniper Netscreen 25 working config
Juniper Netscreen 25 working config
by Robert on 2005-05-18 04:57:28 +0200
In case anyone is interested, I got Ipsecuritas to work with my Netscreen
25.
I used the documentation on the vpntracker.com site and configured the
vpn for use this vpntracker client (tested with the demo version) then
simply duplicated most of the settings with ipsecuritas (and did some trial
and error for settings that were not shown in vpntracker).
Hope this helps someone.
Here is the info:
I followed the steps in this document to setup the netscreen using the
single user setup.
http://www.equinux.com/cms_components/us/products/vpntracker/media
/files/HowTo_Netscreen_Rev_4.0.pdf
General
Host to Network
Remote Ipsec Device <ip address of your netscreen untrust interface>
Remote Network <internal network that you are connecting to
192.168.1.0/24>
Exchnage Mode Aggressive
Proposal Check Claim
Nonce Size 16
Phase 1
Lifetime 3600
DH Group Mod1024(2)
Encryption 3DES
Authentication SHA1
Phase 2
Lifetime 28800
PFS Group None
Encryption DES and 3DES checked
Authentication HMAC MD5 and HMAC SHA1 checked
Id/Auth
Local Identifier DN <identifier you used for the user you set up in the
Netscreen>
Remote Identifier Address
Preshared Secret <the secret you put in the netscreen setup>
Options
Compression Deflate grayed out but checked
IPSec DOI not checked
Verify Identifier not checked
Passive not checked
Generate Policy not checked
MIP6 checked
Verify Certificate not checked
Auto Start not checked
Re: Juniper Netscreen 25 working config
by Andre Knudsen on 2005-12-15 14:23:35 +0100
Thanks I've been looking for this for connection to a few 5GT's and 5XP's
Administrator rights at first startup?
Administrator rights at first startup?
by Michael Kussmaul on 2005-05-18 21:28:46 +0200
I like IPSecuritas, it works quite well!
I only have a quick question, I have not found an answer so far: When I first
startup IPSecuritas, it asks me to enter my administrator password, for what
operation does it need it? (E.g. which file(s) does it install/alter on the
system)
many thanks
Michael
Re: Administrator rights at first startup?
by cnadig on 2005-05-24 12:12:03 +0200
Hello Michael,
certain operations require administrator's priviledges (such as changing the
routing tables, adding security associations to the kernel and running
racoon, the IKE daemon). All of these operations are performed by a
background process called vpntool, which needs to have these priviledges in order to acquire them, the administrator's password is queried the first
time it runs (please note that this is part of the authentication and
authorisation framework of MacOS X - the password is not stored by nor is
it even visible to IPSecuritas).
Christoph
D-Link DI-804HV Compatability?
D-Link DI-804HV Compatability?
by hammer32 on 2005-05-20 14:45:58 +0200
Does anyone have any tips for configuring ISSecuritas with a D-Link
DI-804HV router?
Thanks!
-Sean
Re: D-Link DI-804HV Compatability?
by Mikael on 2005-10-18 14:27:01 +0200
Had a try, but didn't make it. Does not say it doesn't work, but it is,
apparently, not a straightforward setup. I will be trying something else...
by hammer32 on 2005-10-18 15:24:12 +0200
I tried VPNTracker, they didn't have one to test, but I was able to set it up
and have used it while on the road for several months. So far so good!
by Randall on 2006-02-11 06:51:32 +0100
[quote]Does anyone have any tips for configuring ISSecuritas with a D-Link
DI-804HV router?[/quote]
Has anybody found a setup since? I feel like I'm close, but it's not working..
by Randall on 2006-02-19 00:18:31 +0100
[quote author=Randall link=1116593158/0#3 date=1139637092]
Has anybody found a setup since? I feel like I'm close, but it's not working..
[/quote]
I got mine working (with two different DI-804HV's, actually). I think I had
the remote network address and subnet a little mixed up and that was
preventing success. Everything's good now, with a Rev A1 box with FW 1.40
and and a Rev C1 box with FW 1.42.
If anyone needs help, post here and I'll try to provide a little writeup.
Randy
by Red on 2007-01-09 20:49:06 +0100
I have an 804 at home and an 808 at the office, I would like to use them
with IPSecuritas. Your setup tips would be very much appreciated. The
D-Link docs are worthless.
I had a Trendnet VPN router before and it had MUCH better documentation
and configuration. Fairly easy to set up with IPSecuritas. The Trendnet just
didn't jive with the Riverstone/Lucent fiber-backbone router we connect to
and finally went nuts.
We have a SonicWall Firewall/VPN appliance in the server room, also no
problems with IPSecuritas on that. Great app.
AH Only configuration using ipsecuritas?
AH Only configuration using ipsecuritas?
by Terr-Oz on 2005-05-31 21:47:38 +0200
Has anyone been able to configure ipsecuritas for this setkey policy?
ah/transport/src-dst/require;
?
IPSecuritas appears to only configure racoon for esp.
Re: AH Only configuration using ipsecuritas?
by cnadig on 2005-06-07 08:37:45 +0200
Hello,
IPSecuritas does not support AH at the moment as I thought it was pretty
much obsolete. However, if the demand for AH is here, I think about
implementing it in the next major release.
Christoph
Re: AH Only configuration using ipsecuritas?
by tji on 2005-07-08 20:02:53 +0200
Terr-Oz: Many VPN devices don't support AH.. Instead, they use ESP with
NULL encryption, effectively achieving the same thing as AH.
One of the major reasons AH is not used is because Network Address
Translation (NAT), used on just about every broadband gateway, breaks AH.
ESP works through NAT, so more people use it.
IPSecuritas connectivity to SonicWall TZW
IPSecuritas connectivity to SonicWall TZW
by George Zervakos on 2005-06-03 15:43:14 +0200
Hello,
I was wondering if anyone has been successful in setting up a VPN tunnel
from Mac OS X with IPSecuritas to a SonicWall TZW or something similar?
I have been successful in getting the tunnel negotiation to succeed (at least
that's what logs on both ends would lead me to believe); I get a green arrow
in the IPSecuritas interface after hitting start ipsec, and I also see a green
icon LED in the SonicWall's GUI and a log entry stating that Phase 2 has
been successfully completed.
The problem comes in when I want to ping something (from the Mac) that is
on the LAN interface of the SonicWall. It seems that packets are not getting
sent through the tunnel at all. I see no entries in the SonicWall's logs. I
have put the SonicWall LAN subnet as the destination network in
IPSecuritas.
I might add that the Mac is behind a firewall and has a private IP that gets
NATted to a public IP. Will this scenario work with the NAT or does the Mac
need to have the private IP making it the edge device?
Does anyone have any troubleshooting ideas or places where I could look
for some help?
Thanks,
George
Re: IPSecuritas connectivity to SonicWall TZW
by cnadig on 2005-06-07 08:46:03 +0200
Hello,
most modern NAT routers support IPSec-Passthrough of at least one IPSec
tunnel, so this is probably not your problem - of course a direct connection
to the internet at least for tests would rule this out.
Another problem might be an address conflict between your local addresses
and the network your trying to reach - is your local address within the
remote network range?
Another problem could be that the remote firewall will not route private
addresses (other than the ones configured), so you might want to try
entering a different IP address into the Local Address field on the General
tab in IPSecuritas (your machine will then appear at this address for the
remote machines - if the field is empty, your default interface's address is
used instead).
There's also some problems with the new AES implementation in Tiger, I'd
recommend 3DES for best compatibility.
Christoph
Re: IPSecuritas connectivity to SonicWall TZW
by George Zervakos on 2005-06-09 22:58:20 +0200
Hello,
I did a tcpdump on the Mac OS X and I see that traffic bound for the remote
network is getting encapsulated in ESP.
The thing is, I'm running Mac OS X on a PC in a program called PearPC. In
order to get networking in PearPC, I had to share my PC's LAN connection
and assign a private IP to the Mac OS X. What happens is the Mac OS X has
a 192.168.0.0 IP and my PC has a 10.0.0.0 IP. While I can access the
Internet from PearPC using Safari for example, ESP packets are not getting
passed along from my PC out to the internet.
The Mac IP is getting NATted by my PC whose IP is in turn getting NATted
by my firewall.
There are no address conflicts with the VPN domains; these are distinct
subnets.
Geirge
Immediate Red X
Immediate Red X
by Kevin Mader on 2005-06-03 16:43:05 +0200
I am trying to setup a connection to a SonicWALL TZ 170 -SP Wireless and I
think I know all the correct settings, but when I put them in a red X apears
next to my connection icon before I even have time to connect. The log is
empty because all I have done is edit the connection.
Thank you
Checkpoint and IPSecuritas
Checkpoint and IPSecuritas
by Art_of_Noise on 2005-06-04 21:42:14 +0200
Hi everybody,
I'm trying to connect to my work network (firewall : Checkpoint). I'm using
a powerbook with Mac OS 10.4.1. My preferences are "host to network" and
the authentification is by address and preshared key.
The light becomes green, but I can't check my network. Here are the last of
the log. All seems to be okay, but when I test the connection (for example
making a traceroute), the text "msg 4 not interesting" is added in the log.
Can anybody help me ? Thanks a lot in advance.
Jun 4 21:18:28 Ordinateur-de-MY racoon: DEBUG:
pfkey.c:1117:pk_recvupdate(): pfkey UPDATE succeeded: ESP/Tunnel
217.167.X.X->82.227.X.X spi=147717185(0x8cdfc41)
Jun 4 21:18:28 Ordinateur-de-MY racoon: INFO:
pfkey.c:1124:pk_recvupdate(): IPsec-SA established: ESP/Tunnel
217.167.X.X->82.227.X.X spi=147717185(0x8cdfc41)
pfkey.c:1162:pk_recvupdate(): ===
pfkey.c:195:pfkey_handler(): get pfkey ADD message
Jun 4 21:18:28 Ordinateur-de-MY racoon: DEBUG2:
plog.c:199:plogdump():
Jun 4 21:18:28 Ordinateur-de-MY racoon: INFO:
pfkey.c:1351:pk_recvadd(): IPsec-SA established: ESP/Tunnel
82.227.X.X->217.167.X.X spi=2149506554(0x801eddfa)
pfkey.c:1356:pk_recvadd(): ===
Re: Checkpoint and IPSecuritas
by cnadig on 2005-06-07 08:35:09 +0200
Hello,
are you by any chance using AES256 or AES192 for encryption? The AES
encryption in 10.4 is not compatible wuith checkpoint's implementation
anymore. Use 3DES for best compatibility (AES128 seems to work in some
cases, so you might want to try this as well).
Christoph
by Art_of_Noise on 2005-06-07 08:54:00 +0200
are you by any chance using AES256 or AES192 for encryption? The AES
encryption in 10.4 is not compatible wuith checkpoint's implementation
anymore. Use 3DES for best compatibility (AES128 seems to work in some
cases, so you might want to try this as well).
Christoph[/quote]
Thanks for your response. But I'm already using 3DES for encryption in
phase 1 and phase 2.
by tji on 2005-07-08 19:59:12 +0200
There are also dependancies on the gateway configuration.. If the
administrator has enabled the client integrity checking features (where it
checks to make sure the host OS is patched up to date, antivirus is running,
etc.) it will only work with the Check Point client (SecureClient).
If the administrator turns that feature off, IPSecuritas will work fine.
Also, Check Point (finally) released their MacOS X VPN client not too long
ago. So, you may want to try that one out instead.
by MikeyG_U2 on 2005-07-12 18:42:42 +0200
I don't mean to jack your thread, I'm just hoping that by posting my
problem in your thread we might both find a solution...
I've also been having trouble accessing our Checkpoint VPN. I'm running
Tiger so the SecureClient doesn't work for me yet. I've followed all the
setup guides for both IPSecuritas and the Checkpoint firewall itself, but still
can't create a connection. The little red 'X' is all I get.
I'm using IPSecuritas 2.1(on Mac OS 10.4.1) and I've tried enabling only the
security protocols mentioned earlier in this topic. I admit that I am new to
IPSecuritas, only attempting to make it work after I upgraded to Tiger and
broke the SecureClient. So I've never had IPSecuritas working. If anyone
has any suggestions, I would greatly appreciate it. In case it helps, here is
my most recent connect log, I'm not getting nearly as far as Art_of_Noise...
Log output from IPSecuritas 2.1
Jul 12 11:15:06 mailman IPSecuritas: Parsing configuration
Jul 12 11:15:06 mailman IPSecuritas: Setting up racoon.conf
Jul 12 11:15:06 mailman IPSecuritas: Setting up setkey.conf
Jul 12 11:15:06 mailman IPSecuritas: Setting up psk.txt
Jul 12 11:15:06 mailman IPSecuritas: Setting up tunnel.conf
Jul 12 11:15:06 mailman IPSecuritas: Parsing configuration done
Jul 12 11:15:07 mailman IPSecuritas: Starting racoon...
Jul 12 11:15:08 mailman IPSecuritas: Racoon is running
Jul 12 11:15:08 mailman IPSecuritas: Set kernel keys
Jul 12 11:15:08 mailman racoon: DEBUG2: cfparse.y:1413:cfparse(): parse
successed.
Jul 12 11:15:08 mailman racoon: DEBUG: isakmp.c:1592:isakmp_open():
Jul 12 11:15:08 mailman racoon: DEBUG: isakmp.c:1610:isakmp_open():
192.168.69.69[4500] used as nat-t isakmp port (fd=9)
Jul 12 11:15:08 mailman racoon: DEBUG: pfkey.c:195:pfkey_handler(): get
pfkey X_SPDDUMP message
Jul 12 11:15:08 mailman racoon: DEBUG2: plog.c:199:plogdump():
Jul 12 11:15:08 mailman racoon: DEBUG: pfkey.c:210:pfkey_handler(): pfkey
X_SPDDUMP failed: No such file or directory
Thanks in advance for any assistance.
-Mike
by Art_of_noise on 2005-07-29 10:20:32 +0200
Hi everybody,
Finally I got the green check... The Smartdashboard configuration was not
correct (checkbox agressive not checked). In the Smartdashboard tool, open
the line of your extern access, click on the left on VPN, then on the
"traditional mode configuration button". Be sure checking all the option to
match the options choosen in IPSecuritas (don't forget the "advanced"
button").
Hope this help
Kinds regards
by Art_of_noise on 2005-08-01 19:29:03 +0200
Well, another point of study ! All is currently OK in direct access, but I
would use the routing functionnality on my modem.
When I active this functionnality, I get the green check, but I can't ping
anything.
I currently use the "network to network" mode of operation.
Here are the router properties, I'm not sure of these ports (IP of my
computer : 192.168.0.1 ; IP of the modem : 192.168.0.254) :
Can anybody help me ?
Thanks in advance for any help.
P.S. The Tiger version of the Checkpoint VPN client will not arrive before 6
months, dixit the Checkpoint support !!!
by VPNmac on 2005-08-06 23:05:30 +0200
I am also trying to get IPSecuritas 2.1 on Mac OS X at home to work with
CheckPoint VPN at my University. After configuring and clicking the Start
IPSec button, I get: IPSec startuo failed. The log just says: Log output from
IPSecuritas 2.1
Could someone post screen captures of a configuration that works with
CheckPoint?
Any help most appreciated.
by VPNmac on 2005-08-07 02:14:10 +0200
OK, I can get IPSecuritas to start now, but the connection gets a red cross
on the right. The log says:
----------------Log output from IPSecuritas 2.1
Aug 7 02:09:22 Mac IPSecuritas: Parsing configuration
Aug 7 02:09:22 Mac IPSecuritas: Setting up racoon.conf
Aug 7 02:09:22 Mac IPSecuritas: Setting up setkey.conf
Aug 7 02:09:22 Mac IPSecuritas: Setting up psk.txt
Aug 7 02:09:22 Mac IPSecuritas: Setting up tunnel.conf
Aug 7 02:09:22 Mac IPSecuritas: Parsing configuration done
Aug 7 02:09:23 Mac IPSecuritas: Starting racoon...
Aug 7 02:09:23 Mac IPSecuritas: Racoon is running
Aug 7 02:09:23 Mac IPSecuritas: Set kernel keys
Aug 7 02:09:23 Mac racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv():
ignore information because the message has no hash payload.
Aug 7 02:09:23 Mac racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv():
ignore information because the message has no hash payload.
----------------------Any feedback most welcome.
by VPNmac on 2005-08-07 02:16:44 +0200
More from the log:
-----------Aug 7 02:09:55 Mac racoon: ERROR: isakmp.c:2045:isakmp_chkph1there():
phase2 negotiation failed due to time up waiting for phase1. ESP
150.214.231.234->172.26.0.2
Aug 7 02:09:55 Mac racoon: ERROR: isakmp.c:2045:isakmp_chkph1there():
phase2 negotiation failed due to time up waiting for phase1. ESP
150.214.231.234->172.26.0.2
Aug 7 02:11:23 Mac racoon: ERROR: isakmp.c:1706:isakmp_ph1resend():
phase1 negotiation failed due to time up.
3c45f68e73644412:f9fbeadda5cbbeda
Aug 7 02:11:23 Mac racoon: ERROR: isakmp.c:1706:isakmp_ph1resend():
phase1 negotiation failed due to time up.
3c45f68e73644412:f9fbeadda5cbbeda
---------------------
by VPNmac on 2005-08-24 22:59:38 +0200
This is what I get with IPSecuritas 2.1 on Mac OS X 10.4.2:
A red cross and the following log. Any help most appreciated.
-------Aug 24 22:55:16 peters-power-mac-g4-agp-graphics IPSecuritas: Parsing
configuration
Aug 24 22:55:16 peters-power-mac-g4-agp-graphics IPSecuritas: Setting
up racoon.conf
up setkey.conf
up psk.txt
up tunnel.conf
Aug 24 22:55:16 peters-power-mac-g4-agp-graphics IPSecuritas: Parsing
configuration done
Aug 24 22:55:17 peters-power-mac-g4-agp-graphics IPSecuritas: Starting
racoon...
Aug 24 22:55:17 peters-power-mac-g4-agp-graphics IPSecuritas: Racoon
is running
Aug 24 22:55:17 peters-power-mac-g4-agp-graphics IPSecuritas: Set
kernel keys
Aug 24 22:55:17 peters-power-mac-g4-agp-graphics racoon: DEBUG2:
cfparse.y:1413:cfparse(): parse successed.
Aug 24 22:55:17 peters-power-mac-g4-agp-graphics racoon: DEBUG:
isakmp.c:1592:isakmp_open(): 192.168.1.2[500] used as isakmp port
(fd=8)
pfkey.c:195:pfkey_handler(): get pfkey X_SPDADD message
policy.c:184:cmpspidxstrict(): sub:0xbffff980: 192.168.1.2/32[0]
150.214.110.0/24[0] proto=any dir=out
policy.c:185:cmpspidxstrict(): db :0x306568: 150.214.110.0/24[0]
192.168.1.2/32[0] proto=any dir=in
Aug 24 22:56:18 peters-power-mac-g4-agp-graphics IPSecuritas: Flushing
kernel keys
Aug 24 22:56:18 peters-power-mac-g4-agp-graphics IPSecuritas:
Stopping racoon...
pfkey.c:195:pfkey_handler(): get pfkey X_SPDFLUSH message
Aug 24 22:56:18 peters-power-mac-g4-agp-graphics racoon: INFO:
session.c:331:check_sigreq(): caught signal 15
pfkey.c:195:pfkey_handler(): get pfkey FLUSH message
pfkey.c:195:pfkey_handler(): get pfkey FLUSH message
Only two connection at a time?
Only two connection at a time?
by Alexander Barton on 2005-06-07 20:32:15 +0200
Hi!
I'm using IPSecuritas 2.1 on Mac OS X 10.4.1 and it works great! Thank you
guys!
But I'm only able to establish at least two simultanous connections at a
time, if I select more IPSecuritas fails. All individual connections do work ok.
Am I doing something wrong or is this is limitation of IPSecuritas and/or
Mac OS X?
Thanks!
Alex
How to get connected through a Trustgate
How to get connected through a Trustgate
by Thomas Hoffmann on 2005-06-08 11:52:42 +0200
Hello YABBs
I' ve the problem How To Connect to a Trustgate 232R
I'd tried everything but it dind't work.
I cannot pass Phase I
The Trustgate Config
VPN Peers
Peer Name ( Remote ID): 192.168.200.203
Public IP Address : 0.0.0.0
Dynamic IP : empty
- Pre-Shared-Key
- ID Type : Domain Name
- Encryption Algo. : AES
- Hash Algo : SHA1
- Deffie-Hell.: 2 (1024 bits)
- Perfect Forward Sec.: On
IPSecuritas Config
General
- Mode of Op. : Host to Network
- Remote IPsec Device: Public IP of the Trustgate
- Remote network: 192.168.5.0 / 24
- Local Address: 192.168.200.203
- Exchange Mode: Main
- Proposal Check : Claim Nonce Size 16
PH1
- Lifetime : 28800 sec
- DH Droup: Mod1024 (2)
- Encryption: AES 128
- Authentication: SHA1
PH2
- Liftime: 28800 sec
- PFS Group: Mod1024 (2)
- Encryption: AES128
- Authentication: HMAC SHA1
Id/Auth
- Local Identifier: DN 192.168.200.203
- Remote Identifier: Address
- Authentication: Pre-Shared-Secret (Filled in as ASCII)
Options
- IPSec DOI: Y
- SIT_IDENTITIY_ONLY:Y
- Verify Identifier: N
- Initial Contact: Y
- Passive: N
- Generate Policy: N
- MIP6: Y
- Verify Certificate: N
- DHCP-Pass-Through:Y
- Establish IKE Immediatly: Y
- Auto Start: N
Re: How to get connected through a Trustgate
by Thomas Hoffmann on 2005-06-08 22:15:50 +0200
:) :) :) :) :)
If got the Solution iv any one has Problems Connection Mac though
Trustgate ask me ;D
IpSecuritas and Zyxel P334WT
IpSecuritas and Zyxel P334WT
by jayjhunski on 2005-06-10 08:56:02 +0200
is there anyone out there that has successfully established a VPN
connection using IPsecuritas and a Zyxel P-334WT wireless router. I'm
using Mac OSX 10.3.9.
In particular, I'm in need of configuration pointers for both the router and
IPSecuritas. I have a static IP address assigned to my router and a 2nd one
mapped using NAT to a private IP address on one computer in the office.
any help would be greatly appreciated! :)
Re: IpSecuritas and Zyxel P334WT
by DDA on 2006-01-31 23:34:58 +0100
I'd love an answer to this, too. I just got a P-334wt and have been totally
unsuccessful in getting any kind of VPN going. :-(
Re: IpSecuritas and Zyxel P334WT
by DDA on 2006-02-13 16:10:35 +0100
I *was* able to get a connection to the P-334wt when I hung it off my local
LAN for testing. I used Host-to-Host (Tunnel), Aggressive with the WAN IP
of the p-334wt as Remote IPSexc device and the LAN IP of the P-334wt for
Remote Address in General, 3DES, SHA1 and DH2 for Phase 1, 3DES, SHA1
no PFS for Phase 2 and DN (email address) for Authentication with
Preshared Secret. The tunnel terminated in the LANIP for the P-334wt and I
was able to connect and use the web interface to verify the tunnel.
When I tried it with my Mac behind NAT, it failed, leading me to believe that
the NAT-T part of OS X is not working (as others have claimed). But I didn't
try very hard because the single LANIP tunnels of the P-334wt aren't really
what I want; I'm replacing it with a Netgear FWG114p. I've set that up on the
local LAN and tested it with Host-to-Network and it works fine. Next I'll try
it from work behind NAT routers and see how that goes.
I hope this helps.
netgear fvs318 NAT-T and Tiger
netgear fvs318 NAT-T and Tiger
by waldo on 2005-06-11 07:38:03 +0200
has anyone had any luck using ipsecuritas 2.1 on 10.4.1 to connect to a
netgear fvs318 with nat traversal?
if yes, feel like sharing the recipe?
if no, any suggestions?
thanks!
Re: netgear fvs318 NAT-T and Tiger
by Cameron Wilhelm on 2005-07-05 21:25:08 +0200
I'm trying to essentially do this same thing, and I can't seem to get it to
connect.
I'm relatively new to VPN and I've tried everything I can think of from
allowing just me to connect, to attempting to allow the world to connect.
Worse, I can seem to get any useful info from any logs.
Nothing shows in the IPSecuritas log
This is all that shows on the 318 side:
[2005-07-05 11:22:45]**** RECEIVED FIRST MESSAGE OF AGGR MODE ****
[2005-07-05 11:22:45]<POLICY: > PAYLOADS: SA
[2005-07-05 11:22:45]SENDING NOTIFY MSG:
[2005-07-05 11:22:45]INVALID_ID_INFORMATION
[2005-07-05 11:22:45]**** SENT OUT INFORMATIONAL EXCHANGE
MESSAGE ****
[2005-07-05 11:22:45]<POLICY: > PAYLOADS: NOTIFY
Anyone have any ideas?
Thanks.
-Cameron Wilhelm
Re: netgear fvs318 NAT-T and Tiger
by jmizoguchi on 2006-01-29 19:51:37 +0100
if your FVS318 v2.4 then I have soluton at vpncasestudy.com
moving IPsecuritas configuration around
moving IPsecuritas configuration around
by maq on 2005-06-15 14:23:20 +0200
HI, I'm using IPSECURITAS with Netscreen 25. Works fine and really easy to
configure. My question iis what iis the quickest and easiest way to move a
config from one computer to another?
Is there a way to export the config into one file?
Or maybe copy the configuration files to the other computer?
Where are the configuration files?
Mounting samba share over VPN connection w/ Tiger
Mounting samba share over VPN connection w/ Tiger
by Mike on 2005-06-15 17:04:49 +0200
The latest version of IPSecuritas + Tiger 10.4.1 seems to have fixed the
ping time issues. Has anyone else had issues with attempting to browse
shares on the network after connecting to the VPN? Previous to Tiger I had
no issues with browsing file shares on the remote system (Apple Server
10.3), now I get spinning beachballs when attempting to browse shares.
Thanks in advance.
Mike
Re: Mounting samba share over VPN connection w/ Ti
by Jim Collis on 2005-06-30 21:17:04 +0200
I have experienced the same issue. I had the same issue when I upgraded
to Tiger and was directly connected to my network. I cleared that issue by
deleting my keychain containing the server password. I tried that over my
VPN and unfortunately that did not work.
by tji on 2005-07-08 19:52:17 +0200
I have manually connected to samba file shares via VPN with tiger. But, I
have not browsed networks..
I believe the SMB browsing relies on broadcasts on a local LAN, which would
not work over a VPN (broadcasts don't go beyond subnets). But, you may
be able to configure a WINS server in the samba config, to point to the
samba "name server" and find hosts over the VPN (I've never tried that, but
it might be worth checking out).
Any tips on how to "configure a WINS server . . . " I'm not sure I understand
what you've suggested.
Previous to 10.4.2, at least, I was able to connect to a Windows 2000 file
server and mount shares over the VPN. Now, spinning beachballs. The
share appears to mount to the desktop, but then it never shows any files
and just hangs the Finder.
-Randy
by Derek on 2005-08-25 15:19:37 +0200
[quote author=Mike link=1118847889/0#0 date=1118847889]The latest
version of IPSecuritas + Tiger 10.4.1 seems to have fixed the ping time
issues. Has anyone else had issues with attempting to browse shares on
the network after connecting to the VPN? Previous to Tiger I had no issues
with browsing file shares on the remote system (Apple Server 10.3), now I
get spinning beachballs when attempting to browse shares.
Thanks in advance.
Mike
[/quote]
Browsing shares is apparently a known issue. If you check your console.log
when this happens, you'll see tons of error messages, with an additional
note that you should report it as a bug, similar to these:
bug: ecnt = 33, but m_len = 0 and m_next = 0 (please report)
I emailed the makers of VPNTracker (Equinux) a few weeks ago and they
confirmed the problem to me with their product, so it's not restricted to
IPSecuritas. Apple has received at least two bug reports on the issue (one
from me, one from Equinux), so hopefully this finally gets resolved with the
next update...
by Jim Collis on 2005-09-03 08:03:44 +0200
I have been told by the tech support folks at Equinux that this is a know
bug in Tiger 10.4.2 in how SMB handles packets over the vpn. Until apple
fixes this problem there is no way around it. They said the entire SMB stack
was rewritten for Tiger and all the issues with Microsoft networking aren't
fixed. They were hopeful, but not encouraging, that this might be fixed in
10.4.3 or 10.4.4. Not an exciting answer.
Any word on whether the 10.4.3 update corrects the above problem?
-Randy
by Brian on 2005-11-01 15:54:53 +0100
10.4.3 did not fix the issue on our systems. >:(
We get the same 'please report' errors.
by Tsathul on 2006-01-20 02:32:40 +0100
Problem appears still to be there under 10.4.4. Lots of "kernel[0]: bug: ecnt
= 32, but m_len = 0 and m_next = 0 (please report)" entries in /var/log
/system.log, and the Finder hangs repeatedly necessitating relaunch. How
long can this go on?
by chuck_theobald on 2006-02-09 21:11:18 +0100
Yes, I can confirm this problem under 10.4.4 with VPN Tracker 2.2.6.
Supposedly, this version of VPN Tracker does not work with Tiger, but it
works for me. I am able to get all sorts of connectivity except SMB
browsing, either through the Finder, or trying to see the contents of a
volume mounted with mount_smbfs.
Waiting for the next apple to drop...
Any happiness with browsing SMB shares over VPN connection under
10.4.6? Will this ever be fixed?
-R
by chuck_theobald on 2007-12-24 20:01:28 +0100
I can confirm that this is still broken in 10.4.11 using IPSecuritas 3.0, build
1693. Connecting (Cmd-K) to a Samba server through the VPN connection
allows authentication and selection of the share, but Finder then goes out
to lunch with the pinwheel of death. I can still browse to a Windows-based
SMB server within my own network (not through the VPN) and all works fine.
I found a message on the Samba site (http://lists.samba.org/archive/samba
/2005-July/108903.html) that seems to indicate that this is limited to the
Tiger-Samba-VPN combination (note that this would include the
Samba-based OS X SMB server). I do not have a Windows-based SMB server
on the other side of the VPN to test this for myself, though.
In my system.log I get some 24 messages each second:
Dec 24 10:38:05 chuck-theobalds-powerbook-g4
33, but m_len = 0 and m_next = 0 (please report)
kernel[0]: bug: ecnt =
CPU and memory usage?
CPU and memory usage?
by Me Here on 2005-06-17 21:52:37 +0200
Using IPSecuritas 2.1 on Mac OS X 10.3.9 on a 1GHz powerbook connecting
via Airport to an IPCop box. Top lists CPU usage as at least 50%, usually
closer to 70%+ just sitting idle (no network activity besides IPSec stuff
itself), and RSIZE of 96M and VSIZE of 960M when IPSecuritas is up for any
length of time. Needless to say, system slows to a crawl, and it may literally
take over a minute to switch applications or close applications with alot of
disk swap activity.
Anyone else experience something similar? Any suggestions?
Thanks.
Re: CPU and memory usage?
by Me Again on 2005-06-17 23:06:41 +0200
I think I found the answer to my own problem. Posting just in case someone
makes the same mistake...
It seems that I changed the log level in IPSecuritas to DEBUG about a week
ago when I was initially setting it up, and never changed it back. Well my
system.log was up to nearly 3GB :o and IPSecuritas didn't play well because
of that. Turned it back to Normal logging and cleared system.log and all
seems well. 0% CPU and RSIZE of 16M.
I'll let it run for a while and see how it goes, but it seems all better.
IPSecuritas and Smoothwall
IPSecuritas and Smoothwall
by paschke on 2005-06-21 00:52:44 +0200
Hi,
Has anyone had any success getting IPSecuritas and Smoothwall VPN to talk
to each other? I am using IPSecuritas 2.1 on Tiger (10.4.1) and trying to
talk to a Smoothwall 3.1 VPN gateway. Using certificates for
authentication... I successfully loaded the certificates and get some
progress in the logs, but it always seems to die with the following two lines
in the log:
Jun 20 18:49:28 ashnazg racoon: ERROR:
Jun 20 18:49:28 ashnazg racoon: DEBUG:
isakmp_inf.c:869:isakmp_info_recv_n(): notification message 9:INVALIDMESSAGE-ID, doi=1 proto_id=1 spi=(size=0).
Does anyone have any clues?
Thanks!
Matt Paschke
Newbie looking for help
Newbie looking for help
by Tacitus on 2005-06-22 10:21:46 +0200
Hi all,
I am a newbie to VPN and am trying to connect from home using a PBk G4
running 10.3.9 (D-Link 504 with VPN passthrough) to a small office
network. The office fortunately runs on Macs also with 10.3.9. Sorry this ia
a bit long but here goes http://www.lobotomo.com/yabb/YaBBImages
/smiley.gif
IP securitas on PBk details:
General Mode of Operation: Host to Network
Office IPSec Device (Router/firewall): 64.x.x.x
Office Network: 192.168.1.1/24
Local Address (in office): 192.168.1.21
Exchange Mode: Main
Nonce Size: 16
Encryption: DES
Authentication: MD5
PFS Group: None
Encryption: DES & 3DES
Authentication: HMAC SHA1 & HMAC MD5
Id/Auth Local Identifier: 192.168.1.21 (This is the machine in the office)
Remote Identifier: blank
Preshared Secret: ***
Options Compression Deflate checked (greyed out)
IPSec DOI checked
MIP6 checked
all other options unchecked
IP Sec appears to be running but I can’t raise the office machine. Here’s
part of the PBk log:
Freds-Computer racoon: ERROR: proposal.c:490:cmpsatrns(): trns_id
mismatched: my:2 peer:3
Freds-Computer IPSecuritas: Flushing kernel keys
Freds-Computer IPSecuritas: Stopping racoon...
Freds-Computer IPSecuritas: Racoon normally terminated
Sorry this is so long, but thanks to anyone who can help.
10.2 Incompatibility and "Can't connect twice
10.2 Incompatibility and "Can't connect twice
by Nat! on 2005-06-24 18:23:05 +0200
1. When I try to start IP Securitas on 10.2.8 I get a crash and the following
entry in the Console: [font=Courier]dyld: /Volumes/Users/Applications
/IPSecuritas.app/Contents/MacOS/IPSecuritas can't open library: /usr/lib
/libcrypto.0.9.7.dylib (No such file or directory, errno = 2)[/font]
2. When I use it under 10.4 I can sucessfully connect once to the firewall at
the remote site, but I can't connect a second time (doesn't matter if I just
quit IP Securitas, "properly Stop IPSEC" or even reboot my machine). The
sysadmin "over there" says, that the first session was not properly closed
and that their software therefore doesn't allow a second session to be
opened. The timeout on their machine appears to be greater than a day ::)
This might not be a problem of IP Securitas, but I figure it doesn't hurt to
ask, if this is a known problem with possibly a known solution :)
Re: 10.2 Incompatibility and "Can't connect t
by cdmaris1 on 2005-08-13 05:45:02 +0200
Were you ever able to resolve your problem with 10.2.8? I am get the sam
eerror message so would be very interested in finding out if there is a fix
for this.
thanks
Re: 10.2 Incompatibility and "Can't connect t
by David on 2005-11-03 16:58:02 +0100
I'm just looking for any confirmation on whether IPSecuritas 2.1 is
incompatible with 10.2.8 ? I get a crash log written when it fails to start up.
Static Routes setup with IPSecuritas?
Static Routes setup with IPSecuritas?
by Mike E on 2005-06-28 19:04:32 +0200
One of our developers is using IPSecuritas to VPN (host to network) onto
our subnet (10.191.2.0/24). He is setup to look like 10.191.1.140 (local
address).
He needs to be able to route 38.160.70.118 traffic through 10.191.2.34 on
our subnet, so I had him create a static route. But it doesn't work. Any
ideas?
Notice how the static route be binding to en0? seems like it should have
bound to gif0?
On Jun 27, 2005, at 2:02 PM, John wrote:
Here is the situation after "sudo route add 38.160.70.118 10.191.2.34"
Destination
Gateway
Flags Refs
Use Netif Expire
default
10.0.1.1
UGSc
71
11 en0
10.0.1/24
link#4
UCS
2
0 en0
10.0.1.1
0:d:93:25:3c:40 UHLW
72
1322 en0 1094
10.0.1.2
0:3:93:70:28:4e UHLW
0
122 en0 331
10.0.1.17
127.0.0.1
UHS
6
1065 lo0
10.191.2.0
10.191.1.140
UH
0
1 gif0
10.191.2/24
gif0
USc
6
1354 gif0
38.160.70.118
10.191.2.34
UGHS
0
2 en0
127
127.0.0.1
UCS
0
0 lo0
127.0.0.1
127.0.0.1
UH
20 245677 lo0
169.254
link#4
UCS
0
0 en0
Johns-Laptop:$ ping 38.160.70.118
PING 38.160.70.118 (38.160.70.118): 56 data bytes
ping: sendto: Cannot allocate memory
DHCP
DHCP
by Scott Hander on 2005-06-30 01:49:06 +0200
I am trying to get a VPN setup that will have remote machine request an IP
via DHCP from our firewall. We are using a Sonicwall 2040, and I can't seem
to get it to work. I can get everything to work with a good connection, just
no DHCP. I can assign a specific ip to the computer on the other end, but
the connection will not pass any traffic through to that address.
Does anyone have any thoughts or insights for this?
Thanks,
Scott Hander
10.4.1, packets gets lost inside kernel
10.4.1, packets gets lost inside kernel
by Henrik on 2005-07-04 21:20:18 +0200
Hi,
The VPN with OpenSWAN worked great with OS X 10.3.x. Upgraded to
10.4.1 and now nothing works (I even installed it from scratch).
I can create a successfull VPN connection (Host to Network), so IPSEC SA is
established and ESP packets are flowing to both directions (checked with
ethereal).
The downside is the the ESP packets seems somehow to be discared after
they are received. The same happens with and without NAT.
Any help is greatly apprechiated, since I'm leaving on holyday on saturday
and I *don't* want to change the a PC because of this.
Thanks,
Henrik
Finland
Re: 10.4.1, packets gets lost inside kernel
by cnadig on 2005-07-05 09:56:15 +0200
Hello Henrik,
are you by any chance using AES256 or AES192 in phase 2 - the
implementation has changed from 10.3 to 10.4 and leads to
incompatibilities.
I recommend using 3DES for best compatibility with other devices.
Hope this helps,
Christoph
Re: 10.4.1, packets gets lost inside kernel
by Henrik on 2005-07-05 11:44:22 +0200
Hi Christoph,
It worked! Actually the last thing I tried yesterday was 3DES, but at the
same time I broke my NAT when tweaking it, so no connection at all was
established.
Thanks!
Best regrads,
Henrik
Watchguard X-15 Edge
Watchguard X-15 Edge
by dd on 2005-07-08 13:31:07 +0200
hi
Has anyone successfully connected a VPN using IPSecuritas to a watchguard
X15 Edge?
I have PC MUVPN working successfully and a number of Edge to Edge
tunnels working, but dont seem to be able to succed with IPSecuritas.
If any body out there has got things to work with the X15, and feels like
sharing howto do it, it would save me having to lug a laptop pc as well as
my iBook around!
Many Thanks
???
Feature Requests: multiple subnets, dynamic PSK
Feature Requests: multiple subnets, dynamic PSK
by tji on 2005-07-08 20:17:07 +0200
IPSecuritas is a great tool. Thanks for providing such a nice piece of
software for free!
If/when you guys update it, could you look into the feasability of
implementing a few enhancements?
- Multiple Subnets: My office network has several /24 subnets, protected
by a Netscreen VPN device. I can define each subnet as a seperate
configuration, and enable each one of them individually. But, I cannot
enable multiple subnets at the same time (only the first subnet actually gets
negotiated).
Defining all the available subnets in one VPN config should
allow them to be all negotiated in one IKE session.
- Dynamic PSK -- external command/script: I set up a Linksys WRV54G at
my parents house, and I use that to connect back to their systems for
remote tech support. The quirky thing about the WRV54G is that they
have an HTTPS front end that is used to authenticate users and dynamically
generate the PSK before the IPSec/IKE session starts.
I have put together
a script to pull that PSK, and generate the IPSec config files. But, being
able to call a command/script from within IPSecuritas would be a better
solution. (There are probably some other authentication systems that
operate similarly (like S/Key). So, this feature would allow IPSecuritas to
work with more VPN gateways.)
- XAuth -- The updated IPSec tools project supports Xauth authentication
(and NAT-Traversal). Apple includes an older version of racoon, which
does not. Including an updated racoon binary would allow IPSecuritas to
support XAuth authentication.
m0n0wall ?
m0n0wall ?
by Sean McGrath on 2005-07-11 19:48:57 +0200
I can't get a connection to m0n0wall 1.1 or 1.2b9.
The error message in the log is
"racoon: ERROR: isakmp_inf.c:193:isakmp_info_recv(): ignore information
due to hash length mismatch".
The server logs show this happens during phase 2. MD5 and SHA1 hashes
both fail.
Any success stories?
Thanks
Re: m0n0wall ?
by stephenb on 2005-07-15 05:42:37 +0200
I got it up and running. I sent the settings to Christoph but he's probably
been too busy to post.
email me and I'll send you screen shots.
stephenbatmacdotcom
Sonicwall TZ170 failing phase 2
Sonicwall TZ170 failing phase 2
by spectre51 on 2005-07-12 06:07:27 +0200
Okay so I got my ibook setup with ipsecuritas and my netscreen 5gt at
home so I decided to hook it up to my sonicwall tz170 at work. I am trying
to use the GroupVPN option on the sonicwall which is on the latest SonicOS
Standard firmware. We are making it through phas 1 no problem but the
vpn continues to fail at phase 2. I'm wondering does the sonicwall have to
be the enhanced version? What should I put in the ID/Auth section under
Identification for local and remote identifier?
Re: Sonicwall TZ170 failing phase 2
by w_grace on 2006-02-21 19:02:23 +0100
Are you getting what I am getting?
My post...
Phase-1
Group 1
3DES
MD5
28000
Phase-2
ESP
3DES
MD5
Feb 21 16:31:35 HDGroup-01 racoon: ERROR:
pfkey.c:745:pfkey_timeover(): 80.169.171.194 give up to get IPsec-SA
to time up to wait.
to time up to wait.
to time up to wait.
to time up to wait.
by cnadig on 2006-02-21 23:37:42 +0100
due
due
due
due
Hello,
do you have access to the log of the Sonicwall?
Changing the log level of IPSecuritas to 'Verbose Debug' will give you
additional information about the unknown notification sent by the firewall.
Cheers,
Christoph
by Tim Pipes on 2006-03-02 21:27:45 +0100
We had been making a connection to our TZ170 without fail for a while
there. Upgraded to 10.4.4 and IPSecuritas stopped working. It also says that
it's failing at Phase 2 but none of the settings changed.
We have thought about setting up a new SA but instead have decided to
delve into this a little more as it was working.
IKE using preshared secret
Phase 1
DH Group: Group 1
Encryption: 3DES
Authentication: MD5
Lifetime: 28800
Phase 2
Protocol: ESP
Encryption: 3DES
Authentication: MD5
Enable Perfect Forward Secrecy: Unchecked
Advanced
Enable Windows Networking Broadcast: checked
that's it in Advanced.
Client
Cache XAUTH: never
Virtual Adaptor: DHCP Lease
nothing else checked.
As I said, it had been working flawlessly and now I have messed with just
about every setting in IPSecuritas and have not been able to make the
connection. I believe I am getting the same error output as w_grace (no
phase 2 handle found)
Any setup that works for anyone? Please fill me in.
cheers,
Tim
IPsecuritas and Linksys RV042
IPsecuritas and Linksys RV042
by jprsa on 2005-07-13 01:23:54 +0200
I have a linksys RV042 and having issues establishing a tunnel.
I previoulsy had a different Linksys vpn router model and that worked great.
I decided to upgrade to the new and improved router.
Linksys is of no help
Can anyone help me?
Re: IPsecuritas and Linksys RV042
by Mike O'Reilly on 2005-09-12 00:58:02 +0200
I just figured out the Linksys RV042 and RV082 with IPSecuritas and figured
that some other people might be having the same issues... It seems that
Linksys removed to the "connect from any" option in their routers, but it's
really still there!
Set up your tunnels just like you would have before (with another router)
but use the option "Dynamic IP + E-mail Addr.(USER FQDN) Authentication"
Input an email address (real or not, just a unique identifer) in the router for
the tunnel.
The magic is buried in the IPSecuritas help:
2. Domain Name (DN): This can either be a fully qualified distinguished
name (FQDN, e.g. lobotomo.com) or a user fully qualified distinguished
name (USER_FQDN, e.g. [email protected]).
This means just put that same email address in the Id/Auth dialog box
under the "DN" option for the Local Identifier and your connection should
work.
I hope this helps someone out there, if anyone needs screenshots of the
RV042 and IPSecuritas screens I can try and post them. Just reply to this
post...
by Alan H on 2005-09-20 17:11:20 +0200
Could you provide the screen shots please. Thanks
by Glenn Dallas on 2005-10-21 03:31:57 +0200
I'm trying to setup a vpn tunnel to a mobile user also and can't find any
good documentation. Could you send me the screenshots also. Thanks.
by Dave Story on 2005-11-12 05:03:17 +0100
Thanks for offering, could you send the screen shots along to me as well.
by Some Pinoy on 2005-11-16 01:57:26 +0100
Please send some pics that would be awesome! We just updated to the
RV016
by BJS on 2005-11-30 16:42:26 +0100
I would also appreciate the screenshots.
Thanks!
by Cbo on 2005-12-30 22:27:08 +0100
Could you send me the screenshot also. Thanks a lot !
by Jonathan Steuer on 2006-01-02 12:49:54 +0100
screen shots most appreciated! also firmware version of router, if you
please. i assume this should work identically with the RV082?
-j-
by Mike O'Reilly on 2006-01-04 04:56:22 +0100
Well, it looks like my post from Sept. 12 has sparked some discussion...
After a long testing period and some time in front of a graphics editor I
finally got the screenshots everyone has been asking for!
It looks like I can't post them directly in the forum here, so I'm going to put
them in a Yahoo! photo gallery:
http://pg.photos.yahoo.com/ph/mike_b_oreilly/album?.dir=
/8802&.src=ph&.tok=ph7NeMEBjUPy0h8U
If that URL is too long, try this TinyURL:
http://tinyurl.com/74e82
...and now for the description of what you're looking at:
IPSecuritas
#1 "General" tab
The red box is over the public IP address of my RV042, this could be a
public DNS name. I'm using DynDNS without any issues.
#2 "Phase 1" tab
The info here needs to match what you set on the router.
#3 "Phase 2" tab
The info here also needs to match what you set on the router.
#4 "ID/Auth" tab
This is where it got tricky; Use the "Local Identifier" "DN" Option. (For those
of you in the know, you know that this is the Domain Name... Not here!)
This is the email address that you will use to establish the tunnel. The email
address is the fully qualified address but doesn't need to be a real address;
Only the address needs to match what you set on the router!
This is also where you set the "preshared secret"; This is the VPN key that
you use as the password between IPSecuritas and the RV042.
#5 "Options" tab
I don't remember changing anything here, but who knows at this point. Just
follow the example and things should work for you.
#6 RV042 VPN Summary
This is a bit difficult to see, but it's the overview of how the tunnels are set
up. The red box on the left is the name of the tunnel (this could be
anything, name it something that helps you to identify the tunnel!) The
green box on the right will automagically populate with the email adress
entered when you set up the tunnel (this will match the address in image
#4). Don't worry about the black boxes, that's just to protect the users of
my VPN.
#7 Tunnel Summary Overview
This is where the actual tunnel details are set. The first red box is where the
tunnel name goes, this helps to identify who is connecting. The second red
box is not avaliable to edit, this is the IP address of the router. The 3rd and
4th red boxes are the email address that is used to identify the tunnel
between IPSecuritas and the RV042, this is the same email address entered
in image #4. Finally the 5th red box is the "preshared key" that is the
password between the router and VPN client.
#8. This is just the summary of what the VPN log should look like on the
RV042. I blocked off my tunnel's email address so that I can try to avoid
UMTS / GPRS
UMTS / GPRS
by lganzetti on 2005-07-16 18:00:43 +0200
IPSECURITAS not work with connection by UMTS or GPRS.
The VPN start without error, but when try to user VPN not work.
I try with modem56k and work correctly,
but with PHONE Nokia UMTS or GPRS not work.
Please Help me
Problem 2.1: Cannot change Nonce size
Problem 2.1: Cannot change Nonce size
by Andrea on 2005-07-18 13:40:24 +0200
This looks like a GUI problem...
In IPSecuritas 2.1 (MacOS 10.4.1) I cannot edit the Nonce
size field.
The default is 16, I can add a third digit then remove
it but I cannot set it to 64 as I wish!
Thank you for your attention!
Andrea
Re: Problem 2.1: Cannot change Nonce size
by cnadig on 2005-07-21 22:34:49 +0200
Hello Andrea,
I confirm that this is a bug - i will make an update available fixing the bug
in a few days.
Thank you very much,
Christoph
IPSecuritas not working on PB, but does on another
IPSecuritas not working on PB, but does on another
by Sean McNamara on 2005-07-26 00:21:21 +0200
Hi folx,
I've successfully gotten IPSecuritas connecting to a Netgear FVS318 VPN
router using the instructions [url]http://www.aaronadams.net/index.php
/2004/12/20/establishing_a_vpn_with_ipsecuritas_and[/url]. This PB was
using Panther originally, and now uses Tiger (we've had to use 128 bit for
Tiger, but otherwise all the same).
My client's PB running Panther and Tiger doesn't want to work, even if I
copy my IPSecuritas configuration. I've finally gotten him to send me a log
from IPSecuritas, so I'm hoping someone can point me in the right
direction:
Jul 26 07:53:53 dewG4laptop IPSecuritas: Parsing configuration
Jul 26 07:53:53 dewG4laptop IPSecuritas: Setting up racoon.conf
Jul 26 07:53:53 dewG4laptop IPSecuritas: Setting up setkey.conf
Jul 26 07:53:53 dewG4laptop IPSecuritas: Setting up psk.txt
Jul 26 07:53:53 dewG4laptop IPSecuritas: Setting up tunnel.conf
Jul 26 07:53:53 dewG4laptop IPSecuritas: Parsing configuration done
Jul 26 07:53:54 dewG4laptop IPSecuritas: Starting racoon...
Jul 26 07:53:54 dewG4laptop IPSecuritas: Racoon is running
Jul 26 07:53:54 dewG4laptop IPSecuritas: Set kernel keys
Jul 26 07:53:54 dewG4laptop racoon: DEBUG2: cfparse.y:1413:cfparse():
parse successed.
Jul 26 07:53:54 dewG4laptop racoon: DEBUG:
isakmp.c:1592:isakmp_open(): 192.168.1.5[500] used as isakmp port
(fd=8)
isakmp.c:1610:isakmp_open(): 192.168.1.5[4500] used as nat-t isakmp
port (fd=9)
address list
address list
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: pfkey.c:195:pfkey_handler():
get pfkey ACQUIRE message
Jul 26 07:53:55 dewG4laptop racoon: DEBUG2: plog.c:199:plogdump():
pfkey.c:1551:pk_recvacquire(): suitable outbound SP found: 10.0.0.3/32[0]
192.168.0.0/16[0] proto=any dir=out.
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: policy.c:184:cmpspidxstrict():
sub:0xbffff970: 192.168.0.0/16[0] 10.0.0.3/32[0] proto=any dir=in
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: policy.c:185:cmpspidxstrict():
db :0x306618: 192.168.0.0/16[0] 10.0.0.3/32[0] proto=any dir=in
pfkey.c:1567:pk_recvacquire(): suitable inbound SP found:
192.168.0.0/16[0] 10.0.0.3/32[0] proto=any dir=in.
pfkey.c:1606:pk_recvacquire(): new acquire 10.0.0.3/32[0]
192.168.0.0/16[0] proto=any dir=out
proposal.c:826:printsaproto(): (proto_id=ESP spisize=4 spi=00000000
spi_p=00000000 encmode=Tunnel reqid=0:0)
Re: IPSecuritas not working on PB, but does on ano
by sean McNamara on 2005-07-26 00:22:34 +0200
...log continued...
oakley.c:260:oakley_dh_generate(): compute DH's private.
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: plog.c:199:plogdump():
oakley.c:262:oakley_dh_generate(): compute DH's public.
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: isakmp_agg.c:169:agg_i1send():
authmethod is pre-shared key
isakmp.c:2457:set_isakmp_payload(): add payload of len 52, next type 4
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: sockmisc.c:421:sendfromto():
sockname 192.168.1.5[500]
send packet to xxx.xxx.xxx.xxx[500]
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: sockmisc.c:570:sendfromto(): 1
618d997594493356:0000000000000000
sockname 192.168.1.5[500]
618d997594493356:0000000000000000
Jul 26 07:54:26 dewG4laptop racoon: ERROR:
isakmp.c:2120:isakmp_chkph1there(): phase2 negotiation failed due to time
up waiting for phase1. ESP xxx.xxx.xxx.xxx->192.168.1.5
Jul 26 07:54:26 dewG4laptop racoon: INFO:
sockname 192.168.1.5[500]
Re: IPSecuritas not working on PB, but does on ano
by Sean McNamara on 2005-07-26 00:23:37 +0200
...last bit...
618d997594493356:0000000000000000
sockname 192.168.1.5[500]
618d997594493356:0000000000000000
sockname 192.168.1.5[500]
618d997594493356:0000000000000000
sockname 192.168.1.5[500]
618d997594493356:0000000000000000
Jul 26 07:55:56 dewG4laptop racoon: ERROR:
isakmp.c:1772:isakmp_ph1resend(): phase1 negotiation failed due to time up.
618d997594493356:0000000000000000
Jul 26 07:56:40 dewG4laptop IPSecuritas: Flushing kernel keys
address list
address list
address list
Jul 26 07:56:40 dewG4laptop IPSecuritas: Stopping racoon...
Jul 26 07:56:40 dewG4laptop racoon: DEBUG: pfkey.c:195:pfkey_handler(): get
pfkey X_SPDFLUSH message
Jul 26 07:56:40 dewG4laptop racoon: DEBUG2: plog.c:199:plogdump():
Jul 26 07:56:40 dewG4laptop racoon: DEBUG: pfkey.c:195:pfkey_handler(): get
pfkey FLUSH message
Lucent IPSec
Lucent IPSec
by Bob on 2005-07-26 11:49:56 +0200
Hi
I was wondering if anyone has tips for getting IPSecuritas working with the
Lucent IPSec implementation.
The standard Lucent client works with Windows only and I'd love to get
access on my Mac.
BTW, it does ask for a username and password. I've read that some IPSec
implementations use something called xauth which I believe allows
proprietory authentication though I don't really understand the in's and
out's of how all this works.
Can someone please provide me with some advice or point me in a suitable
direction for more information? I've been searching google for weeks trying
to find a solution but haven't had any luck so far.
Thanks
Tiger, IPSecuritas, Sonicwall 2040 and NAT Trversl
Tiger, IPSecuritas, Sonicwall 2040 and NAT Trversl
by miles on 2005-08-01 19:38:18 +0200
we've been using IPSecuritas for some time, but suddenly it's stopped
working for all OS X users in my office.
We did recently upgrade the fw to SonicOS 3.1, but all windows users are
still able to VPN so we're wondering if this is tied to OS X 10.4.2 update last
week
In the client logs we see NO PROPOSAL CHOSEN for phase 2, and in the
firewall logs we see that NAT Traversal is failing on the client
any ideas? did something change in OS X?
thanks in advance
Re: Tiger, IPSecuritas, Sonicwall 2040 and NAT Trv
by David Chamberlin on 2005-08-16 02:04:06 +0200
I've been trying to setup IPSecuritas to a SonicWall 2040 as well with the
latest 3.1.7.x firmware and can't get past phase 2. It always gives a
NO-PROPOSAL-CHOSEN error. We are trying to connect to our group vpn
policy using preshared keys. Strangely, I tested using IPSecuritas (racoon)
on both 10.4.2 and 10.3.9 OS X with same result. Same result if I used the
other VPN clients that utilize racoon. So, I don't think it's related to racoon
version, unless you upgraded from much earlier OS X. Any ideas?
Re: Tiger, IPSecuritas, Sonicwall 2040 and NAT Trv
by miles on 2005-08-18 08:23:51 +0200
hey David, I've come to the conclusion it must be sonicos. just renewing our
support with sonicwall so I'll podt what I find out
may have to roll back to 2.1
IPSecuritas and SonicWall Pro 2040
IPSecuritas and SonicWall Pro 2040
by zervakos on 2005-08-02 15:39:17 +0200
Hello,
I have been successful in getting IPSecuritas to work with a SonicWall TZW,
and now I'm trying to get IPSecuritas to work with a SonicWall Pro 2040.
The problem I'm seeing is this in the logs of IPSecuritas:
Aug 2 06:26:41 vpnclient racoon: ERROR:
mode, but FQDN.
mode, but FQDN.
time up waiting for phase1. ESP sonicwall_ip->192.168.1.110
time up waiting for phase1. ESP sonicwall_ip->192.168.1.110
Aug 2 06:26:52 vpnclient racoon: INFO:
In the logs of the SonicWall, I see that phase I successfully completes, but I
also get this:
Warning Received packet retransmission. Drop duplicate packet public_ip_vpnclient_hides_behind 0.0.0.0 -
Has anyone come across this perhaps?
Re: IPSecuritas and SonicWall Pro 2040
by Mike on 2005-08-11 22:40:16 +0200
Bump on this but I get a different error message with mine. Here is what
mine is saying. Also Sonicwall is running latest firmware update version
3.1.0.6-75s
Sonicwall output
IKE Responder: IPSec proposal does not match (Phase 2)
IPsecuritas Output
Aug 11 13:39:35 Michael-Palfreys-Computer-2
configuration
racoon.conf
setkey.conf
psk.txt
tunnel.conf
configuration done
racoon...
running
IPSecuritas: Parsing
IPSecuritas: Setting up
IPSecuritas: Parsing
IPSecuritas: Starting
IPSecuritas: Racoon is
IPSecuritas: Set kernel keys
netgear fvs318 vpn setup
netgear fvs318 vpn setup
by mike on 2005-08-03 18:14:35 +0200
I set up a netgear fvs318 in a branch office that is using dsl to the internet.
I am trying to setup vpn connections from the computers in the branch
office back to the main office. We are using a cisco concentrator at the
main office and the cisco vpn client on the pc's in the branch office. I am
able to connect one computer back to the main office. when I attempt to
connect a second computer the first computer loses connection. from what
i understand the ng fvs318 is supposed to do nat'ing(one to many), says so
on the box. where in the web interface do i config nat and/or do i need
config seperat vpn tunnels for each pc. I only have one ip from my isp.
thanks
mike
Re: netgear fvs318 vpn setup
by cnadig on 2005-08-04 23:33:02 +0200
Hello Mike,
having multiple IPSec clients in a NAT'ed private network talking to the
same remote won't work unless you used NAT-T for all clients (the NAT
router cannot distinguish incoming IPSec traffic and will just send it on to
the last known client - resulting in the behaviour you described).
In your situation I'd recommend to permanently connect the two LANs
(branch office and main office) by the FVS318 itself - so instead of having
an individual tunnel for each PC, there is only one between the FVS318 and
the Cisco concentrator, tunneling the traffic for all PCs.
Hope this helps,
Christoph
Resolved Multiple Addresses
Resolved Multiple Addresses
by MikeyG_U2 on 2005-08-03 20:25:53 +0200
I'm in the process of configuring IPSecuritas to access a Checkpoint VPN-1
but have run into many problems. The one that is currently throwing me is
that it reports that it's resolving multiple addresses... Here is my log:
Aug 3 13:02:45 Panther IPSecuritas: Parsing configuration
Aug 3 13:02:45 Panther IPSecuritas: Setting up racoon.conf
Aug 3 13:02:45 Panther IPSecuritas: Setting up setkey.conf
Aug 3 13:02:45 Panther IPSecuritas: Setting up psk.txt
Aug 3 13:02:45 Panther IPSecuritas: Setting up tunnel.conf
Aug 3 13:02:45 Panther IPSecuritas: Parsing configuration done
Aug 3 13:02:46 Panther IPSecuritas: Starting racoon...
Aug 3 13:02:46 Panther IPSecuritas: Racoon is running
Aug 3 13:02:46 Panther IPSecuritas: Set kernel keys
Aug 3 13:02:46 Panther racoon: ERROR: sockmisc.c:738:str2saddr():
first one
first one
one
one
one
one
first one
first one
Aug 3 13:09:42 Panther racoon: ERROR:
Aug 3 13:09:42 Panther racoon: ERROR:
Aug 3 13:10:42 Panther IPSecuritas: Flushing kernel keys
Has anyone seen this issue? I can't figure out what is causing it. Oh,
192.168.69.69 is my internal IP (behind a Linksys router with IPSec
passthrough enabled) and 192.168.1.0 is the remote network and netmask
I'm connecting to.
Thanks for any insight.
-Mike
Re: Resolved Multiple Addresses
by VPNmac on 2005-08-07 10:12:37 +0200
More issues with Check Point here:
IPSecuritas behind FW to Bintec VPN25 ?
IPSecuritas behind FW to Bintec VPN25 ?
by avalon_s_de on 2005-08-14 16:48:08 +0200
Hello all,
i try to get a working connection to a funkwerk (afka Bintec) VPN Access 25.
The VPN Phase1 and Phase2 are established correctly, but i cannot ping any
host in the remote network.
I set up a Host-Network connection.
I use the following setup-details:
Phase1: 3des/MD5
Phase2: PFS 3des/MD5
Preshared key
remote-auth: adress
local-auth: fqdn
I get the VPN up, but reaching the remote-hosts dowsn't work
any hints / ideas ?
connection with VPN Tracker works correctly...
thx stefan
Re: IPSecuritas behind FW to Bintec VPN25 ?
by Florian on 2006-03-29 17:24:45 +0200
Hi Stefan,
how did you get your VPN to work?
Thanks a lot
florian
by Stefan Dietz on 2006-03-30 10:15:37 +0200
Florian,
i got the vpn working by setting up the traffic settings correctly ;) there
where some entries missing.
send an email when you have further questions.
regards,
-stefan
by netgoblin on 2006-05-17 11:19:47 +0200
Hey Florian,
see this Link
for more Info about Bintec / IPSecuritas write a EMail.
-thorsten
GB OS 3.7 Mac 10.4.2
GB OS 3.7 Mac 10.4.2
by Ryan.Haller on 2005-08-24 19:13:15 +0200
Hello,
GB-500 with GB OS 3.7 using a Mac 10.4.2 Client and IPSecuritas. Anyone
else have this setup? Still in the testing stage but I can not seem to get it to
work. Check box goes green, I show authenticated user and Active VPN but
I can not get anywhere on the local network. IPsecuritas seems to be
ignoring the getmyaddr response message.... possibly because I put it in
during configuration. it is msg #4 and or #5
If anyone has any insight, please help?
-Ryan
IPSecuritas 2.1 mysterious failure
IPSecuritas 2.1 mysterious failure
by Olaf Mьller-Michaels on 2005-09-12 19:32:06 +0200
Until today IPSecuritas worked great with the Bintec router in our firm.
Starting today, I cannot connect to the internal network anymore. Nothing
was changed on the company side. I also tried the same settings with VPN
Tracker and everything still works fine. However, with IPSecuritas I can
connect fine to the router, and it seems to establish a tunnel, but when I try
to ping our internal server, it does not work.
Maybe I can do a total reinstall of IPSecuritas, but I do not know where all
the settings sit; simply deleting IPSecuritas from the Applications folder is
not enough.
Any other ideas? On request, I can send the debug output. I do not want to
change to VPN Tracker, please ... ;D
Re: IPSecuritas 2.1 mysterious failure
by Olaf Mьller-Michaels on 2005-09-12 22:51:53 +0200
Intermittently it worked again, but very unreliable. This is what seems to
cause the problem, I get this message repeatedely:
Sep 12 22:49:28 Powerbook-OMM racoon: DEBUG:
Olaf
Mac Gateway Assistant
Mac Gateway Assistant
by mitchellzone on 2005-09-12 19:59:04 +0200
Anyone have any luck setting up a VPN that can be accessed by machines
behind a Mac OS X internet gateway, or know how this can be done? The
VPN appears to work fine on the gateway machine itself, but I can't get any
machines BEHIND the gateway to see the VPN.
Sure there's a routing trick that can make this work, but the route table
looks okay already, so not sure what's happening there...
/mike
IPSecuritas and SonicWALL SOHO3
IPSecuritas and SonicWALL SOHO3
by Louis Gephardt on 2005-09-13 22:10:45 +0200
I'm trying to connect to a SonicWALL SOHO3 device at a remote office and I
keep getting this in the log and it won't connect:
Sep 13 16:08:27 Mozart racoon: DEBUG:
be12e283176fab00:0000000000000000
Sep 13 16:08:27 Mozart racoon: DEBUG: isakmp.c:238:isakmp_handler():
===
208 bytes message received from 66.159.77.44[500]
Sep 13 16:08:27 Mozart racoon: DEBUG: plog.c:199:plogdump():
Sep 13 16:08:27 Mozart racoon: DEBUG: isakmp.c:539:isakmp_main():
Sep 13 16:08:47 Mozart racoon: DEBUG: sockmisc.c:421:sendfromto():
sockname 10.0.0.102[500]
Sep 13 16:08:47 Mozart racoon: DEBUG: sockmisc.c:423:sendfromto(): send
packet from 10.0.0.102[500]
Sep 13 16:08:47 Mozart racoon: DEBUG: sockmisc.c:425:sendfromto(): send
packet to xxx.xxx.xxx.xxx[500]
Sep 13 16:08:47 Mozart racoon: DEBUG: sockmisc.c:570:sendfromto(): 1
Sep 13 16:08:47 Mozart racoon: DEBUG:
be12e283176fab00:0000000000000000
===
208 bytes message received from xxx.xxx.xxx.xxx[500]
Sep 13 16:08:47 Mozart racoon: DEBUG: isakmp.c:539:isakmp_main():
Sep 13 16:09:07 Mozart racoon: ERROR:
up. be12e283176fab00:0000000000000000
Any ideas? I'm running 10.4.2 on my Mac and the SOHO3 has the latest
firmware.
known good sonicwall pro 230 settings
known good sonicwall pro 230 settings
by nunya biznas on 2005-09-17 16:58:14 +0200
I just got a sonicwall pro 230 work, here are my settings. omitted items are
blank or unchecked.
:General
host to network
static ip at work
first three numbers of work network with a zero on the end (192,168.1.0)
24
blank
main and agressive checked
obey
16
:Phase 1
28000
mod768(1)
3des
sha1
:phase 2
28800
none
des
3des
hmac sha1
:id/auth
address
address
preshared secret from sonicwall
:options
ipsec doi
sit_identity_only
initial contact
generate policy
dhcp pass-through
establish ike immediatly
:sonicwall
groupvpn
ike using pre-shared secret
group 1
28800
3des &sha1
strg enc and auth (esp 3des hmac sha1)
shared secret
:advanced
all unchecked
group 1
0.0.0.0
lan
(after changing items on this menu you must hit update on main screen for
items to take effect)
Re: known good sonicwall pro 230 settings
oops
am using Mac OS X 10.4.1
known good sonicwall tz 170 settings
known good sonicwall tz 170 settings
I just got a sonicwall tz 170 work, here are my settings. omitted items are
blank or unchecked.
:General
host to network
static ip at work
first three numbers of work network with a zero on the end (192,168.1.0)
24
blank
main and agressive checked
obey
16
:Phase 1
28000
mod768(1)
3des
sha1
:phase 2
28800
none
des
3des
hmac sha1
:id/auth
address
address
:options
ipsec doi
sit_identity_only
initial contact
generate policy
dhcp pass-through
establish ike immediatly
:sonicwall
groupvpn
:proposals
group 2
3des
sha1
28800
esp
des
md5
group 1
28800
:advanced
forward packets
0.0.0.0
lan
:Client
split tunnels
Re: known good sonicwall tz 170 settings
oops.
Am using Mac OS X 10.4.1
by w_grace on 2006-02-21 19:06:01 +0100
Hello,
Thats using the default settings on the Sonicwall, is it possible to change
anything from the default settings and still keep it working?
It seems strange that you can not change it from the default settings.
by Uptimejeff on 2006-03-08 17:19:30 +0100
No go for me...
OS X 10.4.5
Sonicwall TZ170 3.1.0.12-86s
I am able to make ipSEC connection to several Linksys devices, but have not
had any success connecting to a Sonicwall (tried several)
On the Sonicwall, I tried the defaults of the Group VPN with the settings as
described in this thread. It's not possible for me to be sure that all the
settings are the same because not all fields are listed. Screen shots might
be more accurate (and faster).
If anyone has a similar config running, I would be willing to email screen
shots of my ipSecuritas and Sonciwall setup or receive screenshots of your
working configuration.
Thanks
Jeff
by xrub on 2006-06-04 18:52:20 +0200
Doesn't work for me either with exact settings. OS X 10.4.6
Firmware SonicOS Standard 3.1.0.15-95s on TZ170W
I spent 3 hours trying to get this to work without success. Then
I downloaded VPN Tracker and set it up in 5 minutes. Is it worth the money?
Depends how much your time is worth. Personally, I think spending time
setting up a VPN connection is a gross waste of time. I'll gladly pay for a
good solution.
Re: My working TZ170 settings
by northben on 2006-07-29 06:31:15 +0200
I finally have this working except for dns. I can ping an ip address but it
apparently isn't getting the dns server (our Domain Controller, not the
Sonicwall). I opened up the sonicwall config page and copy the settings to
IP Securitas.
If anyone has questions, I'd be glad to help with what I can. email/IM me at
[email protected].
If anyone has any suggestions for dns, I'd be glad to know about it.
Troubles while installing certs
Troubles while installing certs
by Dennis on 2005-09-20 18:36:49 +0200
While installing the certs according to dividedsky.net/~equate/vpn/
I am told to do the follwing:
openssl pkc12 -in RoadCert.p12 -nodes -nokeys -clcerts -out
x509gate.pem
for extracting in PEM format.
openssl pkcs12 -nodes -nocerts -in RoadCert.p12 -out private.pem
for extracting the private key.
After that I try to import these files by using the Certificate Manager.
First the foreign, but while importing the private key I get this message:
"Failed to import priv.pem.
Please make sure the file contains a signed X.509 certifcate in PEM format."
Any hints?
VPN Broken in Mac OS X 10.4.2 ?
VPN Broken in Mac OS X 10.4.2 ?
For some reason I have a 10.4.1 laptop that works from home with a
sonicwall at work, yet my 10.4.2 G5 tower from home does not.
Identical settings in IPSecuritas.
Anyone know if I should post my log file and try to solve or just wait for
10.4.3?
thanks for any insight.
Re: VPN Broken in Mac OS X 10.4.2 ?
by jt on 2005-10-09 16:52:50 +0200
Wow, not a single reply. I'd a thought someone would let me know if 10.4.2
is or isn't broken. I have other problems with it as well, it broke some
networking features in Virtual PC.
;)
Here's my log output from a known good configuration with a sonicwall.
Again, I have a 10.4.1 laptop that, with the same configuration has no
problem connecting.
Oct 9 09:44:23 gtower IPSecuritas: Parsing configuration
Oct 9 09:44:23 gtower IPSecuritas: Setting up racoon.conf
Oct 9 09:44:23 gtower IPSecuritas: Setting up setkey.conf
Oct 9 09:44:23 gtower IPSecuritas: Setting up psk.txt
Oct 9 09:44:23 gtower IPSecuritas: Setting up tunnel.conf
Oct 9 09:44:23 gtower IPSecuritas: Parsing configuration done
Oct 9 09:44:24 gtower IPSecuritas: Starting racoon...
Oct 9 09:44:25 gtower IPSecuritas: Racoon is running
Oct 9 09:44:25 gtower IPSecuritas: Set kernel keys
Oct 9 09:44:25 gtower racoon: DEBUG2: cfparse.y:1413:cfparse(): parse
successed.
Oct 9 09:44:25 gtower racoon: DEBUG: isakmp.c:1592:isakmp_open():
Oct 9 09:44:25 gtower racoon: DEBUG: pfkey.c:195:pfkey_handler(): get
Oct 9 09:44:25 gtower racoon: DEBUG2: plog.c:199:plogdump():
Oct 9 09:44:25 gtower racoon: DEBUG: pfkey.c:210:pfkey_handler(): pfkey
by jt on 2005-10-09 16:54:33 +0200
for completeness, this is my log
by jt on 2005-10-09 16:59:31 +0200
for completeness, this is my log off 10.4.2 to a different sonicwall. This
configuration also works fine off the 10.4.1 laptop.
Oct 9 09:53:56 gtower IPSecuritas: Parsing configuration
Oct 9 09:53:56 gtower IPSecuritas: Setting up racoon.conf
Oct 9 09:53:56 gtower IPSecuritas: Setting up setkey.conf
Oct 9 09:53:56 gtower IPSecuritas: Setting up psk.txt
Oct 9 09:53:56 gtower IPSecuritas: Setting up tunnel.conf
Oct 9 09:53:56 gtower IPSecuritas: Parsing configuration done
Oct 9 09:53:57 gtower IPSecuritas: Starting racoon...
Oct 9 09:53:57 gtower IPSecuritas: Racoon is running
Oct 9 09:53:57 gtower IPSecuritas: Set kernel keys
Oct 9 09:53:57 gtower racoon: DEBUG2: cfparse.y:1413:cfparse(): parse
successed.
Oct 9 09:53:57 gtower racoon: DEBUG: pfkey.c:210:pfkey_handler(): pfkey
Oct 9 09:53:58 gtower racoon: DEBUG:
address list
address list
pfkey ACQUIRE message
Oct 9 09:53:58 gtower racoon: DEBUG: pfkey.c:1551:pk_recvacquire():
suitable outbound SP found: 10.0.12.1/32[0] 172.16.10.0/24[0] proto=any
dir=out.
Oct 9 09:53:58 gtower racoon: DEBUG: policy.c:184:cmpspidxstrict():
sub:0xbffff970: 172.16.10.0/24[0] 10.0.12.1/32[0] proto=any dir=in
Oct 9 09:53:58 gtower racoon: DEBUG: policy.c:185:cmpspidxstrict(): db
:0x306778: 172.16.10.0/24[0] 10.0.12.1/32[0] proto=any dir=in
Oct 9 09:53:58 gtower racoon: DEBUG: pfkey.c:1567:pk_recvacquire():
suitable inbound SP found: 172.16.10.0/24[0] 10.0.12.1/32[0] proto=any
dir=in.
Oct 9 09:53:58 gtower racoon: DEBUG: pfkey.c:1606:pk_recvacquire(): new
acquire 10.0.12.1/32[0] 172.16.10.0/24[0] proto=any dir=out
Oct 9 09:53:58 gtower racoon: DEBUG: proposal.c:826:printsaproto():
(proto_id=ESP spisize=4 spi=00000000 spi_p=00000000
encmode=Tunnel reqid=0:0)
Oct 9 09:53:58 gtower racoon: DEBUG: proposal.c:860:printsatrns():
(trns_id=DES encklen=0 authtype=1)
(trns_id=DES encklen=0 authtype=2)
(trns_id=3DES encklen=0 authtype=1)
(trns_id=3DES encklen=0 authtype=2)
Oct 9 09:53:58 gtower racoon: DEBUG: remoteconf.c:118:getrmconf():
by cnadig on 2005-10-10 08:38:34 +0200
Hello,
I'm not aware of any problems with 10.4.2. From what I can see in your log,
it seems that the remote router/firewall does not send an answer on your
side's request. Do you have access to the router's log?
Christoph
Got it working on my G5.
Turns out all I had to do was completely delete the settings I had been
working with out of the IPSecuritas menu and start over. Started working
first try.
RV042 Setup Needed
RV042 Setup Needed
by johnnj on 2005-10-14 19:08:40 +0200
I've got to say this router as driven me nuts! I can't get it to work with any
of our Mac OS X users.
I just want to set up 3 connections with mobile users. All using Mac OS X
(Hey OS X helps cut down on IT work for the mobile users).
I have read through most of the postings on this site for linksys routers and
only a few have stated that they have gotten it to work but don't supply
sufficent information. LinkSys claims that Mac OS X VPN software only
works with the Cisco routers. (Which is BS because I have to use a Cisco
VPN Client for their routers)
If anyone could please provide me with some help, links, advice, etc...
Thanks
JohnNJ
Re: RV042 Setup Needed
by Rand on 2005-12-09 06:45:56 +0100
Has anyone been succesful creating a VPN connection to a RV042/RV042?
by Heston on 2006-01-05 20:20:18 +0100
Hey - any joy with this?? I'm thinking of getting some RV042/RV082 for an
all mac environment - gulp.
Thanks
by macmouse on 2006-03-31 15:15:20 +0200
If anyone has gotten this to work an you please post the settings?
Thank you!
VPN/IPSec to LANCOM Routers
VPN/IPSec to LANCOM Routers
by Heiko Amft on 2005-10-17 00:47:58 +0200
Does anyone have success with vpn-IPSec-connection between Mac (10.4.2)
and a LANCOM-Router with preshared keys, especially LANCOM
DSL/I-1611 or the new 1611+ ?
I'm testing for a few days, it seems to be the ipsec-tunnel starts up but no
traffic in- or outgoing.
any ideas ?
greetings Heiko
Re: VPN/IPSec to LANCOM Routers
by Erik Roderwald on 2006-02-06 09:44:13 +0100
Hi Heiko!
First of all, do you have access to a windows machine? If you have you
should install the Lancom software which includes the Lancom Monitor.
That tool is very helpfull for looking up what's going wrong with your VPN
connection. Also the assistants are not bad.
I just made it for a client. Two things went wrong:
First of all make sure that there is for each VPN connection an entry in
configure (Konfigurieren), PPP connections (PPP-Verbindungen; I hope that I
retranslate it correctly; your name sounds german, so I gave you the
german items in the brackets). If there isn't an entry add one which
contains only the name of the wanted connection. You may activate IP
forwarding and NetBIOS over IP. The rest you leave blank.
The other thing which went wrong was the local and remote identifier. I
tried it with a full qualified user name which didn't work even though I
found it in several online documents to be configured like that. I changed it
to domain name and it worked fine. The router I named like
router.network.local and the clients like user1.network.local.
Well, I also called the Lancom hotline which is quite expensive but very
helpfull. They sent me a step by step help file (pdf; german). Unfortunately
it is not public. So I cannot give you an URL or send it to you. I'm sorry, you
have to call them and ask for it.
HTH
Erik
Tiger 10.4.2 and IPSecuritas 2.1 Problems
Tiger 10.4.2 and IPSecuritas 2.1 Problems
by Nick Rigby on 2005-10-18 14:03:26 +0200
Hi,
I'm having problems with my VPN (IPSecuritas 2.1) and Tiger 10.4.2.
I can create a connection with my work network, and can connect to a
couple of the server. However, some servers cause finder to hang and then
stop responding. It appears that it's only the servers with a large amount of
folders on them that I can't connect to.
Does anyone know of a problem, or the solution.
Thanks,
Nick
Re: Tiger 10.4.2 and IPSecuritas 2.1 Problems
by Nick Rigby on 2005-11-09 12:59:30 +0100
Still having problems, even with the 10.4.3 update. It certainly appears that
connecting to servers with a large amount of data (folders) causes finder to
crash.
AEBS setup examples?
AEBS setup examples?
by Sig on 2005-10-18 21:12:16 +0200
Can anyone help with a sample config or settings for an AEBS? I'm trying to
use IP2sec from a Powerbook, through the AEBS firewall (most likely have to
open ports, though I have no idea which one, guessing 24), and out to the
Internet. I would assume this would bypass all firewall settings without
some customization. A good and bad thing, though not real risky on OS X.
Thanks much in advance.
Acquiring IP address from Cisco 3000?
Acquiring IP address from Cisco 3000?
by WD40 on 2005-10-19 20:40:05 +0200
I just recently got IPSecuritas to connect to a Cisco 3000 Concentrator VPN.
One area that doesn't seem to be working, though, is that IPSecuritas
(racoon?) won't acquire an IP address from the Cisco unit.
If I leave "local address" blank, ifconfig shows "gif0" with no address, and
the VPN for the most part doesn't work. However, if I manually enter a
local address, the ipsec stuff works fine.
How can I set up IPSecuritas to request and use an IP address from the
remote IPSec device?
Thanks!
Early Replacement Of Name Servers
Early Replacement Of Name Servers
by goldharv on 2005-10-21 01:23:17 +0200
I love IPSecuritas, but I've run into a problem implementing it.
I've defined a default domain name and 2 name servers that are visable only
when connected to my VPNs. However, /etc/resolv.conf gets replaced
immediately after IPSecuritas starts IPSec. Unfortunately, my ISP changes
my IP address occasionally and I have to use a dynamic DNS service. My
VPNs are defined to use the fully qualified domain name of my home
firewall. The net result is that if my VPN does not come up soon enough,
my access to DNS servers is gone.
I'm mainly posting this as a warning to others. I spent an hour or two
trying to figure out what was going on. It would be great if IPSecuritas
waited until the VPN was established before switching resolv.conf, and if it
switched it back if the connection drops.
To be really snazzy, you should be able to tell if the DNS server is
accessible based on the network address of the VPN. For example, if I've
entered 192.168.0.1 and 192.168.2.1 as name server addresses and if one
of my VPNs connects to 192.168.0.0 and the other connects to
192.168.2.0, it should be obvious which connections have to be up before
modifying resolv.conf.
Harry
IPSecuritas Auto Start with certificates (10.3.9)
IPSecuritas Auto Start with certificates (10.3.9)
by SomeUser on 2005-10-27 22:24:21 +0200
IPSecuritas Auto Start in 10.3.9 is broken if you use certificates...
IPSecuritas stores certificates and config files in /private/tmp when you
click "Auto Start". Mac OS X runs /etc/rc.cleanup after boot, which deletes
all files in /private/tmp.
Solution:
1) Lobotomo could save the config/cert files somewhere more sensible like
/etc
2) Edit /etc/rc.cleanupto spare deletion of your config/cert files:
e.g.
(line 43)[code]
# Clean out /private/tmp.
if [ -d /private/tmp ]; then
# blow away any _tmp_ in case it exists as well
if [ -f /private/_tmp_ ]; then
chflags -R nouchg /private/_tmp_ && rm -rf /private/_tmp_
fi
echo -n " /private/tmp"
+ mkdir -m 1777 /private/_tmp_
+ find /private/tmp/* ! -name ipsecuritas\* -maxdepth 0 -exec mv {}
/private/_tmp_ \;
+ find /private/tmp/.[^.]* -maxdepth 0 -exec mv {} /private/_tmp_ \;
- mv /private/tmp /private/_tmp_
(chflags -R nouchg /private/_tmp_ && rm -rf /private/_tmp_) &
fi
- mkdir -m 1777 /private/tmp
[/code]
Netgear FVS124G
Netgear FVS124G
by David on 2005-11-01 17:47:26 +0100
I can connect to the likes of Netgear FVS318 just fine but this new FVS124G
is more complex - anyone else connecting to it?
Re: Netgear FVS124G
by Daniel Loewus-Deitch on 2006-01-19 22:25:21 +0100
I also am having no luck connecting to a Netgear FVS124G. If possible, can
anyone explain all the settings necessary on both the router and IPSecuritas
in order to make this VPN connection work?
I am really frustrated and I am hoping to avoid spending an exorbant
amount of money to buy VPN Tracker, just because Netgear is too lazy to
support Macs with their own VPN client.
If anyone has IP
Re: Netgear FVS124G
by danlode on 2006-01-19 22:35:07 +0100
To finish my post above:
If anyone has been able to get IPSecuritas to work with the Netgear
FVS124G, please post here or contact me at
[email protected].
Thank you so much!!
Regards
Re: Netgear FVS124G
by grep on 2006-05-10 03:55:14 +0200
I have recently purchased the FVS124g router to replace my linksys router
with service from verizon.dsl.
Nope doesn't work, so I took it back to the store and got another one. Nope
it doesn't work either. Then called tech support in India, level one was quite
good but couldn't make it work, Level 2 was so so, but couldn't make it
work, now level 3 is working on it but with no luck so far. My fix at the
moment is to unplug the netgear and plug the linksys back in, works
almost instantly and works fine. My current opinion of Netgear is probably
not very good.
Grep
Re: Netgear FVS124G
by rogerm on 2007-04-09 19:05:21 +0200
Greetings,
I was able to get this to work. As others did I looked at how VPN tracker
configured itself and adapted from there. Below is the info. (please note
the formatting got a bit messed up)
--------------------------------------------------------------Setting up IPSecuritas and FVS124G router.
Configuration of FVS124G VPN.
Log into your FVS124G router
1.Create and name a new IKE policy.
1.Direction Type : Responder
2.Exchange Mode: Aggressive.
3.Local. Select Local Gateway. Select Wan1, or Wan2 depending on which
port this policy will be active on.
1.Local Identity Type: FQDN – Fully Qualified Domain Name
2.Local Identity Data: netgearrouter.local. This can be anything you want
and will be used in the client configuration as well.
4.Remote. Remote Host Configuration Record : None
1.Remote Identity Type: FQDN – Fully Qualified Domain Name
2.Remote Identity Data: thevpncleint.com. This can be anything you want
and will be used in the client configuration as well.
5.IKE SA Parameters.
1.Encryption algorithm: 3DES
2.Authentication Algorithm: SHA1
3.Authentication Method: Select Pre-Shared Key
1.Enter the pre-shared key.
4.Diffle Hellman (DH) Group: Group 2 (1024 Bit)
5.SA Life Time: 3600
6.Select Apply to save the configuration.
2.Create a new VPN Policy.
1.IKE Policy: Select the name of the IKE Policy that you just created.
2.Remote VPN End Point:
1.Address Type: IP Address
2.Address Data: 0.0.0.0
3.SA Life Time
1.Seconds: 3600
2.Kbytes: 0
4.Check Box: IPSec PFS – no check.
1.PFS Key group: Ignored as step 4 contains no check.
5.Traffic Selector
1.Local IP: Subnet Address ( you will need to adjust this section with your
IP info)
1.Start IP Address: 192.168.254.0
2.Finish IP Address:
3.Subnet Mask: 255.255.255.0
2.Remote IP: Single Address
1.Start IP Address: 192.168.252.100
2.Finish IP Address
3.Subnet Mask:
3.AH Configuration
1.Check Box: Enable Authentication – no check
2.Authentication Algorithm. ignored with no check in section 3.1
4.ESP Configuration
1.Check Box: Enable Encryption – Check
1.Encryption Algorithm: 3DES
2.Check Box: Enable Authentication – Check
1.Authentication Algorithm: SHA-1
5.Select apply to save the configuration.
Re: Netgear FVS124G
by mpilch on 2007-04-15 01:30:08 +0200
rogerm:
I tried to mimic your configuration but still without success.
Which firmware do you have in your FVS124G ?
I have 1.1.38.
Also looks like you are not using "VPN wizard" to set your "IKE Policies" and
"VPN Policies".
So I have question: How did you set "VPN Client Policy". I assume this is one
you are using in your walkthrough?
There is no way (at list I can not find it) to add new "VPN Client Policy".
Manualy I can add only "VPN Policy". Only using "VPN Wizard" I can add
entry to "VPN Client Policy" and later edit it.
I also assumed you are using IPSecuritas v3 in your guide.
thanks,
Marek
Re: Netgear FVS124G
by mpilch on 2007-04-15 06:27:50 +0200
It works now. ;D
Thanks for great walk through. Good work.
Marek
Mac VPN Client using IPSecuritias Case Study is av
Mac VPN Client using IPSecuritias Case Study is av
by jmizoguchi on 2005-11-06 20:13:51 +0100
FYI
http://www.xtreme-racing-team.com/casestudy.html
Re: Mac VPN Client using IPSecuritias Case Study i
by jmizoguchi on 2006-01-29 19:48:25 +0100
New site is vpncasestudy.com
Zyxell Zywall 2 and IPsecuritas
Zyxell Zywall 2 and IPsecuritas
by tota on 2005-11-10 16:52:50 +0100
Did someone ever have luck to set up a Zyxell Zywall 2 and IPSecuritas that
way that both are working together?
For your information I give you the actual settings of the Zywall 2 as shown
below.
Hope someone may able to give me some advice.
Name:
VPN-Test
Key Management: IKE
Negotiation Mode: Main
Local
Address Type
: Subnet
Starting IP Address: 192.168.2.0
Ending IP Address / Subnet Mask: 255.255.255.0
Remote
Address Type
: Single Address
Starting IP Address: 0.0.0.0
Ending IP Address / Subnet Mask: 0.0.0.0
DNS Server (for IPSec VPN): 0.0.0.0
Authentication Method
Pre-Shared Key: securekey
Local ID Type: IP
Content: 130.60.32.95
Peer ID Type: IP
Content: 0.0.0.0
My IP Address
: 0.0.0.0
Secure Gateway Address: 0.0.0.0
Encapsulation Mode: Tunnel
Encryption Algorithm: DES
Authentication Algorithm: SHA1
Phase 1
Authentication Algorithm: MD5
SA Life Time (Seconds)
: 28800
Key Group: DH1
Phase 2
Active Protocol: ESP
Authentication Algorithm: SHA1
SA Life Time (Seconds): 28800
Encapsulation
: Tunnel
Perfect Forward Secrecy(PFS): None
Best regards for anyone's help and advice and tipps.
Greetings from Switzerland
Thomas Thaler
IPSecuritas & OpenBSD?
IPSecuritas & OpenBSD?
by Iggy on 2005-11-14 07:24:00 +0100
I was wondering if any has had sucess getting isakmpd work well with
mobile IPSecuritas clients. If you have I'd appreciate it if you can let me
take a looke at your isakmpd.conf and policy files as an example.
Re: IPSecuritas & OpenBSD?
by Iggy on 2005-11-14 07:47:08 +0100
Or even examples from Freebsd isakmpd.conf/policy will be great.
Re: IPSecuritas & OpenBSD?
by rical on 2006-01-14 19:05:46 +0100
for isakmpd on OBSD 3.6 to 3.8:
isakmpd.conf
[General]
Listen-on=
82.58.73.130
Policy-file=
/etc/isakmpd/isakmpd.policy
Default-phase-1-lifetime=
1800,360:28800
Default-phase-2-lifetime=
1800,360:28800
Retransmits=
3
[Phase 1]
Default=
company-Nomades
[Phase 2]
Connections=
[Iniflux-Nomades]
Phase=
Transport=
Local-address=
Address=
Configuration=
ID=
Authentication=
[company-gw]
ID-type=
Address=
[IPsec-Nomades]
Phase=
ISAKMP-peer=
Configuration=
Local-ID=
Remote-ID=
IPsec-Nomades
1
udp
82.58.73.130
0.0.0.0
Default-main-mode
company-gw
good-password
IPV4_ADDR
82.58.73.130
2
company-Nomades
Default-quick-mode
Internal
Nomades
[Internal]
ID-type=
Network=
Netmask=
IPV4_ADDR_SUBNET
192.168.1.0
255.255.255.0
[Nomades]
Id-type=
Address=
IPV4_ADDR
0.0.0.0
[Default-main-mode]
DOI=
EXCHANGE_TYPE=
Transforms=
IPSEC
ID_PROT
3DES-SHA
[Default-quick-mode]
DOI=
IPSEC
EXCHANGE_TYPE=
QUICK_MODE
Suites=
QM-ESP-3DES-SHA-SUITE
policy:
Re: Can't connect to Netgear FVS338
by Cryobat on 2005-12-21 14:19:11 +0100
I have the exact same problem on the exact same hardware! Did you have
any success in this? It seems like the Netgear router doesn't like IPSecuritas
to define the remote network or something? The router can't find the SPD
for this client...
I had the exact same messages in the log on the router from the beginning
when trying to configure the Netgear IPSec client for Windows machines,
but that was because I used the VPN Wizard instead of doing the "mode
config" by hand.
Does anyone know how to make IPSecuritas go through this last step?
by Ken Anderson on 2006-01-31 16:15:19 +0100
That makes three of us! Has anyone ever solved this?
by Ted Mittelstaedt on 2006-03-01 10:49:19 +0100
Hi All,
Yes there is a solution to this. Your all going to hate
it but it works.
The problem is the Netgear's view of what an IPSec VPN is, is basically a
classical LAN2LAN IPSec VPN. The so-called "VPN Client Policies" in the
Netgear's VPN Policies that appears to be usable for a single client to VPN in
with, is actually a nasty hack that was worked out with the old Secure ID
IPSec client, and nothing other than this client interoperates with it.
