LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 05-06-2015, 04:02 AM   #1
Patjabix
LQ Newbie
 
Registered: May 2015
Posts: 7

Rep: Reputation: Disabled
Question IPCOP IPSEC VPN is ON but no traffic


Hello all,

Here is my situation.
I have 2 IPCOP 2.1.9 working (both with a simple config with a green and red interface) and I (try to) set up an IPSEC VPN between the two local networks. So far, the VPN is shown green (opened) on both IPCOP admin pages.
One green network is 192.168.3.0/24 and the one on the other end is 192.168.4.0/24

For the moment, my problem is I can't ping or access web servers (or any other server) from one network to the other.

Something I think is strange is I don't see any route for the opposite network in the
"Routing Table Entries"

I don't really understand what can be the problem

Can someone highlight to me what I did wrong (or forgot to do ?)

Thank you

Patrice

Last edited by Patjabix; 05-06-2015 at 02:34 PM.
 
Old 05-15-2015, 06:27 AM   #2
bonowax
Member
 
Registered: Jul 2006
Location: Suburbs of Lisbon, Portugal
Distribution: Slackware, FreeBSD
Posts: 75

Rep: Reputation: 16
Hello;

I'm not familiar with IPCOP, and only got my 'feet wet' in regards to IPSec, so I hope I can contribute with some valid information.
I believe it is normal for you not to see any routes in the routing table. When you create an IPSec Security Association (IPSec SA for short, and how it is usually referred to in docs), you define, among other settings, the IP addresses of each endpoint, and which networks they connect, or route to.
When your local router receives an IP packet, it checks whether security applies or not, based on several criteria, one being destination address. If security measures apply, then the packet will be processed according to the SA it matched and forwarded to the other endpoint, also defined by the SA. No routing needed.

As you might have guessed, this is a very simplified and superficial description of the process.

Before the IPSec SA is established, the isakmp SA needs to be established, so:
- isakmp SA is established - this is usually called phase one;
- IPSec SA is established - this is called phase two;
- IP traffic flows through the tunnel.

There is a group of settings that govern phase one and another to govern phase two. In each endpoint, they must concur for the SAs to be established.

Perhaps you should re-visit the configuration interface of each endpoint and review anything that has 'IKE', 'isakmp' and 'IPSec' on it.

Have fun!

--
Paulo
 
Old 05-16-2015, 02:52 AM   #3
Patjabix
LQ Newbie
 
Registered: May 2015
Posts: 7

Original Poster
Rep: Reputation: Disabled
Hello Paulo,

Thank you for your answer

Looking at the Ipsec log, when I restart the VPN Tunnel, I can't see anything that could explain the problem (at least for me )

Here is the log when the VPN restarts (attached file) (I replaced some ID information by XXX for security reasons)

Do you see something that could explain the problem ?

Thank you for your help


Patrice
Attached Files
File Type: txt VPN_Log_201505162.txt (3.5 KB, 71 views)

Last edited by Patjabix; 05-16-2015 at 03:21 AM.
 
Old 05-16-2015, 06:16 AM   #4
bonowax
Member
 
Registered: Jul 2006
Location: Suburbs of Lisbon, Portugal
Distribution: Slackware, FreeBSD
Posts: 75

Rep: Reputation: 16
The only line that caught my eye was the "X.509 certificate rejected" one.

Are you using a certificate, as opposed to a preshared key?

--
Paulo
 
Old 05-16-2015, 12:12 PM   #5
Patjabix
LQ Newbie
 
Registered: May 2015
Posts: 7

Original Poster
Rep: Reputation: Disabled
Hello,

Yes I use a certificate I made in IPCOP.

My thought was to disable the Ipsec configuration and to make a new different one, as a test.
But for now, I can't access the remote Ipcop, so I will have to move there.

The strange thing is that the IPsec connection is shown green ( status open ).

Patrice
 
Old 05-16-2015, 01:22 PM   #6
bonowax
Member
 
Registered: Jul 2006
Location: Suburbs of Lisbon, Portugal
Distribution: Slackware, FreeBSD
Posts: 75

Rep: Reputation: 16
As a test, I'd use a preshared key. It's simpler, and after coming up with a working setup, you can change it to use a certificate instead.
 
Old 05-16-2015, 04:