You can get a Mac (or other UNIX) system to connect in to the Netgear, but
you MUST use the standard VPN Policies, not the VPN Client policies, and
you must define it by hand. Also, most importantly, you MUST USE a
STATIC ip address. This is due to a bug in the Netgear's firmware which
when you define a Fully Qualified Domain Name as a peer, the Netgear
DOES NOT do a DNS lookup of that and substitute the remote peer IP
address. Instead it just substitutes 0.0.0.0 which makes the VPN code in
the netgear fall back to the borked Secure ID client method.
Basically what is going on here is we are defining a static peer on the
Netgear side and a static peer on the Mac side and they must be mirror
images of each other.
So, in summary - your going to have to pay extra to your DSL providers for
a static IP. Also, I do NOT think this will work if the client is BEHIND a NAT
router.
Here are the setup instructions. This is on Panther (MacOS X 10.3) running
the current MacOS patches and version 2.1 of IPSecuritas. The Netgear is
running
firmware version V1.6.47 Have phun with it! :-)
1) Setup your Mac client with a static IP number. In this case I'll use IP
address 75.75.97.32
Login into the Netgear admin interface and click on IKE Policies on the left,
then click Add. Here is the policy:
Policy Name: macattack
Direction Type: Responder
Exchange Mode: Agressive Mode
Local Identity Type: WAN IP Address
Locl Identity Data: leave blank!
Remote Host Configuration Record: None
Remote Identity Type: Remote WAN IP
Remote Identity Data: leave blank for now!
IKE SA
Authentication Method: Preshared Key
Preshared Key: freebsdkicksass
DH Group: Group 1
SA Life Time: 28800
X Authentication: None
Click Apply
by Cryobat on 2006-03-01 12:21:57 +0100
Ouch.... I wish it would work better somehow... how often do you have a
static IP when you're out working at another location....
Ohh well, I think setting up a PPTP server behind the firewall and playing
with port forwardning might be a better solution for Mac users then.
Thanks for your reply tho! That was a really good answer with precise
information on how to solve the problem! Thank you!
by Ted Mittelstaedt on 2006-03-04 08:55:03 +0100
Well, actually all you have to do is enable remote access on the Netgear,
then when your at a location, just obtain your IP address from
www.whatismyip.com or some such, then access the Netgear's
administrative page, change the IP addresses in the VPN policy and isakmp
policy, and your in business. Obviously this is tiresome and certainly not
an answer that you would want to give to your regular users! Might be
doable for system administrators, though.
As for setting up a PPTP server behind the Netgear, another possibility is
running a Linux/FreeBSD system in parallel with the Netgear, and running
poptop on that. I can confirm MacOSX Panther pptp will successfully
connect to that if you use 128bit encryption, since that is what we do. One
of our Tiger users claims it only works if encryption is switched off on
Tiger. One of these days I'm going to have to test that.
by Nathan Hilderman on 2006-05-06 21:32:10 +0200
I haven't got a FVS338, but I've had success with both an FVL328 and
FVX338.
I've noticed between the FVL and FVX familly a few differences, but did get
both to work. My main problem was with the 'ID/Auth' part in IPSecuritas I made the local and remote names 'fvx_host.com' on both IPSecuritas and
in the local/remote FQDN (Fully Qualified Domain Name) within Netgear's
IKE policy. Next hurdle (for me, anyways) was the IP settings - in
IPSecuritas the 'Remote Network' uses the slash notiation (i.e. /24) notation,
while Netgear wants a subnet address. To let it use your whole subnet (e.g.
10.0.0.0 /24), you have to set the subnet to 255.255.255.0 (e.g. 10.0.0.0
as start IP, 255.255.255.0 as subnet address). You can use whatever
subnet you want - but unless both sides are EXACTLY THE SAME you won't
ever get a proper connection. In fact, it seems there are VERY few settings
(SA Lifetimes, for example) that don't have to be identical for it to work.
Also, in case you haven't figured it out, when you connect take a look at the
VPN status to determine where your bad settings are. If you can't establish
Phase 1 even, then something in your IKE policy is wrong. If you can't
establish Phase 2, the problem is in your VPN Policy.
Oh, and I don't know about the FVS family, but on the FVX I also had to
make sure my VPN Policy was a 'VPN Policy' as opposed to a 'VPN Client
Policy', if that makes a difference.
Keep at it, you'll eventually get it to work.
by William Kyngesburye on 2006-05-13 01:42:06 +0200
Well, the FVS338 has been commandeered for a host-to-host VPN off our
main internal network (and thru a different ISP) all this time (just a few
Windoze computers there), so I haven't had a need to pursue this. Until
now. I'm getting ready to put it back on our main network and ISP and
decided to try it again. I doubled-checked settings on the FVS338 and in
IPSecuritas. One thing I noticed on my IPSec config was that the remote
subnet setting was 192.168.1.1/24. From Nathan's last post I got the idea
to try 192.168.1.0/24. Now it's working - VPN connection made. I'm sure I
tried this before. Maybe some OSX update since then affected something. I
didn't update the FVS firmware.
I'm at home now and don't have my notes, but I'll post a summary later. I
haven't been able to test file sharing yet - nothing really on the other end
right now - but I could ping the firewall's local IP. The real test will be
when I get the FVS on the main internal network, where the server, printers
and Macs are.
I can say that the FVS338 works with fvs_local.com and fvs_remote.com for
the identifiers, just as the FVS docs say. And the VPN policy vs. VPN client
policy distinction seems to be automatic, or something odd. I had a client
policy and host-host policy generated from the wizard, then deleted the
client policy that wasn't working. But when I added a policy, it
automatically became a client policy. There can only be one client policy it's used for the 50 client limit on the FVS338 (100 on the FVL328 and 200
on the FVX538) - and any more policies become the 'VPN Policies' (and then
the FVS became a little confused). That didn't make much sense, but the
VPN Client Policy works, I didn't need to make it a VPN Policy.
by kb on 2006-06-15 12:02:34 +0200
try with "A remote VPN client" option in VPN Wizard along with NG VPN
client installed in your windows, that must solve the problem
by pristine on 2006-06-15 12:35:09 +0200
has anyone tried Extended authentication in FVS338, have any one tried
modeconfig, any inputs for configuring modeconfig in FVS338 would be
appreciated.
IPSecuritas & Checkpoint
IPSecuritas & Checkpoint
by fiddelm3742 on 2005-11-23 07:12:54 +0100
I'm having some issues with my IPSecuritas/Checkpoint setup. I've got all
of the default IPSecuritas settings in as suggest via the forums and the
example. I do not have a key being my corporation has a managed
firewall(thank you quest :-/) Anywho, perhaps i'm missing a step. Anywho
my logs wont help anyone I"ve stopped and started IPsec via ipsecuritas but
my log doens't report anything usefull, Just
Nov 23 00:11:16 iBook IPSecuritas: Parsing configuration
Nov 23 00:11:16 iBook IPSecuritas: Setting up racoon.conf
Nov 23 00:11:16 iBook IPSecuritas: Setting up setkey.conf
Nov 23 00:11:16 iBook IPSecuritas: Setting up psk.txt
Nov 23 00:11:16 iBook IPSecuritas: Setting up tunnel.conf
Nov 23 00:11:16 iBook IPSecuritas: Parsing configuration done
Nov 23 00:11:17 iBook IPSecuritas: Starting racoon...
Nov 23 00:11:17 iBook IPSecuritas: Racoon is running
Nov 23 00:11:17 iBook IPSecuritas: Set kernel keys
No real connection info.
Now, with the windows client I just attempt to connect to something on our
network (206.99.156.0/24) and it then prompts me for the User/Pass
(which I already have setup in the software
Am I missing something here?
Re: IPSecuritas & Checkpoint
by fiddelm3742 on 2005-12-08 20:52:03 +0100
No one knows ehh?
Re: IPSecuritas & Checkpoint
by trs80 on 2005-12-15 16:45:14 +0100
You have to use Aggressive Mode under the phase 1 settings, and the rest
of the config has to match whatever's in the checkpoint policy (should be
able to get that info from the admins).
You also must have a user account in what's called the "Internal DB" (again,
the admins will know what that is), in the form of an email address.
Netgear FVS318V3
Netgear FVS318V3
by Tony on 2005-12-06 19:48:20 +0100
I see a lot of people were able to get IPSecuritas to work with the FVS318.
This wouldn't by any chance be V3 of the router would it? I have an
FVS318V3 that simply refuses to cooperate with IPSecuritas (my
understanding is that V3 is essentially a completely different router than V1
& V2).
Re: Netgear FVS318V3
by jmizoguchi on 2006-01-29 19:47:50 +0100
I think so too.FVS318, FVX538 doesn't seems to run. newer router has IKE
and VPN seperate and old V1,2.4 was differenent setup. I go to work on
v2.4. that is on my site at vpncasestudy.com.
if someone has done FVS318v3~ to work please submit your story to
[email protected]
compatible with FORTIGATE
compatible with FORTIGATE
by Sepp maier on 2005-12-13 11:54:00 +0100
IPSECURITAS works well with the fortinet Firewalls (IPSEC with fixed or
dynamic IP)
GREAT APP.
Re: compatible with FORTIGATE
by Gary S on 2005-12-14 21:53:41 +0100
I am trying to get that setup myself, but I don't have any experience with
fortigates. I don't think I am setting up the gateway right. Is there any
advice you could give me on getting this setup?
by Sebastien on 2006-01-02 14:21:33 +0100
Hi,
I tried to set up IP Securitas but I am not able to connect to the VPN
gateway F50A. I will provide logs this evening if somebody could help me.
Sebastien.
by stephan on 2006-01-03 13:34:09 +0100
hi, i'm just trying to connect to our fortigate 400.
i can't see anything in its logs, i don't even know if my mac tries to connect
to it.
are there any logs i could look for errors in on the mac side? haven't found
any...
by sebastien on 2006-01-10 08:19:01 +0100
I got invalid exchange type 6, any idea ?
Jan 10 08:15:33 sunnyday IPSecuritas: Parsing configuration
Jan 10 08:15:33 sunnyday IPSecuritas: Setting up racoon.conf
Jan 10 08:15:34 sunnyday IPSecuritas: Setting up setkey.conf
Jan 10 08:15:34 sunnyday IPSecuritas: Setting up psk.txt
Jan 10 08:15:34 sunnyday IPSecuritas: Setting up tunnel.conf
Jan 10 08:15:34 sunnyday IPSecuritas: Setting up DNS configuration
Jan 10 08:15:34 sunnyday IPSecuritas: Parsing configuration done
Jan 10 08:15:35 sunnyday IPSecuritas: Starting racoon...
Jan 10 08:15:36 sunnyday IPSecuritas: Racoon is running
Jan 10 08:15:36 sunnyday IPSecuritas: Set kernel keys
Jan 10 08:15:36 sunnyday racoon: DEBUG2: cfparse.y:1413:cfparse(): parse
successed.\n
Jan 10 08:15:36 sunnyday racoon: DEBUG: isakmp.c:1592:isakmp_open():
10.70.1.100[500] used as isakmp port (fd=8)\n
Jan 10 08:15:36 sunnyday racoon: DEBUG: isakmp.c:1610:isakmp_open():
10.70.1.100[4500] used as nat-t isakmp port (fd=9)\n
Jan 10 08:15:36 sunnyday racoon: DEBUG: pfkey.c:195:pfkey_handler(): get
pfkey X_SPDDUMP message\n
Jan 10 08:15:36 sunnyday racoon: DEBUG2: plog.c:199:plogdump():
\n02120200 00020000 00000000 00000395\n
Jan 10 08:15:36 sunnyday racoon: DEBUG: pfkey.c:210:pfkey_handler():
pfkey X_SPDDUMP failed: No such file or directory\n
Jan 10 08:15:36 sunnyday racoon: DEBUG:
grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n
Jan 10 08:15:37 sunnyday IPSecuritas: Setting ip-label.com|192.168.0.3
address list\n
address list\n
by sebastien on 2006-01-10 08:21:04 +0100
next ...
algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_md5)\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2278:oakley_skeyid_dae():
SKEYID_d computed:\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump():
\n2f74bea4 1d9d45d0 59b513c1 fa7e59af\n
SKEYID_a computed:\n
\n7f9756d6 71e1a348 d92dca61 ec3c22ce\n
SKEYID_e computed:\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n130facfb
a8d233e5 9f0f3758 41719485\n
algorithm.c:382:alg_oakley_encdef(): encription(des)\n
algorithm.c:252:alg_oakley_hashdef(): hash(md5)\n
oakley.c:2478:oakley_compute_enckey(): final encryption key computed:\n
a8d233e5\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2589:oakley_newiv(): IV
computed:\n
\n2d2fb498 79fe1ee8\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: ipsec_doi.c:3238:ipsecdoi_setid1():
use ID type of IPv4_address\n
oakley.c:871:oakley_ph1hash_common(): HASH with:\n
\nef3561d9 f0900c3e 029593fb 25841dd0 594e3fcd d5fe1b58 efe1df7c
08c9c8fd\n29b35525 9cb6f812 879bae26 ed82f54e c5eb274f 218b23eb
1f2d45ef 0dc9bc14\nd7763a03 4079501e d72bca21 3b3510e0 ff751e4d
ccbf2f04 ff67e2ad fceb1f9a\n56585bbe 55a48b2f af8596b7 ad5123b2
11762332 bb616f81 23b97c83 ef2da978\n2023db40 7cb9aace 919d4f1c
ce0aa8c6 bdac3f1d 5aa3135c 4e2902c6 66288852\n3ae66d81 de6a179b
f52962b0 17a65f1e ba74a423 1e9044e4 f04cb396 8f867c65\naba97d0c
c961d04b aa6c9521 fd2e762c 429e876c 03078ebb 6bfb6a60
2373be69\n42f79b97 1464ef99 76a9d436 3c3761fe b01a6cfb b9d5ff4e
fc74f5df d0f4a49b\nf79acfe3 3dc85eea 0bea0204 079f0db2 ecde9573
baad6157 f4435c0a cc0fc10f\nbcb0c6ae 998f0c93 f7855faf 89e0dc05
686f787a 98e3a555 76e3baa7 4e40401c\n69a05ea7 bd751de4 2e1fe8cf
e1be51d4 f9162b4b 23ec04d2 61f4ab22 1a70da86\n28bbbc8e 041d5253
70af87da 66c5c9b4 da9870a1 80574be5 050ed0a8 d7f067b7\n6f42de18
bdfa477e a83c25fb 8b970626 00000001 00000001 00000028
01010001\n00000020 01010000 800b0001 80
oakley.c:881:oakley_ph1hash_common(): HASH computed:\n
by sebastien on 2006-01-10 08:21:26 +0100
\n0800000c 011101f4 0a460164 00000014 123027b8 5e8928cd 11cbdddf
36911daa\n00000000 00000008\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2883:oakley_do_encrypt():
with key:\n
a8d233e5\n
encrypted payload by IV:\n
\n2d2fb498 79fe1ee8\n
save IV for next:\n
\ndd836560 cb31998b\n
encrypted.\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: sockmisc.c:421:sendfromto():
sockname 10.70.1.100[500]\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: sockmisc.c:423:sendfromto(): send
packet from 10.70.1.100[500]\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: sockmisc.c:425:sendfromto(): send
packet to 62.160.52.119[500]\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: sockmisc.c:570:sendfromto(): 1
times of 68 bytes message will be sent to 10.70.1.100[500]\n
\n6f42de18 bdfa477e a83c25fb 8b970626 05100201 00000000 00000044
b748f5c3\n3d61547d d39260d9 9620820e 4f7dfcb3 096ffa0f 887ea505
810acc28 dd836560\ncb31998b\n
6f42de18bdfa477e:a83c25fb8b970626\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: isakmp.c:238:isakmp_handler():
===\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: isakmp.c:239:isakmp_handler(): 60
bytes message received from 62.160.52.119[500]\n
\n6f42de18 bdfa477e a83c25fb 8b970626 05100201 00000000 0000003c
a016f50c\n60d392c7 245425dd b460723d ddb226d6 9eb4ce3c e5d6dbef
3a509b07\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2709:oakley_do_decrypt():
begin decryption.\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2723:oakley_do_decrypt():
IV was saved for next processing:\n
by sebastien on 2006-01-10 08:23:54 +0100
\nb34d0bdb 03fd6f25 f40ce451 8b0125cb\n
oakley.c:871:oakley_ph1hash_common(): HASH with:\n
\naba97d0c c961d04b aa6c9521 fd2e762c 429e876c 03078ebb 6bfb6a60
2373be69\n42f79b97 1464ef99 76a9d436 3c3761fe b01a6cfb b9d5ff4e
fc74f5df d0f4a49b\nf79acfe3 3dc85eea 0bea0204 079f0db2 ecde9573
baad6157 f4435c0a cc0fc10f\nbcb0c6ae 998f0c93 f7855faf 89e0dc05
686f787a 98e3a555 76e3baa7 4e40401c\n69a05ea7 bd751de4 2e1fe8cf
e1be51d4 f9162b4b 23ec04d2 61f4ab22 1a70da86\n28bbbc8e 041d5253
70af87da 66c5c9b4 da9870a1 80574be5 050ed0a8 d7f067b7\nef3561d9
f0900c3e 029593fb 25841dd0 594e3fcd d5fe1b58 efe1df7c
08c9c8fd\n29b35525 9cb6f812 879bae26 ed82f54e c5eb274f 218b23eb
1f2d45ef 0dc9bc14\nd7763a03 4079501e d72bca21 3b3510e0 ff751e4d
ccbf2f04 ff67e2ad fceb1f9a\n56585bbe 55a48b2f af8596b7 ad5123b2
11762332 bb616f81 23b97c83 ef2da978\n2023db40 7cb9aace 919d4f1c
ce0aa8c6 bdac3f1d 5aa3135c 4e2902c6 66288852\n3ae66d81 de6a179b
f52962b0 17a65f1e ba74a423 1e9044e4 f04cb396 8f867c65\na83c25fb
8b970626 6f42de18 bdfa477e 00000001 00000001 00000028
01010001\n00000020 01010000 800b0001 80
oakley.c:881:oakley_ph1hash_common(): HASH computed:\n
\nb34d0bdb 03fd6f25 f40ce451 8b0125cb\n
oakley.c:1197:oakley_validate_auth(): HASH for PSK validated.\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: isakmp_ident.c:695:ident_i4recv():
peer's ID:
\n01000000 3ea03477\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: isakmp.c:838:ph1_main(): ===\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2633:oakley_newiv2():
compute IV for phase2\n
phase1 last IV:\n
\ne5d6dbef 3a509b07 705fe9e2\n
phase2 IV computed:\n
\n424f2cb7 f670fab8\n
oakley.c:752:oakley_compute_hash1(): HASH with:\n
\n705fe9e2 0000001c 00000001 01106002 6f42de18 bdfa477e a83c25fb
8b970626\n
oakley.c:762:oakley_compute_hash1(): HASH computed:\n
\n266ad6a8 f6e45dc4 5fb596ec 7d0e1603\n
begin encryption.\n
by sebastien on 2006-01-10 08:24:14 +0100
isakmp_inf.c:705:isakmp_info_send_common(): sendto Information notify.\n
Jan 10 08:15:40 sunnyday racoon: INFO: isakmp.c:2756:log_ph1established():
ISAKMP-SA established 10.70.1.100[500]-62.160.52.119[500]
spi:6f42de18bdfa477e:a83c25fb8b970626\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: isakmp.c:885:ph1_main(): ===\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: isakmp.c:238:isakmp_handler():
===\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: isakmp.c:239:isakmp_handler(): 68
bytes message received from 62.160.52.119[500]\n
\n6f42de18 bdfa477e a83c25fb 8b970626 08100601 532c13ae 00000044
fd7cc74d\nd84776b2 a5f0dc47 fd531bdd 431b17ae 96b7eab9 e371d10a
5daa0397 2c6e4af7\n4aa76e10\n
Jan 10 08:15:40 sunnyday racoon: ERROR: isakmp.c:767:isakmp_main():
Invalid exchange type 6 from 62.160.52.119[500].\n
isakmp.c:1153:isakmp_ph2begin_i(): ===\n
isakmp.c:1154:isakmp_ph2begin_i(): begin QUICK mode.\n
Jan 10 08:15:41 sunnyday racoon: INFO: isakmp.c:1158:isakmp_ph2begin_i():
initiate new phase 2 negotiation: 10.70.1.100[0]<=>62.160.52.119[0]\n
compute IV for phase2\n
phase1 last IV:\n
\ne5d6dbef 3a509b07 766e76a7\n
phase2 IV computed:\n
\na39303c3 e9f82df6\n
Jan 10 08:15:41 sunnyday racoon: DEBUG: pfkey.c:795:pk_sendgetspi(): call
pfkey_send_getspi\n
Jan 10 08:15:41 sunnyday racoon: DEBUG: pfkey.c:808:pk_sendgetspi(): pfkey
GETSPI sent: ESP/Tunnel 62.160.52.119->10.70.1.100 \n
Jan 10 08:15:41 sunnyday racoon: DEBUG: isakmp_quick.c:129:quick_i1prep():
pfkey getspi sent.\n
Jan 10 08:15:41 sunnyday racoon: DEBUG: pfkey.c:195:pfkey_handler(): get
pfkey GETSPI message\n
Jan 10 08:15:41 sunnyday racoon: DEBUG2: plog.c:199:plogdump():
\n02010003 000a0000 00000001 00000396 00020001 01d84e96
00000001 00000014\n00030005 ff200000 10020000 3ea03477 00000000
00000000 00030006 ff200000\n10020000 0a460164 00000000
00000000\n
Jan 10 08:15:41 sunnyday racoon: DEBUG: pfkey.c:879:pk_recvgetspi(): pfkey
GETSPI succeeded: ESP/Tunnel 62.160.52.119->10.70.1.100
by sebastien on 2006-01-10 08:24:30 +0100
\n764e1119 daad3630 d773ca44 7d163814 fd735244 bcf3b18a 4c7b78ae
2c3e225d\n1bcdab8f 1a9e3c2f f57e513f fb2add11 073ce657 5bfddfeb
f25d0c67 811edbc5\n45848390 3e4b9762 8e1b8ce3 7c639985 3d8cbe40
7089edb4 6fd50f19 47f2256d\n0a39e2d7 ee6ae265 02ea18b7 f057b4e7
18ff5fcc 68f93184 8c95904a 4d93753d\n8361dec0 5365272d 005298e5
7e85860d 3283b3f5 50c31319 7f02ad7d 1a22eab2\na0b073be f6ee8ad1
58420fe6 e1aa6bfb 41c9dbd7 20e0b0f0 382ada9c 6fc3d6a0\n
use local ID type IPv4_address\n
use remote ID type IPv4_subnet\n
isakmp_quick.c:206:quick_i1send(): IDci:
\n01000000 0a010364\n
isakmp_quick.c:208:quick_i1send(): IDcr:
\n04000000 c0a80100 ffffff00\n
isakmp.c:2457:set_isakmp_payload(): add payload of len 76, next type 10\n
oakley.c:752:oakley_compute_hash1(): HASH with:\n
\n766e76a7 0a000050 00000001 00000001 00000044 01030402 01d84e96
0300001c\n01020000 80010001 80020708 80040001 80050001 80030005
0000001c 02020000\n80010001 80020708 80040001 80050002 80030005
04000014 8cff85b9 59ed4658\nf8bd2bf5 24cba9cb 050000c4 764e1119
daad3630 d773ca44 7d163814 fd735244\nbcf3b18a 4c7b78ae 2c3e225d
1bcdab8f 1a9e3c2f f57e513f fb2add11 073ce657\n5bfddfeb f25d0c67
811edbc5 45848390 3e4b9762 8e1b8ce3 7c639985 3d8cbe40\n7089edb4
6fd50f19 47f2256d 0a39e2d7 ee6ae265 02ea18b7 f057b4e7
18ff5fcc\n68f93184 8c95904a 4d93753d 8361dec0 5365272d 005298e5
7e85860d 3283b3f5\n50c31319 7f02ad7d 1a22eab2 a0b073be f6ee8ad1
58420fe6 e1aa6bfb 41c9dbd7\n20e0b0f0 382ada9c 6fc3d6a0 0500000c
01000000 0a010364 00000010 04000000\nc0a80100 ffffff00\n
oakley.c:762:oakley_compute_hash1(): HASH computed:\n
Jan 10 08:15:41 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n9c2c2ffc
9af360c2 8193a055 d306a357\n
begin encryption.\n
pad length = 8\n
\n01000014 9c2c2ffc 9af360c2 8193a055 d306a357 0a000050 00000001
Known Good Sonicwall TZ130 Settings
Known Good Sonicwall TZ130 Settings
If you have trouble, try removing the connection settings in IPSecuritas, quit
the application and start over by creating a New Connection. I do this
whenever I hit "Start IPSEC" in IPSecuritas and see "X_SPDDUMP failed: No
such file or directory" in the IPSecuritas log or nothing at all in the sonicwall
log, (they tend to happen at the same time).
I just got a sonicwall tz 170 to work with IPSecuritas on 10.4.3, here are the
settings.
Omitted items are blank or unchecked.
------IPSECURITAS-----:General
host to network / static ip at work
first three numbers of work network plus a zero (192.168.1.0)
24 / ip address of IPSecuritas machine / main / obey / 16
:Phase 1
28000 / mod1024(2) / 3des / sha1
:phase 2
28800 / mod768(1) / des / hmac md5
:id/auth
address / address
:options
ipsec doi / sit_identity_only / initial contact
generate policy / dhcp pass-through / establish ike immediatly
------SONICWALL-----:general
groupvpn
your secret here
:proposals
:phase1
group 2 / 3des / sha1 / 28800
:phase2
esp / des / md5 / group 1 / 28800
:advanced
forward packets / 0.0.0.0 / lan
:Client
always / this gateway only / use dhcp
IPSecuritas & Checkpoint VPN-1 Pro R60
IPSecuritas & Checkpoint VPN-1 Pro R60
by perezcr1 on 2006-01-03 19:58:07 +0100
I have manage to connect to the VPN, I can even connect to the VPN web
console. But If i try to do a ping Remote desktop , the firewall gets the
packet but doesn't let it pass. Have any one been able to work with this
configuration. I have OSX 10.4.3 and the latest version of IP Securitas.
Any help will be greatly appreciated.
ANN: 10.4.4 Update Broke IPSecuritas 2.1?
ANN: 10.4.4 Update Broke IPSecuritas 2.1?
by Lawrence Bean on 2006-01-12 17:33:16 +0100
I have been using IPSecuritas with 5 IPCop firewalls happily for a number of
months. Great product. I just this morning installed the 10.4.4 update from
Apple. Now when I start IPSecuritas, it says everything is OK and I get green
chechmarks, but I get no connectivity. I cannot ping anything on the
network. Even more distressing, even with IPSecuritas quit I cannot ping the
IPCop firewall at its public address. I can ping the gateway to all 5
buildings, but trying to ping the firewalls results in 100% packet loss. On
another computer right beside this one that does not have IPSecuritas and
has never used VPN but it otherwise *exactly* the same including the
10.4.4 update, I can ping both the gateway and the firewall happily. On this
machine, I can ping anywhere else on the network except my five firewall
addresses. As it happened to all five firewalls in very physically separated
buildings, that pretty much rules out the firewalls being the trouble, and as
it works on a computer next to this one that pretty much rules out the
network between here and there, leaving the problem with this machine.
My suspicion is that a config file somewhere has blown up, but I'm not sure
where to even begin looking. My next step will be an uninstall/reinstall of
IPSecuritas. In the meantime, and suggestions of how else to "clean house"
would be greatly appreciated.
Re: 10.4.4 Update Broke IPSecuritas 2.1?
by Flo Wagner on 2006-01-13 11:48:40 +0100
I have the very same problem as Lawrence. After installing the 10.4.4
update I cannot reach any client in the network after establishing an IPSec
connection with IPSecuritas 2.1 (the firewall is IPCop, too). Yet, I can ping
the firewall when IPSec ist stopped. Last entry in the IPCop log is "IPSec SA
established". So it may be some kind of routing error?!
Any hint would be greatly appreaciated.
Regards,
Flo
by LBean on 2006-01-13 16:13:24 +0100
Update: Complete uninstall of IPSecuritas including pref files followed by
reboot set things back to "right" as far as normal, non-vpn functions are
concerned. I can now ping the public side of everything and get the firewall
web interfaces. Reinstall and reconfiguration of IPSecuritas vpn with
certificates to a single firewall gave green checkmarks on both my side and
the firewall side. Both logs look correct as a normal establishment of a vpn.
However, no joy being able to ping any device on the remote Green
network, even the private side of the firewall, no ability to "lookup" any
hardcoded FQDN of a private host in Green, and traceroute to the private
side of the firewall times out without yeilding any useful information. I am
now officially in over my head. Good news: OpenVPN (tunnelblick) is now
working where it wasn't before uninstall/reinstall of IPSecuritas.
by cnadig on 2006-01-16 17:32:55 +0100
Hello,
I could not find any problems after upgrading to 10.4.4 - but this might be
very depending on the specific configurations used. In order to investigate,
could you please give a descripton of you settings and of your network
setup. Also, please supply the ouput of the following commands while IPSec
is running (the green check mark is visible):
sudo setkey -DP
sudo setKey -D
netstat -nr
ifconfig -a
(please replace confidential information like your public IP address with
anynomized information).
Thanks,
Christoph
by Vincent on 2006-01-18 16:04:49 +0100
Hello,
I have the same problem since installation of 10.4.4 but the check mark
stay red.
I deleted the pref file without success.
Both setkey commands return nothing.
The firewall is CheckPoint/Gateway R60 (NGX) HFA-01.
Vincent
by Flo Wagner on 2006-01-18 19:48:01 +0100
Output of the commands is as follows:
[code]$ sudo setkey -DP
0.0.0.0/0[any] 192.168.254.199[any] any
in ipsec
esp/tunnel/192.168.254.254-192.168.254.199/require
refcnt=1
192.168.254.199[any] 0.0.0.0/0[any] any
out ipsec
refcnt=1[/code]
[code]$ sudo setkey -D
192.168.254.199 192.168.254.254
esp mode=tunnel spi=1228686566(0x493c44e6)
reqid=0(0x00000000)
E: 3des-cbc [...]
A: hmac-md5 [...]
replay=4 flags=0x00000000 state=mature seq=1 pid=566
created: Jan 18 19:21:34 2006 current: Jan 18 19:23:21 2006
diff: 107(s) hard: 28800(s) soft: 23040(s)
last: Jan 18 19:23:06 2006
hard: 0(s)
soft: 0(s)
current: 6832(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 45 hard: 0 soft: 0
refcnt=2
192.168.254.254 192.168.254.199
esp mode=tunnel spi=162150579(0x09aa38b3)
reqid=0(0x00000000)
E: 3des-cbc [...]
A: hmac-md5 [...]
last:
hard: 0(s)
soft: 0(s)
current: 0(bytes)
hard: 0(bytes) soft: 0(bytes)
refcnt=1[/code]
[code]$ netstat -nr
Routing tables
Internet:
Destination
Gateway
Flags Refs
Use Netif Expire
default
192.168.254.254 UGSc
2
5 en1
127
127.0.0.1
UCS
0
0 lo0
127.0.0.1
127.0.0.1
UH
63
6335 lo0
169.254
link#5
UCS
0
0 en1
192.168.254
link#5
UCS
2
0 en1
192.168.254.199 127.0.0.1
UHS
0
0 lo0
192.168.254.254 0:5:5d:a2:de:6
UHLW
5
59 en1
1046[/code]
[code]$ ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: [...]
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST>
mtu 1500
inet6 ****::***:****:****:****%en1 prefixlen 64 scopeid 0x5
by Olaf Seifert on 2006-01-19 17:11:58 +0100
The same here, since running Mac OS X v.10.4.4. When trying to establish a
VPN-connection in the used manner, IPSecuritas 2.1 shows green
checkmark but my Mac can not reach anything behind IPCop-firewall
v1.4.10 (ping-time-out etc.)
???
by Nick Rutter on 2006-01-19 19:48:11 +0100
I've had the same problem!
I was happily using IPsecuritas 2.1 on 10.4.3, on a network using IPsec, and
all was well until I updated to 10.4.4. Now only local things work, and the
windows machines on the network all are still working, so I know that it's
me. Other mac users have suffered the same problem as me. Anybody
know how to fix this? Is apple going to release a fix? Is IPsecuritas going to
be updated?
by Chris Haas on 2006-01-19 23:25:21 +0100
On my mac IPSecuritas is working. On a other mac its broken.
The thing what is different:
I did the combo update. On the other mac it was the delta update.
Any exp. with that?
Chris
by LBean on 2006-01-20 02:05:49 +0100
>could you please give a descripton of your settings and of your network
setup
I am connecting to an IPCop 1.4.10 firewall from home over cablemodem.
Here is the writeup I use to configure IPSecuritas, which has worked fine for
months and no changes have been made:
----In the General tab, set the following:
Remote IPSec Device: [firewall IP]
Remote Network: [remote IP/mask]
Local Address: [blank]
Exchange Mode: Main
Nonce Size: 16
In the Phase-I tab, set the following:
Lifetime: 28800
Encryption: 3DES
In the Phase-2 tab, set the following:
Lifetime: 28800
Encryption: check "3DES" and "AES 128", uncheck all others
Authentication: check "HMAC SHA1", uncheck all others
In the ID/Auth tab, set the following:
FIRST: select "Certificates" at the bottom, change Local: to the name of your
private certificate, change Remote from "Check CA" to the name of the
building
SECOND: above, set both "Local Identifier" and "Remote Identifier" to
"Certificate"
In the Options tab, check everything EXCEPT Passive and Auto-Start
Click OK
When you want to connect, click "Start IPSec". If all was done correctly, after
a few moments, the red X should change to a green checkmark. You can
now use your remote computer on the school network just as though you
were at school.
----I do get the green checkmark, and the IPCop also shows a connection
successfully made. I'm told my message is too long, so I will post output
separately.
by LBean on 2006-01-20 02:06:23 +0100
>please supply the ouput of the following commands while IPSec is running
>(the green check mark is visible)
>sudo setkey -DP
"*" used to mask real numbers, but all numbers are correct. My local
address is assigned dynamically by RoadRunner, so I left it as is.
192.168.*.*/*[any] 24.198.95.95[any] any
in ipsec
esp/tunnel/*.*.*.*-24.198.95.95/require
refcnt=1
24.198.95.95[any] 192.168.*.*/*[any] any
out ipsec
esp/tunnel/24.198.95.95-*.*.*.*/require
refcnt=1
> sudo setKey -D
24.198.95.95 *.*.*.*
esp mode=tunnel spi=1437978041(0x55b5cdb9)
reqid=0(0x00000000)
E: 3des-cbc 9c637e10 e4be7f47 ef9ddde9 def83280 036657ba
8b29c7a1
A: hmac-sha1 92d7e0ab d08d7b87 ce0a09f0 5fb22b4e 46988358
last: Jan 19 19:36:44 2006
hard: 0(s)
soft: 0(s)
refcnt=2
*.*.*.* 24.198.95.95
esp mode=tunnel spi=191312427(0x0b67322b)
reqid=0(0x00000000)
E: 3des-cbc 842f4747 51ce44f1 3aaa2acd 401eb533 8d00d4a6
9c53aaf7
A: hmac-sha1 ca79cf33 f049c230 be103704 b7f96b4a 56c5d5d0
last:
hard: 0(s)
soft: 0(s)
current: 0(bytes)
refcnt=1
>netstat -nr
Routing tables
Internet:
Destination
Gateway
Flags Refs
Use Netif Expire
default
24.198.80.1
UGSc
15
105 en1
24.198.80/20
link#5
UCS
2
0 en1
24.198.80.1
0:5:74:f2:90:8c UHLW
15
0 en1 1200
24.198.93.26
0:a:95:72:b:b4
UHLW
1
9 en1
24.198.95.95
127.0.0.1
UHS
0
0 lo0
127
127.0.0.1
UCS
0
0 lo0
127.0.0.1
127.0.0.1
UH
10
1969 lo0
169.254
link#5
UCS
0
0 en1
by busta on 2006-01-20 15:06:29 +0100
Same problem here, just installed IPSecuritas 2.1 under Mac os X 10.4.4
and it isnt working. I don't seem to get much log output either. Sometimes
it logs, and sometimes it doesen't.
If i use VPN-tracker it works ok. I'm connecting to a Zywall 70.
by LBean on 2006-01-28 20:42:31 +0100
RE:Chris Haas and 10.4.4 combo
I just installed the 10.4.4 combo update over my current 10.4.4, but no
change. Still green checkmarks and both ends log a good connection, but
pings are 100% packet loss and traceroute shows nothing.
Chris, did you use the 10.4.4 combo to update 10.4.3? Are you connecting
to IPCop? If so, could you post your IPSecuritas settings and prefs and IPCop
settings so I could compare for differences?
by Trevor Baker on 2006-01-29 21:57:31 +0100
Hi,
Like other posters, I have the same problem since updating OS X to 10.4.4
(using the combo updater). Thinking that I have messed up, I re-installled
OS X from the original media and used software update to bring myself
back up to 10.4.4. Nothing has changed on my IPCop box, nor my
IPSecuritas configuration. The only change has been updating from 10.4.3
to 10.4.4.
I use my VPN to secure my wireless connection (IPCop blue interface) to the
LAN and Internet (Host to Anywhere). When the VPN is not started, I can
ping the WLAN intarface on my access point (10.0.1.3), the Blue interface
on my IPCop Box (10.0.1.1) and the Green interface (10.0.0.1). When
started, I can ping the access point (10.0.1.3), but cannot ping any anything
else on my network/Internet.
Both IPSecuritas and my IPCop box register an open VPN but no traffic can
pass. I have been able to verify the IPCop side with another (wired)
workstation. I am including my results from the terminal commands asked
for by cnadig.
sudo setkey -DP
10.0.1.1[any] 10.0.1.10[any] any
in none
refcnt=1
0.0.0.0/0[67] 10.0.1.10[any] any
in none
refcnt=1
0.0.0.0/0[68] 10.0.1.10[any] any
in none
refcnt=1
0.0.0.0/0[any] 10.0.1.10[any] any
in ipsec
refcnt=1
10.0.1.10[any] 10.0.1.1[any] any
out none
refcnt=1
10.0.1.10[67] 0.0.0.0/0[any] any
out none
refcnt=1
10.0.1.10[68] 0.0.0.0/0[any] any
out none
refcnt=1
10.0.1.10[any] 0.0.0.0/0[any] any
out ipsec
refcnt=1
sudo setkey -D
No SAD entries.
Sorry,
I forgot to close my prevoius post. Thank you for looking at my post, I
hope my information will be helpful in solving our problem.
Trevor
by Chris Haas on 2006-02-09 09:17:40 +0100
I noticed that the problem only exist if the ip adress of the mac is an
"official" ip adress and so the ip-adress of the mac is one end of the tunnel.
If I establish a tunnel when my Mac is behind a NAT-router (and so it has a
privat ip-adress) I can get traffic through the tunnel.
I tested it with 2 different Mac all with 10.4.4.
Chris
Re: 10.4.4 Update Broke IPSecuritas 2.1 WORKAROUND
by LBean on 2006-02-10 14:11:15 +0100
I can verify this! I just set my airport base station to "share a single IP
address using dhcp and nat" and my IPSecuritas worked perfectly. I went
back to having my base station as a "dumb hub" only and although I still
get the green connection checkmark I cannot connect to nor ping anything
on the remote network. Back to dhcp/nat on the airport, and I am pinging,
connecting to servers, and using Remote Desktop.
Now the BIG QUESTION .... *WHY*??? And what about those poor souls who
do not have an airport base station to carry around in their front pocket?
Does anyone from Lobotomo participate in this list? I've sent two emails to
their support address simply asking if they were aware of this thread, but
never got any reply, not even just a simple "yes" or "no".
by Erik Meitner on 2006-02-13 20:41:09 +0100
We have also run into this problem. Connecting to a Netscreen 5GT worked
great for our Macs until we updated them to 10.4.4. The Netscreen reports
that the phase-2 negotiations could not complete because there were no
acceptable phase-2 proposals.
The exact same VPN configuration works fine on non-10.4.4 Macs.
The Log shows the following after the VPN is brought up:
Feb 13 13:19:41 Horse-with-no-name-3 racoon: ERROR:
Feb 13 13:19:41 Horse-with-no-name-3 racoon: DEBUG:
isakmp_inf.c:869:isakmp_info_recv_n(): notification message 14:NOPROPOSAL-CHOSEN, doi=1 proto_id=1 spi=0b57ba623078e122
279132308d30c6b6 (size=16).
And in addition to my post above:
The generated racoon and setkey configs do not differ at all between our
Macs that work and those that don't(10.4.4).
by Jeremy cooke on 2006-02-14 12:35:46 +0100
I experienced the same problem and searched the web for a solution. I am
NON technical and didnt understand half of what was being said.Remote
connection for me was critical, so i decided to look for another VPN client
solution,connecting to an Exchange server. I downloaded and installed the
30 day demo of VPN tracker
and failed to configure it proerly because its way above my expertise. BUT
geuss what,almost immediately my IP securits connection came to life on a
hard wire connection and on the built in airport.dont know why or how but thats what happened.I geussi ts bad news for VPN Tracker sales, but
hey it did it for me.
I tried the VPN Tracker demo on the same 10.4.4 box that IPSecuritas does
not work on. VPN Tracker worked fine. As I understand it, it does not use
the BSD native 'racoon' IKE daemon so it is no surprise that it works.
I manually configured racoon and tried to establish a VPN. Phase-2
negatiations still fail. This is a known good configuration.
I tried reconfiguring the VPN for various phase-2 authentication and
encryption types with no success. Apple broke something. I think we need
to just wait for them to fix it.
by mrfett on 2006-02-14 20:21:09 +0100
[quote author=Jeremy cooke link=1137083596/15#19 date=1139916946]I
downloaded and installed the 30 day demo of VPN tracker
and failed to configure it proerly because its way above my expertise. BUT
geuss what,almost immediately my IP securits connection came to life on a
hard wire connection and on the built in airport.[/quote]
wait you just installed this app and IPSecuritas started working? i know my
issue is a little different than the one discussed here, but i'll give that a
shot...
by cnadig on 2006-02-14 22:04:56 +0100
Hello all,
thank you very much for your logs and other hints - they helped a lot in
tracking down the problem.
There were indeed a lot of changes in racoon (the IKE daemon, responsible
for the key exchange and some part of kernel configuration for IPSec)
between 10.4.3 and 10.4.4.
Unfortunately, these changes make it necessary for us to supply a new
version of IPSecuritas which includes its own, working version of racoon,
which will take one or two more days. We're very sorry for all
inconveniences!
The new version will be labeled 2.2 and will be announced through the
usual channels (www.versiontracker.com, www.lobotomo.com)
Thanks again,
Christoph
(Lobotomo Software)
Re: ANN: 10.4.4 Update Broke IPSecuritas 2.1?
Hi,
There's an update to Mac OS X (10.4.5) using Software Update. This fixed
my issue with IPSecuritas.
Thanks,
Trevor
by Flo Wagner on 2006-02-15 12:31:45 +0100
Thanks Trevor, installing the 10.4.5 update did it for me, too.
And thanks anyway to Christoph for his assistance!
Cheers,
Flo
by Vincent on 2006-02-17 14:03:27 +0100
I installed Combo 10.4.5 and no change.
I rebuild the preference file.
I have "IPSec started" but red X stay. No green check.
I can verify that the 10.4.5 update did fix the problem.
by yon on 2006-02-17 20:23:44 +0100
I am using 10.4.5 and I can't get an IP address from IPCOP behind the VPN.
Any ideas? My setup looks like the normal IPCop/IPSecuritas setup.
by xdavid on 2006-02-19 09:57:59 +0100
Another confirmation: 10.4.5 fixed it.
From the update release notes:
"... includes general operating system fixes, as well as specific fixes for the
following applications and technologies: ... -VPN connections to Cisco
servers when using NAT"
Interestingly, I thought this was a misleading note since I only got a
problem when I was on a public IP and it worked fine behind a NAT router
(Netgear). However, on further analysing where it worked and where it did
not, my 'public' IPs were all dynamically assigned by the ISP, whereas the
LANs where I was behind a NAT router actually had a static external IP
assigned to them. This suggests to me that there was more of a general
routing bug in 10.4.4 than just NAT.
This was the specific error in the logs where it broke down an would not
complete phase 2 negotiations (although it seemed to get a fair way
through them)...
Feb 18 13:27:09 Redpaw racoon: DEBUG:
dd03679ef51ce26e:ff15187961a5d0bf:2279bb6f\n
Feb 18 13:27:09 Redpaw racoon: ERROR: isakmp.c:196:isakmp_handler():
the length of the isakmp header is too big.\n
Feb 18 13:27:11 Redpaw racoon: ERROR: isakmp.c:183:isakmp_handler():
packet shorter than isakmp header size.\n
Anyway, all better now with the 10.4.5 update. ;D
Thanks Lobotomo for your continued support for IPSecuritas. I hope my
small contribution to your tip-jar allows you to continue your great work
for the Mac community!
-david
by Brian Reed on 2006-03-01 19:11:15 +0100
IPSecuritas 2.1 and MAC OS 10.4.5 is NOT working for us
by Vincent on 2006-03-01 21:33:28 +0100
[quote author=Brian Reed link=1137083596/15#29
date=1141236675]IPSecuritas 2.1 and MAC OS 10.4.5 is NOT working for
us[/quote]
I override /usr/sbin/racoon file with the 10.4.3 version and it's OK. I don't
know why...
Hi,
Just thought I'd drop a quick note. The Apple security update breaks the
10.4.5 "fix" again. VPN is down. According to Apple this update fixes an
IPSec issue with regards to remote DoS attacks. The blurb from Apple's site
follow.
BTW, how's the update for IPSecuritas coming? <grin> I'll gladly be a tester
if you like.
Also, Vincent, where can one find /usr/sbin/racoon from 10.4.3?
Trevor
----------------------------------Taken from
docs.apple.com--------------------------IPSec
CVE-ID: CVE-2006-0383
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X
v10.4.5, Mac OS X Server v10.4.5
Impact: Remote denial of service against VPN connections
Description: Incorrect handling of error conditions for virtual private
networks based on IPSec may allow a remote attacker to cause a service
interruption. This update addresses the issues by correctly handling the
conditions that may cause crashes. Credit to OUSPG from the University of
Oulu, NISCC, and CERT-FI for coordinating and reporting this issue.
by Vincent on 2006-03-02 02:28:52 +0100
Hi Travor,
I try the update Update 2006-001 without success.
I had installed 10.4 and Combo 10.4.3 on a external disk to obtain racoon.
Vincent
by Flo Wagner on 2006-03-20 14:13:27 +0100
The Security Update did break my setup again, too. But if 10.4.5 worked for
you, you can simply extract the racoon executable from the 10.4.5 Combo
Update, available here: http://www.apple.com/support/downloads
/macosxupdate1045combo.html.
Mount the .dmg and choose 'Show package content' from the context menu
of the .pkg file. Next unpack 'Archive.pax.gz' from the Content subdir of
the package. Then just overwrite /usr/sbin/racoon with the one you just
extracted (you must be root to do that). You can always revert to the latest
racoon version by simply installing 'Security Update 002'
(http://www.apple.com/support/downloads
/securityupdate2006002v11macosx1045ppc.html).
Regards,
Flo
P.S.: Do this at you own risk. I wont take any liability for damage (e.g. you
Mac explodes or something ;)). Also be careful when working as root, as
one can easily breake some vital system files.
Hi Gang,
The new OS X Tiger update, 10.4.6, again restores IPSecuritas functionality.
Just wanted to let everyone know. Any news on the update to 2.2 for
IPSecuritas?
Thanks,
Trevor
by Vincent on 2006-04-04 11:55:46 +0200
No success for me with 10.4.6 and CheckPoint NGX
Sometime it's work with 10.4.3 image of /usr/sbin/racoon
Vincent
Local Address with Sonicwall
Local Address with Sonicwall
by rtl on 2006-01-19 04:22:30 +0100
Hi,
I've been trying to get IPSecuritas 2.1 working with a Sonicwall TZ150. It
failed during Phase 2 with the following message...
"IKE Responder: No match for proposed remote network address"
I was able to resolve the issue by setting a remote address of 192.168.45.0
in the Sonicwall SA and setting my local address in IPSecuritas to
192.168.45.5, but I've never had to enter a local address for the settings
I've used for Netscreen firewalls.
Are there other Sonicwall/IPSecuritas users who have had this problem and
been able to resolve it? I've tried some of the setups listed on the boards
that say they work, but have not been able to get anything going until I
added the local address setup.
Thanks!
How to export a certificate that can go in to CM?
How to export a certificate that can go in to CM?
by GrandPA on 2006-02-01 23:26:33 +0100
Is there anyone who can tell me how to export a certificate (selsigned) from
the mac to one thats accepted by IPSecuritas?
Unable to Browse Network - BEFSX41
Unable to Browse Network - BEFSX41
by mrfett on 2006-02-06 21:44:34 +0100
I'm trying to use IPSecuritas to connect to a Linksys BEFSX41 running 1.52.9
firmware. My Mac is running OS X 10.4.4. I can successfully make a
connection (I get a green checkmark) but I am unable to see any of the
machines on the network. When I try to ping a machine, the message is "no
route to host". Can anyone offer some advice? I'm using 3DES and SHA if
that makes any difference. Thank you.
Re: Unable to Browse Network - BEFSX41
by mrfett on 2006-02-15 18:45:50 +0100
10.4.5 didn't help me, just FYI.
by yves_kayak on 2006-03-05 20:17:29 +0100
Hello,
If you get the green light and get a "no route to host" error, I think your
remote network config is wrong.
Edit your configuration. In the General tab, check the "remote network"
field. (If you're not sure, the network admin will provide you this
information). Also, check the other field on that line, the number of bits in
mask. If your mask is 255.255.255.0, use 24 bits; it your mask is
255.255.0.0 use 16 bits.
Hope this helps,
Yves
by mrfett on 2006-03-24 17:22:58 +0100
forgot to thank you for the advice. unfortunately, that config tip didn't help
either. i've gone over all the instructions pretty thoroughly, and can't see
what the issue could be. but thanks for the help.
Starting IPSec from command line
Starting IPSec from command line
by Peer Sandtner on 2006-02-08 20:57:43 +0100
How can I start/stop IPSec from the command line? It seems that IPSecuritas
is not scriptable. But perhaps there are other solutions out there.
Thanks,
Peer
Connecting to IPCOP IP Address (DHCP) Problem
Connecting to IPCOP IP Address (DHCP) Problem
by boblee on 2006-02-16 04:54:00 +0100
I am running OS X 10.4.5, and I am having the same issue with 10.4.4.
When connecting to IPCOP VPN I do not seem to get an IP address from
IPCOP via DHCP. Infact, I dont seem to have an IP address at my works
internal network at all.
Am I suppose to be getting an IP via DHCP from IPCOP? It's setup to give
out addresses, and when I plug in my laptop at work I get an address.
Once I am connected to through the VNP I can connect to pretty much any
machine in my works network, but every connection comes from my home's
private IP.
For example, if I ssh to one of our servers at its internal address of
192.168.1.158 and I check to see where I am connected from it'll show my
Home's NAT, so it would look something like 10.1.1.101
Any ideas? I'd like to get a private IP from IPCOP via DHCP just like I do
when I plug in my laptop at work.
Re: Connecting to IPCOP IP Address (DHCP) Problem
by Stephen on 2006-02-17 20:21:17 +0100
Are you suppose to get an IP from the VPN with IPSecuritas? So your system
has 2 IPS????
Re: Connecting to IPCOP IP Address (DHCP) Problem
by yon on 2006-03-10 23:45:59 +0100
I have the same problem with 10.4.5
Any solution??
IPSecuritas Working with Windows Server RRAS
IPSecuritas Working with Windows Server RRAS
by Jack Valko on 2006-02-16 08:16:06 +0100
Has anyone gotten IPSecuritas to connect to a Windows 2003 Server
running RRAS?
Universal Binary
Universal Binary
by Andreas Ley on 2006-02-20 02:06:30 +0100
Hey there. IPSecuritas rules - thanks for that!
I'm a proud owner of an Intel-based iMac, and as such I prefer using native
binaries (mostly for speed issues).
But, for the record, everything works completely fine under Rosetta, using
either 10.4.4 and 10.4.5.
As far as I understand, IPSecuritas is a GUI for the built-in "racoon" of
MacOS X, so the speed of the actual IPSec connection isn't affected by
IPSecuritas beeing PowerPC only. Since that may change with version 2.2, I
was wondering if I could provide any help to make IPSecuritas an universal
binary. I can do some compiles and tests, but my coding skills are below
average. :)
Also, I had a few ideas concerning interface enhancements (with some
additional icons, if you'd welcome that). Is it ok to drop you a mail with an
example?
Thanks for the great work; keep it up!
PS: I tried to register, but I couldn't get the forum script to actually send me
a mail in 15 minutes. But maybe it'll get to me later.
Re: Universal Binary
by cnadig on 2006-02-21 23:40:37 +0100
Hello Andreas,
thank you very much for your feedback - certainly I'd like to receive all of
your proposals, please just send me an e-mail to
[email protected].
I will start to port IPSecuritas 3.0 (which at the moment is in beta testing,
soon a public beta will be released) to the new Intel architecture as soon as
I can get hold of a Intel machine for a few days.
Cheers,
Christoph
checkpoint office mode IKE over TCP
checkpoint office mode IKE over TCP
by Yitz Jacob on 2006-02-21 10:34:21 +0100
I use checkpoint's secureclient (username & password, office mode, and IKE
over TCP being the only real configuration settings)
does this translate into something that can be configured in ipsecuritas..? i
would really love to use my ibook to do my work rather than my pc..
thanks :)
yitz
Sonicwall TZ170
Sonicwall TZ170
by w_grace on 2006-02-21 13:08:46 +0100
Hello,
I am trying to get connected to a Sonicwall TZ170 and I am getting the
following;
Verify Identifyer is not selected and i have set the Remote Identifyer to the
IP address of the Sonicwall, both these suggestions I have seen in relation
to this error.
Any ideas?
Re: Sonicwall TZ170
by w_grace on 2006-02-21 17:42:33 +0100
I get the same thing with VPN Tracker, and they suggest going back to the
Default settings on the Sonicwall, but that would kill other clients that are
logging in OK. This is the only Mac Client I have and I get the following all
the time.
Phase-1
Group 1
3DES
MD5
28000
Phase-2
ESP
3DES
MD5
to time up to wait.
to time up to wait.
to time up to wait.
to time up to wait.
Any help would be great. Thanks
due
due
due
due
Watchguard Firebox Edge: USER_FQDN ID?
Watchguard Firebox Edge: USER_FQDN ID?
by jmaynard on 2006-02-24 04:56:44 +0100
I'm trying to get IPSecuritas running with a Watchguard Firebox Edge X5. I
know it can do IPSec, because it's talking with VPN Tracker. Unfortunately, I
can't get it to work with IPSecuritas.
The problem is that the local identifier needs to be a USER_FQDN string,
and I can't see how to set that in IPSecuritas. The underlying racoon config
file has it as a valid my_identifier type, but I can't see where IPSecuritas is
keeping its racoon.conf so I can see if it'll work at all.
Can i get there from here?
Re: Watchguard Firebox Edge: USER_FQDN ID?
by DDA on 2006-02-25 04:18:03 +0100
You can indeed get there from here; simply select DN for the Local
Identifier in the Id/Auth page and fill it is with [email protected] (or
even just @domain.com) and IPSecuritas will send a USER_FQDN ID.
by jmaynard on 2006-02-25 05:19:23 +0100
[quote author=DDA link=1140753404/0#1 date=1140837483]You can
indeed get there from here; simply select DN for the Local Identifier in the
Id/Auth page and fill it is with [email protected] (or even just
@domain.com) and IPSecuritas will send a USER_FQDN ID.
[/quote]
Nice...except for one problem: it needs to be tagged as a USER_FQDN, but
it's just a user name with no @ or domain name attached. Is there a way I
can force it to USER_FQDN without that?
by DDA on 2006-02-25 17:35:28 +0100
I believe if you put an @ in front of it, it will be sent as a USER_FQDN. So if it
would normally be "myusername", try "@myusername".
From the help:
[i]2. Domain Name (DN): This can either be a fully qualified distinguished
name (FQDN, e.g. lobotomo.com) or a user fully qualified distinguished
name (USER_FQDN, e.g. [email protected]). Normally, IPSecuritas
determines the type itself (i.e. if there is a @ character in the name it's
automatically considered a USER_FQDN. If you want to force IPSecuritas to
always send the consider the identification as USER_FQDN, prepend one @
character in front of the FQDN, e.g. @lobotomo.com)[/i]
I don't know if this will send the @ or just force it to say it is a USER_FQDN
but give it a try! :-)
by jmaynard on 2006-02-25 22:15:18 +0100
[quote author=DDA link=1140753404/0#3 date=1140885328]If you want
to force IPSecuritas to always send the consider the identification as
USER_FQDN, prepend one @ character in front of the FQDN, e.g.
@lobotomo.com)[/quote]
It didn't work. I tried it with the @ both before and after the user name. I
think it's sending the @ while flagging it as a USER_FQDN.
The help quoted seems to say that you can send a domain name as
USER_FQDN. I need to send the user ID with no domain name or @
attached, as a USER_FQDN.
Netscreen 5XP login issues
Netscreen 5XP login issues
by Derek on 2006-02-27 16:58:54 +0100
I can connect from home to my Netscreen 5XP at work but I can only see a
few macs as active using Apple remote desktop. Most of them are NOT
visible. I can't even ping them. Any hints?
Re: Netscreen 5XP login issues
by TZ on 2006-03-30 20:40:09 +0200
Review your netscreen policies, there should be something there... ;)
Anyone using IPSecuritas/Mac OS X/Checkpoint VPN-1
Anyone using IPSecuritas/Mac OS X/Checkpoint VPN-1
by Jack sellers on 2006-02-28 01:53:42 +0100
I was told by someone at Checkpoint that IPSecuritas works connecting a
Mac running Panther or Tiger to a network running CheckPoint VPN-1. Is
there anyone out there who can help me?
Re: Anyone using IPSecuritas/Mac OS X/Checkpoint V
by Rolf Schmerder on 2006-03-05 17:43:11 +0100
Hi Jack! Yes - it can...or should I say ...under certain circumstances? I had a
connection running from my IBook with Tiger 10.4.x to our company LAN
beeing protected by CP-VPN-1 NGX. Unfortunately right now after an
update (my IBook to 10.4.5 it doesn' t work anymore. But I could give you
my config screenshots if you give me your email address.
Greets
Rolf, Hamburg - Northern Germany
Re: Anyone using IPSecuritas/Mac OS X/Checkpoint V
by Paul Donovan on 2006-03-05 18:55:30 +0100
I'm unable to get IPSecuritas 2.1 to connect to a CheckPoint VPN-1 network
either. I'm running 10.4.5.
I can connect successfully using the demo of VPN Tracker 4.6 but the demo
has an extremely annoying 3 minute timeout so I downloaded IPSecuritas.
I've only been using VPN since yesterday so I'm new to all this!
If you could give me the settings that used to work I can try those and see if
I can get anywhere.
I have a Mac mini still running 10.4.4 that I can test on too.
Thanks a lot,
Paul
(paul at donovansbrain dot co dot uk)
10.4.5 giveth, Security 2006-001 taketh away
10.4.5 giveth, Security 2006-001 taketh away
by Lawrence Bean on 2006-03-02 17:12:55 +0100
Saw IPSec listed in this Security Update released today by Apple, so I cloned
to a non-critical machine and tested. Same issue as with 10.4.4, but worse.
The NAT work-around works, so if your client running IPSecuritas is behind
a natted device and running in the 10.x.x.x, 192.x.x.x, or 172.x.x.x ranges
it works.
In the 10.4.4 trouble with a public address, I could get general internet but
could not ping/connect to the private network. Now in 10.4.5 with Security
Update 2006-001 applied and "Replace DNS ..." checkmarked, in addition
to not being able to ping/connect to the private network, I cannot get
general internet services.
Additional info: The client shows a green checkmark, and the IPCop firewall
shows an open connection with the client. It appears I can ping public IPs
by IP address. It appears I can lookup FQDNs and get their IP addresses. I
cannot ping the FQDN, though, and it times out with "could not resolve
host". I cannot ping the private network by IPAddress or FQDN, neither on
the inside private addresses, nor on the outside public address(es). I cannot
get any http, https, ftp, or ssh connections by FQDN. I can get ftp and ssh
by IPAddress. I seem to begin to load a web page by IPAddress, i.e. I get the
name of the page in the browser header, but loading stalls before the page
renders and I get a "You are not connected to the Internet" error. If I go to
IPSecuritas Preferences and uncheck "Replace DNS ...", this solves all the
general internet trouble and web, ftp, ssh are all back to normal, but still no
ping to private network on the inside or the outside addresses.
I'd be happy to provide any further info and run any further tests that the
Lobotomo team would like, including alphas and betas. Just ask.
Connection lost with SonicWall PRO 230
Connection lost with SonicWall PRO 230
by Yves Forget on 2006-03-05 18:04:54 +0100
Hello everyone,
I'm using IPSecuritas to connect to a SonicWall PRO 230 firewall/VPN Server.
It *does* work, but I lose the VPN connection every 10 minutes or so.
I have a Linksys BEFSR41 router on the client side, I don't know if it's part of
the problem.
When I use VPN Tracker 3 as the VPN Client it works fine. (on the same
Mac, connecting to the same server)
Re: Connection lost with SonicWall PRO 230
by Yves Forget on 2006-03-05 18:07:32 +0100
I'm on a PowerMac G5 with Mac OS X 10.4.5
Did anyone experience something similar ?
Thanks !
yves
by Tom Komadowski on 2006-06-07 20:00:17 +0200
It's dropping you because of the dead peer detection. turn that off on the
client and on the sonicwall and you will be fine.
by yves_kayak on 2006-10-07 04:40:15 +0200
Hi everyone,
A couple of months after posting this question, we found the problem !
I connect to work using the VPN. Many of my work colleagues have routers
too, and local IP addresses set the router's DHCP are often the same :
192.168.1.100
If someone is connected with that address and someone else comes it with
the same (local) IP address, the user that was logged on is kicked out.
Those who don't have a router are connecting with their Internet IP
address, which is obviously unique, so the problem only happens for people
having routers (or a really messy configuration...)
In a small business, users can manage to use different local IP addresses
(easily set on your router's config).
Our VPN server (SonicWall Pro 230) can be set to provide DHCP addresses to
users of the VPN, but see my post regarding that one....
Hope this may help,
Yves Forget
IPSecuritas to IPSecuritas in a server config?
IPSecuritas to IPSecuritas in a server config?
by Matt Warren on 2006-03-08 22:40:47 +0100
This seems like it should be obvious, but I've yet to find docs or info on it.
I'd like to set up a host to network vpn with IPSecuritas at both ends. Is this
possible? I'm looking to get access to my home network from various public
locations.
I assume the client is setup as Host to Network. But what's a proper setup
for the "server" end of things? And what ports would I forward on the home
network's router?
I've found all kinds of info on connecting to other devices, but little to none
on connecting to IPSecuritas its self.
Intel Mac minor problem
Intel Mac minor problem
by jmaynard on 2006-03-10 15:34:34 +0100
I've got a shiny new MacBook Pro. IPSecuritas runs and VPNs, but there's
one minor problem: the status icon next to the connection name is always
blank, making it somewhat difficult to tell if the VPN link is actually up.
I suspect this is just a matter of building a universal binary. Any idea when
that might happen?
Netgear DG834GB <- Connect to ?
Netgear DG834GB <- Connect to ?
by sukram33 on 2006-03-10 17:02:09 +0100
Hi,
has anyone experience with netgear dg834gb?
I am tryin to connect to this router, but do not succed ... anyway, I do not
really understand what I am doing ... ???
Here is my configuration:
In the office: router dg834gb, dyndns host name (dynamic ip adress), using
nat with lokal ip range.
at the remote location there is also a router with nat and i forwarded esp
and upd port 500 (router is a avm fritz box)
has anyone perhaps experiences with a connection between ipsecuritas and
the netgear dg834gb router with both sides using dynamic ip adresses ?
thanks markus
Re: Netgear DG834GB <- Connect to ?
by tghewett on 2006-04-10 13:01:30 +0200
I now have the DG834 router connecting with IPSecuritas. The DG834 VPN
service only responds to the IP address on the ADSL port, i.e. the one
usually negotiated with the ISP. If you set the IPSecuritas Remote IPSec
Device value to the LAN IP address of the DG834, it won't work.
Recommend a VPN router for home use
Recommend a VPN router for home use
by eullman on 2006-03-15 01:04:09 +0100
Greetings.
My Netgear WGR614 at home has died, and I'm looking to replace it with a
router that offers VPN client access from Tiger/IPSecuritas and Win XP
(built-in). I don't need Wi-Fi, and I'd like to spend less than $150 if
possible. QoS is not required, but would be an added benefit.
Anyone care to offer a recommendation?
Thanks in advance,
Eric
Re: Recommend a VPN router for home use
by DDA on 2006-03-17 03:57:05 +0100
Netgear FWG114Pv2 will do 2 IPSec tunnels, WPA2 and has a USB printserver port. I don't know if it will do PPTP (the WinXP VPN stuff) but it works
fine with IPSecuritas (PSK so far).
Around $100 at NewEgg.
Netscreen to Dlink VPN
Netscreen to Dlink VPN
by Kev on 2006-03-16 06:43:37 +0100
Has anyone managed to get a Dlink VPN router DI804 to talk to a Netscreen
using IKE. I am getting a "Received incorrect ID payload: ID type mismatch"
from the debug but I can't work out what is going wrong. It looks like the
peer id is wrong but I cant find where to set it on the Dlink. There is also
nothing on the Netscreen knowledge base about setting up VPNs to third
party routers.
Kev. ???
Another user trying to match VPN Tracker settings
Another user trying to match VPN Tracker settings
by Phil Delaney on 2006-03-22 21:07:49 +0100
Hi,
i've checked google and these forums, i'm trying to connect using
IPSecuritas 2.1 on OSX 10.4.5 through a SonicWall2040 Pro.
The
Mar
Mar
Mar
Mar
Mar
Mar
Mar
Mar
Mar
log says:
20 23:28:33
20 23:28:33
20 23:28:33
20 23:28:33
20 23:28:33
20 23:28:33
20 23:28:34
20 23:28:34
20 23:28:34
pd-pb
pd-pb
pd-pb
pd-pb
pd-pb
pd-pb
pd-pb
pd-pb
pd-pb
IPSecuritas:
IPSecuritas:
IPSecuritas:
IPSecuritas:
IPSecuritas:
IPSecuritas:
IPSecuritas:
IPSecuritas:
IPSecuritas:
Setting up racoon.conf
Setting up psk.txt
Starting racoon...
Racoon is running
Set kernel keys
but i do not get a tunnel/connection - and there is a red cross on the main
window next to my setting name.
SonicWall Log says:
1
03/22/2006 20:03:11.336
Error
VPN IKE
SA -payload
processing error
84.XXX.XXX.XXX, 500 (admin)
82.XXX.XXX.XXX, 500
2
03/22/2006 20:03:11.336
Warning
VPN IKE
IKE Responder:
IKE proposal does not match (Phase 1)
82.XXX.XXX.XXX, 500
3
03/22/2006 20:03:11.336
Info
VPN IKE
IKE Responder:
Received Main Mode request (Phase 1)
82.XXX.XXX.XXX, 500
4
03/22/2006 20:02:44.880
Info
Authenticated Access
WAN
zone administrator login allowed
84.XXX.XXX.XXX, 0, X1 (admin)
82.XXX.XXX.XXX, 443, X1
82.XXX.XXX.XXX = public ip on sonic wall (router)
84.XXX.XXX.XXX = public ip on user (router)
If i connect using VPN Tracker and then connect using IPSecuritas i get the
green tick!
my IPSecuritas settings are:
Host to Network
Exchange Mode: Main
Proposal Check: Obey, size :16
Phase 1
Lifetime: 28800
Encryption: 3DES
Auth: SHA1
Phase 2
Lifetime: 28800
PFS Group: None (I know it is EPS on the SW)
Encryption: 3DES
Auth: SHA1
ID/Auth
Address for both and a preshared secret
Re: Another user trying to match VPN Tracker setti
by Josh Carlson on 2006-07-08 07:08:59 +0200
I more or less have the same problem with the same sonicwall model. Any
thoughts?
by Phil on 2006-07-17 15:38:20 +0200
Nothing.... still.....!!!!
by northben on 2006-07-31 15:27:19 +0200
You could try using the "debug level" logs or whatever they are called. It
might help you see what exactly is wrong.
I was able to get my setup working (TZ170) by more or less copying the
settings from the Sonicwall configuration page to the IPSecuritas pages.
HTH.
by yves_kayak on 2006-10-07 04:58:00 +0200
Hi,
Did you double-check that your IPSecuritas settings match the VPN Server's
settings ? Make sure there's not a typo in your secret key, and if you
copy/pasted it, make sure you don't bring an extra space.
I use exchange mode "agressive" instead of "main" to connect to our
SonicWall Pro 230.
Also, you can try a couple of things in the "options" tab.
Hope this helps,
Yves
Anyone using a Cyberguard endpoint?
Anyone using a Cyberguard endpoint?
by Demani on 2006-03-23 20:05:26 +0100
I'm trying to find the right setup, but I haven't had any luck so far. I have a
SG560 running the 3.1.2 firmware. Running v2.1 on OSX 10.4.5. I believe I
have all the settings matched but its stalling during the Phase one
negotiation.
Settings I have so far:
Host to Network
Aggressive Exchange mode
Proposal check: Claim
Phase 1
lifetime: 3600
DH Group 2
Encryption: 3DES
Phase 2
Lifetime: 3600
PFS Group 2
Encryption: 3DES
ID has the Local DN option set to the Required Remote Identifier on the
Cyberguard ("Outside" in this case)
The IPSec/IKE options that are checked are IPSec DOI, SIT_IDENTITY_ONLY,
MIP6, Initial Contact, and DHCP Pass-Through.
Establish IKE immediately is on.
The line in the IPSecuritas log I see when the connection isn't working is:
DEBUG: isakmp_ph1resend():resend phase1 packet.
I can provide more info if needed.
Re: Anyone using a Cyberguard endpoint?
by rugby on 2006-03-31 18:13:41 +0200
I have the same router, the same firmware and the same problem, although
it's with VPN Tracker.
I am going to contact Cyberguard and see if they can assist with this.
Here's a log of the issue I'm having:
2006-03-31 11:04:07: INFO: isakmp.c:2102:isakmp_post_acquire():
IPSec-SA request for X.X.X.X queued due to waiting for phase1 connection
to complete.
2006-03-31 11:04:07: DEBUG: isakmp.c:1807:isakmp_ph1resend(): resend
phase1 packet to X.X.X.X[500] (d909f677273dd58c:0000000000000000)
2006-03-31 11:04:10: DEBUG: pfkey.c:1793:pk_recvacquire(): ignore the
acquire because phase2 found
2006-03-31 11:04:27: DEBUG: isakmp.c:1807:isakmp_ph1resend(): resend
phase1 packet to X.X.X.X[500] (d909f677273dd58c:0000000000000000)
Adtran IPSEC
Adtran IPSEC
by Mikel King on 2006-03-30 03:01:38 +0200
Does anyone know if there has been any success with any of the Adtran
VPN products.
IPSecuritas says that IPSEC is UP but am unable to pass any traffic to the
remote LAN.
Any pointers would be helpful...
cheers,
m
intel
intel
by Shaddow on 2006-04-04 21:44:43 +0200
Does this software work on the new intel macs under rosetta or is it
universal already?
Linksys WRV54G: can't connect
Linksys WRV54G: can't connect
by tiffert on 2006-04-07 01:56:14 +0200
I have never been able to establish a VPN tunnel using IPsecuritas with my
Linksys WRV54G router (firmware 2.38.6). It is a VPN endpoint. I am using
the same, proven configuration that works for my Linksys BEFVP41.
Is this a known issue? Has anyone gotten it to work?
I *CAN* establish a tunnel without IPsecuritas, using a curl script from:
http://forums.macosxhints.com/showthread.php?t=40920
Any chance of adding support for this router? It is a popular device.
OS X 10.4.6
Thanks!
Re: Linksys WRV54G: no tunnels
by Francis Tanzella on 2006-04-16 21:58:46 +0200
Since you're using IPSECuritas, I presume you're using the passthrough. If
you're using the hardware tunnel you probably don't need IPSECuritas.
I was able to establish a tunnel with IPSECuritas using this router with no
real problem. I was connecting to a Checkpoint IPSEC server. I failed using
the hardware tunnel because I need to use a certificate, which it doesn't
support. So I turned off the hardware VPN, turned off the the other 2
passthroughs and only checked the IPSEC passthrough. I used the same
configuration that worked without the router and it went through first time.
Since I couldn't use the hardware VPN, I "downgraded" to a WRT54G, saved
$100, and it works fine.
Re: Linksys WRV54G: no tunnels
by tiffert on 2006-04-16 22:40:29 +0200
Just to clarify, I am not trying to establish a VPN between the BEFVP41 and
the WRV54G routers. Rather I am trying to use IPSecuritas from a third
location to establish tunnels to each of those routers in their capacities as
remote VPN endpoints. Put another way, the BEFVP41 and WRV54G are in
different parts of the US, and I am in another country all together with my
laptop and IPSecuritas. I can establish a tunnel to the BEFVP41, but cannot
to the WRV54G. It gets stuck at Phase 1.
Since I am trying to use the WRV54G as a remote VPN endpoint, with
IPSecuritas on the local end, I need to have the WRV54G's "hardware VPN"
turned on, right?
Any further suggestions?
Thanks!
Glenn
Re: Linksys WRV54G: can't connect
by Niels S. Eliasen on 2006-05-08 11:40:37 +0200
Hi
Just wanted to say "mee to!" if anyone can get a connection working to
WRV54G, then please ! share the info!...
Re: Linksys WRV54G: can't connect
by tiffert on 2006-05-14 21:32:37 +0200
I am the original poster to this thread. The following is just anecdotal and
circumstantial, but I hope helpful:
I have not tried to establish a VPN for about 3 weeks to my WRV54G. I had
previously not been able to use IPSecuritas (Phase 1 failures), only the curl
script mentioned in my initial post.
However, today my curl script stopped working, and the log revealed Phase
1 failures. Nothing on the remote side has changed, and the only thing I
can think of on the local side that has changed is the installation of Apple
Security Update 2006-003 (5/11/06). I decided to try IPSecuritas again out
of curiousity.
Amazingly, IPSecuritas now works with exactly the settings that would not
work last month and all of the months before. Perhaps the Security Update
changed something that was blocking IPSecuritas? Don't know. But I am
happy.
Can't view folder
Can't view folder
by Keith W on 2006-04-24 16:08:40 +0200
Hi There,
I'm having a problem getting access to one of my folders on the remote
server. The VPN connects fine and I can get into a number of other folders
without a problem but it seems that whenever I try and open this one folder
the finder gets stuck on the spinning wheel and ends up crashing.
I have checked my access rights and I should be able to access it without a
problem and was able to do so previously.
The only thing I could think of is that the folder I am trying to view is too
big, it has around 80 sub folders within so perhaps it has a problem with
this?
Any Thoughts?
Thanks,
Keith
ISA VPN to Sonicwall problems
ISA VPN to Sonicwall problems
by CybermonkeyCK on 2006-05-06 00:24:05 +0200
I have an ISA 2004 system trying to site-to-site VPN to a Sonicwall TZ 150
(IPSec). I have been going over all of the logs and session info on ISA and
Sonicwall. The Sonicwall says that the VPN tunnel is open and the ISA shows
a session of the remote computer. All the routing and firewall rules are in
place (On the ISA for sure and the Sonicwall… I think). But I can’t RDP,
telnet, Ping, browse, anything; both directions. I have the same type of VPN
with the same rules and everything the only difference is its to another ISA.
The ISA system does have multiple external IP’s… could this be a problem?
Has anyone ever had this problem?
CheckPoint NGX, can't connect (Aggressive mode)
CheckPoint NGX, can't connect (Aggressive mode)
by bgentry on 2006-05-10 22:54:37 +0200
We just upgraded our Checkpoint firewall from NG (R54) to NGX R60.
Checkpoint has removed support for Aggressive mode from Phase I
negotiations. This is a known security hole according to my VAR.
Apparently there are several publicly available exploits to allow one to
hijack IPSEC connections that use aggressive mode.
Consequently, IPSecuritas on OSX can no longer connect to our firewall. I
have tried using Basic and Main modes, as well as changing the NONCE size
to various values, changing options, and verifiying that the Phase I
encryption types were proper.
According to the logs, Checkpoint seems to not understand the IKE tunnel
probe that is being sent with NAT traversal. I'm trying to connect from
behind a consumer (Linksys) NAT router like you find at everyone's house.
So, I'm not sure where to go. Does the IPSEC support built in to OSX
include support for Main or Base ? If so, does IPSecuritas properly
implement those modes? Any ideas on how to get this working again?
Does anyone have OSX establishing a VPN connection to a CheckPoint NGX
firewall?
Thank you for any help or insight you can provide.
Brian.
Re: CheckPoint NGX, can't connect (Aggressive mode
by flruiz on 2006-06-30 11:39:32 +0200
Have you got it? I have the same problem
Regards
vpn certificate connection
vpn certificate connection
by johnlehardos on 2006-05-11 12:12:33 +0200
Hi,
I am trying to connect my macOSx to an Arkoon firewall VPN. We are
actually using the vpn connection on winXP hosts through a netscreen client
and it work perfectly with my certificate (not a pre-shared key).
But now I can't succeed th ipsecuritas working with the certificate.
my host is now configured with the ip address : 192.168.161.61
the vpn server address is : 213.41.xx.xx
the lan i want to connect is : 172.27.0.0 /16
I have converted my p12 certificate to a pem one, using an openssl
command (found on the internet). I have successfully imported the two
certificates in the certificate manager.
I have configured the ipsecuritas client as same as he netscreen windows
client was, phase1, phase2 and authentication. But when i try to connect I
get the following log debug :
[code]
May 11 11:08:54 playmobile racoon: DEBUG: pfkey.c:195:pfkey_handler():
get pfkey ACQUIRE message\n
May 11 11:08:54 playmobile racoon: DEBUG2: plog.c:199:plogdump():
\n02060003 00260000 00000033 00000000 00030005 ff200000
10020000
[...]
00000000\n
May 11 11:08:54 playmobile racoon: DEBUG: pfkey.c:1567:pk_recvacquire():
suitable outbound SP found: 192.168.161.61/32[0] 172.27.0.0/16[0]
proto=any dir=out.\n
May 11 11:08:54 playmobile racoon: DEBUG: policy.c:184:cmpspidxstrict():
sub:0xbffff970: 172.27.0.0/16[0] 192.168.161.61/32[0] proto=any
dir=in\n
May 11 11:08:54 playmobile racoon: DEBUG: policy.c:185:cmpspidxstrict():
db :0x306998: 172.27.0.0/16[0] 192.168.161.61/32[0] proto=any
dir=in\n
suitable inbound SP found: 172.27.0.0/16[0] 192.168.161.61/32[0]
proto=any dir=in.\n
new acquire 192.168.161.61/32[0] 172.27.0.0/16[0] proto=any dir=out\n
May 11 11:08:54 playmobile racoon: DEBUG: proposal.c:826:printsaproto():
(proto_id=ESP spisize=4 spi=00000000 spi_p=00000000
encmode=Tunnel reqid=0:0)\n
May 11 11:08:54 playmobile racoon: DEBUG: proposal.c:860:printsatrns():
(trns_id=3DES encklen=0 authtype=2)\n
May 11 11:08:54 playmobile racoon: DEBUG: remoteconf.c:118:getrmconf():
configuration found for 213.41.xx.xx.\n
May 11 11:08:54 playmobile racoon: INFO:
isakmp.c:2028:isakmp_post_acquire(): IPsec-SA request for 213.41.xx.xx
queued due to no phase1 found.\n
May 11 11:08:54 playmobile racoon: DEBUG:
isakmp.c:1009:isakmp_ph1begin_i(): ===\n
192.168.161.61[500]<=>213.41.xx.xx[500]\n
isakmp.c:1019:isakmp_ph1begin_i(): begin Aggressive mode.\n
isakmp.c:2340:isakmp_newcookie(): new cookie:\n5961a56996cec897 \n
localconf.c:328:getpathname(): filename: /tmp/ipsecuritas_certs
/cert.pem.cert\n
Apple Keychain support for certs?
Apple Keychain support for certs?
by Bill Burns on 2006-05-16 01:06:41 +0200
I was disappointed to see that this program uses its OWN certificate
database. Are there any plans to support the mac OS X keychain instead?
Or support PKCS#11 security modules?
I have smartcard users that can use their certificates with the suite of Apple
applications (because their certs and keys show up in the Apple Keychain
via the tokend mechanism), and several Mozilla applications (because they
have a PKCS#11 module).
It seems that with minimal code changes, your application could choose to
use either native Keychain support or even a PKCS#11 module.
thanks,
bill
IPSec (setkey+racoon)
IPSec (setkey+racoon)
by BALEX on 2006-05-29 16:42:45 +0200
IPsec work with SETKEY and RACOON.
spdadd x.x.x.x y.y.y.y any -P out ipsec esp/tunnel/A.A.A.A-B.B.B.B/use;
spdadd y.y.y.y x.x.x.x any -P in ipsec esp/tunnel/B.B.B.B-A.A.A.A/use;
All traffic direct into tunnel
How to destroy tunnel, if remote address (B.B.B.B) unreachable?
How to Force all traffic thru tunnel
How to Force all traffic thru tunnel
by clay perreault on 2006-06-08 21:30:59 +0200
Hi. I've set up IPSecuritas on my mac os x and am successfully connecting
to a host and bringing a tunnel up.
I can ping and connect through the tunnel to devices on the internal tunnel
subnet, but I want to force ALL traffic from my laptop through the tunnel.
with the current config, only traffic destined for the internal network
traverses the tunnel and other traffic such as web surfing still goes out my
normal gateway.
Is there a setting somewhere to FORCE ALL traffic through the tunnel?
Re: How to Force all traffic thru tunnel
by who me on 2006-06-27 23:47:12 +0200
This is done on the vpn "server" side. Nothing can be done on the client.
Normally, a company does NOT want all traffic to go through their vpn.
Connected once but no more
Connected once but no more
by apu on 2006-06-13 17:10:41 +0200
IPSecuritas 2.1, Mac OS X 10.4.6, trying to connect to a Netgear FVS318
with v2.4 firmware.
My end of the tunnel is behind a Linksys router/access point right now
(same as when it worked) but is mobile; the other end of the tunnel is
connected directly to a DSL modem -- the IP address changes occassionally
but has a fixed dyndns.org host name (and has not changed since this
worked yesterday).
I got it to connect (green checkmark) once and was able to successful use
the tunnel. But, ever since, IPSecuritas continues to display the red X and I
am unable to use the IPsec tunnel that is created. However, on the FVS318,
the VPN Status page shows what appears to be a normal, active connection.
Re: Connected once but no more
by apu on 2006-06-13 17:25:41 +0200
p.s.
I have a "verbose" log file from IPSecuritas which I has going to post but its
too big and I would have to chop it up into pieces. I can if its of value. But,
the only error found in it is
[code]
racoon: ERROR: pfkey.c:756:pfkey_timeover(): PUB.LIC.IP.VPN give up to get
IPsec-SA due to time up to wait.
[/code]
where PUB.LIC.IP.VPN is the VPN gateway's public IP address.
Re: Connected once but no more
by yves_kayak on 2006-10-07 05:08:02 +0200
Did you get it to work while you were connected via a wired linksys router,
and now you're trying with a mobile connection (Linksys wireless router) ?
If so, check the router's settings. In particular, my Linksys router has a
"VPN Passthrough" option that needs to be turned on.
Hope this helps,
Yves
Can't get it to autostart at boot 10.4.6
Can't get it to autostart at boot 10.4.6
by Jason on 2006-06-22 01:03:48 +0200
I have it working great with an Ipsec tunnel to my monowall at the office,
however, I cannot get it to autostart. I have the option checked in the
options menu, but when I reboot, the tunnel is down until I manually start
the program.
Thoughts anyone? or, how can I script it to auto start the program and the
Ipsec tunnel?
Re: Can't get it to autostart at boot 10.4.6
by Jason on 2006-06-22 04:17:50 +0200
Well, I've found that you can't run a GUI program from cron so I guess I
need to figure out how to open the ipsec tunnel and close it all from the
command line, so my nightly backup can work without leaving an account
logged in.
IPSecuritas -> Linksys RV082
IPSecuritas -> Linksys RV082
by Rainer Kormann on 2006-06-27 22:13:09 +0200
Hi,
anyone ever connected IPSecuritas with an Linksys RV082 VPN Router? I am
trying for days now...
Any help would be great!!!
Thanks in advance,
Rainer.
Re: IPSecuritas -> Linksys RV082
by incognito on 2006-07-19 18:39:52 +0200
I have a Linksys RV016 and can't get it to work either.
In my logs, it shows this:
Jul 19 00:29:30 2006
VPN Log
Quick Mode I1 message is
unacceptable because it uses a previously used Message ID 0x53713ffa
(perhaps this is a duplicated packet)
Jul 19 00:29:10 2006
VPN Log
Cannot respond to IPsec SA
request because no connection is known for 192.168.1.0/24==="ip
address"
[[email protected]]...1.2.10.12[[email protected]]===192.168.1.101/32
Jul 19 00:29:10 2006
VPN Log
[Tunnel Negotiation Info] <<<
Responder Received Quick Mode 1st packet
Jul 19 00:29:09 2006
VPN Log
type IPSEC_INITIAL_CONTACT
Received informational payload,
Jul 19 00:29:09 2006
VPN Log
[Tunnel Negotiation Info]
Responder Cookies = bbd6 581f d355 338
Jul 19 00:29:09 2006
VPN Log
Cookies = c94a 10c2 8f9 8fbc
[Tunnel Negotiation Info] Initiator
Jul 19 00:29:09 2006
VPN Log
[Tunnel Negotiation Info]
Aggressive Mode Phase 1 SA Established
Jul 19 00:29:09 2006
VPN Log
ID_USER_FQDN: '[email protected]'
Aggressive mode peer ID is
Jul 19 00:29:09 2006
VPN Log
Responder Received Aggressive Mode 3rd packet
Jul 19 00:29:09 2006
VPN Log
[Tunnel Negotiation Info] >>>
Responder Send Aggressive Mode 2nd packet
Jul 19 00:29:09 2006
from 64.149.107.132
VPN Log
Jul 19 00:29:09 2006
VPN Log
ID_USER_FQDN: '[email protected]'
Responding to Aggressive Mode
Aggressive mode peer ID is
Jul 19 00:29:09 2006
VPN Log
Responder Received Aggressive Mode 1st packet
Jul 19 00:29:09 2006
VPN Log
= [draft-ietf-ipsec-nat-t-ike-02_n]
Ignoring Vendor ID payload Type
Jul 19 00:29:09 2006
VPN Log
= [draft-ietf-ipsec-nat-t-ike-02]
Ignoring Vendor ID payload Type
Jul 19 00:29:09 2006
[4df37928e9fc4fd1...]
VPN Log
Ignoring Vendor ID payload
Jul 19 00:29:09 2006
[4a131c8107035845...]
VPN Log
Ignoring Vendor ID payload
by truckstop on 2006-10-17 05:28:31 +0200
Hmm, my RV042 works without an issue.
I assume that you sorta know what you are doing so I am not going to trace
through every step. Here are the relevant settings:
*******
*RV042*
*******
Client to Gateway
FQDN: yourmac.local
PHASE1: Group5, AES-256, SHA, 3600s
PFS: enabled.
PHASE2: Group5, AES-256, SHA-1, 3600s
**********
* Your Mac *
**********
PHASE1: 3600s, Group5, AES-256, SHA, Agressive, Strict, 16
PHASE2: 3600s, Group5, AES-256, SHA-1
Local ID: yourmac.local
Remote ID: address
OPTIONS: IPSec DOI, SIT_IDENTITY_ONLY, Initial Contact, Generate Policy,
Support Proxy, Nat-T disabled. (All listed = checked - All others =
unchecked)
Basically the "Verify Identifier" option seems to break the tunnel when
enabled. You can do pretty much whatever else as long as it is off.
It kinda is lame that it requires aggresive mode, but watch are you gonna
do?
by cbo on 2006-11-30 17:12:00 +0100
Hi !
I would like to know how you can put some AES-256 in linksys RV042 / 082
?
If you look at the product spec, there's no support of AES (even 128)...
So truckstop, are you sure you are using a linksys RV042 ???
Thx
Cbo
PS : i have stopped trying to make ipsecuritas work with this product one
year ago... now i work with Zyxel product s which are more powerfull and
for professional use.
by truckstop on 2006-12-02 08:29:59 +0100
cbo - unless you are sure about something you shouldn't go spouting off. I
AM using AES-256 with an RV042. I have a screen capture but I am too lazy
to set up a flickr account just to prove a point. Maybe tomorrow I'll get to it.
You're right in the fact that it's not in the spec sheet. However the device
supports AES-128, AES-192, and AES-256. They must have been added to
the firmware after the specs were released. They are definately options in
1.3.7.10
Personally I use SonicWALL devices anywhere I need a "pro" device. And let's
face it with download speeds in my area now up to 25Mbps it is getting to
the point where you need a "pro" device at home just to handle your
connection.
[quote author=cbo link=1151439189/0#3 date=1164903120]Hi !
I would like to know how you can put some AES-256 in linksys RV042 / 082
?
If you look at the product spec, there's no support of AES (even 128)...
So truckstop, are you sure you are using a linksys RV042 ???
Thx
Cbo
PS : i have stopped trying to make ipsecuritas work with this product one
year ago... now i work with Zyxel product s which are more powerfull and
for professional use.
[/quote]
Always on IPSecuritas
Always on IPSecuritas
by iamchris on 2006-06-29 21:10:51 +0200
On OSX 10.4.2 I can't get IPSecuritas to autoload on boot.
If I could get it to autoload, I'd like it to autoconnect, and then to reconnect
if it gets disconnected, and if it can't reconnect, continue to retry at short
intervals until it succeeds. How can I get IPSecuritas to work that way?
Couldn't find the pskey
Couldn't find the pskey
by Ian on 2006-06-29 22:26:08 +0200
oakley.c:2146:oakley_skeyid(): couldn't find the pskey for x.x.x.x.
I have setup a Host -> Network profile in IPsecuritas, but whenever I try to
connect I find the error message above in the log file.
I entered a preshared key into the IPSecuritas GUI, but this makes it sound
like racoon can't find it?
Any help would be greatly appreciated.
Netgear FVS318 connects, no traffic. Routing?
Netgear FVS318 connects, no traffic. Routing?
by dfaulkner on 2006-07-04 19:22:51 +0200
Hi all,
I've browsed/searched here briefly and can't find the answer I need. So,
here goes:
I used Aaron Adams tutorial to set up IPSecuritas with my Netgear FVS318
(firmware version 2.4). When I click "Start IPSEC," everything appears to start
fine and a ping turns the red X into a green check, but the ping doesn't
return.
A traceroute reveals that my traffic is still going out to the Internet,
apparently though unencrypted channels:
$ traceroute 191.168.55.20
traceroute to 191.168.55.20 (191.168.55.20), 64 hops max, 40 byte
packets
1 192.168.1.1 (192.168.1.1) 5.650 ms 1.102 ms 1.102 ms
2 ip72-204-64-1.fv.ks.cox.net (72.204.64.1) 11.034 ms 10.766 ms
11.747 ms
3 wsip-70-182-122-97.ks.ks.cox.net (70.182.122.97) 11.410 ms
10.611 ms 35.684 ms
13.787 ms 12.128 ms
25.273 ms 10.975 ms
So, I run ifconfig, and see the following for gif0:
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
tunnel inet 10.1.1.1 --> 127.0.0.1
inet 10.1.1.1 --> 192.168.55.0 netmask 0xffffff00
From netstat -nr, I get
Destination
Gateway
default
192.168.1.1
192.168.43.0
10.1.1.1
192.168.43
gif0
Flags
UGSc
UH
USc
Refs
Use Netif Expire
38
2435 en1
0
1 gif0
1
202 gif0
Looks to me like a routing/gateway problem, but I'm not sure what to do to
fix this. Any thoughts?
IPSecuritas 3.0 Public Beta released
IPSecuritas 3.0 Public Beta released
by Forum Admin on 2006-07-05 23:51:28 +0200
We're proud to announce the release of the first public beta release of
IPSecuritas 3.0.
Please go to http://www.lobotomo.com/products/IPSecuritas/beta.html for
more information.
The IPSecuritas Team.
Re: IPSecuritas 3.0 Public Beta released
by Roberto Carlos Navas on 2006-07-07 08:55:30 +0200
Hello:
I'm testing the new Public Beta and it looks very promising.
However I found a problem trying to connect to my corporate network when
I'm behind a NAT router.
The error I get is:
Jul 07, 00:50:05 Info
APP IKE daemon started
Jul 07, 00:50:05 Info
APP IPSec started
Jul 07, 00:50:05 Debug APP State change from IDLE to RUNNING after
event START
Jul 07, 00:50:06 Info
IKE Foreground mode.
Jul 07, 00:50:06 Info
IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Jul 07, 00:50:06 Info
IKE @(#)This product linked OpenSSL 0.9.7i 14 Oct
2005 (http://www.openssl.org/)
Jul 07, 00:50:06 Info
IKE Resize address pool from 0 to 255
Jul 07, 00:50:06 Debug IKE parse successed.
Jul 07, 00:50:06 Debug IKE my interface: 127.0.0.1 (lo0)
Jul 07, 00:50:06 Debug IKE my interface: ::1 (lo0)
Jul 07, 00:50:06 Debug IKE my interface: fe80::1%lo0 (lo0)
Jul 07, 00:50:06 Debug IKE my interface: fe80::211:24ff:fe84:7f3e%en0
(en0)
Jul 07, 00:50:06 Debug IKE my interface: 192.168.1.100 (en0)
Jul 07, 00:50:06 Debug IKE configuring default isakmp port.
Jul 07, 00:50:06 Debug IKE 5 addrs are configured successfully
Jul 07, 00:50:06 Info
IKE 192.168.1.100[500] used as isakmp port
(fd=6)
Jul 07, 00:50:06 Info
IKE fe80::211:24ff:fe84:7f3e%en0[500] used as
isakmp port (fd=7)
Jul 07, 00:50:06 Info
IKE fe80::1%lo0[500] used as isakmp port (fd=8)
Jul 07, 00:50:06 Info
IKE ::1[500] used as isakmp port (fd=9)
Jul 07, 00:50:06 Info
IKE 127.0.0.1[500] used as isakmp port (fd=10)
Jul 07, 00:50:06 Debug IKE get pfkey X_SPDDUMP message
Jul 07, 00:50:06 Debug IKE
Jul 07, 00:50:06 Debug IKE 02120200 00020000 00000000 000036fc
Jul 07, 00:50:06 Debug IKE pfkey X_SPDDUMP failed: No such file or
directory
I managed to narrow down when this happens:
My remote network is 192.168.0.0/16 and my local address is
192.168.1.100... if i try to connect to a different remote network (let's say
172.25.0.0/16) the VPN will be established. But if my local address overlaps
the remote network, then this error happens and NO VPN setup is ever
attempted.
This same scenaria works fine with IPSecuritas 2.1
I'm running MacOS X 10.4.7 in a Powerbook G4.
Regards,
by Philip on 2006-07-07 13:46:23 +0200
I get the following errors when trying to make a connection.
Am I doing somethins worng or is this a bug ?
Jul 07, 13:42:07 Error IKE /Library/Application Support/Lobotomo
Software/IPSecuritas/racoon.conf:58: ";" algorithm mismatched
Jul 07, 13:42:07 Error IKE fatal parse failure (1 errors)
Jul 07, 13:42:07 Error IKE racoon_vpn1: failed to parse configuration file.
Jul 07, 13:42:07 Error IKE Foreground mode.
Regards,
Philip
by Mini on 2006-07-10 16:12:55 +0200
Same error as above..
Please help
by Roberto Carlos Navas on 2006-07-10 23:36:54 +0200
Hello,
I noticed that the problem reported above:
Jul 07, 13:42:07 Error IKE /Library/Application Support/Lobotomo
Software/IPSecuritas/racoon.conf:58: ";" algorithm mismatched
Jul 07, 13:42:07 Error IKE fatal parse failure (1 errors)
happens when you create a new connection using the wizard... if you
re-create that connection manually, without using the wizard, then it
works.
Still... I have no workaround for the problem when using a local IP address
that overlaps the remote network.
Regards,
by cnadig on 2006-07-11 16:36:21 +0200
Hello,
I can confirm a bug in the wizard templates causing the error described
above. I will release a new beta version with updated wizard templates soon
(some more testing required this time I guess :-).
Many thanks to the numerous contributions helping to find this bug!
Christoph
Lobotomo Software
by cnadig on 2006-07-12 10:06:29 +0200
Hello,
Version 3.0b6 is available for download (see top posting for link).
IMPORTANT: connections created with the Wizard in earlier versions won't
work in 3.0b6 and need to be deleted! Please recreate them in 3.0b6.
Christoph
Lobotomo Software
by iamchris on 2006-07-21 20:19:33 +0200
I've tried unsuccessfully to connect correctly to a Symantec Gateway
Security (SGS) appliance... I spent several hours on the phone with a Level 2
tech trying to get it working properly. He offered to put an IPSecuritas
developer in touch with an SGS developer as to aid in getting the program
working properly.
Any takers?
by cnadig on 2006-07-24 15:49:52 +0200
Hello Chris,
could you please send me the contact details of the person that made you
the offer to [email protected] - I will then get in touch with
him/her.
Thanks a lot,
Christoph
by pchernoff on 2006-07-25 16:32:37 +0200
After upgrading our SonicWall 2040 (enhanced OS) our VPN stopped
working(IPSecuritas 2.1) so I decided to try out IPSecuritas 3.0b6 and it
worked great once I figured out the settings. We have installed IPSecuritas
3.0b6 on other Macs, I exported my settings and imported them onto other
Macs. The results have been mixed. I am using Mac OS X 10.4.7.
Another user also uses 10.4.7. Unfortunately he never gets the green
checkmark (he gets a yellow x) and was unable to mount a server volume
across the VPN. He sent me his log and it looks like he is connecting to our
VPN server. He also sent me screenshots of his IPSecuritas setup and it
looks OK. Here is the contents of his log:
IPSecuritas 3.0b6 build 534, Tue Jul 11 22:00:26 CEST 2006, nadig
Darwin 8.4.0 Darwin Kernel Version 8.4.0: Tue Jan 3 18:22:10 PST 2006;
root:xnu-792.6.56.obj~1/RELEASE_PPC Power Macintosh
Jul 24, 18:58:21 Info
Jul 24, 18:58:21 Info
APP IPSec started
Jul 24, 18:58:21 Info
Jul 24, 18:58:21 Info
Jul 24, 18:58:21 Info
Jul 24, 18:58:21 Info
Jul 24, 18:58:21 Info
Jul 24, 18:58:21 Info
Jul 24, 18:58:23 Info
IKE IPsec-SA request for 216.194.197.194 queued
due to no phase1 found.
Jul 24, 18:58:23 Info
IKE initiate new phase 1 negotiation: 10.0.0.4[500]
<=>216.194.197.194[500]
Jul 24, 18:58:23 Info
IKE begin Aggressive mode.
Jul 24, 18:58:23 Info
IKE received Vendor ID: RFC 3947
Jul 24, 18:58:23 Info
IKE received Vendor ID: DPD
Jul 24, 18:58:23 Warning IKE No ID match.
Jul 24, 18:58:23 Info
IKE Selected NAT-T version: RFC 3947
Jul 24, 18:58:23 Info
IKE Hashing 10.0.0.4[500] with algo #2
Jul 24, 18:58:23 Info
IKE NAT-D payload #-1 doesn't match
Jul 24, 18:58:23 Info
Jul 24, 18:58:23 Info
IKE NAT-D payload #0 verified
Jul 24, 18:58:23 Info
IKE NAT detected: ME
Jul 24, 18:58:23 Info
IKE KA list add:
10.0.0.4[4500]->216.194.197.194[4500]
Jul 24, 18:58:23 Info
IKE couldn't find the proper pskey, try to get one
by the peer's address.
Jul 24, 18:58:23 Info
IKE Adding remote and local NAT-D payloads.
Jul 24, 18:58:23 Info
Jul 24, 18:58:23 Info
Jul 24, 18:58:23 Info
IKE ISAKMP-SA established
10.0.0.4[4500]-216.194.197.194[4500]
spi:668d5adfd265129f:fe2028ac928b6eda
Jul 24, 18:58:24 Info
IKE initiate new phase 2 negotiation:
10.0.0.4[4500]<=>216.194.197.194[4500]
Jul 24, 18:58:24 Info
IKE NAT detected -> UDP encapsulation
(ENC_MODE 1->3).
Jul 24, 18:58:24 Info
IKE Adjusting my encmode UDP-Tunnel->Tunnel
Jul 24, 18:58:24 Info
IKE Adjusting peer's encmode
UDP-Tunnel(3)->Tunnel(1)
Jul 24, 18:58:24 Info
IKE IPsec-SA established: ESP/Tunnel
216.194.197.194[4500]->10.0.0.4[4500] spi=134320294(0x80190a6)
Jul 24, 18:58:24 Info
10.0.0.4[4500]->216.194.197.194[4500] spi=960951546(0x3946f4fa)
Re: IPSecuritas 3.0 Public Beta releasedI am
by AaronA1975 on 2006-10-27 18:17:57 +0200
I am completely unable to get split DNS to work in 3.0b14. Are there any
troubleshooting steps I can try or is there any way to help you fix this
problem?
by kramericafsu on 2006-11-09 05:11:48 +0100
Has there been any headway with configuring the Symantec Gateway 320? I
have hit a road block!
Zyxel P-334WT anc IPSecuritas 3.0b5
Zyxel P-334WT anc IPSecuritas 3.0b5
by Thomas Thaler on 2006-07-10 23:47:23 +0200
Does anyone have sucssesfully setup IPSecuritas and a Zyxel P-334WT
Firewall to setup a IPSec tunnel?
It's hard to find out what on one side does compare to the same function
on the otherside.
If needed, I can provide snapshots of the Zyxel Settings.
Best regards for anyones help
Greetings from Switzerland
Thomas Thaler
Where is HMAC 3.0b6
Where is HMAC 3.0b6
by LittleDan on 2006-07-12 16:41:28 +0200
I have installed 3.0b6 and it keeps failing on Phase 2 with "No Proposal is
Chosen". I thought maybe it had something to do with HMAC not being
under authentication in the Phase 2 config optiosn. Anyone have any
suggestions?
Mac OS X 10.4.7 w/ SonicWall PRO 200 using XAUTH
Note: XAUTH is passing on the router log.
Re: Where is HMAC 3.0b6
by LittleDan on 2006-07-12 18:44:48 +0200
Made a good connection now what?
Forgive me ignorance this is my first mac since the IIe days, I have since
been a windows guy.
Log errors when trying to connect to home
Log errors when trying to connect to home
by CdtDelta on 2006-07-14 18:35:28 +0200
Hey all,
I've been using IPSecuritas for a while with my smoothwall firewall. It
worked fine with version 2.x, but I'm having some issues with 3.0b5 (and I
just tried it with b6 as well). I'm not sure if it's a configuration issue on my
part or not.
I've gotten it where it shows I'm connected to my home network. And I can
see on my firewall that the connection has been established. However, if I
try to ping any machines on my local network, I notice this error pop up:
"the length in the isakmp header is too big"
For each ping packet I send out. Now it is possible that the network I'm on
right now is part of the problem. Because this worked a couple of days ago
no problem at a hotel I was at. However I was back at the same hotel last
night and I had the issue I have now. I can get connected, but not access
anything on my home network.
So I'm looking for suggestions on where to look (I'm not entirely sure if all
my settings are correct).
Thanks ahead of time....
Re: Log errors when trying to connect to home
by cnadig on 2006-07-14 21:45:40 +0200
Hello,
this look like a problem with NAT-T - is it enabled in your configuration (if
it is, please try disabling it, if it isn't, please try enabling or even forcing it
[Options tab])
Hope this helps,
Christoph
IPsecuritas, Parallels and Internet Sharing
IPsecuritas, Parallels and Internet Sharing
by msolsona on 2006-07-16 01:13:29 +0200
I am having problems connecting to my company intranet using IP securitas
from the Parallels virtual Machine (XP).
Has anybody had this working?
IPsecuritas 3.0b6 installed and running in 10.4.7(Intel)
Airport connection to the world
Internet sharing from Airport to the Parallels interface (en2)
Parallels is connecting properly to the Internet (yahoo, google, etc) but it
cannot reach the Intranet.
Has anybody got it work?
Doing TCPdump on en1 (Airport, external interface) of Macbook, I do see
UDP-encap packets going out and coming back from GW. But they are not
reaching the virtual machine.
marc
Netgear FVS318v3
Netgear FVS318v3
by jscooper on 2006-07-22 20:46:05 +0200
Hi folks,
I've seen a bunch of postings about this, but no solutions. Does anyone
have the settings to get a working tunnel from a remote machine (roaming
user/dynamic IP) to a FVS318v3?
Thanks!
Jeff
ps - Cool app, go it working with a couple of different VPNs (just not the
netgear so far).
Re: Netgear FVS318v3
by jscooper on 2006-07-26 04:22:30 +0200
Update:
I was able to get it working, but I had it in a test environment: I made a
subnet for the router and had it's "WAN" be the main router of my LAN (a
dlink wireless). I was able to establish a VPN (green arrow and ping) the
netgear from a laptop wirelessly connected to the dlink.
I thought I was set until I put the netgear to use as a real router/gateway
(WAN->LAN). It's working fine as a gateway; traffic can get out. But, when I
try to establish a VPN to it from a different location (using the exact same
settings), it gets hung up on Phase 2. Below is the client log (actual WAN IP
replaced by x.x.x.x). It keeps trying to "initiate new phase 2 negotiation":
Jul 25, 14:31:50 Info
Jul 25, 14:31:50 Info
APP IPSec started
Jul 25, 14:31:50 Info
Jul 25, 14:31:50 Info
Jul 25, 14:31:50 Info
Jul 25, 14:31:50 Info
Jul 25, 14:31:50 Info
(fd=6)
Jul 25, 14:31:50 Info
(fd=7)
Jul 25, 14:31:51 Info
IKE IPsec-SA request for x.x.x.x queued due to no
phase1 found.
Jul 25, 14:31:51 Info
192.168.22.21[500]<=>x.x.x.x[500]
Jul 25, 14:31:51 Info
Jul 25, 14:31:54 Info
192.168.22.21[500]-x.x.x.x[500]
spi:3238789ff58aba9f:9b586d8ffd398608
Jul 25, 14:31:55 Info
192.168.22.21[500]<=>x.x.x.x[500]
Jul 25, 14:32:07 Info
192.168.22.21[500]<=>x.x.x.x[500]
Jul 25, 14:32:19 Info
192.168.22.21[500]<=>x.x.x.x[500]
Jul 25, 14:32:25 Error IKE x.x.x.x give up to get IPsec-SA due to time up
to wait.
Jul 25, 14:32:37 Info
192.168.22.21[500]<=>x.x.x.x[500]
to wait.
Jul 25, 14:32:49 Info
192.168.22.21[500]<=>x.x.x.x[500]
to wait.
Jul 25, 14:33:01 Info
192.168.22.21[500]<=>x.x.x.x[500]
to wait.
Jul 25, 14:33:19 Info
192.168.22.21[500]<=>x.x.x.x[500]
to wait.
Jul 25, 14:33:31 Info
192.168.22.21[500]<=>x.x.x.x[500]
to wait.
by bradisa on 2006-07-31 09:04:16 +0200
Got it working with the following settings:
Please note that I do not need to browse the Mac clients; I only needed them
to access a server behind the FVS318. I have not attempted to access the
macs, so you'll have to test it out:
[b][u]ON THE FVS318[/u][/b]
Local IPSec Identifier: 10.0.3.1 {local IP address of FVS318}
Remote IPSec Identifier: 192.168.1.2 {local IP address of Mac}
Tunnel can be accessed from: any local address
Tunnel can access: a subnet of remote addresses
Remote LAN start IP Address: 192.168.1.2 {local IP address of Mac}
Remote LAN IP Subnetmask: 255.255.255.0 {subnet of Mac}
Remote WAN IP or FQDN: xxxxx.dyndns.info {for dynamic ip of Mac; using
Dynamic DNS Host service}
Secure Association: Main Mode
Perfect Forward Secrecy: Enabled
Encryption Protocol: 3DES
PreShared Key: AnyKeyY0uCh00se
Key Life: 28800 Seconds
IKE Life Time: 28800 Seconds
Netbios: Enabled
[b][u]On the Mac using IPSecuritas[/u][/b]
[b][i]General[/i][/b]
Remote IPSec Device: XXXXXXXX.com {FQDN or Dynamic Host Service}
Local Side: Endpoint Mode: Network
Network Address: 192.168.1.1 {local IP address of router for Mac}
Remote Side: Endpoint Mode: Network
Network Address: 10.0.3.0
[b][i]Phase 1[/i][/b]
DH Group: 1024(2)
Encryption: 3DES
Exchange Mode: Main
Nonce Size: 16
[b][i]Phase 2[/i][/b]
PFS Group: 1024(2)
Encryption: {Check box for 3DES ONLY}
Authentication: {Check box for SHA1 ONLY}
[b][i]ID[/i][/b]
Authentication Method: Preshared Key
Preshared Key: AnyKeyY0uCh00se {of course must match entry on FVS318}
[b][i]Options[/i][/b]
Check boxes for:
IPSec DOI
SIT_IDENTITY_ONLY
Verify Identifier
Initial Contact
If anyone viewing this sees any serious flaws in this configuration, please post
by bradisa on 2006-07-31 17:48:14 +0200
FYI, Here are the log files:
[b][i]IPSecuritas:[/i][/b]
IPSecuritas 3.0b6 build 534, Tue Jul 11 22:00:26 CEST 2006, nadig
Darwin 8.4.0 Darwin Kernel Version 8.4.0: Tue Jan 3 18:22:10 PST 2006;
root:xnu-792.6.56.obj~1/RELEASE_PPC Power Macintosh
Jul 31, 08:09:04 Info
Jul 31, 08:09:04 Info
APP IPSec started
Jul 31, 08:09:04 Info
Jul 31, 08:09:04 Info
Jul 31, 08:09:04 Info
Jul 31, 08:09:04 Info
Jul 31, 08:09:04 Info
Jul 31, 08:09:05 Info
IKE IPsec-SA request for x.x.x.x queued due to no
phase1 found.
Jul 31, 08:09:05 Info
192.168.1.2[500]<=>x.x.x.x[500]
Jul 31, 08:09:05 Info
IKE begin Identity Protection mode.
Jul 31, 08:09:08 Info
192.168.1.2[500]-x.x.x.x[500] spi:xxxxx:xxxxxx
Jul 31, 08:09:09 Info
192.168.1.2[500]<=>x.x.x.x[500]
Jul 31, 08:09:12 Info
x.x.x.x[0]->192.168.1.2[0] spi=xxxxx
Jul 31, 08:09:12 Info
192.168.1.2[0]->x.x.x.x[0] spi=xxxxxx
[b][i]Netgear FVS318:[/i][/b]
Mon, 07/31/2006 07:08:51 - xxxxx IPsec:Receive Packet address:0x1807194
from x.x.x.x
Mon, 07/31/2006 07:08:51 - xxxx IPsec:main_inI1_outR1()
Mon, 07/31/2006 07:08:51 - xxxxx IKE: Peer Initialized IKE Main Mode
Mon, 07/31/2006 07:08:51 - xxxxx IKE:[Mac] RX << MM_I1 : x.x.x.x
Mon, 07/31/2006 07:08:51 - xxxxx IPsec:New State index:5, sno:32
Mon, 07/31/2006 07:08:51 - xxxxx IPsec:responding to Main Mode
Mon, 07/31/2006 07:08:51 - xxxxx IPsec: Oakley Transform 1 accepted
Mon, 07/31/2006 07:08:51 - xxxxx IKE:
OAKLEY_PRESHARED_KEY/OAKLEY_3DES_CBC/MODP1024
Mon, 07/31/2006 07:08:51 - xxxxx IKE:[Mac] TX >> MM_R1 : x.x.x.x
Mon, 07/31/2006 07:08:51 - xxxxx IPsec:inserting event
EVENT_RETRANSMIT, timeout in 10 seconds for #32
from x.x.x.x
Mon, 07/31/2006 07:08:51 - xxx IPsec:main_inI2_outR2()
Mon, 07/31/2006 07:08:51 - xxxx IPsec:inserting event EVENT_RETRANSMIT,
timeout in 10 seconds for #32
from x.x.x.x
Mon, 07/31/2006 07:08:53 - xxxxx IPsec:main_inI3_outR3()
Mon, 07/31/2006 07:08:53 - xxxxx IPsec: Decoded Peer's ID is
ID_IPV4_ADDR:192.168.1.2 and 192.168.1.2 in st
Mon, 07/31/2006 07:08:53 - xxxxx IPsec:inserting event EVENT_SA_EXPIRE,
timeout in 28980 seconds for #37
by truckstop on 2006-10-17 05:33:42 +0200
Whenever I enable a tunnel to an FVS318v3 like this it breaks the internet
connectivity on the FVS318v3 side. Looks like a more than dns thing
because pings disappear however traffic does go through the tunnel.
DHCP with SonicWall
DHCP with SonicWall
by yves_kayak on 2006-10-07 04:48:10 +0200
Hello everyone,
I'm using IPSecuritas for a while to connect to the office's SonicWall Pro 230
VPN server.
Our sysadmin changed the VPN Server's config to assign DHCP addresses to
the VPN clients. After that change, I can't connect anymore. In IPSecuritas
log, there's an error message "NO-PROPOSAL-CHOSEN" at phase 2.
Is that feature supported by IPSecuritas ? It seems to be a new feature in
version 4 of VPN Tracker. They call that "DHCP over IPSec".
Thanks,
Yves Forget
Re: DHCP with SonicWall
by Manuel on 2007-03-15 16:07:39 +0100
Same problem/question here: is DHCP over IPSec supported by IPSecuritas?
I am using 3.0RC and I'm only able to get it working if I enable "Virtual
adapter settings: DHCP Lease or manual configuration" on our Sonic Pro
3060 Enhanced.
Since I'm the sysadmin it doesn't really matter (to me), but it would be nice
if IPSecuritas could support DHCP somehow, also to avoid IP conflicts for
users who use NAT'ed IP addresses.
Re: DHCP with SonicWall
by jgrange on 2007-03-22 02:12:37 +0100
Okie, ive been trying to get version 3, to work with my 3060 Pro, but have
been unsuccesfull, I keep geting invalid ID messages, can someone share
with me how to properly set this up, as it seems i must be missing
something fairly simple if serveral people seem to have this working! Any
help or ideas would be very much apreacated!
XAuth not working?
XAuth not working?
by gdanko on 2006-10-09 16:44:22 +0200
Hi all,
I was helping to test 3.0b1 several months ago and I could get the
username/password prompt for my SonicWall 5060. The only thing not
working was the DHCP.
I am now trying 3.0b14 and I am no longer prompted for username and
password.
I use both a Cisco 3020 and a SonicWall 5060 and TZ170. Does someone
have a configuration example I can use for either of these? The Cisco 3020
uses Group Authentication. Can IPSecuritas accommodate this?
Thanks in advance!
Cannot connect to SonicWALL TZ170
Cannot connect to SonicWALL TZ170
by gdanko on 2006-10-09 19:32:03 +0200
==On the SonicWALL==
:General
Authentication Method: IKE using Preshared Secret
Name: WAN GroupVPN
Share Secret: xxxxx
-Proposals
Phase 1
DH Group: Group 2
Encryption: 3DES
Phase 2
Protocol: ESP
Encryption: 3DES
Enable PFS: Disabled
:Advanced
Enable Windows Networking Broadcase: Checked
Enable Multicast: Unchecked
Default Gateway: 0.0.0.0
:Client
Cache XAUTH User Name and Password on Client: Single Session
Virtual Adapter Settings: DHCP Lease
Set Default Route as this Gateway: Unchecked
Require Global Security Client for this Connection: Unchecked
Use Default Key for Simple Client Provisioning: Unchecked
==In IPSecuritas==
:General
Remote IPSec Device: xxxxx
Local Endpoint Mode Host:
Remote Endpoint Mode Network: 172.16.10.0/24
:Phase 1
DH Group: 1024(2)
Encryption: 3DES
Authentication: SHA-1
Exchange Mode: Main, Aggressive
Nonce Size: 16
:Phase 2
PFS Group: None
Encryption: 3DES
Authentication: HMAC-SHA-1
:ID
Authentication Method: XAuth PSK
Preshared Key: xxxxx
Re: Cannot connect to SonicWALL TZ170==SonicWALL L
by gdanko on 2006-10-09 19:33:39 +0200
==SonicWALL Log==
10/09/2006 10:26:06.704 - Info - VPN IKE IKE Responder: Received
Main Mode request (Phase 1) - [NAT'D IP], 139 (admin) [SONICWALL],
500 10/09/2006 10:26:07.352 - Info - VPN IKE NAT Discovery : Peer IPSec
Security Gateway behind a NAT/NAPT Device 0.0.0.0 0.0.0.0 10/09/2006 10:26:07.880 - Info - VPN IKE IKE Responder: Main Mode
complete (Phase 1) - [NAT'D IP], 43746 (admin) [SONICWALL], 4500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs
10/09/2006 10:26:27.720 - Warning - VPN IKE - Received packet
retransmission. Drop duplicate packet [NAT'D IP], 43746 (admin) [SONICWALL], 4500 VPN Policy: WAN GroupVPN
10/09/2006 10:26:27.736 - Warning - VPN IKE - Failed payload
validation - [NAT'D IP], 43746 (admin) [SONICWALL], 4500 VPN
Policy: WAN GroupVPN
==Connection Log from IPSecuritas==
IPSecuritas 3.0b14 build 1019, Wed Oct 4 15:19:10 CEST 2006, nadig
Darwin 8.8.1 Darwin Kernel Version 8.8.1: Mon Sep 25 19:42:00 PDT 2006;
root:xnu-792.13.8.obj~1/RELEASE_I386 i386
Oct 09, 10:22:24 Info
Oct 09, 10:22:24 Info
APP IPSec started
Oct 09, 10:22:24 Error IKE Foreground mode.
Oct 09, 10:22:24 Info
Oct 09, 10:22:24 Info
Oct 09, 10:22:24 Info
IKE Reading configuration from "/Library
/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Oct 09, 10:22:24 Info
Oct 09, 10:22:26 Error IKE Xauth mode config request but peer did not
declare itself as Xauth capable
Oct 09, 10:22:26 Error IKE ISAKMP mode config exchange with immature
phase 1
Oct 09, 10:22:46 Warning IKE No ID match.
Oct 09, 10:22:46 Error IKE No SIG was passed, hybrid auth is enabled, but
peer is no Xauth compliant
Oct 09, 10:22:46 Error IKE none message must be encrypted
Oct 09, 10:22:56 Error IKE phase2 negotiation failed due to time up
waiting for phase1. ESP [REMOTE][500]->172.16.129.16[500]
Re: Cannot connect to SonicWALL TZ170
by sibble-comp on 2007-06-12 00:54:04 +0200
Success!!! After about 4 or 5 days playing with this, several hours on the
phone with Sonicwall support, I can successfully connect to a TZ170 running
SonicOS Enhanced 3.1.0.14-49e. Box is using the GroupVPN for the pc users
using GVC in automated mode (end users type in ip address, username and
password in GVC to connect) with Xauth enabled. Also using DHCP relay so
clients get an address from the internal dhcp server, NOT the sonicwall box
itself.
I am using IPSecuritas 3.0 build 1693
After several hours on the phone with Sonicwall support today and the tech
finally saying he was out of ideas to try, I went back to basics,
removed/reverted all the changes we had been made during testing.
Sonicwall is setup thusly
Security Policy TAB
IPsec Keying Mode: Ike using preshared secret
Name: Wan GroupVPN
Shared Secret: xxxxxxxxxxxxxxxxxxxxxxxxxxx
Proposals TAB
IKE (phase 1) Proposal
DH Group: Group 2
Encryption: 3DES
Life Time: 28800
IPSEC (Phase 2) Proposal
Protocol: ESP
Encryption: 3DES
Enable PFS is checked
DH Group: Group 2
Life Time: 28800
Advanced TAB
Enable Windows Networking Broadcast is checked
Require Authentication of VPN Clients via XAUTH is checked
(clients authenticate against radius server on windows 2003 AD machine)
Client TAB
Cache XAUTH Username and Password on Client: Single Session
Virtual Adapter Settings: DHCP Lease or Manual Configuration
Use Default Key for Simple Client Provisioning.
If an item is not listed above or below, it's because it wasn't enabled or used
for this configuration.
Setup on IPSecuritas
General TAB
Remote Ipsec device: wan ip of sonicwall
Local Side Endpoint mode: host (ip address field blank)
Remote Side Endpoint Mode: Network address set to the lan behind the
sonicwall
Phase 1 TAB
DH Group: 1024 (2)
by TimothyFerrell on 2007-06-12 05:31:25 +0200
I was very hopeful after reading how you got your connection to come up,
but very disappointeted to find your instructions don't quite work for me. I
adopted all your settings, and the VPN comes up, but disconnects after
about 2 minutes.
The log shows scrolling errors starting with
"No ID match"
"attribute has been modified"
"inappropriate sadb acquire message passed."
"attribute has been modified"
"libipsec failed pfkey check (Invalid SA type)"
""unknown information element received"
If anyone knows what settings and on which side I should be looking at
tinkering with, any suggestions would be appreciated. The client side is IP
Securitas 3.0. The Sonicwall hardware in my case is a Pro 2040 on Standard
2.1.0.1 firmware. Windows computers are not having any trouble
connecting with the SonicWall client. Hoping not to have to buy VPN
tracker to get this up.
by sibble-comp on 2007-06-12 07:39:30 +0200
Hmm, there is some info in another thread about that unknown info
message involving turning up the logging level in ipsecuritas to debug to
find out what the unknown info actually is.
Also from what I understand, there's a fair bit of difference between
standard and enhanced firmware and also between 2.xx and 3.xx.
IIRC, when they went to 3.xx was when they dropped support for Safenet
based vpn clients, but don't quote me on that ;-)
Thank you for you prompt reply. I will try to figure out where to go to
increase the logging level and get back with my results.
Re: Cannot connect to SonicWALL
by kduane on 2009-01-27 08:13:14 +0100
This worked for me on a Sonicwall 3060 with Enhanced OS and IPSecuritas
3.1 (build 1860)
Just a few diffs:
=== on sonicwall ==
Proposals TAB
IPSEC (Phase 2) Proposal
Enable PFS is unchecked
Advanced TAB
Enable Windows Networking Broadcast is unchecked
Client TAB
Virtual Adapter Settings: none
== in ipsecuritas ==
DNS TAB
Enable Domain Specific DNS servers is unchecked
Domains: blank
Name Server Addresses: blank
OPTIONS TAB
The following are (checked) enabled
IPSEC DOI
SIT_IDENTITY_ONLY
Initial Contact
Support Proxy
Request Certificate
Send Certificate
Unique SAs
IKE Fragmentation
DISABLE NAT-T
Thanks for all your work... I know there has to be a lot of people out there
looking for the same info... Screw VPN Tracker
[quote author=sibble-comp link=1160415123/0#2
date=1181602444]Success!!! After about 4 or 5 days playing with this,
several hours on the phone with Sonicwall support, I can successfully
connect to a TZ170 running SonicOS Enhanced 3.1.0.14-49e. Box is using
the GroupVPN for the pc users using GVC in automated mode (end users
type in ip address, username and password in GVC to connect) with Xauth
enabled. Also using DHCP relay so clients get an address from the internal
dhcp server, NOT the sonicwall box itself.
I am using IPSecuritas 3.0 build 1693
After several hours on the phone with Sonicwall support today and the tech
finally saying he was out of ideas to try, I went back to basics,
removed/reverted all the changes we had been made during testing.
Sonicwall is setup thusly
Security Policy TAB
IPsec Keying Mode: Ike using preshared secret
Name: Wan GroupVPN
Shared Secret: xxxxxxxxxxxxxxxxxxxxxxxxxxx
FVG318 examples?
FVG318 examples?
by machelp on 2006-10-16 21:22:51 +0200
Has anyone had any success using IPSecuritas to connect to a Netgear
FVG318?
I'd love to see some examples.
Thanks!
Beta 14 certificate bug.
Beta 14 certificate bug.
by truckstop on 2006-10-17 01:25:47 +0200
I am pretty sure that there is an error in the IPSecuritas Beta 14 where the
generated racoon.conf file uses the same certifcate identifier for both the
system cert and the peer cert.
For example this is what I have found in my racoon.conf:
certificate_type x509 "5e0963d3-ffe1-4c46-a389-6f6ac4136ad0.cert"
"5e0963d3-ffe1-4c46-a389-6f6ac4136ad0.priv";
peers_certfile x509 "5e0963d3-ffe1-4c46-a389-6f6ac4136ad0.cert";
So if you can't get Beta 14 to work with IPCOP that is why.
Re: Beta 14 certificate bug.
by bmc303 on 2006-10-19 22:13:37 +0200
I tried to find the entry in my racoon.conf. But it doesn't seem that
IPSecuritas changed anything.
When I for example search for my IPCops IP Adress or it's hostname nothing
is matched.
Do you have any idea what the reason for this could be?
Goodbye!
by bmc303 on 2006-10-19 22:44:01 +0200
Aaah! I finally found the menu entry to see the log and the configuration
file. I can confirm what the original poster stated.
certificate_type x509 ...
peers_certfile x509 ...
both rely on the same cert.
I'm back to version 2.2. Works nice! :-)
by houser on 2006-10-21 10:39:28 +0200
Hello,
Iposted a question regarding use of a Netscreen firewall and IPsecuritas
3.0b14
and it seems I have found the same issue as you guys.
2.2 works perfectly AFAIK...and our log indicates the very same bug as you
have reported.
FWIW.
all the best
Janne A.
DNS in IPSecuritas vs VPN Tracker
DNS in IPSecuritas vs VPN Tracker
by witchdoctor on 2006-10-19 21:58:32 +0200
I'd like to do a straight replacement of VPN Tracker with IPSecuritas 3.0b14
on my network for the Mac folk. Problem is, DNS lookups don't seem to
work. The search domain is ournetwork.local, and I've specified the local
DNS server address. VPN Tracker works fine, but IPSecuritas doesn't resolve
the names at all. Tried dig / traceroute and it simply doesn't resolve the
hostname under IPSecuritas' tunnel.
Any ideas?
Netscreen 5GT
Netscreen 5GT
by houser on 2006-10-20 13:37:50 +0200
Hello,
Thanx for a great freeware VPN client!
I am trying to set up IPSecuritas with a firewall from Juniper Netwoks,
namely a 5GT.
Any documentation / hints on how to set this up?
I have it working with version 2.2 and would ideally just need a config for
IPsecuritas 3 that works with the exisiting setup.
It seems there is a bug or at least a change in 3 from 2.2 that stops the
connection in middle of it.
I have copied the settings from 2.2 to 3 and get this error:
waiting for phase1. ESP xxx.xxx.xxx.xx[500]->10.0.1.2[500]
greatful for any feedback or hints
TIA and regards
janne a.
Re: Netscreen 5GT
by Umeboshi on 2006-10-21 11:27:01 +0200
I had a very good experience with 3b-6 beta that was available just before
Lobotomo took their time out. I had to tweek the 2.1 config a little to get it
to work (the parameters and settings are not identical) but it worked really
well. After Lobotomo's return and the release of 3b-14 I was quick to try it
again (since the 3b-6 had expired) but to this point with the same config
that worked with 3b-6 it hasn't worked yet.
My environment is basically the same as yours: Netscreen 5GT. I can get the
current 2.2 version to work with no problems but not the 3b-14 version.
I am getting a PSK not found error in the logs so it seems that my problem
may be a little different.
I continue to work on this as time permits and will post again if I come
across anything that may be useful but ask you (and everone else with this
same type of problem) to post whatever you find as well.
Thanks
Re: Netscreen 5GT
by houser on 2006-10-21 18:47:10 +0200
Thanx for your reply.
Sure, I will try some trix too.
I get various errors but no success.
What would be the point of using 3 over 2 anyway at this point?
it does not offer anything important new, AFAIK?
ah well, best
Janne A.
Re: Netscreen 5GT
by Umeboshi on 2006-10-22 10:35:13 +0200
The things I saw in 3b-6 that I really liked were:
1. The auto connection feature. Currently 2.2 tells you that the system has
gone into sleep mode and the connection has been shutdown. 3b-6 just
reconnected when the network came back up as long as it was flamed-on.
Security wise possibly a little dangerous but a nice feature. I believe there is
also an on/off for this setting as well.
2. The XAuth support. Although the XAuth support didn't work as
anticipated - I had hoped for a popup window for username and password
entry (similar to the functionality of the Netscreen Windows client) - but it
did work which allowed a little more generic settings between Mac and
Windows on the Netscreen 5GT itself.
So if I can get the current 3b-14 beta to work I am sure to use it.
Thanks
Re: Netscreen 5GT
by houser on 2006-10-22 20:06:34 +0200
Allright, thanx.
I liked the menuitem that allows on off without opening the app.
Let me know if you get it to work, and I will do the same.
best
Janne A.
Fortinet, FortiGate100
Fortinet, FortiGate100
by Bones on 2006-10-20 14:36:42 +0200
Hi,
Anyone got good settings for FortiGate100, I have no problems getting it to
get the VPN runnign in VPN Tracker. I have set all the settings like in
Tracker but still no go...
Here is the log...
Oct 20, 19:12:47 Info
Oct 20, 19:12:47 Info
APP IPSec started
Oct 20, 19:12:47 Info
Oct 20, 19:12:47 Info
IKE @(#)This product linked OpenSSL 0.9.7i 14
Oct 2005 (http://www.openssl.org/)
Oct 20, 19:12:47 Info
Oct 20, 19:12:47 Info
Oct 20, 19:13:00 Info
Oct 20, 19:13:00 Warning IKE Ignored short attribute XAUTH_USER_NAME
Oct 20, 19:13:00 Warning IKE Ignored short attribute
XAUTH_USER_PASSWORD
Oct 20, 19:13:16 Info
APP IPSec stopping
Oct 20, 19:13:17 Info
APP IKE daemon terminated
Anyone :-)
/b
NetgearFVS124G<-->LinksysBEFSX41
NetgearFVS124G<-->LinksysBEFSX41
by SteveC on 2006-10-26 08:03:45 +0200
Using beta 3.
No matter what I do I get the dreaded "time out from phase 1" error.
What is the basic issue here?
Same with v2 of IPSecuritas AND VPNTracker4
TWRoadRunner is the ISP for both.
Is this a blocked port issue?
Help!
Steve
Connecting to Sonicwall
Connecting to Sonicwall
by surfer on 2006-11-05 02:15:25 +0100
Hi Guys,
I am having a battle with communicating ipsecuritas 3.0b14 to talk to
Sonicwall TZ170. after debugging the log seems like ipsecuritas doesn't
recognise Sonicwall as supporting Xauth authentication.
I was wondering if anyone's got Xauth working with Sonicwall? I mean both
software and hardware support it so it should work. I will keep trying to get
this working. I red the post where one of the guys got a username and
password prompt while authenticating using ipsecuritas 3.0b1 but that got
dissapared in 3.0b14.
If i have any luck i will post my findings.
Regards,
.
Re: Connecting to Sonicwall
by deanpence on 2006-11-27 19:49:32 +0100
Any luck on this? This is hat I'm getting:
No ID match.
fatal NO-PROPOSAL-CHOSEN notify message, phase1 should be deleted.
I'm on a Powerbook G4 connecting to a SonicWall TZ 170 with XAuth and
PSK.
Re: Connecting to Sonicwall
by yves_kayak on 2006-11-28 05:24:41 +0100
Hello,
I'm using a PowerMac G5 with OS X 10.4.8 and IPSecuritas 3.0b14 and
connecting to a SonicWall Pro 230.
I get the message "couldn't find the proper pskey, try to get one by the
peer's address." as part of a "normal" (working) connection process. (It's
the last message I get in the log, on a successful connection).
I used to have the "fatal NO-PROPOSAL-CHOSEN notify message, phase1
should be deleted." message too. After a while I was able to get our
sysadmin to set the SonicWall's DHCP optional, and now it works. I don't
remember exactly, but in the Sonic's config, it was the last tab on the right
(client config or something), and then the last thing at the bottom of the
page (client address via DHCP). Choices are "none", "DHCP", or "both".
At the beginning it was set to "NONE", and the clients were using their local
IP addresses (obtained from their ISP) but people with routers were
disconnected because of IP conflicts (with addresses obtained from the
router's DHCP).
Then the sysadmin changed the setting to DHCP. It solved the routers' IP
conflicts for people on Windows, but IPSecuritas was unable to connect.
(BTW, VPN Tracker 4.0 supports the DHCP setting).
Changing the setting to "both" allows IPSecuritas to connect, but Mac users
using routers must be careful to configure their routers to avoid IP conflicts
: do not use 10.0.1.100, since most people do...
By the way, be patient. After setting the DHCP to "both" on the server, it
often takes IPSecuritas 10 or 15 seconds before you get the green light. I
believe it was much faster before we use DHCP on the SonicWall's server.
I'm connecting with XAuth and PSK too.
Hope this helps,
Yves
what's new in IPSecuritas 2.2 ?
what's new in IPSecuritas 2.2 ?
by favincen on 2006-11-06 15:13:57 +0100
Hi,
IPSecuritas 2.2 is available for download, but both the web page and the
readme file need to be updated as both still refer to version 2.1.
Could you give some details about what's new in version 2.2?
thanks and regards
show version
show version
by niko on 2006-11-06 22:48:00 +0100
Hello Everyone
Am trying to find out if a netscreen 5gt that we want to setup in our office
in Brasil has the "export version" of the software but I can't - the command
show version doesn't work
Any idea?
Thanks Niko
Sonicwall Config
Sonicwall Config
by darken9999 on 2006-11-10 12:43:56 +0100
Wow, this message board software is falling apart. Images don't work,
profiles can't be adjusted.
Anyway, here's my config to connect to a Sonicwall 2040 using the 3.0 beta.
I figure it should be good for most current Sonicwall stuff. It's not
comprehensive, since I've been using VPNTracker for awhile, but it should
at least get you in the ballpark. I use XAUTH and DHCP for my config.
Start a new config. I'm only showing the things you have to change. I don't
use DNS on the VPN, so I'm leaving it alone.
--- On the Sonicwall --- Use the VPN wizard to get things started, using the defaults.
- In the general VPN settings, change the unique firewall identifier to the
Sonicwall's public IP.
- In the advanced VPN policy for the groupvpn, require XAUTH (trusted
users).
- In the client settings for the groupvpn, change virtual adapter settings to
DHCP Lease or Manual Configuration.
-- In IPSecuritas ----- General
- Remote Device: <Sonicwall IP>
- Remote side network address: <Remote VPN network>
--- Phase 1
- DH Group: 1024 (2)
- Encryption: 3DES
- Authentication: SHA-1
- Exchange Mode: Agressive
- Proposal Check: Claim
--- Phase 2
- PFS Group: None
- Encryption: Only DES & 3DES
- Authentication: Only MD5 & SHA-1
--- ID
- Authenticaiton Method: XAuth PSK
- Preshared Key: <from the Sonicwall>
- Username/Password: <the user/pass you created on the Sonicwall with
VPN priviledges>
Connect to Remote Client
Connect to Remote Client
by surfincajun on 2006-11-15 20:11:52 +0100
Hello,
I have no idea how to set this up to work correctly. I have tried setting it up
and all i get is on the last line:
Resize address pool from 0 to 255.
Settings I need are as follows (From remote Firewall)
shared secret: XXXXXX (This is have no problems with)
IKE negotiation every 1440 seconds
Phase 1:
3DES, SHA1, DH group 2
Pase 2:
AES-256, MD5, DH group 2
Our Networks inside the tunnel:
10.70/16
10.50/16
192.168.14.0/24
IP address of our firewall:
xx.xx.xx.xxx (Full IP Address of Firewall WAN)
If anyone can point me in the right direction or let me know what additional
settings I need to complete the tunnell I would greatly appreciate it.
Beta version will expire soon
Beta version will expire soon
by yves_kayak on 2006-11-28 05:00:58 +0100
Hello everybody,
I installed IpSecuritas 3.0 beta 14 on October 11. When I start the
application, I get a popup :
"This is a beta version of IPSecuritas, which will expire in 6 days. Please
download a more recent version from our web page."
I went to the web site, and it seems that Beta 14 is currently the most
recent version.
Did someone get this message a couple of days ago ? What happened after
the delay expired ? Is someone aware of a new version available within a
couple of days ? Can I reinstall beta 14 and use it until a new version
comes out ?
Thanks,
Yves Forget
Re: Beta version will expire soon
by Forum Admin on 2006-11-28 09:22:15 +0100
Hello,
we will make the release candidate available in the coming couple of days.
The release candidate will not expiry anymore and will be replaced by the
final version hopefully soon.
Cheers,
Christoph
Actiontec GT701-WG
Actiontec GT701-WG
by Cam on 2006-12-01 21:32:38 +0100
Does anyone have an experience using IPSecuritas through an Actiontec
GT701-WG to get into a Netscreen 5GT? We have a remote user who cannot
get VPN to work and I'm not having much luck connecting to her modem
remotely to attempt troubleshooting.
IPSecuritas 3.0 Release Candiate
IPSecuritas 3.0 Release Candiate
by Forum Admin on 2006-12-02 17:40:59 +0100
We're proud to announce the release candiate of IPSecuritas 3.0.
Please go to http://www.lobotomo.com/products/IPSecuritas/beta.html for
more information.
The IPSecuritas Team.
Re: IPSecuritas 3.0 Release Candiate
by robotguy on 2007-02-08 14:43:20 +0100
Thanks for the release candidate!
I am able to get this working with my firewall and love the changes. You
mention in your feature list that XAUTH will be included but there are some
forum posts that go both ways on this. Is it yet-to-be-included or is it
there and I can't find it. I would expect a username/password field
somewhere in the ID section or perhaps a popup requesting these when
logging in.
For now, I am not using XAUTH and things work but I will need to change
this in the long run to please our system administrator.
Any news on this?
by houser on 2007-02-09 16:44:33 +0100
Hello,
This version seems to work great for us, thanx for making a nice bit of
code!
Just a quick question:
Everything seems to work perfectly...
..but if I set log level to "warning" I get this when I logon:
[code]IPSecuritas 3.0rc build 1040, Fri Dec 1 21:00:13 CET 2006, nadig
Darwin 8.8.3 Darwin Kernel Version 8.8.3: Wed Oct 18 21:57:10 PDT 2006;
Feb 09, 16:37:00 Warning IKE Foreground mode.
Feb 09, 16:37:07 Warning IKE ignore RESPONDER-LIFETIME notification.
Feb 09, 16:37:07 Warning IKE attribute has been modified.
[/code]
All seems to work as expected.
Is my VPN safe still?
Is there any setting I should tweak
thanx for your time!
best
Janne A.
by cnadig on 2007-02-09 18:02:05 +0100
Hi Janne,
don't worry - the notification is sent by the remote side to indicate that the
time your side proposes for phase is longer than what the remote side
allows. You might see some connection iterruption after the remote time
has bee reached.
Security is not affected.
To get rid of the warning, just lower the lifetime value in phase 2 to a value
that the remote side accepts.
Hope this helps,
Christoph
by houser on 2007-02-11 12:04:24 +0100
Thanx very much for that, I will give it a whirl...
I assume you mean the "lifetime" setting in phase 2?
It is now 28800secs.. and I can't find the appropriate setting on
the remoteside ( Juniper, NETSCREEN 5GT) to correspond to.
I can't get these things in the log to go away:
So I guess I can ignore that then for now......
Thanx so much for listening!
best
Janne A.
[code]IPSecuritas 3.0rc build 1040, Fri Dec 1 21:00:13 CET 2006, nadig
Feb 11, 11:58:19 Error IKE Foreground mode.
Feb 11, 11:58:24 Warning IKE attribute has been modified.
[/code]
by budy on 2007-02-22 15:39:36 +0100
Hi Christoph,
I am running 3.0rc on my MBP connecting to our VPN-1 NGX R62. As os in
Beta 14 of 3.0 it seems that I cannot get the DNS to work at all.
I have setp up our main domain jvm.de in the DNS section and have also
setup our internal DNS servers, but I am not able to lookup any internal
host.
I know that this wa sa bug in beta 14 and I hoped that it would have been
resolved in this version.
Thanks,
Budy
by budy on 2007-02-22 15:55:45 +0100
Hi,
I have to jump in here again. It seems that the problem is more related to
lookupd on my Mac OS X installation. As I have just noticed, IPSeciritas
places its <domain>.ipsecuritas file in /etc/resolvers but lookupd just
seems to ignore it.
Even after restarting lookupd I still can not look up any hosts from that
domain.
Any ideas, anyone?
Thanks,
Budy
by budy on 2007-02-22 17:21:27 +0100
Now, that's fun. It turns out that the only application that does not make
use of /etc/resolver/... seems to be the terminal.
And tobe hornest, that was the one I tried first. All other apps connect to
our internal server just fine.
Cheers,
Budy
by glamm on 2007-03-22 20:02:51 +0100
[quote author=robotguy link=1165077659/0#1 date=1170942200]Thanks
for the release candidate!
I am able to get this working with my firewall and love the changes. You
mention in your feature list that XAUTH will be included but there are some
forum posts that go both ways on this. Is it yet-to-be-included or is it
there and I can't find it. I would expect a username/password field
somewhere in the ID section or perhaps a popup requesting these when
logging in.
Any news on this?[/quote]
I would love to have XAUTH + Certificate authentication as supported by
Secure Computing's Sidewinder product. Any news on if this is possible or
expected?
by omega_red on 2007-03-26 00:08:46 +0200
Feature Request:
Select profile's from menu and widget.
Im using the profiles to connect to various company's, if i dont use the
profiles i will connect to all the company's eatch time i start ipsec. Or is
there a way to connect to only one connection if they are in the same
profile?
If this feature is included and the xauth problem with the zywall 5 is
solved(see my topic on the forum: [url]http://www.lobotomo.com/cgi-bin
/yabb/YaBB.pl?board=IPSecuritas;action=display;num=1173957250[/url]),
this is the absolute best ipsec software for the mac!
One issue with RC3
by coreyva on 2007-05-11 03:30:50 +0200
Exporting then importing a protected connection requires a password
before connection start even if unchecked.
by Forum Admin on 2007-05-12 11:25:36 +0200
Hi,
thank you very much for the bug report - I fixed it.
In the meantime, uncheck both 'Admin Password' and 'Query Password' and
you shoulnd't be asked for a password.
Cheers,
Christoph
XAuth bug in the 3.0RC build 1040
XAuth bug in the 3.0RC build 1040
by signal15 on 2006-12-06 19:56:41 +0100
When connecting to a Netscreen, I get the following error on the netscreen:
[code]
Rejected an IKE packet on untrust from y.y.y.y:2399 to x.x.x.x:4500 with
cookies e808852d932c2964 and b20e19b73074190d because a Phase 2
packet arrived while XAuth was still pending.
[/code]
Have others had this problem? It appears that it's not sending the
password.
[SOLVED] VPN to multiple networks
[SOLVED] VPN to multiple networks
by mtoivo on 2006-12-20 14:45:03 +0100
Hi all.
I'm trying to get IPSecuritas to route two remote networks (10.0.0.0/24 and
10.0.1.0/24) via the same connection. I've set them up in 'Connections' as
remote side endpoint mode (networks), but after connection is established,
only the upper network in the list gets routed. I tried increasing the
netmask to 23 (to cover addresses from 10.0.0.1 to 10.0.1.254) with no
luck. Funny enough, I couldn't get it work with vpntracker either. Firewall
(sonicwall tz170) isn't the problem, I'm sure of that, because it routes
similiar networks constantly. And if I'm fast enough, I'm able to ping the
other network too while connection is being established, but after that it
doesn't respond anymore. Is there any way of debugging the mac os x
ipsec-layer in a way that I could see routes and stuff?
Thanks!
Mikko Toivola
Re: [SOLVED] VPN to multiple networks
by mtoivo on 2006-12-20 15:55:24 +0100
Ah, I forgot to set 'Unique SAs' at the options tab. I must have disabled that
while trying to make it establish the connection at first. I'm kind of newbie
to these VPN-thingies, didn't even know what that meant.
IP range ...
IP range ...
by thegnorf on 2006-12-20 16:18:42 +0100
Hello !
Perhaps can someone help me in this trouble :
I used to play with IPSec 2 for a while, and I'm now testing the 3rd version
(3.0) ...
I found that I can't have a "local side host IP" in the same range my "Remote
Side Network IP".
This configuration used to work with the IPsec v.2 , but now only pop up a :
"collision between local and remote network" warning.
Did someone had the same difficulties ? Is it a bug or will this never work
again ?
Of course, I could change all my IP ranges but .... it wouldn't be fun ; -)
Thank you !
Re: IP range ...
by brlandy on 2006-12-26 23:12:05 +0100
I had the same problem, I'm using OpenBSD as my remote gateway. In the
end I reconfigured the OpenBSD side using the newer, easier, ipsec.conf
file. At that point it properly routed to my client address even if I specified
a client address outside of the remote network's range. This ended up
working a lot better than my old setup, which required something like arpd
on the gateway to route properly.
So, I decided the warning was reasonable and a better setup was needed to
avoid it.
3.0rc: XAuth and mode cfg working?
3.0rc: XAuth and mode cfg working?
by frankly on 2006-12-27 11:47:58 +0100
Hi,
is xauth and mode_cfg supposed to work? I cannot establish a connection
using it :(
(works with VPN tracker, if mode cfg is switched on)
Thanks
Frank
Re: 3.0rc: XAuth and mode cfg working?
by helium on 2007-01-20 22:09:58 +0100
I ran the version of racoon that ships with IPSecuritas manually and had it
dump the parsed config file, and rather than parse the xauth config
directive correctly racoon thinks it should use gss. Try it yourself with
racoon -C on the config file IPSecuritas generates - you can grab it by
starting a connection and making a copy of the racoon.conf and psk.txt
that end up in /Library/Application Support/Lobotomo/IPSecuritas while a
connection is running.
UPDATE: I grabbed the latest CVS of ipsec-tools, compiled them myself,
and found it followed the same behavior. In algorithms.[ch], there's a static
struct defined that contains mappings for the config tokens to functions
that implement each algorithm, and for reasons I've not yet uncovered the
wrong one is being selected when any of the hybrid_* or xauth_* directives
are being given.
racoon crash (with 3.0rc)
racoon crash (with 3.0rc)
by frankly on 2007-01-03 06:57:40 +0100
Hi,
still trying to use xauth togehter with mode_cfg.
racoon crashes during connection:
** racoon.crash.log:
Date/Time:
2007-01-03 06:34:42.826 +0100
OS Version:
10.4.8 (Build 8L127)
Report Version: 4
Command: racoon
Path: /Library/StartupItems/IPSecuritasDaemon/racoon
Parent: IPSecuritasDaemon [215]
Version: ??? (???)
PID: 5739
Thread: 0
Exception: EXC_BAD_ACCESS (0x0001)
Codes:
KERN_PROTECTION_FAILURE (0x0002) at 0x00000001
Thread 0 Crashed:
0 racoon
0x0002c3f0 getsockmyaddr + 76
1 racoon
0x00006120 isakmp_send + 260
2 racoon
0x00006454 isakmp_ph2resend + 152
3 racoon
0x00037240 schedular + 132
4 racoon
0x00002998 session + 520
5 racoon
0x00002468 main + 648
6 racoon
0x00001bfc _start + 392
7 dyld
0x8fe01048 _dyld_start + 60
Binary Images Description:
0x1000 - 0x69fff racoon
/Library/StartupItems/IPSecuritasDaemon
/racoon
0x8fe00000 - 0x8fe51fff dyld 45.3
/usr/lib/dyld
0x90000000 - 0x901bcfff libSystem.B.dylib
/usr/lib/libSystem.B.dylib
0x90214000 - 0x90219fff libmathCommon.A.dylib
/usr/lib/system
/libmathCommon.A.dylib
0x91a0c000 - 0x91ad3fff libcrypto.0.9.7.dylib
/usr/lib
/libcrypto.0.9.7.dylib
0x94f68000 - 0x94f85fff libresolv.9.dylib
/usr/lib/libresolv.9.dylib
** from the IPsecuritas log:
IPSecuritas 3.0rc build 1040, Fri Dec 1 21:00:13 CET 2006, nadig
Jan 03, 06:34:19 Info
Jan 03, 06:34:19 Info
APP IPSec started
Jan 03, 06:34:19 Debug APP State change from IDLE to RUNNING after
event START
Jan 03, 06:34:19 Debug APP Received SADB message type X_SPDUPDATE
- not interesting
- not interesting
Jan 03, 06:34:19 Error IKE Foreground mode.
Jan 03, 06:34:19 Info
two simultaneous connections?
two simultaneous connections?
by zoomin on 2007-01-03 20:15:00 +0100
Hello,
I am using IPSecuritas v2.2 with Intel MacBook OSX 10.4.8.
It works really well with Fortigate-60 vpn firwalls from Fortinet, but I can
only establish one tunnel at a time. Is this by design or what am I missing? I
can connect to either one just fine but once connected, the other tunnel will
not connect. They are Host to Network tunnels and the remote networks
ARE different (192.168.24.0/24 and 192.168.31.0/24).
Thanks very much.
Re: two simultaneous connections?
by mtoivo on 2007-01-09 10:24:04 +0100
Stumbled to this same problem too, see my topic a bit lower here :).
Resolution was to set "Unique SAs" option for the connection. I'm using
3.0rc version, but I think that's the reason. After that I managed to set up
two individual tunnels or configure a connection with host to networks
mode. Remote endpoint is Sonicwall TZ170.
Re: two simultaneous connections?
by zoomin on 2007-01-15 17:49:03 +0100
[quote author=mtoivo link=1167851700/0#1 date=1168334644]Stumbled
to this same problem too, see my topic a bit lower here :). Resolution was
to set "Unique SAs" option for the connection. I'm using 3.0rc version, but I
think that's the reason. After that I managed to set up two individual
tunnels or configure a connection with host to networks mode. Remote
endpoint is Sonicwall TZ170.[/quote]
Thanks for the intel, but I think my situation is different, in that I am not
trying to setup a route to two subnets via a single ipsec connection, I am
trying to establish two or more IPSEC connections to different subnet (and
different endpoints) at the same time.
i.e. I am trying to get my IPSEC tunnel to a branch office in Burnaby to be up
at the same time as my IPSEC tunnel to Vancouver, etc.
IPSecuritas 3.0rc and Lookupd
IPSecuritas 3.0rc and Lookupd
by nickl on 2007-01-04 07:32:03 +0100
This is a Mac OS X 10.4.8 system on a MacBook Pro with IPSecuritas 3.0rc.
Has anyone had troube with IPSecuritas killing the resolver and
authentication services?
This appears to be a reproducible issue after having restarted a VPN session
multiple times. Lookupd will crash; manually restarting it doesn't help. Any
attempts at user authentication with sudo or programs requesting admin
access will fail. This can be really annoying when waking the computer from
sleep and it won't accept your password. A full reboot appears to be the
only solution.
Re: IPSecuritas 3.0rc and Lookupd
by mtoivo on 2007-01-09 10:19:03 +0100
I have exactly same issues with ne 3.0rc too, talkin' about annoying feature.
Didn't manage to trace it back to lookupd, allthough I saw it crashing in the
reports. I figured it had to be ipsecuritas fault, since after installing it this
started happening. I removed some other old services (like xgrid and such)
which also seemed to be crashing. Now the only solution is to kill all VPNs
before putting computer to sleep.
I came to this forum because I can't get /etc/resolver -thing to work at all.
IPSecuritas sets it up correctly (file named domain.tld, which contains
correct nameserver -statement) and queries to the server works with dig no
prob. Restarting lookupd or -flushcache doesn't help.
by graabein on 2007-01-16 00:45:53 +0100
Exact same problem, exact same versions of Mac OS X and IPSecuritas
(10.4.8 and 3.0rc).
This problem has been driving me nuts and has caused me to have real
data loss. Needless to say I'd like to see it fixed... (not least because
IPSecuritas is a brilliant little utility).
I've been running with DNS resolver enabled for all my connections (and it
works for me, BTW), so I thought I'd try to disable that feature first and see
if that helps.
Anyone else who've seen this IPSecuritas/lookupd problem had any luck
with just disabling the DNS resolver functionality of IPSecuritas?
Gunnar
by Forum Admin on 2007-01-16 22:58:13 +0100
Hello,
thank you very much for your feedback! I can confirm this behaviour and a
bug fix is currently in testing.
I will release another 3.0 Release Candidate fixing this and a few other
issues shortly.
Christoph
by mtoivo on 2007-01-19 09:17:34 +0100
Glad to know this is known bug now. My /etc/resolver -issues was not a
problem after all. 'host' -command just didn't look from there, ping,
web-browser etc worked fine. I just might turn off DNS resolver-thing until
fix comes out, I have statically set /etc/resolver -file so there's no need for
ipsecuritas to set it.
3.0rc Host -> Anywhere Setup
3.0rc Host -> Anywhere Setup
by nickl on 2007-01-04 07:56:17 +0100
I've been having trouble getting packets to route over the VPN with a host
to anywhere configuration. The gif0 interface doesn't appear to have been
brought up and no routes are configured to send packets through the
tunnel. Should I be able to get this working?
If I change the IPSecuritas settings to use a fixed IP address (10.1.0.x) to
our 10.20/16 network, packets will be tunneled as expected. Other than
this change in the connection's general tab, the IPSecuritas settings are
identical.
I'm attaching two sets of setkey/netstat data below.
Host -> Anywhere Info
$ sudo setkey -DP
0.0.0.0[any] 172.16.1.7[any] any
in ipsec
esp/tunnel/xxx.xxx.xxx.xxx-172.16.1.7/require
refcnt=1
0.0.0.0[500] 172.16.1.7[500] any
in none
refcnt=1
172.16.1.7[any] 0.0.0.0[any] any
out ipsec
esp/tunnel/172.16.1.7-xxx.xxx.xxx.xxx/require
refcnt=1
172.16.1.7[500] 0.0.0.0[500] any
out none
refcnt=1
$ sudo setkey -D
172.16.1.7 xxx.xxx.xxx.xxx
esp mode=tunnel spi=1423428023(0x54d7c9b7)
reqid=0(0x00000000)
E: rijndael-cbc 5bd78fe6 d2a9caa6 8de03783 37d4a984
A: hmac-sha1 693c10b7 0e2045d9 fe5b9aa5 eee29d7d 946f218a
last: Jan 3 20:09:44 2007
hard: 0(s)
soft: 0(s)
refcnt=2
xxx.xxx.xxx.xxx 172.16.1.7
esp mode=tunnel spi=18373546(0x01185baa) reqid=0(0x00000000)
E: rijndael-cbc eb32ead6 62d69f39 b5c218f6 b344ad21
A: hmac-sha1 9c65fb38 c8ceed5b 4a5d71de 11fda7a2 6eaa729d
last:
hard: 0(s)
soft: 0(s)
current: 0(bytes)
refcnt=1
$ netstat -rn
Routing tables
Re: 3.0rc Host -> Anywhere Setup
by nickl on 2007-01-04 07:57:14 +0100
IP Address -> Subnet Info
$ sudo setkey -DP
10.20.0.0/16[any] 10.1.0.2[any] any
in ipsec
esp/tunnel/xxx.xxx.xxx.xxx-172.16.1.7/require
refcnt=1
10.1.0.2[any] 10.20.0.0/16[any] any
out ipsec
esp/tunnel/172.16.1.7-xxx.xxx.xxx.xxx/require
refcnt=1
$ sudo setkey -D
172.16.1.7 xxx.xxx.xxx.xxx
esp mode=tunnel spi=1690473783(0x64c29537) reqid=0(0x00000000)
E: rijndael-cbc 883a30eb f9cb44f4 8f27afb2 73065665
A: hmac-sha1 559fa16e 9815adde 2575519d 26b411b5 e6519408
diff: 61(s)
hard: 28800(s) soft: 23040(s)
last: Jan 3 21:53:39 2007
hard: 0(s)
soft: 0(s)
refcnt=2
xxx.xxx.xxx.xxx 172.16.1.7
esp mode=tunnel spi=12559986(0x00bfa672) reqid=0(0x00000000)
E: rijndael-cbc d0f55e15 697e60e1 20ee4d91 41053bdb
A: hmac-sha1 6faff285 34ae44f3 06565f6e 5c5d3db7 c5bffcb0
diff: 61(s)
hard: 28800(s) soft: 23040(s)
last: Jan 3 21:53:39 2007
hard: 0(s)
soft: 0(s)
refcnt=1
$ netstat -rn
Routing tables
Internet:
Destination
Gateway
Flags Refs
Use Netif Expire
default
172.16.1.1
UGSc
19
9 en1
10.20.0.0
10.1.0.2
UH
1
9 gif0
10.20/16
gif0
USc
2
0 gif0
127
127.0.0.1
UCS
0
0 lo0
127.0.0.1
127.0.0.1
UH
20
6430 lo0
169.254
link#5
UCS
0
0 en1
172.16.1/24
link#5
UCS
1
0 en1
172.16.1.1
0:3:93:e4:86:12 UHLW
19
147 en1 1031
172.16.1.7
127.0.0.1
UHS
0
2 lo0
Internet6:
Destination
Gateway
Flags
Netif Expire
::1
::1
UH
lo0
fe80::%lo0/64
fe80::1%lo0
Uc
lo0
fe80::1%lo0
link#1
UHL
lo0
fe80::%en1/64
link#5
UC
en1
fe80::216:cbff:fe05:cff%en1
0:16:cb:5:c:ff
UHL
lo0
ff01::/32
::1
U
lo0
by Keen on 2007-02-07 16:55:25 +0100
Hi!
it's bug in SPD entries: "any" must be set like 0.0.0.0/0[any], but we see
only host configuration: 0.0.0.0[any]. setkey use default mask /32 insted of
/0. Developers, read documentation attentively!
PS: Sorry for my english.
by cnadig on 2007-02-07 17:59:17 +0100
Thanks for the hint - fixed it and will be part of the release.
Thanks,
Christoph
by smpte on 2007-02-19 16:52:59 +0100
So for those of us trying to do a -> anywhere connection, for now, what do
we do prior to the release? Default route in the -> network set up?
Cannot connect to WatchGuard Firebox X550e
Cannot connect to WatchGuard Firebox X550e
by trehune on 2007-01-05 23:04:44 +0100
Hi,
I'm trying out the IPSecuritas 3.0rc but I can't get it to work with an
WatchGuard Firebox X550 running Fireware 8.3.
I have worked alot with VPN but I can't really get this up and running.
My private IP: 192.168.1.103
My firewalls IP: 222.250.45.240
X550e public IP: 213.85.37.3
The Firewall I'm behind is a WatchGuard Edge X5 Wireless, which support
IPSec passtrough.
Firebox log:
01-05 22:29:22 iked Searching ID: user domain - myData [MUVPN-Test]
peerId [MUVPN-Test]
01-05 22:29:22 Process INFO_EXCHANGE : EncryptBit set before SA
created new_msg=" Process INFO_EXCHANGE : EncryptBit set before SA
created"
01-05 22:29:22 CreateIsakmpSA : get rasUserGroupId=2 new_msg="
CreateIsakmpSA : get rasUserGroupId=2 "
01-05 22:29:22 iked Phase 1 started by peer with policy [MUVPN-Test_mu]
from 222.250.45.240:500 aggressive mode
01-05 22:29:22 iked Sending second message with policy [MUVPNTest_mu] to 222.250.45.240:500 aggressive mode
01-05 22:29:22 Process INFO_EXCHANGE : EncryptBit set before SA
created new_msg=" Process INFO_EXCHANGE : EncryptBit set before SA
created"
01-05 22:29:22 iked Cannot process the inform message from
222.250.45.240:500 cookies i=f38b8b37 c924f37c r=a81072e4 f2a7f6eb
01-05 22:29:28 Deny 222.250.45.240 213.85.37.3 icmp-Dest_Unreach
code(3) 0-External Firebox icmp error with data src_ip=213.85.37.3
dst_ip=192.168.1.103 pr=ike/udp src_port=500 dst_port=500
src_intf='0-External' dst_intf='0-External' can not match any flow, drop
this packet 56 50 (internal policy) src_user="testuser1@Firebox-DB"
01-05 22:29:34 iked Cannot process the inform message from
222.250.45.240:500 cookies i=f38b8b37 c924f37c r=a81072e4 f2a7f6eb
01-05 22:29:34 iked Drop negotiation due to peer 222.250.45.240:500
phase one retry timeout
IPSecuritas log:
Jan 05, 22:29:20 Info
Jan 05, 22:29:20 Info
APP IPSec started
Jan 05, 22:29:20 Info
Jan 05, 22:29:20 Info
IKE @(#)This product linked OpenSSL 0.9.7l 28
Sep 2006 (http://www.openssl.org/)
Jan 05, 22:29:20 Info
Jan 05, 22:29:20 Info
Jan 05, 22:29:21 Info
Jan 05, 22:29:21 Error IKE No SIG was passed, hybrid auth is enabled,
but peer is no Xauth compliant
Jan 05, 22:29:24 Info
Re: Cannot connect to WatchGuard Firebox X550e
by cman on 2008-11-19 06:04:39 +0100
Did you ever solve this problem? I am having the same with a Watchguard
X700
Linksys WRV54G
Linksys WRV54G
by jrr316 on 2007-01-08 18:26:46 +0100
I am trying to connect to a link WRV54G from a Mac running OSX 10.4.8
using IPSecuritas. I am a little stuck. I can get the linksys utility to connect
from my Windows install, but on the mac it gets stuck on authentication.
Anyone get this working that would share screen shots of router
configuration and IPSecuritas?
[email protected]
Thanks!
-Justin
Re: Linksys WRV54G
by gogojohn on 2007-04-24 19:40:58 +0200
I'm working on this as well. I have both a WRV54g and a WRV200 which I
need to connect to.
Since 3.0rc has support for the WRV200, that's what I'm focusing on first. I
doubt that the WRV54g will be much different to get working afterward.
Once I have some success, I'll share what I find with you.
Re: Linksys WRV54G
by gogojohn on 2007-04-24 23:01:06 +0200
After spending about a day trying to figure out how to establish a
connection to the WRV54G, I tried out VPN Tracker. It worked. So this
confirms that it [i]is[/i] possible to connect to the unit with my PowerBook.
I'll keep trying to get IPSecuritas 3.0rc to work. But in the meantime, I'll use
the VPN Tracker solution, so that at least I can get on with my business.
If/when I do come across a solution, I will share it.
For sake of providing any useful details on the problems that I've been
experiencing though, here's the rundown:
[list]
[*] cannot get past phase1 of negotiating the connection
[*] using pre-shared key, but this isn't working
[*] have attempted in various ways to use the username and password that
can be created to provide individual accounts for QuickVPN (this is the
same set that I know works fine with my PC using QuickVPN), to no avail
[*] upon inspection the only difference between the settings for the two
tools is that VPN Tracker allows PFS (Perfect Forward Secrecy) to be enabled
and disabled
[*] apart from that, all the other configuration details appear to be the same
[*] during testing, I've been using a dial-up connection as I haven't had
access to a nearby open AP, or from another location (does IPSecuritas have
issues with PPP connections?)
[*] the profile in VPN Tracker that worked was for the Linksys BEFVP41
[/list]
And finally: I haven't yet had a chance to work with the WRV200. The one
that I use is at a remote location and appears to need a reboot... so I'll try it
later and provide success/failure details. Perhaps it will also help to shed
some light upon the WRV54G situation?
Where is the config saved?
Where is the config saved?
by praenti on 2007-01-10 23:58:28 +0100
Hi,
anybody here who can tell me where the configuration is saved?
Needed a new harddisk in my iBook and want to migrate the old config
from the old harddisk to the new one.
But I haven't found the configuration file and joping you can tell me, where
it is.
Cheers,
Mike
P.S.: The forum has some problems to access graphics and the profile so I
cannot change my password. Please correct that.
Re: Where is the config saved?
by mtoivo on 2007-01-11 01:28:56 +0100
Hi. I think the configs are in /Library/Application Support/Lobotomo
Software/IPSecuritas There seems to be file 'configuration.data', which I
thought might be the configuration file, but can't say since it's binary.
Strange way to save such configuration as system wide, in user's Library
there's nothing.
Re: Where is the config saved?
by praenti on 2007-01-11 09:26:29 +0100
Thank you for the quick response.
Sorry that I cannot give you any more information if this answer is correct,
because the expected headcrash of my old harddrive happened yesterday...
:-(.
(harddrive changed because of a bearing damage of the spin motor which
can result in a headcrash)
But a additional note. My VPN connection is running now again ;-).
Cheers,
Mike
3.0rc connecting to a Cisco PIX?
3.0rc connecting to a Cisco PIX?
by helium on 2007-01-18 23:42:42 +0100
Anyone had any luck connecting to a PIX with 3.0rc? I can't seem to get past
phase 1 negotiation.
On the PIX side, I'm using vpngroups for username/password
authentication. On the IPSecuritas side, I've selected Hybrid and entered the
username/password there.
My phase 1 settings on the client match those on the PIX, and yet for the
life of me I can't manage to make a connection.
I've looked through the racoon.conf and psk.txt file IPSecuritas temporarily
generates at runtime, and both look reasonable enough.
I've tried enabling/disabling MODE_CFG, situation identity only, DOI, unique
SA's and initial contact, but perhaps i'm missing the right combination.
All suggestions/feedback welcome.
Thanks.
Re: 3.0rc connecting to a Cisco PIX?
by helium on 2007-01-19 16:27:36 +0100
[quote author=helium link=1169160162/0#0 date=1169160162]Anyone
had any luck connecting to a PIX with 3.0rc? I can't seem to get past phase
1 negotiation.
On the PIX side, I'm using vpngroups for username/password
authentication. On the IPSecuritas side, I've selected Hybrid and entered the
username/password there.
My phase 1 settings on the client match those on the PIX, and yet for the
life of me I can't manage to make a connection.
I've looked through the racoon.conf and psk.txt file IPSecuritas temporarily
generates at runtime, and both look reasonable enough.
I've tried enabling/disabling MODE_CFG, situation identity only, DOI, unique
SA's and initial contact, but perhaps i'm missing the right combination.
All suggestions/feedback welcome.
Thanks.[/quote]
I manually figured out the issue. To connect, you need to use
pre_shared_key as the algorithm, and local identifier needs to be in the
form of 'my_identifier keyid tag "remote_username"'.
Any chance the interface for 3.0 could be updated to allow KeyID as one of
the selections, and then have the above config syntax output when it's
selected? Obviously, the "remote_username" would be whatever is entered
into the text field when KeyID is selected.
Thanks.
IPSec mobile clients and split horizon
IPSec mobile clients and split horizon
by lonnie on 2007-01-27 20:34:51 +0100
Hi,
Client: Mac OS 10.4, IPSecuritas 3.0rc
Server: m0n0wall 1.22, Soekris net4801, WAN, LAN, DMZ
I had a common problem with others here, using IPSec mobile clients and
the resulting split horizon, ie. only traffic to your local network is sent over
the tunnel, all other traffic is sent direct, un-encrypted.
The particular problem for me was my public POP3 and SMTP servers. One
solution would be to run some sort of local proxy for these services, but I
prefer that solution as last resort.
I have solved this problem, and all comments are welcome.
In my IPSec client (IPSecuritas 3.0 on Mac OS 10.4) I define my local
endpoint as "Host" and remote endpoint as "Networks" (plural).
I need to specify a local address for the "Host" (so the routing works), so I
use an unused address in the DMZ. (Would a static route be a better thing
to do?)
The Networks are:
10.10.10.0/24 # local LAN
216.x.y.z/32 # public POP3 server
68.a.b.c/32 # public SMTP server
The final 'trick' is in the 'Options' tab is to check "Unique SAs". This forces
m0n0wall to make policies for each of these networks.
In this scenario, remote traffic to the private LAN and public POP3 and SMTP
servers are included in the IPSec tunnels.
Hope this helps others.
Lonnie
IPSecuritas 3.0rc Menu
IPSecuritas 3.0rc Menu
by lonnie on 2007-01-27 20:57:27 +0100
First, I want express how wonderful IPSecuritas 3 is, definitely worth a
paypal donation.
May I make a suggestion (feature request) for the new menu bar menu.
Since I use both PPTP and IPSec, it would be nice, for the sake of
consistency, that they worked similarly.
My suggestion...
-/ /-----------------VPN: Idle / Connected / Authenticating (item Disabled)
-----------------Connect / Disconnect / Cancel
-----------------IPSec (item Disabled)
o Home VPN
o Office VPN
-----------------Profie (item Disabled)
Other (active profile checked)
Work
-----------------Open IPSecuritas...
------------------
Key points:
1) Change profiles via menu. Show active profile.
2) Open IPSecuritas application via menu.
3) Act similar to PPTP menu.
Any other ideas?
Lonnie
Netgear FVS338
Netgear FVS338
by superglu on 2007-01-30 01:05:32 +0100
Has anyone got the FVS338 to work with IPSecuritas? I know it supports
FVS328, but how about 338?
Thanks!
3.0rc "Connection Surveillance" Defaults
3.0rc "Connection Surveillance" Defaults
by lonnie on 2007-01-31 04:40:02 +0100
IPSecuritas -> Preferences -> "Connection Surveillance" [Ping Interval: and
Ping Timeout:]
Does anyone else think the defaults for 'Ping Interval' and 'Ping Timeout' are
reversed?
My suggestion is:
Ping Interval: 30 sec.
Ping Timeout: 3 sec.
If not, please tell me the error of my thinking.
Lonnie
Connection to Cisco VPN Concentrator 3000
Connection to Cisco VPN Concentrator 3000
by nacho319 on 2007-02-01 13:20:24 +0100
I'm trying to connect to a Cisco VPN Concentrator and I can't get past Phase
1. I've done network traces comparing what my Mac does to attempt to
connect versus what my Windows machine running the Cisco client does to
connect.
Right now, I think the problem is that I can't get the Mac to use an ID type
of KEY_ID, type 11. The options are Address, FQDN, User FQDN, and
Certificate. So I think that would be my stumbling block at this point.
Is there a way to make IPSecuritas use that identity type? Right now, the
Cisco won't even send a reply packet to me with the offer I send it.
thanks,
Chris
Re: Connection to Cisco VPN Concentrator 3000
by nacho319 on 2007-02-01 13:28:31 +0100
Ok, so the Cisco didn't really care about that at all. It just wanted me to
change my ID from Hybrid to Xauth-PSK. Stupid machine, I thought
Xauth-PSK isn't secure, and Hybrid is better......
lost packets connecting to SonicWall
lost packets connecting to SonicWall
by Dave on 2007-02-05 04:37:05 +0100
I've been having a consistent problem with 3.0RC when connecting to
work's SonicWall (TZ150, I think); the problem shows up as lost packets.
The connection is to a network using Xauth-PSK and while I get the "green
light" and can ping fine, I can't view internal websites if they contain a lot of
data; simple sites load fine. For example, I'll get a redirect response or a
authentication needed response fine but the full page won't load; it just sits
there waiting. It feels very similar to a problem I've seen before, namely
fragmented packets being dropped. So a small packet containing just a 30x
redirect will get through but the full website packets will all be fragmented
and dropped.
In the past (beta 6), simply setting my MTU would fix it and all would be
fine. But now, setting that doesn't seem to help at all; the page still stalls
(and eventually times out, sometimes).
So my question is, does IPsecuritas do automatic MTU adjustment? If not, is
there some way I can trace this to determine who, if anyone, is dropping
the packets? The logs don't really show anything interesting.
P.S. Thanks for fixing the icons and other aspects of the site. I can't register
with my preferred username because it is in that 1/2 registered state where
it was trying to send me the email but couldn't.
Re: lost packets connecting to SonicWall
by Manuel on 2007-03-15 16:10:40 +0100
That's interesting, I was having the same problem connecting to our Pro
3060 - it looked like an MTU size problem. What's even more interesting is
that the problem only showed up when I was opening a tunnel to multiple
networks, *and* when the networks were from both the LAN and the DMZ.
Opening a tunnel to the LAN or the DMZ only didn't trigger the problem.
Then I uninstalled everything and started from scratch, and it doesn't do it
anymore. I have no idea of what I did to fix it, but now it works... sorry I
can't help, it's just to tell you that the problem does exist, and that it can be
fixed - somehow.
by Dave on 2007-03-17 22:26:37 +0100
[quote author=Manuel link=1170646625/0#1 date=1173971440]Then I
uninstalled everything and started from scratch, and it doesn't do it
anymore.[/quote]
I also installed VPN Tracker but was having the same issue so I uninstalled
IPSecuritas completely, including logging out. When I reinstalled, I had to
drop the MTU to 1400 but it would connect! I tried it yesterday with the
MTU at 1500 and it [i]still[/i] connects. Yay! :D The only issue I have now is
that an https connection still stalls but that isn't that big a deal since I can
get to that (internal) site in other ways.
The final test will be rebooting and seeing if things still work. But I think
they will so thanks! :-)
by Dave on 2007-03-27 23:26:12 +0200
Update: I rebooted and it [i]didn't[/i] work; it stalled in the "usual" place.
However, setting the MTU down to 1400 allowed it to connect and then
setting it back to 1500 didn't change its ability to connect. So, for some
reason, the MTU has to be jiggled but it only appears to be required once
per login/reboot.
IPSecuritas / Firewall / Apple Remote Desktop
IPSecuritas / Firewall / Apple Remote Desktop
by mangobuzz on 2007-02-08 06:11:01 +0100
Hello,
Can anyone verify that ipsecuritas 3.0rc disables the firewall settings in
system prefs --- sharing--- firewall. Everytime I start the vpn, if I click on
the firewall tab in the sharing prefs I get a notice that "Other Firewall
software is running...." As soon as I disable the vpn tunnel, my firewall
settings go back to normal ( You will need to close system prefs and
re-open the sharing prefs). Can anyone verify that this is normal or not?
Can someone also verify if Apple Remote Desktop 3.1 works correctly with
ipsecuritas 3.0rc. Currently I am unable to use the upgrade client software
feature and i'm unable to copy files to the remote computer, however
everything else seems to work. I have a feeling that the firewall problem
might be causing Apple Remote Desktop to not work fully. Any
suggestions? Thanks
Re: IPSecuritas / Firewall / Apple Remote DesktopH
by cnadig on 2007-02-09 20:49:20 +0100
Hello,
IPSecuritas does not disable your firewall or any of the settings. It adds
rules for NAT-T to work (in a nutshell: MacOS X does not provide proper
NAT-T support and therefore IPSecuritas handles the NAT-T traffic. By
adding these rules NAT-T relevant traffic is routed through IPSecuritas).
The firewall prefpane does not allow editing while other applications have
set their own rules - that's why you get this (a bit misleading) error
message when you try.
You can list the active firewall rules with the following command (in a
Terminal window):
ipfw list
I might move the NAT-T code to a kernel extension one day, making the
additional rules obsolete.
If you prefer IPSecuritas not to make any of these additional rules, disable
NAT-T on all tunnels.
Hope this helps,
Christoph
Re: IPSecuritas / Firewall / Apple Remote Desktop
by houser on 2007-02-11 17:00:16 +0100
I can confirm that ARDT is working just fine here with Firewall switched on
in OSX.
Latest OSX and latest IP securitas RC.
I have noticed that these ports seem more"sensitive" to partially incorrect
settings, for lack of a better word, than others like 80 etc...
For example, I had my mobile 3G connection set with an outdated APN
and everything was working apart from ARDT.
Support updatredmy APN and now that works too, without changing
anything in IpSecuritas..
FWIW,YMMV
best
Janne A.
Linksys BEFSX41 Connection
Linksys BEFSX41 Connection
by jim_julian on 2007-02-12 01:45:20 +0100
Has anyone been able to establish a VPN with IPSecuritas 2 or 3 and the
subject VPN Endpoint router? I haven't :'(
With RC 3 I get Phase 1 timeout ...
Feb 11, 16:21:17 <ISProperAPP IKE daemon started
Feb 11, 16:21:17 <ISProperAPP IPSec started
Feb 11, 16:21:17 <ISProperIKE Foreground mode.
Feb 11, 16:21:17 <ISProperIKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Feb 11, 16:21:17 <ISProperIKE @(#)This product linked OpenSSL 0.9.7l 28
Feb 11, 16:21:17 <ISProperIKE Reading configuration from "/Library
Feb 11, 16:21:17 <ISProperIKE Resize address pool from 0 to 255
Feb 11, 16:22:00 <ISProperIKE phase2 negotiation failed due to time up
waiting for phase1. ESP xx.xxx.xxx.xxx[500]->10.0.1.3[500]
Feb 11, 16:22:02 <ISProperIKE phase2 negotiation failed due to time up
Feb 11, 16:22:28 <ISProperAPP IPSec stopping
Feb 11, 16:22:29 <ISProperAPP IKE daemon terminated
Re: Linksys BEFSX41 Connection
by BertMac on 2007-02-21 14:06:34 +0100
I'm trying the same thing with no luck. Everything matches on both sides so
I'm not sure where the break down is.
The little box says it is "up" however the red x never goes away, telling me
it didn't actually make a connection.
I suppose this wouldn't be so hard if I had access to the vpn router to look
at it's logs from where I am at. :-/
Any direction appreciated!
by jim_julian on 2007-02-21 15:36:08 +0100
It's hard to believe that Linksys doesn't really provide any support to help
with problems such as this ... sigh.
by BertMac on 2007-02-23 02:07:09 +0100
I just posted on the Linksys forum...we'll see how it goes.
I'll be sure to update this [i]when[/i] Ifinally figure this out. :-?
by mrfett on 2007-02-23 13:38:32 +0100
this has been frustrating me as well. interesting thing, when i connect from
my neighbors connection (next door, same cable provider) i can get in to
my network fine. from anywhere else though (Panera, campus network) i
get the timeout messages. dunno what to think. seems odd that it works in
the first instance.
by mrfett on 2007-02-23 14:32:47 +0100
i'm thinking my issue might have to do with setting the proper NAT
traversal settings. if anyone knows anything about this topic, please
enlighten :)
by mrfett on 2007-02-24 20:56:13 +0100
if anyone can comment on whether or not it's possible to run an ipsec
tunnel from a cable modem network (befsx41) to a laptop connected to a
public wifi network, please respond. i'm unsure if i'm wasting my time
trying to troubleshoot this or not. i tried all the NAT-T settings and none
did the trick. still got the error message posted up top.
by mrfett on 2007-03-01 00:49:40 +0100
no one has answers about this issue, huh? still a mystery to me. could it be
that things are timing out? should the timeout be made longer? seems
unnecessary to me... it seems odd more ppl aren't running into this.
by Dave on 2007-03-01 01:34:39 +0100
One thing I would suggest is to crank up the debug level so you perhaps
pinpoint why the phase 1 timeout is occurring. Do you have access to the
router at the other end to see if there is any info in its logs that might help?
by mrfett on 2007-03-01 03:41:09 +0100
ahh good idea. i'll try that tomorrow when i'm on another network. thanks!
by mrfett on 2007-03-01 17:44:00 +0100
ok so now i have big log files to share. hopefully they'll shed some light on
this:
From the Linksys BEFSX41:
2007-03-01 11:37:17 IKE[6] Tx >> MM_R1 : 129.2.175.20 SA
2007-03-01 11:37:17 IKE[6] ISAKMP SA CKI=[15519997 de5465d8]
CKR=[a58c90c7 9d7cae7a]
2007-03-01 11:37:17 IKE[6] ISAKMP SA DES / MD5 / PreShared /
MODP_768 / 28800 sec (*28800 sec)
2007-03-01 11:37:38 IKE[6] Rx << MM_I1 : 129.2.175.20 SA, VID, VID,
VID, VID, VID, VID, VID, VID, VID, VID, VID, VID
2007-03-01 11:37:38 IKE[6] Tx >> MM_R1 : 129.2.175.20 SA
2007-03-01 11:37:38 IKE[6] ISAKMP SA CKI=[15519997 de5465d8]
CKR=[50eecdd2 65f6de12]
2007-03-01 11:37:38 IKE[6] ISAKMP SA DES / MD5 / PreShared /
MODP_768 / 28800 sec (*28800 sec)
by mrfett on 2007-03-01 17:48:07 +0100
From IPSecuritas:
Mar 01, 11:35:10 Debug IKE msg 5 not interesting
Mar 01, 11:35:11 Debug APP Send ping packet to 192.168.1.0/24 of
connection DB94
connection DB94
connection DB94
connection DB94
Mar 01, 11:35:15 Debug IKE 320 bytes from 10.105.5.212[500] to
68.50.31.23[500]
Mar 01, 11:35:15 Debug IKE sockname 10.105.5.212[500]
Mar 01, 11:35:15 Debug IKE send packet from 10.105.5.212[500]
Mar 01, 11:35:15 Debug IKE send packet to 68.50.31.23[500]
Mar 01, 11:35:15 Debug IKE 1 times of 320 bytes message will be sent
to 68.50.31.23[500]
Mar 01, 11:35:15 Debug IKE
Mar 01, 11:35:15 Debug IKE c805d786 20d54aeb 00000000 00000000
01100200 00000000 00000140 0d000034
Mar 01, 11:35:15 Debug IKE 00000001 00000001 00000028 01010001
00000020 01010000 800b0001 800c7080
Mar 01, 11:35:15 Debug IKE 80010001 80030001 80020001 80040001
0d000014 4a131c81 07035845 5c5728f2
Mar 01, 11:35:15 Debug IKE 0e95452f 0d000014 8f8d8382 6d246b6f
c7a8a6a4 28c11de8 0d000014 439b59f8
Mar 01, 11:35:15 Debug IKE ba676c4c 7737ae22 eab8f582 0d000014
4d1e0e13 6deafa34 c4f3ea9f 02ec7285
Mar 01, 11:35:15 Debug IKE 0d000014 80d0bb3d ef54565e e84645d4
c85ce3ee 0d000014 9909b64e ed937c65
Mar 01, 11:35:15 Debug IKE 73de52ac e952fa6b 0d000014 7d9419a6
5310ca6f 2c179d92 15529d56 0d000014
Mar 01, 11:35:15 Debug IKE cd604643 35df21f8 7cfdb2fc 68b6a448
0d000014 90cb8091 3ebb696e 086381b5
Mar 01, 11:35:15 Debug IKE ec427b1f 0d000014 16f6ca16 e4a4066d
83821a0f 0aeaa862 0d000014 4485152d
Mar 01, 11:35:15 Debug IKE 18b6bbcd 0be8a846 9579ddcc 00000014
afcad713 68a1f1c9 6b8696fc 77570100
Mar 01, 11:35:15 Debug IKE resend phase1 packet
c805d78620d54aeb:0000000000000000
connection DB94
connection DB94
Mar 01, 11:35:16 Debug IKE get pfkey ACQUIRE message
by mrfett on 2007-03-01 17:49:02 +0100
Mar 01, 11:35:16 Debug IKE 02060003 00260000 00000055 00000000
00030005 ff200000 10020000 0a6905d4
Mar 01, 11:35:16 Debug IKE 00000000 00000000 00030006 ff200000
10020000 44321f17 00000000 00000000
Mar 01, 11:35:16 Debug IKE 00020012 00020200 00000049 00000000
001c000d 20000000 00030000 00000000
Mar 01, 11:35:16 Debug IKE 01000800 00000000 00000001 00000001
00000000 00000000 00000000 00000000
Mar 01, 11:35:16 Debug IKE 00000000 00000000 00000000 00015180
00000000 00007080 00000000 00000000
Mar 01, 11:35:16 Debug IKE 00040000 00000000 010001c0 00000000
00000001 00000001 00000000 00000000
Mar 01, 11:35:16 Debug IKE 00000000 00000000 00000000 00000000
00000000 00015180 00000000 00007080
Mar 01, 11:35:16 Debug IKE 00000000 00000000 000c0000 00000000
01000100 00000000 00000001 00000001
Mar 01, 11:35:16 Debug IKE 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00015180
Mar 01, 11:35:16 Debug IKE 00000000 00007080 00000000 00000000
Mar 01, 11:35:16 Debug IKE suitable outbound SP found:
10.105.5.212/32[0] 192.168.1.0/24[0] proto=any dir=out.
Mar 01, 11:35:16 Debug IKE sub:0xbffff560: 192.168.1.0/24[0]
10.105.5.212/32[0] proto=any dir=in
Mar 01, 11:35:16 Debug IKE db :0x308b48: 192.168.1.0/24[0]
10.105.5.212/32[0] proto=any dir=in
Mar 01, 11:35:16 Debug IKE suitable inbound SP found:
192.168.1.0/24[0] 10.105.5.212/32[0] proto=any dir=in.
Mar 01, 11:35:16 Debug IKE new acquire 10.105.5.212/32[0]
Mar 01, 11:35:16 Debug IKE (proto_id=ESP spisize=4 spi=00000000
Mar 01, 11:35:16 Debug IKE (trns_id=DES encklen=0
authtype=hmac-md5)
Mar 01, 11:35:16 Debug IKE (trns_id=3DES encklen=0
authtype=hmac-md5)
Mar 01, 11:35:16 Debug IKE (trns_id=AES encklen=256
authtype=hmac-md5)
authtype=hmac-md5)
authtype=hmac-md5)
Mar 01, 11:35:16 Debug IKE in post_acquire
Mar 01, 11:35:16 Debug IKE configuration found for 68.50.31.23.
Mar 01, 11:35:16 Info
IKE request for establishing IPsec-SA was queued
connection DB94
connection DB94
connection DB94
connection DB94
connection DB94
connection DB94
connection DB94
connection DB94
by mrfett on 2007-03-01 17:50:35 +0100
there's more, but i think it just starts repeating. hopefully someone finds
this insightful. thanks for any help you guys can give!
by Dave on 2007-03-02 16:42:33 +0100
Unfortunately, the ping lines make the log file HUGE; I really wish there was
a way to turn them off (and the fact it is pinging even when the check box
isn't checked is worrisome). But if you can strip those out, you might be
able to see what is going on. All the "queued" bit means is that Phase 1 isn't
done, which appears to be the entire problem.
Are you using MAIN mode? And is the laptop behind any kind of NAT
router? I've only been able to connect with Aggressive mode since I'm not
using certificates and I'm behind a NAT router.
by mrfett on 2007-03-02 20:08:48 +0100
I am using main mode, and I am behind a router. My whole issue is that I
can connect from my neighbor's wireless network next door, but when I go
to my campus or to a cafe, I cannot connect. In both instances I'm behind a
firewall, but something about the public places prevents a connection. I can
go try aggressive mode. Do I put both the router and the client in
aggressive mode? Thank you for your help. I've edited the log file and I'll
post that now.
by mrfett on 2007-03-02 20:09:15 +0100
68.50.31.23[500]
Mar 01, 11:35:15 Debug IKE 1 times of 320 bytes message will be sent
to 68.50.31.23[500]
01100200 00000000 00000140 0d000034
Mar 01, 11:35:15 Debug IKE 00000001 00000001 00000028 01010001
00000020 01010000 800b0001 800c7080
Mar 01, 11:35:15 Debug IKE 80010001 80030001 80020001 80040001
0d000014 4a131c81 07035845 5c5728f2
c7a8a6a4 28c11de8 0d000014 439b59f8
c85ce3ee 0d000014 9909b64e ed937c65
5310ca6f 2c179d92 15529d56 0d000014
0d000014 90cb8091 3ebb696e 086381b5
83821a0f 0aeaa862 0d000014 4485152d
afcad713 68a1f1c9 6b8696fc 77570100
c805d78620d54aeb:0000000000000000
Mar 01, 11:35:16 Debug IKE 02060003 00260000 00000055 00000000
00030005 ff200000 10020000 0a6905d4
Mar 01, 11:35:16 Debug IKE 00000000 00000000 00030006 ff200000
10020000 44321f17 00000000 00000000
Mar 01, 11:35:16 Debug IKE 00020012 00020200 00000049 00000000
001c000d 20000000 00030000 00000000
Mar 01, 11:35:16 Debug IKE 01000800 00000000 00000001 00000001
00000000 00000000 00000000 00000000
Mar 01, 11:35:16 Debug IKE 00000000 00000000 00000000 00015180
00000000 00007080 00000000 00000000
Mar 01, 11:35:16 Debug IKE 00040000 00000000 010001c0 00000000
00000001 00000001 00000000 00000000
Mar 01, 11:35:16 Debug IKE 00000000 00000000 00000000 00000000
00000000 00015180 00000000 00007080
Mar 01, 11:35:16 Debug IKE 00000000 00000000 000c0000 00000000
01000100 00000000 00000001 00000001
Mar 01, 11:35:16 Debug IKE 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00015180
Mar 01, 11:35:16 Debug IKE 00000000 00007080 00000000 00000000
10.105.5.212/32[0] 192.168.1.0/24[0] proto=any dir=out.
10.105.5.212/32[0] proto=any dir=in
10.105.5.212/32[0] proto=any dir=in
192.168.1.0/24[0] 10.105.5.212/32[0] proto=any dir=in.
by mrfett on 2007-03-02 20:09:57 +0100
Mar 01, 11:35:28 Debug IKE 02060003 00260000 00000055 00000000
00030005 ff200000 10020000 0a6905d4
Mar 01, 11:35:28 Debug IKE 00000000 00000000 00030006 ff200000
10020000 44321f17 00000000 00000000
Mar 01, 11:35:28 Debug IKE 00020012 00020200 00000049 00000000
001c000d 20000000 00030000 00000000
Mar 01, 11:35:28 Debug IKE 01000800 00000000 00000001 00000001
00000000 00000000 00000000 00000000
Mar 01, 11:35:28 Debug IKE 00000000 00000000 00000000 00015180
00000000 00007080 00000000 00000000
Mar 01, 11:35:28 Debug IKE 00040000 00000000 010001c0 00000000
00000001 00000001 00000000 00000000
Mar 01, 11:35:28 Debug IKE 00000000 00000000 00000000 00000000
00000000 00015180 00000000 00007080
Mar 01, 11:35:28 Debug IKE 00000000 00000000 000c0000 00000000
01000100 00000000 00000001 00000001
Mar 01, 11:35:28 Debug IKE 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00015180
Mar 01, 11:35:28 Debug IKE 00000000 00007080 00000000 00000000
10.105.5.212/32[0] 192.168.1.0/24[0] proto=any dir=out.
10.105.5.212/32[0] proto=any dir=in
10.105.5.212/32[0] proto=any dir=in
Mar 01, 11:35:28 Debug IKE suitable inbound SP found: 192.168.1.0/24[0]
10.105.5.212/32[0] proto=any dir=in.
authtype=hmac-md5)
authtype=hmac-md5)
authtype=hmac-md5)
authtype=hmac-md5)
authtype=hmac-md5)
Mar 01, 11:35:28 Info
68.50.31.23[500]
Mar 01, 11:35:35 Debug IKE 1 times of 320 bytes message will be sent to
68.50.31.23[500]
01100200 00000000 00000140 0d000034
Mar 01, 11:35:35 Debug IKE 00000001 00000001 00000028 01010001
00000020 01010000 800b0001 800c7080
Mar 01, 11:35:35 Debug IKE 80010001 80030001 80020001 80040001
0d000014 4a131c81 07035845 5c5728f2
by mrfett on 2007-03-02 20:10:31 +0100
10.105.5.212/32[0] 192.168.1.0/24[0] proto=any dir=out.
10.105.5.212/32[0] proto=any dir=in
10.105.5.212/32[0] proto=any dir=in
10.105.5.212/32[0] proto=any dir=in.
authtype=hmac-md5)
authtype=hmac-md5)
authtype=hmac-md5)
authtype=hmac-md5)
authtype=hmac-md5)
Mar 01, 11:35:37 Info
Mar 01, 11:35:38 Error IKE phase2 negotiation failed due to time up
waiting for phase1. ESP 68.50.31.23[500]->10.105.5.212[500]
Mar 01, 11:35:38 Info
IKE delete phase 2 handler.
Mar 01, 11:35:48 Info
IKE delete phase 2 handler.
Mar 01, 11:35:49 Debug IKE 02060003 00260000 00000056 00000000
00030005 ff200000 10020000 0a6905d4
Mar 01, 11:35:49 Debug IKE 00000000 00000000 00030006 ff200000
10020000 44321f17 00000000 00000000
Mar 01, 11:35:49 Debug IKE 00020012 00020200 00000049 00000000
001c000d 20000000 00030000 00000000
Mar 01, 11:35:49 Debug IKE 01000800 00000000 00000001 00000001
00000000 00000000 00000000 00000000
Mar 01, 11:35:49 Debug IKE 00000000 00000000 00000000 00015180
00000000 00007080 00000000 00000000
Mar 01, 11:35:49 Debug IKE 00040000 00000000 010001c0 00000000
00000001 00000001 00000000 00000000
Mar 01, 11:35:49 Debug IKE 00000000 00000000 00000000 00000000
00000000 00015180 00000000 00007080
Mar 01, 11:35:49 Debug IKE 00000000 00000000 000c0000 00000000
01000100 00000000 00000001 00000001
Mar 01, 11:35:49 Debug IKE 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00015180
Mar 01, 11:35:49 Debug IKE 00000000 00007080 00000000 00000000
10.105.5.212/32[0] 192.168.1.0/24[0] proto=any dir=out.
10.105.5.212/32[0] proto=any dir=in
10.105.5.212/32[0] proto=any dir=in
by mrfett on 2007-03-02 20:11:11 +0100
01100200 00000000 00000140 0d000034
Mar 01, 11:35:55 Debug IKE 00000001 00000001 00000028 01010001
00000020 01010000 800b0001 800c7080
Mar 01, 11:35:55 Debug IKE 80010001 80030001 80020001 80040001
0d000014 4a131c81 07035845 5c5728f2
c7a8a6a4 28c11de8 0d000014 439b59f8
c85ce3ee 0d000014 9909b64e ed937c65
5310ca6f 2c179d92 15529d56 0d000014
0d000014 90cb8091 3ebb696e 086381b5
83821a0f 0aeaa862 0d000014 4485152d
afcad713 68a1f1c9 6b8696fc 77570100
c805d78620d54aeb:0000000000000000
Mar 01, 11:35:58 Debug IKE 02060003 00260000 00000057 00000000
00030005 ff200000 10020000 0a6905d4
Mar 01, 11:35:58 Debug IKE 00000000 00000000 00030006 ff200000
10020000 44321f17 00000000 00000000
Mar 01, 11:35:58 Debug IKE 00020012 00020200 00000049 00000000
001c000d 20000000 00030000 00000000
Mar 01, 11:35:58 Debug IKE 01000800 00000000 00000001 00000001
00000000 00000000 00000000 00000000
Mar 01, 11:35:58 Debug IKE 00000000 00000000 00000000 00015180
00000000 00007080 00000000 00000000
Mar 01, 11:35:58 Debug IKE 00040000 00000000 010001c0 00000000
00000001 00000001 00000000 00000000
Mar 01, 11:35:58 Debug IKE 00000000 00000000 00000000 00000000
00000000 00015180 00000000 00007080
Mar 01, 11:35:58 Debug IKE 00000000 00000000 000c0000 00000000
01000100 00000000 00000001 00000001
Mar 01, 11:35:58 Debug IKE 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00015180
Mar 01, 11:35:58 Debug IKE 00000000 00007080 00000000 00000000
10.105.5.212/32[0] 192.168.1.0/24[0] proto=any dir=out.
10.105.5.212/32[0] proto=any dir=in
10.105.5.212/32[0] proto=any dir=in
10.105.5.212/32[0] proto=any dir=in.
authtype=hmac-md5)
authtype=hmac-md5)
by mrfett on 2007-03-02 20:14:41 +0100
I think posting more would be repeating what's already there.
by Dave on 2007-03-03 00:01:54 +0100
[quote author=mrfett link=1171241120/15#15 date=1172862528]I am
using main mode, and I am behind a router. My whole issue is that I can
connect from my neighbor's wireless network next door, but when I go to
my campus or to a cafe, I cannot connect. In both instances I'm behind a
firewall, but something about the public places prevents a connection.
[/quote]
Note that your neighbor's router probably has VPN-passthru enabled; most
home routers do this automatically. The cafe/campus router might not and
that will definitely prevent you from connecting. Or the Cafe/Campus might
have a limit on the number of passthru connections it can support and,
again, you might be over that limit.
For your campus, I'd suggest talking to the network admins and see if they
can tell you any info about VPN passthru or how to create a VPN connection
outbound.
I'd also suggest trying NAT-T Enable but you said you already did that,
right?
by mrfett on 2007-03-03 00:29:59 +0100
Yeah, I did try that. Hmm. So you think most public wifi spots block VPN
traffic? Has that been your experience? It just seems strange other people
aren't complaining about this. I'm tempted to get another brand of router to
try. Well, I appreciate your time. I'll report back if I do get another router to
work so people know not to use this one in this situation.
by Forum Admin on 2007-03-04 14:28:44 +0100
Hi,
I don't think a different router will work better. Telling from the logs, your
router receives the inital packet and sends a reply, which just never arrives,
most probably because it's filtered in the local firewall/router. If possible,
inquiry the local sysadmin about the handling of incoming UDP packets on
port 500.
VPN or IPSec passthru only comes into play once the connection is
established and doesn't work with more than one VPN client in the local
network, therefore I recommend using NAT-T whenever possible (NAT-T
encapsulates the VPN traffic in UDP packets, circumventing the need for
VPN passthru).
My experience with public hotspots differs: VPN with NAT-T works in
almost all cases. So far I only had trouble in hotspots that were part of a
larger network (and at some point in the network, there was a proper
firewall).
Hope this helps,
Christoph
by mrfett on 2007-03-04 17:06:01 +0100
Thanks so much for the explanation, Christoph. That does help explain
what's happening. I'll try out a few more locations and see if it'll work any
better. The campus network is part of a much larger one (I'm at the
University of Maryland in College Park, and there's wifi spread all over the
campus). One question: when I use NAT-T, does it matter if I use Enable,
Force, or Checkpoint?
by Forum Admin on 2007-03-04 23:27:44 +0100
Hi,
when set to enabled, the two peers try to find out if NAT-T is necessary and
supported (i.e. if one of the two peers are in a NATed network and the
remote peers supports NAT-T) - force enforces NAT-T, regardless if it is
really necessary (this is usually the better choice if you know the router
supports NAT-T).
Checkpoint makes only sense if the remote peer is a Checkpoint (VPN-1 for
example) router.
Cheers,
Christoph
by mrfett on 2007-03-05 19:07:29 +0100
Well all i have to say is YOU GUYS ROCK! Indeed, the campus network I was
connecting to did block VPN access. The solution was to use a newer
"secure" network the university set up recently. Once I configured my
system to use the correct network, I was able to connect with IPSecuritas
with no issues. If you hadn't nudged me to look into this, I never would've
found this out. Thanks so much. I still have to figure out the local Panera
(whose coffee I'm addicted to), but this is a huge first step. Many, many
thanks.
IPSecuritas 3.0rc doesn't work with Airport Update
IPSecuritas 3.0rc doesn't work with Airport Update
by bigboy on 2007-02-13 01:26:13 +0100
I have been using 3.0RC successfully until I did a system update to patch an
Airport vulnerability. Now 3.0RC doesn't work. It can log into my VPN server
(Zywall 2), but then as soon as I start exchanging data, the connection
freezes up and ends up taking down the Finder (darn single-threaded
Finder).
I have a MBP (Core Duo) 15" with 2GB of memory running MacOS X 10.4.8 +
all the updates.
Re: IPSecuritas 3.0rc doesn't work with Airport Up
by budy on 2007-02-22 15:34:42 +0100
Hi,
I have just downloaded and installed 3.0rc on my MBP running all updates
and I have no issue at all connecting to our CP VPN-1 via Airport.
Anything in the logs?
Cheers,
Budy
Cannot connect to IPCop
Cannot connect to IPCop
by worcester4x4 on 2007-02-14 09:54:52 +0100
Hi all.
A client wants a roadwarrior connection from his Macbook (OSX10.4.?) to
his office LAN. Firewall is IPCop 1.4.10 (similarish to Smoothwall if that
helps anyone) and the authorisation method is host and user certificates.
I have only recently started dabbling with Macs so am a bit of a novice.
The certificates generated OK on the IPCop box, were parsed OK via
terminal on the MB and imported OK into IPSecuritas.
IPSecuritas runs and IPSec is shown as "up" but the damned red cross won't
go away so there's obviously no connection.
Also whilst IPSecuritas is running the client reports that he cannot access
websites from the MB.
Can someone tell me where the IPSecuritas logfiles are located? And what to
look for in them once I find them?
Any other hints?
Many thanks for your help.
Pete
Re: Cannot connect to IPCop
by worcester4x4 on 2007-02-23 23:19:03 +0100
Update.
The VPN is now fine and the roadwarrior can see the email OK.
However we still can't access the document server because I can't see any
way of putting an IP address into Finder. Does anyone know how, or
alternatively can IPSecuritas preferences be set up to convert a share name
into an IP address?
Pete
Re: Cannot connect to IPCop
by Dave on 2007-02-23 23:46:04 +0100
I connect to Windows shares all the time using the "Connect to Server"
menu item under the Go menu in the Finder. I enter the address like this for
the share "myShare" on machine 192.168.0.232:
smb://192.168.0.232/myShare
You can also tell IPSecuritas to use an alternate DNS server for things inside
the tunnel. There have been some reports that this has problems but it
might do what you need.
Problem connecting to Juniper Netscreen
Problem connecting to Juniper Netscreen
by antg on 2007-02-18 01:09:35 +0100
Hi there,
I have setup a VPN connection between IPsecuritas and a Netscreen 25,
sometimes the connection works really well, and other times it seems to
stall a lot, and I have to disconnect and reconnect the tunnel. When this
happens I see the message "msg 'x' not interesting" in the Log, and most of
the time the msg number is 5.
Just wondering if anybody knows where to start looking to try and fix this,
and whether it's likely a problem with the NetScreen or with my config of
IPsecuritas.
When this happens, I can still ping the WAN interface of the netscreen, so I
don't think it's related to my internet connection..
Cheers,
Ant.
Re: Problem connecting to Juniper Netscreen
by houser on 2007-02-19 07:52:36 +0100
We had a VPN tunnel set up for VPN Tracker.
Setting the latest IP Securitas to exactly the same setting
works and is a good starting point.
you can probably d-loadmanuals for that at the VPN tracker site.
Hope this helps
jtm
Re: Problem connecting to Juniper Netscreen
by Rob_Z on 2007-03-21 20:59:31 +0100
[quote author=antg link=1171757375/0#0 date=1171757375]Hi there,
I have setup a VPN connection between IPsecuritas and a Netscreen 25,
sometimes the connection works really well, and other times it seems to
stall a lot, and I have to disconnect and reconnect the tunnel.[/quote]
Hello,
Can you share your Netscreen configuration ?
TIA
-Rob
Connect to Symantec VPN 200R
Connect to Symantec VPN 200R
by JCSF on 2007-02-22 13:14:21 +0100
I'm connecting to a network through a Symantec Firewall VPN 200R using
the client software in Windows, and I want to connect from a Mac, but the
setup of the client it's different than the IPSecuritas/Mac VPN. How can I
configure. Thanks.
Watchguard Firebox Success !!!
Watchguard Firebox Success !!!
by hb9wad on 2007-02-24 14:47:42 +0100
With help of an article from Watchguard support site
https://www.watchguard.com/support/advancedfaqs/mac_vpntrackerfb7x.asp#mac5f
I have managed to connect my
Apple iMac 24"
Mac OS X 10.4.8
with
IPsecuritas 3.0rc Build 1040
behinde a
Zyxel Prestige 652-R13 ADSL Router/Firewall
ZyNOS F/W Version: V3.40(FW.7) | 6/18/2003
DSL FW Version: Alcatel, Version 4.9.10
with NAT and dynamic external IP Address
to our
Watchguard Firebox X700
WFS 7.41
with NAT and fix public external IP Addres.
On the Firebox configure 'Network -> Branche Office VPN -> Manual
IPSec...' .
Create a new gateway with parameters:
Key Negotiation Type:
isakmp (dynamic)
Remote ID Type:
User Name
Gateway IP Address:
<empty>
Gateway Identifier:
[email protected]
Shared Key:
mypassword
Phase 1 Settings:
Local ID Type:
IP Address
Authentication:
SHA1-HMAC
Encryption:
DES-CBC
Diffie-hellmann Group:
1
Enable Perfect Forward Secrcy:
OFF
Enable Aggressive Mode:
ON
Negotiation Timeout:
0 kB ; 8 hours
Create a new tunnel and assign the gateway created before:
Phase 2 Settings:
Type:
ESP (Encapsulated Security Payload)
Authentication:
SHA1-HMAC
Encryption:
3DES-CBC
Foce key expiration:
ON
every
0 kB
every
24 hours
Create a new IPSec Routing Policy:
Local:
Network:
company network>
Remote:
Host:
<IP Subnet / SubnetBits of
<free IP Addr out of unused
Netgear FVG318
Netgear FVG318
by colinresys on 2007-02-25 18:52:39 +0100
Has anyone had any luck with the Netgear FVG318? If so, could you please
share your config?
Colin
problems connecting to rv042
problems connecting to rv042
by mstoops on 2007-02-26 06:49:48 +0100
I'm having a connection issue with IPSecuritas 3.0rc (Mac OS X 10.4.8) to a
Linksys rv042. I've successfully VPN'd over a dial-up account (thanks to
these forums); the issue is I cannot connect over a DSL connection from
behind a router using NAT. The main error I'm getting in the rv042 log file
is this:
Cannot respond to IPsec SA request because no connection is known for
10.0.1.0/24===111.222.333.444...555.666.777.888[@dusty.local]===192.168.0.2/32
(Obviously the central IP addresses are bogus to hide my network.)
I've tried enabling NAT-T with no effect.
Here are my IPSecuritas settings:
-----------------------------------General:
Remote IPSec Address: <rv041 address>
Local Side:
Endpoint Mode: Network
IP Address: <empty>
Remote Side:
Endpoint Mode: Network
Network Address 10.0.1.0/24
Phase 1:
Lifetime: 3600s
DH Group: (5)
Encryption: AES 256
Auth: SHA-1
Exch Mode: Aggressive
Proposal Check: Strict
Nonce Size: 16
Phase 2:
Lifetime: 3600s
PFS Group: (5)
Encryption: AES 256
Auth: SHA-1
ID:
Local ID: FQDN
dusty.local
Remote ID: Address
Auth Method: PSK
Options (checked):
IPSec DOI
SIT_IDENTITY_ONLY
Initial Contact
Generate Policy
Support Proxy
Req Cert
Send Cert
-------------------------------All the settings on the rv042 seem to be properly set (they work when I VPN
over dialup), so I don't think the issue lies there.
Any help would be greatly appreciated. I'm not an expert at this stuff so I'm
Working -- a new question
by mstoops on 2007-03-05 04:12:57 +0100
Ok, so I've gotten this working, although the solution not perfect. I found
that when I put the public IP address (public side of NAT router) into
IPSecuritas' "Local Side IP Address," everything connects perfectly. It's
round-about because I have to input the public IP every time I want to set
up a VPN, which is a little frustrating when I'm moving around to different
locations.
New Question: can anyone tell me how I can make this work without having
to find and enter the public IP every time? (I find it using a Dashboard
widget called Network Stat: http://www.widgetschmie.de/widgets
/NetworkStat/)
Re: problems connecting to rv042
by mstoops on 2007-03-06 22:36:57 +0100
This is fun, I seem to be having a great running dialog with myself on this.
Anyway, I seem to have figured the latest issue out -- no more need to put
in the local public IP address. This seems to require two (actually, 3) things:
0. Make sure you have the latest firmware update, currently 1.3.8.2. Not
sure if this is necessary but I don't remember the following config option.
1. On the rv042, within the VPN Tunnel configuration, click on the
"Advanced +" button at the bottom and check the "NAT Traversal"
checkbox.
2. In your IPSecuritas connection configuration, me sure that Options -->
NAT-T is Disabled.
Worked like a charm, connected from a local cafй without having to modify
IPSecuritas' configuration.
Now, I want to make this work using an Exchange Mode of Main, since it's
supposed to be more secure than Aggressive. Anyone? Yeah, I thought so
;D
Learning as I go. Hope this helps someone.
v3.0 RC Menu Item
v3.0 RC Menu Item
by psfolliesmis on 2007-02-26 22:42:28 +0100
I have installed the 3.0 RC on a couple of machines, and it seems that the
menu item will not stay on the menu bar after a logout. When I log back in,
the menubar item will be gone, and if I open IPSec and go to preferences,
the Show Status in Menubar is still checked. I have to check and uncheck to
get it to reappear, then it is gone the next time I restart. Is this just me?
Client Virtual IP address
Client Virtual IP address
by colinresys on 2007-02-28 11:37:54 +0100
It seesm that to connect to most ProSafe Netgear routers IPSecuritas has to
be configured with a virtual IP address that won't be hidden by any
intervening NAT device. I can't find instructions for this, using either
IPSecuritas or the command line. Has anyone any idea of how to do it?
Re: Client Virtual IP address
by senzex on 2007-04-20 19:16:35 +0200
in ipsecuritas enter anything you want in the field :
GENERALTAB->Local Side - Endpoint mode (HOST) : (192.168.0.6 or
10.10.2.3 or whatever)
in the Netgear (FVS124G for me) in the VPN POLICIES->traffic selector->
remote IP->choose single address and fill in the IP (192.168.0.6 or
10.10.2.3 or whatever).
by the way avoid same subnets : I means if at your location your are on
192.168.[b]X[/b].[b]z[/b], just choose anything but the [b]X[/b].
so if you have a local IP 192.168.[b]0[/b].1 then choose 192.168.[b]1[/b].1
for example.
that's all.
hope it helps.
Need L2TP Support
Need L2TP Support
by omnibyte on 2007-03-01 17:07:46 +0100
I have a Sonicwall Pro 3040 running, with L2TP VPN Server Setup... The
Windows Clients can establish the VPN connection without any problems
with their build-in VPN client...
I know, the build in VPN Client of the latest OS-X will just work with the OS
X Server...
Is there a way to get L2TP getting working on OS X with a SonicWall L2TP
Server?!?!
If someone can help me out, i would give support on the Sonicwall side to
test this stuff!!!!
Cheers
Thomas from Switzerland
Re: Need L2TP Support
by cwolf on 2007-03-22 03:32:19 +0100
Funny, I have the exact opposite issue connecting to my Sonicwall L2TP
Server.
L2TP works perfect on my 10.4.9 clients using the built-in client. Windows
boxes cannot connect.
Re: Need L2TP Support
by cwolf on 2007-03-22 03:35:48 +0100
you said :
I know, the build in VPN Client of the latest OS-X will just work with the OS
X Server... :
Umm, this couldn't be further from the truth. The built-in client on the mac
works with almost any PPTP or L2TP solution out there. It works way better
than the built in windows client, and is always consistent. I say almost
because I haven't tested all of them, but I have yet to have a VPN
(L2TP/PPTP using built-in, IPSec using IPSecuritas) that I can't connect to.
ZyXEL ZyWALL 5
ZyXEL ZyWALL 5
by omega_red on 2007-03-15 12:14:10 +0100
Does anyone know how to configure the ZyWALL?
Ive tried it with VPN Tracker and it worsk great! (For 3mins than the demo
version expieres the connection)
Ive copied all settings from VPN Tracker and connected IPsecuritas but i
keep getting the following errors:
[list][*]Warning: ignore INTIAL-CONTACT notification, becouse it is only
accepted after phase1[/list]
[list][*]Error: No SIG was passed, hybrid auth is enabled but peer is not
Xauth compliant[/list]
[list][*]Error: phase2 negotiation failed due to time up waiting for phase1.
ESP (remote vpn server internet-ip)[500]->(local internet-ip)[500][/list]
Can anyone help? thxx!!
Re: ZyXEL ZyWALL 5
by prahn on 2007-03-16 07:50:52 +0100
Hi!
Sounds definitely that IPSecuritas wants to connect with Xauth
authentication, but the ZyWall doesn't like it.
I searched for "Hybrid Auth" and "Xauth" in the IPSecuritas config, but
diddn't find anything.
I also have problems with my ZyWall 2 and do not find a solution.
See here: [url]http://www.lobotomo.com/cgi-bin
/yabb/YaBB.pl?board=IPSecuritas;action=display;num=1173990319[/url]
Maybe buying VPN Tracker is easier... but I want a manu item like
IPSecuritas provides!!
Greets,
prahn
Re: ZyXEL ZyWALL 5
by Forum Admin on 2007-03-17 01:36:06 +0100
Hi,
the following settings will work with Zyxel's ZyWall series:
General:
Exchange Mode: Main
Nonce Size: 16
Phase 1:
Life time: 8 hours (or less)
DH Group: Mod768
Encryption: DES
Authentication: MD5
Phase 2:
PFS Group: Mod768
Encryption: 3DES
Identification:
Local Identification: FQDN (enter a name)
Remote Identification: Address
Authentication: Preshared Key (enter a password)
Options:
IPSec DOI: Enabled
SIT_IDENTITY_ONLY: Enabled
Verify Identifier: Disabled
Initial Contact: Enabled
Passive: Disabled
MODE_CFG: Disabled
NAT-T: Enabled
Generate Policy: Disabled
Support Proxy: Disabled
Request Certificate: Enabled
Verify Certificate: Disabled
Send Certificate: Enabled
Unique SA: Disabled
On The ZyWall, use the following settings:
Gateway Policy:
NAT Traversal: Enabled
My ZyWALL Adress: 0.0.0.0
Remote Gateway Address: 0.0.0.0
Enabled Preshared Key (enter the same password as in IPSecuritas)
Local ID Type: IP (enter 0.0.0.0)
Peer ID Type: DNS (enter the same name as in IPSecuritas)
Encrption Algorithm: DES
SA Life Time: 28800
Key Group: DH1
Enabled Multiple Proposals: Disabled
Network Policy:
Active: Enabled
Name: anything
Protocol: 0
Re: ZyXEL ZyWALL 5
by Dave on 2007-03-17 22:29:50 +0100
[quote author=prahn link=1173957250/0#1 date=1174027852]I searched
for "Hybrid Auth" and "Xauth" in the IPSecuritas config, but diddn't find
anything.[/quote]
XAuth is in the release candidate for 3.0 (RC1) and can be found on the ID
tab as one of the choices in the Authentication Method dropdown. Both
Xauth PSK and Hybrid are there along with PSK and Certificate.
Re: ZyXEL ZyWALL 5
by omega_red on 2007-03-22 17:25:49 +0100
[quote author=Forum Admin link=1173957250/0#2 date=1174091766]Hi,
General:
Exchange Mode: Main
Nonce Size: 16
Phase 1:
DH Group: Mod768
Encryption: DES
Authentication: MD5
Phase 2:
PFS Group: Mod768
Encryption: 3DES
Identification:
Options:
IPSec DOI: Enabled
Passive: Disabled
MODE_CFG: Disabled
NAT-T: Enabled
Unique SA: Disabled
Gateway Policy:
SA Life Time: 28800
Key Group: DH1
Network Policy:
Active: Enabled
Name: anything
Protocol: 0
Re: ZyXEL ZyWALL 5
by omega_red on 2007-03-22 18:25:29 +0100
It works! But i had to turn of the xauth.
My settings: IPSecuritas 2.2
[img]http://www.vanheest.nl/pf/1.tiff[/img]
10.0.0.20 is a fake address ofcourse ;D
Re: ZyXEL ZyWALL 5
by omega_red on 2007-03-22 19:08:50 +0100
Ive managed to get it working on both 2.2 and 3.0rc, but i still had to
disable xauth in both versions, so that was the couse of the error's
described in my first post. I hope it will be able to use xauth when the final
version arrives.
thanks for the great app!
Re: ZyXEL ZyWALL 5
by nob on 2007-05-27 22:25:12 +0200
I didnt get it to work. I am behind a Zywall 5 on the net, trying to connect
to the destination Zywall. Used the Settings your Guys getting to work.
May 27, 22:21:20 Error IKE Foreground mode.
May 27, 22:21:21 Error IKE inappropriate sadb acquire message passed.
May 27, 22:21:22 Warning IKE ignore INITIAL-CONTACT notification,
because it is only accepted after phase1.
May 27, 22:21:22 Error IKE mismatched ID was returned.
May 27, 22:21:22 Error IKE failed to pre-process packet.
May 27, 22:21:22 Error IKE phase2 negotiation failed.
May 27, 22:21:53 Error IKE 217.173.146.167 give up to get IPsec-SA
due to time up to wait.
I tried different Settings, mostly i get the mismatched ID.
Zywall Log says:
7
2007-05-27 21:21:19
Receive IPSec packet, but no corresponding
tunnel exists
87.175.225.55
217.173.146.167
IPSEC
8
2007-05-27 21:21:13
IKE Packet Retransmit
217.173.146.167
87.175.225.55
IKE
Re: ZyXEL ZyWALL 5
by bernard on 2007-07-01 00:37:19 +0200
After lots of trial-and-error, I managed to establish a VPN between my
MacBook Pro/IPsecuritas and remote Zywall 5. Very cool :).
However, there is one problem: while the VPN tunnel is established, the
Zywall log shows:
[code]Receive IPSec packet, but no corresponding tunnel exists[/code]
exactly every 20 seconds, even when I don't do anything with this tunnel.
These are the only errors in the Zywall log.
Here is the IPSecuritas log:
[code]
IPSecuritas 3.0 build 1693, Sun May 27 21:43:28 MVT 2007, nadig
Darwin 8.9.1 Darwin Kernel Version 8.9.1: Thu Feb 22 20:55:00 PST 2007;
root:xnu-792.18.15~1/RELEASE_I386 i386
Jun 30, 18:29:32 Info
Jun 30, 18:29:32 Info
APP IPSec started
Jun 30, 18:29:32 Error IKE Foreground mode.
Jun 30, 18:29:32 Info
Jun 30, 18:29:32 Info
Jun 30, 18:29:32 Info
Jun 30, 18:29:32 Info
Jun 30, 18:29:33 Info
APP Initiated connection bernard-wpb
Jun 30, 18:29:33 Error IKE inappropriate sadb acquire message passed.
Jun 30, 18:29:33 Warning IKE ignore INITIAL-CONTACT notification,
Jun 30, 18:29:35 Warning IKE attribute has been modified.
Jun 30, 18:32:47 Info
APP IPSec stopping
Jun 30, 18:32:48 Info
[/code]
Any idea? I did not enable connection check (of course).
Thanks,
Bernard
Re: ZyXEL ZyWALL 5
by nob on 2007-12-09 16:06:42 +0100
bump
Is there a possibility to get my errors why connecting via WLAN?
Re: ZyXEL ZyWALL 5
by rmarinheira on 2008-04-23 12:40:37 +0200
Hi!
I get this error on Zywall 5:
2008-04-23 10:39:06 vs. My Remote [0.0.0.0]-[0.0.0.0]
2008-04-23 10:39:06 Recv ID: SINGLE, [192.168.1.38]-[192.168.1.38]
2008-04-23 10:39:06 [ID] : Rule [] Verifying Remote ID failed:
2008-04-23 10:39:03 Receive IPSec packet, but no corresponding tunnel
exists (Repeated: 18)
2008-04-23 10:39:00 IKE Negotiation is in process
What should be wrong?
Regards
Re: ZyXEL ZyWALL 5
by inky on 2008-11-07 15:04:43 +0100
I get this same error on my P-662HW-D1 (not sure if this is a Zywall 5
device?)
The ID settings available on the Zyxel are only IP, DNS and Email.
Does anybody know what I need to use in IPSecuritas to align with any of
the above?
Ta.
IPSecuritas to Sonicwall doesn't delete IPSec SA
IPSecuritas to Sonicwall doesn't delete IPSec SA
by Manuel on 2007-03-15 17:54:01 +0100
I'm having a problem with connecting IPSecuritas 3.0RC to a Sonicwall Pro
3060 with Enhanced firmware 3.2.0.3. I'm connecting to the Sonic's "WAN
GroupVPN" policy using XAUTH and a pre-shared secret.
The connection works very well. The problem only shows up when
disconnecting (stopping) the tunnel: according to the firewall log,
IPSecuritas apparently only sends an "IKE SA delete request", without
sending an "IPSec SA delete request" first (OTOH, Sonic's Global VPN client
does). The result is that the tunnel remains active indefinitely on the
Sonicwall.
If I now try connecting again, it will somehow connect, but the connection
won't work, until I manually trigger a "renegotiate connection" on the
Sonicwall and try again.
Is there a way to tell IPSecuritas to send that "IPSec SA delete request" as
well? Maybe some checkbox in the "options" tab that I missed?
Thanks
-Manuel
RC1 and ZyWall P2
RC1 and ZyWall P2
by prahn on 2007-03-15 21:25:19 +0100
The new IPSecuritas looks very nice, especially the menu item!
Thanks for the good work!
When trying to connect to our new Zywall 2 Plus I get teh following errors:
Mar 15, 21:19:28 Error IKE Foreground mode.
Mar 15, 21:19:29 Warning IKE remote address mismatched.
db=2.3.4.5[500], act=2.3.4.5[58137]
db=2.3.4.5[500], act=2.3.4.5[58137]
Mar 15, 21:19:30 Error IKE ignore information because ISAKMP-SAhas
not been established yet.
db=2.3.4.5[500], act=2.3.4.5[58137]
I replaced our public IP with "2.3.4.5"
What's wrong here? I tried so much varieties!
Connecting with the VPN Tracker Demo works!?!
Pls help! Thx.
Re: RC1 and ZyWall P2
by Forum Admin on 2007-03-17 01:36:27 +0100
Hi,
General:
Exchange Mode: Main
Nonce Size: 16
Phase 1:
DH Group: Mod768
Encryption: DES
Authentication: MD5
Phase 2:
PFS Group: Mod768
Encryption: 3DES
Identification:
Options:
IPSec DOI: Enabled
Passive: Disabled
MODE_CFG: Disabled
NAT-T: Enabled
Unique SA: Disabled
Gateway Policy:
SA Life Time: 28800
Key Group: DH1
Network Policy:
Active: Enabled
Name: anything
Protocol: 0
by prahn on 2007-03-17 08:29:50 +0100
Hi!
Thanks a lot for your detailed answer. But this did not help... :-[
No specific error, but also no connection! Here is the actual log:
Mar 17, 08:27:32 Info
APP IPSec started
Mar 17, 08:27:32 Info
Mar 17, 08:27:32 Info
Mar 17, 08:27:32 Info
Mar 17, 08:27:32 Info
Mar 17, 08:27:38 Info
IKE the packet is retransmitted by
2.3.4.5[43397].
:'( :'( :'( :'(
by Forum Admin on 2007-03-17 20:11:06 +0100
Hello,
please set the log level to Debug (in IPSecuritas' preferences). Could you
also provide a log from the ZyWall?
Thanks,
Christoph
by prahn on 2007-03-17 20:38:33 +0100
Hi!
Thanks for your help, I will e-mail the Log-files to you.
by omega_red on 2007-03-23 22:58:45 +0100
concider reading my topic about the zywall 5, perhaps it helps.
xauth does not work in combination with te zywall in my case.
Netgear FVS114 and IPSecuritas
Netgear FVS114 and IPSecuritas
by ckofer on 2007-03-22 18:59:16 +0100
Does anyone here have these working together? I tried the search feature
on the forum but found nothing (not even on the term netgear).
Thanks in advance.
Chris in NH (USA)
Re: Netgear FVS114 and IPSecuritas
by uocooper on 2007-10-26 06:46:40 +0200
I have it working with firmware V1.1_01. I originally had problems getting
IPSecuritas to work because I had also installed VPN Tracker. Once I
completely uninstalled VPN Tracker it worked great.
Coneecting to a Linksys WRVS4400N?
Coneecting to a Linksys WRVS4400N?
by croatoan on 2007-03-24 15:55:06 +0100
Uhm, where to begin?
I am using the QuickVPN setup on the router and all I get is the yellow dot
on IPSecuritas.
Any ideas?
Re: Coneecting to a Linksys WRVS4400N?
by DistortedLoop on 2007-04-15 09:02:47 +0200
[quote author=croatoan link=1174748106/0#0 date=1174748106]Uhm,
where to begin?
I am using the QuickVPN setup on the router and all I get is the yellow dot
on IPSecuritas.
Any ideas?[/quote]
You cannot use QuickVPN settings.
I just finally got my WRVS4400N working with a MacBookPro by using
ipsecuritas.
The short version is: on the VPN tab, select IPSEC, and then create a new
tunnel entry with a unique name.
Local security group is your LAN ip series (ie., WRVS4400N defaults to
192.168.1.0 and 255.255.255.0).
Assuming your dialing in from various locations, set Remote Security group
and gateway to "any."
Key maanagement is Auto, Encryption 3DES, Authentication SHA1, PFS
enable, enter your preshared key, key lifetime 28800 secs.
Save the configuration, hit okay through the warning about using "any" not
working with QuickVPN.
Click Advanced Settings tab.
Operation mode = main.
Local and Remote identity use the ip address circles on both.
Phase 1 encryption = 3DES and SHA1 with 1024-bit and 3600 sec.
Phase 2 = #DES and SHA1, PFS enable, 768-bit, key life 28800.
Save settings.
In IPSECURITAS version 3 setup as follows:
General Tab - enter ip address of the WRVS4400N's internet presence.
Local side is Host, leav ip addres blank
Remot side is Network and input the 192.168.10, CIDR=24
Phase1 tab should match what's on the advanced settings of the router
listed above, you can leave proposal check on claim and nonce size as 16.
Phase2 tab match to the router as well.
ID tab = Address in both the identifiers; Authenitcation is your Presharked
Key and password.
Options tab you shouldn't need to touch, but you can enable NAT-T and
add a keep alive ping if you want.
That's good enough to get me a green light on the connection on the mac,
and an "up" status in the VPN's web interface.
I'm able to ping known ip addresses on the internal network, but no joy in
seeing network shares. I'll post about that in another thread.
by croatoan on 2007-04-15 13:50:39 +0200
Thank you!
I ditched the Linsys WRVS4400N after calling them when two MacBooks in
our office were losing connectivity while the PCs were not. They only repled
"Well, I don't really know much about Macs" and without trying to transfer
me to someone who did.
I bought an Apple Express and it works great. I am going to use a G4
running IPSecuritas.
Your tips on the settings help a lot!
[quote author=croatoan link=1174748106/0#2 date=1176637839]Thank
you!
I ditched the Linsys WRVS4400N after calling them when two MacBooks in
our office were losing connectivity while the PCs were not. They only repled
"Well, I don't really know much about Macs" and without trying to transfer
me to someone who did.[/quote]
You're welcome; wish I'd been more timely in figuring this out for both our
sakes. They didn't offer to transfer you to someone who knows anything
about Macs because no one at Linksys knows, or even cares about Macs.
I've noticed that with the router set to mixed g/n speeds, that both our Mac
and PC laptops drop connections, or slow down to 1mbps connections,
which is very frustrating. We switched them to our old Linksys WRT54g
routers set up as Access Points (using DD-WRT firmware) and they get rock
solid connectons again. In N-only mode, the WRVS4400n doesn't seem to
have the problem.
To be fair to Linksys, from my web searches looking for an alternative to
the WRVS4400n, I don't think any brand does care about Macs for Draft-N
class devices. I could not find a single device to get N-speed service on my
MacBookPro - I had to resort to stealing the Airport Extreme 802.11n board
out of my MacPro desktop and taking apart my laptop to replace the older
model with that one (works great, but that's another story).
There's certainly a lack of interest in the Mac community for this
WRVS4400n device - and given some of the hassles of setting this thing up,
not sure many will bother with it. The built in VPN (ipsec) and gigabit make
it, in theory, a sweet 802.11n class device - much better than Apple's
Airport Extreme Base Station AEBS which lacks gigabit ethernet and only
does passthrough on the VPN. I was tempted to take mine back, but I think
I've had it longer than the return period, and with things started to gel, I'm
starting to be satisfied with it.
[quote]I bought an Apple Express and it works great. I am going to use a G4
running IPSecuritas.
Your tips on the settings help a lot![/quote]
Did you buy the Express or the new Airport Extreme Base Station (AEBS)?
The Express is the little $99 thing about the size of a deck of cards. I have
the new AEBS in our mix; this device only supports VPN passthrough, and
there appears to be issues with that as seen on this Apple Support Thread:
http://discussions.apple.com/thread.jspa?messageID=4046689
Depending on what you'll be using to actually host the VPN service, you
could probably just use OS X's built-in client rather than needing
ipsecuritas.
by croatoan on 2007-04-17 01:28:15 +0200
Yeah, I got the AEBS in place of the WRVS4400n. I like the AEBS ALOT more
then the WRVS4400n. The set up interface is so much better. I knew about
the gigabit ethernet but I have a gigabit switch that they run through so
that was not a big deal. It is a 4 person real estate office.
I a Customer Support Engineer for Cisco Systems back in 1996-99. We used
to care about all our customers. Also Cisco was actually an all Apple outfit
back then but in 2000 they went to the dark side. If we did not know
something we used to walk around to findsomeone who did. I was hoping
since they bought Linksys they would have aquired some of that attitude. I
guess not.
So, was your purpose in trying the 4400N to get 802.11n, or to get a
hardware VPN solution. If 802.11, the AEBS sure works better with Macs in
terms of connection speed and data throughput, but if you were after VPN,
AEBS is only passthrough, so how are you protecting your LAN from the
WAN side?
p.s. - on a side note, I think yahoo mail is killing email notifications from
this forum as spam - they're not even making it into my junk folder. Can
someone post the email address they come from so I can add it to my
address book? Or does that feature not work here?
by croatoan on 2007-04-18 15:59:02 +0200
>So, was your purpose in trying the 4400N to get 802.11n, or to get a
hardware VPN solution.
I wanted it all! I was hoping it would be a complete solution. The 4400N
said nothing about Macs not being able to connect. You would think that a
VPN was a VPN. :-? I remember the day when an RFC was an RFC.
As far as protection, I have not set up VPN or anything yet. The AEBS has a
decent firewall.
Yeah, we all want it all. ;-)
In retrospect, now that I've gotten VPN to work with the Mac and the
4400N, I have no regrets, and it seems easy now. IPsec has a bit of a
reputation as being "voodoo" or "black magic" to set it up. The problem
with our Macs is that the Mac only supports L2 or PPTP vpn out of the
operating system, hence the need the third party stuff. That's a Mac issue,
not the WRVS4400N's problem. Part of the allure of Linksys products was
the QuickVPN solution which is supposed to make it an idiot-proof
connection; and to Linksys's defense I'll say that the box does say Windows
under system requirements.
Like I said, once I figured out that the trick was just getting something like
IPSecuritas or VPNTracker on the same page as Linksys, it's a no-brainer
now. Hindsight is 20/20, though. I have to go to the Linksys forums and
correct some posts I made stating that IPsecuritas wouldn't work with the
4400N. It might not have worked with the old version; I am using the
newer one.
I have both the AEBS and 4400N in the mix. Both have issues, but both are
very good at what they do in terms of the things they do right.
by mdaitzman on 2007-04-25 06:31:43 +0200
Thank you thank you thank you thank you thank you . . . . . .
I've been banging my head against this for a few weeks . . . . I'd just about
given up when I saw your post and - hurray!!!! It worked.
Thanks again!
by mdaitzman on 2007-04-25 16:16:51 +0200
Hmm - worked last night from home (vpn and my PC on a switch both
running PPOE.)
When I got the office, different internet connectin (both Verizon FIOS) and
tried to connect I received the following:
Apr 25, 09:55:58 Error IKE Foreground mode.
Apr 25, 09:56:09 Error IKE fatal INVALID-ID-INFORMATION notify
messsage, phase1 should be deleted.
Apr 25, 09:56:28 Error IKE fatal INVALID-MESSAGE-ID notify messsage,
phase1 should be deleted.
Apr 25, 09:56:33 Error IKE phase2 negotiation failed due to time up
Apr 25, 09:56:38 Error IKE 71.248.163.15 give up to get IPsec-SA due
to time up to wait.
to time up to wait.
to time up to wait.
Any ideas on how to fix?
Thanks!
by mdaitzman on 2007-05-07 22:39:41 +0200
I thought this was due to an issue with the actiontec router, it turns out that
it doens't work from anyplace except plugged into the same swtich as my
wrvs4400n - so, any ideas what causes those kinds of errors? (Note, I wil
ltry with newer RC to see if it helps and update. )
by corbywan on 2007-06-22 05:40:03 +0200
OK, I'm going crazy. I'm new to the world of VPN but I had a CCNA and
CCDA back in the day, so I'm not totally clueless.
I've been trying to use the instructions above to get into my WRVS4400N
with no luck. Setup is exactly as described. Looking through the logs here
is what I've found.
I fought for a few hours with some messages I don't have anymore that
were to effect of my local IP subnet was the same as the remote IP subnet.
Here at my house I have a Linksys WRT54 setup to use 192.168.1.0 for IPs.
That's the same thing that is set up at the office. That must be a bad thing
because after I changed my network here at home to a 10net range I at
least started to get a yellow light. Are there any other givens I need to know
about, or should this not have been a problem?
I think I'm failing in phase 1. I tried VPNTracker and its log was helpful to
figure that out. Here is the log from IPSecuritas
[code]Jun 21, 20:26:08 Info
Jun 21, 20:26:08 Info
Jun 21, 20:26:08 Info
APP Initiated connection huh
Jun 21, 20:26:09 Error IKE fatal INVALID-ID-INFORMATION notify
Jun 21, 20:26:14 Error IKE fatal INVALID-MESSAGE-ID notify messsage,
Jun 21, 20:26:15 Info
Jun 21, 20:26:22 Info
Jun 21, 20:26:24 Error IKE OFFICE.IP.ADDRESS.HERE give up to get
Jun 21, 20:26:29 Info
Jun 21, 20:26:29 Error IKE fatal INVALID-ID-INFORMATION notify
Jun 21, 20:26:36 Info
Jun 21, 20:26:41 Warning APP Connection huh timed out
Jun 21, 20:26:41 Warning APP Giving up
Jun 21, 20:26:41 Error IKE unknown Informational exchange received.
Jun 21, 20:26:44 Error IKE OFFICE.IP.ADDRESS.HERE give up to get
Jun 21, 20:27:24 Info
APP IPSec stopping
Jun 21, 20:27:25 Info
APP IKE daemon terminated[/code]
Can someone please help? Does this give anyone a clue? I recommended
the purchase of this box because I saw that people got it working with this
app on Macs. The office is an all Mac outfit so if I can't get this to work we
are going to have to figure something else out. Thanks in advance.
by Forum Admin on 2007-06-22 10:58:54 +0200
Hello,
the INVALID-ID-INFORMATION notification you're getting means that either
the local or the remote endpoint address is not what the router expects.
Most probably the 10.x.x.x range you're using is not what the router
accepts - have a look at the router for the remote network range, choose an
address from that range and enter it into the local endpoint address field in
IPSecuritas to override the real local address which is taken if you leave the
field blank.
The reason you got the red dot before you changed your local LAN address
was a collision between the local endpoint address and the remote endpoint
network (both had the same range). If you want to do this, you have to
enable the 'Local IP in remote Network' option for this connection (please
note that it very much depends on the router if this is supported at all)
Hope this helps,
Christoph
by corbywan on 2007-06-22 23:56:28 +0200
Thanks for the info. Still no joy. I set my home network back to a
192.168.1.0/24. Here's the deal.
Office Network: Behind the router it's a 192.168.1.0/24 network.
Home Network: Behind the router it's a 192.168.1.0/24 network.
At home I have assigned my laptop 192.168.1.50, an address I know that
no other machine on either network is using. I'm still getting basically the
same log as above with all the INVALID-MESSAGE-ID stuff.
Is the problem I'm having an IP addressing problem? I think all the security
stuff is working fine.
by corbywan on 2007-06-23 16:48:30 +0200
I was doing some more testing with VPNTracker and it looks like I'm failing
phase 2.
Interestingly enough, it won't even try to connect if my local subnet is the
same as the remote subnet. I have to change it to anything other than
whatever the remote subnet is and it make an effort.
Also, this is an aside to anyone using the WRVS4400N. If you are using
Safari to manage your router, you need to turn "Block pop-up windows" off
or you won't be able to access the Advanced Settings options. The Log
pop-up works fine, every other pop-up works fine, but just that one won't.
Hope that helps someone because it killed me for a few hours.
by Dave on 2007-06-24 01:24:34 +0200
[quote author=corbywan link=1174748106/0#14
date=1182610110]Interestingly enough, it won't even try to connect if my
local subnet is the same as the remote subnet. I have to change it to
anything other than whatever the remote subnet is and it make an effort.
[/quote]
The local and remote subnets [b]must[/b] be different or it will never work;
that is a requirement for any VPN client that I know of.
I'd suggest turning up the logging level with IP Securitas (in the
Preferences...) and then see if you can figure out why it is failing Phase 1.
by corbywan on 2007-06-24 01:55:57 +0200
See, that's what I thought to until someone told me to turn on the option
for local IP on remote network, but the effects were still the same.
And it seems to be passing Phase 1 and choking on Phase 2. Here is a link
to the log file for the curious (link because it's too long to paste here). I
have replaced the IP of the Linksys for obvious reasons.
[url]http://www.stephensfam.net/ph2fails.txt[/url]
by corbywan on 2007-06-24 06:14:47 +0200
Is there anything I need to do with my home router other that set it to VPN
passthrough? I'm not trying to bridge my home network to the office, just
one computer.
by Dave on 2007-06-25 17:03:07 +0200
[quote author=corbywan link=1174748106/15#17 date=1182658487]Is
there anything I need to do with my home router other that set it to VPN
passthrough? I'm not trying to bridge my home network to the office, just
one computer.[/quote]
Did you enable NAT for this connection? If you are behind a home router
(and given the IP address you're using, it looks like you're doing NAT), this
has to be enabled for IP Securitas to work. From your log:
[i]phase2 negotiation failed due to time up waiting for phase1. ESP
71.59.168.142[500]->192.168.2.101[500]
[/i]
Phase 1 failed and given the connection ports, it looks like you aren't doing
NAT-T; when I enable this, it connects through port 4500 instead.
So try enabling NAT on the Options page, I believe, and see if that helps.
by corbywan on 2007-06-25 20:30:05 +0200
Thanks for the suggestion. NAT-T is set to enable, and I set the Exchange
to mode Aggressive as well. I'm still seeing port 500 in the log. I even tried
NAT-T on force and no such luck.
by corbywan on 2007-06-28 15:16:20 +0200
Christopher from Lobotomo was a HUGE help for me. Really too the time to
personally help me.
He found that you could not have the Remote Security Group set to any,
that it had to be set to your specific IP (your private one behind your local
LAN). If you set that, and then also enter that same IP in the General tab
under Host, you could connect. You can then create a tunnel for the various
IPs that will be able to connect in.
I tried setting mine to Subnet so I wouldn't have to worry about specific IPs
but that didn't seem to work either. It's curious that the same router can
work for some people with one set of settings and not for others.
Anyway, that's what did it for me. Cheers to Christopher!
by corbywan on 2007-07-04 18:00:42 +0200
OK. This is getting a little irritating. I can get a green light every time I
connect, but I'm only really connected 25% of my attempts. I can have a
green light but the Status of my 4400 shows the tunnel as Down. I cannot
ping the internal IP of the 4400 nor any IP on the network.
Any ideas? Here is a sample from the log after a green connection. This
basically repeats.
[code]Jul 04, 08:59:06 Debug IKE ===
Jul 04, 08:59:06 Debug IKE 284 bytes message received from
71.59.168.142[4500] to 192.168.2.101[4500]
Jul 04, 08:59:06 Debug IKE 715c2b68 b5221021 a571a22a adb72c05
08102001 b73b8825 0000011c 00cdca15
Jul 04, 08:59:06 Debug IKE 5da4aea8 2dea5cbb 30630e5a 7da5a09b
8b49e65f 01420c81 129e7c9c 35c02772
Jul 04, 08:59:06 Debug IKE 71cf88d8 e3ff16cc 3e9c2f79 def46aef
c9d1a904 2ad32eab 66bda644 9174d6b7
Jul 04, 08:59:06 Debug IKE 72428a62 4ce56262 db6be7fb 9630b0bb
41d918b0 d3205e5a 86522942 88c7f078
Jul 04, 08:59:06 Debug IKE 3cdfa8fe 1e1cca63 64c384e7 fae3a92e
f76b0709 b18ae995 c2a4d7c6 bc797cb3
Jul 04, 08:59:06 Debug IKE 4fbfa4a6 5a90df19 7ec4d1fd 7d788f63
62d89fe1 206b3d09 e951d992 3ff25821
Jul 04, 08:59:06 Debug IKE 1f1cd1e5 6fdd8aca 4482beda 60eca6f2
971eeefd a89f8053 a2c799cc 1c234d3a
Jul 04, 08:59:06 Debug IKE 5f4f5630 1504ad97 9d8607cb 18ddea60
5f66bf50 336ff580 09bc244a 6f68cfdd
Jul 04, 08:59:06 Debug IKE 073470cc 6cea7b0d b541d062 83a2367c
5a90a295 c20c0adc dbf0d3c8
Jul 04, 08:59:06 Debug IKE configuration found for 71.59.168.142.
Jul 04, 08:59:06 Debug IKE new cookie:
Jul 04, 08:59:06 Debug IKE 4010463c6e3d15a1
Jul 04, 08:59:06 Debug IKE Marking ports as changed
Jul 04, 08:59:06 Debug IKE Adding NON-ESP marker
Jul 04, 08:59:06 Debug IKE 44 bytes from 192.168.2.101[4500] to
71.59.168.142[4500]
Jul 04, 08:59:06 Debug IKE sockname 192.168.2.101[4500]
Jul 04, 08:59:06 Debug IKE send packet from 192.168.2.101[4500]
Jul 04, 08:59:06 Debug IKE send packet to 71.59.168.142[4500]
Jul 04, 08:59:06 Debug IKE 1 times of 44 bytes message will be sent to
71.59.168.142[4500]
Jul 04, 08:59:06 Debug IKE 00000000 715c2b68 b5221021 4010463c
6e3d15a1 0b100500 ade98364 00000028
Jul 04, 08:59:06 Debug IKE 0000000c 00000001 01000004
Jul 04, 08:59:06 Debug IKE sendto Information notify.
Jul 04, 08:59:06 Error IKE can't start the quick mode, there is no
ISAKMP-SA, 715c2b68b5221021:a571a22aadb72c05:b73b8825
Jul 04, 08:59:15 Debug IKE ===
[/code]
Linksys RVS4000
Linksys RVS4000
by Kender on 2007-03-27 03:45:47 +0200
Has anyone had any success connecting to a Linksys RVS4000 VPN router?
Every time I try to connect I get the following log entries:
[code]
Mar 26, 16:36:11 Info
Mar 26, 16:36:11 Info
Mar 26, 16:36:11 Info
Mar 26, 16:36:11 Info
Mar 26, 16:38:16 Info
APP IPSec stopping
Mar 26, 16:38:17 Info
Mar 26, 16:38:17 Info
Mar 26, 16:38:17 Info
APP IPSec started
Mar 26, 16:38:17 Info
Mar 26, 16:38:17 Info
Mar 26, 16:38:17 Info
Mar 26, 16:38:17 Info
Mar 26, 16:38:17 Info
waiting for phase1. ESP 1.1.1.1[500]->2.1.1.2[500][/code]
And then it repeats. Any ideas?
This happens from home (behind an Airport Extreme) and "barenaked" to
the Internet.
Re: Linksys RVS4000
by Dave on 2007-03-27 05:39:09 +0200
All that says is that the phase 1 negotiations failed; I'd suggest increasing
the log level in the Preferences to capture more info. While the log will get
rather large, you should be able to get a better idea why the phase 1 failed.
Re: Linksys RVS4000
by mrchew on 2007-04-23 16:53:12 +0200
Has anyone been able to get the Linksys RVS4000 working with IPSecuritas?
If yes, can you please post detailed configuration details.
thanks
Re: Linksys RVS4000
by Kender on 2007-06-02 15:37:34 +0200
Well I finally got around to this - here is the full debug log of the issue.
[code]IPSecuritas 3.0 build 1693, Sun May 27 21:43:28 MVT 2007, nadig
Jun 02, 09:30:25 Info
Jun 02, 09:30:25 Debug IKE lifetime = 3600
Jun 02, 09:30:25 Debug IKE lifebyte = 0
Jun 02, 09:30:25 Debug IKE encklen=0
Jun 02, 09:30:25 Debug IKE p:1 t:1
Jun 02, 09:30:25 Debug IKE 3DES-CBC(5)
Jun 02, 09:30:25 Debug IKE MD5(1)
Jun 02, 09:30:25 Debug IKE 768-bit MODP group(1)
Jun 02, 09:30:25 Debug IKE pre-shared key(1)
Jun 02, 09:30:25 Debug IKE compression algorithm can not be checked
because sadb message doesn't support it.
...
Jun 02, 09:30:25 Info
APP Initiated connection Remax-GV
Jun 02, 09:30:25 Debug IKE get pfkey ACQUIRE message
...
Jun 02, 09:30:25 Debug IKE get pfkey ACQUIRE message
Jun 02, 09:30:25 Debug IKE 02060003 14000000 27000000 9f4b0000
03000500 ff200000 10020000 0a00012a
Jun 02, 09:30:25 Debug IKE 00000000 00000000 03000600 ff200000
10020000 42b853a2 00000000 00000000
Jun 02, 09:30:25 Debug IKE 0a000d00 20000000 000c0000 00000000
00010001 00000000 01000000 01000000
Jun 02, 09:30:25 Debug IKE 00000000 00000000 00000000 00000000
00000000 00000000 80510100 00000000
Jun 02, 09:30:25 Debug IKE 80700000 00000000 00000000 00000000
02001200 02000200 07000000 00000000
Jun 02, 09:30:25 Debug IKE suitable outbound SP found:
10.0.1.42/32[0] 192.168.10.0/24[0] proto=any dir=out.
Jun 02, 09:30:25 Debug IKE sub:0xbffff55c: 192.168.10.0/24[0]
10.0.1.42/32[0] proto=any dir=in
Jun 02, 09:30:25 Debug IKE db :0x308b78: 192.168.10.0/24[0]
10.0.1.42/32[0] proto=any dir=in
Jun 02, 09:30:25 Debug IKE suitable inbound SP found:
192.168.10.0/24[0] 10.0.1.42/32[0] proto=any dir=in.
Jun 02, 09:30:25 Debug IKE new acquire 10.0.1.42/32[0]
192.168.10.0/24[0] proto=any dir=out
Jun 02, 09:30:25 Debug IKE (proto_id=ESP spisize=4 spi=00000000
Jun 02, 09:30:25 Debug IKE (trns_id=3DES encklen=0
authtype=hmac-sha)
Jun 02, 09:30:25 Debug IKE in post_acquire
Jun 02, 09:30:25 Debug IKE configuration found for xx.xxx.xx.162.
Jun 02, 09:30:25 Info
IKE IPsec-SA request for xx.xxx.xx.162 queued
Jun 02, 09:30:25 Debug IKE ===
Jun 02, 09:30:25 Info
10.0.1.42[500]<=>xx.xxx.xx.162[500]
Jun 02, 09:30:25 Info
IKE begin Base mode.
Jun 02, 09:30:25 Debug IKE new cookie:
Jun 02, 09:30:25 Debug IKE 88c9d13eecd614ad
Re: Linksys RVS4000
by Dave on 2007-06-03 03:53:03 +0200
One thing that is kind of odd is that it is doing BASE mode negotiation.
Most VPN endpoints do either Main (for certificates, I think) or Aggressive
(required if you're being a NAT router, I believe).
Try using Main, Aggressive or just Aggressive and see what you get.
Re: Linksys RVS400
by cheese2 on 2007-06-06 01:00:14 +0200
I am pretty much in the same boat - cant connect to my brand new rvs4000
for love nor money. My log looks just exactly like Kender's (except for the
ips of course...)
One question I do have - in the previous firmware for the 4000 you could
specify the remote security gateway as Any but in the most recent version
you must specify either an ip or an ip + domain name. You can specify the
remote group as any. By my understanding this means that it wont work
with a roaming endpoint (ie my macbook running IPSecuritas) or am I
confused? (Probably)
Even when I do put my ip address in still wont connect...
Re: Linksys RVS4000
by corbywan on 2007-06-25 08:52:14 +0200
I've posted in another thread on this and I know people are looking into it. I
have a WRSV4400N and am having the same issue. My log looks pretty
much identical.
Re: Linksys RVS4000
by corbywan on 2007-06-28 15:15:35 +0200
Christopher from Lobotomo was a HUGE help for me. Really too the time to
personally help me.
He found that you could not have the Remote Security Group set to any,
that it had to be set to your specific IP (your private one behind your local
LAN). If you set that, and then also enter that same IP in the General tab
under Host, you could connect. You can then create a tunnel for the various
IPs that will be able to connect in.
I tried setting mine to Subnet so I wouldn't have to worry about specific IPs
but that didn't seem to work either. It's curious that the same router can
work for some people with one set of settings and not for others.
Anyway, that's what did it for me. Cheers to Christopher!
Re: Linksys RVS4000
by jklinephd on 2007-07-04 08:23:09 +0200
Can you outline the settings both for the router and the settings for the
computer connecting to the server.
I cannot get this to work.
thanks
Jeff
Re: Linksys RVS4000
by cnadig on 2007-07-04 09:31:57 +0200
Hi,
basically, follow the setup description for the Linksys WRV200
(http://www.lobotomo.com/products/IPSecuritas/howto
/Linksys%20WRV200%20HOWTO.pdf), but don't set the Remote Secure
Group (page 3) to Any but any other address instead (preferrably any
private address from RFC 1918 like 10.x.x.x - should not be part of the
LAN behind the router). Enter the same address as a virtual IP address
IPSecuritas (page 6).
If multiple users need simultanous access, you need a seperate tunnel for
each (identical settings except for the remote secure group address preshared secret must be the same for all tunnels!)
Hope this helps,
Christoph
Re: Linksys RVS4000
by davewu on 2007-08-01 12:44:14 +0200
Hallo,
I have the same problem, but christophers succestions did not work for me.
Can some one please post a working setup.
thanks
David
Re: Linksys RVS4000
by rnoser on 2007-11-27 08:47:22 +0100
I would truly appreciate any info anyone can give regarding getting the
RVS4000 to work with IPSecuritas. It feels like I've been beating my head
against a wall trying to get it to work. It's probably something real easy,
but it feels like I've had every setting/option in every possible
configuration.
Thanks in advance!
Re: Linksys RVS4000
by roborino on 2007-11-28 12:34:27 +0100
I am in the same boat. I have tried just about anything and would really
appreciate some help. The notes above have been tried without success.
Any assistance would be much appreciated. I have tried to follow the
how-to-guide on the WRV200 to no avail.
Thanks!
Re: Linksys RVS4000
by roborino on 2008-02-28 15:27:26 +0100
Really hard to believe that no one has a working version of this with the
RVS4000. Is there a better solution? Desperately need a VPN solution that
works within a Mac environment?
Thanks in advance!!!
Re: Linksys RVS4000
by marcus178 on 2008-06-30 11:46:41 +0200
Has anyone found a way to connect to the rvs4000? Tried all sorts and just
can't get it to work.
Problem with connection
Problem with connection
by epoc1000 on 2007-03-31 13:08:23 +0200
Hi,
I have a problem, when I try to connect to our Sonicwall. I have this error
logs. I configured everything simular to VPN-Tracker where it worked
perfectly. Can anyone tell me, where I can track for errors or what I can do:
192.168.2.10/32[0] 192.168.1.0/24[0] proto=any dir=out.
192.168.2.10/32[0] proto=any dir=in
Mar 31, 13:00:48 Debug IKE db :0x308958: 192.168.1.0/24[0]
192.168.2.10/32[0] proto=any dir=in
192.168.1.0/24[0] 192.168.2.10/32[0] proto=any dir=in.
Mar 31, 13:00:48 Error IKE failed to get sainfo.
Everytime it ends with "failed to get sainfo".
Bye
Re: Problem with connection
by Dave on 2007-04-01 03:36:22 +0200
The first thing I always suggest is to turn up the debugging level in the
Preferences; it might make it easier to see what is going on before things
fail. I'm guessing that sainfo is "Security Association Info" but I don't know
any more than that. Given that both of these addresses are "fake," might
you need to turn on NAT-T?
Anyone have success w/ xAuth yet?
Anyone have success w/ xAuth yet?
by leopard on 2007-04-13 02:59:39 +0200
Has anyone had success getting xAuth to work against any appliance? :-?
Re: Anyone have success w/ xAuth yet?
by Dave on 2007-04-13 04:17:39 +0200
I've got xAuth working against a SonicWall TZ170 (I think that is the model).
I have to drop the MTU down to 1400 manually to get the connect not to
fragment and drop packets but once it is working, I can bring it back up to
1500.
But the xAuth part works flawlessly.
by leopard on 2007-04-13 16:00:58 +0200
I have a FortiGate 100A that I can get VPN access to. But the second I
implement xAuth my phase 1 negation fails. FortiGate support can not
deduce what is failing. IPSecuritas log shows the following
Apr 09, 10:38:46 Info
Apr 09, 10:38:47 Info
Apr 09, 10:38:47 Warning IKE Ignored short attribute XAUTH_USER_NAME
Apr 09, 10:38:47 Warning IKE Ignored short attribute
XAUTH_USER_PASSWORD
Anyone have any input?? Thanks.
by pingu on 2007-04-30 18:24:39 +0200
We've got it working with a Sonicwall 3060, finicky, but it works eventually.
No luck getting the Sonicwall to look up XAuth user info from
OpenDirectory though. Anybody had luck with this?
Dan
by lleung on 2007-05-23 08:26:37 +0200
Just to add my $.02 into the the pot..
I have 4 Fortigate's. 300A, 100A, 60ADSL and 60M. (they're all linked via
ipsec tunnels)
Like everyone else, everything works on all 4 of them except xauth.
it if means anything, I also have a vpn tracker. vpn tracker handles it fine in
aggressive mode, + xauth using pap
if anyone is lobotomo is interested, I can set up a test connection for you to
experiment on.
by cnadig on 2007-05-25 14:39:36 +0200
Hello,
the problem could be solved thanks to the great support from Lynda
(lleung) in providing a test account. The fix will be included in the final 3.0
release to be released coming Sunday, and will work on other types of
firewalls too, if any of the following log lines appeared when using XAUTH:
Ignored short attribute XAUTH_USER_NAME
Ignored short attribute XAUTH_USER_PASSWORD
Cheers,
Christoph
Using 3.0 to connect to Windows in transport mode
Using 3.0 to connect to Windows in transport mode
by Athanyel on 2007-04-13 21:44:24 +0200
I am aiming to establish IP Security in transport mode to a Windows 2003
server for just the standard SMB/CIFS ports (UDP 137 and 138, TCP 139 and
445).
I have built a Windows server that requires IPSec on these four ports and
uses certificates for authentication. All of my Windows machines (both on
my domain and off of my domain) are working just fine. I hope to use 3.0
as the primary IPSec UI for our Macintosh customers. The ability to easily
import both the configuration and PKCS#12 certificates in 3.0 would greatly
simplify the deployment of IPSec to my user community.
With 2.2, I am able to establish an IPSec connection to my Windows server
with certificate based authentication. I can then connect to the locked
down ports with IPSecuritas. Once the connection is established, 2.2 is
encrypting ALL traffic to the server. I haven't found a way (if there is) to
only encrypt traffic on the four ports.
With 3.0, I am able to connect (I get the little green ball) and the Windows
server declares that main mode and quick mode were successfully
negotiated and that a security association is in place. Once established, I
cannot actually connect to the secured ports on my server.
I am testing the IPSec connection to the server by pinging the server and
attempting to connect to both a port that I do not protect (WebDAV over
SSL on port 443) and a port I do protect (SMB/CIFS on port 139). When 2.2
is connected, the pings do not go through and I cannot connect to port 443
but can connect to 139. As soon I as stop IPSec on 2.2, the pings go
through, I can connect to the WebDAV share and lose my connection to port
139. With 3.0, I can ping the server and connect to port 443 but cannot to
port 139 regardless of what 3.0 declares the state of the IPSec connection
is.
My primary concern is making 3.0 work in a similar fashion to 2.2. I'm not
really worried about the client blindly attempting to encrypt all traffic to my
server. I just need to make sure that I am actually encrypting the data that I
need to have encrypted.
Does anyone know of anything I can modify/test? I am establishing my
connection as follows:
GENERAL
Remote IPSec device is set to the DNS name of the server I am attempting to
connect to.
Both the Local and Remote Side are set to Host with Transport Mode
checked.
PHASE 1
Lifetime
8 hours
DH Group
1024 (2)
Encryption
3DES
Authentication
SHA-1
Exchange Mode
Main
Proposal Check
Obey
Nonce Size
16
PHASE 2
Lifetime
8 hours
PFS Group
1024 (2)
Encryption
3DES
Authentication
HMAC SHA-1
Re: Using 3.0 to connect to Windows in transport m
by Dave on 2007-04-13 23:53:57 +0200
I'll recommend setting the MTU on the Mac down to 1400 and see if things
work then. I've had to do this once a connection is established to get
packets not to fragment and get dropped. Oddly enough, once packets are
flowing, I can boost up the MTU back to 1500 and it still works! :)
But try that and see if it lets you connect.
by Athanyel on 2007-04-14 00:24:06 +0200
I followed the instructions in http://docs.info.apple.com
/article.html?artnum=303192 and set the MTU to 1400. I then shut down
the 3.0 Daemon (Command+Option+Q) and restarted IPSecuritas 3.0. I
repeated my tests as outlined in the original post. No joy. :-[
by Dave on 2007-04-14 04:22:57 +0200
That's not what I did. I changed the MTU to 1400 [i]while[/i] the connection
was active; that seemed to "wake it up." Short of that, you can try pinging in
the Windows box using the "Do not Fragment" bit and increasingly higher
ping packet size until it fragments and see what happens.
I can't say if this will fix anything, only that it worked for me.
by Athanyel on 2007-04-16 17:13:59 +0200
Argh! No luck there either!
I toggled the MTU all over the map (every hundred from 500 to 1500) and
nothing at all. Next up, I bombarded it from the Windows server...nothing
(from tiny packets to packets bigger than the client's MTU). It's like the
policy on the IPSecuritas side is "don't encrypt anything" It's
negotiating...and then not encrypting!
Do you know of a way to view the active policy? In Windows, it's really
straight forward.
Thanks!
by Athanyel on 2007-04-17 21:11:22 +0200
I got it!
If you're using 3.0rc in Transport mode, you need to first clear the
"Transport Mode" checkbox on the General page for your connection.
Specify the IP address of the machine you want to connect to in the "IP
Address" field of the "Remote Side" area of the General page. Then check
"Transport Mode" option again.
In 2.2, setting the Mode of Operation to "Host To Host (Transport)" appears
to use the Remote IPSec Device to determine the IP address that data will be
encrypted to.
In my mind, 3.0 should be operating the same way as 2.2 (i.e. when 3.0 is
in Transport mode, the policy should be defined by the "Remote IPSec
Device" and not by the "IP Address" field in the "Remote Side" area of the
"General" page).
I'll be sending this along to the [email protected] address as well.
by Forum Admin on 2007-04-20 12:56:13 +0200
Hi,
this is indeed a bug, thank you very much! I have fixed this and it will have
to release a final release candidate soon.
Cheers,
Christoph
by Athanyel on 2007-05-30 23:38:02 +0200
Alright, I've now gone back and tried this with the final release...and it
stopped working!
My configuration has not changed since what I listed here. I've got two
Macs set up. Both are clean installs of 10.4 and updated to 10.4.9. One
has 3.0rc installed and the other 3.0 final.
In the 3.0rc build, I was able to establish the connection after:
[list][*]Clearing the "Transport Mode" checkbox on the General page for
your connection[*]Setting the IP address of the machine I want to connect to
in the "IP Address" field of the "Remote Side" area of the General
page.[*]Checking the "Transport Mode" option again.[/list]In 3.0 final, I click
"Start" and the main window shows "IPSec active" then very quickly "IPSec
inactive". The debug log shows that ISAKMP-SA is established between the
two hosts. Immediately after, it declares "begin QUICK mode" and then
reads "IKE daemon terminated" after "compute DH's private" and "compute
DH's public".
HELP!
Unable to see network shared drives
Unable to see network shared drives
I did a bit of searching and can't find if this has been asked before - forgive
me if it's an asked and answered question,
I've managed to get my MacBookPro to connect into my LAN using
ipsecuritas v3rc.
The router is a Linksys WRVS4400N. The router shows a valid ipsec tunnel
in place, and I am able to ping all valid addresses on the internal network,
and I can access those devices (a network attached storage device and
several routers/acces points) that have webinterfaces by typing their ip
address into Safari.
The problem is I can't see any of my network drives, or other Mac machines
in Finder's Network. Should I be able to? The whole purpose of VPN into
the network is to have access to shared files while on the road.
Any ideas what I am doing wrong?
Should Bonjour work? I've read it doesn't through a VPN.
I do have "windows sharing" turned on in OSX system preferences, and the
network attached drive plugs straight into the router's ethernet ports.
UPDATE: If I look real close at Finder, just as my VPN connection finishes
negotians, I see the network shares flash momentarily in Finder, and then
disappear. I'm also able to get dir listings of SMB/CIFS shares by using the
smbclient command in Terminal, though the "get" command seems to fail
for actually transferring a file.
Any ideas?
Re: Unable to see network shared drives
Okay! Figured out a workaround for this "problem" (if indeed it is a
problem and not a design feature) all on my own:
Once the VPN tunnel is established, I can go to the Finder Menu Bar, Select
Go, Connect To Server (Command-K), then type in the ip address of the
shared drive I am looking for. The normal connect menu from Finder then
pops up and allows you to select which particular share you're looking to
connect to.
I've loaded every drive on the network this way, except for one - the USB
drive that's shared on my Airport Extreme Base Station. This one may take
some more time to figure out.
profiles and mode_cfg
profiles and mode_cfg
by coreyva on 2007-04-17 08:09:56 +0200
Using 3.0rc, I created a few profiles for various connections. The problem is
I am unable to change the profile from the pulldown. Selecting it does
nothing. Anyone else seen this?
My bigger issue is with mode_cfg. I need to be able to specify a ippool on
my firewall (netscreen 25), but once I do, and enable mode_cfg, I can no
longer connect. I am able to with VPN tracker, using that configuration.
Aside from those two issues, it works great for me.
Re: profiles and mode_cfg
by coreyva on 2007-04-17 18:09:36 +0200
Actually, the pulldown does work, but it wil only activate at the very bottom
edge of the pulldown. Still not getting mode_cfg to function. XAUTH works
nicely though.
IPSECURITAS working everywhere but not on MACPRO
IPSECURITAS working everywhere but not on MACPRO
by senzex on 2007-04-20 19:05:47 +0200
Hello there,
I've set up some NETGEAR FVS124G, and I'm able to connect to them with
no pb in almost anywhere. My problem is, that I'm working 4 days a week at
a Office at which I'm happy to drive a MacPro.
I've entered the exact same settings on the MacPro and it is a NO GO.
Nothing, nada.
the red pill status stays [b] RED[/b], it does not even get [b]orange[/b]
(meaning something is going on). just to be sure I log on the web interface
to check the VPN STATUS window but, nothings happens everythings stays
IDLE.
I just don't understand.
I've installed Bootcamp and was, until not long only working on W$ ;(Not
MY choice).
For now on I'm using Parrallels with much Joy so I'm back at my favorite OS.
I thought first that some how parrallels was the culprit, but with or without
it nothing happens.
Another thing is that we are behind 2 IPCOP boxes (v3 !! I know it's just so
old.... as IPCOP is now at v10 or v11... but I can't make them change this
for now) -> so I was wondering if IPCOP may be the one(s) that tricks me.
again I don't know.
@ home or others oFFices, as soon as I'm connected it's just OK in a bunch
of seconds and I can see any of all the computers on the remote networks
(via apple Remotedesktop and or finder).
And here just nothing happens.
So if anyone has any idea, I'll be glad to read it ;)
Cause right I have to launch Apple remote desktop on the Macpro, then
remote connect to my "home" server, them from here start IPSECURITAS and
launch remote desktop and from there I can see what I want. but it's just
not very simple nor handy (it works but... U know I just want to get it from
here the Office I'm talking about).
Office1->remotedesktop->Server->IPSEC+remotedesktop->Target
Office(s) pfff many connections.
Hope I was clear enough and pardon my Bad english.
IPsecuritas 3 is just what I wanted and saved me some applescript coding to
switch settings ;), it just rocks....
IPSecuritas works /w Check Point VPN-1 NGX (R65)
IPSecuritas works /w Check Point VPN-1 NGX (R65)
by dantro on 2007-04-24 14:03:43 +0200
Hi,
after struggling with the software a bit I finally got IPSecuritas 3.0 rc
working with our Check Point VPN-1 NGX (R65) firewall. Respect to the
Lobotomo dev team. Now we are not limited anymore to Check Point's
aged SecureClient R65 for OSX. It always slowed down our hosts once
installed.
Best regards,
Danny Trommer
CCSA/CCSE/CCSE+
Re: IPSecuritas works /w Check Point VPN-1 NGX (R6
by skyb on 2007-05-21 13:36:56 +0200
Hi Danny,
currently I have problems to connect with our Checkpoint, too.
I would be great if you could tell me how it worked for you.
Christoph
by Mr.Bove on 2007-10-22 19:28:09 +0200
[quote author=dantro link=1177416223/0#0 date=1177416223]Hi,
after struggling with the software a bit I finally got IPSecuritas 3.0 rc
working with our Check Point VPN-1 NGX (R65) firewall. Respect to the
Lobotomo dev team. Now we are not limited anymore to Check Point's
aged SecureClient R65 for OSX. It always slowed down our hosts once
installed.
Best regards,
Danny Trommer
CCSA/CCSE/CCSE+[/quote]
I'm new to the MAC world, I would really like to know how to configure the
IP Securitas client to work with Checkpoint VPN-1 NGX. Without revealing
too much info can you send me what you did?
by pstouffer on 2007-11-02 22:06:02 +0100
trying to get IPSecuritas to talk to Checkpoint VPN-1. Has anyone gotten
this to work and if so what settings needed to be changed from the wizard
settings.
Pete
by asnow_hk on 2007-11-17 06:22:55 +0100
I am also trying to get this to work, but have not been able to. In my
CheckPoint setup I have the following:
Authentication:
Scheme:
SecurID
User name: <my username>
"Use Key FOB hard token"
Profile: Advanced:
"Office Mode"
Once connected I have the following in the Status:
Office Mode IP: 10.88.8.xxx (can I assume that the network is
10.88.8.0/24)
So essentially I use my username, password and tokencode to log in. I've
not noticed any tokencode prompt in IPSecuritas. Is there one!?
Is it possible for someone to help me please? I'd like to know how to
translate this seemingly simple setup into an IPSecuritas Connection.
by mangus on 2007-11-18 18:13:59 +0100
I have had both success and failures trying to connect to our Checkpoint
VPN-1 Firewall using the Wizard set up.
Once I achieved success connecting I thought my troubles were over, but
unfortunately this was not to be the case. Since the initial success I later
had problems connecting with the same settings. Not knowing much about
the technical aspects of VPN I decided to save a debug-log for the failed
attempts and then compare them to a successful attempt.
I just now managed to get a connection again, and here's my findings
comparing the two log-files. Please note that just before achieving success
again I had been connected to the firewall through the Checkpoint client
inside of VMware Fusion. This may or may not be the key to success. I have
still to verify this, when I'm back to failing.
Anyhow... Here's what I can see when I compare the log-files:
Just above the log-row that reads: "Initiated connection Checkpoint" I get a
"msg 5 not interesting" in the successful attempt. Not so in the failed
attempt.
Later, after negotiations on encryption, hash and authentication seem to be
finished, the log states: "Adding NON-ESP marker" and then the client
sends 88 bytes of data. In the successful attempt the firewall responds with
a 1652 bytes long message, while in the failed attempt only 76 bytes are
received. After this, things seem to go really bad in the failed attempt,
spawning messages like: "Short payload" and "mode config 6 from
xxx.xxx.xxx.xxx[4500], but we have no ISAKMP-SA."
As I said, I don't know anything about anything VPN, but maybe this could
help somehow...
(Update: Since finishing this post I was back to failing, so I launched
VMware and connected with the Checkpoint client to see if this would help
IPSecuritas, but it didn't. So WMware doesn't seem to have anything to do
with success/failure rates.)
by mmulin on 2007-12-11 12:45:45 +0100
Hey Guys,
at least for the ones who get partial success, could you please publish your
IPSecuritas settings?
Am not trying to be smart here but, 1st, other's might be able to help
better and for the ones, like me, who have no success at all, it might bring
them on the right path..
Thanks
by bugfish on 2007-12-13 00:35:19 +0100
Well, I upgraded to Leopard, which killed Secureclient. After some fiddling, I
got IPSecuritas working with our Checkpoint setup at work, and since
people are asking, here are all the settings I'm using. Of course some of
these are probably sepecific to my place of employment.
i usd the wizard and chose Checkpoint VPN-1, but i made a few changes.
here are the settings from each tab. I HOPE THIS HELPS SOMEONE!
General:
Remote IPSec Device: (our vpn ip at work)
Local Side:
Endpoint Mode: Host
remote Side:
Endpoint Mode: Anywhere
Phase1:
Lifetime: 10 minutes
DH Group: 1024 (2)
Encryption: 3DES
Exchange Mode: Main
Nonce Size: 16
Phase 2:
Lifetime: 10 minutes
PFS Grpoup:
768 (1)
Encryption: DES, 3DES, AES 256, AES 192, AES 128 (the rest are
unchecked)
Authentication: HMAC MD5, HMAC SHA-1 (the rest are unchecked)
ID:
Local Identifier: User FQDN
(filled in with my user name at work)
Remote Identifier: User FQDN
(filled in with my user name at work)
Authentication Method: XAuth RSA
Username: (filled in with my user name at work)
Password: (filled in with my current password at work)
DNS:
(all blank)
Options:
IPSec DOI, SIT_IDENTITY_ONLY, Initial Contact, Request Certificate,
Send Certificate, Unique SAs, IKE Fragmentation
NAT-T: Force
Action after connection timeout: Retry immediately
by mmulin on 2007-12-13 08:11:26 +0100
Thanks, that actually helped me too. I have one problem though. My routes
are not locally updated as it would happen with SecureClient. I need to
specify all 120 networks under the "remote networks" settings manually.
Now, I wonder, if I use the same configuration and choose the "Anywhere"
option it doesn't connect at all. Any thoughts there?
by travelguy2500 on 2007-12-29 23:51:16 +0100
I followed all of bugfish's suggestions and it connects just fine (thanks!!)
but I can't browse any web pages. I'm new to MAC (my first mac - have
always been a pc person) and was wondering if anybody has any assist on
how to get web pages to view.
by bugfish on 2007-12-30 01:10:33 +0100
The inability to get to web pages with my setup is probably because I left
the DNS settings all blank. I left mine blank because I don't need them for
what I connect to work for (it's all IP address based). But if you know the
DNS ip addresses at work and plug those in, you'll probably get the web
back.
by travelguy2500 on 2007-12-30 03:50:13 +0100
thanks for the prompt reply. tried adding in my local dns server ip
addresses but still no luck. i'm getting the green light to show a
connection but something isn't allowing me to get to any internet
addresses. I tried to ping the dns server but that's coming back failed. any
ideas?
by macman365 on 2008-01-18 08:16:26 +0100
Based on the setting posted by bugfish (thanks!), I can now connect to my
work VPN. I did specify "Anywhere" for the remote side endpoint and that
does allow me to see every network on my office LAN.
However, I need to access my local network at the same time (for printing),
but if I set the local side endpoint mode to "Network" rather than "Host" the
connection isn't even attempted.
Below is the full "Debug" log when I try to connect:
[font=Courier New]IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST
2007, nadig
Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT
2007; root:xnu-792.22.5~1/RELEASE_I386 i386
Jan 18, 07:12:09 Info
APP IPSec authenticating
Jan 18, 07:12:09 Info
Jan 18, 07:12:09 Debug APP State change from AUTHENTICATING to
RUNNING after event TIMER
Jan 18, 07:12:09 Info
APP IPSec started
Jan 18, 07:12:09 Warning IKE Foreground mode.
Jan 18, 07:12:09 Info
Jan 18, 07:12:09 Info
Jan 18, 07:12:09 Info
Jan 18, 07:12:09 Info
Jan 18, 07:12:09 Debug IKE parse successed.
Jan 18, 07:12:09 Debug IKE open /Library/Application
Support/Lobotomo Software/IPSecuritas/admin.sock as racoon
management.
Jan 18, 07:12:09 Debug IKE my interface: fe80::1%lo0 (lo0)
Jan 18, 07:12:09 Debug IKE my interface: 127.0.0.1 (lo0)
Jan 18, 07:12:09 Debug IKE my interface: ::1 (lo0)
Jan 18, 07:12:09 Debug IKE my interface: 172.16.1.14 (en1)
Jan 18, 07:12:09 Debug IKE my interface: fe80::21c:42ff:fe00:0%en2
(en2)
Jan 18, 07:12:09 Debug IKE my interface: fe80::21c:42ff:fe00:1%en3
(en3)
Jan 18, 07:12:09 Debug IKE configuring default isakmp port.
Jan 18, 07:12:09 Debug IKE 8 addrs are configured successfully
Jan 18, 07:12:09 Info
Jan 18, 07:12:09 Info
IKE fe80::21c:42ff:fe00:1%en3[500] used as
isakmp port (fd=7)
Jan 18, 07:12:09 Info
Jan 18, 07:12:09 Info
IKE fe80::21c:42ff:fe00:0%en2[500] used as
isakmp port (fd=9)
Jan 18, 07:12:09 Info
(fd=10)
Jan 18, 07:12:09 Info
Jan 18, 07:12:09 Info
Jan 18, 07:12:09 Info
Jan 18, 07:12:09 Debug IKE get pfkey X_SPDDUMP message
Jan 18, 07:12:09 Debug IKE 02120200 02000000 00000000 b50c0000
Jan 18, 07:12:09 Debug IKE pfkey X_SPDDUMP failed: No such file or
directory
[/font]
The last line of the log appears to be the real clue. What file or directory is
it looking for?
by brantwinter on 2008-01-20 14:05:27 +0100
I am having the same issue.
My VPN ( IPSecuritas -> Draytek 2800 ) was working fine yesterday, but
today keeps failing with error:
Funny thing is, I have another profile in IPSecuritas set up that goes off to a
different VPN endpoint that continues to work fine.
I have used Frameseer to look at the outgoing traffic on both setups, the
one that works does a DNS lookup first, the failing VPN configuration sends
NO traffic out the interface at all.
Just out of interest, my psk.txt file in:
/Library/Application Support/Lobotomo Software/IPSecuritas/
is empty...
Obviously psk.txt gets overwritten each time the vm config loads. When I
use the vpn config for my working vpn I have entries in the psk.txt file. In
my non-working vpn setup, the psk.txt remains empty. WTF?????
As I said previousy, this same vpn config worked fine yesterday....
by macman365 on 2008-01-22 16:45:12 +0100
I've found this thread on another forum:
http://ubuntuforums.org/showthread.php?t=441078
Does this help anyone more knowledgeable than me...?
by gajos on 2008-01-29 22:50:39 +0100
Hi, my first time here.
I need to connect to CheckPoint Safe@Office but using Checkpoint VPN
client under Tiger was really problematic (if connection was successful then
I had connection only to LAN without Internet), now I have Leopard and
Checkpoint won't install. IPSecuritas 3.1 still doesn't connect.
I tried to configure connection as [b]bugfish[/b] suggested previously but
still nothing.
Here is log:
Jan 29, 20:50:56 Info
Jan 29, 20:50:56 Info
Jan 29, 20:50:56 Debug APP State change from AUTHENTICATING to
Jan 29, 20:50:56 Info
APP IPSec started
- not interesting
- not interesting
- not interesting
- not interesting
- not interesting
- not interesting
Jan 29, 20:50:56 Info
Jan 29, 20:50:56 Info
Jan 29, 20:50:56 Info
Jan 29, 20:50:56 Info
Jan 29, 20:50:56 Debug IKE lifetime = 600
Jan 29, 20:50:56 Debug IKE lifebyte = 0
Jan 29, 20:50:56 Debug IKE encklen=0
Jan 29, 20:50:56 Debug IKE p:1 t:1
Jan 29, 20:50:56 Debug IKE 3DES-CBC(5)
Jan 29, 20:50:56 Debug IKE SHA(2)
Jan 29, 20:50:56 Debug IKE 1024-bit MODP group(2)
Jan 29, 20:50:56 Debug IKE Hybrid RSA client(64221)
Jan 29, 20:50:56 Debug IKE compression algorithm can not be checked
Jan 29, 20:50:56 Debug IKE parse successed.
Jan 29, 20:50:56 Debug IKE open /Library/Application
management.
Jan 29, 20:50:56 Info
(fd=6)
Jan 29, 20:50:56 Info
Jan 29, 20:50:56 Debug IKE get pfkey X_SPDDUMP message
Jan 29, 20:50:56 Debug IKE 02120000 0f000200 05000000 720f0000
03000500 ff000000 10020000 00000000
Jan 29, 20:50:56 Debug IKE 00000000 00000000 03000600 ff200000
10020000 c0a80102 00000000 00000000
Jan 29, 20:50:56 Debug IKE 07001200 02000100 20000000 00000000
28003200 02035800 10020000 59ab6892
Jan 29, 20:50:56 Debug IKE 00000000 00000000 10020000 c0a80102
Problem with Fortinet Fortigate 50A
Problem with Fortinet Fortigate 50A
by mspr on 2007-04-27 13:16:54 +0200
Hello,
I hope that you can help me...
I have a problem with IPSecuritas 3.0 Release Candidate and my Fortinet
Fortigate 50A
I tried to configure a VPU with a preshared key and XAuth but every time I
receive a notify message "fatal NO-PROPOSAL-CHOSEN, phase1 should be
deleted" and I cannot start my VPN
I tried to disable the XAuth procedure and the VPN seems to work fine (only
Preshared key authentication)
These are my VPN parameters:
[b]IPSecuritas Preferences[/b]
[URL=http://img63.imageshack.us/my.php?image=07uu0.jpg][IMG]http:
//img63.imageshack.us/img63/3673/07uu0.th.jpg[/IMG][/URL]
[b]Connections General[/b]
[URL=http://img101.imageshack.us/my.php?image=01lr6.jpg][IMG]http:
//img101.imageshack.us/img101/7812/01lr6.th.jpg[/IMG][/URL]
[b]Connections Phase 1[/b]
[URL=http://img230.imageshack.us/my.php?image=02xl5.jpg][IMG]http:
//img230.imageshack.us/img230/3806/02xl5.th.jpg[/IMG][/URL]
[b]Connections Phase 2[/b]
[URL=http://img170.imageshack.us/my.php?image=03id8.jpg][IMG]http:
//img170.imageshack.us/img170/4381/03id8.th.jpg[/IMG][/URL]
[b]Connections ID[/b]
[URL=http://img230.imageshack.us/my.php?image=04sp3.jpg][IMG]http:
//img230.imageshack.us/img230/157/04sp3.th.jpg[/IMG][/URL]
I tried to insert Username/Psswd directly in this panel but I received the
same message error
If possible I would like that IPSecuritas asks me the Username/Psswd on
VPN login
[b]Connections DNS[/b]
[URL=http://img145.imageshack.us/my.php?image=05qs1.jpg][IMG]http:
//img145.imageshack.us/img145/7426/05qs1.th.jpg[/IMG][/URL]
[b]Connections Options[/b]
[URL=http://img291.imageshack.us/my.php?image=06ho1.jpg][IMG]http:
//img291.imageshack.us/img291/8168/06ho1.th.jpg[/IMG][/URL]
[b]This is the log:[/b]
IPSecuritas 3.0rc build 1040
Info
Info
APP IPSec started
Error IKE Foreground mode.
Info
IKE @(#)ipsec-tools CVS (http://ipsec-tools.sourceforge.net)
Info
IKE @(#)This product linked OpenSSL 0.9.7i 14 Oct 2005
(http://www.openssl.org/)
Info
IKE Reading configuration from "/Library/Application
Support/Lobotomo Software/IPSecuritas/racoon.conf"
Info
Error IKE fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should
be deleted.
Error IKE fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should
be deleted.
Error IKE phase2 negotiation failed due to time up waiting for phase1.
ESP My server IP XXX.XXX.XXX.XXX[500]-> My computer IP
192.168.XXX.XXX[500]
Re: Problem with Fortinet Fortigate 50A
by Forum Admin on 2007-04-27 15:53:06 +0200
Hi,
have you tried 'Hybrid' instead of XAUTH PSK?
Christoph
by mspr on 2007-04-27 16:01:35 +0200
[quote author=Forum Admin link=1177672614/0#1 date=1177681986]Hi,
have you tried 'Hybrid' instead of XAUTH PSK?
Christoph[/quote]
Hi, yes I tried to set "Hybrid" instead of XAuth but it doesn't work
by Forum Admin on 2007-04-27 18:10:49 +0200
Hi again,
could you please provide logs with log level set to 'Verbose'?
Thanks alot,
Christoph
by mspr on 2007-05-03 11:27:52 +0200
[quote author=Forum Admin link=1177672614/0#3 date=1177690249]Hi
again,
could you please provide logs with log level set to 'Verbose'?
Thanks alot,
Christoph[/quote]
Hi, Christoph,
I sent you by email the logs (XAuth and Hybrid)
Thank you
VPN Case Study.com has solution for VPN Client
VPN Case Study.com has solution for VPN Client
by jmizoguchi on 2007-05-03 18:59:04 +0200
I have two new documents using FVS124G
IPSecuritas 3 (Mac OS X) using Prosafe VPN/Firewall Router FVS124G
VPN Tracker 4 (Mac OS X) using Prosafe VPN/Firewall Router FVS124G
http://vpncasestudy.com/casestudy/others/casestudy.html
www.vpncasestudy.com
If these docuemens help you. please e-mail me at [email protected]
for your testimonials
Dynamic dns as host
Dynamic dns as host
by omega_red on 2007-05-04 13:01:09 +0200
when i set my dynamic dns hostname in the Remote IPSec Device field i
cannot connect to my ZyWALL 5 UTM but when i enter my remote ip(witch
changes every day) it works.
im using the beta client
thanks!
ping to remote site impossible
ping to remote site impossible
by Joe on 2007-05-05 14:38:11 +0200
I have installed ipsecuritas 3.0rc3 for the first time on my Macbook Pro (OS
X 10.4.9).
First of all: very nice and helpful tool !!
I established a connection to my remote site without problems, the light
shows 'green' and the router log tells me: ...connection established....
My problem: i am not able to ping any host at the remote site ?
Trying it with the exact same settings in a windows box (parallels session
with win xp on the same Mcbook) is working without any problems!
How can i manage this on the Mac OS site ?
Re: ping to remote site impossible
by Joe on 2007-05-05 16:17:35 +0200
Followup (is this the correct engl. expression ? sorry for my bad english):
if i take a look at my if-settings and routing tables i'm really wondering
about, that there are no settings at all for the established vpn connection ?!
After that, i tried this:
# ifconfig gif0 172.16.0.10 192.168.23.0 netmask 255.255.255.0
# route add 192.168.23.0 172.16.0.10
# ping 192.168.23.200
PING 192.168.23.200 (192.168.23.200): 56 data bytes
64 bytes from 192.168.23.200: icmp_seq=0 ttl=126 time=57.507 ms
64 bytes from 192.168.23.200: icmp_seq=1 ttl=126 time=56.945 ms
...
So, now it works.
My question is now: do i have to do it by hand with IPSecuritas after
establishing a connection, or are there any automatisms which i can use for
that?
Endpoint mode: anywhere still not work in 3.0rc3
Endpoint mode: anywhere still not work in 3.0rc3
by Keen on 2007-05-05 21:34:06 +0200
Last log messages:
May 05, 23:20:22 Debug
May 05, 23:20:22 Debug
May 05, 23:20:22 Debug
directory
IKE get pfkey X_SPDDUMP message
IKE 02120200 00020000 00000000 00003790
IKE pfkey X_SPDDUMP failed: No such file or
Re: Endpoint mode: anywhere still not work in 3.0r
by nickl on 2007-05-11 04:31:51 +0200
I got it to work with my configuration by enabling the "Local IP in Remote
Network" option.
Re: Endpoint mode: anywhere still not work in 3.0r
by Forum Admin on 2007-05-12 11:26:25 +0200
Hello,
thank you very much for this answer - I removed the necessity to enable
this option for host to anwhere mode.
Christoph
Phase 2 trouble
Phase 2 trouble
by ad_agent on 2007-05-16 03:01:27 +0200
When I initiate a connection, Phase 1 seems to complete but Phase 2 fails.
Below is a relevant portion of the IPSecuritas log.
Host is an iBook G4 running MacOS X 10.4.8. Testing is over Earthlink
dialup as representative of service offered in many hotels. Network router is
Netgear FVX538. Version of IPSecuritis is 3.0rc3. I would post my host and
network settings gladly, but am not doing so now since I hope to get
preliminary analysis of problem just posting log excerpts.
LOG EXCERPTS (certain IP addresses redacted)
May 15, 20:09:19 Debug IKE begin QUICK mode.
May 15, 20:09:19 Info
4.249.6.45[500]<=>x.x.x.x[500]
May 15, 20:09:19 Debug IKE compute IV for phase2
May 15, 20:09:19 Debug IKE phase1 last IV:
May 15, 20:09:19 Debug IKE 5be42a2e 67590499 e50b77d1
May 15, 20:09:19 Debug IKE hash(sha1)
May 15, 20:09:19 Debug IKE encryption(3des)
May 15, 20:09:19 Debug IKE phase2 IV computed:
May 15, 20:09:19 Debug IKE d1077c37 bd8058ce
May 15, 20:09:19 Debug IKE call pfkey_send_getspi
May 15, 20:09:19 Debug IKE pfkey GETSPI sent: ESP/Tunnel
x.x.x.x[0]->4.249.6.45[0]
May 15, 20:09:19 Debug IKE pfkey getspi sent.
May 15, 20:09:19 Debug IKE get pfkey ACQUIRE message
............
May 15, 20:09:19 Debug IKE 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00015180
May 15, 20:09:19 Debug IKE 00000000 00007080 00000000 00000000
00020012 00020200 0000000d 00000000
May 15, 20:09:19 Debug IKE ignore the acquire because ph2 found
May 15, 20:09:19 Debug IKE get pfkey GETSPI message
May 15, 20:09:19 Debug IKE 02010003 000a0000 00000012 00000134
00020001 0b9edf00 40060000 7f000001
May 15, 20:09:19 Debug IKE 00030005 ff200000 10020000 44a34441
00000000 00000000 00030006 ff200000
May 15, 20:09:19 Debug IKE 10020000 04f9062d 00000000 00000000
May 15, 20:09:19 Debug IKE pfkey GETSPI succeeded: ESP/Tunnel
68.163.68.65[0]->4.249.6.45[0] spi=194961152(0xb9edf00)
May 15, 20:09:19 Debug IKE use local ID type IPv4_address
May 15, 20:09:19 Debug IKE use remote ID type IPv4_subnet
May 15, 20:09:19 Debug IKE IDci:
May 15, 20:09:19 Debug IKE 01000000 c0a83202
May 15, 20:09:19 Debug IKE IDcr:
May 15, 20:09:19 Debug IKE 04000000 c0a80100 ffffff00
May 15, 20:09:19 Debug IKE add payload of len 284, next type 10
May 15, 20:09:19 Debug IKE HASH with:
............
May 15, 20:09:19 Debug IKE hmac(hmac_sha1)
May 15, 20:09:19 Debug IKE HASH computed:
May 15, 20:09:19 Debug IKE begin encryption.
May 15, 20:09:19 Debug IKE encryption(3des)
May 15, 20:09:19 Debug IKE pad length = 8
...............
May 15, 20:09:19 Debug IKE 39bb3b63 ee17ccbd a4bcf648 0500000c
01000000 c0a83202 00000010 04000000
May 15, 20:09:19 Debug IKE c0a80100 ffffff00 104609a6 2903de07
NetScreen SSG5
NetScreen SSG5
by glancyguy on 2007-05-18 23:24:09 +0200
Hello,
I downloaded the latest stable version of IPSecuritas today from the main
site. I am trying to configure it for a NetScreen SSG5. This is a managed
firewall/VPN device that I do not have access to. We have a windows client
and corresponding policy file. Using the windows file, I believe I have
reverse engineered the settings. I also downloaded "VPN Tracker" and
configured it. It worked out of the box with our NetScreen. I copied the
settings from the VPN Tracker into the IPSecuritas config screen.
The only setting that did not map is the ID. The NetScreen uses an email
address for local ID and the VPN Tracker software makes that specification.
The IPSecuritas only allows for a DN. I am not sure if this makes a
difference. I used a the email address in the DN field of the IP Securitas
software.
I enabled verbose logging. And tried to connect to the NetScreen. I am
getting hung in Phase 1 and timing out. I have attached the log file to this
message. I am hoping that someone can pull something out of the debug
to help. I would much rather use this product than the VPN tracker.
Here are interesting erors from the log:
May 18 16:07:56 darren-hochs-computer racoon: DEBUG:
pfkey.c:210:pfkey_handler(): pfkey X_SPDDUMP failed: No such file or
directory\n
pfkey.c:195:pfkey_handler(): get pfkey REGISTER message\n
pfkey.c:234:pfkey_handler(): not supported command REGISTER\n
May 18 16:07:56 darren-hochs-computer racoon: INFO:
isakmp.c:2047:isakmp_post_acquire(): IPsec-SA request for 216.128.24.73
queued due to no phase1 found.\n
75d194a46e9b155f:0000000000000000\n
sockmisc.c:421:sendfromto(): sockname 192.168.1.105[50]
May 18 16:08:27 darren-hochs-computer racoon: ERROR:
time up waiting for phase1. ESP 216.128.24.73->192.168.1.105 \n
May 18 16:08:27 darren-hochs-computer racoon: INFO:
Re: NetScreen SSG5
by Dave on 2007-05-19 17:17:26 +0200
I'm not sure if it will help but in the ID section of IPSecuritas, you can select
FQDN which is basically an email address. Note that I'm using the RC3
version of 3.0; if you have 2.2, it might be called something else.
Fortigate 300A to optain DHCP on using IPSecuritas
Fortigate 300A to optain DHCP on using IPSecuritas
by lleung on 2007-05-23 12:53:45 +0200
Have anyone had problems with IPSecuritas getting a DHCP address from a
Fortigate 300A (Firmware 3.00, Build0477,070126) ?
I seem to have no problems getting the windows (Parallels VM) ipsec client
(Forticlient) to connect and request an address from it's DHCP server. But
no luck doing that natively. I can however get around this by defining a
static address for the connection. But of course, that's messy when there
are multiple users..
Re: Fortigate 300A to optain DHCP on using IPSecur
by varruss on 2007-07-21 23:02:01 +0200
I figured this one out yesterday. :) You need a rule on the FG
Inside--Your subnet--outside--all--DHCP---Encrypt.
Leave the rule after your inside-outside-any rule.
If you have any Fortigate questions don't hesitate ask.
Zyxel ZyWALL 35
Zyxel ZyWALL 35
by steffen on 2007-05-24 17:39:56 +0200
Hi All,
it took some time to make IPSecuritas work with our ZyWALL 35. So I've
decided to let you know a working configuration for both.
- ZyWALL 35 firmware: V4.01(WZ.3) | 12/04/2006
- IPSecuritas 3.0rc
- Mac OS X 10.4
The configuration works for dynamic client IP Adresses. You'll find the
screenshots of the ZyWALL's web configuration utilitity and the IPSecuritas
VPN client here: [url]http://www.semture.de/images/stories/external
/ipsecutitas-screenshots.zip[/url]
Re: Zyxel ZyWALL 35
by nob on 2007-05-27 18:20:55 +0200
This looks good, but did not work for me. I get a Error, tried different other
settings. But i canґt get it to work....
Error in IPSecuritas:
inappropriate sadb aquire message passed
Error in Zywall Log:
Recv:[HASH][NOTFY:ERR_ID_INFO]
IPSecuritas 3.0rc3
Zywall 5W, Firmware Version V4.01(XD.2)
NAT in VPN-Rule is off.
Re: Zyxel ZyWALL 35
by steffen on 2007-05-27 22:14:07 +0200
Hi nob,
the error indicates that you are using a different ID in IPSecuritas and the
Zywall. First check the FQDN entries (or what ever you choose for
identification/ID). Secondly even if you choose FQDN the adress ranges
must match too. So compare the "Remote side" entry for "Network Adress"
of IPSecuritas with the "Local Network" settings in the ZyWALL setup. Maybe
you've translatet the Subnet mask to a wrong CIDR, if so have a look at
[url]http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing[/url] for
computing it.
Hope it helps
Steffen
Re: Zyxel ZyWALL 35
by steffen on 2007-05-27 22:19:10 +0200
Hi all,
I've noticed that if your Mac OS client is behind a firewall too, you have to
switch the NAT-T to "Disabled" in IPSecuritas. You can (should?) leave
NAT-Traversal in the Zywall enabled.
Support Apple Keychain
Support Apple Keychain
by dbertolo on 2007-05-25 09:04:25 +0200
Hi
I am currently evaluating IPsec clients for Mac OS X. I came across
IPSecuritas which I find is doing great and is probably my favorite. But
unfortunately, one requirement is not met. Our new client should support
the Apple Keychain to store the user certificates.
Would be nice, if this feature will be implemented in the near future.
Regards,
Daniel Bertolo
Lost internet at VPN network...
Lost internet at VPN network...
by aklschnapps on 2007-05-25 20:17:41 +0200
I've run into an odd situation.
- Macbook Pro on external wifi network.
- Sonicwall Pro 2040 acting as firewall/dhcp/vpn for internal network.
I can connect to my sonicwall 2040 with VPN Tracker without any problems.
It took me a while to tweak the settings and get IPSecuritas to connect to
the VPN. However, when it succeeds all of the computers on the internal
network (connected to the sonicwall) lose their internet connection! As
soon as I disconnect IPSecuritas from the VPN the internet connection
resumes.
Any thoughts? Anything I should do to test further? I've looked in the
sonicwall logs but can't see anything odd after I've connected with
IPSecuritas. Unfortunately I can't leave it connected for long periods to test,
as it cuts off the entire office from the internet.
Any help would be much appreciated!
Here's my configuration in IPSecuritas:
Host to Network
Aggressive, Claim 16
Phase 1, Mod1024, 3DES, SHA1
Phase 2, None, 3DES, HMAC SHA1
Checked Options:
IPSec DOI
SIT_IDENTITY_ONLY
Initial Contact
MIP6
DHCP Pass-Through
IPSecuritas and racoon
IPSecuritas and racoon
by lithium on 2007-05-30 13:46:23 +0200
Is there a reason for IPSecuritas to install and use another version of
racoon?
-r-xr-xr-x 1 root wheel 877932 Jan 3 08:38 /usr/sbin/racoon
-rwxr-xr-x 1 root wheel 1232888 May 27 18:43 /Library/StartupItems
/IPSecuritasDaemon/racoon
Re: IPSecuritas and racoon
by cnadig on 2007-05-30 16:33:34 +0200
Hi,
yes, the version of racoon included with MacOS doesn't support XAUTH and
only offers limited, outdated NAT-T support as well as a few more things
that are available with the racoon version that comes with IPSecuritas.
Cheers,
Christoph
by Athanyel on 2007-05-31 00:13:08 +0200
Does the version of racoon that ships with IPSecuritas support
GSSAPI/Kerberos? This would be ideal for large IPsec deployments.
by cnadig on 2007-05-31 09:41:35 +0200
No, while there is support for it in the code, it is disabled.
According to the documentation, it is very experimental and will most
probably only work with very few firewalls.
Christoph
by Athanyel on 2007-06-01 03:43:49 +0200
Well, for IPsec implementations in Transport mode (vs. Tunnel mode for
VPNs and firewalls), Kerberos would be a huge benefit for large
deployments. I'd love to see it long term. Thanks for all the great work on
this!
by .guru on 2008-02-29 22:29:16 +0100
As racoon and the ipsec-tools are open source projects it would be great to
see your modifications to the code. Is it possible to publish your MacOS X
compatible version of racoon as sources?
.guru
Sonicwall & X-AUTH
Sonicwall & X-AUTH
by mpgough on 2007-05-30 18:13:09 +0200
Hi,
I have installed v3 today but am unable to connect to either of my two sites.
Both Sonicwall TZ-170's which I can connect to fine using VPN Tracker but
no IPSecuritas.
I have tried configuring both connections using the wizard and also copying
the config from VPN Tracker to IPSecuritas, also reducing my mtu to 1400
but no joy.
I have attached the error Im getting but my suspision is its something to do
with the handling of XAUTH??
May 30, 17:12:51 Info
May 30, 17:12:51 Info
APP IPSec started
May 30, 17:12:51 Info
May 30, 17:12:51 Info
May 30, 17:12:51 Info
May 30, 17:12:51 Info
May 30, 17:12:52 Info
APP Initiated connection KP Couriers
May 30, 17:12:52 Warning IKE No ID match.
May 30, 17:12:52 Info
May 30, 17:12:53 Error IKE fatal NO-PROPOSAL-CHOSEN notify
May 30, 17:12:53 Error IKE Message: 'v No proposal is chosen'.
May 30, 17:12:54 Info
APP IPSec stopping
May 30, 17:12:55 Info
Re: Sonicwall & X-AUTH
Make sure your phase 1 is set to aggressive mode. If that doesn't do
anything for you, I'd try matching the settings from the post "Cannot
connect to Sonicwall TZ170."
I am getting the same error about no ID match even with copying his
settings. Good luck.
losing settings...
losing settings...
by lithium on 2007-06-03 21:41:34 +0200
Every time when I make some changes to a connection in IPSecuritas 3.0
(e.g. Change phase 1 information) it seems that my configuration is lost. I
don’t mean that my settings in the different menus are lost but whenever I
start an IPSEC connection I get an error mentioning a missing key file. I
understand the warning in the log because /Library/Application
Support/Lobotomo/IPsecuritas/psk.txt is empty and Library/Application
Support/Lobotomo/IPsecuritas/racoon.conf is missing some vital
information about just about everything (there is something mentioning
padding…and that is it).
The only solution I found is killing the IPSecuritas daemon, removing
everything from Library/Application Support/Lobotomo/IPsecuritas. After
restarting IPSecuritas and setting up a new connection everything works
fine…until I have the need to change some settings.
Any ideas about this problem?
Quick mode to Windows Server 2003 fails!
Quick mode to Windows Server 2003 fails!
by Athanyel on 2007-06-06 00:09:38 +0200
Please see the topic "Using 3.0 to connect to Windows in transport mode"
([url]http://www.lobotomo.com/cgi-bin/yabb/YaBB.pl?board=IPSecuritas;
action=display;num=1176493464[/url]) for a brief description of what I'm
trying to do.
The above worked in 3.0rc and 3.0rc3. In 3.0 Final, it's broken. The client
completes the main mode, begins quick mode and immediately fails.
Here's an excerpt from the connection log:
[code]Jun 05, 09:57:43 Info
x.x.x.x[500]-y.y.y.y[500] spi:04a82d40810af54e:142c9e35ad31af0b
Jun 05, 09:57:43 Debug IKE ===
Jun 05, 09:57:44 Debug IKE ===
Jun 05, 09:57:44 Debug IKE begin QUICK mode.
Jun 05, 09:57:44 Info
IKE initiate new phase 2 negotiation: x.x.x.x[500]
<=>y.y.y.y[500]
Jun 05, 09:57:44 Debug IKE compute IV for phase2
Jun 05, 09:57:44 Debug IKE phase1 last IV:
Jun 05, 09:57:44 Debug IKE 5699e40c ca453648 e41a1ab6
Jun 05, 09:57:44 Debug IKE hash(sha1)
Jun 05, 09:57:44 Debug IKE encryption(3des)
Jun 05, 09:57:44 Debug IKE phase2 IV computed:
Jun 05, 09:57:44 Debug IKE 54bdd941 4c341df1
Jun 05, 09:57:44 Debug IKE call pfkey_send_getspi
Jun 05, 09:57:44 Debug IKE pfkey GETSPI sent: ESP/Transport
y.y.y.y[0]->x.x.x.x[0]
Jun 05, 09:57:44 Debug IKE pfkey getspi sent.
Jun 05, 09:57:44 Debug IKE get pfkey GETSPI message
Jun 05, 09:57:44 Debug IKE 02010003 0a000000 01000000 07010000
02000100 0ae31793 00000000 00000000
Jun 05, 09:57:44 Debug IKE 03000500 ff200000 10020000 ac107c90
00000000 00000000 03000600 ff200000
Jun 05, 09:57:44 Debug IKE 10020000 803e5e12 00000000 00000000
Jun 05, 09:57:44 Debug IKE pfkey GETSPI succeeded: ESP/Transport
y.y.y.y[0]->x.x.x.x[0] spi=182654867(0xae31793)
Jun 05, 09:57:44 Debug IKE hmac(modp1024)
Jun 05, 09:57:44 Debug IKE compute DH's private.
Jun 05, 09:57:44 Debug IKE 4928d074 54d4d6e4 b2aa3856 9cc570c2
ca8aad46 3bbe69c1 80913006 43a81766
Jun 05, 09:57:44 Debug IKE b8d6c017 1d924020 cc701d58 8070c3eb
0d226a5c d422672a a8486b61 7f96ce81
Jun 05, 09:57:44 Debug IKE ac1e2050 06205d44 23ca1723 fc7926b2
5d9be4bf 15b8e4a2 f270e305 3684b9ee
Jun 05, 09:57:44 Debug IKE 6e677469 c7df9a57 611a6837 b24e51e5
e4358ee1 5a8deac4 8dab7505 ca1822f9
Jun 05, 09:57:44 Debug IKE compute DH's public.
Jun 05, 09:57:44 Debug IKE c3a4f9dc ffd616ca 650fcd03 1c7c1ad7
66cb5e88 b8694dc1 bb1ee61a bf521f56
Jun 05, 09:57:44 Debug IKE 418313d7 2073a766 f12b36ca 31274310
be9301ef 141564fc 565bdc95 76c95823
Jun 05, 09:57:44 Debug IKE c12ba88e 34ca7282 cb64b967 e0f231c5
053abf72 a547040a 8407d74c 9a5e7040
Jun 05, 09:57:44 Debug IKE efb70f61 bf2a9fc5 08ab2e1d 475687be
748c114d 3ea47a16 55827b84 2dc19c7c
Jun 05, 09:57:45 Info
Jun 05, 09:57:45 Debug APP State change from RUNNING to IDLE after
event RACOON TERMINATED
Jun 05, 09:57:45 Debug APP Received SADB message type X_SPDDELETE
Re: Quick mode to Windows Server 2003 fails!
by Athanyel on 2007-06-07 01:18:39 +0200
After a bit more digging, it appears that Racoon is crashing. I'm running on
a MacBook Pro with an Intel Core Duo. I'm going to try downloading the
application again...but I'm not sure what else I can do to try to fix this.
[code]Host Name:
alexs-computer
Date/Time:
2007-06-06 18:13:26.620 -0500
OS Version:
10.4.9 (Build 8P2137)
Report Version: 4
Command: racoon
Path: /Library/StartupItems/IPSecuritasDaemon/racoon
Parent: IPSecuritasDaemon [110]
Version: ??? (???)
PID: 255
Thread: 0
Codes:
Thread 0 Crashed:
0 racoon
0x00064f05 0x1000 + 409349
1 racoon
0x0003f739 0x1000 + 255801
2 racoon
0x00033d11 0x1000 + 208145
3 racoon
0x00018551 0x1000 + 95569
4 racoon
0x0000900f 0x1000 + 32783
5 racoon
0x000257a2 0x1000 + 149410
6 racoon
0x00023e37 0x1000 + 142903
7 racoon
0x00002de8 0x1000 + 7656
8 racoon
0x00002618 0x1000 + 5656
9 racoon
0x000021ee 0x1000 + 4590
10 racoon
0x00002115 0x1000 + 4373
Thread 0 crashed with X86 Thread State (32-bit):
eax: 0x00000004 ebx: 0x0003f703 ecx: 0x00000080 edx: 0x00309114
edi: 0x00000004 esi: 0x00000001 ebp: 0xbffff568 esp: 0xbffff530
ss: 0x0000001f efl: 0x00010206 eip: 0x00064f05 cs: 0x00000017
ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037
Binary Images Description:
0x1000 - 0x86fff racoon
/Library/StartupItems/IPSecuritasDaemon
/racoon
0x8fe00000 - 0x8fe4afff dyld 46.12
/usr/lib/dyld
0x90000000 - 0x90170fff libSystem.B.dylib
/usr/lib/libSystem.B.dylib
0x901c0000 - 0x901c2fff libmathCommon.A.dylib
/usr/lib/system
/libmathCommon.A.dylib
0x90bd0000 - 0x90bd7fff libgcc_s.1.dylib
/usr/lib/libgcc_s.1.dylib
0x9193a000 - 0x919ecfff libcrypto.0.9.7.dylib
/usr/lib
/libcrypto.0.9.7.dylib
0x949d0000 - 0x949edfff libresolv.9.dylib
/usr/lib
/libresolv.9.dylib[/code]
Re: Quick mode to Windows Server 2003 fails!
by Forum Admin on 2007-06-07 09:51:29 +0200
Hello Athanyel,
this seems to be a bug in racoon - I will contact you by mail for further
investigation on this.
Thanks,
Christoph
Attempting to connect to Netscreen 5gt
Attempting to connect to Netscreen 5gt
by lysistbp on 2007-06-07 17:38:20 +0200
Hey guys,
I'm a Windows user that recently made the switch a month ago. I'm also an
IT guy who knows little about VPNs unfortunately when it comes to
troubleshooting (I use Netscreens with their software. It's pretty basic)
Below is a log of when I try to connect to one of my clients. Can somebody
explain what this is saying and tell me what changes should be made? The
"red dot" next to the connection name states "network collision". Thanks
in advance.
Jun 07, 11:33:10 Debug APP State change from IDLE to
AUTHENTICATING after event START
Jun 07, 11:33:10 Info
Jun 07, 11:33:10 Info
APP IPSec started
Jun 07, 11:33:10 Debug APP State change from AUTHENTICATING to
RUNNING after event AUTHENTICATED
Jun 07, 11:33:10 Info
Jun 07, 11:33:10 Info
Jun 07, 11:33:10 Info
Jun 07, 11:33:10 Info
Jun 07, 11:33:10 Info
Jun 07, 11:33:10 Debug IKE parse successed.
Jun 07, 11:33:10 Debug IKE open /Library/Application
management.
Jun 07, 11:33:10 Debug IKE my interface: ::1 (lo0)
Jun 07, 11:33:10 Debug IKE my interface: fe80::1%lo0 (lo0)
Jun 07, 11:33:10 Debug IKE my interface: 127.0.0.1 (lo0)
Jun 07, 11:33:10 Debug IKE my interface: fe80::217:f2ff:feec:7f3c%en1
(en1)
Jun 07, 11:33:10 Debug IKE my interface: 10.10.1.109 (en1)
Jun 07, 11:33:10 Debug IKE my interface: fe80::201:23ff:fe45:6789%en2
(en2)
Jun 07, 11:33:10 Debug IKE my interface: fe80::210:32ff:fe54:7698%en3
(en3)
Jun 07, 11:33:10 Debug IKE configuring default isakmp port.
Jun 07, 11:33:10 Debug IKE 9 addrs are configured successfully
Jun 07, 11:33:10 Info
Jun 07, 11:33:10 Info
IKE fe80::210:32ff:fe54:7698%en3[500] used as
isakmp port (fd=8)
Jun 07, 11:33:10 Info
(fd=9)
Jun 07, 11:33:10 Info
IKE fe80::201:23ff:fe45:6789%en2[500] used as
isakmp port (fd=10)
Jun 07, 11:33:10 Info
(fd=11)
Jun 07, 11:33:10 Info
IKE fe80::217:f2ff:feec:7f3c%en1[500] used as
isakmp port (fd=12)
Jun 07, 11:33:10 Info
Jun 07, 11:33:10 Info
Jun 07, 11:33:10 Info
Jun 07, 11:33:10 Debug IKE get pfkey X_SPDDUMP message
Re: Attempting to connect to Netscreen 5gt
by lysistbp on 2007-06-07 17:54:03 +0200
Alright sweet . . . I got it working (green light) but I cannot ping or rdp into
anything. Below is a copy of the ping. The forum is yelling at me if I try to
paste my log . . . Any ideas guys?
steve-taylors-computer:~ Steve$ ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2): 56 data bytes
36 bytes from 53.177.14.8.voipum.com (8.14.177.53): Communication
prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks
Src
Dst
4 5 00 5400 3889 0 0000 3d 01 78ff 10.10.1.109 192.168.0.2
Src
Dst
4 5 00 5400 388b 0 0000 3d 01 78fd 10.10.1.109 192.168.0.2
Src
Dst
4 5 00 5400 388c 0 0000 3d 01 78fc 10.10.1.109 192.168.0.2
Src
Dst
4 5 00 5400 388f 0 0000 3d 01 78f9 10.10.1.109 192.168.0.2
Src
Dst
4 5 00 5400 3891 0 0000 3d 01 78f7 10.10.1.109 192.168.0.2
Src
Dst
4 5 00 5400 3893 0 0000 3d 01 78f5 10.10.1.109 192.168.0.2
Src
Dst
4 5 00 5400 3894 0 0000 3d 01 78f4 10.10.1.109 192.168.0.2
Src
Dst
4 5 00 5400 3896 0 0000 3d 01 78f2 10.10.1.109 192.168.0.2
Src
Dst
4 5 00 5400 3897 0 0000 3d 01 78f1 10.10.1.109 192.168.0.2
^Z
[4]+ Stopped
ping 192.168.0.2
Re: Attempting to connect to Netscreen 5gt
by cnadig on 2007-06-07 22:11:32 +0200
Hello,
the log probably won't show anything since the tunnel can be established
propetly. May I ask you to post the output of the following commands while
IPSec is active?
ifconfig -a
netstat -nr
The ICMP error is sent by 8.14.177.53 - what is this (the remote firewall or
your ISP)?
Cheers,
Christoph
Troubled while accessing Cisco PIX Firewalls
Troubled while accessing Cisco PIX Firewalls
by p0ddie on 2007-06-15 10:25:35 +0200
Hi there,
I have two Cisco Pix Firewalls (a 501 and a 515E) I would like to connect to.
The Cisco Client works smooth (of course), but I have trouble getting them
to connect with IPSecuritas. I'll try to be as detailed as possible about my
efforts to connect to the Pix 501.
I am quite new to Cisco VPN stuff and spoiled by less complex PPTP
connections with OS X / Windows' integrated clients... so please excuse my
n00by descriptions...
I set up a profile and connection and this is what I get in the log:
Jun 15, 09:53:43 Info
Jun 15, 09:53:43 Info
APP IPSec started
Jun 15, 09:53:43 Info
Jun 15, 09:53:43 Info
Jun 15, 09:53:43 Info
Jun 15, 09:53:43 Info
Jun 15, 09:53:43 Info
APP Initiated connection Pix 501
Jun 15, 09:53:50 Info
Jun 15, 09:53:57 Info
Jun 15, 09:53:59 Error IKE phase2 negotiation failed due to time up
waiting for phase1. ESP xx.xxx.xxx.xx[500]->172.30.17.31[500]
Jun 15, 09:54:04 Info
Jun 15, 09:54:11 Info
Jun 15, 09:54:14 Error IKE phase1 negotiation failed due to time up.
9cbf694fbedd0fa8:1234ed12347e918e
Jun 15, 09:54:16 Warning APP Connection Pix 501 timed out
Jun 15, 09:54:49 Info
APP IPSec stopping
Jun 15, 09:54:50 Info
**************
The Pix is on a leased line with fixed IP and connects smoothly with Cisco
VPN clients. We use a pre-shared key (PSK) for authentication.
Apparently the Phase 1 negotiation failes. This is quite weird since I
checked with my Cisco expert to have the correct settings he applied to the
Pix for Phase 1:
Lifetime 1800 sec
Re: Troubled while accessing Cisco PIX Firewalls
by cnadig on 2007-06-17 23:19:42 +0200
Hello,
I received a Cisco PIX 501 a few days ago and just managed to find a
working configuration today (Main mode + preshared key, no XAUTH yet). I
will make a short description available within the next few days.
Cheers,
Christoph
by Forum Admin on 2007-07-02 11:17:00 +0200
Hello,
an updated wizard template is available for download at
http://www.lobotomo.com/products/IPSecuritas/howtoUpdates.html. It
includes templates and setup instructions for all PIX models.
Cheers,
Christoph
by ajscam on 2007-08-02 22:37:48 +0200
Hello Christoph,
I tried the new wizards against my PIX 515E. Unfortunately, on my PIX, the
IPSec rules are already established, and I can't use your recommendations
in the HOWTO.
In short, I have the following differences:
IPSec Rules for Remote Side Host/Network: 192.168.30.192/27.
Tunnel Policy for Transform Set: ESP-3DES-MD5
IKE Policies for Hash: md5
IKE Policies for D-H Group: 2
I think I have modified IPSecuritas Phase 1 settings to match the IKE Policies
above, but I'm not sure what I need to do to IPSecuritas for the IPSec Rules
& Tunnel Policy above.
In the log, I see the following errors:
<snip>
Error IKE inappropriate sadb acquire message passed.
<snip>
ESP xx.xxx.xxx.xx[500]->10.191.1888.160[500]
To me, it looks like the PIX doesn't like the sadb acquire message.... But
beyond that I have no idea...
Thanks for you help.
by cnadig on 2007-08-03 12:35:18 +0200
Hello,
you need to increase the log level to Debug in order to see the relevant
stuff. You may send me the log to [email protected] if you need
assistance.
Cheers,
Christoph
IPSecuritas 3.0 & Certificates
IPSecuritas 3.0 & Certificates
by deanjaz on 2007-06-18 19:40:54 +0200
Hello,
I have upgraded to IPSecuritas 3.0 from previous version (2.2?) and
imported the connection profile.
But the connection fails to authenticate properly using certificates. I've
verified the connection setup, and everything is properly setup. There just
seems to be some kind of issue with client/server certificate exchange.
This same profile worked fine with 2.2 of IPsecuritas, and the settings also
work fine in VPN Tracker Demo. I think there might be something funky
with the certificate manager and how it is dealing with Certificate/Key pairs?
If you need any further information please let me know.
Re: IPSecuritas 3.0 & Certificates
by deanjaz on 2007-06-19 02:28:41 +0200
Hi,
In case anyone was wondering :P
The problem i was having turned out to be ModeConfig. It seemed to be
interfering with the Authentication of the client ID somehow. Manually
specifying the ip address for the client works just fine.
I would be interested in helping to debug this problem if it would be of
interest or use to anyone.
hx
by Forum Admin on 2007-06-19 16:22:45 +0200
Hello deanjaz,
thank you very much for your feedback and your assistance offer.
If possible, please send us exported logs to [email protected] once
with MODE_CFG [i]enabled[/i] and once with MODE_CFG [i]disabled[/i], both
with the log level set to [i]Verbose[/i].
Thanks a lot,
Christoph
by deanjaz on 2007-06-19 20:07:25 +0200
Will do! :)
Ipsecuritas v3.0 and smoothwall
Ipsecuritas v3.0 and smoothwall
by richardk on 2007-06-19 18:55:05 +0200
Hi,
Has anbody had any success connecting v3 to a smoothwall corp server. My
version 2 setup works great but version three cannot connect.
Thanks
Richard Kingsley
Re: Ipsecuritas v3.0 and smoothwall
by barneygrice on 2007-06-27 12:56:32 +0200
Same problems here; v2 worked great but v3 does not.
I have tried quite a few permutations of the connection "Options" to no
avail.
The SmoothWall logs do not even show a connection attempt - it's as if
IPSecuritas 3.0 is not even trying to connect?!
I'm still looking into this; I'll post back with any updates.
In the mean time, please post here if you've had any luck.
Thanks,
Barney Grice.
by richardk on 2007-06-27 18:21:32 +0200
Really had no luck. Bit ashamed to say that i am a certified smoothwall
reseller and had absolutely no luck at all.
Going to have another try getting it working tonight on a new smoothwall
installation using preshared keys instead of cetificate based connection to
see if it works that way.
I am also going to try connecting v3 to an ipcop vpn see if that helps.
BTW, I have tried using smoothwall advanced firewall 2 as well as
smoothwall corporate server 5 (not the free versions)
Thanks
Richard
Sorry, should have stated that I'm trying using CF4, for the record.
Still no luck, but I haven't given up - I'll look at it again when I have time.
Barney.
by Forum Admin on 2007-06-27 22:29:02 +0200
Hi,
could you please send me an IPSecuritas log with log level set to Verbose to
[email protected] (from IPSecuritas 3.0 and 2.2, if possible)?
Thanks a lot,
Christoph
by Forum Admin on 2007-06-28 20:09:29 +0200
Hello,
IPSecuritas checks the received identifier more strictly than IPSecritas 2.2
did. If the received a
different remote identifier from what is configured, an error will be logged
(invalid ID payload).
Try deselecting the option 'Verify Identifier' or check the configuration of
the firewall to see what identification is sent.
Hope this helps,
Christoph
by richardk on 2007-06-28 21:07:39 +0200
Thank you very much for your help Christoph. I changed the remote
identifier to fqdn and the connection worked first time. I shall some time
this weekend take some screen grabs of my settings and created a mini
howto for ipsecuritas 3 and smoothwall
Best Regards
Richard
Hi all,
I actually got some grabs from Smoothwall that helped me get this working
this week. I'll post my own grabs online when I have a chance, but after
importing my old IPSecuritas settings I think the "Local IP in Remote
Network" was the checkbox that made the difference......
Barney.
Sonicwall: 'No proposal chose' error on 2nd netw..
Sonicwall: 'No proposal chose' error on 2nd netw..
by Banacek on 2007-06-20 01:10:26 +0200
Hello, you'll have to forgive me because I am new to all of this VPN business
:) We're using a Sonicwall Pro 2040 and I can successfully connect to the
VPN and ping machines on 10.0.10.x. Now, we also have a network at
10.0.20.x that we would like to have access too, but every time I try I get
the following:
Jun 19, 15:52:09 Error IKE
messsage, phase1 should be
to time up to wait.
fatal NO-PROPOSAL-CHOSEN notify
deleted.
Message: '2 No proposal is chosen'.
xxx.xxx.xxx.xxx give up to get IPsec-SA due
Does anyone have any ideas as to why this is happening? Thanks!
[m]: Fan Control on macbook
[m]: Fan Control on macbook
by on 2007-06-20 07:03:33 +0200
[moved] [link=http://www.lobotomo.com/cgi-bin
/yabb/YaBB.pl?num=1182315813/0]Others[/link] [move by] Forum Admin.
IPSecuritas 2.2 and video iChat?
IPSecuritas 2.2 and video iChat?
by villaged on 2007-06-20 20:08:04 +0200
So, I am trying to have two users running iChat and IPS2.2 video chat with
each other.
After a bunch of investigating, we can see what is happening. iChat is
looking for all of the network devices on the machine, and IPS hasn't
registered a device, and hence, never gets its VPN IP address. It just grabs
the public address, which then fails to initiate the video chat, since these
computers can not see each other outside of the VPN.
Is there a way to create a device with IPS so that its IP gets snagged?
Any ideas?
Thanks.
IPSecuritas and Linksys WRV54G
IPSecuritas and Linksys WRV54G
by lcortex on 2007-06-21 22:24:51 +0200
I recently purchased a Linksys WRV54G vpn router and I'm trying to setup
my vpn connection via IPSecuritas v. 3. I'm having the following problems in
my log and cannot get it to work. Can anyone suggest what to try to fix it?
Thanks!
Jun 21, 13:03:42 Info
Jun 21, 13:03:42 Info
APP IPSec started
Jun 21, 13:03:42 Info
Jun 21, 13:03:42 Info
Jun 21, 13:03:42 Info
Jun 21, 13:03:42 Info
Jun 21, 13:03:42 Info
APP Initiated connection NCT
Jun 21, 13:03:49 Info
Jun 21, 13:03:56 Info
Jun 21, 13:04:03 Info
Jun 21, 13:04:10 Info
78f8c8ae9fb0c975:0000000000000000
Jun 21, 13:04:15 Warning APP Connection NCT timed out
Jun 21, 13:04:27 Info
APP IPSec stopping
Jun 21, 13:04:28 Info
Any help will be greatly appreciated!
Thanks!
--Ross
Re: IPSecuritas and Linksys WRV54G
by tiffert on 2007-07-05 08:17:10 +0200
If you have found a solution or a configuration that works with the
WRV54G, please let me know. Thanks!!
by tiffert on 2008-02-05 20:45:11 +0100
I have managed to setup a reliable VPN to my Linksys WRV54G (hardware
rev .02, firmware 2.39.2) using IPSecuritas 3.1 and MacOS X 10.5.1.
The WRV54G has rotten firmware. Sometimes saved changes to the VPN or
DYNDNS settings do not actually take effect, even though the changes
display in the browser window. After pointlessly trying every authentication
and encryption combination under the sun for phases 1 and 2, I just
deleted my existing tunnel and set one up from scratch. suddenly, the
settings stuck and the VPN connection worked.
I am using 3DES, SHA-1, 3600 sec., 1024, Main.
In IPSecuritas, my configuration has the following options checked: IPSec
DOI, SIT_IDENTITY_ONLY, Verify Identifier, IKE Fragmentation
i hope this helps.
by tiffert on 2008-02-06 06:37:51 +0100
I spoke a moment too soon when I declared victory. The VPN is in fact
stable once connected. But when I returned home and tried to connect, I
discovered that I cannot negotiate Phase 1 from behind my router. I had
heard that the WRV54G has problems traversing a NAT router and this
seems to confirm it. But, to repeat, if my local client is not behind a NAT
router, the VPN works well.
fails with Leopard
fails with Leopard
by theagent on 2007-07-09 19:28:55 +0200
Is there an alpha or beta build that works? Can someone send me a
pointer?
Re: fails with Leopard
by dublezero on 2007-07-17 05:41:16 +0200
bump
by cnadig on 2007-07-17 09:47:04 +0200
Working on it... a Beta will be releases this week.
Cheers,
Christoph
by dublezero on 2007-07-17 13:37:35 +0200
Excellent. You guys do an excellent job on this software. Thanks.
by theagent on 2007-07-17 16:12:51 +0200
Thanks a ton... really appreciate the effort.
fix and you can get it done quick.
Hopefully it's not that big of a
thanks again
by theagent on 2007-07-19 23:36:56 +0200
Any idea how much longer for the beta that run on Leopard. I'm dead in
the water...
by cnadig on 2007-07-22 21:22:36 +0200
Hello,
I just published a Leopard compatible version. Please download it from this
link: http://www.lobotomo.com/products/downloads
/IPSecuritas%20Leopard.dmg
Cheers,
Christoph
by theagent on 2007-07-23 00:20:34 +0200
Thank... works like a charm to my SonicWall 2040 PRO
by theagent on 2007-07-31 22:04:01 +0200
I have found an issue with host --> networks.
I am unable to get to my other subnets.
Three separate networks via permanent VPN's. I can get into my main but
not the other 3.
192.168.55.0/24 main
192.168.54.0/24
192.168.56.0/24
192.168.57.0/24
by Forum Admin on 2007-08-01 00:11:00 +0200
Hello,
have you tried enabling the 'Unique SA' option?
Cheers,
Christoph
by theagent on 2007-08-20 22:04:27 +0200
SA doesn't change a thing.... all other networks are inaccessible. What info
do you want from me to assist in debugging this?
by dublezero on 2007-09-20 22:03:16 +0200
Looks like the beta just expired. Can we get an updated one?
by Forum Admin on 2007-09-20 22:48:59 +0200
Hello,
3.0b2 is available for download.
Christoph
by dublezero on 2007-09-20 22:59:47 +0200
Link?
by Forum Admin on 2007-09-21 06:27:06 +0200
http://www.lobotomo.com/products/downloads
by dublezero on 2007-09-21 15:37:27 +0200
Thanks! I had tried that link earlier but I probably jumped the gun and got
it before you updated it.
Host to Anywhere with IPCOP connection problem
Host to Anywhere with IPCOP connection problem
by oortmanp on 2007-07-11 01:18:52 +0200
Hi all,
I managed to get ipsecuritas to work with ipcop. But only when I'm using a
specified range like 192.168.1.0/24.
When I try to connect with the endpoint mode "anywhere" setting, I don't
get a connection. (I'm using version 3, build 1693)
Both setups have also been tested in Windows with thegreenbow vpn, where
both setups work fine.
The debug of ipsecuritas wasn't much help for me either.
Jul 11, 01:01:55 Debug APP State change from IDLE to AUTHENTICATING
after event START
Jul 11, 01:01:55 Info
Jul 11, 01:01:55 Info
APP IPSec started
Jul 11, 01:01:55 Debug APP State change from AUTHENTICATING to
Jul 11, 01:01:55 Debug APP Received SADB message type X_SPDUPDATE
- not interesting
- not interesting
- not interesting
- not interesting
Jul 11, 01:01:55 Debug IKE Foreground mode.
Jul 11, 01:01:55 Info
Jul 11, 01:01:55 Info
IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep
Jul 11, 01:01:55 Info
Jul 11, 01:01:55 Info
Jul 11, 01:01:55 Debug IKE lifetime = 28800
Jul 11, 01:01:55 Debug IKE lifebyte = 0
Jul 11, 01:01:55 Debug IKE encklen=0
Jul 11, 01:01:55 Debug IKE p:1 t:1
Jul 11, 01:01:55 Debug IKE 3DES-CBC(5)
...
...
...
Jul 11, 01:01:56 Info
10.71.14.222[500]-217.120.247.4[500]
spi:8ff28b05d6afb4eb:de62ecd58bb1e726
Jul 11, 01:01:56 Debug IKE ===
Jul 11, 01:01:56 Debug IKE ===
Jul 11, 01:01:56 Debug IKE begin QUICK mode.
Jul 11, 01:01:56 Info
10.71.14.222[500]<=>217.120.247.4[500]
Jul 11, 01:01:56 Debug IKE compute IV for phase2
Jul 11, 01:01:56 Debug IKE phase1 last IV:
Jul 11, 01:01:56 Debug IKE c7c53315 1367dacb 81e4df67
Jul 11, 01:01:56 Debug IKE hash(sha1)
Jul 11, 01:01:56 Debug IKE encryption(3des)
Jul 11, 01:01:56 Debug IKE phase2 IV computed:
Re: Host to Anywhere with IPCOP connection problem
by richardk on 2007-07-20 00:48:33 +0200
Hi,
Any chance of sharing what connection settings you are using with IPCOP
and ipsecuritas.
Not sure what to enter in the authentication form on ipsecuritas when using
cert based roadwarrior connection
Thanks
Richard Kingsley
Re: Host to Anywhere with IPCOP connection problem
by oortmanp on 2007-08-19 15:25:46 +0200
@richardk
with boardsearch "ipcop" you would have found:
good luck setting up your certificate vpn
oortmanp
Frustrated with VPN on my new WRVS4400N
Frustrated with VPN on my new WRVS4400N
by Christian on 2007-07-15 03:08:13 +0200
I had VPN working on my WRT54G running DD-WRT, but I bricked it, so I
decided to buy a router with built-in VPN.
I've read through the other messages regarding the WRVS4400N and still
can not get my iBook to log in to my home network.
I've posted my debug log file here: [url]http://www.pariahware.com
/vpnlog.txt[/url]
Any help would be appreciated as I've spent way too much time butting my
head against this door. :(
Thank you very much.
Re: Frustrated with VPN on my new WRVS4400N
by Christian on 2007-07-15 19:18:11 +0200
I turned on VPN logging for my router. Here is what the router has logged:
[url]http://www.pariahware.com/routervpn.txt[/url]
by cnadig on 2007-07-16 10:55:57 +0200
Hello Christian,
you need to set the Remote Security Group to a specific address, e.g.
10.1.1.1. Setting it to Any will for some reasons only Linksys knows not
work. You then need to enter the same address in IPSecuritas for the local
endpoint (Host Mode).
Hope this helps,
Christoph
by Christian on 2007-07-16 18:34:47 +0200
Thank you for the tip, but that still didn't work. I've updated my two log
files, one from the router and the other from the app.
[url]http://www.pariahware.com/vpnlog.txt [/url]
[url]http://www.pariahware.com/routervpn.txt [/url]
To update, my router settings are:
IPsec VPN Tunnel: Enabled
Tunnel named: HomeVPN
Local Sec. Group Type: Subnet
IP Address: 192.168.2.x
Subnet: 255.255.255.0
Remote Sec. Group Type: IP Addr.
IP Address: 10.1.1.1
Remote Sec Gateway Type: Any
Key Exchange Method: Auto. (IKE)
Encryption: 3DES
Auth: SHA1
PFS: Enable
PSK: xxx
Key Life: 28800
NetBIOS: false
Phase1:
Op Mode: Main
Local ID: Name, HomeVPN
Remote ID: Remote IP
Encryptin: 3DES
Auth: SHA1
Group: 1024
Key Life Time: 3600
Phase2:
Enc: 3DES
Auth: SHA1
PFS: Enable
Group: 768
Key Life: 28800
General Tab:
Remote IPSec Device: DDNS address
IPv6: Disabled
Local Side:
Endpoint Mode: Host, IP: 10.1.1.1
Remote Side:
Endpoint Mode: Host, IP: Router's internal gateway address
Transpoirt Mode: Disabled
Phase1:
Lifetime: 3600
DH Group: 1024
Encrypt: 3DES
Auth: SHA-1
Exchange Mode: Main
by Forum Admin on 2007-07-16 21:49:38 +0200
Hello Christian,
two more things you need to change:
In your router settings, change the local identification to address too
(required for main mode) and in IPSecuritas, change the remote endpoint
mode to Network (instead of host) and set the address to 192.168.2.0/24
Cheers,
Christoph
by Christian on 2007-07-16 23:04:57 +0200
Thank you very much! I now have a green light and am on my LAN. ;D
The one remaining issue is that my web surfing (and I'm assuming e-mail)
are not going through my router, but rather, the router where I currently
have my iBook off-site. Can you please tell me how to remedy this last
piece of the puzzle? Thanks again!
problem with Netgear FVX538
problem with Netgear FVX538
by cenotaph on 2007-07-17 14:22:15 +0200
Hi,
I am totally excited about IPSecuritas as it seems like a really great piece of
software, and free too!
However, I am having trouble trying to connect to a Netgear FVX538. The
wizard had instructions for the FVS328 and also listed the FVX538 but the
settings are somewhat more advances, and I can't get past phase1 of
connecting.
I can post debug logs, but first of all, are there any more specific
instructions for configuring the FVX538?
Thanks!
Re: problem with Netgear FVX538
by cnadig on 2007-07-17 17:34:06 +0200
Hello,
have you had a look at the HOWTO yet? (in IPSecuritas->Windows->HowTo
List)
Or direct link: http://www.lobotomo.com/products/IPSecuritas/howto
/Netgear%20FVS114%20FVS328%20HOWTO.pdf
Cheers,
Christoph
by cenotaph on 2007-07-18 17:52:05 +0200
Yep - the HOWTO is great for the FVS328 but I have the FVX538 which is a
bit different so I'm not sure if I'm setting it up right. I can send logs to
someone (I don't want to post them here for security reasons) if anyone is
up for helping.
by ade76 on 2007-07-23 19:02:22 +0200
version 2 firmware is different on the FVX538 hence it not looking the
same, I've had ipsecuritas 2 working fine until recently, version 3 is giving a
few errors with connection failures I'll post up some logs later on.
last time i did it i just followed the wizard in how to and it worked fine
Sonicwall Pro2040 config with IPSecuritas
Sonicwall Pro2040 config with IPSecuritas
by coot on 2007-07-18 13:00:11 +0200
Hi all,
I spent lot's of wasted hours a few weeks ago trying to get IPSecuritas to
work with our Sonicwall Pro 2040 firewall. I was unsuccessful! >:(
Before I start to look at this again, has anybody successfully connected to a
Sonicwall Pro 2040 and would you be so kind as to let me know the
configurations both at the ipsecuritas side and the sonicwall side?
Here's hoping.
Regards..
Karl
Re: Sonicwall Pro2040 config with IPSecuritas
by JoeG on 2007-08-29 01:52:26 +0200
Same problem here, Karl. It seems I am able to connect just fine with VPN
Tracker but the settings don't quite translate directly. I will tell you that I
suspect that IPSecuritas does not support DHCP; you must get you admin to
assign a static IP and use that in you local connection... I think.
I would like to get this program working to avoid the high cost of VPN
Tracker.
by matthewyoung on 2007-08-30 02:17:10 +0200
Have a similar problem with our SonicWall 4100 - does not have DHCP
therefore I am still struggling to get things to work - also strugging to get
the hosts set up correctly as I can connect to our firewall but cannot go
further.
Re: Sonicwall config with IPSecuritas
by netnoah on 2007-09-15 15:38:52 +0200
Hey Folks. I don't know if this helps y'all, but after 3 hours of trying to get
IPSecuritas to connect to my VPN (SonicWall) I have (partial) success! Since I
am not in the IT dept (just trying to replicate my VPN Tracker setup on
company laptop to my home desktop using a shared key), I've had to guess
that the SonicWall is configured as per Equinux's specs (phase 1:3DES &
SHA1; Phase 2:Strong Encrypt and Authenticate (ESP 3DES HMAC SHA1)
Frankly, this is a lot of Greek to me, but I can tell you that the following
settings connect with the same functionality as VPN tracker. (this is the
result of the export wizard template menu command) The only thing that
isn't working now is connecting to multiple subnets simultaneously...which
didn't work with VPN tracker either.
phase1.localEndpointMode: ISEndpointModeHost
phase1.remoteEndpointMode: ISEndpointModeNetworks
phase1.exchangeMode: ISExchangeModeAggressiveMain
phase1.proposalCheck: ISProposalCheckObey
phase1.nonceSize: 16
phase1.lifetimeValue: 28800
phase1.lifetimeUnit: ISLifetimeSeconds
phase1.dhGroup: ISDHGroupMod768
phase1.encryption: ISEncryption3DES
phase1.authentication: ISAuthenticationSHA1
phase2.lifetimeValue: 1800
phase2.lifetimeUnit: ISLifetimeSeconds
phase2.pfsGroup: ISPFSGroupNone
phase2.encryptions: ISEncryption3DES
phase2.authentications: ISAuthenticationHmacSHA1
localIdentification.mode: ISIdentificationName
remoteIdentification.mode: ISIdentificationName
authentication.mode: ISAuthenticationPresharedKey
options.ipsecDoi: 0
options.identityOnly: 0
options.verifyIdentifier: 0
options.initialContact: 0
options.generatePolicy: 0
options.supportProxy: 0
options.verifyCertificate: 0
options.sendCertificate: 0
options.sendCertificateRequest: 0
options.modeCfg: 0
options.uniqueSa: 0
options.ikeFragmentation: 0
options.nattMode: ISNATTDisable
options.dhcpPassThrough: 0
by coot on 2007-09-17 11:34:35 +0200
I got this working. Here is my setup:
==On the SonicWALL==
:General
Name: WAN GroupVPN
Share Secret: xxxxx
-Proposals
Phase 1
DH Group: Group 2
Encryption: 3DES
Authentication: MD5
Phase 2
Protocol: ESP
Encryption: 3DES
Authentication: MD5
Enable PFS: Disabled
:Advanced
Enable Windows Networking Broadcase: Unchecked
Apply NAT and Firewall Rules: Unchecked
Forward Packets to remote VPNS: unchecked
Default Gateway: 0.0.0.0
Terminated at: LAN/DMZ (I require DMZ access)
:Client
Cache XAUTH User Name and Password on Client: Single Session
Virtual Adapter Settings: DHCP Lease or Manual
Set Default Route as this Gateway: Unchecked
Require Global Security Client for this Connection: Unchecked
Use Default Key for Simple Client Provisioning: Checked
==In IPSecuritas==
:General
Remote IPSec Device: xxxxx
Local Endpoint Mode Host:
Remote Endpoint Mode Network: 10.5.1.1/16
Phase 1
DH Group: 1024(2)
Encryption: 3DES
Authentication: MD5
Exchange Mode: Main, Aggressive
Nonce Size: 16
Phase 2
PFS Group: None
Encryption: DES, 3DES
Authentication: HMAC-SHA-1, MD5
:ID
by deepstructure on 2007-09-19 19:46:10 +0200
hey coot,
i've used your exact same settings and can't get them to work! i keep
immediately getting:
error: IKE: foreground mode
error: IKE: inappropriate sadb acquire message passed
error: IKE: delete phase1 handle
anyone else able to make these settings work? my pc still connects fine
with the settings coot used for the server, but no dice for my macbookpro
with ipsecuritas.
by coot on 2007-09-20 10:48:28 +0200
If you're using a Sonicwall that isn't a pro 2040 running standard firmware
then I'd guess there must be slight differences in the models.
I can't really help any further as I was in the same boat as you, I just tried
messing with the settings, Sorry! [smiley=sad.gif]
PS: My PC's also worked fine with no problems.
by 16thnotes on 2007-10-05 12:47:49 +0200
I too get the same errors in my application log when trying to connect to
ZyWALL hardware. (alas VPN Tracker works fine)
see this thread... [url]http://www.lobotomo.com/cgi-bin
/yabb/YaBB.pl?num=1191350831[/url]
by providence on 2007-10-10 16:56:42 +0200
What is Network Address Endpoint Mode or Network Mask (CIDR) ?
Is this something that I have to set up on my SonicWall?
Is there any way to get an update to the SonicWall instructions to take
advantage of the latest firmware update?
Problems importing certs for requests generated
Problems importing certs for requests generated
by pacronce on 2007-07-21 23:45:06 +0200
Hi all,
We've been using VPN Tracker for years with certificate authentication via
our own CA. I'm exploring using IPSecuritas as an alternative, but I'm
running into problems with certificates.
The problem is there doesn't seem to be a way to import a certificate the
corresponds to a certificate request generated in IPSecuritas. It looks like all
I can do is import a certificate with a private key. But since I generated the
request using IPSecuritas, and there isn't an option to export its
corresponding private key, I don't see how to make this work.
I would have thought that the workflow for processing requests would be
something like this:
1. Generate the request with IPSecuritas. Under the hood a key pair is also
created.
2. Send the request to the CA admin.
3. The CA admin generates the associated certificate and sends it back.
4. Import the certificate in IPSecuritas. The program should match the
certificate imported to the keypair/request generated and enable that
certificate for use in a connection.
The above is what happens with VPN Tracker. Note that the certificates
we're generating are in PEM format, in case that matters.
But I can't get the above to work with IPSecuritas. The only cert import
option that remotely matches my situation is "PEM/DER encoded foreign
certificate". But when I use that, the resulting certificate is not available for
selection in the connection. The other options fail to import at all.
If I bypass IPSecuritas for certificate request generation and instead import
a complete encrypted PKCS#12 file with a private key, then the resulting
certificate does work. But I don't like the idea of providing all of our VPN
clients with a key pair and cert. Because it opens up security issues like the
strength of the password, transport and secure disposal of the PKCS#12
file, etc.
Note that I have not tried converting the PEM certificate to a PKCS#12 file
without a private key. Maybe that would work, but it seems like an
unnecessary step. Why not just allow import of a PEM certificate that
matches a request?
Thanks in advance for any help you can provide.
Best regards,
-Allen Cronce
Re: Problems importing certs for requests generate
by cnadig on 2007-07-22 20:44:23 +0200
Hello Allen,
you're right, this is a misconception in IPSecuritas, which certainly needs to
be fixed.
I will get in touch with you once it's done.
Thanks a lot,
Christoph
by pacronce on 2007-08-22 20:56:27 +0200
[quote author=cnadig link=1185054306/0#1 date=1185129863]
you're right, this is a misconception in IPSecuritas, which certainly needs to
be fixed.
I will get in touch with you once it's done.
[/quote]
Thanks for getting back to me. Have you been able to make any progress
on the fix?
Thanks in advance!
Best regards,
-Allen Cronce
by cnadig on 2007-08-29 17:57:33 +0200
Hello Allen,
yes, this is fixed. Please let me know if you need a pre-release. Otherwise it
will be available with 3.1 in a couple of weeks.
Cheers,
Christoph
by pacronce on 2007-08-30 17:24:21 +0200
[quote author=cnadig link=1185054306/0#3 date=1188403053]
yes, this is fixed. Please let me know if you need a pre-release. Otherwise it
will be available with 3.1 in a couple of weeks.
[/quote]
Great! Thanks Christoph!
I'd be happy to beta test the pre-release, if you'd like to make it available.
Maybe you could PM me with the download URL?
Thanks in advance,
-Allen Cronce
by pacronce on 2007-09-18 01:57:35 +0200
Hi Christoph,
[quote author=cnadig link=1185054306/0#3 date=1188403053]yes, this
is fixed. Please let me know if you need a pre-release. Otherwise it will be
available with 3.1 in a couple of weeks.
[/quote]
I'm just checking in again to see if I can help test the pre-release.
Thanks in advance.
Best regards,
-Allen Cronce
by pacronce on 2008-01-05 19:10:13 +0100
Looks like this feature works, mostly. I tested it when 3.1 came out in
October and was able to generate requests, then import the corresponding
certificate. It's been successful for other users of ours also. Thanks for
implementing this feature.
But I had problems when I tried to use the feature today to renew several
certificates. What I did was generate 3 requests, then created the
corresponding 3 certificates, then imported the certificates into IPSecuritas.
I got a message each time indicating that the request was found and that
the private key was associated with the imported certificate.
But none of the new certificates worked. I looked at the log on our server
side and found digital signature errors.
It occurred to me that maybe if there are more than one request, IPSecuritas
gets confused at import time and associates the wrong private key with the
certificate.
So as an experiment, I deleted all of my requests and certs. Then I
generated the 3 certificates one at a time. After each import, I deleted the
corresponding request.
When I did it this way, all of the certificates were valid and I was able to
connect.
Would it be possible for you to take a look at the import code to see if
there's a bug with associating a certificate with a private key when there is
more than one request?
by pacronce on 2008-01-25 17:58:48 +0100
I hate to be a pest, but this is really becoming a problem. So far every user
of ours that needs multiple certificates has run into the bug.
The work around of deleting all requests before processing a new one
seems to work. But it's counterintuitive and our users don't seem to be able
to follow instructions (big surprise).
It would be *really* great if this bug could be fixed. Otherwise the support
headaches will force me to seek some alternative solution.
Thanks in advance,
-Allen Cronce
IPSecuritas NOT compatible with Mac OS X 10.5 Beta
IPSecuritas NOT compatible with Mac OS X 10.5 Beta
by galphanet on 2007-07-22 19:12:04 +0200
Hello,
I've tested your exellent software on Mac OS X 10.5 Beta (Build 9A466) and
IPSecuritas starts but continues jumping on the dock and say that he can't
connect to the deamon and after quit unexpectly !
But IPSecuritasDeamon is really running...
I think it'll be easy to adapt it for 10.5...
I can help you if you want to test it !
(sorry for my bad english..say if I do mistakes)
Re: IPSecuritas NOT compatible with Mac OS X 10.5
by cnadig on 2007-07-22 21:21:49 +0200
Hello,
I just published a Leopard compatible version. Please download it from this
link: http://www.lobotomo.com/products/downloads
Cheers,
Christoph
Re: IPSecuritas NOT compatible with Mac OS X 10.5
by galphanet on 2007-07-22 21:25:20 +0200
Hello,
Thanks you very much for this ! 8-)
FortiGate 800 configuration problem
FortiGate 800 configuration problem
by dg on 2007-07-23 22:27:26 +0200
Hi,
my wife's workplace now uses FortiGate 800. Their support site explicitly
recommends Mac users to use IPsecuritas.
However, their IT guy claims that they use "two methods" authentication in
Phase 1. In IPsecuritas, you only have a popup menu with a single method
choice. Therefore he claims that IPsecuritas cannot be made to work on
their VPN.
Is this guy just giving me some B.S.?
Any help appreciated, thanks.
I have a FortiGate client profile. In theory, it should be possible to gather
the configuration options out of that profile, but it is not that easy.
Somebody here could do that?
Thanks.
Re: FortiGate 800 configuration problem
by varruss on 2007-07-24 06:20:50 +0200
I have 5 Fortigate firewalls working fine with IPSecuritas. They all use XAuth
and preshared secret. (In IPSecuritas under ID - Authentication Method).
Have him confirm what does he mean by 2 methods authentication.
Re: FortiGate 800 configuration problem
by dg on 2007-07-24 16:43:52 +0200
Well, this guy claims that in the Phase 1 authentication method, you need to
select multiple methods (same as you can do in the Phase 2 setup, where
you can check more than one method).
IPCOP and ipsecuritas
IPCOP and ipsecuritas
by richardk on 2007-07-23 23:45:36 +0200
Hi
Has anybody sucessfully used ipsecuritas to connect to ipcop? If so,please
post details of what to enter on the ID and option screen on ipsecurits.
Have been trying for about 2 days with no luck whatsover.
Thanks
Richard
Re: IPCOP and ipsecuritas
by cnadig on 2007-07-24 09:14:01 +0200
Hello,
please have a look at http://www.taupehat.com/vpn/
Although it describes the setup for the older version 2.x, it should be easy
enough to use it to configure 3.0 (the settings should be the same).
The Wizard plugin for IPCop could help, too.
Hope this helps,
Christoph
Trying to connect to Fortinet FGT-60
Trying to connect to Fortinet FGT-60
by zoomin on 2007-07-26 15:36:10 +0200
Hello, I am trying to connect to a Fortinet Fortigate 60 at work.
I have read Fortinet's instructions here:
http://kc.forticare.com/default.asp?SID=&Lang=1&id=2012
but they seem a bit contradictory.
At the top, it says "Authentication Method - Preshared Key (Note that the
Pre-shard key must be empty)" and then at the bottom it says to "Select
Id/Auth and enter the Pressured Secret (preshared key)."
I am trying to set it up in Host to Network mode.
Thanks for any tips.
Re: Trying to connect to Fortinet FGT-60
by cnadig on 2007-07-26 16:27:44 +0200
Hello,
although I don't have a Fortinet available here, I can't imagine that the
preshared key may be empty. I rather expect it to identical with the one
entered in IPSecuritas.
Please note XAUTH now also works with IPSecuritas and Fortinet (the
instructions refer to the older version 2.x) - once you have it running with
preshare key, you may try with XAUTH PSK (same preshared key, but per
user passwords).
Cheers,
Christoph
Re: Trying to connect to Fortinet FGT-60
by zoomin on 2007-07-26 19:23:32 +0200
I have upgraded to Ipsecuritas 3.0 but I am still unable to establish a
dial-up connection.
I do have some successful connections setup to different networks behind
the same hardware (FGT-60) using the static ip method but I am hoping to
downgrade my service here and will no longer have a static IP, so that is
why I am attempting to set this up with dial-up / roaming settings.
I am unsure what to put in the ID section so I left the defaults but I am
pretty sure that without a static IP I cannot use the ip address as local
identifier:
local identifier: address
remote identifier: address
authentication method: preshared key
and put in my preshared key from the fortinet.
Does "Mutual Authentication" work with cisco 3000?
Does "Mutual Authentication" work with cisco 3000?
by cwalter on 2007-07-27 17:35:44 +0200
Dear All,
I am trying to attach to a cisco 3000. It is running in Cisco's version of
Hybrid Auth, which they call "mutual authentication". It uses a certificate
for remote identification in the 1st phase and also uses xauth and a
pre-shared key.
I can't get it to work, and I can't figure out from the web page or the forums
if it is really supported. Can anyone tell me?
About the closest setup I can find is
local id:
key-id (set to group name)
remote-id: certificate
Auth method: Xauth RSA
user name: (set to xauth name)
password: (set to xauth password)
I have imported our root certificate into the certificate manager but there is
an "!" mark next to the connection name which if I hover over it says:
"remote identifier set to certificate but no XAUTH server certificate chosen."
However I can't find an option anywhere to "choose a certificate".
Does anyone have any ideas, or is this configuration not supported at all?
BTW, thanks for the work! I am using ipsecuritas to to attach to another
system not-using hybrid-auth and it is great!
-Chris
Problem Connecting With SonicWall TZ-170
Problem Connecting With SonicWall TZ-170
by jmarsan on 2007-07-30 17:23:29 +0200
I'm trying to setup IPSecuritas 3.0 to connect to a SonicWall TZ-170. Right
now when I try to connect, the indicator remains red and all I see is the
following in the debug log:
after event START
Jul 28, 16:49:22 Info
Jul 28, 16:49:22 Info
APP IPSec started
Jul 28, 16:49:22 Info
Jul 28, 16:49:22 Info
Jul 28, 16:49:22 Info
Jul 28, 16:49:22 Info
Jul 28, 16:49:22 Info
Jul 28, 16:49:22 Debug IKE open /Library/Application
management.
Jul 28, 16:49:22 Debug IKE my interface: fe80::21b:63ff:fe04:da0b%en1
(en1)
Jul 28, 16:49:22 Debug IKE my interface:
2002:d018:3087::21b:63ff:fe04:da0b (en1)
Jul 28, 16:49:22 Info
Jul 28, 16:49:22 Info
IKE 2002:d018:3087::21b:63ff:fe04:da0b[500]
used as isakmp port (fd=8)
Jul 28, 16:49:22 Info
IKE fe80::21b:63ff:fe04:da0b%en1[500] used as
isakmp port (fd=9)
Jul 28, 16:49:22 Info
Jul 28, 16:49:22 Info
Jul 28, 16:49:22 Debug IKE 02120200 02000000 00000000 03050000
directory
Do you have any hints or suggestions as to either debug this or what I'm
missing in the setup?
Re: Problem Connecting With SonicWall TZ-170
by jmarsan on 2007-08-20 17:20:28 +0200
I got past this problem - my remote network uses (used) the same IP range
as the network I was trying to connect to - this apparently causes problems
for IPSecuritas.
Now I'm on to the next issue...the connection attempt gets much further
along but now my TZ-170 is reporting:
08/18/2007 21:19:29.192
IKE Responder: IPSec proposal does not
match (Phase 2)
xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx
xxx.x.xxx.xxx/32 -> xxx.xxx.x.x/16
08/18/2007 21:19:29.192
IKE Responder: Default LAN gateway is set
but peer is not proposing to use this SA as a default route
xxx.xx.xx.xxx
xxx.xxx.xxx.xxx
xxx.xxx.x.x/16
Re: Problem Connecting With SonicWall TZ-170
by BHunsaker on 2007-09-26 03:37:40 +0200
I got the "X_SPDDUMP failed" message when the value for "Remote IPSec
Device" under the General tab is a DNS string that won't translate. For
example, I used "me.dyndns.com" instead of "me.dyndns.[b]org[/b]".
Problem connecting to Exchange server via IMAP
Problem connecting to Exchange server via IMAP
by RobertF on 2007-07-30 17:47:54 +0200
I'm trying to connect to our Exchange server from home. It has IMAP turned
on and I can access it using Mail.app from work with no difficulty. However,
when I try to access it from home using the VPN, I get a message saying it
can't access the server. I am able to access internal network shares via the
VPN, so it's not a simple connectivity problem. I can access my mail account
via Web mail without difficulty.
The mail server is on a 192.168 address, while the servers I'm able to
access are on 10.0 addresses. However, the IP address I'm being assigned is
in the 192.168 range and I can ping 192.168.1.1.
Any troubleshooting ideas?
Netgear DG834
Netgear DG834
by robinb on 2007-08-10 12:19:55 +0200
Hi All
Noob question which hopefuly hasn't been answered (I have searched
forum)
Has anyone had any sucess connecting securitas on OS X to a Netgear
DG834?
I have used the Netgear Wizzard and the Securitas Wizzard using (what I
think) is going to be the nearest NG device on the list (124G) and the
connection fails on phase 1. Error is
Aug 10, 11:04:50 Info
APP Initiated connection XXX
Aug 10, 11:04:50 Error IKE inappropriate sadb acquire message passed.
Aug 10, 11:04:52 Error IKE phase2 negotiation failed due to time up
Aug 10, 11:04:57 Info
APP Initiated connection XXX
Aug 10, 11:04:59 Error IKE phase1 negotiation failed due to time up.
37646a8215af9cf4:0000000000000000
I am assuming that it is due to the device i chose but the 834 is not listed. I
did try a couple of others but no joy.
Can anyone point me in the right direction please
TIA
VPN and Gateway
VPN and Gateway
by Christian on 2007-08-14 22:34:26 +0200
So, it has been about a month and I'm in need of my VPN again. As I
mentioned back then, I can now connect to the VPN, but my home router is
not my gateway for web traffic. How do I set up my Mac so that when I'm
connected to my VPN, my home router is my gateway for all network traffic?
Thank you!
Spit DNS?
Spit DNS?
by phssec on 2007-08-22 11:13:34 +0200
Hello.
Has anyone got the Split DNS working with IPSecuritas 3.0?
My problem is that it seems to work [i]only[/i] when there is also a public
name.
Example:
a.example.fi has local address 10.0.0.1
b.example.fi has local address 10.0.0.2 [i]and[/i] public address
80.74.149.177
When I activate IPSecuritas' Split DNS feature for example.fi I can connet to
b.example.fi but not to a.example.fi.
With netstat I can check that b.example.fi connection really goes to
10.0.0.2 so it is using IPSec.
host command can not find any address for a.example.fi and only public
address for b.example.fi.
VPN Tracker seems to be able to handle split dns properly.
Remote Network Settings
Remote Network Settings
We have IP addresses of 172.x.0.0 and I am trying to set this up so I can
connect through to our SonicWall and into our network.
I have it so I can connect to the SonicWall as I can login to the firewall
management site but the network settings I have listed are not the same as
if I use sonicwall's own vpn software on my windows machine (they don't
make one for macs) - if on there I see the network as being 0.0.0.0 255.255.255.255 - how do I get that as the remote endpoint setting?
Also....using the fireall software my computer gets a dhcp ip address from
the firewall and I cannot see a setting for this in IPSecuritas. I can give
myself a manual setting (Local Endpoint) but one on the firewall I cannot
ping or connect to anything else on the network whether on 172.16.x.x
(which is the firewall's internal) or another 17 address we have.
any suggestions????
Linksys WRV200
Linksys WRV200
by rdfisher on 2007-09-05 06:03:03 +0200
I'm trying to establish a workstation to network VPN connection with a
Linksys WRV200 router. Through searching these forums I found reference
to an outdated guide (http://www.lobotomo.com/products/IPSecuritas
/howto/Linksys%20WRV200%20HOWTO.pdf) but I haven't been successful
at making a connection using these directions. Has anyone had success at
connecting to this router, specifically running (current) firmware 1.0.32.2? I
will certainly post logs etc if troubleshooting is necessary, but figured I'd
first start by looking for any known good configurations. Thanks for the
help.
rf
Re: Linksys WRV200
by dandor on 2007-09-07 07:02:15 +0200
Hi,
I've just been trying to get the same things working.
I think I managed to work around the outdated HowTo--- not too much
changed, luckily.
After putting in all the details, I've got a connection, according to "sudo
setkey -D" and "ifconfig".
However, the link doesn't work! Pinging the router returns silence.
In the next day or two I'll return to this forum either 1) to ask how to get it
working, or 2) explain how I sorted it out.
D.
Re: Linksys WRV200
by dandor on 2007-09-07 18:17:36 +0200
Hi,
using the HowTo as a guide, I got it working. Need the configuration
details? I can try to post a series of screenshots. Would that be helpful?
[b]UPDATE:[/b]
[url=http://www.flickr.com/photos/xandxor/1342694152/][img]http:
//farm2.static.flickr.com/1055/1342694152_906f7897b5_b.jpg[/img][/url]
I suspect the WRV200 settings are more useful. Next update.
Re: Linksys WRV200
by dandor on 2007-09-07 18:58:54 +0200
WRV settings:
(Note that the "Advanced Settings" should have the "Allow All" radio button
checked, but that is in fact the default.)
[url=http://www.flickr.com/photos/xandxor/1341846071/][img]http:
//farm2.static.flickr.com/1317/1341846071_77e7df7bdf_o.jpg[/img][/url]
Re: Linksys WRV200
by rdfisher on 2007-09-20 07:02:38 +0200
That worked! I tried your solution a few weeks ago and it didn't work at
that time. I don't know what I did different this time around but I'm
connected right now. Excellent help with the screenshots! Thanks for the
help.
IPSecuritas connecting to OS X Server 10.4
IPSecuritas connecting to OS X Server 10.4
by alex_schenkman on 2007-09-05 10:12:01 +0200
Hi:
Is is possible to connect to an OSX Server 10.4 with IPSecuritas?
I know that I can use the OSX built-in client, but I wonder if I can offer my
users a single interface for connecting to all our resources.
Thanks in advance!
IPSecuritas & Netgear DGFV338
IPSecuritas & Netgear DGFV338
by ridgedale on 2007-09-16 07:34:06 +0200
I wonder if anyone might be able to help. I'm trying to VPN into a Netgear
DGFV338 and am having no success. Would someone be able to tell me
where I am going wrong? I've provided a log of an attempted connection
below:
Sep 16, 06:06:52 Info
Sep 16, 06:06:53 Info
APP IPSec started
Sep 16, 06:06:53 Error IKE Foreground mode.
Sep 16, 06:06:53 Info
Sep 16, 06:06:53 Info
Sep 16, 06:06:53 Info
Sep 16, 06:06:53 Info
Sep 16, 06:06:53 Info
APP Initiated connection <connectionName>
Sep 16, 06:06:53 Error IKE inappropriate sadb acquire message passed.
Sep 16, 06:06:54 Info
Sep 16, 06:07:00 Info
Sep 16, 06:07:07 Info
Sep 16, 06:07:09 Error IKE <routerIP> give up to get IPsec-SA due to
time up to wait.
Sep 16, 06:07:14 Info
Sep 16, 06:07:21 Info
Sep 16, 06:07:26 Warning APP Connection <connectionName> timed out
Sep 16, 06:07:26 Warning APP Giving up
Sep 16, 06:07:29 Error IKE <routerIP> give up to get IPsec-SA due to
time up to wait.
Sep 16, 06:08:29 Info
APP IPSec stopping
Sep 16, 06:08:30 Info
Thanks in advance.
Re: IPSecuritas & Netgear DGFV338
by cnadig on 2007-09-17 07:12:22 +0200
Hello,
could you please set the log level to Debug (in IPSecuritas' preferences) and
post such a log again (please make sure to remove your public address and
other confidential information from the output)?
Thanks,
Christoph
by ridgedale on 2007-09-18 21:03:27 +0200
Christoph,
Thanks for your reply. I've managed to sort the issue out - everything's
working fine now.
I'll remember to heed your comments when posting in future.
Thanks again
Dene
by AKirchner on 2007-09-21 12:49:00 +0200
Hey I have the same Hard- and Software but I can't fix it. Thats my log.
The Support-Hotline from Netgear is incompetent i think.
Sep 21, 12:34:09 Info
APP IPSec stopping
Sep 21, 12:34:10 Info
Sep 21, 12:34:10 Info
Sep 21, 12:34:11 Info
APP IPSec started
Sep 21, 12:34:11 Info
Sep 21, 12:34:11 Info
Sep 21, 12:34:11 Info
Sep 21, 12:34:11 Info
Sep 21, 12:34:11 Info
Sep 21, 12:34:11 Info
APP Initiated connection Rudi Renner
Bellinghausen
Sep 21, 12:34:18 Info
Bellinghausen
Sep 21, 12:34:25 Info
Bellinghausen
Sep 21, 12:34:27 Error IKE phase2 negotiation failed due to time up
Sep 21, 12:34:32 Info
Bellinghausen
Sep 21, 12:34:39 Info
Bellinghausen
Sep 21, 12:34:41 Error IKE phase1 negotiation failed due to time up.
fd391904457e4be8:0000000000000000
Sep 21, 12:34:44 Warning APP Connection Rudi Renner Bellinghausen
timed out
Sep 21, 12:35:50 Info
APP IPSec stopping
Sep 21, 12:35:51 Info
Sep 21, 12:35:53 Info
Sep 21, 12:35:53 Info
APP IPSec started
Sep 21, 12:35:53 Info
Sep 21, 12:35:53 Info
Sep 21, 12:35:53 Info
Sep 21, 12:35:53 Info
Sep 21, 12:35:53 Info
Bellinghausen
by gmandil on 2008-11-12 20:58:18 +0100
ridgedale
could you please explain us what have you done to make it work ?
thanks in advance
Guillaume
IPSecuritas - problem accessing the DMZ
IPSecuritas - problem accessing the DMZ
by coot on 2007-09-17 11:25:47 +0200
Hi all,
We have a problem accessing our DMZ from home using the IPSecuritas VPN
Client. We are connecting to a sonicwall pro 2040.
I have two remote endpoints. One is the DMZ and one is the LAN. I can
connect successfully to all LAN computers. I cannot connect to any
computers in the DMZ.
I have tested the Sonicwall VPN Client on a Windows PC and can access both
the LAN and DMZ computers.
Does anyone have an idea of what could be causing this problem? If you
need any extra info about this then just let me know.
Regards.. Karl
Re: IPSecuritas - problem accessing the DMZ
by coot on 2007-09-17 17:40:29 +0200
I'm really stumped on this. I think there may be a problem accessing the
second network.
In the scenario above, I had the DMZ listed as the second network in the
Remote Endpoint "Networks" section.
I changed it around so that the DMZ network is listed first and the LAN
network second. Now I can connect to the DMZ but not the LAN.
:-/ Any ideas?
Problems connecting to Sonicwall TZ-170
Problems connecting to Sonicwall TZ-170
by adacey on 2007-09-19 13:53:21 +0200
I had this working fine under 2.1 but with 3.0 I can't connect. I imported my
connection from 2.1 but when I connect the log shows "Id expected IP
address in main mode but received FQDN" (sorry, posting from work so I
don't have the exact message).
I have identifiers set to address for both sides of the connection, I've
checked the Sonicwall's configuration and can't find what it's using for
identifiers. The closest option I found was the firewall's unique firewall
identifier, which I did try inputting for it's identifier (as a FQDN) but that
also didn't work.
Any suggestions?
Fios Actiontec M1424-WR
Fios Actiontec M1424-WR
by headbaker on 2007-09-22 04:23:00 +0200
I have been using IPSecuritas on my Macbook Pro from home over a Linksys
WRK54G router while with Comcast to a Sonicwall 4060. I just switched to
Verizon FIOS with a Actiontec M1424-WR router and have had no luck. I
am using the same LAN IP on this new router as the old one. I can connect
from the MAC when booting into Vista and running Sonicwall's GlobalVPN
client.
Has anyone else experienced any difficulties switching over to FIOS or the
Actiontech router?
Re: Fios Actiontec M1424-WR
by headbaker on 2007-09-23 00:42:07 +0200
Well, with persistance I was able to get it working. The only configuration
change was to disable NAT-T. It is working fine now.
Addressing questions
Addressing questions
by Roger408 on 2007-09-28 19:51:01 +0200
I'm setting up IPSecuritas for the first time, using a Netgear FVS114 there
and a Mac mini here. I can get a connection established, but have trouble
reaching anything at the end with the router (there). Addressing on the
LAN there is 192.168.0.0/24. At present my Mac is on my home LAN (here)
and is 10.43.x.x. Attempting to ping anything on 192.168.0.x fails, since I
assume it is trying to ping on my home LAN.
I'm not clear on how to direct traffic through the IPsec link to the 192.168...
LAN. Can anyone clarify this for me?
Here is the log for this session. The last three lines are repeated many
times...
Sep 28, 09:35:41 Info
Sep 28, 09:35:41 Info
APP IPSec started
Sep 28, 09:35:41 Info
Sep 28, 09:35:41 Info
Sep 28, 09:35:41 Info
Sep 28, 09:35:41 Info
Sep 28, 09:35:42 Info
APP Initiated connection SVCF
Sep 28, 09:35:45 Warning IKE trns_id mismatched: my:DES peer:3DES
Sep 28, 09:35:49 Info
76.210.165.xx[500]. $ xx inserted by me.
Sep 28, 09:35:54 Info
76.210.165.xx[500].
Sep 28, 09:35:59 Info
76.210.165.xx[500].
Sep 28, 09:36:44 Error IKE failed to get sainfo.
Sep 28, 09:36:44 Error IKE failed to pre-process packet.
Re: Addressing questions
by Forum Admin on 2007-10-01 17:36:52 +0200
Hello,
when a connection is established, traffic to the remote network is directed
automatically through the established tunnel, i.e. there is no need for an
extra route entry. If you can't get traffic to or from the remote network
although the connection is established (green dot), I see two possible
problems:
1. NAT problem: your local router might not support VPN-passthrough or
there are other IPSec tunnels active from the local network. Try enabling
NAT-T
2. The remote firewall is not the default route for the machine you try to
reach, the 10.x.x.x network is routed differently or not all. I'd try to specify
a different "virtual" local IP (enter the address into the local endpoint
address field), say from the 172.24.x.x range.
If this doesn't help, try to find out if the traffic you send is reaching the
other end at all, i.e. sniff the local network for traffic destined to the
machine you're trying to reach, to see which direction doesn't work.
Hope this helps,
Christoph
Connection speed issue
Connection speed issue
by wilfredoz on 2007-10-01 14:35:12 +0200
Hello,
Thank you for this great pice of software, I use it occasionaly with my
mackbook-gprs connection to a monowall ip-sec router to login to a
couple of servers at work via ssh and for a remote desktop machine.
Now I got one problem. when I use a gprs (slow) connection everything is
going well, when I connect with ssh I can control the remote servers
perfectly, but when I use a highspeed cable of adsl connection the ssh
session locks up when I try to use some commands like "ls".
The same happens with remote desktop on Mac os x, the remote screen
appears completly on a gprs connection but when I use a high speed
connection the remote screen even doesn't appears.
Is this a known problem and what can I do about it?
Thanks!
Re: Connection speed issue
by Forum Admin on 2007-10-01 17:26:53 +0200
Hello,
this looks like an issue with the MTU. IPSec encapsulates the original user
data into an ESP packet, probably making the resulting packet larger than
allowed.
Please try to decrease the MTU on the m0n0walls' WAN interface by 8 (no
NAT-T) or 28 (NAT-T enabled).
Hope this helps,
Christoph
by wilfredoz on 2007-10-03 22:14:38 +0200
[quote author=Forum Admin link=1191242112/0#1
date=1191252413]Hello,
this looks like an issue with the MTU. IPSec encapsulates the original user
data into an ESP packet, probably making the resulting packet larger than
allowed.
Please try to decrease the MTU on the m0n0walls' WAN interface by 8 (no
NAT-T) or 28 (NAT-T enabled).
Hope this helps,
Christoph[/quote]
Thanks for your reply, I tried to decrease the MTU size but it did not solve
the problem.
I think when It was the other way around, it could be a MTU issue..
by Dave on 2007-10-31 16:17:11 +0100
[quote author=wilfredoz link=1191242112/0#2 date=1191442478]Thanks
for your reply, I tried to decrease the MTU size but it did not solve the
problem.
I think when It was the other way around, it could be a MTU issue..[/quote]
When I connect to the SonicWall at work, I have to set the Mac's MTU down
to around 1400, do a couple of pings with no-fragment set, and then set it
back up to 1500. After doing all this, things will work. If I don't, the first
fragmented packet stalls the connection.
Is there some way to do this automagically when the connection starts?
MacBook Pro can't find VPN server.
MacBook Pro can't find VPN server.
by gmoon on 2007-10-01 18:35:54 +0200
My office set up a VPN mostly to be used by me when I'm out of the office. I
was given the .ipsc file to import, and I'm able to get connected in
IPSecuritas (it shows green), but when I try to connect to server from the
finder it says it's looking up the server, but then says it can't find it. A
coworker has essentially the same Mac as me, I copied his .ipsc file and he
is able to connect but I am not (from the same remote location).
I have also tried from home on my other 2 macs, each shows green, but
can't find the server.
We went through all of our network and sharing settings to see if anything
was different and it all appears the same. Is there a setting I may need to
change on my Mac?
When I'm at home I'm using an Airport extreme and I have to set NAT-T to
enable and check "Local IP in Remote Netwrok", but even from the cafe up
the street where we tried it, his works and mine won't! Any thoughts??
Thanks.
Re: MacBook Pro can't find VPN server.
by Forum Admin on 2007-10-01 21:04:11 +0200
Hello,
this seems odd... Have you tried to just ping a remote machine?
Could you please run the following commands in a Terminal window on
both your and your collueges machine, possibly from the same remote
location (one command per line):
ifconfig -a
netstat -nr
sudo setkey -DP
sudo setkey -D
(The second last command will ask you to enter your administrator
password). Could you please e-mail me the output to
[email protected]?
Thanks,
Christoph
Zywall 5 and XAUTH
Zywall 5 and XAUTH
by wf10 on 2007-10-02 20:47:10 +0200
Hi everyone
I use Zywall 5, Firmware Version 4.x and IPSecuritas Version 3. I want to
manage the access using Extended Authentication and PSK. I can't establish
a connection to my gateway. With PSK only, it runs fine.
Even with VPN Tracker, it runs also. Any hint? Thanks a lot!
Dave
Re: Zywall 5 and XAUTH
by 16thnotes on 2007-10-05 12:24:39 +0200
I too would like to do Xauth with the ZyWALL 35 and 70 models with the 4.X
firmware, but simply get following errors in the IP Securitas application
connection log:
[color=#990000]Oct 05, 19:07:53 Error IKE Xauth mode config request
but peer did not declare itself as Xauth capable
Oct 05, 19:07:53 Error IKE Hash verification failed
Oct 05, 19:07:53 Error IKE unknown Informational exchange received.
[/color]
Re: Zywall 5 and XAUTH
by 16thnotes on 2007-10-05 12:41:14 +0200
I discovered that there was the option under the ID tab for Xauth PSK. I did
not see that the first time, however, I still get the following errors in the IP
Securitas application log:
[color=#990000]Oct 05, 19:36:53 Error IKE inappropriate sadb acquire
message passed.
Oct 05, 19:36:54 Warning IKE ignore INITIAL-CONTACT notification,
Oct 05, 19:36:54 Error IKE No SIG was passed, hybrid auth is enabled,
but peer is no Xauth compliant
Oct 05, 19:36:54 Warning IKE Short payload[/color]
IPSecuritas and XAUTH
IPSecuritas and XAUTH
by sohonet on 2007-10-03 13:19:19 +0200
Hi,
i am currently testing the final release of IPSecuritas adn i can't get xauth to
work.
The VPN connection is successful but i expected a pop up windows to come
up so that the users can authenticate to the remote Netwscreen in my case.
Any ideas anyone?
Re: IPSecuritas and XAUTH
by 16thnotes on 2007-10-05 12:42:25 +0200
I'm unable to get it working with my ZyWALL 35 hardware as well.
Did you try using the new option under the ID tab for Xauth PSK?
Draytek Vigor and "host to anywhere"
Draytek Vigor and "host to anywhere"
by wanabe_cool on 2007-10-03 15:23:51 +0200
Hi,
Anyone had any experience with connecting to a Draytek Vigor router with
IPSecuritas? I've set up a "host to network" which works fine, but not when
trying to route all traffic through the VPN (host to anywhere). The connection
seems to just die when trying to connect.
Below are a selection of details which I hope might help someone to
understand what is happening:
My system log shows:
Oct 3 14:12:57 CG-MBP crashdump[704]: racoon crashed
Oct 3 14:12:57 CG-MBP crashdump[704]: crash report written to: /Library
/Logs/CrashReporter/racoon.crash.log
the crash log shows this:
Codes:
I have the following settings:
Version = 3.0rc3 (build 1693)
General -> Remote Side -> Endpoint mode = Anywhere + DHCP
Pass-Through enabled
Phase 1 and Phase 2 should be OK as it works with the same config when
connecting "host to network"
ID -> Local Identifier = Address
ID -> Remote Identifier = Address
ID -> Authentication Method = Preshared Key
Options Selected:
IPSec DOI
SIT_IDENTITY_ONLY
Verify Identity
Local IP in Remote Network
Unique SAs
IKE Fragmentation
NAT-T = Enable (my client is behind a NAT firewall)
The connection appears to get through phase 1 and possibly phase 2 until
this happens:
Oct 03, 14:12:57 Info
Oct 03, 14:12:57 Debug APP State change from RUNNING to IDLE after
event RACOON TERMINATED
Oct 03, 14:12:57 Debug APP Received SADB message type X_SPDDELETE
not interesting
not interesting
not interesting
not interesting
not interesting
not interesting
not interesting
-
IPSecuritas 3 and AVM Fritz Box
IPSecuritas 3 and AVM Fritz Box
by yap on 2007-10-09 16:56:50 +0200
Hallo,
I have an AVM Fritz!Box with the actual firmware "Labor-Version
29.04.34-7728" installed. With the version 2.2 of IPSecuritas I can use VPN
perfect. But it doesn't work with the new version of IPSecuritas. I had
imported my settings from version 2.2 to version 3 but I only get this log
entries:
Oct 09, 16:33:22 Info
APP Network configuration change detected
Oct 09, 16:33:37 Info
Oct 09, 16:33:38 Info
APP IPSec started
Oct 09, 16:33:38 Info
Oct 09, 16:33:38 Info
Oct 09, 16:33:38 Info
Oct 09, 16:33:38 Info
Oct 09, 16:34:53 Info
APP IPSec stopping
Oct 09, 16:34:54 Info
Oct 09, 16:35:15 Info
Oct 09, 16:35:46 Info
[/code]
I don't know what's wrong. Can anyone help me?
These are my settings:
[quote]
General:
Remote IPSec Device: myadress.dyndns.org
Local Side, Endpoint Mode: Host
IP Adress (optional): 192.168.178.201
Remote Side, Endpoint Mode: Network
Network Address: 192.168.178.0
Network Mask (CIDR) 24
Phase 1:
28800 Seconds
1024 (2)
3DES
SHA-1
Aggressive
Claim
16
Phase 2:
PFS Group: 1024 (2)
Encryption: AES 128
Authentication: HMAC MD5, HMAC SHA-1
ID:
User FQDN
[email protected]
Adress
Preshared Key
Re: IPSecuritas 3 and AVM Fritz Box
by Forum Admin on 2007-10-09 19:19:47 +0200
Hello,
could you possibly send me the log output of both versions 2.2 and 3.0
with log level set to debug to [email protected]?
Christoph
by yap on 2007-10-14 12:45:25 +0200
Hi,
thank you, but now it works. Just a few days ago AVM, the producer of the
Fritz!Box, wrote a howto to connect with IPSecuritas to the AVM Fritz Box.
Here the link to the HOWTO:
http://www.avm.de/de/Service/Service-Portale/Service-Portal
/VPN_Interoperabilitaet/box_zu_securitas.php?portal=VPN
thanks
by Forum Admin on 2007-10-16 15:15:21 +0200
Thank you very much for the link. IPSecuritas 3.1 now contains a wizard
template and a HOWTO for the FRITZ!Box.
Christoph
IPSecuritas and FVS318v3
IPSecuritas and FVS318v3
by fallous on 2007-10-18 04:53:25 +0200
ok, I've got a FVS318v3 sitting as the edge router for a local network that
uses the 192.168.16.x local block for internal servers. I'm trying to connect
with a remote client that's sitting in a 192.168.1.x NAT'd network. I went
through the IPSecuritas doc for setting this net up, and when I try and
connect the connect indicator turns green, but I can't ping anything or
connect to anything. In addition a connect seems to fubar the FVS so that
you can't web connect to the management page without power cycling the
router, which sucks. I do have a second router on the net that handles
traffic to other sites that are in the 192.168.x.x block and I'm wondering if
I'm running into a problem there.
Re: IPSecuritas and FVS318v3
by jdsmcroy on 2007-11-08 23:29:35 +0100
I would be interested to know if you found a solution to this problem. I am
experiencing the exact same issue.
Re: IPSecuritas and FVS318v3
by bstender on 2007-11-29 01:53:06 +0100
try setting the client ip to 10.0.0.1
IPSecuritas connecting to Netscreen NS25 XauthPSK
IPSecuritas connecting to Netscreen NS25 XauthPSK
by bence8810 on 2007-10-18 16:18:18 +0200
Hi
I am trying to connect to a Netscreen Firewall, NS5, and I am using
IPSecuritas. I am brand new to Mac, so I may be missing a lot of things.
Firstly, the Netscreen requires a Xauth - PSK authentication, a Pre Shared
key first, then a user supplied password, as we have multiple users on the
Netscreen. I tried my best to set up IPSecuritas, but I obviously was not
good enough. I have also set up a Client for Windows with the same PSK
and Xauth login, and it works like a charm. I am including logs from the
Netscreen when connecting successfully from Windows, and the error when
connecting from IPSecuritas. Both connections are made from the same
Wireless Router, so there is no difference between the two scenarrios,
except the OS and VPN client, and of course, the settings.
Successfull connection with Netscreen Remote Connect on Windows:
[code]
2007-10-17 22:21:23
info
IKE<MY WIFI LAN STATIC IP> Phase 2
msg ID <f90990ca>: Completed negotiations with SPI <78a068ee>, tunnel
ID <32770>, and lifetime <3600> seconds/<0> KB.
2007-10-17 22:21:23
info
msg-id <f90990ca>: Completed for user <[email protected]>.
2007-10-17 22:21:23
info
msg ID <f90990ca>: Responded to the peer's first message from user
<[email protected]>.
2007-10-17 22:21:21
info
IKE<MY WIFI LAN STATIC IP>: XAuth login
was passed for gateway <NETSCREEN-GW-NAME>, username <Xauth
Username>, retry: 0.
2007-10-17 22:21:16
info
IKE<MY WIFI LAN STATIC IP>: Received
initial contact notification and removed Phase 1 SAs.
2007-10-17 22:21:16
info
IKE<MY WIFI LAN STATIC IP> Phase 1:
Completed Aggressive mode negotiations with a <28800>-second lifetime.
2007-10-17 22:21:16
info
IKE<MY WIFI LAN STATIC IP> Phase 1:
Completed for user <[email protected]>.
2007-10-17 22:21:16
info
IKE<MY WIFI LAN STATIC IP>: Received
initial contact notification and removed Phase 2 SAs.
2007-10-17 22:21:16
info
IKE<MY WIFI LAN STATIC IP>: Received a
notification message for DOI <1> <24578> <INITIAL-CONTACT>.
[/code]
And the Unsuccessfull one from Mac OS X and IPSecuritas:
[code]2007-10-17 23:23:38
info
Rejected an IKE packet on untrust
from MY WIFI LAN STATIC IP:500 to NETSCREEN IP:500 with cookies
8d838541ab3c6dda and 0000000000000000 because an initial Phase 1
packet arrived from an unrecognized peer gateway.[/code]
I would appreciate any help with this,
Thanks
Ben
Re: IPSecuritas connecting to Netscreen NS25 Xauth
by Forum Admin on 2007-10-18 18:40:53 +0200
Hello Ben,
which version of IPSecuritas did you use? Only 3.1 (or any beta of 3.1) is
able to talk to Juniper's XAuth implementation. If you were using 3.1, could
you send me a log output from IPSecuritas (with log level set to Debug) to
[email protected]?
Thanks,
Christoph
by bence8810 on 2007-10-18 22:19:23 +0200
Hi Cristoph,
I am happy to announce that I found a couple of mistakes, and after fixing
those, I am now able to connect, and stay connected. I must say, although I
havent used it that much all together, it seems rather stable.
Thanks for all the effort, its a unique tool, and it finally FINALLY allows me
to not have a Windows box at home. I want to send you a bottle of
champagne :)
Cheers
Ben
by gr33d on 2007-10-31 18:26:19 +0100
What did you finally come up with?
I'm having a similar problem creating a simple policy-based VPN between
my Juniper SSG5 and a Cisco PIX 501.
IKE<cisco static ip>: Received initial contact notification and removed Phase
1 SAs
IKE<cisco static ip>: Received initial contact notification and removed Phase
2 SAs
IKE<cisco static ip>: Received a notification message for DOI <1>
<24578> <INITIAL-CONTACT>.
IKE<cisco static ip>: Phase 2: Initiated negotiations.
IKE<cisco static ip>: Phase 1: Completed Main mode negotiations with a
<28800>-second lifetime.
I wasn't even getting negotiations yesterday, but these started today when
I'm test pinging to bring the VPN up.
Thanks in advance
by bence8810 on 2007-11-01 08:58:42 +0100
Hi
Actually I had the PSK wrong :( I know this is such an amature mistake, but
that is what I had.
From your logs though, you are showing a successfull or at least very near
to successful connection. Those are the exact same logs I was getting when
connecting successfuly from the windows PC.
I guess you can fine tune some timings, delays, and timeouts, etc.
Cheers
Ben
IP Securitas Startup
IP Securitas Startup
by Tacitus on 2007-10-19 21:15:00 +0200
I run as user rather than admin. Every time I start IPSecuritas it asks for an
Admin name & password. I think it does this because it is not connected to
the Daemon. Is there anyway the connection can be made automaticaly or
the Daemon run as a startup item? Would there be a security risk with this?
I notice there are two IPSecuritas processes running already, ID 1407 and
769. They are using 0% cpu but around 8.5Mb memory.
Re: IP Securitas Startup
by Tacitus on 2007-10-25 08:55:53 +0200
Any help out there? Please... :-)
no LAN IP when connected to RV042
no LAN IP when connected to RV042
by foilpan on 2007-10-22 15:48:54 +0200
i finally got a working connection between a client's linksys RV042
(firmware 1.3.8.2) and ipsecuritas 3.1, but i don't get an IP in the LAN when
connected.
the linksys config is basically the defaults for a client-to-gateway setup,
and ipsecuritas config mirrors this.
i've tried enabling NAT-T on both sides and NETBIOS and keepalive on the
linksys. with these options enabled or disabled, i'm able to connect but
can't ping or otherwise access anything on the client's LAN.
any ideas?
Re: no LAN IP when connected to RV042
by sortofdumb on 2007-10-24 14:08:50 +0200
Hello,
Have you had any luck getting this to work? I've got an RV042 as well and
I'm curious to know if I can use IPSecuritas with it.
Thanks!
by foilpan on 2007-10-30 13:40:23 +0100
[quote author=sortofdumb link=1193060934/0#1
Have you had any luck getting this to work? I've got an RV042 as well and
I'm curious to know if I can use IPSecuritas with it.
Thanks![/quote]
no, i haven't gotten it to work, but i haven't tested much in the past week.
i'll post back with an update as soon as i have one.
by foilpan on 2007-11-13 22:04:26 +0100
has anyone gotten this to work? i'm still unsuccessful getting ipsecuritas to
connect properly. may thanks for any tips.
mode_cfg not getting IP address from remote host
mode_cfg not getting IP address from remote host
by farlander on 2007-10-27 00:04:04 +0200
I'm using Juniper NetScreen SSG520 (similar to NetScreen-50 in all regards,
when it comes to VPN), set up to use XAuth and Mode_Config, with "Host to
Everywhere" set up. I can log in just fine, and I can ping remote gateway,
however I'm not getting an IP address from a remote host and when I log
into Juniper web GUI I can see that it shows that I'm logging in from a
public IP address, not from an internal IP I'm supposed to get from
Mode_Config.
Bascially, there's no new interface created, and no aliases assigned to any
of the existing ones on my Mac. When I use VPN Tracker, it creates a new
point-to-point interface with an IP address from 172.x.x.x subnet (the
subnet I use for dial-up VPN connections).
Any ideas? Is this a bug in IPSecuritas or am I missing something?
m0n0wall to m0n0wall connection
m0n0wall to m0n0wall connection
by wilfredoz on 2007-10-31 13:58:00 +0100
Hello,
A few weeks ago I posted a message with the subject "connection speed
issue", and I disscoverd that the problem is that I cannot get the connection
right like this: (I CAN connect but network sessions like ssh and vnc hangs
immediately)
computer
(ipsecuritas)---->m0n0wall(ipsec)---->INTERNET---->m0n0wall(ipsec)---->computer
(reversed also fails)
But this configuration works fine:
computer (ipsecuritas)----> any brand
router---->INTERNET---->m0n0wall(ipsec)---->computer
computer (ipsecuritas)----> GPRS/3G via
phone---->INTERNET---->m0n0wall(ipsec)---->computer
Both m0n0walls are a soekris 4501 board with m0n0wall ver. 1.21, NATed
and some basic firewall rules.
Does anyone had the same problem and came up with a solution?
Help much appreciated, thanks!
Netgrar FVS124G connection problem
Netgrar FVS124G connection problem
by robinb on 2007-10-31 14:56:37 +0100
Hi All
I have seen this error msg posted on here but the user then just said sorted
thanks without saying what they did!
I have a Netgear FVS124G and 3.1 IPSecuritas. I have followed to the letter
the installtion guid provided but had no sucess. always with the same error.
I have deleted all settings and tried again but always the same
here is IPS log
IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig
Oct 31, 13:54:51 Info
Oct 31, 13:54:51 Info
Oct 31, 13:54:51 Info
APP IPSec started
Oct 31, 13:54:51 Info
APP Initiated connection JIA
Oct 31, 13:54:51 Info
Oct 31, 13:54:51 Info
Oct 31, 13:54:51 Info
Oct 31, 13:54:51 Info
Oct 31, 13:54:58 Info
Oct 31, 13:55:05 Info
Oct 31, 13:55:12 Info
Oct 31, 13:55:12 Error IKE inappropriate sadb acquire message passed.
Oct 31, 13:55:17 Error IKE 87.194.169.58 give up to get IPsec-SA due to
time up to wait.
Oct 31, 13:55:19 Info
Oct 31, 13:55:24 Warning APP Connection JIA timed out
Oct 31, 13:55:24 Warning APP Giving up
Oct 31, 13:55:29 Info
APP IPSec stopping
Oct 31, 13:55:30 Info
Oct 31, 13:55:30 Info
APP IPSec stopped
Anyone know what I need to do please? I am sure it will be easy
TIA
Robin Bateman
ipsecuritas -> FGT-60
ipsecuritas -> FGT-60
by zoomin on 2007-10-31 17:04:38 +0100
I am using Ipsecuritas 3.0 build 1693 to connect to a dozen different
FGT-60 in our network.
The FGT-60 are all on the same firmware: Fortigate-60
3.00,build0247,060417
The settings are exactly the same on both ends for ALL connections, save,
of course, the things that must be different(networking bits).
All tunnels are established as far as Ipsecuritas is concerned, however on
just some of the FGT-60s, traffic travels from my Mac to the FGT-60 but
not back again.
In these cases, the FGT-60 shows *many* IPSEC connections being made in
the Monitor screen:
erik_161 123.123.123.123:4500
192.168.33.220
erik_152 123.123.123.123:4500
192.168.33.220
erik_143 123.123.123.123:4500
192.168.33.220
erik_134 123.123.123.123:4500
192.168.33.220
erik_180 123.123.123.123:4500
192.168.33.220
erik_171 123.123.123.123:4500
192.168.33.220
erik_162 123.123.123.123:4500
192.168.33.220
erik_153 123.123.123.123:4500
192.168.33.220
erik_144 123.123.123.123:4500
192.168.33.220
erik_135 123.123.123.123:4500
192.168.33.220
erik_181 123.123.123.123:4500
192.168.33.220
erik_172 123.123.123.123:4500
192.168.33.220
erik_163 123.123.123.123:4500
192.168.33.220
erik_154 123.123.123.123:4500
192.168.33.220
erik_145 123.123.123.123:4500
192.168.33.220
[email protected] 926 192.168.71.*
Any direction appreciated.
NOTE: The few tunnels that will now not pass traffic in both directions used
to work, and there have been no changes to configuration of either
endpoint.
The ipsecuritas logs have a few errors in them in regards to the failing
tunnels:
Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP
123.123.123.123[4500]->192.168.33.220[4500]
issue with leopard?
issue with leopard?
by spectre on 2007-10-31 18:12:53 +0100
So I got Leopard on my Macbook and had version 2.2 of IpSecuritas and for
some reason when I connected to my Netscreen VPN it would connect fine
but I wouldn't have any access to the remote network. Upgraded
IPSecuritas to 3.1 and imported the old connection and it worked without a
hitch. Just thought I would post this incase people were having issues with
the old version.
What does "inappropriate sadb acquire message" ?
What does "inappropriate sadb acquire message" ?
by palouis on 2007-11-02 07:14:38 +0100
can someone at least tell me what this cryptic response means?
I have spent days trying to get IPsecuritas working with my NetGear DG834
Put me out of my misery please.
paul
Re: What does "inappropriate sadb acquire message"
by robinb on 2007-11-08 21:31:27 +0100
I too have posted about this but had no reply but just to let you know you
are not alone in having the problem
by palouis on 2007-11-09 04:37:55 +0100
Oh well looks like VPN Tracker for me - no support is no good to me.
Thanks anyway.
by Forum Admin on 2007-11-09 11:58:21 +0100
Hello,
the sadb message is sent by the kernel to the IKE daemon racoon, whenever
a new tunnel needs to be established or when an established tunnel is
about to expire. Some of these messages are not used and therefore
ignored by racoon, leading to this log entry.
I will remove or rename this log entry, since it seems to cause confusion.
Cheers,
Christoph
Connection becomes available - NETSCREEN 5GT
Connection becomes available - NETSCREEN 5GT
by houser on 2007-11-05 13:16:54 +0100
Dear all,
Using IP Securitas 3.1 under OSX 10.5.
Works fine...but the connection becomes unavailable after a while...
I am connecting to a Juniper, NETSCREEN 5GT
and after a while, I can not connect.
Restart fixes it every time..
Any idea of where to tweak a setting?
best
Janne A.
Re: Connection becomes available - NETSCREEN 5GT
by Forum Admin on 2007-11-05 14:15:42 +0100
Hello Janne,
by restart you mean restarting IPSec or rebooting the computer?
Christoph
by houser on 2007-11-05 14:16:47 +0100
Thanx for reply,
Sorry to be unclear, I meant rebooting the computer, as restarting Ip Sec
does not help.
TIA and regards
Janne A.
date=1194268542]Hello Janne,
by restart you mean restarting IPSec or rebooting the computer?
Christoph[/quote]
by Forum Admin on 2007-11-08 09:54:48 +0100
Hello Janne,
could you please check the following? Once the connection becomes
unavailable and a restart of IPSec won't re-establish it, could you run the
command 'sudo ipfw list' and see if there is more than one entry?
Thanks a lot,
Christoph
by houser on 2007-11-08 11:40:14 +0100
I get this line when I type that:
"65535 allow ip from any to any"
sorry, not fluent in Unix...
best
Janne A.
date=1194512088]Hello Janne,
could you please check the following? Once the connection becomes
unavailable and a restart of IPSec won't re-establish it, could you run the
command 'sudo ipfw list' and see if there is more than one entry?
Thanks a lot,
Christoph[/quote]
IPsecuritas 3.1 and Firebox X700
IPsecuritas 3.1 and Firebox X700
by chimera on 2007-11-06 22:07:43 +0100
Hi there,
I'm hardly trying to setup a vpn-connection to a firebox x700. It works
great with VPN-Tracker, so I duplicated the settings from VPN-tracker. I get
the following messages in the logfile:
Nov 06, 22:03:54 Info
Nov 06, 22:03:54 Error APP Tunnel creation failed with errno 39
Nov 06, 22:03:54 Error APP Activation of connection test01 failed
Nov 06, 22:03:54 Info
Nov 06, 22:03:54 Info
APP IPSec started
Nov 06, 22:03:54 Info
Nov 06, 22:03:54 Info
Nov 06, 22:03:54 Info
Nov 06, 22:03:54 Info
Nov 06, 22:03:54 Info
Nov 06, 22:03:59 Info
APP IPSec stopping
Nov 06, 22:04:00 Info
Nov 06, 22:04:00 Info
APP IPSec stopped
I did not follow the configuration instructions on lobotomo's website,
because it took a long time to get the tunnel work with vpn-tracker and I
don't see a reason, why the settings shouldn't work with IPsecuritas.
Can anybody help?
Thanks!
Need Help Dubugging Connection with Cisco PIX 501
Need Help Dubugging Connection with Cisco PIX 501
by yodarunamok on 2007-11-07 16:52:54 +0100
Hello All,
I'm working on setting up a connection to a Cisco PIX 501, and though I've
looked at the log, I'm not sure what it's telling me. Basically, I try to
connect, but the attempt eventually times out. When I look at the log, I see
apparently the same process repeated over and over...
[code]
Nov 05, 09:41:02 Info
192.168.2.8[500]<=>71.216.36.206[500]
Nov 05, 09:41:02 Info
IKE begin Identity Protection mode.
Nov 05, 09:41:02 Debug IKE new cookie:
Nov 05, 09:41:02 Debug IKE 444600aba4c7d84b
Nov 05, 09:41:02 Debug IKE add payload of len 52, next type 13
Nov 05, 09:41:02 Debug IKE 348 bytes from 192.168.2.8[500] to
71.216.36.206[500]
Nov 05, 09:41:02 Debug IKE sockname 192.168.2.8[500]
Nov 05, 09:41:02 Debug IKE send packet from 192.168.2.8[500]
Nov 05, 09:41:02 Debug IKE send packet to 71.216.36.206[500]
Nov 05, 09:41:02 Debug IKE 1 times of 348 bytes message will be sent
to 71.216.36.206[500]
Nov 05, 09:41:02 Debug IKE 444600ab a4c7d84b 00000000 00000000
01100200 00000000 0000015c 0d000038
Nov 05, 09:41:02 Debug IKE 00000001 00000001 0000002c 01010001
00000024 01010000 800b0001 000c0004
Nov 05, 09:41:02 Debug IKE 00015180 80010005 80030001 80020002
80040001 0d000014 4a131c81 07035845
Nov 05, 09:41:02 Debug IKE 5c5728f2 0e95452f 0d000014 8f8d8382
6d246b6f c7a8a6a4 28c11de8 0d000014
Nov 05, 09:41:02 Debug IKE 439b59f8 ba676c4c 7737ae22 eab8f582
0d000014 4d1e0e13 6deafa34 c4f3ea9f
Nov 05, 09:41:02 Debug IKE 02ec7285 0d000014 80d0bb3d ef54565e
e84645d4 c85ce3ee 0d000014 9909b64e
Nov 05, 09:41:02 Debug IKE ed937c65 73de52ac e952fa6b 0d000014
7d9419a6 5310ca6f 2c179d92 15529d56
Nov 05, 09:41:02 Debug IKE 0d000014 cd604643 35df21f8 7cfdb2fc
68b6a448 0d000014 90cb8091 3ebb696e
Nov 05, 09:41:02 Debug IKE 086381b5 ec427b1f 0d000014 16f6ca16
e4a4066d 83821a0f 0aeaa862 0d000014
Nov 05, 09:41:02 Debug IKE 4485152d 18b6bbcd 0be8a846 9579ddcc
0d000018 4048b7d5 6ebce885 25e7de7f
Nov 05, 09:41:02 Debug IKE 00d6c2d3 80000000 00000014 afcad713
68a1f1c9 6b8696fc 77570100
Nov 05, 09:41:02 Debug IKE resend phase1 packet
444600aba4c7d84b:0000000000000000
Nov 05, 09:41:09 Info
APP Initiated connection Nifty West
Nov 05, 09:41:09 Debug IKE get pfkey ACQUIRE message
Nov 05, 09:41:09 Debug IKE 02060003 14000000 45000000 73410000
03000500 ff200000 10020000 c0a80208
Problems With Securitas and VPN-1 Edge X ADSL
Problems With Securitas and VPN-1 Edge X ADSL
by yakuzah on 2007-11-07 21:03:25 +0100
I have just discovered this software on Macupdate and am testing it at the
moment. If it works for me I would be happy to donate via Paypal, but I am
experiencing some weird problems, and was wondering if anyone could
help?
I am using a Checkpoint VPN-1 Edge X (Safe@office) device on a UK ADSL
Broadband service and have enabled VPN on the router to allow remote
access to my home network.
I initially tried the "Checkpoint VPN-1" Profile using the supplied wizard,
but could never get past Phase One authentication. So I thought I would try
Safe@Office, and to my surprise I got a green light in the IPSecuritas Status
window.
The problem is even though I can connect, I can not ping anything through
the established tunnel?
If I use a windoze machine using Checkpoint Secure Client I get connected
fine and can ping through the tunnel to devices on the other side, but I can
not ping when using the tunnel and IPSecuritas.
Can anyone possibly advise or help? If I type netstat -rn on the command
line, the right IP addresses appear to be there, just can't get connected.
I am running Leopard 10.5
Thanks
G ;)
Re: Problems With Securitas and VPN-1 Edge X ADSL
by yakuzah on 2007-11-12 16:58:57 +0100
Well no one has replied no I guess this software does not work for me?
I am looking at the routes on the Mac when a VPN is established with
Securitas and then comparing them with Checkpoint under windows, and
the allocated IP address and default gateway that Securitas thinks is correct
is all Wrong!!
I can not seem to correct the route entries either, so I am stuck with a
workin tunnel with no IP connectivity...
Oh well guess I will have to wait for Xmas 2020 for Checkpoint to release
their client... :(
Openswan Connection fails
Openswan Connection fails
by gerritche on 2007-11-08 11:58:25 +0100
Hello, there,
I'm trying unsuccessfully to connect with Version 3.x to a FreeSWAN/
openSWAN Gateway. Version 2.1 works beautifully and importing the details
into 3.x succeeds but connection fails. IPSecuritas claims a collision of local
host and remote network addresses and refuses to start a connection. The
firewall admin doesn't find any connection attempts in his logs.
In "Firewalladdress" I enter the address of the IPSec Gateway.
In "Local IP for Host" I enter the address I got from the administrator of the
VPN Gateway.
In "Remote Network" I set 10.0.0.0/8.
IPSecuritas seems to be unhappy with these settings though they work fine
in the older version.
Any ideas?
Best regards :)
Gerrit
Re: Openswan Connection fails
by Forum Admin on 2007-11-08 13:01:52 +0100
Hello Gerrit,
enabling the option 'Local IP in remote network' should resolve this issue.
Hope this helps,
Christoph
Tunnelling from DrayTek Vigor to Sonicwall Pro
Tunnelling from DrayTek Vigor to Sonicwall Pro
by DerekF on 2007-11-09 19:12:48 +0100
Hi,
I've got IPSecuritas set up on my MacBook to connect to one of my clients'
VPNs, which is hosted on a Sonicwall Pro 2040. I generally have no
problems accessing the 2040. However, I often encounter intermittent
problems when my MacBook is behind a DrayTek Vigor 2910 router. What
seems to happen is the VPN tunnel, for some reason, cannot be
re-established at some point, then I have to actually stop the VPN in
IPSecuritas, wait at least 15 minutes, then try connecting again. Sometimes
it works, sometimes it doesn't. Rebooting the DrayTek seems to do the
trick, but this is obviously not an ideal solution since that affects everyone
in our office. We are running the latest DrayTek firmware for this model
(3.1.0.1).
I realize this sounds like an issue with the DrayTek router, but has anyone
else encountered this problem before? I haven't found any configuration
options in the DrayTek web interface that might be causing these
problems...
Thanks in advance!
Re: Tunnelling from DrayTek Vigor to Sonicwall Pro
by DerekF on 2007-11-09 23:44:23 +0100
I was able to reproduce this condition just now. Here is a snippet of the
debug log if it helps:
Nov 09, 17:36:17 Info
192.168.1.112[500]<=>xxx.xxx.xxx.xxx[500]
Nov 09, 17:36:17 Info
Nov 09, 17:36:17 Debug IKE new cookie:
Nov 09, 17:36:17 Debug IKE 33b733c8f62a4ebe
Nov 09, 17:36:17 Debug IKE use ID type of IPv4_address
Nov 09, 17:36:17 Debug IKE compute DH's private.
Nov 09, 17:36:17 Debug IKE 4b4e15df b841bd78 d8b4ea02 f8612e55
906bafe6 3e56b3ba afcb2090 f2a5db7d
Nov 09, 17:36:17 Debug IKE ac6a2312 bde6c528 9ca12ee2 b3a29284
6f16b16d 165807f2 c7daee43 ad5ff4d5
Nov 09, 17:36:17 Debug IKE 7d52a343 df805b3b 733de06a f4352bef
0e7c71a0 2d8fdfa2 f02ae55a 97ecb912
Nov 09, 17:36:17 Debug IKE 748c3244 fba8af07 b8092555 5f355a16
5f64d545 efc078eb ff50e35a d5498311
Nov 09, 17:36:17 Debug IKE compute DH's public.
Nov 09, 17:36:17 Debug IKE 2ddd8cc6 8a74e8bd 706967d9 190e8b8b
2304340f a60bfc7f 13921143 d3b2cc0b
Nov 09, 17:36:17 Debug IKE 5c8c298c c8a3de89 75808fc7 2a334099
26d3bbbb 5916caf0 db95c838 4be219b8
Nov 09, 17:36:17 Debug IKE 9abc94c1 1cd42aee 19394d40 f7cd1fa3
ec374bb3 0cb35396 8e5838b0 455c4d2c
Nov 09, 17:36:17 Debug IKE de2068b0 b1907a53 c4e3db8f c7811f77
ba7801a5 0490bb63 965a7a1c 0ff974f6
Nov 09, 17:36:17 Debug IKE authmethod is pre-shared key
Nov 09, 17:36:17 Debug IKE 264 bytes from 192.168.1.112[500] to
xxx.xxx.xxx.xxx[500]
Nov 09, 17:36:17 Debug IKE sockname 192.168.1.112[500]
Nov 09, 17:36:17 Debug IKE send packet from 192.168.1.112[500]
Nov 09, 17:36:17 Debug IKE send packet to xxx.xxx.xxx.xxx[500]
Nov 09, 17:36:17 Debug IKE 1 times of 264 bytes message will be sent
to xxx.xxx.xxx.xxx[500]
Nov 09, 17:36:17 Debug IKE 33b733c8 f62a4ebe 00000000 00000000
01100400 00000000 00000108 04000034
Nov 09, 17:36:17 Debug IKE 00000001 00000001 00000028 01010001
00000020 01010000 800b0001 800c7080
Nov 09, 17:36:17 Debug IKE 80010005 80030001 80020002 80040002
0a000084 2ddd8cc6 8a74e8bd 706967d9
Nov 09, 17:36:17 Debug IKE 190e8b8b 2304340f a60bfc7f 13921143
d3b2cc0b 5c8c298c c8a3de89 75808fc7
Nov 09, 17:36:17 Debug IKE 2a334099 26d3bbbb 5916caf0 db95c838
4be219b8 9abc94c1 1cd42aee 19394d40
Nov 09, 17:36:17 Debug IKE f7cd1fa3 ec374bb3 0cb35396 8e5838b0
455c4d2c de2068b0 b1907a53 c4e3db8f
Nov 09, 17:36:17 Debug IKE c7811f77 ba7801a5 0490bb63 965a7a1c
0ff974f6 05000014 ec6a0571 16d9677d
Nov 09, 17:36:17 Debug IKE f1e0ee58 300bb493 0d00000c 011101f4
c0a80170 00000014 afcad713 68a1f1c9
Nov 09, 17:36:17 Debug IKE 6b8696fc 77570100
Nov 09, 17:36:17 Debug IKE resend phase1 packet
33b733c8f62a4ebe:0000000000000000
...
Nov 09, 17:36:31 Info
APP Initiated connection HTC
by DerekF on 2007-11-15 16:59:34 +0100
FWIW, ever since I assigned a static (internal) IP address for my MacBook to
the DrayTek router a couple of days ago, I've not seen a recurrence of this
problem. *crosses fingers*
If this is the solution, then I hope it helps someone out!
by DerekF on 2007-11-19 16:21:00 +0100
Just a followup: I thought this "solution" was working, but it is no longer. :'(
Nobody can offer any clues?
by DerekF on 2007-11-23 09:03:36 +0100
Well, in case this helps anyone, downgrading the firmware from 3.1.2 to
3.0.7 appears to have at least temporarily solved my VPN issues. In fact,
since upgrading to the 3.1.2 version that was released a couple of days
ago, I had been completely unable to use my VPN. IPSecuritas would show
a green light as if everything was okay, but no traffic was going through the
VPN. However, in the last few hours since I've downgraded the firmware, all
seems okay so far...
by racoon on 2007-11-23 10:57:02 +0100
Where can you download the archived version from?
by DerekF on 2007-11-23 18:31:04 +0100
[quote author=racoon link=1194631968/0#5 date=1195811822]Where
can you download the archived version from? [/quote]
Click the "more edition" link in the bottom left corner of the "Firmware of
Vigor 2910..." box [url]http://www.draytek.com/support/download
/Vigor2910.php#Firmware[/url]. It'll take you to their FTP site where they
store previous versions of the firmware.
by wailaki on 2007-11-27 21:21:50 +0100
Derek, I work for SonicWALL and we have a customer needing expert help
with ipsecuritas connecting to a similar SonicWALL Pro Model. What version
of SonicOS are you running (version # and Standard vs. Enhanced)?
Thanks in advance.
by DerekF on 2007-11-28 17:54:38 +0100
[quote author=wailaki link=1194631968/0#7 date=1196194910]Derek, I
work for SonicWALL and we have a customer needing expert help with
ipsecuritas connecting to a similar SonicWALL Pro Model. What version of
SonicOS are you running (version # and Standard vs. Enhanced)?
Thanks in advance.[/quote]
Hi,
We are running SonicOS Enhanced 3.2.3.0-6e.
FYI, since downgrading our Draytek's firmware as previously mentioned, I
have had no further connection issues to our Sonicwall.
FYI #2: I never had any issues connecting to our Sonicwall through my
Linksys router at home.
by wailaki on 2007-11-28 18:19:29 +0100
Thanks Derek. I'll search upthread, but I believe you had this working with
NAT-Traversal enabled on the ipsecuritas side?
by DerekF on 2007-11-28 18:30:57 +0100
[quote author=wailaki link=1194631968/0#9 date=1196270369]Thanks
Derek. I'll search upthread, but I believe you had this working with
NAT-Traversal enabled on the ipsecuritas side?[/quote]
NAT-Traversal never made a difference either way. When it was working
(including now), it was working with or without NAT-T enabled. When it
wasn't working, enabling NAT-T didn't make a difference..
by wailaki on 2007-11-28 18:41:35 +0100
Thanks Derek. PM me with your account on www.mysonicwall.com and I'll
give you a gift for your efforts.
Not connecting in Leopard
Not connecting in Leopard
by syber on 2007-11-12 02:51:47 +0100
I did a clean install of Leopard and used Export/ Import to copy my
configuration from Tiger and now it seems that Ipsecuritas no longer
connects to my VPN. It says that the connection times out. However, it
seems to timeout long before the set timeout ( in seconds ). Phase 1 is
supposed to timeout in 360 seconds.
Log
Nov 11, 20:48:38 Info
APP Smart Environment Detection enabled
Nov 11, 20:48:39 Info
Nov 11, 20:48:39 Info
APP IPSec starting
Nov 11, 20:48:39 Info
APP Smart Environment Detection: Start
Nov 11, 20:48:39 Error IKE Foreground mode.
Nov 11, 20:48:39 Info
Nov 11, 20:48:39 Info
Nov 11, 20:48:39 Info
Nov 11, 20:48:39 Info
Nov 11, 20:48:39 Info
APP Initiated connection Office
Nov 11, 20:48:39 Error IKE inappropriate sadb acquire message passed.
Nov 11, 20:48:46 Info
Nov 11, 20:48:53 Info
Nov 11, 20:49:00 Info
Nov 11, 20:49:07 Info
Nov 11, 20:49:09 Error IKE phase1 negotiation failed due to time up.
7ce6c32f663c8b06:0000000000000000
Nov 11, 20:49:10 Error IKE phase2 negotiation failed due to time up
waiting for phase1. ESP ***********[500]->192.168.1.175[500]
Nov 11, 20:49:14 Info
Nov 11, 20:49:21 Info
Nov 11, 20:49:28 Info
Nov 11, 20:49:35 Info
Nov 11, 20:49:42 Warning APP Connection Office timed out
Nov 11, 20:49:42 Warning APP Giving up
Re: Not connecting in Leopard
by syber on 2007-11-12 18:56:13 +0100
I've confirmed that this issue only exists when connecting via WLAN.
Connecting via WLAN on my macbook works fine but not on my macbook
pro.
by planetzeos on 2007-12-12 18:10:52 +0100
We've duplicated the same issue.
Same cert on tiger and leopard.
Same configuration on fresh installs of tiger and leopard.
Tiger connects using wifi
Leopard does not connect using wifi -- it times out on phase1 from the log
Checkpoint VPN-1 with Certificates on macbook pro's
by cottard on 2008-01-31 15:35:07 +0100
I've also run across this issue: Leopard and Wifi. Currently forced to run
Windows XP in Parallels and connect with Checkpoint SecureClient - as I
share a connection with my neighbours via Wifi. I'm really looking forward
to using IPSecuritas (free, vendor-agnostic) to connect to my work VPN!
by jrsharp on 2008-08-08 18:25:51 +0200
Can anyone comment on the current status of this issue?
XAuth + RSA mutual authentication
XAuth + RSA mutual authentication
by Daniel on 2007-11-14 21:57:30 +0100
Hey guys,
I'm trying to set-up IPSecuritas 3.1 to connect to our corporate Netscreen
SSG140 firewall. Mutual authentication with RSA certificates works like a
charm. However, when I try to add XAuth I run into an issue. It seems like
IPSecuritas doesn't support XAuth with RSA mutual authentication?
Unfortunately, hybrid mode is not supported by Netscreen, and I really like
the thought of using certificates (we already have our own company-wide
PKI).
On the ID page I've got the following selected:
- Local ID: certificate
- Remote ID: certificate
- Authentication method: XAuth RSA
The GUI seems to accept this selection, even though I'm unable to select my
local and peer certificate. The debug log shows:
Nov 14, 21:54:59 Debug APP State change from IDLE to
Nov 14, 21:54:59 Info
Nov 14, 21:54:59 Info
Nov 14, 21:54:59 Debug APP State change from AUTHENTICATING to
Nov 14, 21:54:59 Info
APP IPSec started
Nov 14, 21:54:59 Debug APP Received SADB message type
X_SPDUPDATE - not interesting
Nov 14, 21:54:59 Debug APP Received SADB message type
Nov 14, 21:54:59 Info
Nov 14, 21:55:00 Info
Nov 14, 21:55:00 Info
Nov 14, 21:55:00 Info
Nov 14, 21:55:00 Info
Nov 14, 21:55:00 Error IKE /Library/Application Support/Lobotomo
Software/IPSecuritas/racoon.conf:55: "}" ASN1 ID not specified and no CERT
defined!
Nov 14, 21:55:00 Error IKE
Nov 14, 21:55:00 Error IKE fatal parse failure (1 errors)
Nov 14, 21:55:00 Error IKE racoon: failed to parse configuration file.
Nov 14, 21:55:00 Info
Nov 14, 21:55:00 Debug APP State change from RUNNING to IDLE after
event RECONFIGURE
Nov 14, 21:55:00 Info
APP IPSec terminated
Nov 14, 21:55:00 Debug APP Received SADB message type X_SPDDELETE
- not interesting
Nov 14, 21:55:00 Debug APP Received SADB message type X_SPDDELETE
- not interesting
Nov 14, 21:55:00 Debug APP Received SADB message type X_SPDFLUSH
- not interesting
Nov 14, 21:55:00 Debug APP Received SADB message type FLUSH
Nov 14, 21:55:00 Debug APP SA change detected
Re: XAuth + RSA mutual authentication
by Daniel on 2007-11-15 22:19:06 +0100
I did some more diggin' on this and it seems the generated config is indeed
for XAuth + RSA hybrid authentication:
Part of the /Library/Application Support/Lobotomo Software/IPSecuritas
/racoon.conf file:
# Connection "test"
remote X.X.X.X
{
verify_cert on;
verify_identifier on;
initial_contact on;
passive off;
support_proxy off;
generate_policy off;
verify_cert on;
send_cert on;
send_cr on;
mode_cfg off;
ike_frag off;
doi ipsec_doi;
situation identity_only;
nat_traversal on;
exchange_mode main;
proposal_check obey;
nonce_size 16;
my_identifier asn1dn;
peers_identifier asn1dn;
xauth_login "daniel";
proposal
{
lifetime time 28800 seconds;
encryption_algorithm aes 128;
hash_algorithm sha1;
authentication_method hybrid_rsa_client; <=== the GUI needs to
change this to xauth_rsa_client
dh_group modp1024;
}
}
It does seem that the version of racoon IPSecuritas uses already supports
XAuth + RSA mutual authentication:
bash-3.2# strings /Applications/IPSecuritas.app/Contents/Resources
/racoon | grep xauth_rsa
xauth_rsa_server
xauth_rsa_client
Sooo, any chance you guys can add this option to the GUI ? Shoudn't be too
hard to add, no? :)
Thanks.
by Daniel on 2007-11-15 22:20:01 +0100
And of course the GUI needs to add the "certificate_type" parameter to the
above config :)
by Forum Admin on 2007-11-16 10:35:50 +0100
Hi Daniel,
thank you very much for your investigation. I will have a look at racoon and
what's possible
Cheers,
Christoph
by Forum Admin on 2007-11-16 21:20:22 +0100
Hello Daniel,
done - do you want to test it?
Cheers,
Christoph
by Daniel on 2007-11-19 22:23:06 +0100
Hell yeah! If you drop me an email where I can download it, I'd be more
than happy to give it a shot! :)
by markguz on 2007-11-26 11:48:41 +0100
Hi there, we're also using Xauth-rsa with netscreen isg2000s. I wonder if it
would be possible to have access to this test verison you mention here to
test against our setup as we are very keen to start using this software.
Kind regards
Mark Guz
RIPE NCC
http://www.ripe.net
by Forum Admin on 2007-11-26 22:54:28 +0100
Hello,
a preview version of 3.1.1 is available from [url]http://www.lobotomo.com
/products/downloads/IPSecuritas311p1.dmg[/url].
Please report and problems (and successes too, please) to
[email protected]
Cheers,
Christoph
by markguz on 2007-11-29 14:36:29 +0100
Hi there,
This preview version is a step closer to working with our setup. However
closer inspection of our VPN Tracker configuration shows that we are using
Certificates + XAuth. At present there doesn't seem to be an option for this
within ipsecuritas, or the racoon version underneath it. Is this a hard
change or an easy change to implement?
Thanks for your support so far guys
Cheers
Mark Guz
RIPE NCC
http://www.ripe.net
FVS318 setup
FVS318 setup
by kamikaze2112 on 2007-11-20 16:42:53 +0100
I purchased an FVS318 V1 (running the 2.4 firmware) to use on my home
network so I can securely access my files and use VNC, but I can't seem to
get it working with IPSecuritas. This is way more complicated than I was
expecting. Here's all the info that I think is relevant:
I'm using DSL with a dynamic IP, however I am using a DDNS service and it's
setup and working properly. DDNS hostname is kiddt.homeip.net. My LAN
is 10.1.35.0. The computer that I will be using to connect to the VPN is
behind a NAT router and all the VPN protocols are allowed for pass-thru.
I'm not sure what other info is necessary, but whatever is needed to get this
working I'll try my best to provide.
Thanks in advance.
Re: FVS318 setup
by bstender on 2007-11-29 01:46:57 +0100
wish i had an answer for you, bc it would be because i had successfully
solved the identical problem. well, same box and same software, after that
it is a very large set of variables.
waaaaaay too complicated for 2007 it seems to me. last time i faced this (2
yrs ago) i ended up buying vpntracker and i was up and running in no time.
i would do that now but the vpntracker isnt ready for leopard yet so i'm
trying again to make it work. sigh. i used to enjoy these challenges, but i'm
getting too old to watch my life drain away for this!
but it is really cool that this product exists and gives me a fighting chance.
an amazing amount of effort and a nice looking piece of software. is this
thing all volunteer?
-newbie bill
MODE_CFG not working?
MODE_CFG not working?
by gswallow on 2007-11-20 17:49:56 +0100
Hi,
I just got started with IPSecuritas today, in response to my Checkpoint not
working in Leopard. Everything seems to go peachy with IPSecuritas, save
for "Office Mode"/MODE_CFG. My Checkpoint Firewall reports that I've
authenticated using my certificate (!! -- nice job!), then reports that I've
gone successfully through IKE quick mode, and hands off SA's.
According to my firewall, I'm in. However, I try to initiate TCP connections
and I see rejects with source = IP address of my laptop (not Office mode
address). Also, the connection beacon for my connection goes green, but
the logs window reports that Phase 2 failed due to a Phase 1 timeout.
I've tried this using DHCP for my wireless setup, and using a static IP
address as I've seen some people suggest. I also looked at the files in
/Library/Application Support/Lobotomo... but they appear to be volatile,
disappearing when I start / stop IPSec connections. Any ideas? I'd be more
than willing to test / report issues.
Re: MODE_CFG not working?
by Daniel on 2007-11-20 19:01:45 +0100
once connected, open up Terminal and type 'ifconfig gif0'. This should be
your 'virtual' tunnel interface with the IP address you received through
mode_cfg.
by gswallow on 2007-11-20 22:48:33 +0100
dhcp-88:~ gswallow$ ifconfig gif0
That's it. I get plenty of these with TCPdump:
16:49:01.013330 IP 172.16.42.88 > vpn.xxx.com:
ESP(spi=0x734cd09f,seq=0x41), length 124
16:49:01.128750 IP 172.16.42.88 > vpn.xxx.com:
ESP(spi=0x734cd09f,seq=0x42), length 124
I also get plenty of rejects on my firewall from connection attempts from
my original address. The tunnel's coming up, but gif0 isn't being assigned
an IP address?
by racoon on 2007-11-22 10:11:48 +0100
Has any one resolved this issue as im getting the same problems.
No ip being assiged to the adapter!!. gif0
by phila on 2007-11-24 23:05:57 +0100
same problem here. 10.5.1 and a checkpoint firewall on the other side.
by gswallow on 2007-11-26 15:49:12 +0100
Hey again,
I'm on the verge of downgrading OS X back to 10.4.x since I can't do critical
things out of the office, like manage my servers. Any chance someone is
looking at this issue, first?
Thanks.
by Forum Admin on 2007-11-26 17:20:56 +0100
Hello,
could you please send me an IPSecuritas log with lo level set t Debug to
[email protected]? It seems that MODE_CFG is never run or fails.
Cheers,
Christoph
Repair Permissions deleted config?
Repair Permissions deleted config?
by starlir on 2007-11-21 07:55:41 +0100
Been using V3 for a number of months and recently upgraded to Leopard
with no problems. Yesterday decided to do a Repair Permissions for first
time, afterwards my IPSecuritas config had completely disappeared,
including my certificate in certificate manager. I was able to reimport the
config from V2.x. I cannot be certain that Repair Permissions has caused
this problem but the co-incidence is suspicious and I don't see what else
could have deleted the config.
D-Link DFL-1600
D-Link DFL-1600
by Gunverth on 2007-11-29 12:08:45 +0100
Hi all!
I've been trying IPSecuritas on a DFL-1600 for a couple of days now. No
success!
VPN Tracker works fine with the included DFL-800 preset.
Anybody out there with fresh ideas what to try next in the IPSecuritas
config?
XAUTH is mandatory. Unfortunately I'm not in the position to manage the
firewall itself. Just using it.
Openswan with transport mode
Openswan with transport mode
by rmoore on 2007-12-01 00:21:16 +0100
I am connecting to a Linux server running Openswan in transport mode.
Upgrading the client from Tiger to Leopard broke that connection, which
led me to try IPSecuritas. At first, this didn't work either; I would always get
the red status indicator for the connection, even though I set it for a
transport connection and matched settings, parameter for parameter, with
the host computer.
I found that switching the connection from a host-to-host transport
connection, to a host-to-anywhere connection, caused the status indicator
to go yellow, indicating partial progress towards a connection, but still no
dice. I noticed that the psk.txt file generated by IPSecuritas was empty, even
though I specified a preshared key.
Finally, after playing with every other option, I switched back to a
host-to-host connection. Strangely, the check box to select a transport
mode connection was gone. However, equally strangely, the connection was
working! So now I'm happy, but does anybody know what happened there?
One other comment. When I boot up and log in, the IPSecuritas button is in
the menu bar, but I have to manually start the connection. Is there any way
to make it start automatically?
Re: Openswan with transport mode
by rmoore on 2007-12-10 17:59:16 +0100
I should report that the problem of not having the connection automatically
established on login seems to have gone away on its own.
However, after getting IPSecuritas working on our Leopard machine, I
decided to try it on our other MacBook, which is still running Tiger. By
setting it up field for field to match the Leopard configuration, I couldn't get
a connection to my Openswan server no matter how many times I tried.
Then I exported the configuration from the Leopard MacBook and imported
it on the Tiger MacBook, and now both are working.
It's troubling that I was only able to get this configuration working on Tiger
by importing from Leopard, and that I was only able to get it working on
Leopard by shear luck. On the plus side, both systems seem to be stable
now.
Next I will try comparing the outputs from "setkey -P -D" resulting from a
manual configuration and from the imported configuration, and if I see any
interesting differences I will post those here.
RV042 - any successful connections?
RV042 - any successful connections?
by [email protected] on 2007-12-04 18:35:57 +0100
Has anyone been able to successfully connect to the Linksys RV042?
I just made the switch to Apple, and was used to the luxury of the Linksys
QuickVPN client.
Does anyone have *detailed* instructions for configuring both sides to
make this work? Firmware 1.3.8.2.
I found a couple of other posts via google, but had no success after
following instructions, including this post - http://www.linksysinfo.org
/forums/showthread.php?t=49879.
I'm probably missing a couple of extra details I should know about, but
don't unfortunately.
Thanks so much for any help Paul
WG Fireware Pro with IPSecuritas and Securid (RSA)
by gorstein on 2007-12-11 12:29:33 +0100
Trying to get this combination to work, but still no success
Here is a doc how to set it up: http://www.lobotomo.com/products
/IPSecuritas/howto/WatchGuard%20Firebox%20HOWTO.pdf
But if I put it up like that I cannot use Xauth (at least no in any way I can
figure out), ok then I try to put it up in "normal way" like the way you set up
a VPN client in this box, and now I got problem with authentication of the
client (see below (IP's are changed))
2007-12-11 10:54:31 iked WARNING: Rejected phase 1 aggressive mode
from 100.5.33.196 to 100.5.33.212 (no matching policy) cookies
i=eab20266 65142077 r=00000000 00000000
2007-12-11 10:54:31 iked Searching ID: user domain - myData [vpn]
peerId [vpn_mu]
2007-12-11 10:54:31 iked Searching ID: user domain - myData [vpn_mu]
peerId [vpn_mu]
2007-12-11 10:54:31 iked ike_match_proxy_id: peer ID type (0) not
supported 5
2007-12-11 10:54:31 iked CreateIsakmpSA : get rasUserGroupId=3
Look at: "peer ID type (0) not supported 5".
And: "The MUVPN on Fireware expects the client software to use Full
qualified Username as the ID of the Client, the remote ID (Firebox) is IP
Address."
So how to tell the Ipsecuritas to use "Full qualified Username as the ID", is it
possible?
any answer welcome best reg /Goran
Problem with Ipsecuritas "Full qualified Username"
Problem with Ipsecuritas "Full qualified Username"
by gorstein on 2007-12-13 08:47:35 +0100
Trying again with another topic :-) guess my old thread were misleading
11. Dec 2007 at 12:29
Trying to get this combination to work, but still
no success
Here is a doc how to set it up: http://www.lobotomo.com/products
/IPSecuritas/howto/WatchGuard%20Firebox%20HOWTO. pdf
But if I put it up like that I cannot use Xauth (at least no in any way I can
figure out), ok then I try to put it up in "normal way" like the way you set up
a VPN client in this box, and now I got problem with authentication of the
client (see below (IP's are changed))
2007-12-11 10:54:31 iked WARNING: Rejected phase 1 aggressive mode
from 100.5.33.196 to 100.5.33.212 (no matching policy) cookies
i=eab20266 65142077 r=00000000 00000000
2007-12-11 10:54:31 iked Searching ID: user domain - myData [vpn]
peerId [vpn_mu]
2007-12-11 10:54:31 iked Searching ID: user domain - myData [vpn_mu]
peerId [vpn_mu]
2007-12-11 10:54:31 iked ike_match_proxy_id: peer ID type (0) not
supported 5
2007-12-11 10:54:31 iked CreateIsakmpSA : get rasUserGroupId=3
Look at: "peer ID type (0) not supported 5".
And: "The MUVPN on Fireware expects the client software to use Full
qualified Username as the ID of the Client, the remote ID (Firebox) is IP
Address."
So how to tell the Ipsecuritas to use "Full qualified Username as the ID", is it
possible?
IPSecuritas + Linksys RVS4000
IPSecuritas + Linksys RVS4000
by abalamut on 2007-12-13 14:30:25 +0100
Hello everybody, yestoday I bought Linksys RVS4000 & fund that I cant easy
setup vpn connection beetwen Linksys RVS4000 & my macintosh (10.5.1). I
ask at linksys forum, but they told me that I should ask here.
So, can anybody help me how setup vpn connection? I have tried but can
not.
FREE 1 GB Resell Rights eGoods as bonus?
FREE 1 GB Resell Rights eGoods as bonus?
by sacxooo on 2007-12-14 00:57:06 +0100
web-packages.com
Download FREE 548 ebooks from 19 categories!
Among them:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
Arts
Automobiles
Business
Computers
Education
Fiction
Games
Health & Beauty
Home & Family
Internet Marketing
Kids & Teens
Music
Real Estate
Reference
Self-Improvement
Shopping
Society
Sports
Travel & Recreation
Also much more Web Sites, Scripts and a lot of SOFT for you site!
Visit NOW!
web-packages.com
IPCOMP with IPSecuritas
IPCOMP with IPSecuritas
by rodknocker on 2007-12-14 11:43:21 +0100
Hello!
I can't found an option to turn IPCOMP on :(
Where is this option (in the GUI)?
Greetings
David
Leopard and/or SonicWall
Leopard and/or SonicWall
I had a load of problems setting up IPSecuritas to work with our SonicWall
4100 Pro at work but eventually it did work perfectly. Since upgrading my
MacBook to Leopard though I have not been able to connect....or at the
most I can connect and ping the SonicWall but nothing else on the remote
network.
I have not changed the config file, and I tried a complete removal and
reinstall of IPSecuritas but it doesn't make a difference. Has anyone else
had this problem with Leopard and/or a SonicWall. As far as I can tell
everything I have entered that can match the settings on the Sonicwall does
match...here are my settings:
Remote IPSec Device: Sonicwall IP
Local Endpoint: Host (left blank as dhcp on sonicwall)
Remote Endpoint: Networks (have added all internal network ranges)
Phase 1
Lifetime: 28800
DH Group: 1024 (2)
Encryption: 3DES
Authentification: SHA-1
Exchange Mode: Aggressive, Main
Nonce Size: 16
Phas 2
Lifetime: 28800
PFS Group: 1024 (2)
Encryption: 3DES
Authentification: HMAC SHA-1
ID
Remote Identifier: FWDN (with number from sonicwall)
Authentification Method: XAuth PSK (with preshared key and
username/password entered)
DNS
Internal (remote) domains and dns servers entered
Options
IPSec DOI
SIT_IDENTIFY_ONLY
Initial Contact
Local IP in Remote Network
Generate Policy
Request Certificate
Send Certificate
Unique SAs
WG Firebox with XAUTH
WG Firebox with XAUTH
by mellander on 2007-12-30 21:41:23 +0100
I've done some extensive testing to get IPSecuritas to work with the
WatchGuard Firebox using external authentication to a RADIUS server
(XAUTH).
If I specify the local tunnel IP statically in the client, it works. But there is no
XAUTH happning. (Seems like sort of a bug in the Firebox which allows me
establish a tunnel anyway, but it can be discussed, since firewall rules
defined on usergroup of Filter-IDs returned by the RADIUS server don't
work anyway... Perhaps IKE/IPSec/XAUTH is designed this way, that a tunnel
actually can be defined even before the XAUTH is accepted.)
If I try and set it up as a local client (user account local in the Firebox)
instead, it works. But that is more or less the same thing as defining it in a
L2L tunnel, as described by your guide. But that's only handy for a handful
of clients or so. If XAUTH would work, it would bring alot of advantages, if
REM_CFG works that is...
I've done a detailed comparision with WatchGuards own OEM VPN client
(they recently changed from SafeNet to NCP).
I don't know why the XAUTH is not initiated properly, but I'm hoping that
you find something out from the logs and packet traces that I've sent.
There's both logs from the Firebox, the VPN client(s) and packet captures at
the client.
Thanks in advance.
Connection problems with SonicWall PRO1060
Connection problems with SonicWall PRO1060
by shadowman on 2008-01-05 17:13:54 +0100
[font=Verdana]Hello
I'm trying to connect with Mac OSX Leopard to a network with an SonicWall
PRO1060. I followed the wizard to set up my connection in IPSecuritas and
read trough the template manual of SonicWall PRO,deliverd with the
application. I cannot connect.
This is what i'm seeing in my logging of IpSecuritas:[/font]
[font=Courier]Error
for phase1[/font]
[font=Courier]Info
IKE phase2 negotiation failed due to time up waiting
IKE delete phase 2 handler.[/font]
[font=Verdana]And this is what i'm seeing in my SonicWall logs:[/font]
[font=Courier]IKE Responder: IKE proposal does not match (Phase 1)[/font]
Does anyone know a method that i connect and doesnt't see this errors
anymore.If more information is needed, just ask me and i will post it in this
topic. Thanks for the help in advance.
Guido
Manually removing IPsecuritas
Manually removing IPsecuritas
by antonij on 2008-01-06 03:05:10 +0100
Hi,
The uninstaller that comes with the program fails to uninstall it from my
machine. Any advise on removing it manually?
Antoni J.
Re: Manually removing IPsecuritas
by Forum Admin on 2008-01-07 00:12:28 +0100
Hello Antoni,
sorry that the uninstaller is not working. To manually remove all
components of IPSecuritas, you will need to remove the following
directories and folders
/Library/StartupItems/IPsecuritasDaemon
/Library/Application Support/Lobotomo Software/IPSecuritas
~/Library/Preferences/com.lobotomo.IPSecuritas.plist (in your home
folder)
~/Library/Widgets/IPSecuritas.wdgt
The application itself.
To stop the menu bar item, press and hold the Alt key while opening the
menu. A Quit item will appear as the last entry in the menu,
Hope this helps,
Christoph
Checkpoint VPN-1 with SecurID
Checkpoint VPN-1 with SecurID
by kridan on 2008-01-10 05:45:27 +0100
I've searched the forums, newgroups, and manuals and can't seem to find
anyone using Checkpoint with SecurID. With our setup at work, I use a
usernname, a PIN, and then current SecurID token.
I know I'm close though, since I'm getting a bad un/pw message from the
remote site. Here is the log:
[code]Jan 09, 23:21:11 Info
Jan 09, 23:21:11 Info
Jan 09, 23:21:11 Info
APP IPSec started
Jan 09, 23:21:11 Warning IKE Foreground mode.
Jan 09, 23:21:11 Info
Jan 09, 23:21:11 Info
Jan 09, 23:21:11 Info
Jan 09, 23:21:11 Info
Jan 09, 23:21:11 Info
APP Initiated connection Cognos
Jan 09, 23:21:11 Error IKE inappropriate sadb acquire message passed.
Jan 09, 23:21:12 Warning IKE ignore 2nd CERT payload.
Jan 09, 23:21:12 Warning IKE No ID match.
Jan 09, 23:21:12 Warning IKE Ignored attribute XAUTH_CHALLENGE_VPN1
Jan 09, 23:21:13 Warning IKE Ignored attribute XAUTH_CHALLENGE_VPN1
Jan 09, 23:21:15 Error IKE Xauth authentication failed
Jan 09, 23:21:15 Info
IKE XAUTH Message: 'Access denied - wrong user
name or password (msg_obj :format (1.0) :id (VPN_CUMULATE_PROMPT)
:def_msg ("Access denied - wrong user name or password ") :arguments ( :0
( :type (msg_obj) :val (msg_obj :format (1.0) :id
(CPSC_SECURID_USER_DENIED) :def_msg ("Access denied - wrong user
name or password ") :arguments () ) :def_text ("Access denied - wrong user
name or password ") ) ) ) '.
Jan 09, 23:21:15 Warning IKE Ignored attribute XAUTH_MESSAGE_VPN1
Jan 09, 23:21:17 Info
Jan 09, 23:21:17 Info
APP IPSec terminated
[/code]
So am I wrong in thinking that this means (since it knows the pw is wrong)
that it must at least be communicating with the remote site?
This doesn't surprise me though, since it never prompts me for the token,
so how could it possibly authenticate properly. In the Authentication
Method drop down I've selected XAuth RSA....is this right? If so, why am I
not getting prompted for the token?
Any help is VERY MUCH appreciated.
Dwayne
Re: Checkpoint VPN-1 with SecurID
by mellander on 2008-01-10 20:51:10 +0100
"XAUTH_CHALLENGE_VPN1" makes me think that CheckPoint have made
their own modifications to the protocol.
The problem with XAUTH seems to be that there is no "official" RFC for it.
At least not listed on the RFC pages at IETF.
I found thins among many [url]http://tools.ietf.org/html/draft-ietf-ipsecisakmp-xauth-06[/url] where "XAUTH_CHALLENGE" is listed. But the suffix
VPN1 smells like CheckPoint Proprietary all the way...
by kridan on 2008-01-14 04:57:14 +0100
Anyone else here successfully using Checkpoint with SecurID?
DK
by siromega on 2008-01-15 13:34:15 +0100
I followed the instructions in [url=http://www.lobotomo.com/cgi-bin
/yabb/YaBB.pl?num=1177416223/7#7]this post,[/url] and I was able to
successfully connect. However once I connected I wasn't able to get
anywhere in the corporate network, and my ability to access the internet
stopped working completely until I disconnected.
The only other addition I have was is the password field in the ID tab, I put
my pin and the secureid token value and I was able to successfully
authenticate.
private dns not working
private dns not working
by pong on 2008-01-12 17:31:55 +0100
i don't know if it'S leopard related but i can't get the private dns to work.
system is 10.5.1, ipsecuritas is 3.1, firewall is a fortigate 60.
the vpn connection works, i cann also connect to all servers inside the vpn
but only via ip-adress. the dns is set for the internal domain private.lan but
even if i set the private domain to * the private names don't resolve. but i
can ping and connect to the internal dns.
but it seems that it isn't involved in name resolving.
Translation needed
Translation needed
by Forum Admin on 2008-01-14 12:41:51 +0100
Hello,
we are looking for people who could translate a few sentences from English
into their native language for a few extensions of IPSecuritas. We need
translations to the following languages: French, Italian, Spanish, Portugiese,
Dutch, Norwegian and Japanese.
If you are interested to support IPSecuritas in this way, please e-mail me at
[email protected]
Christoph, Lobotomo Software
Cannot import PKCS#12 Certs
Cannot import PKCS#12 Certs
by franziskaner on 2008-01-17 12:31:19 +0100
Hi there,
i'm trying to connect my MacBook over IPSec with an Linux based
Firewall/VPN-Gateway.
I have generated Certificates on the Linux Appliance and exported them to
the Mac.
When i try to import them in IPSecuritas, i get an error message, that it is
either not
an PKCS#12 Cert or the passphrase ist incorrect.
I have tested the same Certificate with my NCP IPSec Client on a WinXP
Machine,
it works fine there.
IPSecuritas V3.1 Build 1860 on a MacBook Intel, running Leopard 10.5.1,
VPN has worked
fine with Preshared-Key Authentication, but i would prefer to use Certs.
Anyone any idea?
Re: Cannot import PKCS#12 Certs
by e-baba on 2008-04-02 14:29:47 +0200
Hello Everyone,
I've got the same problem importing signed certs (pkcs#12) made with
openssl on WinXP. I am running ipsecuritas 3.1 build 1860 using osx
leopard.
The same certs have been working on previous releases of ipsecuritas an
osx.
Are there any restrictions using pkcs#12-certs? Or is it a known bug wich is
getting fixed in future releases?
Regards
Jьrgen
by cnadig on 2008-04-10 15:53:11 +0200
Hello,
there is no known restrictions, so this is probably a bug. Is it possible to
send an example of such a certificate to [email protected] (a test
certificate, not a production one of course)?
Cheers,
Christoph
by franziskaner on 2008-04-10 18:01:15 +0200
hello Christoph,
the certificate is on the way to you.
regards,
Hartmut
by benjconrad on 2008-04-25 12:25:46 +0200
I don't know if this applies, but certainly p12 files from Smoothwall can not
be imported directly from the firewall in to IPSecuritas. I have no idea why
not! This is taken from the smoothwall website:
Notes on IPSecuritas configuration
To configure IPSecuritas the CA can be exported from the Smoothwall in a
PEM format and imported into IPSecuritas using the certificate manager.
The client certificate needs to be exported in a PKCS12 format, but before
importing into IPSecuritas first convert it into a certificate public key and
private key components by typing the following commands in an OS X
terminal:
openssl pkcs12 -in cert.p12 -nokeys -clcerts -out cert.pem
cert.pem will contain the public key part.
openssl pkcs12 -in cert.p12 -nodes -nocerts -out key.pem
key.pem will contain the private key part.
Substituting cert.p12 with the name of the pkcs12 certificate exported.
The certificate public and private key can then be imported using the
certificate manager. Note that both public and private keys will be asked for
in succession when selecting the import 'personal certificate with private
key' option.
I hope this helps. Obviously you need to cd in Terminal to the folder that
contains the VPN certs.
by artemide on 2008-04-25 15:48:08 +0200
I read this on the SW site, but I have imported the P12 keys directly into
IPSecuritas .. but it only works once and while .. I have not idea why .. I have
one key that imported immediately, one key that took like 3 tries .. and now
I have another one that will not import at all .. the interesting thing is, my
connections fail with some cert errors .. I wonder ..
I am going to split the P12 up and try again ..
by artemide on 2008-04-25 16:21:16 +0200
I tried with a new test cert and split out the key, set it all back up .. and I
still have the same issues with my connections .. so that doesn't help
I keep getting unable to get certificate CRL(3)
and libipsec failed pfkey check ( invalid sa type )
by benjconrad on 2008-04-25 18:11:09 +0200
I imagine you have done all this correctly - but when you get the P12 file
split in to two .pem files, one the cert, and one the key - you then need to
import them in to the Certificate Manager - choosing .pem with key. You
select the cert.pem first, and then the key.pem - I don't think you need to
provide the password, but you do need it to split the p12 file. Then
obviously you need to select the correct certificate in the actual connection
setup.
At least, that is how I did it.
by artemide on 2008-04-25 21:59:26 +0200
[quote author=benjconrad link=1200569480/0#7 date=1209139869]I
imagine you have done all this correctly - but when you get the P12 file
split in to two .pem files, one the cert, and one the key - you then need to
import them in to the Certificate Manager - choosing .pem with key. You
select the cert.pem first, and then the key.pem - I don't think you need to
provide the password, but you do need it to split the p12 file. Then
obviously you need to select the correct certificate in the actual connection
setup.
At least, that is how I did it.[/quote]
Yup did all that .. the connection goes green .. but it never actually comes
up .. I can't ping across the network .. and the logs complain about invalid
SA
by artemide on 2008-04-25 22:57:24 +0200
The certs need to have subjectAltname ( ID ) set in order for them to import
correctly. It is a Mac thing not an IPSecuritas thing
by artemide on 2008-04-25 23:07:28 +0200
lol .. well .. the ID does need to be there .. but the importing is still hit or
miss.
IPSecuritas with a Juniper Netscreen SSG20 F-wall.
IPSecuritas with a Juniper Netscreen SSG20 F-wall.
by rosshuts on 2008-01-17 13:25:13 +0100
Good afternoon!
I was wondering if anyone could help with a Netscreen Firewall Query.
I am in the process of setting up VPN dialup for a Mac user using the
IPSecuritas software.
We use a Netscreen SSG20 Firewall and its not listed in the supported
models. Looking at the setup guide it mentions Netscreen SSG models in
general and therefore was hoping that it would still work? The Netscreens
tend to use the same sort of firmware or ScreenOS files and was really
hoping that it would work.
Does anyone know if this will be ok or not? There is also the Equinux VPN
Tracker although its not free, but works with Netscreens, however again,
they don't list the SSG's in the list.
Any help in this matter would be greatly appreciated.
Regards,
Ross.
Re: IPSecuritas with a Juniper Netscreen SSG20 F-w
by Daniel on 2008-01-25 21:53:42 +0100
IPSecuritas works like a charm with ScreenOS, including the SSG series.
Re: IPSecuritas with a Juniper Netscreen SSG20 F-w
by Forum Admin on 2008-01-28 01:05:27 +0100
Hello,
I use IPSecuritas with a Juniper SSG140 with Xauth. The firmware of all
Juniper models are identical or similar, there should be not problem to use
it with a SSG20. Please email me at [email protected] if you need
more information.
Cheers,
Christoph
Stop IPSecuritas daemon from launching at startup.
Stop IPSecuritas daemon from launching at startup.
by techess on 2008-01-17 20:02:41 +0100
I have IPSecuritas 3.1 installed on a Leopard MacBook Pro. So far it works
great, but I don't want the daemon to automatically start at reboot. It
interferes with other software I need to run. I tried removing /Library
/StartupItems/IPSecuritasDaemon but at reboot the daemon still starts.
I still have to open IPSecuritas and manually choose the quit and terminate
daemon. Then the other software I need will run. The only thing that
removing /Library/StartupItems/IPSecuritasDaemon seems to do is to stop
the menu bar item for IPSecuritas from launching.
Anyone have a way of stopping the daemon from starting other than
uninstalling?
Re: Stop IPSecuritas daemon from launching at star
by Forum Admin on 2008-01-28 01:08:58 +0100
Hello,
the daemon is an essential part of IPSecuritas and needs to run in order to
establish a connection. It is installed and started every time you start
IPSecuritas and asked for the administrator's password.
Maybe you could tell me with what other software it interferes so that I
could do something about this?
Thanks a lot,
Christoph
by techess on 2008-01-28 17:06:57 +0100
One of the pieces is the Mac OS X built in VPN. The other software that
doesn't work is a custom Citrix client needed for secure accounting/student
info transactions.
Everything works fine if I open IPSecuritas,quit the daemon and then launch
the software. Then if I need to connect to the checkpoint firewall I can start
it up again and this works really well. I was hoping that there would be an
easy way of not having the service start on boot, and then manually launch
it when I needed it.
Thanks!
by hkirschk on 2008-04-22 09:22:52 +0200
Just wanted to state that I would also be interested in having a global
preference which defines if the IPSecuritas daemon should be automatically
started at system startup. It interferes with the Apani Contivity client, I also
have to switch off the IPSecuritas daemon and restart the Apani Contivity
client.
Heiko
by .guru on 2008-04-22 10:57:13 +0200
By the way, what exactly is the daemon for? I thought IPSecuritas relies on
the racoon IKE service only?
.guru
by Forum Admin on 2008-04-23 20:35:44 +0200
Hello,
the daemon fulfills a number of purposes:
1. Control of the IPSec kernel configuration and control of racoon and its
configuration file
2. Autostart, for when no GUI is running
3. Detection of environment changes (network, user etc.)
4. NAT-T implementation, since Apple's implementation is old and broken.
Hope this answers your question,
Christoph
by hkirschk on 2008-04-29 14:38:32 +0200
[quote author=hkirschk link=1200596561/0#3 date=1208848972]Just
wanted to state that I would also be interested in having a global preference
which defines if the IPSecuritas daemon should be automatically started at
system startup. It interferes with the Apani Contivity client, I also have to
switch off the IPSecuritas daemon and restart the Apani Contivity client.
Heiko[/quote]
Sorry for the noise, some further investigation showed that the IPSecuritas
daemon itself does not interfere with the Apani Contivity client. Unless
there is no VPN connection initiated by IPSecuritas, there are no problems,
and IMHO it does not make sense trying to have both an active IPSecuritas
client and an active Apani Contivity client.
Heiko
Weird - this was working - pfkey X_SPDDUMP failed
Weird - this was working - pfkey X_SPDDUMP failed
My VPN ( IPSecuritas -> Draytek 2800 ) was working fine yesterday, but
today keeps failing with error:
Funny thing is, I have another profile in IPSecuritas set up that goes off to a
different VPN endpoint that continues to work fine.
I have used Frameseer to look at the outgoing traffic on both setups, the
one that works does a DNS lookup first, the failing VPN configuration sends
NO traffic out the interface at all.
Just out of interest, my psk.txt file in:
/Library/Application Support/Lobotomo Software/IPSecuritas/
is empty...
Obviously psk.txt gets overwritten each time the vpn config loads. When I
use the vpn config for my working vpn I have entries in the psk.txt file. In
my non-working vpn setup, the psk.txt remains empty. WTF?????
As I said previously, this exact same vpn config worked fine yesterday....
Re: Weird - this was working - pfkey X_SPDDUMP fai
by cnadig on 2008-01-22 00:27:31 +0100
Hello,
the empty psk.txt is an indication that the connection isn't even started,
therefore you
don't see any network activity either. This is usually the case if the
connection definition is
incomplete or when there are conflicts in the definition.
Can you see a red dot next to the connection in the main window after you
started the non-working
connection? If so, please hoover the mouse over the red icon and wait for
the
tooltip to appear. If it says 'Connection definition incomplete', please open
the connection
manager and hoover the mouse over the grey exclamation mark symbol
next to the connection to
see what's wrong.
I hope this helps,
Christoph
This did not help unfortunately. The red dot appears as soon as the VPN is
dialed, but it has no tool tip when hovered over, and hence no grey dot in
the connection manager screen.
Update: I can also confirm that an uninstall / re-install does nothing to help
the situation....
This is quite frustrating ! Is there anyone that can give me a hand ??
Can anyone help out here ?? I have moved 2000km's from home and need
to be able to VPN to my mother to assist some probs she is having. As I
said in the first post - this was working fine. It just stopped working.
This gets even better !!!!!!
I just uninstalled IPSecuritas 3.1 - I used the uninstaller which actually
reported failing......but anyway
I re-installed IPSECURITAS VERSION 2.2 and put in all the same setting for
my broken VPN and walla !!!! It connected and I can access the network on
the other end.
Si I have now confirmed that only this one tunnel is broken in v3.1 and the
whole thing works an v2.2 and I have also installed a demo copy of
VPNTracker which works as well.
I can not for the life of me work out why this would / could be the case......
I did some other investigation and found that the racoon.conf file is not
being written properly/fully on the broken VPN. I copied the file under both
the working and broken configurations and they look totally different. I
dont know how to troubleshoot any further however.
I would love to have 3.1 working but at present v2.2 is my only option !
by cnadig on 2008-01-28 12:47:37 +0100
Hello,
this is indeed interesting. Could you send me the two racoon.conf files and
the connection log with log level set to debug (from the working and the
non-working configuration) to [email protected]?
Please replace any confident information like the public IP and please do
not send the psk.txt file!
Thank you alot,
Christoph
Sent.....
Hi Christoph - any luck with the logs I sent through on this issue ?? Thanks
in advance.
I can now confirm that this issue has something to do with the "Remote
Side" config item in the VPN setup. If I change this option to "Endpoint
mode - Anywhere" I get past the pfkey error. The VPN still does not
connect, but I do get a racoon.conf file created and a psk.txt file populated.
When I change the config back to "Endpoint mode - Network" ( or any other
option ) I get the pfkey issue again.
Like always, any help is appreciated.
by Forum Admin on 2008-02-03 20:09:33 +0100
Hello Brant,
thank you very much for the log file. In your case, no connection is started,
most probably because of a configuration fault or a network conflict.
Does the local network and remote network overlap, or did you enter a local
IP address that is part of the remote network by any chance? If so, please
enable the 'Local IP in Remote Network' option in the Options section of
your connection. This would also explain your success connecting with the
remote mode set to Anywhere, as you describe in another post.
Please note that such network overlaps should be avoided since there might
be undesired side effects.
Hope this helps,
Christoph
Hi there Christoph - I can;t help but think that there is a bug causing this
behavior.
The output of an ifconfig is such:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
ether 00:1b:63:a1:88:b2
media: autoselect status: inactive
supported media: autoselect 10baseT/UTP <half-duplex> 10baseT/UTP
<full-duplex> 10baseT/UTP <full-duplex,hw-loopback> 10baseT/UTP
<full-duplex,flow-control> 100baseTX <half-duplex> 100baseTX <fullduplex> 100baseTX <full-duplex,hw-loopback> 100baseTX <fullduplex,flow-control> 1000baseT <full-duplex> 1000baseT <fullduplex,hw-loopback> 1000baseT <full-duplex,flow-control> none
fw0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 4078
lladdr 00:1d:4f:ff:fe:5f:4c:74
media: autoselect <full-duplex> status: inactive
supported media: autoselect <full-duplex>
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST>
mtu 1500
ether 00:1c:b3:bc:9a:11
media: autoselect (<unknown type>) status: inactive
supported media: autoselect
ether 00:1c:42:00:00:00
ether 00:1c:42:00:00:01
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 10.164.45.63 --> 10.6.6.6 netmask 0xff000000
When I set the 'Remote Endpoint' to anything BUT 10.0.10.0/24 it works.
As soon as I enter a subnet that begins with 10.x.x.x it fails. The above
network for the ppp0 adapter is a class A subnet.
The only think I can think of is that somehow IPSecuritas is ignoring the fact
that I am setting the Remote Endpoint to 10.0.10.0/24 and assuming the
10. subnet is a class A ??????
If I set the Remote endpoint to somethign random, say, 11.0.11.0/24 it
creats the racoon.conf / psk.txt files and dials up.
It is ONLY the 10.x.x.x network thing that is causing all the problems.
Does this help in troubleshooting ??
by Forum Admin on 2008-02-13 22:56:15 +0100
Hello Brant,
the problem is indeed that the two networks 10.0.0.0/24 and 10.0.10.0/24
overlap. This is
not recommended (and probably also against the specification) for various
reasons (one being that
other computers will not be reachable anymore, another that there might
an address conflict between
the local address and a machine in the remote network with the same
address).
However, I will add an option to disable these collision checks or simply
ignore the remote address for PPP interfaces, since several people asked for
it.
For now, the easiest (and cleanest anyway) solution is to change her local
network range to a different private range, please have a look at RFC 1918,
section 3 (<http://www.faqs.org/rfcs/rfc1918.html>)
Cheers,
Christoph
Not sure if I wrote the last post incorrectly or if it has been interpreted
wrong, but the two 10.x.x.x addresses ARE on DIFFERENT subnets.
The ISP address is a /8 address and the remote VPN subnet is a /24
What I am postulating is that IPSecuritas is interpreting the remote VPN
subnet as a /8 ( Class A ) subnet by virtue of the 10.x.x.x subnet ( if you
are going by RFC 1918 part 3 - Private address space ) it is true that
10.x.x.x subnets SHOULD be numbered as Class A subnets, but they can
be applied in a Class C address space.
I am not sure I am making sense....
by Forum Admin on 2008-02-15 21:53:32 +0100
Hello Brant,
sorry, I was quoting the addresses incorrectly. The remote network of your
ppp0 interface is 10.0.0.0/8, which includes the smaller remote network
10.0.10.0/24 you're trying to access. IPSecuritas does these checks to avoid
indetermined (or at least unexpected) behaviour, but I will add an option to
bypass these checks for the brave among you.
Cheers,
Christoph
Thanks for that Christoph - I will wait for an update.
IPSecuritas vs. Netvanta 7100
IPSecuritas vs. Netvanta 7100
by NotThatLuke on 2008-01-20 20:24:31 +0100
Hi,
I'm trying to use IPSecuritas 3.1 build 1860 to connect to my company's
firewall, an Adtran Netvanta 7100 and it's no joy every time. I don't even
seem to be getting past Phase 1. I'm pretty sure I have all the settings
correct except for the Phase 2 Authentication (set to Null) and the Options
(DOI, Initial Contact, Local IP, Support Proxy, Unique SAs, IKE Frag are
selected, NAT-T enabled)--not sure what those should be so I've been
using trial and error. Here's a log example:
Info
Info
Info
APP IPSec started
Info
Info
IKE @(#)ipsec-tools CVS (http://ipsec-tools.sourceforge.net)
Info
IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006
(http://www.openssl.org/)
Info
Info
Info
APP Initiated connection Work
Error IKE delete phase1 handle.
Info
Info
ESP (IP Obscured by me)[500]->10.0.1.198[500]
Info
Info
Error IKE phase1 negotiation failed due to time up.
20d32e7094980c58:0000000000000000
Warning APP Connection Work timed out
Warning APP Suspending for 30 seconds
Info
APP IPSec stopping
Info
Info
APP IPSec stopped
Anyone ever try this with a Netvanta? Any ideas? Any help is very welcome.
Thanks!
Luke
Cannot connect to AFP server
Cannot connect to AFP server
by TedA on 2008-01-23 14:36:21 +0100
I have IPSecuritas connected to a Netgear FVS318, and I'm able to connect
to the vpn, but I'm unable to connect to a afp server on the vpn network. I
can ping the machine and I can control the machine using Apple Remote
Desktop, but I can't connect via afp.
When I go to "Go To Server.." all I get is "Connecting to
afp://192.168.0.201" until it eventually times out. I have connected to this
afp server in the past when it was on the same network as the vpn.
Computers on the internal network can still connect to the afp server and
computers on a separate vpn (via another Netgear FVS318) can connect to
the afp server.
Re: Cannot connect to AFP server
by TedA on 2008-01-24 21:03:56 +0100
I fixed the problem, the firewall was filtering any non 192.168.0.0
addresses.
by esailor on 2008-04-11 15:21:35 +0200
Did you turn on the apple Talk flag in the network preferences?
by mann on 2008-04-23 06:08:02 +0200
How do you know if the router is filtering addresses as I am having the
same problem only certain places does the AFP work over the VPN.
IPSecuritas and Checkpoint FW-1 - timeout
IPSecuritas and Checkpoint FW-1 - timeout
by StefanVollmar on 2008-01-23 23:50:29 +0100
Hello,
I am new to this forum and have just started using IPSecuritas 3.1 Build
1860 on MacOS X Leopard. Connecting to systems through a Checkpoint
FW-1 firewall works fine. However, during ssh connections the terminal
freezes if there was not any traffic for a number of minutes. Pressing a key
sometimes continues the session (with a delay off several seconds after the
key was pressed), more often than not I need to create a new connection. Is
there a way to keep a connection open even if there is no traffic for a
considerable amount of time, maybe by setting up "keep alive" messages
(or equivalent)?
Many thanks in advance,
Stefan
Re: IPSecuritas and Checkpoint FW-1 - timeout
by cnadig on 2008-01-25 10:14:04 +0100
Hello Stefan,
please enable the connection check in the options tab and enter an IP
address, that replies to pink requests.
Hope this helps,
Christoph
Re: IPSecuritas and Checkpoint FW-1 - timeout
by StefanVollmar on 2008-01-25 11:50:22 +0100
Dear Christoph,
as far as I can see, this solved my problem beautifully.
Thanks,
Stefan
only remote DNS works when connected
only remote DNS works when connected
by prahn on 2008-01-24 22:02:55 +0100
Hi!
When I connect to my VPN the resolution of the local DNS does not work
anymore.
Remote DNS works perfect, but nothing more local.
If I switch the DNS of in the IPSecuritas profile local DNS works.
Even when the VPN is down.
Do I need to set a local searchdomain in Network control panel?
Leopard IPsecuritas 3.1 not working with Leopard
Leopard IPsecuritas 3.1 not working with Leopard
by Rommel on 2008-01-26 20:51:03 +0100
We had IPSecuritas 2.1 OS X.4 behind a Netopia R910 working well.
Upgraded to IPSecuritas 2.1 OS X.5 – would not work.
Upgraded to IPSecuritas 3.1 OS X.5 – would not work. Had imported the
settings from IPSecuritas 2.1.
This is the log file.
Jan 25, 13:49:52 Info
APP IPSec restarting
Jan 25, 13:49:53 Info
Jan 25, 13:49:53 Info
Jan 25, 13:49:53 Info
Jan 25, 13:49:53 Info
APP IPSec started
Jan 25, 13:49:53 Info
Jan 25, 13:49:53 Info
Jan 25, 13:49:53 Info
Jan 25, 13:49:53 Info
Jan 25, 13:49:54 Info
APP Initiated connection Kodak DirectView
Jan 25, 13:50:01 Info
Jan 25, 13:50:08 Info
Jan 25, 13:50:10 Error IKE phase2 negotiation failed due to time up
Jan 25, 13:50:15 Info
Jan 25, 13:50:22 Info
Jan 25, 13:50:24 Error IKE phase1 negotiation failed due to time up.
c746ba12283e6bfd:0000000000000000
Jan 25, 13:50:27 Warning APP Connection Kodak DirectView timed out
Jan 25, 13:50:27 Warning APP Giving up
Any ideas?
Re: Leopard IPsecuritas 3.1 not working with Leopa
by ask on 2008-02-02 01:29:18 +0100
I have almost the same history / problem. I had IPsecuritas working fine
pre-OSX 10.5 and pre IPSecuritas 3.1 with my Juniper NS25, NS5XP, etc...
but since the upgrade to OSX 10.5.x and the migration to the new
IPSecuritas, I can't get anything to connect. I have tried the wizards and
instructional PDFs... no luck.
Anyone have any ideas?
by Rommel on 2008-02-02 18:37:55 +0100
Changed Exchange Mode from Aggressive to Main, Aggressive. This did not
get transferred properly in the importation. Works just fine now. :)
by ask on 2008-02-08 21:51:02 +0100
Tried that... still not working for me.
IPSecuritas Stopped Working After Leopard Upgrade
IPSecuritas Stopped Working After Leopard Upgrade
by ask on 2008-01-29 02:50:09 +0100
I have been using IPSecuritas with my Juniper firewalls for a couple years
now. I recently upgraded my OS to Leopard and my existing VPN would not
connect. I tried upgrading to the latest IPSecuritas and importing my
existing VPN configs... bu tstill no luck. I have tried recreating my VPNS
with the wizards on my firewall and in IPSecuritas according to the Juniper
Netscreen HOWTO.pdf... no luck.
as anyone had any luck getting IPSecuritas on Leopard to connect to and
Juniper/Netscreen firewalls?
Thanks!
Spencer
Re: IPSecuritas Stopped Working After Leopard Upgr
I don't know if I am having the same issues, but totally uninstall IPSecuritas
3.1 and install the older 2.2 version. When I did this mine worked. If this
does work please let Christoph know and he will probably ask for some
logs etc.
by mribiz on 2008-01-30 15:44:45 +0100
I can't seem to get 3.1 to work on Leopard as well. Where can I get the old
version?
by ask on 2008-02-03 01:16:01 +0100
I tried using IPSecuritas v2.2 again... still no luck.
I fixed my issues under Leopard by setting the Endpoint Mode to Anywhere
rather than Network.
Still not good, but at least I can get a tunnel up now.
by ask on 2008-02-08 21:52:01 +0100
That did not fix the issue for me. Anyone else?
by 2fs2ns on 2008-03-07 21:08:01 +0100
Same issue, installed IPSecuritas on 5 macbooks running pre-lepoard OS,
all work just fine. The one Leopard machine we have, it doesn't work. I've
tried all the above suggestions with no luck.
by Cucumber on 2008-03-17 04:20:59 +0100
i just discovered IPSecuritas hoping that it would allow me to connect to a
clients NetScreen 5GT. i went through the Wizards and while it said it
connected. pings or anything else would just hang (and finally timeout). i
tried all the above suggestions, and resorted to randomly changing the
options (one at a time)
disabling NAT-T was the winner for me :)
i'm using IPSecuritas 3.1 on 10.5.2
by 2fs2ns on 2008-03-19 17:32:49 +0100
Just got it to work, checked the "Local IP in Remote Network" check box in
Options...
:-/
3.1 Does not work, 2.2 does
3.1 Does not work, 2.2 does
by rghiglianovich on 2008-01-29 19:58:11 +0100
Hi,
I have IPSecuritas 2.2 connecting to an IPCop box and it works quite good
(using preshared key), OSX 10.4.11 on my site
Now I have downloaded 3.1 ; copied the configuratione parameters and so
on... The new version does not work.
Why?
Is there something to do?
Thanks,
RIc
Re: 3.1 Does not work, 2.2 does
Set your log to Debug in 3.2 and post the output here ( please remove
destination IP address ) - I am having similar issues as well. I have sent logs
and configs to the author but haven't heard back as yet.
Trouble Exporting
Trouble Exporting
by BladesAway on 2008-02-01 02:36:45 +0100
I have no idea what I am doing wrong....I have build up a connection that is
working perfectly. I need to export it to use on another machine. When I
go to Edit Connections and then select Export I enter a file name to export
to and then click on Export. I then get prompted with Missing Import
Password Please enter an Import password. Even if I put something in the
Import Password field I get the error. Any ideas of what I might be doing
wrong?
Thanks
Scott
Re: Trouble Exporting
by Forum Admin on 2008-02-01 09:52:44 +0100
Hello Scott,
this is probably due to the Leopard related bug (see
http://www.lobotomo.com/cgi-bin/yabb/YaBB.pl?num=1195575910).
Please press TAB one more time after you entered a password and the
export should just work fine.
Hope this helps,
Christoph
Re: Trouble Exporting
by BladesAway on 2008-02-01 12:11:43 +0100
That was it. Thank you. That was driving me crazy! Being new to Mac OS
and being a veteran of PC for over 20 years I couldn't help but wonder if it
was me!
Thanks again.
can connect to ipsec vpn, other subnet unreachable
can connect to ipsec vpn, other subnet unreachable
by blst on 2008-02-05 06:09:25 +0100
i have a tunnel between a fortigate firewall and a dlink firewall which works
fine. i have a vpn connection remotely to the fortigate, but cannot reach
resources on the other subnet.
has anyone solved this problem before? can't seem to figure out if it's
firewall issues or client issues.
thanks!
Where is the Wizard?
Where is the Wizard?
by jscooper on 2008-02-06 12:53:39 +0100
OK, it's early, so I must just be beery-eyed. But just downloaded this app
and cannot find this "wizard" icon anywhere. Not on the menu. in the app.
Where is it?
Thanks,
Jeff
Re: Where is the Wizard?
by jscooper on 2008-02-07 03:50:12 +0100
Nevermind, I found it. Looks like when you choose Open IPSecuras form the
menubar, it opens version 2.1 but when you click the application icon, you
get v3.1. Is this a bug or did I miss some setting somewhere?
Thanks,
Jeff
ps- used this app a couple years ago and loved it. The site vanished for a
while -- I'm very happy to see it back! :)
Re: Where is the Wizard?
by jscooper on 2008-02-07 04:08:25 +0100
Nevermind, I found it. Looks like when you choose Open IPSecuras form the
menubar, it opens version 2.1 but when you click the application icon, you
get v3.1. Is this a bug or did I miss some setting somewhere?
Thanks,
Jeff
ps- used this app a couple years ago and loved it. The site vanished for a
while -- I'm very happy to see it back! :)
Netgear G834GT
Netgear G834GT
by andy on 2008-02-07 22:00:44 +0100
Been having difficulty getting into my remote network remotely. Do I need
to make alterations on the pass through on the router?
Re: Netgear G834GT
by Tanster on 2008-02-19 01:27:26 +0100
Pass through to *WHAT*? IPSecuritas is acting as the client side. You must
have a server side. If your router doesn't have a VPN server built-in (and
the Netgear G834GT doesn't from the specs I see on the Netgear website),
then what are you connecting to behind it? Do you have a VPN server
sitting there? Otherwise, you're barking up the wrong tree.
Re: Netgear G834GT
by andy on 2008-02-19 09:51:27 +0100
Yes, was a bit cryptic.
But you have helped on other post. First job - get a new VPN server able
locally router.
Thanks
not creating racoon.conf completely
not creating racoon.conf completely
by coreyva on 2008-02-08 21:22:42 +0100
I'm having issues with IPSecuritas 3.1 on a 10.5.1 intel system. The log
stops at Resize address pool. Looking at the created racoon.conf, it is
incomplete. It contains no connection setting. I've tried removing and
reinstalling IPSecuritas, creating new profiles and connections, and creating
a new user. No change. Below is the contents of of the created racoon.conf.
# Racoon configuration created by IPSecuritas
log notify;
path pre_shared_key "/Library/Application Support/Lobotomo
Software/IPSecuritas/psk.txt";
path certificate "/Library/Application Support/Lobotomo
Software/IPSecuritas/certs";
padding
{
maximum_length 20;
randomize on;
strict_check off;
exclusive_tail on;
}
timer
{
counter 5;
interval 5 seconds;
persend 1;
phase1 15 seconds;
phase2 15 seconds;
}
listen
{
adminsock "/Library/Application Support/Lobotomo Software/IPSecuritas
/admin.sock";
}
Anyone else seen this happen?
Re: not creating racoon.conf completely
Yes - I have been battling with exactly the same issue, but have had no real
response or fix for the issue from these boards. I got around mine by
changing the 'Endpoint Mode' to 'Anywhere'
In my case I was routing to a 10.x.x.x subnet, although I was using a Class
C subnet mask ( /24 ) I think IPSecuritas was applying the standard Class A
subnet mask to this subnet. This is the only explanation I can come up with
as my Telstra NextG internet connection always gives me a 10.x.x.x/8 IP
address.
As I said, nobody has replied to my issues so I am only speculating.
Try changing the endpoint mode and get back to me.
by coreyva on 2008-02-11 17:36:50 +0100
I'll give that a try, but what's strange, is it's only one system having that
issue. My laptop works fine. Both are intel systems for what it's worth.
by Forum Admin on 2008-02-13 22:50:07 +0100
Hello,
hovering the mouse over the red indicator in the main window should give
you a short indication of what's wrong. In your case, the connection is
considered 'not runnable' for some reason, hence the empty racoon.conf
file.
Hope this helps,
Christoph
When I was having issues ( Intel MBP 10.5.1 ) hovering over the red dot did
nothing. I never got any help text...
by coreyva on 2008-02-22 20:35:54 +0100
hovering the mouse over the red indicator in the main window should give
you a short indication of what's wrong. In your case, the connection is
considered 'not runnable' for some reason, hence the empty racoon.conf
file.
Hope this helps,
Christoph[/quote]
Thanks, but no go. Hovering over the dot produces nothing. I am using a
working exported policy. Double checked all of the settings, and they are
identical on the system that works and the one that doesn't. In fact, I can
not get it to make a connection to any of my VPN's. One difference between
the two systems is that the working one was an upgrade to leopard, and the
non-working one was a fresh install. Not sure if that is contributing to the
issue or not. The fact that it is only one system I'm seeing an issue with,
makes me believe it's something with that system rather than ipsecuritas,
but I've not found it.
Connection successful, but can't reach network
Connection successful, but can't reach network
by gould on 2008-02-09 20:23:23 +0100
I can establish a connection to the remote Lancom 1722 VPN gateway
(green status dot), but besides the gateway I can't ping any computer in the
remote network.
This is my configuration:
Host 192.168.223.232 to network 192.168.223.0/24
I can only ping 192.168.223.0 and 192.168.223.254, no other server in the
same network. I suppose no data come back from the remote side. First I
thought the router on the local part, where my Mac is, blocks the packages,
but when I use my Linux PC everything is fine - without changing the router
configuration.
Ergo: Linux with Shrew VPN Manager works, IPSecurtias (VPN Tracker
neither) on Mac not. Leopard firewall is off.
I really have no idea whats wrong with my Mac configuration. Is there a
routing problem? Any suggestions what I can do?
By the way: MODE_cfg never works, while I get a IP from the gateway on my
Linux PC. Really weird.
Re: Connection successful, but can't reach network
by Forum Admin on 2008-02-13 22:53:35 +0100
Hello,
please try to change the local (virtual) IP to an address that's outside the
remote network (interpreting the IPSec standard strictly, this is nor allowed,
although some router allow it).
Hope this helps,
Christoph
by gould on 2008-02-13 23:18:40 +0100
An IP address outside the remote network is not allowed. Furthermore, I
was told that I shouldn't give an IP myself, because IKE config mode is
configured. Due to the fact, that MODE_CFG in IPSecuritas doesn't work for
me, the Lancom gateway has no MAC address of the local interface and
can't reach my local machine. My system administrator adviced my to use a
client that supports IKE config. Are there any known problems with the
MODE_CFG option in IPSecuritas?
by gould on 2008-02-15 15:37:54 +0100
In the meantime I'm pretty sure: The config mode is the problem. Is there a
way to proof wheather MODE_CFG in IPSecuritas works correctly? I think
there must be something wrong the this option.
by Tanster on 2008-02-19 01:54:43 +0100
Just curious but is "Local IP in Remote Network" checked under the
"Options" tab?
by gould on 2008-02-21 14:33:36 +0100
Yes, it's checked. Otherwise I'd get a collision error.
What do you reckon?
What do you reckon?
by andy on 2008-02-10 17:40:24 +0100
I run a newspaper and want my journalists to roam and link to network. A
friend recommended Lobo's software, saying it was very easy to set up.
So I took a MacBook pro with MacOSX 10.5.1
The local work router is a Netgear DG834GT fronting a Mac and PC network
that we want to get into. The remote router is a Netgear DG834G. I have
been told that we cannot configure the firewall on the DG834GT (no IKE etc
etc), while the DG834G has VPN policies available. VPN Tracker's network
environment checker shows both routers to be functional for IPSec and
NAT. Should I buy a new office router? What would you recommend?
Re: What do you reckon?
by Tanster on 2008-02-19 01:44:17 +0100
Insufficient data to work with. Could you give us more info about your
intended network topology (i.e., what and where do you want to connect to
what: connect the dots for us a bit more than you have thus far)? The
Netgear DG843GT doesn't have a VPN server (according to the Netgear
website) while the Netgear DG834G does (5 endpoints, again according to
the Netgear website). But it's on the remote end. Which doesn't make
sense. And where does IPSecuritas fit into the whole shebang you've
described above? Note that "VPN traversal" does *NOT* mean VPN-server
capable--it just means that it allows VPN packets to get through to a
separate VPN server sitting somewhere on the back end on the local side.
Normally, if you don't have a separate VPN server sitting on the back end,
you'd have a VPN server-capable router at the local end (i.e., use the
Netgear DG834G and toss the Netgear DG834GT) with all the roaming,
remote laptops having IPSecuritas installed on them and connecting to the
local end (i.e., the Netgear DG834G) from the outside via broadband or
similar. And that's just the 30,000 foot view with really broad strokes of
the paintbrush. I don't know if this is all you want or you have something
else in mind.
Hope it helps.
Re: What do you reckon?
by andy on 2008-02-19 09:40:53 +0100
Yup, sorry :-/ I'm a novice but we can't afford a techie
I will firstly get a VPN server router fitted locally.
Then I'll get IPSecuritas loaded onto the remote laptops.
Basically, I need them to run 'anywhere to local network'
But you have confirmed what I wasn't sure about, that the local router is not
capable.
Thanks for that.
Andy
IP collision between local and remote networks
by blst on 2008-02-13 17:15:29 +0100
i have set up a an ipsec tunnel to a fortigate 60B with three users and only
one seems to work.
everything works fine for me (leopard), but on the users' machine (tiger)
she started getting this message.
my network at home is 10.0.1.0 and hers at home is 192.168.7.0 and the
remote network is 192.168.0.0.
i have a feeling it is probably not related to the client software but i am not
really sure.
does anyone have any idea why this is happening?
thanks so much,
jason
Re: IP collision between local and remote networks
by Forum Admin on 2008-02-13 22:48:11 +0100
Hello Jason,
the problem is indeed that the two networks 192.168.7.0 and 192.168.0.0
overlap. This is
not recommended (and probably also against the specification) for various
reasons (one being that
other computers will not be reachable anymore, another that there might
an address conflict between
the local address and a machine in the remote network with the same
address).
However, I will add an option to disable these collision checks, since several
people asked for it.
For now, the easiest (and cleanest anyway) solution is to change her local
network range to a different private range, please have a look at RFC 1918,
section 3 (<http://www.faqs.org/rfcs/rfc1918.html>)
Hope this helps,
Christoph
by blst on 2008-02-13 23:29:08 +0100
christoph,
turns out that local ip in remote network became unchecked.
is there an explanation of what this setting means some where in the docs?
thanks so much for the quick reply.
--jason
by Tanster on 2008-02-18 21:28:15 +0100
[quote author=Forum Admin link=1202919329/0#1 date=1202939291]
the problem is indeed that the two networks 192.168.7.0 and 192.168.0.0
overlap.
[/quote]
I was just reading through this thread and noticed that the original poster
didn't provide subnet mask or CIDR info. I'm curious as to what clued you
in to the two networks overlapping. Is there any other info that's not
showing up here?
by blst on 2008-02-18 21:42:18 +0100
my original post:
13. Feb 2008 at 17:15 Quote
i have set up a an ipsec tunnel to a fortigate 60B with three users and only
one seems to work.
everything works fine for me (leopard), but on the users' machine (tiger)
she started getting this message.
my network at home is 10.0.1.0 and hers at home is 192.168.7.0 and the
remote network is 192.168.0.0.
i have a feeling it is probably not related to the client software but i am not
really sure.
does anyone have any idea why this is happening?
thanks so much,
jason
by Tanster on 2008-02-19 01:02:56 +0100
It kinda looks exactly the same to me. There's still no subnet mask (e.g.,
255.255.255.0) or CIDR (e.g. /24) info.
Now, if your subnet mask was, say, 255.255.0.0 (i.e., CIDR of /16) or
255.0.0.0 (i.e., CIDR of /8), then I can see where 192.168.0.0 and
192.168.7.0 would overlap. But if your subnet mask was 255.255.255.0
(i.e., CIDR of /24), which is what most class C subnets would use, then
192.168.0.0 and 192.168.7.0 would not overlap.
Since you didn't provide this info, there's no way to tell as far as I could see
just from network addresses alone. That's why I was wondering if there
was something I wasn't seeing here.
by blst on 2008-02-19 04:50:30 +0100
sorry, i see what you mean now.
acually, this didn't seem to be the problem after all. what ended up being
wrong is that the "local IP in remote network" option was not checked. once
i changed this, it was all fine.
this doesn't make sense to me though. is the local address the one you
define in host endpoint or is it your local address outside the vpn?
thanks for any light you could shed on this. we used to have a less
sophisticated firewall and the mac vpn connections we sufficient and had
far less options.
--jason
Sonicwall tz170w and non-standard VPN Profile
Sonicwall tz170w and non-standard VPN Profile
by russ990 on 2008-02-16 17:03:40 +0100
I have a tz170w running enhanced OS. The default GroupVPN policy has
been configured to be used as our default L2TP server for windows clients.
I am trying to get IP Securitas to connect to a different VPN Profile, but I
can't figure out how to specify the VPN Profile to use. When I connect to
the Sonicwall, the logs indicate that is is always trying to connect to the
WAN GroupVPN. Is there a way to specify to IPSecuritas to tell it to use a
different profile?
I have attempted to configure the IPSecuritas side with the same parameters
as our default groupVPN, but that doesn't seem to want to connect.
Re: Sonicwall tz170w and non-standard VPN Profile
by JimPBarber on 2008-06-07 01:25:58 +0200
On the ID Tab set the Local Identifier to Key ID and enter the VPN Group ID
If you were connecting to the default group id it would be GroupVPN Just
enter the name of the new VPN you created.
Recommend me a VPN server
Recommend me a VPN server
by andy on 2008-02-19 11:23:56 +0100
Can you recommend a VPN server with firewall that IPSecuritas likes and is
featured in the preloads?
Thanks
Andy
Re: Recommend me a VPN server
by Forum Admin on 2008-02-21 21:12:50 +0100
Hello Andy,
I can recommend the following models, all of them can be setup very easily,
work very reliably in my test environment and support NAT-T (which is
important, if you want to connect from public W-LAN or mobile phone
networks):
- Zyxel ZyWall (e.g. P1 or ZyWall 5)
- Linksys WRV200
- Juniper Netscreen 5x or SSG models
- m0n0Wall (http://www.m0n0.ch) , for example on this platform
(http://www.pcengines.ch/alix.htm) - very flexible and powerful, needs
some tinkering, though
There is quite a range in price and features (besides VPN capability), best
choose what you need.
Please feel free to get in touch with me again if you need further
information.
Hope this helps,
Christoph
by andy on 2008-02-22 08:51:38 +0100
Thanks Christoph. I will be looking at several today. I might run some spec
by you if I may.
Cheers
Andy
by Forum Admin on 2008-02-22 19:58:22 +0100
Sure, anytime
Cheers,
Christoph
Connection Green, but not working - Leopard
Connection Green, but not working - Leopard
by neil456 on 2008-02-23 00:02:23 +0100
Mac os x 10.5.2. Can not ping or otherwise use the connection. Nothing
seems to work. Have tried all of the things mentioned in the forum for
Leopard. Reused the wizard to create a new connection.
If it helps I am out of the country, but can IM and Audio Conference without
the vpn to the home network. It was also working prior to upgrade to
Leopard and has worked from the same hotel outside the country prior to
leopard for sure. It also worked using my WAN cellular card prior to leaving
the country with Leopard. My WAN card does not work internationally so I
am trying to use the same config with wired ethernet.
How do I troubleshoot the problem?
Log:
Feb 22, 16:55:42 Info
Feb 22, 16:55:43 Info
Feb 22, 16:55:43 Info
APP IPSec started
Feb 22, 16:55:43 Error IKE Foreground mode.
Feb 22, 16:55:43 Info
Feb 22, 16:55:43 Info
Feb 22, 16:55:43 Info
Feb 22, 16:55:43 Info
Feb 22, 16:55:43 Info
APP Initiated connection Bloomingdale AT&T Card
Feb 22, 16:55:43 Error IKE inappropriate sadb acquire message passed.
Feb 22, 16:55:47 Warning IKE No ID match.
Feb 22, 16:55:47 Info
Feb 22, 16:55:50 Info
APP Initiated connection Bloomingdale AT&T Card
Feb 22, 16:55:51 Info
76.223.254.88[500].
Feb 22, 16:55:57 Info
76.223.254.88[500].
Feb 22, 16:55:57 Info
76.223.254.88[500].
Feb 22, 16:56:02 Error IKE libipsec failed pfkey check (Invalid SA type)
Feb 22, 16:56:02 Info
76.223.254.88[500].
Feb 22, 16:56:02 Info
76.223.254.88[500].
Feb 22, 16:56:08 Info
76.223.254.88[500].
Feb 22, 16:56:08 Info
76.223.254.88[500].
Re: Connection Green, but not working - Leopard
by neil456 on 2008-02-24 15:19:42 +0100
OK, Touch down in Miami and everything works.
I am going back in 3 weeks and need to have this working. How do I
troubleshoot this?
Could be one of several possibilities?
1. Network is being filtered and some part of the VPN does not work. The
hotel network provider indicates they allow VPNs and have not had any
problems.
2. The method of securing internet access keeps the VPN from working.
You know the problem, browser comes up and you have to put in code to
get access to the hotel network.
3. Leopard is unreliable.
Any Ideas?
Re: Connection Green, but not working - Leopard
by neil456 on 2008-03-21 14:11:35 +0100
Solved :)
Need to get public IP from ISP. Now it works.
Why couldn't IP Securitas tell me it needed a public IP address?
Neil
Connecting to Nortel Contivity (DreamHost)
Connecting to Nortel Contivity (DreamHost)
by tuatara on 2008-02-23 02:19:45 +0100
DreamHost offers a VPN for customers. They're using Nortel Contivity.
There are a few mentions of this VPN type in the forums here, but mainly
seem to be unresolved issues. Has anyone successfully connected to this
VPN?
Nortel Contivity doesn't appear in IPSecuritas' setup wizard, so I'm trying to
configure it manually, using the rather brief info at the DreamHost wiki,
[url]http://wiki.dreamhost.com/KB_/_Account_Control_Panel_
/_VPN_Users[/url]. The main info they give is that it uses IPSec, ESP
(Encapsulated Security Payload) and AH (Authentication Header), encryption
is 3DES, key length is 168 bits (56 bits per DES cipher). (Is that key length
related to the DH Group option in IPSecuritas?) I've tried a few different
permutations with no luck so far.
Most recently, I tried it with the General tab set with IPSec Device
ant.cloudconnector.com, a dimmed-out local Endpoint Mode, a remote
Endpoint Mode set to Anywhere and DHCP Pass-Through enabled. The
Phase 1 tab has Lifetime of 1800 seconds, DH Group as 1024 (2),
Encryption as 3DES, Authentication as SHA-1 (I've also tried MD5), and the
rest left at their defaults (Main, Obey, and Nonce Size of 16).
I never seem to get past Phase 1. This is from the connection log, with
some hex data stripped (just in case my password is in there). I'm not
familiar with VPN setup so I may have missed something obvious. Hopefully
there's some data here that's useful. Thanks for any help!
Matt
[code]Feb 23, 14:01:11 Info
APP Initiated connection DreamHost VPN
Feb 23, 14:01:11 Debug IKE get pfkey ACQUIRE message
(Stripped hex data ...)
Feb 23, 14:01:11 Debug IKE suitable outbound SP found:
192.168.0.2/32[0] 0.0.0.0/0[0] proto=any dir=out.
Feb 23, 14:01:11 Debug IKE sub:0xbffff35c: 0.0.0.0/0[0]
192.168.0.2/32[0] proto=any dir=in
Feb 23, 14:01:11 Debug IKE db :0x108bf8: 0.0.0.0/0[0]
192.168.0.2/32[0] proto=any dir=in
Feb 23, 14:01:11 Debug IKE suitable inbound SP found: 0.0.0.0/0[0]
192.168.0.2/32[0] proto=any dir=in.
Feb 23, 14:01:11 Debug IKE new acquire 192.168.0.2/32[0] 0.0.0.0/0[0]
proto=any dir=out
Feb 23, 14:01:11 Debug IKE (proto_id=ESP spisize=4 spi=00000000
Feb 23, 14:01:11 Debug IKE (trns_id=DES encklen=0
authtype=hmac-md5)
Feb 23, 14:01:11 Debug IKE (trns_id=3DES encklen=0
authtype=hmac-md5)
Feb 23, 14:01:11 Debug IKE (trns_id=AES encklen=256
authtype=hmac-md5)
authtype=hmac-md5)
authtype=hmac-md5)
Feb 23, 14:01:11 Debug IKE in post_acquire
Feb 23, 14:01:11 Debug IKE configuration found for 66.33.195.193.
Feb 23, 14:01:11 Info
Re: Connecting to Nortel Contivity (DreamHost)
by tuatara on 2008-03-06 08:44:09 +0100
Any other info I can give? Is it reasonable to think IPSecuritas might work
with the Contivity system?
iPhone support?
iPhone support?
by unhitched on 2008-02-26 01:39:34 +0100
hey guys,
Will IPSECURITAS ever work on an iPhone or iPod touch?
cheers
Re: iPhone support?
by cnadig on 2008-02-26 18:39:44 +0100
Hello,
this depends on the capabilities and availability of the Apple's iPhone SDK.
There are definitely intentions to port IPSecuritas to the iPhone.
Cheers,
Christoph
Re: iPhone support?
by unhitched on 2008-02-26 23:46:58 +0100
hey,
thanks for the quick reply. I am a little confused over how the IPSECURITAS
product is... 'written'. Does it use the 'builtin' osx client which appears to
me to be only L2TP/PPTP or have you guys written some funky pure-IPSEC
feature-set to interact with or work over the top of OSX?
The reason I ask is I have a few Apple engineers I may be able to help
depending on the answers.
cheers
Re: iPhone support?
by cnadig on 2008-02-29 19:24:13 +0100
Hello,
IPSecuritas comes with its own version of racoon, the IKE daemon, and does
not use Apple's standard version of racoon (with 3.0, that is). The version
supplied with IPSecuritas is based on the ipsec-tools rather than the KAME
project and has a few extensions for NAT-T, ModeCfg support for certain
firewall vendors as well as Checkpoint specific extensions.
The rest of IPSecuritas is written in Objective-C using Cocoa.
Any help for porting this to the iPhone is highly appreciated, of course.
Cheers,
Christoph
Netgear FVG318
Netgear FVG318
by Tanster on 2008-02-28 00:07:44 +0100
Does anybody out there have an Netgear FVG318 that can help me? I'm
getting this issue where a setting of 0.0.0.0 or "Any" for the remote IP in
the VPN policy (for traveling users whose IPs cannot be determined until
activation time) results in everybody in the LAN losing connectivity to the
Internet and each other. But all of them can ping the remote user using
IPSecuritas 3.1. According to all the articles I've read in the Netgear KB, the
remote IP setting of "Any" is correct. But it doesn't quite work in reality.
The problem smacks to me of a routing issue but I can't figure out how to
rectify on the FVG318 side since this problem occurs even if I just activate
the VPN Policy but without any VPN tunnels active. Basically, I think I
somehow need to specify that all packets intended for the remote user go
through the VPN but everything else go through the FVG318's LAN port
(and thereby either resent through the local LAN or out through the WAN
port). But no other router such as ZyWALL or SonicWall has ever required
me to do this manually. Does the FVG318 require special static routes set
up manually?
Sonicwall 3060 Enhanced
Sonicwall 3060 Enhanced
by TeckboyNY on 2008-02-29 02:20:03 +0100
Anyone get it to work with a 3060 enhanced model?
Just curious.
Re: Sonicwall 3060 Enhanced
by megamiles on 2008-03-07 23:00:21 +0100
Hello TeckboyNY
Suffering with the same problem on our SonicWall Pro box. Have started a
new post, but solution if found will certainly assist you in connecting.
Regards
by el_doctor on 2008-03-18 14:46:20 +0100
I'm working with a 2040 Pro Enhanced. If I follow the setup wizard with
SonicWall model and Sonic Pro selection, it dosen't work. I tried with the
TZ170 pre-configuration setup wizard and it works!!!
by andyfram on 2008-03-21 19:24:04 +0100
I'm also using the 3060Pro Enhanced and can't get it to work.
I have the following in the logs if this means anything to anyone:
ERROR IKE inappropriate sadb acquire message passed.
ERROR IKE delete phase1 handle.
ERROR IKE delete phase1 handle.
Initiated Connection
delete phase1 handle
Initiated Connection
delete phase1 handle
ERROR IKE phase2 negotiation failed due to time up waiting for phase1.
It repeats that a few times and then says:
Warning APP giving up.
by JimPBarber on 2008-06-07 00:44:03 +0200
You can get it working but you have to drop XAUTH.... It is broken between
sonicwall and ipsecuratas and causes a hang in phase2 negotiation.
Just turn off xauth.
I am a CSSA and it took me a couple of days to work it all out.
Here are the settings.
[color=#003366]SonicWall WAN GroupVPN:[/color]
[color=#003399][b]General Tab:[/b][i][/i][highlight][/highlight][/color]
Name: WAN GroupVPN
Shared Secret: <your shared secret>
[color=#003366][b]Proposals Tab:[/b][/color]
[u][color=#003399][b]IKE (Phase 1) Proposal[/b][/color][/u]
[u]DH Group:[/u] Group 2
[u]Encryption:[/u] 3DES
[u]Athentication:[/u] Sha1
[u]Lifetime: [/u]28800
[color=#003399][u][b]Ipsec (Phase 2) Proposal[/b][/u][/color]
[u]Protocol: [/u]ESP
[u]Encryption:[/u] 3DES
[u]Authentication:[/u] Sha1
[b]Enable Perfect Forward Secrecy [unchecked][/b]
[u]Life Time[/u] (seconds): 28800
[color=#003366][u][b]Advanced Settings Tab:[/b][/u][/color]
[i][color=#003366][u](Optional)[/u][/color][/i]
[x]Enable Windows Networking (NetBIOS) Broadcast
[x]Enable Multicast
Management via this SA: [] HTTP [] HTTPS [] SSH
Default Gateway:
0.0.0.0
Client Authentication
[] Require Authentication of VPN Clients via XAUTH
User Group for XAUTH users: Greyed out
Allow Unauthenticated VPN Client Access: <network of your choice>
[u][color=#003366][b]Client Tab:[/b][/color][/u]
[u][color=#003366]User Name and Password Caching[/color][/u]
Cache XAUTH User Name and Password on Client: How you want it. <mine
by jessica on 2008-09-17 03:53:11 +0200
I was able to get this to work with XAuth. Here's my setup:
SonicWALL Pro3060, OS Enhanced 4.0.0.2-51e
DHCP on, WAN GroupVPN with default settings (shown in detail in
[URL="http://www.equinux.com/cms_components/media
/vpnt/VPNT_Interop_Howtos/1065/SonicOS_Enhanced-5-EN.pdf"]VPN
Tracker's guide[/URL])
IPSecuritas 3.1, running on OS 10.5.4, settings as follows:
Remote IPSec Device: SonicWALL's external address
Local Endpoint Mode: Host, blank
Remote Endpoint Mode: Network, 10.1.10.0, 24 (of course yours will be
different)
Phase 1: 28800 sec, 1024(2), 3DES, SHA-1, Agressive, Claim, 16
Phase 2: 28800 sec, none, checked: DES, 3DES, HMAC MD5, HMAC SHA-1
ID: Address, Address, XAuth PSK, with my info entered
Options Checked: IPSec, SIT, Initial Cont, Request Cert, Send Cert, Unique
SAs, IKE Frag; NAT-T Enabled
I got it working without XAuth first, then crossed my fingers and re-enabled
it, and it worked. Hopefully it will work for others, as well. Saves me $120
for VPN Tracker!
AT&T Global Network Client
AT&T Global Network Client
by drgonzo2k2 on 2008-03-04 05:38:20 +0100
Greetings,
My company makes us use AT&T Global Network Client on PCs to connect
remotely to their VPN. They offer absolutely no Mac support, and those of
us with Mac laptops are left out in the cold. I was wondering if anyone had
used this software as a replacement for the AT&T software, and if so how
did you set it up to work properly? Any help would be appreciated.
Work with IPSecuritas from the command line
Work with IPSecuritas from the command line
by sologroupmc on 2008-03-04 23:28:49 +0100
Is it possible to work with IPS from the command line?
We do a lot of remote terminal work and it would be nice to be able to
initiate/sever a connection using terminal. We could also then use bash
scripting to automate tasks.
Thanks!
Re: Work with IPSecuritas from the command line
by Forum Admin on 2008-03-04 23:35:46 +0100
Hello,
we were actually thinking about a command line version, but would
appreciate any input on the requirements of such a tool (how would you
want to use it etc.)
Christoph
Re: Work with IPSecuritas from the command line
by sologroupmc on 2008-03-05 00:12:35 +0100
A CLI version would be fantastic. I'll post some usage/feature requests
here, let me know if you would like me to post them elsewhere (issue
tracker, etc.)
We use IPS for some of our client installations of software, establishing a
VPN to our servers for subversion and file xfer access.
So for us, a typical use would be to create the SA, export to a file, deploy to
client workstation and configure IPS. It would be good if this was a CLI
procedure, but not critical. It would be nice to create a package installer
and deploy with ARD, or using SSH, but again, not critical.
The crucial part for us is deployment and updates to software. We would
like to ssh to the client machine (or have a script perform) a vpn connection
to our servers. then we could perform via CLI the svn updates, etc. When
done, we could tear-down the tunnel and close ssh.
So in this case, the CLI version would only have to create and tear-down the
tunnel. Some feedback on the connection would be good. But really, just
the basics to start out.
It would be much better for us to not have to use ARD/Timbuktu each time
we need to connect.
Thanks Christoph for a truly wonderful piece of software.
SonicWall connections
SonicWall connections
by megamiles on 2008-03-06 23:28:57 +0100
Hello all,
I am trying to make a connection to a SonicWall Pro Firewall (could be any
SonicWall Pro model, 2040, 3060 etc) using Lobomoto 3.1 on Mac 10.5.2
(Intel)
Have followed configurations, have correct VPN parameters etc, but fails
Phase 1.
Transcript of log follows if anyone can help......
Mar 06, 20:45:18 Info
APP Smart Environment Detection enabled
Mar 06, 20:45:18 Info
APP Smart Environment Detection: No
environment found, reconfiguration
Mar 06, 22:13:06 Info
Mar 06, 22:13:06 Info
Mar 06, 22:13:06 Info
APP IPSec started
Mar 06, 22:13:06 Info
APP Initiated connection XXXXX VPN
Mar 06, 22:13:06 Info
Mar 06, 22:13:06 Info
Mar 06, 22:13:06 Info
Mar 06, 22:13:06 Info
Mar 06, 22:13:13 Info
Mar 06, 22:13:20 Info
Mar 06, 22:13:27 Info
Mar 06, 22:13:34 Info
Mar 06, 22:13:34 Error IKE inappropriate sadb acquire message passed.
Mar 06, 22:13:39 Warning APP Connection XXXXX VPN timed out
Mar 06, 22:13:39 Warning APP Giving up
Mar 06, 22:14:47 Info
APP IPSec stopping
Mar 06, 22:14:48 Info
Mar 06, 22:14:48 Info
APP IPSec stopped
Have tried with VPN Tracker 5 in demo mode, and made a connection
immediately and could browse remote network, use the beta Microsoft RDP
client to link to a Windows Terminal Server.
Looked at VPN Tracker Log, and could see a lot of stuff going on, I can post
this if this would help find a solution.
Clearly, I would like to use the Lobotomo IPSecuritas
Thanks
Re: SonicWall connections
by cnadig on 2008-03-07 10:13:08 +0100
Hello,
setting the log level to debug (in IPSecuritas' preferences) will reveal more
information. From what I see in this log, there does not seem to be an
answer from the remote side, but the detailed log will give more
information on which part the negotiation fails.
Cheers,
Christoph
by megamiles on 2008-03-07 22:57:15 +0100
Hello Christophe,
Many thanks for the quick post.
A little bit of info, which may be obvious, the remote network and my home
network are NAT'ed
The remote network firewall is a SonicWall Pro 2040 (Enhanced software)
which has a public IP, which has been replaced with xxx.xxx.xxx.xxx, but
is reachable by the software.
As advised VPN Tracker 5 works straight of the bat, with the same Phase 1 /
Phase 2 settings and basic IP info. Also my Windows XP system (using the
SonicWall Global VPN Client) connects no problems.
Debug log is too long to attach, and exceeds the 5500 character limit...
please advise how to attach this. Can offer to send via e-mail as a PDF
Many thanks
by diwa on 2008-04-06 16:28:10 +0200
Hi,
since I am facing the same error, I am posting in this thread instead of
creating a new one.
I have a SonicWall Pro 230, to which I was able to connect using my
Macbook Pro running OS 10.4 and an older version of IPSecuritas.
After upgrading to Leopard (now 10.5.2), I was installing IPSecuritas 3.1
(Build 1860), but I fail to connect to my SonicWall.
As megamiles describes, I am able to connect using VPN Tracker 5 with the
same settings as for IPSecuritas...
Here's my debug-level log:
Apr 06, 16:20:16 Debug APP State change from IDLE to
Apr 06, 16:20:16 Info
Apr 06, 16:20:16 Info
Apr 06, 16:20:16 Debug APP State change from AUTHENTICATING to
Apr 06, 16:20:16 Info
APP IPSec started
Apr 06, 16:20:16 Debug APP Received SADB message type
Apr 06, 16:20:16 Debug APP Received SADB message type
Apr 06, 16:20:16 Info
Apr 06, 16:20:16 Info
Apr 06, 16:20:16 Info
Apr 06, 16:20:16 Info
Apr 06, 16:20:16 Info
Apr 06, 16:20:16 Debug IKE lifetime = 28800
Apr 06, 16:20:16 Debug IKE lifebyte = 0
Apr 06, 16:20:16 Debug IKE encklen=0
Apr 06, 16:20:16 Debug IKE p:1 t:1
Apr 06, 16:20:16 Debug IKE 3DES-CBC(5)
Apr 06, 16:20:16 Debug IKE SHA(2)
Apr 06, 16:20:16 Debug IKE 1024-bit MODP group(2)
Apr 06, 16:20:16 Debug IKE pre-shared key(1)
Apr 06, 16:20:16 Debug IKE hmac(modp1024)
Apr 06, 16:20:16 Debug IKE compression algorithm can not be checked
Apr 06, 16:20:16 Debug IKE parse successed.
Apr 06, 16:20:16 Debug IKE open /Library/Application
management.
Apr 06, 16:20:16 Info
(fd=6)
Apr 06, 16:20:16 Info
(fd=7)
Apr 06, 16:20:16 Debug IKE get pfkey X_SPDDUMP message
Apr 06, 16:20:16 Debug IKE 02120000 0f000200 01000000 bb050000
03000500 ff180000 10020000 c0a80200
Apr 06, 16:20:16 Debug IKE 00000000 00000000 03000600 ff200000
10020000 c0a800ca 00000000 00000000
by diwa on 2008-04-06 16:28:52 +0200
Apr 06, 16:20:17 Debug IKE suitable outbound SP found:
192.168.0.202/32[0] 192.168.2.0/24[0] proto=any dir=out.
Apr 06, 16:20:17 Debug IKE sub:0xbffff67c: 192.168.2.0/24[0]
192.168.0.202/32[0] proto=any dir=in
Apr 06, 16:20:17 Debug IKE db :0x108c28: 192.168.2.0/24[0]
192.168.0.202/32[0] proto=any dir=in
Apr 06, 16:20:17 Debug IKE suitable inbound SP found: 192.168.2.0/24[0]
192.168.0.202/32[0] proto=any dir=in.
Apr 06, 16:20:17 Debug IKE new acquire 192.168.0.202/32[0]
Apr 06, 16:20:17 Debug IKE (proto_id=ESP spisize=4 spi=00000000
Apr 06, 16:20:17 Debug IKE (trns_id=3DES encklen=0
authtype=hmac-sha)
Apr 06, 16:20:17 Debug IKE in post_acquire
Apr 06, 16:20:17 Debug IKE configuration found for 192.168.0.220.
Apr 06, 16:20:17 Info
IKE IPsec-SA request for 192.168.0.220 queued due
to no phase1 found.
Apr 06, 16:20:17 Debug IKE ===
Apr 06, 16:20:17 Info
192.168.0.202[500]<=>192.168.0.220[500]
Apr 06, 16:20:17 Info
Apr 06, 16:20:17 Debug IKE new cookie:
Apr 06, 16:20:17 Debug IKE 152f943f37bb765a
Apr 06, 16:20:17 Debug IKE use ID type of IPv4_address
Apr 06, 16:20:17 Debug IKE compute DH's private.
Apr 06, 16:20:17 Debug IKE 4cbdf7e5 6b3d95a2 7f74fb3b 4d59c9dc
546fbe97 846eb042 bfe382d0 bdd5067c
Apr 06, 16:20:17 Debug IKE f81af96f dfd5a1a3 f58077f7 988fe2fd
8ff2aa78 50e0337a 24f6b86f 2b798d08
Apr 06, 16:20:17 Debug IKE abddfc0a cb1b4eb6 37f49011 c10b8a79
be73ec5a 1c915b15 77b50d3c b6559693
Apr 06, 16:20:17 Debug IKE 188dff70 6348f6d0 74acd4bb 5492305f
334abeb5 5c801a01 19ea9fb0 eddd6fde
Apr 06, 16:20:17 Debug IKE compute DH's public.
Apr 06, 16:20:17 Debug IKE 0e2ce8b4 e7bd1302 a9be84f8 16c827b9
ab07327e e30199a7 efe2cd3c 345b2676
Apr 06, 16:20:17 Debug IKE cf97d6a5 73fcad2c 842e35b7 e9b27f77
03631fbd 112137f8 fd260e80 8a6c8c31
Apr 06, 16:20:17 Debug IKE 53b391fd 63179c33 0605f5a9 6f04b37e
aa375613 bf953f87 a1ba5ba7 9d5f956a
Apr 06, 16:20:17 Debug IKE a0bee2e3 0be905dd a9d801fb 3b3b45b8
419ac03e c6ed1d3f 5129fda7 d1ddc34d
Apr 06, 16:20:17 Debug IKE authmethod is pre-shared key
Apr 06, 16:20:17 Debug IKE add payload of len 48, next type 4
Apr 06, 16:20:17 Debug IKE 484 bytes from 192.168.0.202[500] to
by diwa on 2008-04-06 16:30:09 +0200
Apr 06, 16:20:17 Debug IKE 02060003 26000000 7a000000 00000000
03000500 ff200000 10020000 c0a800ca
Apr 06, 16:20:17 Debug IKE 00000000 00000000 03000600 ff200000
10020000 c0a800dc 00000000 00000000
Apr 06, 16:20:17 Debug IKE 02001200 02000200 9b000000 00000000
1c000d00 20000000 00030000 00000000
Apr 06, 16:20:17 Debug IKE 00010008 00000000 01000000 01000000
00000000 00000000 00000000 00000000
Apr 06, 16:20:17 Debug IKE 00000000 00000000 80510100 00000000
80700000 00000000 00000000 00000000
Apr 06, 16:20:17 Debug IKE 00040000 00000000 0001c001 00000000
01000000 01000000 00000000 00000000
Apr 06, 16:20:17 Debug IKE 00000000 00000000 00000000 00000000
80510100 00000000 80700000 00000000
Apr 06, 16:20:17 Debug IKE 00000000 00000000 000c0000 00000000
00010001 00000000 01000000 01000000
Apr 06, 16:20:17 Debug IKE 00000000 00000000 00000000 00000000
00000000 00000000 80510100 00000000
Apr 06, 16:20:17 Debug IKE 80700000 00000000 00000000 00000000
Apr 06, 16:20:17 Debug IKE ignore the acquire because ph2 found
Apr 06, 16:20:17 Debug IKE ===
Apr 06, 16:20:17 Debug IKE 360 bytes message received from
192.168.0.220[500] to 192.168.0.202[500]
Apr 06, 16:20:17 Debug IKE 152f943f 37bb765a 82a0c6e5 960b3c7c
01100400 00000000 00000168 04000034
Apr 06, 16:20:17 Debug IKE 00000001 00000001 00000028 01010001
00000020 01010000 80010005 80020002
Apr 06, 16:20:17 Debug IKE 80040002 80030001 800b0001 800c7080
0d000084 0f0d72dc 606be9c1 ec45b697
Apr 06, 16:20:17 Debug IKE 2aa873b0 a4ee9911 13047e1a aa28344a
c39d2792 51e4618c ec69b354 6af345f1
Apr 06, 16:20:17 Debug IKE 652b12ac f72b550b 1fc9f0c3 c888a710
14dbc636 5eebe9a7 ca885aad b0d0fbf3
Apr 06, 16:20:17 Debug IKE 933552e8 ec9cdbfe 6ec80536 548f9b3b
c5917c67 167a2680 73555427 37b5f211
Apr 06, 16:20:17 Debug IKE 92e08bc1 f8f11379 a74be7ba 6e7ccc17
8d3dc51d 82000014 4485152d 18b6bbcd
Apr 06, 16:20:17 Debug IKE 0be8a846 9579ddcc 82000018 fe2f1c61
46808848 594cf99a a084781f 31831a0a
Apr 06, 16:20:17 Debug IKE 0a000018 ec6f0e75 925e5b1e 682c239f
435d5834 032c003d 05000018 ad2b0f4d
Apr 06, 16:20:17 Debug IKE 3cc39629 0196fcaf 0f1711c2 5280ae2f
0d000014 03000000 30303430 31303138
Apr 06, 16:20:17 Debug IKE 36333631 0800000c 404bf439 522ca3f6
00000018 c348eaf2 8063e979 e5df3b17
Apr 06, 16:20:17 Debug IKE 3d890a8b 2f492be1
Apr 06, 16:20:17 Debug IKE begin.
Apr 06, 16:20:17 Debug IKE seen nptype=1(sa)
Apr 06, 16:20:17 Debug IKE seen nptype=4(ke)
Apr 06, 16:20:17 Debug IKE seen nptype=13(vid)
Apr 06, 16:20:17 Debug IKE seen nptype=130(nat-d)
Apr 06, 16:20:17 Debug IKE seen nptype=130(nat-d)
Apr 06, 16:20:17 Debug IKE seen nptype=10(nonce)
Apr 06, 16:20:17 Debug IKE seen nptype=5(id)
Apr 06, 16:20:17 Debug IKE seen nptype=13(vid)
Apr 06, 16:20:17 Debug IKE seen nptype=8(hash)
Apr 06, 16:20:17 Debug IKE succeed.
Apr 06, 16:20:17 Info
IKE received Vendor ID: draft-ietf-ipsec-nat-tike-00
Apr 06, 16:20:17 Debug IKE received unknown Vendor ID
Apr 06, 16:20:17 Debug IKE 404bf439 522ca3f6
by diwa on 2008-04-06 16:31:17 +0200
Apr 06, 16:20:17 Debug IKE hashtype = SHA:SHA
Apr 06, 16:20:17 Debug IKE authmethod = pre-shared key:pre-shared key
Apr 06, 16:20:17 Debug IKE dh_group = 1024-bit MODP group:1024-bit
MODP group
Apr 06, 16:20:17 Debug IKE an acceptable proposal found.
Apr 06, 16:20:17 Debug IKE hmac(modp1024)
Apr 06, 16:20:17 Debug IKE agreed on pre-shared key auth.
Apr 06, 16:20:17 Info
IKE Selected NAT-T version: draft-ietf-ipsec-nat-tike-00
Apr 06, 16:20:17 Info
Apr 06, 16:20:17 Debug IKE hash(sha1)
Apr 06, 16:20:17 Info
IKE NAT-D payload #-1 verified
Apr 06, 16:20:17 Info
Apr 06, 16:20:17 Info
IKE NAT-D payload #0 verified
Apr 06, 16:20:17 Info
IKE NAT not detected
Apr 06, 16:20:17 Debug IKE compute DH's shared.
Apr 06, 16:20:17 Debug IKE bab5179f 23f21b7d 0a451794 63586729
19364cdf 824ec5c4 bd6bc3c9 37ff151c
Apr 06, 16:20:17 Debug IKE db6ca3ec d525de68 71ca6cbf d738e5db
8ccb7028 951eefcb 44e56113 ecc0aed7
Apr 06, 16:20:17 Debug IKE 57c4ecf1 e3a43504 921734ec 8ef93f5b
d8f127b0 f8016084 ed2c3a7a 80b119f5
Apr 06, 16:20:17 Debug IKE 30d6ad5c 71a4c038 5caad69d c487b164
c8b84613 f07398a0 4442ad9e fa242f92
Apr 06, 16:20:17 Info
IKE couldn't find the proper pskey, try to get one by
the peer's address.
Apr 06, 16:20:17 Debug IKE the psk found.
Apr 06, 16:20:17 Debug IKE psk: 2008-04-06 16:20:17: DEBUG2:
Apr 06, 16:20:17 Debug IKE 4c656e6e 61726439 39
Apr 06, 16:20:17 Debug IKE nonce 1: 2008-04-06 16:20:17: DEBUG:
Apr 06, 16:20:17 Debug IKE ce256712 97667fd8 9deaf391 8e9903e2
Apr 06, 16:20:17 Debug IKE nonce 2: 2008-04-06 16:20:17: DEBUG:
Apr 06, 16:20:17 Debug IKE ad2b0f4d 3cc39629 0196fcaf 0f1711c2
5280ae2f
Apr 06, 16:20:17 Debug IKE hmac(hmac_sha1)
Apr 06, 16:20:17 Debug IKE SKEYID computed:
Apr 06, 16:20:17 Debug IKE af696726 5a8b7477 7168bc1a f926fd04
cd546421
Apr 06, 16:20:17 Debug IKE SKEYID_d computed:
Apr 06, 16:20:17 Debug IKE 60d88d5f addadb88 29f703ed c950571f
61db2d67
Apr 06, 16:20:17 Debug IKE SKEYID_a computed:
Apr 06, 16:20:17 Debug IKE ffd3212f 9167c672 2666decb 2115b219
f4bfe04c
Apr 06, 16:20:17 Debug IKE SKEYID_e computed:
Apr 06, 16:20:17 Debug IKE 4c17b236 dbd6f454 92233793 f54a27aa
91dcbf1d
Apr 06, 16:20:17 Debug IKE encryption(3des)
Apr 06, 16:20:17 Debug IKE len(SKEYID_e) < len(Ka) (20 < 24), generating
long key (Ka = K1 | K2 | ...)
Apr 06, 16:20:17 Debug IKE compute intermediate encryption key K1
Apr 06, 16:20:17 Debug IKE 00
Apr 06, 16:20:17 Debug IKE 71689e10 67bbc8f4 f659fab4 42669621
9626574c
by diwa on 2008-04-06 16:32:04 +0200
Apr 06, 16:20:17 Debug IKE HASH (init) computed:
Apr 06, 16:20:17 Debug IKE c348eaf2 8063e979 e5df3b17 3d890a8b
2f492be1
Apr 06, 16:20:17 Debug IKE HASH for PSK validated.
Apr 06, 16:20:17 Debug IKE ===
Apr 06, 16:20:17 Debug IKE generate HASH_I
Apr 06, 16:20:17 Debug IKE HASH with:
Apr 06, 16:20:17 Debug IKE 0e2ce8b4 e7bd1302 a9be84f8 16c827b9
ab07327e e30199a7 efe2cd3c 345b2676
Apr 06, 16:20:17 Debug IKE cf97d6a5 73fcad2c 842e35b7 e9b27f77
03631fbd 112137f8 fd260e80 8a6c8c31
Apr 06, 16:20:17 Debug IKE 53b391fd 63179c33 0605f5a9 6f04b37e
aa375613 bf953f87 a1ba5ba7 9d5f956a
Apr 06, 16:20:17 Debug IKE a0bee2e3 0be905dd a9d801fb 3b3b45b8
419ac03e c6ed1d3f 5129fda7 d1ddc34d
Apr 06, 16:20:17 Debug IKE 0f0d72dc 606be9c1 ec45b697 2aa873b0
a4ee9911 13047e1a aa28344a c39d2792
Apr 06, 16:20:17 Debug IKE 51e4618c ec69b354 6af345f1 652b12ac
f72b550b 1fc9f0c3 c888a710 14dbc636
Apr 06, 16:20:17 Debug IKE 5eebe9a7 ca885aad b0d0fbf3 933552e8
ec9cdbfe 6ec80536 548f9b3b c5917c67
Apr 06, 16:20:17 Debug IKE 167a2680 73555427 37b5f211 92e08bc1
f8f11379 a74be7ba 6e7ccc17 8d3dc51d
00000001 00000001 00000028 01010001
Apr 06, 16:20:17 Debug IKE 00000020 01010000 800b0001 800c7080
80010005 80030001 80020002 80040002
Apr 06, 16:20:17 Debug IKE 011101f4 c0a800ca
Apr 06, 16:20:17 Debug IKE HASH (init) computed:
Apr 06, 16:20:17 Debug IKE f3a7b6cf 36279e72 6dec6ac3 7fa23fac
f00ec507
Apr 06, 16:20:17 Info
Apr 06, 16:20:17 Info
Apr 06, 16:20:17 Info
Apr 06, 16:20:17 Debug IKE 100 bytes from 192.168.0.202[500] to
192.168.0.220[500]
Apr 06, 16:20:17 Debug IKE sockname 192.168.0.202[500]
Apr 06, 16:20:17 Debug IKE send packet from 192.168.0.202[500]
Apr 06, 16:20:17 Debug IKE send packet to 192.168.0.220[500]
Apr 06, 16:20:17 Debug IKE 1 times of 100 bytes message will be sent to
192.168.0.220[500]
08100400 00000000 00000064 82000018
Apr 06, 16:20:17 Debug IKE f3a7b6cf 36279e72 6dec6ac3 7fa23fac
f00ec507 82000018 ec6f0e75 925e5b1e
Apr 06, 16:20:17 Debug IKE 682c239f 435d5834 032c003d 00000018
fe2f1c61 46808848 594cf99a a084781f
Apr 06, 16:20:17 Debug IKE 31831a0a
Apr 06, 16:20:17 Debug IKE compute IV for phase2
Apr 06, 16:20:17 Debug IKE phase1 last IV:
Apr 06, 16:20:17 Debug IKE e45ad0b6 44d229a5 bcdf2e11
Apr 06, 16:20:17 Debug IKE encryption(3des)
Apr 06, 16:20:17 Debug IKE phase2 IV computed:
Apr 06, 16:20:17 Debug IKE c6fc9684 98910dcf
by megamiles on 2008-04-06 16:47:07 +0200
Hello Diwa,
Thanks for the contribution. I have in fact sent a copy of my full debug log
to the Lobotomo support e-mail, as I faced a post log limit. Clearly I could
have spanned a few reply posts as you did ;)
It would be good to know if OS X 10.5.2 can be made to work with
SonicWall Pro devices as this could point to problems with the OS. Other
posts seem to imply 10.4.x was OK, and only Leopard users have problems.
As stated, VPN Tracker 5 does work, but uses its own XAUTH extended
authentication routine, so this is where I suspect problems are for
Lobotomo. Only problem now is my evaluation phase on VPN Tracker has
finished, so I'm back connecting via a Windows box :(
Some relief may be hand, if your SonicWall Pro is connected to a SonicWall
SSL Appliance. Firmware version 2.5 (released 22 October 07) allows Mac
OS X to also use NetExtender.
It would seem the problem can be solved as VPN Tracker does work. If the
developers need a SonicWall Pro box to try and connect to, let me know and
I will see what can be done.
Many thanks, megamiles
by diwa on 2008-04-06 17:10:54 +0200
[quote author=megamiles link=1204842537/0#8 date=1207493227]
As stated, VPN Tracker 5 does work, but uses its own XAUTH extended
authentication routine, so this is where I suspect problems are for
Lobotomo.
[/quote]
I unmarked the "Use Extended Authentication" box...
[quote author=megamiles link=1204842537/0#8 date=1207493227]
Some relief may be hand, if your SonicWall Pro is connected to a SonicWall
SSL Appliance.
[/quote]
My SonicWall is connected to a Netgear DG834GB WLAN DSL ROUTER
But It doesn't matter.
VPN using IPSecuritas is not working if I try to connect from the Internet,
nor if I connect the WAN-Port of the sonicwall to my LAN...
Ciao
Dirk
by megamiles on 2008-04-06 17:36:30 +0200
Hello Diwa,
Just comparing my VPN Tracker 5 logs when connection to the company
SonicWall Pro, does show that there is an extended authentication phase
occurring, so I concluded it is necessary to check this option.
The SonicWall SSL Appliance, is another 19" rack unit that sits with the
SonicWall Pro Firewall, and hands off the SSL activity to the SSL Appliance
box. Its not an attractive solution, and I just don't know why the basic
SonicWall Pro's can be updated (firmwave and some $$$) to run IPSec or
SSL. It just seems to me the SSL Appliance is away of getting more $$$.
Anyway, this does not resolve the Lobotomo connection issues via IPSec to
a SonicWall Pro.
It would be good to know if anyone has been successful using OS X 10.5.x
(10.5.2 ideally)
by cshander on 2008-04-08 05:20:09 +0200
I am using a Sonicwall Pro 2040 v3.1.5.0-2s firmware with IP Securitas 3.1
on Mac OS 10.5.2 successfully. I found it very difficult to get the right
combination of settings for this to work, but have it working so I took
screenshots of all the related Sonicwall pages and the IP Securitas config. If
you want, you can download the screenshots here:
http://idisk.mac.com/cshander/Public/VPN%20Screenshots.zip
I hope this helps.
by diwa on 2008-04-08 08:29:37 +0200
[quote author=cshander link=1204842537/0#11 date=1207624809]
If you want, you can download the screenshots here:
I hope this helps.[/quote]
I am asked to enter a username and password for the zip on mac.com...
Thanks
Dirk
by megamiles on 2008-04-08 15:16:57 +0200
Hello cshander,
Also having the same trouble as Diwa, needing user & password to access...
I would be good to understand just what setting you had used.
by diwa on 2008-04-15 09:33:07 +0200
Sorry for moving this up, without anything new from my side...
cshander, could you please provide us the password for your idisk?
Or is there anything, I can do to help solving this problem?
Thanks
Dirk
by megamiles on 2008-04-15 17:58:22 +0200
Hello cshander,
Just adding to Dirk's / diwa request to have a look at your config settings.
Your iDisk is locked, so neither of us can access. Please if you can shed
light on the tricks you used to connect to a SonicWall box it would be very
much appreciated.
I am sure that both Dirk and I are in the same boat, along with many other
SonicWall Pro users !
by gofuse on 2008-04-15 20:07:45 +0200
Just adding to this issue. I'm also having similar connection problems
connecting to SonicWall 3060 on os 10.5.2. Works fine with VPN Tracker 5.
Would be great if we can view the screenshots and recommend a solution.
by diwa on 2008-04-16 22:20:54 +0200
Hi and Guten Abend ;-)
I was able to establish a connection to my SonicWALL Pro 320...
I changed the "Entfernter Endpunkt" Mode in the "General" Tab from
"Network" to host - and put in an IP address from the remote network...
The Tunnel is also comming up, if I set the Mode to "Networks" and put in
the "real" network, here 192.168.0.0/24 and a not existing one like
192.168.1.0/24...
If I remove the non existing one, the tunnel not came up...
Ciao
dirk
by diwa on 2008-04-17 13:00:28 +0200
I could start crying... :'(
Yesterday it worked, but today it doesn't...
Needless to say, that I didn't changed anything.
Ciao
Dirk
by cshander on 2008-05-14 23:51:31 +0200
Thanks to a user emailing me and letting me know I had a password on the
screenshots, I went and removed the password. I am sorry to those who
tried to download the file - I thought I had set the file as public AND I
thought I set my preferences to notify me when replies were posted to this
thread...
Here is the link again:
One note of caution. My company just installed the latest firmware update
for our sonicwall pro 2040 going from v3 to v4 and now these settings do
not work. I have been unable to get a connection with the v4 firmware, and
tried varying settings with no luck "yet"...
by diwa on 2008-05-15 19:08:57 +0200
[quote author=cshander link=1204842537/15#19 date=1210801891]
Here is the link again:
[/quote]
Now it worked
Thanks.
These settings look a little bit different then mine (because of a different
sonicwall), but basicly I do have the same settings in
encryption/authentication etc.
While playing around a little bit, I found, that my parallels installation forces
some problems.
I have the parallels NAT-Adapter active and set to DHCP.
This adapter will keep the ip-address - and if this has been one from the
same subnet as my internal one, ipSecuritas cannot establish a tunnel...
I have to deactivate the adapter manually to get the tunnel established.
Ciao
dirk
Netgear DG834v2 setup
Netgear DG834v2 setup
by bergert on 2008-03-09 13:26:24 +0100
hello,
Finally, I managed to get a connection to my 834. But the connection only
remains up for a few minutes (60 seconds ?) and then stops to work. As
soon as I restart IPSecuritas it comes back, but only for a minute or so. I
check using PING and TRACEROUTE.
NOTE to other Netgear users:
- dont try to use SHA-1; it does not work, use MD5
- using FQDN user strings did not work for me; this is why I am using IPs
now
Can anybody offer suggestions ?
thanks,
Tom
1) My setup:
MacMini on pulic IP (IP securitas) <-- Internet --> DG834v2 (ADSL2+,
dyndns IP)
2) DG834 Configuration:
Remote IP, single address, MacMini
Local subnet, 192.168.1.0
IKE: Initiater and Responder
Mode: Main-Mode
DH Group: 2 (1024)
Local ID: WAN IP
Remote IP: IP Address
Encryption: DES
Authentication: MD5
sa Life time: 28800
PFS Enabled
3) Logs:
Mar 09, 05:01:48 Info
Mar 09, 05:01:48 Info
Mar 09, 05:01:48 Info
Mar 09, 05:01:48 Info
Mar 09, 05:01:55 Info
APP Initiated connection Netgear
Mar 09, 05:01:56 Error IKE not support transform-id=9 in ESP.
Mar 09, 05:02:01 Error IKE failed to pre-process packet.
Log from Netgear DG834
Sun, 2008-03-09 12:01:29 - [USA] initiating Main Mode
Feature Request: Setting the MTU on start
Feature Request: Setting the MTU on start
by next2you on 2008-03-13 11:02:34 +0100
Hi,
my VPN will only work reliably when I set the MTU on my airport (en1) to
1400 (instead of 1500).
I have to do a sudo ifconfig en1 mtu 1400 every time before starting up the
VPN.
I haven't found an easy way to make this stick on the OSX level besides the
Terminal or
writing my own startup script. Would there be a way to incoroprate this into
IPSecuritas?
Or am I the rare case of MTU performance problem?
Christian
P.S.: In the consequence I suspect my mobile account freezes after the sudo
if the VPN is up and "unreliable" and the
computer is already bound to the OSX Server (10.5, OpenDirectory)
IPSecuritas reports 'Not Connected to daemon"
IPSecuritas reports 'Not Connected to daemon"
by rooney1111 on 2008-03-13 22:43:03 +0100
I am running OS 10.5.2 with latest version of IPSec. It works perfectly to 2
separate sites for a day or two then breaks. Now when I launch it it reports
"Not connected to daemon" and all I can do is Force Quit. If I uninstall and
re-install/setup it works again for a couple of days then breaks again. Is
there a command line to re-connect it to the daemon or re-start the
daemon, or any other ideas appreciated. When it works it's just great!
Linksys WRVS4400N firmware 1.1.03 woes
Linksys WRVS4400N firmware 1.1.03 woes
by jfippin on 2008-03-14 02:11:39 +0100
Thanks to the wizard, I had been able to set up a VPN tunnel successfully
between my MacBook Pro and the Linksys. That is, until I updated the
firmware on the Linksys to the current version 1.1.03.
Now, I can't get past Phase 1 for love nor money. I completely reset the
Linksys to factory defaults after the firmware upgrade, and then manually
set up the tunnel, but no joy. I've spent far too many hours on this already,
tweaking everything I can think of. Anybody had success with this new
firmware? I could revert to 1.0.16, but there are a couple new non-VPN
capabilities in the new release that I'd like to hang on to.
For the time being, Hamachi is getting me through, but I'd really like to
have my Linksys tunnel back!
Thanks in advance for any insight.
Problems connecting to Draytek 2800
Problems connecting to Draytek 2800
by macfanguy on 2008-03-17 22:10:11 +0100
Okay, 5 hours into it, I'm getting a bit frustrated... I have setup several
Drayteks in combination with IPS, specifically 2 2900's and 3 2510's. I
recently installed 2 2800's, and guess what... I cannot get VPN to work! For
the first time in 4 years... The 2800's are updated with the latest firmware
(2.8).
I have off course set up the Draytek's the way I have allways done so, and
the same goes for IPS. As this didn't work , I re-read the instructions for
setup, even though these are for an older FW-version. Used the Wizard
instead of manually entering the settings, just in case I missed something,
but no go. Downloaded VPN Tracker (Sorry! ;-) ) just to test, and used their
wizard, exactly the same problem. There error tells me that it at least gets
past Phase one, which I can confirm, as IPS's log gives no time-out waiting
for Phase 1.
Having traced it to phase 2, I changed all settings, turning things on and
off. Having read some post here, tried changing the Endpoint Mode, and
turning NAT on and off... No luck. I'm lost!
As I am not on site, I have no way of using Draytek's Syslog tools to check
the Draytek end of the VPN setup, not even sure if it will show anything
worthwhile.
Off-course, I have log output, should anybody be interested. I just don't
inderstand enough of IPSec's process to figure out where it goes wrong.
Any help is greatly appreciated!
Re: Problems connecting to Draytek 2800
by macfanguy on 2008-04-17 12:15:11 +0200
Doesn't anybody have ANY clue... :o
I'm almost desperate here, and Draytek support is wel, Draytek support. :'(
Sonicwall TZ170
Sonicwall TZ170
by mcclint on 2008-03-24 14:39:40 +0100
I'm trying to get IPSecuritas to work with a Sonicwall TZ170. I've gone
through the router's VPN setup line by line and every setting is identical to
how I have the IPSecuritas connection file setup but every time I try to
establish a connection I get "No Proposal Chosen". I've tried using the
IPSecuritas connection wizard for the TZ170 but that doesn't work either.
As a test I used the demo version of VPNtracker and it actually works! So I
compared the settings in VPNTracker to how I have IPSecuritas setup and
once again, they are identical. Is there some magic, hidden button I need to
click in IPSecuritas to make it work with this router? I have no problems
getting it to work with a ZyWall 35.
Re: Sonicwall TZ170
by next2you on 2008-04-02 15:03:12 +0200
Just to assure you, IPSecuritas plus TZ170 works fine for me.
I've configured the Group VPN with IKE using Preshared Secret, the proposal
is group2, 3DES, SHA1, LIfetime 28800 seconds,
IPSEc Phase 2 is ESP, 3DES and SHA1, perfect forward secrecy is not enabled
and the lifetime is 28800.
In the advanced section it is only "Forward packets to removte VPNs
checked, I'm also using client authentication using XAuth, but that is
probably a few steps later.
Christian
Re: Sonicwall TZ170
by bertg on 2008-04-14 17:50:10 +0200
Hi,
I tried and tried and in the log of the TZ170, I keep getting this:
6
UTC 04/14/2008 15:11:10.048
IKE Responder: IPSec proposal
does not match (Phase 2)
Pleas see this flash movie for what I did:
[URL=http://www.hotshare.net/flash
/49209-4764030799.html]IPSecuritas.swf (1.00 MB)[/URL]
(right click on video and uncheck "Play" to pause...)
DHCP is NOT enabled in the TZ170.
As you see in the PNG screenshot below, locally the TZ170 sits on IP
address 10.0.0.2:
[img]http://i26.tinypic.com/332m8ae.png[/img]
What am I doing wrong?
I thank you in advance,
Bert
Re: Sonicwall TZ170
by cnadig on 2008-04-15 08:58:51 +0200
Hello Bert,
in the logs you sent me I can see that phase 1 is completed successfully,
but phase 2 fails with no proposal chosen (meaning the settings on both
sides for phase 2 don't match). Please change the remote network to
10.0.0.0/24 instead of 10.0.0.2/25 and disable PFS in phase 2 in
IPSecuritas (or enable it on the firewall and set it to group 1).
Hope this helps,
Christoph
Re: Sonicwall TZ170
by rpc_rodgers on 2008-05-23 01:52:37 +0200
Several colleagues and I have been working with IPSecuritas 3.1 (Build
1860) under Mac OS X 10.5.2, going against a SonicWall TX 170 SP.
We have succeeded in connecting, but never with XAUTH enabled.
We were particularly helped by the 12 June 2007 posting of sibble-comp. I
want to contact him and lobotomo support, but this
forum apparently requires at least one posting to allow personal
messages to be sent to other members, which prompts this posting.
If anyone has pointers to very precise setup instructions for this
configuration, or is willing to engage us via email or over the phone,
we'd be grateful to hear from you! Good luck to all...
Re: Sonicwall TZ170
by sibble-comp on 2008-05-25 00:34:16 +0200
What's the question you have rpc_rodgers? Ironic that I just happened to be
checking this forum a day later.
Racoon with NAT-T?!
Racoon with NAT-T?!
by .guru on 2008-03-25 07:42:59 +0100
I am really trying hard to compile racoon by hand from the sources. I am
close to breakthrough, but I still have problems with NAT-T support... it
does not let me set --enable-natt while compiling? How do you handle
this?
Help With WatchGuard Firebox...
Help With WatchGuard Firebox...
by mikemiller on 2008-03-27 17:53:55 +0100
Hi guys,
I'm a bit new to OSX and to IPSec in general, so please bear with me being
dumb and slow. We're a design/development house in the UK and currently
have a mix of OSX and Windows boxes. We bought a new MacBook as the
support laptop with the plan being to run Bootcamped Windows and OSX on
it. I've used MUVPN in the windows partition to connect to our
[b]WatchGuard Firebox Edge X15[/b] using the wgx file that is produced via
the Firebox configuration. This works fine.
I then stumbled upon IPSecuritas and tried to get this working in the OSX
partition. I downloaded the Help PDF and noticed that there is a desktop
configuration program being used and not the web interface I am lumped
with. I've tried to work through the instructions via the web interface,
however it is quite different and I got nowhere, if anyone could offer any
help it would be greatly appreciated.
Mike.
Re: Help With WatchGuard Firebox...
by itsm-support on 2008-04-03 14:55:34 +0200
I use MUVPN for Windows, too. I configured IPSecuritas like it was described
in the Help PDF. If you change the Mode to "Aggressive" the connection will
work. But after 9 minutes the VPN connection disconnect and you must
connect again. Maybe anybody can help me with this problem. Here the
Log-File:
Mar 29, 15:48:33 Info
Mar 29, 15:48:33 Info
Mar 29, 15:48:33 Info
APP IPSec started
Mar 29, 15:48:33 Info
IKE @(#)ipsec-tools CVS
(http://ipsec-tools.sourceforge.net)
Mar 29, 15:48:33 Info
Mar 29, 15:48:33 Info
IKE Reading configuration from
"/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Mar 29, 15:48:33 Info
Mar 29, 15:48:33 Info
APP Initiated connection Sogeti
Mar 29, 15:48:33 Error IKE inappropriate sadb acquire message passed.
Mar 29, 15:48:33 Info
IKE couldn't find the proper pskey, try to get
one by the peer's address.
Mar 29, 15:51:32 Error IKE unhandled notify message 32768, no phase2
handle found.
handle found.
handle found.
Re: Help With WatchGuard Firebox...
by itsm-support on 2008-04-09 12:22:23 +0200
I activate the debug modus and I can see there is something else:
Apr 08, 20:36:39 Debug IKE 68 bytes message received from
xxx.xxx.xxx.xxx[4500] to 192.168.178.11[4500]
Apr 08, 20:36:39 Debug IKE 83859376 97274c48 97a06b3f 69fbb063
08100501 5eb31459 00000044 59f7af51
Apr 08, 20:36:39 Debug IKE 22633302 54ff1026 ce420ca5 299bd048
9c5ee278 d0466696 aa0ed8ff 6d2316fd
Apr 08, 20:36:39 Debug IKE d22166ea
Apr 08, 20:36:39 Debug IKE receive Information.
Apr 08, 20:36:39 Debug IKE compute IV for phase2
Apr 08, 20:36:39 Debug IKE phase1 last IV:
Apr 08, 20:36:39 Debug IKE 14465d4d fc06e38c 5eb31459
Apr 08, 20:36:39 Debug IKE encryption(des)
Apr 08, 20:36:39 Debug IKE phase2 IV computed:
Apr 08, 20:36:39 Debug IKE 9b3e8f1b 56a79fb0
Apr 08, 20:36:39 Debug IKE begin decryption.
Apr 08, 20:36:39 Debug IKE IV was saved for next processing:
Apr 08, 20:36:39 Debug IKE 6d2316fd d22166ea
Apr 08, 20:36:39 Debug IKE with key:
Apr 08, 20:36:39 Debug IKE 898b0884 a7c0c219
Apr 08, 20:36:39 Debug IKE decrypted payload by IV:
Apr 08, 20:36:39 Debug IKE 9b3e8f1b 56a79fb0
Apr 08, 20:36:39 Debug IKE decrypted payload, but not trimed.
Apr 08, 20:36:39 Debug IKE 0b000018 c0e4c815 102335ab 338e0b64
2aefba42 06bf0b24 0000000c 00000001
Apr 08, 20:36:39 Debug IKE 01008000 00000000
Apr 08, 20:36:39 Debug IKE padding len=1
Apr 08, 20:36:39 Debug IKE skip to trim padding.
Apr 08, 20:36:39 Debug IKE decrypted.
Apr 08, 20:36:39 Debug IKE 83859376 97274c48 97a06b3f 69fbb063
08100501 5eb31459 00000044 0b000018
Apr 08, 20:36:39 Debug IKE c0e4c815 102335ab 338e0b64 2aefba42
06bf0b24 0000000c 00000001 01008000
Apr 08, 20:36:39 Debug IKE 00000000
Apr 08, 20:36:39 Debug IKE IV freed
Apr 08, 20:36:39 Debug IKE HASH with:
Apr 08, 20:36:39 Debug IKE 5eb31459 0000000c 00000001 01008000
Apr 08, 20:36:39 Debug IKE HASH computed:
Apr 08, 20:36:39 Debug IKE c0e4c815 102335ab 338e0b64 2aefba42
06bf0b24
Apr 08, 20:36:39 Debug IKE hash validated.
Apr 08, 20:36:39 Debug IKE begin.
Apr 08, 20:36:39 Debug IKE seen nptype=8(hash)
Apr 08, 20:36:39 Debug IKE seen nptype=11(notify)
Apr 08, 20:36:39 Debug IKE succeed.
Apr 08, 20:36:39 Error IKE unhandled notify message 32768, no phase2
handle found.
After 3 times all 3 minutes
Apr 08, 20:48:43 Debug
Apr 08, 20:48:43 Debug
Apr 08, 20:48:44 Debug
Apr 08, 20:48:44 Debug
Apr 08, 20:48:46 Debug
Apr 08, 20:48:46 Debug
Apr 08, 20:48:46 Debug
Apr 08, 20:48:46 Debug
(maybe Entourage checks for emails) i get this:
IKE msg 5 not interesting
IPSecuritas 3.1 with Fortigate 3.0
IPSecuritas 3.1 with Fortigate 3.0
by edcor123 on 2008-04-01 15:57:11 +0200
Hi all,
Did some succeed to connect IPSEcuritas 3.1 to a Fortigate V3.0 IOS release
?
I need to connect a couple of users with dynamic IP Adress
The Fortigate has a public IP address but I can make it work (even after
several tests)
I tried to activate Xauth and IPSEC DHCP with no success ....
Is someone able to send me back some config ?
Thanks
Re: IPSecuritas 3.1 with Fortigate 3.0
by edcor123 on 2008-04-01 16:01:04 +0200
... for a best description;
The Fortigate is configured in NAT mode
LAN IP address: 192.168.3.1 /24
IP WAN address: 195.115.112.56 /29
Do I need to activate Xauth in the Fortigate?
Do I need to configure Xauth-PSK on IPSecuritas?
Do I need to force NAT-T since users are behind ADSL routers ?
Thanks for any tip.
Re: IPSecuritas 3.1 with Fortigate 3.0
by lleung on 2008-05-02 04:56:19 +0200
[quote author=edcor123 link=1207058231/0#1 date=1207058464]... for
a best description;
The Fortigate is configured in NAT mode
LAN IP address: 192.168.3.1 /24
IP WAN address: 195.115.112.56 /29
Do I need to activate Xauth in the Fortigate?
Do I need to configure Xauth-PSK on IPSecuritas?
Do I need to force NAT-T since users are behind ADSL routers ?
Thanks for any tip.[/quote]
No,
No,
Yes.
Also something to note. Evidently firmware 3.0 MR5 and MR6 broke xauth
compatibility with IP securitas.
Linksys WRVS4400N - No connection
Linksys WRVS4400N - No connection
by ravensolutions on 2008-04-02 04:09:09 +0200
Hi - running 10.5.2, and have tried everything I can to get a working VPN
connection. IPSecuritas is my last straw... What's odd is that I was able to
connect using the Linksys QuickVPN on the same Mac running Windows
Vista under VMWare, so I know that this should work. I chose the Linksys
WRVS4400N from the wizard and added what I believed to be the correct
settings. Here's the regular log:
Apr 01, 20:01:16 Info
Apr 01, 20:01:16 Info
Apr 01, 20:01:16 Info
APP IPSec started
Apr 01, 20:01:16 Info
Apr 01, 20:01:16 Info
Apr 01, 20:01:16 Info
Apr 01, 20:01:16 Info
Apr 01, 20:01:16 Info
APP Initiated connection MAHVPN
Apr 01, 20:01:16 Error IKE inappropriate sadb acquire message passed.
Apr 01, 20:01:23 Info
Apr 01, 20:01:30 Info
Apr 01, 20:01:37 Info
Apr 01, 20:01:44 Info
Apr 01, 20:01:46 Error IKE phase1 negotiation failed due to time up.
68b4db46769c3ccf:0000000000000000
Apr 01, 20:01:49 Warning APP Connection MAHVPN timed out
Apr 01, 20:01:49 Warning APP Giving up
Apr 01, 20:02:04 Info
APP IPSec stopping
Apr 01, 20:02:05 Info
Apr 01, 20:02:05 Info
APP IPSec stopped
I'd send the debug log if I had enough space. ANY help would be
appreciated.
Steve
Trying to get set up
Trying to get set up
by andy on 2008-04-04 14:22:02 +0200
MacbookPro/Core 2duo/Leopard 10.5.2
Local (me) [ch8594]wireless[ch8594] my Local gateway (Netgear DG834G)
[ch8594] work remote (Netgear DGFV338) [ch8594] subnet 192.168.0.0/24
The remote gateway has an auto policy setup for a local VPN client
When I try to log in I get:
Apr 04, 13:12:08 Info
Apr 04, 13:12:08 Info
Apr 04, 13:12:08 Info
APP IPSec started
Apr 04, 13:12:08 Info
Apr 04, 13:12:08 Info
Apr 04, 13:12:08 Info
Apr 04, 13:12:08 Info
Apr 04, 13:12:08 Info
APP Initiated connection CHHomer
Apr 04, 13:12:15 Info
Apr 04, 13:12:22 Info
Apr 04, 13:12:29 Info
Apr 04, 13:12:36 Info
Apr 04, 13:12:41 Warning APP Connection CHHomer timed out
Apr 04, 13:12:41 Warning APP Giving up
Am I close or don't I know what I'm doing? :o
Anyone's wisdom would be gratefully received
Cheers
Andy
Limit in number of connection
Limit in number of connection
by fabien.magagnosc on 2008-04-08 19:00:35 +0200
Actually, I'm using IPSecuritas (thanks a lot for this beautiful software) to
connect to my company VPN ... but the fact is that we have a lot of VPN ...
and actually, after 5 connections within one profile, the lastest connection
is always not configured in racoon.conf, and not started (stay in red in the
menubar item list)
Is there any limitation in term of conccurent VPN running, if no, how can i
force IPsecuritas to open more connection as needed ?
Thanks a lot,
Fabien.
cant connect
cant connect
by Flare on 2008-04-08 19:17:30 +0200
Hello,
i have a strange problem. btw im new to mac.
i have 2x the same macbookpro.. same model etc.
i installed ipsecuritas on one of them and it works fine..i can connect to my
branchoffice firewall.
on the other macbookpro i got a problem.. i installed and configured it the
same way.
i taked a look at the protocoll at this is all what i see.
nothing more.. the light is red and nothing happens..
whats wrong here.. i take a look at the taskmanager and i see that no
ipsecurtasdaemon is running..
very strange .. can someone help me
Apr 04, 13:12:08 Info
Apr 04, 13:12:08 Info
Apr 04, 13:12:08 Info
APP IPSec started
Apr 04, 13:12:08 Info
Apr 04, 13:12:08 Info
Apr 04, 13:12:08 Info
Apr 04, 13:12:08 Info
greets
rene
Re: cant connect
by Flare on 2008-04-11 07:49:22 +0200
hello,
found the problem,
there was a vmnet8 interface configured with the same adress as the
destinationnetwork.
now it works.
greets rene
Re: cant connect
by noidea on 2008-07-23 04:47:20 +0200
Hello Rene,
Can you explain how you resolved this issue is a bit more? I am totally new
to this and I am having the same problem but I don't know how to fix it.
Jul 22, 22:40:50 Info
Jul 22, 22:40:50 Info
Jul 22, 22:40:50 Info
APP IPSec started
Jul 22, 22:40:50 Info
Jul 22, 22:40:50 Info
Jul 22, 22:40:50 Info
Jul 22, 22:40:50 Info
Jul 22, 22:40:50 Info
XAUTH + RSA Status?
XAUTH + RSA Status?
by yongel on 2008-04-11 21:16:31 +0200
Hello,
as I am currently investigating IPSecuritas to serve as my default MAC OS
VPN client, I'm very interested what the implementation status auf XAUTH +
RSA is?
I found an older thread where you offered a 3.1.1 Prerelease that should be
able to handle this szenario correctly. So I downloaded that version and
tried to configure it. Sady the required combination of settings is not
allowed. When I select "Local Authentication Certificate" & "XAUTH + RSA" &
my imported certificate I always get an yellow exclamation mark indicating,
that the I my config does not provide an certificate. Switching back to RSA
only everything is error free again.
Can you tell me what is going wrong here and if I can expect a corrected
version.
Thanks in advance and best regards.
Markus
Tunnel Established but cannot Ping or use ARD
Tunnel Established but cannot Ping or use ARD
by rooney1111 on 2008-04-15 15:32:12 +0200
Am using 10.5.2 and IpSecuritas 3.1. It's just stopped working - I get a
Green connection but cannot Ping the remote network nor use ARD. A
colleague has no problem with a similar configuration.
Re: Tunnel Established but cannot Ping or use ARD
by artemide on 2008-04-17 23:58:05 +0200
I am having the same issue. OSX 10.5.2, IPSecuritas 3.1, the tunnel is active
on both sides, but I can not ping.
The other end is Smoothwall Advanced Firewall 2008.
by rooney1111 on 2008-04-18 11:28:37 +0200
My remote unit is a ZyXEL ZyWALL - it all works fine from my Mac but not
my colleagues but as far as we can tell the setup is identical. He has deleted
and reinstalled IPSec - still no ping
by artemide on 2008-04-18 15:06:44 +0200
I have a support contract with smoothwall, so I opened a case with them. I
think the problem is with IPSecuritas, but they are pretty good at tracking
down issues. I'll let you know what they find.
by thorlock on 2008-04-24 12:43:23 +0200
@artemide: could the Smoothwall team help you solve this issue? I'm in a
similair situation and it's driving me nuts...
Anyone else have any ideas? Thanks a bunch.
by artemide on 2008-04-24 17:34:01 +0200
not yet, they sent me some screen shots they had from someone that did
get it working and it was somewhat of a help.
It seems like even though both sides think the tunnel is up it is really not.
The IPSecuritas side sees an invalid ID. But I can't figure out what the
problem is because the tunnel does come up.
I just sent the smoothwall teem some screen shots and some log files. I am
hoping to hear back from the soon.
This is very frustrating.
On a different note I sent an email to IPSecuritas and have received no
response as of yet. I am even trying the trial version of VPN Tracker .. and
that crashes ... joy
by rooney1111 on 2008-04-24 22:29:38 +0200
Don't know if this helps but I have been out of office on client's sites the
past couple of days and wasn't even able to 'go green' with IPSecuritas. Now
I'm back in my office everything is OK again so could the issue be with the
local firewall?
by thorlock on 2008-04-25 09:24:02 +0200
@artemide: Alright, no possibility that you could post those screenshots
provided from the Smoothwall team? Thanks.
@rooney1111: yeah, I think it might be an issue with some local firewall in
some specific cases, but I doubt it is an firewall issue when the connection
goes green and everything seems to be up and running according to the
logs!
by benjconrad on 2008-04-25 12:21:45 +0200
Specifically with Smoothwall, you should check the Zone Bridging options.
You need to allow bi-directional traffic from IPSEC to Green. If you do not,
then you get the exact problem you describing - tunnel is up, but no traffic
can pass.
by artemide on 2008-04-25 14:59:20 +0200
[quote author=benjconrad link=1208266332/0#8
date=1209118905]Specifically with Smoothwall, you should check the Zone
Bridging options. You need to allow bi-directional traffic from IPSEC to
Green. If you do not, then you get the exact problem you describing tunnel is up, but no traffic can pass.[/quote]
yes I know thank you though. I have about a dozen other connections, ipsec
subents and L2TP road warriors all working, the problem is on the
IPSecuritas side and with my keys. It seems to be having problems verifying
the keys.
I will post everything I have.
edit: I have a zip file to post of screen shots and log files .. but .. and this is
going to sound stupid but .. can I post it here? Or do I need to through it on
my web server and give a link?
by artemide on 2008-04-25 23:17:03 +0200
It seems that the Keys need to had the ID value set in them, and the ID has
to be the address of the server ( either IP or FQDN, then then also needs to
be the ID of the endpoints as well.
I am trying with 2 new keys, both with IDs set and I am specifying them on
both sides, so I imported both keys on the OSC side . the tunnel comes up
and with much less warnings on the SW side. I also get different errors now
on the Mac side
inappropriate sadb acquire message passed.
unknown informational exchange received
VPN-1: connect ok, problem: office mode/mode_cfg
VPN-1: connect ok, problem: office mode/mode_cfg
by marcz on 2008-04-17 13:07:16 +0200
Hi,
i am trying to connect a corporate network (Checkpoint VPN-1).
I exported the profile from the windows machine. it looks like this:
[code](HTTPS_COMPANY
:attributes (
:description ("blabla")
:read_only (true)
)
:options (
:force_udp_encapsulation (false)
:support_ip_assignment (true)
:support_tcp_ike (false)
:sr_route_through_gw (true)
:support_tcpt (true)
:ps_ha_scheme (no_ha)
)
:site (company_blabla)
:gateways (
: (somecompany.somenetwork-fwblabla
:name (somecompany.somenetwork-fwblabla)
:ipaddr (111.111.111.111)
:active (true)
)
)
:policy_servers (
: (somecompany.somenetwork-fwblabla
:name (somecompany.somenetwork-fwblabla)
:ipaddr (111.111.111.111)
:active (true)
)
)
)
[/code]
i configured ipsecuritas like this:
General:
FirewallIP: 111.111.111.111
Local Modus: dropdown is greyed out "MODE-CFG is enabled. lokal ip is
retrieved from firewall"
Remote Endpoint "Everywhere"
Phase 1:
10 min
1024(2)
3DES
SHA-1
Main
Obey
16
Phase 2:
10 Minutes
768 (1)
Enc: DES, 3DES, AES 256, AES 192, AES 128
Auth: HMAC MD5, HMAC SHA-1
ID:
Re: VPN-1: connect ok, problem: office mode/mode_c
by marcz on 2008-04-19 16:50:21 +0200
Noone able to help?
I already had a look at the commercial software vpn tracker, too.
but unfortunately vpn tracker supports no mode_cfg/office mode with
checkpoint vpn, too.
Re: VPN-1: connect ok, problem: office mode/mode_c
by marcz on 2008-04-24 20:59:59 +0200
bump
One hour timeout
One hour timeout
by Frank_Renner on 2008-04-21 10:08:24 +0200
Hi,
I have a problem with connecting to a client site. Everything works fine, but
after exactly one hour the connection does not work anymore. Although I
strongly assume that this is a problem with some timeout in the firewall at
the client site, I want to know if it is possible that the problem may be
caused on my side. I have MacOS X 10.5.2, IP Securitas 3.1 and no firewall
enabled on my Mac. Did anyone else experience this behaviour?
Thank you,
Frank Renner
Re: One hour timeout
by Cucumber on 2008-04-23 03:59:25 +0200
Howdy,
i have the same problem (same version of OSX and IPS). IPS thinks it is still
connected (green dot). but all communication abruptly stops after an hour.
i'm connecting to a NetScreen 5GT.
same thing happens if i use IPS 2.2
\\//_
What can we do? Accept fate?
by benjconrad on 2008-04-25 12:19:12 +0200
I had this problem before, connecting IP Securitas on Tiger to a Smoothwall
Firewall.
On that firewall, where you set up the IPSEC Roadwarriors, there is a "Key
Life" setting, which by default was 60 minutes. The key is presumably
supposed to be reissued in some way, but I couldn't work out what was
wrong, so in the end just increased the key life setting to 360 - 6 Hours
being more than enough for the users.
Not sure how much this information helps, but there should be a setting on
the firewall you are connecting to, rather than on IP Securitas.
by kamikaze2112 on 2008-05-08 20:59:18 +0200
I am having the exact same issue. After an hour, everything drops but the
tunnel says it's still up. I am running Leopard 10.5.2, IPSecuritas 3.1, and a
Linksys RV042 with the latest firmware. I have a pretty good feeling that
it's the Phase 2 key that's not being renewed properly. I've bumped the
phase 2 key life to 28800 seconds (8 hours) to see if it helps.
Hopefully we can get a fix for this issue.
To add another weirdness which makes it difficult to convince the client
about his firewall doing wrong: others are connection to the same firewall
without any problems (with the same version of MacOS, IPSecuritas and the
same settings of course). So the issue might have something to do with the
Mac settings as well...still not solved on my side.
by cnadig on 2008-05-09 12:51:00 +0200
Hello,
it is possible that the rekeying is initiated by the firewall shortly before the
first key expires after the specified life time (probably one hour). This could
be problematic if your client is behind a NAT router or a firewall.
Try lowering both life times to a smaller value, say 30 minutes instead of
one hour.
Hope this helps,
Christoph
by kamikaze2112 on 2008-05-14 18:20:05 +0200
I tried decreasing the Phase 2 lifetime to 1800 seconds (30 min) but left the
phase 1 lifetime at 28800 seconds (8 hours). All this did was caused the
traffic to come to a halt after 30 minutes instead of the original hour. I've
just tried setting both phases to 30 minutes to see how that affects things,
and I'll update this post with my findings.
Update: with both phases set for 1800 seconds, the pings stopped after 30
minutes. I don't think this is a problem with my VPN router. it's possible
that the NAT router that the client is behind could be the culprit, but I
doubt that's the case.
by Ingo on 2008-06-06 11:19:39 +0200
I'm seeing exactly the same problem with IPSecuritas 3.1 on Leopard
connecting to a Checkpoint VPN-1. This seems to be a Leopard problem, as
the same configuration works flawlessly with IPSecuritas 3.1 on Tiger.
VPN on only one interface
VPN on only one interface
by swhitman on 2008-04-29 23:28:52 +0200
I have IPSEC working on the wireless interface. When a cable is attached to
the ethernet and the wireless is turned off, networking does not work
unless I turn off IPSecuritas. How do I setup IPSecuritas so that it is only
active for the wireless interface?
Problems with CISCO VPN
Problems with CISCO VPN
by MBC on 2008-04-30 15:51:25 +0200
Dear friends,
I have a big problem using IPSecuritas with my company firewall CISCO. The
problem is, that IPSecuritas wanted a preshared secret and my company is
not working with this. We are working with a group name and group
password and then with personal name and personal password. How can I
solve this problem and configurate IPSecuritas?
Thanks,
Michael
Can anyone hand-hold my newbie setup?
Can anyone hand-hold my newbie setup?
by slightly on 2008-05-02 14:53:05 +0200
Hi
I've never set up a VPN before, although I have used IPSecuritas to connect
at a previous employer.
So, any help or advice would be hugely appreciated!
I'm trying to connect my home 10.5 Powerbook running IPSecuritas to a
Linksys RVS4000 VPN router/firewall at work. So it's a host-to-network
connection.
The RVS4000 is at [b]68.167.x.x[/b].
It creates a private network of [b]192.168.1.0/24[/b].
My home Mac is at [b]74.66.y.y[/b]. (Cable internet, dynamic IP, but it
should be the same address for a while.)
Its private address is [b]192.168.0.103[/b], within a [b]192.168.0.0/24[/b]
network. (Served by a D-Link EBR-2310 with IPSec passthrough enabled.
L2TP and PPTP are not passed through. I'm also connected to an interim
Airport Express, if that makes any difference.)
Here's what I have set up on the router's tunnel configuration:
[b]Local Security Gateway type: IP Only
IP address: 68.167.x.x.
Local security group type: IP addr.
IP address: 192.168.2.1[/b]
First question: is that "192.168.2.1" sane? I'm guessing that what this refers
to is the IP address that my Mac will be assigned once within the local
network, and I don't want it to clash with the existing subnet. Is that
correct?
[b]Remote Security Gateway Type: IP Only
IP address: 74.66.y.y.
Remote security group type: subnet
IP address: 192.168.0.103
Mask: 255.255.255.0
Key mode: IKE/preshared
Phase1:
Encrypt: 3DES
Authenticate: MD5
Group: 768-bit
Life: 28800 secs
Phase2:
Encrypt: 3DES
Authenticate: MD5
PFS: Enable
Key: *******
Group: 768-bit
Life: 28800 secs[/b]
Now, on IPSecuritas:
[b]Remote IPSec device: 68.167.x.x
Local Endpoint mode: Host
Remote Endpoint mode: Network
Phase1:
Life: 28800 secs
XAuth doesn't honor the IP handed out by server
XAuth doesn't honor the IP handed out by server
by signal15 on 2008-05-05 21:54:12 +0200
It's sending the packets with a source address of the one physically
assigned to my local interface, not the one that I'm handing to it via an IP
Pool for XAuth. Is there a way to change this behavior?
I noticed I can optionally hard set the IP address under the "General" tab,
and I can assign a static to each user in the firewall via Xauth options. This
would probably work, however, it would be nice to avoid that extra config
especially for multiple users.
I am assuming since it's not honoring the IP I'm handing it, it probably
doesn't take the DNS servers I'm giving it either.
Re: XAuth doesn't honor the IP handed out by serve
by Forum Admin on 2008-05-05 22:13:20 +0200
Hello,
XAuth doesn't provide a way to handing out IP addresses or other client
configuration. Please try enabling MODE_CFG, which was meant for this
purpose. Please note that MODE_CFG was never officially released as a RFC,
therefore there are many different proprietery implementations. So it might
or it might nor work. In the latter case, I'd be very interested to make the
necessary software changes to support your firewall's implementation. Let
me know.
Hope this helps,
Christoph
Re: XAuth doesn't honor the IP handed out by serve
by signal15 on 2008-05-05 22:31:30 +0200
Works! Thanks!
FYI, this is on a Juniper SSG5 running ScreenOS 6.0r2.
Fortigate-100
Fortigate-100
by anev on 2008-05-06 16:12:20 +0200
Hey,
I've been trying to set up a VPN connection to my office with little success.
The logs show the following;
May 06, 14:35:04 Info
APP System wake up event received
May 06, 14:36:00 Info
May 06, 14:36:00 Info
APP Smart Environment Detection: Off,
reconfiguration
May 06, 14:58:24 Info
May 06, 14:58:24 Info
May 06, 14:58:24 Info
APP IPSec started
May 06, 14:58:24 Info
May 06, 14:58:24 Info
May 06, 14:58:24 Info
May 06, 14:58:24 Info
And doesn't get much further than that. Does anyone have a config they
should send me for a Fortigate-100? If necessary, I can post the details
here re our set up.
Kind Regards,
A
Re: Fortigate-100
by cnadig on 2008-05-06 18:06:39 +0200
Hello,
this looks like no negotiation is started at all. Do you get a red dot next to
the connection name in the main window? If so, what does it say when you
hover your mouse pointer over it?
Cheers,
Christoph
Re: Fortigate-100
by anev on 2008-05-06 20:26:47 +0200
When i hover the mouse above it, it says "connection definition error". I'm
assuming then I have done something wrong during the configuration
process. I can export the connection settings and paste them if if it helps?
Re: Fortigate-100
by cnadig on 2008-05-07 11:30:17 +0200
Hello,
please open the connection manager and hover the mouse over the
exclamation mark symbol next to the connection. This will show a list of
things to correct in the connection.
Hope this helps,
Christoph
Problems on Mac OSX V10.4.11
Problems on Mac OSX V10.4.11
by dash on 2008-05-07 14:56:43 +0200
IPSecuritas will connect to our firewall (Juniper SSG-20 with V6.1 firmware)
automatically after restarting the Mac, but after closing the connection it
will fail when you try to start the connection again. It will work sometimes,
but mostly you have to restart the laptop to get it to work.
Also, I have the connect on startup checkbox unchecked in the IPSecuritas
preferences, but it connects anyway when you restart the Mac.
The laptop is a MacBook Pro 15" with Core 2 Duo, 2.16GHz and 1GB
memory.
Thanks,
Darren
Re: Problems on Mac OSX V10.4.11
by dash on 2008-05-12 03:21:25 +0200
Anyone else with this problem on Tiger?
SHA-2 support for phase 1 negotiation?
SHA-2 support for phase 1 negotiation?
by hori on 2008-05-07 15:48:00 +0200
Is there any possibility to to manually edit the configuration files that are
created by ipsecuritas? I need SHA-2 support during the phase 1
negotiation but ipsecuritas only offers MD5 and SHA-1.
As far as I know racoon supports SHA-2.
Re: SHA-2 support for phase 1 negotiation?
by cnadig on 2008-05-09 12:53:24 +0200
Hello,
racoon indeed supports SHA-1 with different hash sizes. I will add support
for this (unfortunately I can't see a way to edit the configuration files to
support this). What about SHA-2 in phase2 (raccon does support it, not so
sure whether MacOS X does as well)?
Cheers,
Christoph
by hori on 2008-05-13 12:08:28 +0200
Hello,
I cannot find any information if the Mac OS kernel supports IPSec in
conjuction with SHA-2. I hope it does because the userspace tools racoon
and setkey do so. And they are delivered by Apple.
Regards, Holger
by cnadig on 2008-05-13 13:40:02 +0200
Hello,
I had a look at the kernel and it offers support for SHA-2 (which are
officially called SHA-256, SHA-384, SHA-512, since there are variations
with different digest lengths) for phase 2 too. SHA-224 is not supported by
neither racoon (phase 1) nor the kernel (phase 2).
I will add support for those hashes to both phases.
Cheers,
Christoph
NAT issues
NAT issues
by rjzzleep on 2008-05-15 10:44:21 +0200
Hello,
At work we have a wireless router connected to our internal network. Now
when i use ipsecuritas from within my home router everything works fine,
however, when i try to connect to the vpn from the public wlan at work i
can't connect anymore.
I don't have the logs handy but i just wanted to let you know that replacing
the racoon version inside the ipsecuritas bundle with the stock 10.5.2
version of racoon solves everything.
Also would it be possible to add an option launch the menu item and the
daemon whenever i plan to connect to the vpn?
Either way thanks for ipsecuritas.
IPSecuritas and Smartcard?
IPSecuritas and Smartcard?
by TauTau on 2008-05-19 12:28:10 +0200
Hi,
I will receive my MacBookPro soon, and it will replace a Windows Laptop
then. Until now, I used the Checkpoint-1 Client with Nexus Software and a
Smartcard containing my certificate to access company network. Is there
some way to get this working with IPSecuritas? What would I use to handle
the smartcard?
Lars
Launch2Net, IPSecuritas and Zywall 2 Plus
Launch2Net, IPSecuritas and Zywall 2 Plus
by winnall on 2008-05-21 02:24:32 +0200
I have managed to get a VPN up and running from my MacBook Pro running
Mac OS X 10.5.2 through to my Zywall 2 Plus firewall. I'm using IPSecuritas
3.1 together with Launch2Net, which drives a Novatel Merlin XU870 HSDPA
card.
I would have liked to have perfectly clean log files, but I get the impression
from googling around that certain suspicious-looking log entries in the
IPSecuritas log are normal, e.g.
[i]Warning IKE ignore INITIAL-CONTACT notification, because it is only
accepted after phase1.
ESP <Zywall-IP>[500]-><Laptop-IP>[500]
Error IKE inappropriate sadb acquire message passed.[/i] etc.
Similarly, I get an error in the Zywall log which is well-documented but
doesn't seem to have a solution:
[i]Receive IPSec packet, but no corresponding tunnel exists[/i]
At the basic TCP/IP level I have a functioning connection from my laptop to
my Zywall (as an endpoint).
However, IPSecuritas has not set up my local DNS server although I made
what I think is an appropriate entry under the DNS tab in the connections
dialogue. I am not the first person to report this: is it still a known bug, or
should I go back and look at it again? The result is that I have to use IP
numbers all the time, which is obviously not nice. I tried adding the address
of the DNS server to the Network configuration in System Preferences, but
that did not help.
Bonjour doesn't seem to work across the VPN either (measured with Bonjour
Browser). I have a number of services on my Linux servers advertised with
Avahi, which show up in Bonjour on my local Macs but don't make it across
the VPN to my laptop. As far as I can tell, the VPN places no restrictions on
packets transfered from the LAN to the VPN so I don't understand why
Bonjour doesn't work.
If anyone can help me with these problems, I'd be very grateful.
Other things I want to do later are to make my AFP and NFS mounts visible
(using Avahi/Bonjour). I know some of the issues there, but if anyone has
an hints, I'd would also apppreciate that.
Steve
Re: Launch2Net, IPSecuritas and Zywall 2 Plus
by winnall on 2008-05-23 13:19:52 +0200
Further research reveals that a VPN will not route multicast packets, so
Bonjour will not work without some extra work. This means having
something at either end of the VPN which tunnels Bonjour's multicast
packets though the VPN. There is something called mtunnel which purports
to do this, but it is no longer available at its author's site.
Why DNS doesn't work remains a mystery to me. I tried VPN Tracker too,
but DNS doesn't work with that either.
Steve
Connecting MacBook to OpenSwan on CentOs Linux
Connecting MacBook to OpenSwan on CentOs Linux
by angelocr on 2008-05-22 16:21:59 +0200
Hi to everybody here!
I am trying to access an OpenSwan Firewall with an OSX 10.4.11 MacBook
(soon to become 10.5.2). Not being so knowledgeable I have made several
attempts trying to understand settings and log results to no avail.
I get the errors:
IKE 508:error:0407006A:rsa
routines:RSA_padding_check_PKCS1_type_1:block type is not
01:rsa_pk1.c:100: 508:error:04067072:rsa
routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:707:
IKE Invalid SIG.
IKE none message must be encrypted
IKE inappropriate sadb acquire message passed.
IKE phase2 negotiation failed due to time up waiting for phase1. ESP
55.113.55.186[4500]->192.168.1.105[4500]
Beyond this, I see that IPsesuritas wisely has "suggested settings" for
several firewalls. Is there anything like that to connect to an openswan
based linux machine?
Thanks for any hint, I am eager to learn!
Angelo.
IPSecuritas
IPSecuritas
by vdubvr6 on 2008-05-28 15:54:45 +0200
Good Morning,
I have been handed a task to help an end user with VPN connectivity. I am
not familiar with this software and need some advise. Our typical user uses
//shame Windows with a CheckPoint client, anyway this user is on a direct
connected connection on a comcast home account. They connect but it
automatically puts a red dot next to the connection. What could this mean,
I'm sure a lot? Is there a log file or can I enable logging? This is a remote
machine so if I could do this from SSH that would be wonderful.
If not, is there a supplied manual.
-- Thank you
Re: IPSecuritas
by angelocr on 2008-06-03 00:24:42 +0200
I am no expert, just a beginner glad to be able to help :)
1) The red dot says that the connection had no success. So there is
something in the settings to tweak;
2) Yes, you can enable logs and see it through menus. Thay help a lot, in
fact!
3) The whole purpose of IPSecuritas is to put an user interface to make
racoon (the native IPsec of Mac & BSD) easier. I am quite sure you coud use
racoon through SSH, being geeky enough, but not IPSecuritas.
4) Yes, there is a manual included in the product.
Disclaimer: See the beginning!
How to direct all traffic through the VPN
How to direct all traffic through the VPN
by consi on 2008-06-05 10:41:33 +0200
I have successfully set up a VPN in host to network mode so that I can reach
private IPs in the remote network.
All my traffic to websites however still goes out directly instead of going
through the router in the remote network.
How can I tunnel my traffic through the remote network, either all or
selectively, perhaps on a by application basis?
Thanks!
Re: How to direct all traffic through the VPN
by consi on 2008-06-11 00:59:00 +0200
Nobody knows?
It is an option in Apple's built-in VPN client... which is lacking in other areas
though.
How can it be done with IPSecuritas?
I don't have to mention that this is vital if you want to protect your web
usage from a public hotspot.
by Forum Admin on 2008-06-11 18:47:11 +0200
Hello,
select Anywhere for the remote endpoint. However, it very much depends
on your firewall and its configuration if this is working.
Cheers,
Christoph
by consi on 2008-06-12 01:10:13 +0200
Thanks for the tip. Unfortunately with the 'anywhere' setting, my connection
lamp stays yellow, DCHP pass-through enabled or not. My os x firewall is
set to allow all incoming connections. I suppose I need to open some ports
on my router? Which are those?
by consi on 2008-06-18 10:43:44 +0200
A hint from somebody?
Certificate request import error
Certificate request import error
by domodomo on 2008-06-06 22:38:38 +0200
Hello,
I am trying to import a DER request file I generated in IPSecuritas's
Certificate Manager, into Windows Server Certificate Authority.
When I import the submit the request to windows CA I get a 'ASN1 bad tag
value met. 0x8009310b (ASN: 267)' error.
Does anyone know what this is about?
Thanks,
Ian
Help with Nortel 1800/2800
Help with Nortel 1800/2800
by enygma on 2008-06-07 13:42:47 +0200
Has anyone had any luck setting up a connection (user/pass auth) on a
Nortel 1800 or 2800 remote vpn machine? I've been messing with settings
for a while now and I can't seem to get it. Any help would be appreciated!
Local-Network to Remote-Network
Local-Network to Remote-Network
by LinkNet on 2008-06-08 03:21:45 +0200
Hi,
I have used, very successfully, IPSecuritas to connect a single
machine (my MacBook Pro) in host mode to a remote network.
Great job, Christoph, and many thanks. I particularly enjoy
using an ExpressCard to access the Internet via cellular broadband.
I also use Airport to access WiFi broadband.
IPSecuritas is working great as an "emulator" of the [b]hardware[/b]
Linksys BEFVP41 VPN client that I have used for years and that
I hope to be able to leave at home (in honorable retirement) for
the rest of its days.
Unfortunately, there is one (very important) case that forces me
to still travel with the Linksys BEFVP41 VPN client (and to find
hotels that have wired Internet access, to be able to connect
the Linksys's WAN port to the Internet). If you could please
help me solve this challenge, it would be wonderful. Specifically:
For local printing via VPN (using a print server at the remote
network and an HP LaserJet as a networked printer next to my
MacBook Pro), I have not found a way to configure IPSecuritas
to connect a local "network" (consisting of the LaserJet, directly
connected to the Ethernet port of my MacBook Pro) to the remote
network.
Please recall that I prefer to use an ExpressCard to access the Internet
via cellular broadband (or Airport to access WiFi broadband).
So, in these two cases, I have the Ethernet port available for the
LaserJet. How can I connect the Ethernet "network" (consisting of
just the LaserJet in this case) to the remote network via IPSecuritas
(connected to the remote network via an ExpressCard or via
Airport)?
On page 10, the IPSecuritas Manual does not explicitly say how
to connect a local network -- unless I am missing something:
------------------------------------------------------------------------[b]Local Side[/b]: This determines whether you want to connect a single
machine (Host), one (Network) or multiple (Networks) local
networks to the remote end. Most usually you connect a single
machine.
In Host mode, you may define a virtual local IP address. All traffic
sent to the remote end will have this address as the sender address. If
you leave the field empty, the address of the default network
interface is used instead. Please clarify this with your system
administrator if in doubt.
-------------------------------------------------------------------------
How do you define the meaning of "the default network interface"?
Thank you.
Re: Local-Network to Remote-Network
by Forum Admin on 2008-06-09 23:08:19 +0200
Hello,
I'm not sure if I understand your setup completely. If I understand you
correctly, you are travelling with your printer, which is attached to your
MBP's ethernet port. The print server, however, is not on your machine but
in the remote network that you access through the VPN (basically, sending
the print job through the VPN twice). Is this correct?
Cheers,
Christoph
Re: Local-Network to Remote-Network
by LinkNet on 2008-06-18 19:33:24 +0200
... If I understand you correctly, you are travelling with your printer, which is
attached to your MBP's ethernet port. The print server, however, is not on
your machine but in the remote network that you access through the VPN
(basically, sending the print job through the VPN twice). Is this correct?
Cheers,
Christoph[/quote]
Your interpretation is correct, but the print job does not go through the
VPN twice. The print job does not originate on my Mac: It originates on a
remote print server, which just blasts it to a given IP address of my choice
(which happens to be a printer on the "corporate" network when I am at
home, or a printer on my "hotel network" when I am on the road). I issue
commands from my MBP to the print server via a specialized variant of the
Telnet protocol.
Here is a specific example. Let's assume the following addresses, which
work great when I specify an Endpoing Mode of "Host" for the [b]local[/b]
side:
The Cellular broadband ExpressCard assigns some public address to my
MBP: 111.122.133.144.
My MacBook Pro's VPN IP Address, as specified in "IPSecuritas
Connections=>General Local Side Endpoint Mode := Host" is
192.168.202.17.
So far, so good. I can connect from my MBP to the remote network via the
IPSecuritas VPN tunnel (and any host from the remote network can access
my MBP, using 192.168.202.17, via the IPSecuritas VPN tunnel) without any
problem.
Now, the challenge: If I set "IPSecuritas Connections=>General Local Side
Endpoint Mode := Network" (with specifications along the lines of
192.168.202.17 / CIDR 24 -- and I have tried several kinds, including
192.168.202.0) I get a lot of debugging log entries (which I'll be happy to
email to you) but no connection ever happens.
If I simply change the local endpoint mode back to "Host", IPSecuritas
immediately connects and all is well.
The printer's manually-configured IP address is 192.168.202.22. I would
love to be able to -- somehow -- "include" the printer as part of the VPN
tunnel as established by my MBP via IPSecuritas.
I use this printer all the time when I travel with the Linksys BEFVP41 VPN
client, which connects to the remote network via its WAN port and handles
up to 4 local hardwired Ethernet addresses (my MBP, with 192.168.202.17,
the printer, with 192.168.202.22, and up to two other machines, if I wish to
do so).
With the Linksys VPN client, I am forced to use a hardwired Ethernet
connection to the Internet. With IPSecuritas, I can use Cellular broadband
with my Express card, or I can use WiFi. IPSecuritas is obviously better.
Thanks!
Juniper Netscreen isg-1000 support
Juniper Netscreen isg-1000 support
by jarlt on 2008-06-19 01:53:10 +0200
Does ipsecuritas support the Juniper Netscreen isg-1000? I am unable to
connect.
Here is the log:
Jun 18, 16:23:23 Info
Jun 18, 16:23:23 Info
Jun 18, 16:23:23 Info
APP IPSec started
Jun 18, 16:23:23 Info
Jun 18, 16:23:23 Info
Jun 18, 16:23:23 Info
Jun 18, 16:23:23 Info
Jun 18, 16:23:24 Info
APP Initiated connection MLML
Jun 18, 16:23:24 Warning IKE No ID match.
Jun 18, 16:23:24 Info
Jun 18, 16:23:25 Error IKE fatal NO-PROPOSAL-CHOSEN notify
Jun 18, 16:23:25 Error IKE Message: '] '.
Jun 18, 16:23:30 Error IKE fatal NO-PROPOSAL-CHOSEN notify
Jun 18, 16:23:30 Error IKE Message: '] '.
Jun 18, 16:23:30 Info
APP IPSec stopping
Jun 18, 16:23:31 Info
Jun 18, 16:23:31 Info
APP IPSec stopped
Jun 18, 16:26:25 Info
Jun 18, 16:26:25 Info
Jun 18, 16:26:25 Info
APP IPSec starting
Jun 18, 16:26:25 Info
APP Smart Environment Detection: Start
Jun 18, 16:26:25 Info
Jun 18, 16:26:25 Info
Jun 18, 16:26:25 Info
Jun 18,16:26:25 Info
Jun 18, 16:26:26 Info
Jun 18, 16:26:33 Info
Jun 18, 16:26:40 Info
Jun 18, 16:26:47 Info
Jun 18, 16:26:51 Error IKE sendfromto failed
Jun 18, 16:26:54 Info
a3aa741a87214ef9:0000000000000000
Re: Juniper Netscreen isg-1000 support
by cnadig on 2008-06-19 08:49:21 +0200
Hello,
I'd expect it to as I made good experiences with other models and I'd
imagine Juniper is using the same IPSec software for all of their models.
In the log you attached I can see that the phase 1 proposal is not accepted
by the firewall - most probably a detail is different on both sides (like
encryption, authentication or ID setting). Please verify the settings of
firewall and IPSecuritas exactly.
You may also send me a log with log level set to Debug to
[email protected] and I will probably be able to help you further
(please make sure to strip confidential information like IP address and IDs
from the log)
Cheers,
Christoph
Re: Juniper Netscreen isg-1000 support
by jarlt on 2008-06-20 01:06:39 +0200
I made configuration changes that enabled me to connect: Phase 2 PFS
None (was 1024 (2)), and Options
disable NAT-T. I can now connect to a single network.
Connecting to multiple networks fails with "msg 5 not interesting"
IPSecuritas and IPComp (LZS)
IPSecuritas and IPComp (LZS)
by rodknocker on 2008-06-21 12:16:41 +0200
Hello,
i would like to use IPSecuritas with IPCOMP (LZS), but I think in the gui there
are no possibilities for settings.
Are there ways to use IPCOMP in IPSecuritas?
Many thanks in advance ;)
Best greetings
David
Re: IPSecuritas and IPComp (LZS)
by cnadig on 2008-06-23 10:35:26 +0200
Hello,
the kernel of MacOS X only supports the deflate compression method, LZS
and OUI are not supported. IPCOMP deflate is therefore always enabled by
IPSecuritas.
Cheers,
Christoph
VPN always "on," would like to be prompted for pwd
VPN always "on," would like to be prompted for pwd
by blst on 2008-06-24 00:12:25 +0200
IPSecuritas is great, but I can't seem to figure out how to make it ask you
for your VPN password rather that your connection always being available.
Is this possible?
Thanks so much!
IPSecuritas, Netgear FVS318v3, AEBS, and NAT-T
IPSecuritas, Netgear FVS318v3, AEBS, and NAT-T
by filterban on 2008-06-24 05:20:47 +0200
I finally got my Netgear FVS318v3 VPN to work with IPSecuritas 3.1,
Leopard, and an Apple Airport Extreme Base Station.
My network looks like this:
MacBook (IPSecuritas) 10.0.1.2 ---> AEBS ---> |||| INTERNET |||| --->
Netgear FVS318v3 ---> Servers (192.168.0.X)
For the most part, the default instructions worked, but I was running into a
problem where IPSecuritas would say it was successfully connected (green
light) but I was unable to ping my servers.
Here's what I found:
1) The client comp has to have a fixed IP behind the AEBS. This is easy to
set up in your Airport Settings - just assign a specific IP (in my case
10.0.1.2) to your Mac by DHCP Client ID.
2) Set up everything else as described in the manual, except in IPSecuritas,
be sure to DISABLE "NAT-T".
Once I did that, everything worked like a charm.
Thanks for the great software... this is really neat stuff. One more thing...
this was with the latest FVS firmware of 3.0_26.
Export connections requests import password
Export connections requests import password
by jarlt on 2008-07-01 23:34:58 +0200
I have 5 connections. When I exported the first one I was asked for an
import password, and put one in. I can not export any additional
connections because I now get "Missing Import Password Please enter an
import password for the exported connection." This is regardless of what I
type in to the the Import password field. -Sidebar- the reason I have 5
connections is because I can not connect with Networks having more than 1
entry. I do not see any docs on Export.
Thanks
Re: Export connections requests import password
by cnadig on 2008-07-03 13:13:00 +0200
Hello,
please download a prerelease of 3.2 from here:
www.lobotomo.com/products/downloads/IPSecuritas32b1.dmg
The included Readme lists the enhancements and new features. Feedback is
welcome!
Cheers,
Christoph
by jarlt on 2008-07-03 19:35:04 +0200
Thanks. I downloaded and installed. The Export works. The multi
networks in connections is buggy. I am connecting to a Juniper ISG-1000.
I have networks: 192.190.45.0/24, 198.189.27.0/24, 205.155.73.32/27,
205.155.73.128/27, 205.155.74.0/24 and 205.155.75.0/24. If I just have
the 192.190.. and 198.189.. I can connect but if I add all 6 networks the log
shows that there are 3 networks configured and I cannot connect them and
the status light is red.
Here is the log
Jul 03, 10:27:09 Debug APP All connections authenticated
after event START
Jul 03, 10:27:09 Info
Jul 03, 10:27:09 Error APP Connection MLML 27-45 is not started
because no route to remote host was found
Jul 03, 10:27:09 Info
Jul 03, 10:27:09 Info
APP IPSec started
Jul 03, 10:27:09 Info
Jul 03, 10:27:09 Info
Jul 03, 10:27:09 Info
Jul 03, 10:27:09 Info
Jul 03, 10:27:09 Info
Jul 03, 10:27:09 Debug IKE open /Library/Application
management.
Jul 03, 10:27:09 Info
Jul 03, 10:27:09 Info
Jul 03, 10:27:09 Info
Jul 03, 10:27:09 Debug IKE 02120200 02000000 00000000 46080000
directory
by cnadig on 2008-07-04 13:19:31 +0200
Hello,
what does the tooltip say when you hover the mouse over the red dot?
Cheers,
Christoph
by jarlt on 2008-07-07 20:14:43 +0200
I connected this morning and the dot is green and the mouse over is
connected. When I attempt to connect to a server on the 192.190.45.0/24
network it fails. I'll send you the connection log.
Thanks
by jarlt on 2008-07-07 20:22:19 +0200
I am getting "msg 5 not interesting" when I attempt to connect to servers
on the different networks. When I use the connection for the individual
network I am able to connect.
odd issue
odd issue
by tmcnicho on 2008-07-02 21:40:01 +0200
I hadn't used IPSecuritas in a while, had since updated to 10.5.3. Went to
connect and it just sits there doing nothing. I've found troubleshooting that
if change the remote settings from "network" to "anywhere" it connects just
fine, but then of course sends ALL my traffic down the tunnel. Any ideas
here?
I'm connecting a checkpoint vpn.
Thanks,
Tom
Re: odd issue
by tmcnicho on 2008-07-02 22:10:47 +0200
OK...
maybe my notation is just way off here.
I was previously using 172.16.0.0/12 as the remote side.
if i define the networks on the other end i need to connect to manually, it
works fine.
such as.
172.16.19.0/24
172.16.225.0/24...
etc.. I have previously used 172.16.0.0/12 without a problem... :|
tom
Re: odd issue
by dbc on 2008-07-03 04:23:48 +0200
172.16.0.0/12
is the same as 172.0.0.0/12, as the /12 specifies a netmask of 255.240.0.0
I suspect you mean 172.16.0.0/16
which would be a netmask of 255.255.0.0
-dave
Works wired, fails wireless
Works wired, fails wireless
by dbc on 2008-07-03 03:33:56 +0200
Search did not turn up any similar problems.
IPsecuritas 3.1 on OS X 10.4.11, Netgear FVS318r3
I configured and tested everything perfectly well through the wired Ethernet
port.
Today I tried with Airport for the first time. IPSecuritas came right up to the
"green ball" stage with no hitches. But.. no connectivity either. Could not
ping my home network or the router. Yet, I come back to the wired
network and IPsecuritas works perfectly. All the time on wireless,
IPSecuritas is perfectly happy to start and stop and the log messages are all
normal, as far as I can tell. Yet, no pings back to router.
Is there something that needs to be configured differently? Clearly from the
log messages IPSecuritas is finding the wireless network and is connecting
to the Netgear box without any problem. Yet no traffic flows that way.
My home network is a 192.168.0.0/24 network, and the wireless network
that I was on served a DHCP address from the 192.168.1.0/24 range. So,
there should not be a conflict there since both networks use netmask
255.255.255.0.
IPSecuritas is configured to tunnel traffic to 192.168.0.0/24 only. All other
traffic was going out correctly. Again, IPSecuritas appears to think it is
working correctly, but doesn't seem to pass any traffic.
Re: Works wired, fails wireless
by dbc on 2008-07-04 18:12:20 +0200
Update: This appears to be a problem with the hot spot infrastructure, not
ipsecuritas, but hopefully people here can shed some light on what may be
happening.
After reading the documentation, it seems that when you get a "green ball
connect" but no traffic passes that it is a symptom of NAT traversal
problems. My original configuration was set for "enable" NAT-T. I created
another configuration set for "force" NAT-T.
Also, I went to another hot spot to test, and both the "enable" and "force"
NAT-T configurations worked perfectly. At the problematic hot spot, both
the "enable" and "force" configurations gave a "green ball connect" but
would not pass traffic. At this point, I suspect that there is some
configuration issue in the hot spot, and would like to help diagnose the
problem there. What should I look for? There are several boxes in the path,
a wireless access point of course, and also a firewall box. Something
somewhere is serving DHCP addresses. What can I do to provide additional
diagnosis?
by Forum Admin on 2008-07-05 12:41:17 +0200
Hello,
I public hotspots you will usually need NAT-T. IPSec traffic is transported in
ESP packets, which is not NAT aware (incoming ESP packets cannot be
uniquely assigned to a host in a NATed network, which hotspots usually
are. Some NAT routers will send incoming ESP packets to the host that last
sent out an ESP paket, problematic if you are not the only user using IPSec
in this hotspot. Other router do not pass on ESP at all or it is disabled by its
oprator).
NAT-T encapsulates the ESP traffic in UDP packets, which is NAT aware and
incoming traffic can be assigned to the right host by any router.
Please note that the firewall you connect to needs to support NAT-T (not to
be confused with IPSec pass-through).
The reason why you get the greed dot but cannot connect to any remote
host is that the tunnel could be established successfully (the tunnel
negotiation is done with UDP as well), but traffic is silently dropped by the
hotspot.
Hope this helps,
Christoph
by dbc on 2008-07-05 18:29:20 +0200
Yes, that helps, it clarifies a lot. I'm still unclear on what may be causing the
packets to be dropped by the hot spot. With NAT-T enabled, how does the
tunnel negotiation traffic differ from payload traffic? It would seem that the
hot spot is dropping the payload UDP packets but passing the negotiation
UDP packets.
by Forum Admin on 2008-07-10 10:15:00 +0200
Hello,
this depends on the NAT versions that your firewall supports, but basically
there is not a lot of differences. In some NAT versions, the UDP port is
different between IKE (connection negotiation, ports 500 and 4500) and
payload (a free port number agreed on during connection negotiation).
If you can establish a connection but payload is blocked, chances are high
that no NAT-T was agreed even if NAT-T was forced in IPSecuritas. The
best way to check this is to sniff your network traffic with tcpdump, e.g.
sudo tcpdump -i en1 (or en0 when connected with Ethernet). If the
command only shows ESP traffic going to your firewall, no NAT-T was
negotiated and your firewall most probably does not support it.
Hope this helps,
Christoph
by dbc on 2008-07-11 07:44:10 +0200
OK, very good. I will try that the next time I am at that hotspot.
by uocooper on 2008-11-25 22:01:44 +0100
Similar setup here with the same issues. 10.5.5, IPSecuritas 3.1, Netgear
FVS318v3. Airport network is on 172.16.33.x and the VPN is on
192.168.1.x. It works fine if I'm directly connected to my cable modem but
if I use an Airport Extreme (802.11 g) with firmware 5.7 it shows that it's
connected but nothing actually works. I can't ping an IP on the VPN
network. This is the Airport Extreme that looks like a white mushroom. I've
tried going through the various NAT-T options in IPSecuritas but no dice.
I've also modifying the NAT options of the basestation but it doesn't matter
how it's set. Is using this version of the Airport Extreme known to not work
with IPSecuritas or is there anything else I can try to get it working?
VPN connections with same local and remote netaddr
VPN connections with same local and remote netaddr
by TStewart on 2008-07-03 20:09:09 +0200
I have a SonicWall Pro 100 at work that I connect to from outside our LAN.
The internal private address scheme is 192.168.0.x /24. When I was first
setting up my VPN client, I couldn't connect from home, as my home
network had a matching network address scheme—192.168.0.x. I then
changed the network address to 192.168.1.x, and all has worked fine.
However, there are times when I need to connect to my work VPN from
remote networks where the local private network address matches the same
private network address as work. I have been unsuccessful at coming up
with a solution around this? Is there anything I can do? Am I just missing a
simple setting?
Thanks!
TStewart
Here are screenshots of my settings:
[img]http://www.gigafiles.co.uk/files/2130/Picture%202.jpg[/img]
Re: VPN connections with same local and remote net
by TStewart on 2008-07-09 01:01:32 +0200
Disregard! This was a kind of stupid question I asked. How can you route
between duplicate IP spaces. Doesn't work. . .
Tyler
by joostvdl on 2008-12-15 08:42:00 +0100
It isn't a stupid question. Because a lot of companies select the same
private address range for their local network. So when they need to be
connected it gives conflicts. I found that the ZyWALL Firewalls have the
option to use NAT over IPSEC (Virtual Address Mapping) to solve this
problem.
I tried it with IPSecuritas 3.1 but I could get it working. So if anyone has got
it working please let me know.
by Forum Admin on 2008-12-16 14:56:05 +0100
Hello,
there is an option to disable the address collision check altogehter in 3.2
(see latest beta). Please note, however, that using the same network locally
and remotely will hide the local network (since all traffic will be routed
through the tunnel to the remote side). Therefore, hosts (machines, printers
etc.) in the local lan will be unavailable when IPSec is active with such a
configuration.
Hope this helps,
Christoph
Run as Non-Admin user
Run as Non-Admin user
by gibbsjoh on 2008-07-10 11:43:14 +0200
Hi All,
We are hoping to deploy IPSecuritas in lieu of VPN Tracker to around 5
remote users. These users are not currently admin users on their company
laptops - and I'd prefer to keep it that way.
My question: is there any way to run IPSecuritas without needing an admin
username and password? I suspect not as it's a racoon issue from what I
can see.
I've tried using an AppleScript, using "do shell script" with the path to the
executable, and the "with administrator privileges" flag with no luck.
Any info would be much appreciated.
John
Re: Run as Non-Admin user
by cnadig on 2008-07-16 11:46:16 +0200
Hello,
it should work finde for non-admin users, you should need to enter the
admin password at first run only. However, if you run it as a non-admin
user for the first time, you'll need to reboot the machine afterwards.
Otherwise the user will be prompted for the admin password again he logs
in for the next time and runs IPSecuritas (this is due to a limitation/bug in
MacOS which we have no way to change).
Hope this helps,
Christoph
Network Collision
Network Collision
by mudiam on 2008-07-17 21:37:07 +0200
Hello,
I am trying to setup my vpn to my work and I get a red light when I connect.
Here is the log
Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007;
after event START
Jul 17, 12:21:05 Info
Jul 17, 12:21:05 Info
Jul 17, 12:21:05 Info
APP IPSec started
Jul 17, 12:21:05 Info
Jul 17, 12:21:05 Info
Jul 17, 12:21:05 Info
Jul 17, 12:21:05 Info
Jul 17, 12:21:05 Info
Jul 17, 12:21:05 Debug IKE open /Library/Application Support/Lobotomo
Software/IPSecuritas/admin.sock as racoon management.
Jul 17, 12:21:05 Debug IKE my interface: fe80::217:f2ff:fed4:dab6%en0
(en0)
Jul 17, 12:21:05 Debug IKE my interface: fe80::21c:42ff:fe00:0%en2 (en2)
Jul 17, 12:21:05 Debug IKE my interface: fe80::21c:42ff:fe00:1%en3 (en3)
Jul 17, 12:21:05 Info
Jul 17, 12:21:05 Info
IKE fe80::21c:42ff:fe00:1%en3[500] used as isakmp
port (fd=8)
Jul 17, 12:21:05 Info
Jul 17, 12:21:05 Info
IKE fe80::21c:42ff:fe00:0%en2[500] used as isakmp
port (fd=10)
Jul 17, 12:21:05 Info
Jul 17, 12:21:05 Info
IKE fe80::217:f2ff:fed4:dab6%en0[500] used as
isakmp port (fd=12)
Jul 17, 12:21:05 Info
Jul 17, 12:21:05 Info
Jul 17, 12:21:05 Info
Jul 17, 12:21:05 Debug IKE 02120200 02000000 00000000 ff110000
directory
My local network is 192.168.1.xxx
and my office network is 10.0.0.0/8
Re: Network Collision
by mudiam on 2008-07-18 07:17:01 +0200
Ok, so, I got rid of the interfaces that were conflicting.. as I was running
parallels interfaces, I disabled them, as they were in the 10. network as well.
Now I am getting a different error, Connection timed out.
Here is the debug log..
after event START
Jul 17, 22:10:52 Info
Jul 17, 22:10:52 Info
Jul 17, 22:10:52 Info
APP IPSec started
Jul 17, 22:10:52 Debug APP Received SADB message type X_SPDUPDATE not interesting
Jul 17, 22:10:52 Debug APP Received SADB message type X_SPDUPDATE not interesting
Jul 17, 22:10:52 Debug IKE Foreground mode.
Jul 17, 22:10:52 Info
Jul 17, 22:10:52 Info
Jul 17, 22:10:52 Info
Jul 17, 22:10:52 Info
Jul 17, 22:10:52 Debug IKE lifetime = 28800
Jul 17, 22:10:52 Debug IKE lifebyte = 0
Jul 17, 22:10:52 Debug IKE encklen=0
Jul 17, 22:10:52 Debug IKE p:1 t:1
Jul 17, 22:10:52 Debug IKE 3DES-CBC(5)
Jul 17, 22:10:52 Debug IKE SHA(2)
Jul 17, 22:10:52 Debug IKE 1536-bit MODP group(5)
Jul 17, 22:10:52 Debug IKE XAuth pskey client(65001)
Jul 17, 22:10:52 Debug IKE hmac(modp1536)
Jul 17, 22:10:52 Debug IKE compression algorithm can not be checked
Jul 17, 22:10:52 Debug IKE open /Library/Application Support/Lobotomo
Jul 17, 22:10:52 Info
Jul 17, 22:10:52 Info
Jul 17, 22:10:52 Debug IKE 02120000 0f000100 01000000 ed130000
03000500 ff080000 10020000 0a000000
Jul 17, 22:10:52 Debug IKE 00000000 00000000 03000600 ff200000
10020000 c0a80164 00000000 00000000
Jul 17, 22:10:52 Debug IKE 07001200 02000100 34000000 00000000
28003200 02020000 10020000 3fe55d05
Jul 17, 22:10:52 Debug IKE 00000000 00000000 10020000 c0a80164
00000000 00000000
Jul 17, 22:10:52 Debug IKE 02120000 0f000100 00000000 ed130000
03000500 ff200000 10020000 c0a80164
Jul 17, 22:10:52 Debug IKE 00000000 00000000 03000600 ff080000
10020000 0a000000 00000000 00000000
Jul 17, 22:10:52 Debug IKE 07001200 02000200 33000000 00000000
28003200 02020000 10020000 c0a80164
by mudiam on 2008-07-18 07:21:03 +0200
well, the main errors are..
Jul 17, 22:10:52 Info
APP Initiated connection Vcommerce VPN
Jul 17, 22:10:52 Debug IKE get pfkey ACQUIRE message
Jul 17, 22:10:52 Debug IKE 02060003 24000000 e9000000 00000000
03000500 ff200000 10020000 c0a80164
Jul 17, 22:10:52 Debug IKE 00000000 00000000 03000600 ff200000
10020000 3fe55d05 00000000 00000000
Jul 17, 22:10:52 Debug IKE 1c000d00 20000000 00030000 00000000
00010008 00000000 01000000 01000000
Jul 17, 22:10:52 Debug IKE 00000000 00000000 00000000 00000000
00000000 00000000 80510100 00000000
Jul 17, 22:10:52 Debug IKE 80700000 00000000 00000000 00000000
00040000 00000000 0001c001 00000000
Jul 17, 22:10:52 Debug IKE 01000000 01000000 00000000 00000000
00000000 00000000 00000000 00000000
Jul 17, 22:10:52 Debug IKE 80510100 00000000 80700000 00000000
00000000 00000000 000c0000 00000000
Jul 17, 22:10:52 Debug IKE 00010001 00000000 01000000 01000000
00000000 00000000 00000000 00000000
Jul 17, 22:10:52 Debug IKE 00000000 00000000 80510100 00000000
80700000 00000000 00000000 00000000
Jul 17, 22:10:52 Error IKE inappropriate sadb acquire message passed.
Jul 17, 22:10:52 Debug IKE get pfkey ACQUIRE message
Jul 17, 22:10:52 Debug IKE 02060003 14000000 e7000000 51130000
03000500 ff200000 10020000 c0a80164
Jul 17, 22:10:52 Debug IKE 00000000 00000000 03000600 ff200000
10020000 3fe55d05 00000000 00000000
Jul 17, 22:10:52 Debug IKE 0a000d00 20000000 000c0000 00000000
00010001 00000000 01000000 01000000
Jul 17, 22:10:52 Debug IKE 00000000 00000000 00000000 00000000
00000000 00000000 80510100 00000000
Jul 17, 22:10:52 Debug IKE 80700000 00000000 00000000 00000000
02001200 02000200 33000000 00000000
Jul 17, 22:10:52 Debug IKE suitable outbound SP found:
192.168.1.100/32[0] 10.0.0.0/8[0] proto=any dir=out.
Jul 17, 22:10:52 Debug IKE sub:0xbffff4fc: 10.0.0.0/8[0]
192.168.1.100/32[0] proto=any dir=in
Jul 17, 22:10:52 Debug IKE db :0x308cb8: 10.0.0.0/8[0]
192.168.1.100/32[0] proto=any dir=in
Jul 17, 22:10:52 Debug IKE suitable inbound SP found: 10.0.0.0/8[0]
192.168.1.100/32[0] proto=any dir=in.
Jul 17, 22:10:52 Debug IKE new acquire 192.168.1.100/32[0]
Jul 17, 22:10:52 Debug IKE (proto_id=ESP spisize=4 spi=00000000
Jul 17, 22:10:52 Debug IKE (trns_id=3DES encklen=0 authtype=hmac-sha)
--Jul 17, 22:10:53
Jul 17, 22:10:53
Jul 17, 22:10:53
Jul 17, 22:10:53
------
Debug IKE Configuration exchange type mode config SET
Debug IKE Attribute XAUTH_STATUS
Error IKE Xauth authentication failed
Debug IKE Sending MODE_CFG ACK
by mudiam on 2008-07-18 07:26:10 +0200
well, there was too much logging when in debug, so I am just doing info..
PSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig
Jul 17, 22:23:26 Info
APP IPSec started
Jul 17, 22:23:26 Info
Jul 17, 22:23:26 Info
Jul 17, 22:23:26 Info
Jul 17, 22:23:26 Info
Jul 17, 22:23:27 Info
Jul 17, 22:23:27 Info
the peer's address.
Jul 17, 22:23:27 Error IKE Xauth authentication failed
Jul 17, 22:23:27 Error IKE unknown Informational exchange received.
Jul 17, 22:23:34 Info
Jul 17, 22:23:41 Info
Jul 17, 22:23:43 Error IKE phase2 negotiation failed due to time up waiting
for phase1. ESP 63.229.93.5[0]->192.168.1.100[0]
Jul 17, 22:23:48 Info
Jul 17, 22:23:48 Info
the peer's address.
Jul 17, 22:23:55 Info
Jul 17, 22:24:00 Warning APP Connection Vcommerce VPN timed out
Jul 17, 22:24:00 Warning APP Suspending for 15 seconds
for phase1. ESP 63.229.93.5[0]->192.168.1.100[0]
Jul 17, 22:24:16 Warning APP Connection Vcommerce VPN reactivated after
suspension
Jul 17, 22:24:16 Error IKE such policy does not already exist:
"192.168.1.100/32[0] 10.0.0.0/8[0] proto=any dir=out"
Jul 17, 22:24:16 Error IKE such policy does not already exist:
"10.0.0.0/8[0] 192.168.1.100/32[0] proto=any dir=in"
Jul 17, 22:24:19 Info
Jul 17, 22:24:19 Info
the peer's address.
Jul 17, 22:24:26 Info
Jul 17, 22:24:33 Info
for phase1. ESP 63.229.93.5[0]->192.168.1.100[0]
Jul 17, 22:24:40 Info
Jul 17, 22:24:40 Info
smb, ssh drops after few minutes
smb, ssh drops after few minutes
by ejbcommander on 2008-07-18 14:36:57 +0200
Hi,
everything here works fine (after 3 days of trial & error) with Ceckpoint
SecureClient NGX VPN-1 and IPSecuritas 3.2b1 on 10.4.11 - except
smb-shares and ssh-Sessions.
Mounted smb-shares are dropped after a few Minutes, same with ssh.
Is that a known issue?
Is there a solution?
I often have to start long running build-processes on remote servers, now I
can only complete them by starting them nohup.
Thanks in advance,
Michael
Linksys WVRS4400N - Any Secrets???
Linksys WVRS4400N - Any Secrets???
by Beavis on 2008-07-19 01:52:47 +0200
So I have a Linksys WVRS4400N that I know is set up right because I can
connect via QuickVPN with XP from my mac at home. Did the connection
wizard with ipsecuritas and no dice : {
Been reading posts here but still can't find any detailed instructions to get
this working. Even following the advice of setting the Remote Security
Group to a specific IP. Am I missing something?
Their are still a lot of acronyms and things I don't fully understand, but I
know I'm ALMOST there.
Does anyone have some detailed instructions.
Thanks in advance!
Beavis McSleavis :-/
WRVS 4400N Setup
WRVS 4400N Setup
by Beavis on 2008-07-21 22:51:00 +0200
We have this linksys router with these specs...
[img]http://www.boxwrench.net/images/posts/VPN.png[/img]
[img]http://www.boxwrench.net/images/posts/Advanced.png[/img]
[img]http://www.boxwrench.net/images/posts/General.png[/img]
And this is how we have it setup in IPSecuritas...
[img]http://www.boxwrench.net/images/posts/Phase_1.png[/img]
[img]http://www.boxwrench.net/images/posts/Phase_2.png[/img]
[img]http://www.boxwrench.net/images/posts/ID.png[/img]
[img]http://www.boxwrench.net/images/posts/DNS.png[/img]
[img]http://www.boxwrench.net/images/posts/Options.png[/img]
We still can't get a connection. We purchased a static IP thru our ISP and it
is correctly set up to passthrough VPN with NAT disabled.
Can anyone see what is wrong?
Thanks in advance 8-)
Re: WRVS 4400N Setup
by cnadig on 2008-07-22 15:19:43 +0200
Hello,
I helped configuring a WRVS4400N a while ago and found it had a rather
peculiar speciality - connecting with a random IP address would not work.
We got it working by specifying an IP address for 'Remote Security Group
Type' (like 10.10.1.1, please copy this address to the local endpoint IP
address field in IPSecuritas).
This also means, that you need to setup more than one connections if more
than one user wants to connect at the same time.
Hope this helps,
Christoph
by Beavis on 2008-07-22 20:40:18 +0200
Thanks Christoph,
For clarification, what is the local host IP? Is that the local LAN IP of the
departure router from the remote location?
Example: I'm at a coffee shop with my laptop, I don't know the local IP of
the shops router. This is my remote departure point.
I'm attempting to connect to my router at my home office which is behind a
statip IP.
I know the static IP, DNS, LAN IP, and subnet mask at my office.
Again I do not know the coffee shops LAN.
Does their router need to have VPN enabled?
Is it possible to use IPSecuritas to make an IPSec connection without
knowing your departure LAN IP?
The connection works fine with the Linksys Quick VPN on a PC in the above
scenario. Hoping IPSecuritas will enable my Macbook Pros the same access!
Thanks again! :)
The WRVS4400N is temperamental with Macs and IPSecuritas, but you can
establish a working tunnel to get onto your network. I figured this out a
couple of years ago and posted settings here on this forum. I also see that
the newer versions of IPSecuritas include auto-configuration file for the
4400N.
Looking at the particular settings you set, the first thing I see you have set
wrong is in the Advanced Settings on the Linksys. Both your local and
remote identifiers have to be set to ip address, not name. If you use name,
it must be a domain name (ie., www.mydomain.com), and any DNS lookup
on that name must resolve to your current ip address on that end of the
connection.
Also, use Main, not Aggressive.
I've found that dissecting the WRVS4400N's VPN log can really help in
figuring out what settings you have that are wrong.
One caveat about the connection: I've just learned after a couple of years of
using IPSecuritas --> WRVS4400N that not all network traffic goes over the
VPN (https, mail, chat, etc - they aren't on the VPN). I'm trying to research
that right now, which is why I came back to the forum here and ran across
your older post.
At this point, you've probably given up or figured it out, but maybe my
information above will help others who are trying to figure out getting a
connection going.
Oops! Forgot to mention that you have to use Firmware V1.00.16 or earlier.
I spent a good 12 hours trying to get the new firmware (V1.03?) working
without success. Pretty frustrating.
The issue with the new firmware is that you must use a domain name or
specific ip address to identify the client; the use of "any" never worked. I
verified this by using a Spring Aircard to attempt to VPN while sitting in
front of my router. If I put in the dynamic ip address of the Aircard as the
remote identifier, connection establishes. This won't work if you're on the
road unless you jump through some hoops.
One way to do it would be to enable remote administration of your
WRVS4400N over the WAN. You could log in via the web interface, and
change the VPN settings on the router to match your current ip address.
Ugly workaround in my opinion.
Another method that might work for the Aircard user, which I haven't tried
because I am not interested at this time in upgrading the firmware back to
V1.03 to test it out, would be to register an account with DYNDNS.ORG for
your laptop/remote system, then use their OS X widget that dynamically
updates your ip address on their DNS servers. You would then use the
domain name in the remote identifier (i.e. mymobilename.dyndns.org).
Should work, but again, I haven't tested it. I may have to if trying to get all
network traffic to go over the VPN forces me to try the newer firmware.
[quote author=DistortedLoop link=1216673460/0#4 date=1228423793]
Another method that might work for the Aircard user, which I haven't tried
because I am not interested at this time in upgrading the firmware back to
V1.1.03 to test it out, would be to register an account with DYNDNS.ORG
for your laptop/remote system, then use their OS X widget that dynamically
updates your ip address on their DNS servers. You would then use the
domain name in the remote identifier (i.e. mymobilename.dyndns.org).
Should work, but again, I haven't tested it. I may have to if trying to get all
network traffic to go over the VPN forces me to try the newer firmware.
[/quote]
Desperately trying to figure out another problem, I bit the bullet and
upgraded back to Firmware v1.1.03. My method above does work in terms
of allowing you to use a domain name as the mobile user's ip address. This
is pretty handy if your system is stable with v1.1.03. Unfortunately I had to
downgrade back to v1.00.16 because the newer firmware leaves the router
in a corrupt state after IPSecuritas connections to it disconnect. ;-(
Linksys VS Netgear
Linksys VS Netgear
by Beavis on 2008-07-22 20:57:26 +0200
I'm having problems with my linksys WRVS4400N, and have been looking
into a Netgear FVS336G. Can anyone recommend one over the other while
using IPSecuritas? Or any other brand or model for that matter.
The Netgear seems to have some better specs.
Any advice is appreciated.
Thanks!
Re: Linksys VS Netgear
by mann on 2008-09-09 05:38:59 +0200
I have installed 3 Netgear FVS338's and have had zero problems.
Re: Linksys VS Netgear
[quote author=Beavis link=1216753046/0#0 date=1216753046]I'm having
problems with my linksys WRVS4400N, and have been looking into a
Netgear FVS336G. Can anyone recommend one over the other while using
IPSecuritas? Or any other brand or model for that matter.
The Netgear seems to have some better specs.[/quote]
Did you take the plunge? Are you happy with the results? I'm actually
looking at the same device to replace/supplement my WRVS4400N right
now. The WRVS4400N is a tempermental beast when dealing with Mac
IPSEC.
[quote author=mann link=1216753046/0#1 date=1220931539]I have
installed 3 Netgear FVS338's and have had zero problems.[/quote]
Do you actually get all network services routed through the VPN when using
your Netgear with IPSecuritas? I've got few problems connecting with my
Linksys to access the internal network, but web and email and other
protocols are not routed over the Linksys (that will be the subject of a
different post, I'm just wondering if the Netgear works properly in that
regard.
Wizard | Updated Choices
Wizard | Updated Choices
by NeilMcG on 2008-07-23 02:48:32 +0200
Hi, after experimenting, with mixed success - I think it's time to ask for
help.
In the wizard, what are the appropriate choices for the FVS338 & FVG318?
Given the FVS318 is now obsolete or deleted from Netgears product range could the wizard choices be updated?
I'm not sure of the product families for FVS318v3, FVS3128, FVS338,
FVS538, etc.
Thanks in advance.
Netgear FVS338
Netgear FVS338
by NeilMcG on 2008-07-23 02:51:43 +0200
Is the Netgear FVS338 - closer to the FVS318v3 or the FVS328?
Is it possible the start a topic (stickie) with updates on the latest hardware
available?
Thanks in advance.
Re: Netgear FVS338
by blue68f100 on 2008-08-19 22:31:48 +0200
The 338 is closer to the 328 but it has a lot of features like a 538 if your
using the latest firmware.
I'm here seeking help on getting my FVS338 to connect up to my MBP. I did
not have time to test before I left and I could not connect.
Re: Netgear FVS338
by NeilMcG on 2008-08-30 11:32:46 +0200
I successfully got both an FVS338 & FVG318 to connect, using the latest
firmware for each and the 3.2b1 IPsecuritas
I generated Connection Wizard Templates and emailed them to lobotomo.
Re: Netgear FVS338
by digitalscanner on 2008-09-23 10:40:49 +0200
hallo
is it possible to send me the wizard template for the FVS338 cause itґs still
not included in the b2
thanx
digital
Juniper Netscreen wizard hole
Juniper Netscreen wizard hole
by douger on 2008-07-25 21:01:59 +0200
I am trying to set up a VPN to a Netscreen 5XT from a machine running
leopard. I downloaded the instructions for Juniper Netscreen / Juniper SSG
and followed them, using the two wizards (IPSecuritas and Netscreen). I fire
up the connection, and it doesn't seem to connect - red light. However, I
ping the server I am trying to reach and it gets there. Not sure what is
going on at this point, but if it is working and the light doesn't turn green
so who cares - well, probably my user who will be confused. So I quit and
exit the daemon, and still can ping the server. Hmm, maybe something left
on - reboot. Try and ping the server again - sure, no problem. ??? OK,
something on the firewall - oh here it is. The new policy added for the VPN
allows everything in! So I check the document again and there it is, the last
line in the configuration from the wizard is:
set policy top from "Untrust" to "Trust" "Any" "192.168.215.0/24' Permit
This allows all traffic from the untrust port to the trust port.
Bad idea. Like having no firewall at all.
OK, so what I did that worked was use this document http://kb.juniper.net
/kb/documents/public/ApplicationNotes/Technical/ScreenOS%204.0.0
/VPN_Vaporsec.htm
and adapt it to the IPSecuritas screens.
I had to turn off Nat-T on the IPSecuritas side as I was using a static IP
address for testing, may need to turn that back on.
I did turn on Nat Traversal on the firewall.
I started out to post a question about the VPN working but the red light on,
but figured it out and decided to post this one as a warning.
Hope it helps - Doug
IP Securitas From Mac book Pro to Fortinet 800
IP Securitas From Mac book Pro to Fortinet 800
by Yuseff on 2008-07-31 05:40:41 +0200
Hi everybody, I have an issue with a MAC Book Pro running IPSecuritas. The
VPN connection to a Fortigate 800 drops in some cases every 20-30 min
but in the mayority of time evey 5 min. I have more MACs running the
IPSecuritas and they don't have this problem.
Does anybody have a clue to what may be causing this problem?
Thank you
Re: IP Securitas From Mac book Pro to Fortinet 800
by chris-in-sf on 2008-08-01 23:28:27 +0200
We are having a similar issue, but I'm not sure if it's a Fortigate problem or
a VLAN problem on our switch. Also 2 of 3 MacBook Pros are having the
issue, but mine has not shown the issue. We are using a Fortigate 300a.
Our problem more specifically is the VPN connection itself doesn't seem to
drop, but you get disconnected from machines on the LAN after about 30
minutes. Particularly if you are using remote desktop which most of us do.
You can't ping those machines on that subnet anymore. Then you have to
disconnect VPN connection, and reconnect, and then you can get back to
the LAN.
The error message that IP Securitas throws up when the LAN drops is:
"Jul 28, 23:03:08 Error IKE fatal INVALID-SPI notify messsage, phase1
should be deleted.
Jul 28, 23:03:12 Error IKE fatal INVALID-SPI notify messsage, phase1
should be deleted."
etc, etc...
Any ideas?
Fritzbox 3270 VPN problems
Fritzbox 3270 VPN problems
by ivan on 2008-08-08 11:26:45 +0200
I have a FritzBox 3270 wlan DSL router, NAT, including a VPN gateway. I
have configured it as explained here:
http://www.avm.de/de/Service/Service-Portale/Service-Portal
/VPN_Interoperabilitaet/box_zu_securitas.php
On my internal network I have a MacMini with shares and remote screen
sharing activated.
I connect to the network with a Macbook with IPSecuritas configured as
described above.
When I connect with my Macbook to the wired network or the Wifi network
at home (no VPN) I can see the Mac Mini machine and other shares.
When I connect through a foreign (wifi) network with an internal IP I can
access the shares of the MacMini if I do "Connect to computer" in the Finder
and type the IP, but the Macbook does not see the names of the computers
with shares on the local network, neither can it resolve the computername
of the MacMini. If I type the computername instead of the IP, it does not get
resolved. I cannot do screen sharing either as this relies of the resolution of
the computername.
Now I know that Macs advertise themselves on the local network with a Mac
specific Bonjour protocol, and I guess that for some reason that traffic does
not pass through the VPN. Anybody has an idea how to solve this? The only
computer I see in Finder with shares is "localhost" which is a loopback to
my macbook I guess.
I tried to switch the use_nat_t parameter to yes, to check if this has
anything to do with NAT translation, but it did not solve the problem (was a
shot in the dark anyway)
Re: Fritzbox 3270 VPN problems
by deltanine on 2008-09-09 00:44:37 +0200
you could try:
http://www.macosxhints.com/article.php?story=20080626194901370
<< create the illusion that Bonjour works over a VPN >>
regards
delta
Checkpoint VPN-1 connection drops all others
Checkpoint VPN-1 connection drops all others
by mpdg on 2008-08-08 16:55:57 +0200
I have a work PC and Mac at home. When I connect to my work Checkpoint
VPN with IPSecuritas from the mac it kills the VPN connection between the
Checkpoint and my work PC (which has checkpoint's software on it). If I
connect two PCs with the checkpoint software I can connect to both fine.
Anyone had this issue?/knows a way around it?
was working, now is not.
was working, now is not.
by eylisian on 2008-08-12 21:56:01 +0200
Hi,
Have a user with OS X 10.5 and IPSecuritas 3.*
This was working until approx a month ago, and then the gateway started
getting PACKET_MALFORMED messages when he'd try and connect. I
figured something got munged and generated a new cert/key pair and
installed them. Now the gateway throws different errors and the connection
log locally states that IKE cant find certificates or keys.
Any ideas?
I can and will post some logs, the user had to fly the coop and I'll get him to
forward them on.
Thanks,
Robert
Re: was working, now is not.
by eylisian on 2008-08-20 23:21:37 +0200
Finally got got the Connection Log from the user
<snip>
Aug 20, 13:40:14 Debug IKE filename: /Library/Application
Support/Lobotomo Software/IPSecuritas/certs
/aab01961-75e9-40f0-9c15-2ad51224602d.cert
Aug 20, 13:40:14 Error IKE failed to get my CERT.
Aug 20, 13:40:14 Error IKE failed to get own CERT.
Aug 20, 13:40:14 Error IKE failed get my ID
Aug 20, 13:40:14 Error IKE failed to process packet.
Aug 20, 13:40:14 Error IKE phase1 negotiation failed.
Aug 20, 13:40:14 Debug IKE IV freed
Aug 20, 13:40:20 Debug IKE ===
Aug 20, 13:40:20 Debug IKE 244 bytes message received from
*.*.*.*[500] to 192.168.0.18[500]
Aug 20, 13:40:20 Debug IKE 3c491ae8 5ab88c4b 7a68aaa4 28e5d263
04100200 00000000 000000f4 0a0000c4
Aug 20, 13:40:20 Debug IKE 82aa60e6 25e77bd5 b25340a0 21ae9410
e15d820d fc6c0f29 3edb2f33 6228871b
Aug 20, 13:40:20 Debug IKE 00b930be 9a74d311 64e76c6c 25230920
e2bdaee3 fadfd4cf 7f3a4925 d9d02853
Aug 20, 13:40:20 Debug IKE 2e67ebfc 9c72d332 a2512b6f 8b44ba73
f1f63591 d519ccdf 7dccc4ac d498230e
Aug 20, 13:40:20 Debug IKE 3dd7d88f f036ec63 52e894f8 2094dfa0
aeffec47 73bfb8d9 042b702c bd74a54f
Aug 20, 13:40:20 Debug IKE 5cd3f40e 0893c14e 65650fe3 2478a200
ebdca70d 75fb8bd9 a40730d8 0d5e382f
Aug 20, 13:40:20 Debug IKE 87b87354 61e09c7f 50c68257 237a0419
77f481eb 58ba7e68 c235710d 72afce34
Aug 20, 13:40:20 Debug IKE 00000014 c7deff2a acb9acf7 dc886f3b
5ec5f427
Aug 20, 13:40:20 Debug IKE malformed cookie received or the spi
expired.
Aug 20, 13:40:21 Info
APP Initiated connection Outside of Rulespace
Aug 20, 13:40:21 Debug IKE get pfkey ACQUIRE message
Aug 20, 13:40:21 Debug IKE 02060003 24000000 06000000 00000000
03000500 ff200000 10020000 c0a80012
Aug 20, 13:40:21 Debug IKE 00000000 00000000 03000600 ff200000
10020000 cea37bcf 00000000 00000000
Aug 20, 13:40:21 Debug IKE 1c000d00 20000000 00030000 00000000
00010008 00000000 01000000 01000000
Aug 20, 13:40:21 Debug IKE 00000000 00000000 00000000 00000000
00000000 00000000 80510100 00000000
Aug 20, 13:40:21 Debug IKE 80700000 00000000 00000000 00000000
00040000 00000000 0001c001 00000000
Aug 20, 13:40:21 Debug IKE 01000000 01000000 00000000 00000000
00000000 00000000 00000000 00000000
Aug 20, 13:40:21 Debug IKE 80510100 00000000 80700000 00000000
00000000 00000000 000c0000 00000000
Aug 20, 13:40:21 Debug IKE 00010001 00000000 01000000 01000000
00000000 00000000 00000000 00000000
Aug 20, 13:40:21 Debug IKE 00000000 00000000 80510100 00000000
80700000 00000000 00000000 00000000
Aug 20, 13:40:21 Error IKE inappropriate sadb acquire message passed.
Aug 20, 13:40:21 Debug IKE get pfkey ACQUIRE message
Aug 20, 13:40:21 Debug IKE 02060003 14000000 12000000 53000000
03000500 ff200000 10020000 c0a80012
Strange connections of Daemon
Strange connections of Daemon
by abfdx279 on 2008-08-22 00:27:37 +0200
Little Snitch reports on Leopard the following inbound connections for the
Daemon. IPSecuritas was is not active. Could this be some kind of "spill
over" from remote Skype clients trying to connect? Skype is running at the
same time.
Verbindungsverlauf fьr: IPSecuritasDaemon (/Library/StartupItems
/IPSecuritasDaemon/IPSecuritasDaemon)
Gesamt: 0 Bytes gesendet, 0.6kB empfangen
###.netcologne.de (###.###.243.214), Port 0 (1024/tcp), Protokoll 1
(ICMP), 0 Bytes gesendet, 170 Bytes empfangen
###.hrz.fh-zwickau.de (###.###.72.1), Port 0 (1024/tcp), Protokoll 1
###.pools.arcor-ip.net (###.###.16.47), Port 0 (1024/tcp), Protokoll 1
###.adsl.alicedsl.de (###.###.174.3), Port 0 (1024/tcp), Protokoll 1
###.zaq.ne.jp (###.###.113.26), Port 0 (1024/tcp), Protokoll 1 (ICMP), 0
Bytes gesendet, 91 Bytes empfangen
###.###.144.95 (###.###.144.95), Port 0 (1024/tcp), Protokoll 1 (ICMP),
0 Bytes gesendet, 86 Bytes empfangen
###.TU-Berlin.DE (###.###.8.19), Port 0 (1024/tcp), Protokoll 1 (ICMP),
0 Bytes gesendet, 56 Bytes empfangen
Second question: Someone has asked similar question before, but how can
you generally route all traffic through the VPN? Do you have to have this
feature on both the client (like IPSecuritas) and the server or is that just a
feature IPSecuritas could implement (or has already) on its own?
Thanks to the developer! The connection works (to some degree) for an
AVM Fritz!Box 7170. Though, it would be nice if you could route the
websurfing through the VPN.
Re: Strange connections of Daemon
by cnadig on 2008-08-24 21:55:55 +0200
Hello,
this traffic looks strange indeed. IPSecuritas sends ICMP ping packets if the
connection surveillance is enabled and only to the configured hosts while
connected. The traffic could also be ICMP unreachable replies, but then I
could not imagine why they are addresses to IPSecuritasDaemon.
Would it be possible to tcpdump the traffic for further analysis (as root, run
'tcpdump -i en0 -s1500 -w ~/Desktop/traffic.pcap' for a while)?
Cheers,
Christoph
by abfdx279 on 2008-08-25 17:59:35 +0200
Hi again!
Just tried MacSniffer (uses tcpdump) together with Little Snitch.
After closing down all other programs (including Skype), IPSecuritas'
Daemon doesn't seem to get any more inbound connects. Guess I have to
look further into that. But Skype will produce significant traffic when
launched...
In my opinion that has something to do with skype. Could someone try that
on his Mac (Leopard)?
(running Skype, LittleSnitch as shareware version and just the Deamon
without IPSecuritas itself and without any IPSec connection).
The IPs look like they are dynamic (for example Alice is a German provider)
and Skype uses a decentral system of connections...
by abfdx279 on 2008-08-30 15:03:46 +0200
Has anyone else tested this thing?
OS X Leopard - Skype - IPSecuritas - LittleSnitch (or some other monitoring
software)
Christoph?
route add issue
route add issue
by deltanine on 2008-08-27 19:40:42 +0200
I have successfully established an IPSEC VPN connection from a
MacBook Pro to a Draytek Vigor 2820 using IPSecuritas's Wizard.
The remote router (net 192.168.10.0) can establish VPN connections to
other networks.
When using PPTP or L2TP for the same connection I was able to
[code]sudo route -n add -net 192.168.30.0 192.168.10.1
255.255.255.0[/code]
in order to allow applications on the MacBook to access network
192.168.30.0 via 192.168.10.1 .
The same approach fails when using IPSEC with IPSecuritas.
Is there a way to make this work?
Thanks in advance.
Delta
MacOS: 10.4.11
IPSecuritas: 3.1
Router: Draytek Vigor 2820 with Firmware 3.2.1_2111112
New 3.2 Beta version released
New 3.2 Beta version released
by cnadig on 2008-08-31 10:47:36 +0200
Good morning,
a new beta version has been release to replace the expiring 3.2b1. Please
download it from [url]http://www.lobotomo.com/products/downloads
/IPSecuritas32b2.dmg[/url]. The included Readme file contains a list of
enhancements and bug fixes.
Cheers,
Christoph
Problem connecting to VPN with Netgear DGFV338
Problem connecting to VPN with Netgear DGFV338
by greyloki on 2008-09-02 17:41:06 +0200
Hey folks,
I'm trying to set up a roadwarrior VPN using a Mac laptop connecting to a
Netgear DGFV338. I've found a tutorial that I followed (I can't remember the
link for it, but the first page shows it's for IPSecuritas 3.x by Lobotomo
Software and a Netgear DGFV338, written Oct 15th 2007), but i'm having
trouble in connecting - all of the settings in both IPSecuritas and the
Netgear appear to be correct, but my log seems to say otherwise, and I get
a yellow dot next to my connection's name, too.
Here's the log:
http://pastebin.com/m4a12da21
Any help would be greatly appreciated :)
Edit: The tutorial talks about matching 'local' and 'remote' IKE policy
identifiers - on the router, i have the remote identifier set as
remote_roadwarrior, since this is theoretically the laptop, and the local
identifier is esw_office.com. In IPSecuritas, I have these reversed - local is
remote_roadwarrior, and remote is esw_office.com - is that correct?
Problem installing IPSecuritas
Problem installing IPSecuritas
by marconcini on 2008-09-03 00:14:33 +0200
hi all, I'm new to the Mac world and am having trouble loading the
IPSecuritas software. I get an error message saying that i am trying to load
to a read only file system. I am trying to instal to the applications folder so I
don't understand. I'm frustrated :-[
Nortel VPN
Nortel VPN
by rambling_rebel on 2008-09-05 04:08:39 +0200
just downloaded this vpn software.....I'm trying to get MAC's into my
customer base instead of MS based stuff. I have this customer and 4 more
behind him all wanting MACS and VPN's. I Favour Nortel VPN's and need to
get this working on a contivity. I have the s/w loaded and it sayz its
working (IPSEC service started) but I don't ever see it on the contivity trying
to connect, and I can't seem to get my head around where to begin to
figure out where to look for solving this problem, any suggestions....
Re: Nortel VPN
by rambling_rebel on 2008-09-05 04:23:32 +0200
ok, I'm a knucklehead, I found the user guide.....ill read through it, but if
anyone has info that could help me, it would be appreciated...
Can't Connect to SonicWall Pro
Can't Connect to SonicWall Pro
by Philodox on 2008-09-09 03:15:03 +0200
Hi all,
I'm trying to set up IPSecuritas to give me access to a SonicWall Pro vpn
network. I can't connect and unfortunately the logs are rather cryptic so I'm
not sure where to look. I'm running this on the latest rev Macbook Pro.
[quote]
Sep 08, 17:59:39 Info
Sep 08, 17:59:39 Info
Sep 08, 17:59:39 Info
APP IPSec started
Sep 08, 17:59:39 Info
Sep 08, 17:59:39 Info
Sep 08, 17:59:39 Info
Sep 08, 17:59:39 Info
Sep 08, 17:59:39 Info
APP Initiated connection tre
Sep 08, 17:59:39 Error IKE delete phase1 handle.
Sep 08, 17:59:46 Info
Sep 08, 17:59:53 Info
Sep 08, 18:00:00 Info
Sep 08, 18:00:07 Info
Sep 08, 18:00:09 Error IKE phase1 negotiation failed due to time up.
3dfec7ca41ce9d94:0000000000000000
Sep 08, 18:00:12 Warning APP Connection tre timed out
waiting for phase1. ESP 24.16.134.55[500]->192.168.1.2[500] [/quote]
[quote]# Racoon configuration created by IPSecuritas
log notify;
padding
{
maximum_length 20;
Re: Can't Connect to SonicWall Pro
by Philodox on 2008-09-10 08:18:02 +0200
Edit: I've got a little bit farther, I had my DH group set incorrectly for phase 1.
My current log looks like:
[quote]
IPSecuritas 3.2b2 build 2391, So 31 Aug 2008 10:13:21 CEST, nadig
Darwin 9.4.0 Darwin Kernel Version 9.4.0: Mon Jun 9 19:30:53 PDT 2008;
Sep 10, 00:02:16 Info
Sep 10, 00:02:16 Info
APP Connection tre is started
Sep 10, 00:02:16 Info
Sep 10, 00:02:16 Info
APP IPSec started
Sep 10, 00:02:16 Info
Sep 10, 00:02:16 Info
Sep 10, 00:02:16 Info
Sep 10, 00:02:16 Info
Sep 10, 00:02:16 Info
Sep 10, 00:02:23 Info
Sep 10, 00:02:23 Error IKE ISAKMP mode config exchange with immature
phase 1
Sep 10, 00:02:28 Error IKE the length in the isakmp header is too big.
Sep 10, 00:02:30 Info
Sep 10, 00:02:37 Info
waiting for phase1. ESP [remote][4500]->192.168.1.2[4500]
Sep 10, 00:02:44 Info
waiting for phase1. ESP [remote][4500]->192.168.1.2[4500]
Sep 10, 00:02:49 Warning APP Connection tre timed out
waiting for phase1. ESP [remote][4500]->192.168.1.2[4500] [/quote]
I'm using XAuth PSK. If I turn off XAuth PSK I get this log, does anybody know
which one is "better"?
[quote]IPSecuritas 3.2b2 build 2391, So 31 Aug 2008 10:13:21 CEST, nadig
Sep 10, 00:05:02 Info
Sep 10, 00:05:03 Info
Sep 10, 00:05:03 Info
Sep 10, 00:05:03 Info
Sep 10, 00:05:03 Info
Sep 10, 00:05:03 Info
APP IPSec started
Sep 10, 00:05:03 Info
Sep 10, 00:05:03 Info
Sep 10, 00:05:03 Info
Sep 10, 00:05:03 Info
by cnadig on 2008-09-11 18:01:58 +0200
Hello,
I'd try normal PSK first since XAuth isn't strictly standardized and there are
many vendor-specific implementations around. In main mode,
identification is usually only possible by IP address (you set it to FQDN) and
may or may not work for road warriors depending on the implementation of
your firewall firmware. For road warriors, aggressive mode is usually the
better way, especially if there is more than one user.
Please set the log level to Debug to get more detailed information.
Hope this helps,
Christoph
by Philodox on 2008-09-13 03:48:08 +0200
Thanks :)
I changed it to address but I'm still getting the same errors. How do I set
the log level to debug? I tried doing it through System
Preferences/Network but that hasn't seem to have done anything.
My current config:
[quote]# Racoon configuration created by IPSecuritas
log notify;
padding
{
maximum_length 20;
randomize on;
strict_check off;
exclusive_tail on;
}
timer
{
counter 5;
interval 5 seconds;
persend 1;
phase1 15 seconds;
phase2 15 seconds;
}
# Connection "tre"
remote x.x.x.x
{
verify_cert off;
verify_identifier off;
initial_contact on;
passive off;
support_proxy off;
generate_policy off;
verify_cert off;
send_cert on;
send_cr on;
mode_cfg off;
ike_frag on;
doi ipsec_doi;
situation identity_only;
nat_traversal on;
exchange_mode main;
proposal_check obey;
nonce_size 16;
my_identifier address;
peers_identifier address;
proposal
{
lifetime time 1800 seconds;
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
by Philodox on 2008-09-15 01:20:44 +0200
Found the debug log option, it was under preferences :-[
Anyways here's the debug log[quote]IPSecuritas 3.2b2 build 2391, So 31 Aug
2008 10:13:21 CEST, nadig
Sep 14, 16:14:21 Debug APP All connections authenticated
Sep 14, 16:14:21 Debug APP State change from IDLE to AUTHENTICATING
after event START
Sep 14, 16:14:21 Info
Sep 14, 16:14:21 Info
Sep 14, 16:14:21 Info
Sep 14, 16:14:21 Debug APP State change from AUTHENTICATING to
Sep 14, 16:14:21 Info
APP IPSec started
Sep 14, 16:14:21 Debug APP Received SADB message type X_SPDUPDATE not interesting
Sep 14, 16:14:21 Debug APP Received SADB message type X_SPDUPDATE not interesting
Sep 14, 16:14:21 Info
Sep 14, 16:14:21 Info
Sep 14, 16:14:21 Info
Sep 14, 16:14:21 Info
Sep 14, 16:14:21 Info
Sep 14, 16:14:21 Debug IKE lifetime = 1800
Sep 14, 16:14:21 Debug IKE lifebyte = 0
Sep 14, 16:14:21 Debug IKE encklen=0
Sep 14, 16:14:21 Debug IKE p:1 t:1
Sep 14, 16:14:21 Debug IKE 3DES-CBC(5)
Sep 14, 16:14:21 Debug IKE SHA(2)
Sep 14, 16:14:21 Debug IKE 1024-bit MODP group(2)
Sep 14, 16:14:21 Debug IKE pre-shared key(1)
Sep 14, 16:14:21 Debug IKE compression algorithm can not be checked
Sep 14, 16:14:21 Debug IKE parse successed.
Sep 14, 16:14:21 Debug IKE open /Library/Application Support/Lobotomo
Sep 14, 16:14:21 Info
Sep 14, 16:14:21 Info
Sep 14, 16:14:21 Debug IKE get pfkey X_SPDDUMP message
Sep 14, 16:14:21 Debug IKE 02120000 0f000200 01000000 2e030000
03000500 ff180000 10020000 0a0a0a00
Sep 14, 16:14:21 Debug IKE 00000000 00000000 03000600 ff200000
10020000 c0a80102 00000000 00000000
Sep 14, 16:14:21 Debug IKE 07001200 02000100 08000000 00000000
28003200 02030e00 10020000 18108637
Sep 14, 16:14:21 Debug IKE 00000000 00000000 10020000 c0a80102
00000000 00000000
Sep 14, 16:14:21 Debug IKE get pfkey X_SPDDUMP message
Sep 14, 16:14:21 Debug IKE 02120000 0f000200 00000000 2e030000
03000500 ff200000 10020000 c0a80102
Sep 14, 16:14:21 Debug IKE 00000000 00000000 03000600 ff180000
10020000 0a0a0a00 00000000 00000000
Sep 14, 16:14:21 Debug IKE 07001200 02000200 07000000 00000000
28003200 02030d00 10020000 c0a80102
Sep 14, 16:14:21 Debug IKE 00000000 00000000 10020000 18108637
00000000 00000000
by Philodox on 2008-09-15 01:22:24 +0200
[quote]Sep 14, 16:14:21 Debug IKE add payload of len 16, next type 13
Sep 14, 16:14:21 Debug IKE add payload of len 16, next type 13
Sep 14, 16:14:21 Debug IKE 344 bytes from 192.168.1.2[500] to
x.x.x.x[500]
Sep 14, 16:14:21 Debug IKE sockname 192.168.1.2[500]
Sep 14, 16:14:21 Debug IKE send packet from 192.168.1.2[500]
Sep 14, 16:14:21 Debug IKE send packet to x.x.x.x[500]
Sep 14, 16:14:21 Debug IKE 1 times of 344 bytes message will be sent to
x.x.x.x[500]
Sep 14, 16:14:21 Debug IKE 5dd654cd bfed7735 00000000 00000000
01100200 00000000 00000158 0d000034
Sep 14, 16:14:21 Debug IKE 00000001 00000001 00000028 01010001
00000020 01010000 800b0001 800c0708
Sep 14, 16:14:21 Debug IKE 80010005 80030001 80020002 80040002
0d000014 4a131c81 07035845 5c5728f2
Sep 14, 16:14:21 Debug IKE 0e95452f 0d000014 8f8d8382 6d246b6f
c7a8a6a4 28c11de8 0d000014 439b59f8
Sep 14, 16:14:21 Debug IKE ba676c4c 7737ae22 eab8f582 0d000014
Sep 14, 16:14:21 Debug IKE 0d000014 80d0bb3d ef54565e e84645d4
c85ce3ee 0d000014 9909b64e ed937c65
Sep 14, 16:14:21 Debug IKE 73de52ac e952fa6b 0d000014 7d9419a6
5310ca6f 2c179d92 15529d56 0d000014
Sep 14, 16:14:21 Debug IKE cd604643 35df21f8 7cfdb2fc 68b6a448
0d000014 90cb8091 3ebb696e 086381b5
Sep 14, 16:14:21 Debug IKE ec427b1f 0d000014 16f6ca16 e4a4066d
83821a0f 0aeaa862 0d000014 4485152d
Sep 14, 16:14:21 Debug IKE 18b6bbcd 0be8a846 9579ddcc 0d000018
4048b7d5 6ebce885 25e7de7f 00d6c2d3
Sep 14, 16:14:21 Debug IKE 80000000 00000014 afcad713 68a1f1c9
6b8696fc 77570100
Sep 14, 16:14:21 Debug IKE resend phase1 packet
5dd654cdbfed7735:0000000000000000
Sep 14, 16:14:21 Debug IKE ===
Sep 14, 16:14:21 Debug IKE 112 bytes message received from x.x.x.x[500]
to 192.168.1.2[500]
Sep 14, 16:14:21 Debug IKE 5dd654cd bfed7735 59ae89f0 711e7f3e
01100200 00000000 00000070 0d000034
Sep 14, 16:14:21 Debug IKE 00000001 00000001 00000028 01010001
00000020 01010000 80010005 80020002
Sep 14, 16:14:21 Debug IKE 80040002 80030001 800b0001 800c0708
0d00000c 5b362bc8 20f60006 00000014
Sep 14, 16:14:21 Debug IKE 4a131c81 07035845 5c5728f2 0e95452f
Sep 14, 16:14:21 Debug IKE begin.
Sep 14, 16:14:21 Debug IKE seen nptype=1(sa)
Sep 14, 16:14:21 Debug IKE seen nptype=13(vid)
Sep 14, 16:14:21 Debug IKE seen nptype=13(vid)
Sep 14, 16:14:21 Debug IKE succeed.
Sep 14, 16:14:21 Debug IKE received unknown Vendor ID
Sep 14, 16:14:21 Debug IKE 5b362bc8 20f60006
Sep 14, 16:14:21 Info
IKE received Vendor ID: RFC 3947
by Philodox on 2008-09-15 01:23:29 +0200
[quote]Sep 14, 16:14:21 Debug IKE (lifebyte = 0:0)
Sep 14, 16:14:21 Debug IKE enctype = 3DES-CBC:3DES-CBC
Sep 14, 16:14:21 Debug IKE (encklen = 0:0)
Sep 14, 16:14:21 Debug IKE hashtype = SHA:SHA
Sep 14, 16:14:21 Debug IKE authmethod = pre-shared key:pre-shared key
Sep 14, 16:14:21 Debug IKE dh_group = 1024-bit MODP group:1024-bit
MODP group
Sep 14, 16:14:21 Debug IKE an acceptable proposal found.
Sep 14, 16:14:21 Debug IKE hmac(modp1024)
Sep 14, 16:14:21 Debug IKE agreed on pre-shared key auth.
Sep 14, 16:14:21 Debug IKE ===
Sep 14, 16:14:21 Debug IKE compute DH's private.
Sep 14, 16:14:21 Debug IKE 6d19d366 249a109c 36b021cd b3107c47
3914824e df5ea643 ef185e07 1823fbe1
Sep 14, 16:14:21 Debug IKE 497aabf9 10104106 5848a852 358c239c
a0bdd736 b1019038 08d9de94 e866a799
Sep 14, 16:14:21 Debug IKE 804237ef 5bce8aec 3709d370 5e63c132
c3406398 d0741fc6 40776d07 b6cee87c
Sep 14, 16:14:21 Debug IKE 6ca1af6c 87d09681 7218df0f 18be22fb
88320cf3 9c25db6b a43e0c0d 096398e7
Sep 14, 16:14:21 Debug IKE compute DH's public.
Sep 14, 16:14:21 Debug IKE 970dd812 1a62895a ab5cb04b 843e04d7
06aabb36 dd897189 a2307b08 ed6b7735
Sep 14, 16:14:21 Debug IKE 7a552f68 d3e7b588 1c4613ad 28a9bf2a
3eebce18 7215c3ad 48e3b5c1 c33f42b1
Sep 14, 16:14:21 Debug IKE 4f7752b5 961f9ba2 1179335e 09fc7e7e
7e664936 016c5444 2e885254 fd76339b
Sep 14, 16:14:21 Debug IKE 727cc1cb 70f23bcf e1fee811 17eca979
c3bb190d 8915b374 02ba17a1 0c0f2ad2
Sep 14, 16:14:21 Info
IKE Hashing x.x.x.x[500] with algo #2
Sep 14, 16:14:21 Debug IKE hash(sha1)
Sep 14, 16:14:21 Info
Sep 14, 16:14:21 Info
x.x.x.x[500]
x.x.x.x[500]
04100200 00000000 000000e4 0a000084
06aabb36 dd897189 a2307b08 ed6b7735
Sep 14, 16:14:21 Debug IKE 7a552f68 d3e7b588 1c4613ad 28a9bf2a
3eebce18 7215c3ad 48e3b5c1 c33f42b1
Sep 14, 16:14:21 Debug IKE 4f7752b5 961f9ba2 1179335e 09fc7e7e
7e664936 016c5444 2e885254 fd76339b
Sep 14, 16:14:21 Debug IKE 727cc1cb 70f23bcf e1fee811 17eca979
c3bb190d 8915b374 02ba17a1 0c0f2ad2
Sep 14, 16:14:21 Debug IKE 14000014 9c8ed4a5 d1653546 a7b0d169
82d56448 14000018 bfad97a7 acc7f714
Sep 14, 16:14:21 Debug IKE 1174bbe3 eabd4651 e92c2300 00000018
00360655 a1fd4d3f f68c07a6 29ff959e
Sep 14, 16:14:21 Debug IKE 2a842026
by Philodox on 2008-09-15 01:24:11 +0200
[quote]
Sep 14, 16:14:21 Info
IKE KA list add: 192.168.1.2[4500]->x.x.x.x[4500]
Sep 14, 16:14:21 Debug IKE ===
Sep 14, 16:14:21 Debug IKE compute DH's shared.
Sep 14, 16:14:21 Debug IKE a397f573 07369726 f5cde748 422998c4
704ace1b bf96c581 9294b1e8 990d0dd7
Sep 14, 16:14:21 Debug IKE b5b6f45c b7adaea9 a2c70199 7e5a8162
88e18344 f1939812 615df1ea bf531d62
Sep 14, 16:14:21 Debug IKE ba03b1a6 1f2a7652 8b3d5224 acc599a3
6012f54b 38ddee03 5eaf86ed 0112d0de
Sep 14, 16:14:21 Debug IKE 5a5664ae 2672534b 6cc6fe04 97f0dbb4
37c12eea c095d2ba 905f57be 61589745
Sep 14, 16:14:21 Debug IKE the psk found.
Sep 14, 16:14:21 Debug IKE psk: 2008-09-14 16:14:21: DEBUG2:
Sep 14, 16:14:21 Debug IKE 45304343 43394338 42394236 38364637
Sep 14, 16:14:21 Debug IKE nonce 1: 2008-09-14 16:14:21: DEBUG:
Sep 14, 16:14:21 Debug IKE 9c8ed4a5 d1653546 a7b0d169 82d56448
Sep 14, 16:14:21 Debug IKE nonce 2: 2008-09-14 16:14:21: DEBUG:
Sep 14, 16:14:21 Debug IKE 71603fde 2e350ff6 1f9fdf6b 0588c60f
2151080a
Sep 14, 16:14:21 Debug IKE hmac(hmac_sha1)
Sep 14, 16:14:21 Debug IKE SKEYID computed:
Sep 14, 16:14:21 Debug IKE 21425a9a d9d29890 23b41dae bc80c129
6299ebbf
Sep 14, 16:14:21 Debug IKE SKEYID_d computed:
Sep 14, 16:14:21 Debug IKE 40a8f852 117dbf35 681434f9 7234ecc2
1301d50d
Sep 14, 16:14:21 Debug IKE SKEYID_a computed:
Sep 14, 16:14:21 Debug IKE 56898368 ae8a501c 1a6b4523 133e704b
0025d46b
Sep 14, 16:14:21 Debug IKE SKEYID_e computed:
Sep 14, 16:14:21 Debug IKE e8ba7e4e 77ce21be 04e56ddc 8c7094cf
4562e6a1
Sep 14, 16:14:21 Debug IKE encryption(3des)
Sep 14, 16:14:21 Debug IKE len(SKEYID_e) < len(Ka) (20 < 24), generating
long key (Ka = K1 | K2 | ...)
Sep 14, 16:14:21 Debug IKE compute intermediate encryption key K1
Sep 14, 16:14:21 Debug IKE 00
Sep 14, 16:14:21 Debug IKE e0f43032 2960130d 4d3c200d 09204dcd
1c4daa82
Sep 14, 16:14:21 Debug IKE compute intermediate encryption key K2
1c4daa82
Sep 14, 16:14:21 Debug IKE 5c44252e a8f6897c 4d505519 1c3a78c3
f9a3c728
Sep 14, 16:14:21 Debug IKE final encryption key computed:
1c4daa82 5c44252e
Sep 14, 16:14:21 Debug IKE IV computed:
Sep 14, 16:14:21 Debug IKE 76b4a289 4d986ea9
Sep 14, 16:14:21 Debug IKE use ID type of IPv4_address
Sep 14, 16:14:21 Debug IKE HASH with:
by Philodox on 2008-09-15 01:25:13 +0200
[quote]Sep 14, 16:14:21 Debug IKE 1 times of 72 bytes message will be
sent to x.x.x.x[4500]
Sep 14, 16:14:21 Debug IKE 00000000 5dd654cd bfed7735 59ae89f0
711e7f3e 05100201 00000000 00000044
Sep 14, 16:14:21 Debug IKE a553b0ff d11baa03 0f1b4d4a a393f28c
f4e6506e 18c6aebc b5a95620 2c032e4b
Sep 14, 16:14:21 Debug IKE 3e0f94ab 847c7586
5dd654cdbfed7735:59ae89f0711e7f3e
Sep 14, 16:14:21 Debug IKE ===
Sep 14, 16:14:21 Debug IKE 76 bytes message received from x.x.x.x[4500]
to 192.168.1.2[4500]
05100201 00000000 0000004c e7b56bd6
Sep 14, 16:14:21 Debug IKE 5b7dd040 8ebb5c37 1f50211a 1aef5e8b
f8e37816 876c612d 7926a0c8 a86e0e7c
Sep 14, 16:14:21 Debug IKE 9790da4c 2f789bdc e9b130ad
Sep 14, 16:14:21 Debug IKE begin decryption.
Sep 14, 16:14:21 Debug IKE IV was saved for next processing:
Sep 14, 16:14:21 Debug IKE 2f789bdc e9b130ad
Sep 14, 16:14:21 Debug IKE with key:
1c4daa82 5c44252e
Sep 14, 16:14:21 Debug IKE decrypted payload by IV:
Sep 14, 16:14:21 Debug IKE decrypted payload, but not trimed.
Sep 14, 16:14:21 Debug IKE 08000014 02000000 30303036 42313131
36333838 00000018 70bdb824 15d12217
Sep 14, 16:14:21 Debug IKE 851cf849 61538c22 df7b05fc 00000003
Sep 14, 16:14:21 Debug IKE padding len=4
Sep 14, 16:14:21 Debug IKE skip to trim padding.
Sep 14, 16:14:21 Debug IKE decrypted.
05100201 00000000 0000004c 08000014
Sep 14, 16:14:21 Debug IKE 02000000 30303036 42313131 36333838
00000018 70bdb824 15d12217 851cf849
Sep 14, 16:14:21 Debug IKE 61538c22 df7b05fc 00000003
Sep 14, 16:14:21 Debug IKE begin.
Sep 14, 16:14:21 Debug IKE seen nptype=5(id)
Sep 14, 16:14:21 Debug IKE seen nptype=8(hash)
Sep 14, 16:14:21 Debug IKE succeed.
Sep 14, 16:14:21 Error IKE Expecting IP address type in main mode, but
FQDN.
Sep 14, 16:14:21 Error IKE invalid ID payload.
Sep 14, 16:14:26 Debug IKE Adding NON-ESP marker
x.x.x.x[4500]
x.x.x.x[4500]
711e7f3e 05100201 00000000 00000044
f4e6506e 18c6aebc b5a95620 2c032e4b
5dd654cdbfed7735:59ae89f0711e7f3e
by Philodox on 2008-09-15 01:25:55 +0200
[quote]Sep 14, 16:14:28 Debug IKE 02060003 24000000 04000000
00000000 03000500 ff200000 10020000 c0a80102
Sep 14, 16:14:28 Debug IKE 00000000 00000000 03000600 ff200000
10020000 18108637 00000000 00000000
Sep 14, 16:14:28 Debug IKE 1c000d00 20000000 00030000 00000000
00010008 00000000 01000000 01000000
Sep 14, 16:14:28 Debug IKE 00000000 00000000 00000000 00000000
00000000 00000000 80510100 00000000
Sep 14, 16:14:28 Debug IKE 80700000 00000000 00000000 00000000
00040000 00000000 0001c001 00000000
Sep 14, 16:14:28 Debug IKE 01000000 01000000 00000000 00000000
00000000 00000000 00000000 00000000
Sep 14, 16:14:28 Debug IKE 80510100 00000000 80700000 00000000
00000000 00000000 000c0000 00000000
Sep 14, 16:14:28 Debug IKE 00010001 00000000 01000000 01000000
00000000 00000000 00000000 00000000
Sep 14, 16:14:28 Debug IKE 00000000 00000000 80510100 00000000
80700000 00000000 00000000 00000000
Sep 14, 16:14:28 Debug IKE get pfkey ACQUIRE message
Sep 14, 16:14:28 Debug IKE 02060003 14000000 07000000 73000000
03000500 ff200000 10020000 c0a80102
Sep 14, 16:14:28 Debug IKE 00000000 00000000 03000600 ff200000
10020000 18108637 00000000 00000000
Sep 14, 16:14:28 Debug IKE 0a000d00 20000000 000c0000 00000000
00010001 00000000 01000000 01000000
Sep 14, 16:14:28 Debug IKE 00000000 00000000 00000000 00000000
00000000 00000000 80510100 00000000
Sep 14, 16:14:28 Debug IKE 80700000 00000000 00000000 00000000
02001200 02000200 07000000 00000000
Sep 14, 16:14:28 Debug IKE suitable outbound SP found:
192.168.1.2/32[0] 10.10.10.0/24[0] proto=any dir=out.
Sep 14, 16:14:28 Debug IKE sub:0xbffff67c: 10.10.10.0/24[0]
192.168.1.2/32[0] proto=any dir=in
Sep 14, 16:14:28 Debug IKE db :0x108b78: 10.10.10.0/24[0]
192.168.1.2/32[0] proto=any dir=in
Sep 14, 16:14:28 Debug IKE suitable inbound SP found: 10.10.10.0/24[0]
192.168.1.2/32[0] proto=any dir=in.
Sep 14, 16:14:28 Debug IKE new acquire 192.168.1.2/32[0]
Sep 14, 16:14:28 Debug IKE (proto_id=ESP spisize=4 spi=00000000
Sep 14, 16:14:28 Debug IKE (trns_id=3DES encklen=0
authtype=hmac-sha)
Sep 14, 16:14:28 Debug IKE in post_acquire
Sep 14, 16:14:28 Debug IKE configuration found for x.x.x.x.
Sep 14, 16:14:28 Info
Sep 14, 16:14:31 Debug IKE Adding NON-ESP marker
x.x.x.x[4500]
x.x.x.x[4500]
711e7f3e 05100201 00000000 00000044
f4e6506e 18c6aebc b5a95620 2c032e4b
by Philodox on 2008-09-15 01:26:33 +0200
[quote]
Sep 14, 16:14:35 Debug IKE 80700000 00000000 00000000 00000000
02001200 02000200 07000000 00000000
Sep 14, 16:14:35 Debug IKE suitable outbound SP found:
192.168.1.2/32[0] 10.10.10.0/24[0] proto=any dir=out.
Sep 14, 16:14:35 Debug IKE sub:0xbffff67c: 10.10.10.0/24[0]
192.168.1.2/32[0] proto=any dir=in
Sep 14, 16:14:35 Debug IKE db :0x108b78: 10.10.10.0/24[0]
192.168.1.2/32[0] proto=any dir=in
Sep 14, 16:14:35 Debug IKE suitable inbound SP found: 10.10.10.0/24[0]
192.168.1.2/32[0] proto=any dir=in.
Sep 14,

IPSecuritas

Transcription

Similar documents

ESG szorolap.cdr

December 2013 - School District of New Berlin

Presentation

to our Fall 2012 Straydog Newsletter

Secure Connect Columbitech Mobile VPN

mission trip to texas city,texas - Valmont Community Presbyterian

FOR SALE MOMENCE RIVERFRONT CORNER Property Highlights

The Safest Way to Surf

FOR LEASE SOUTHLAKE PLAZA RETAIL Property Highlights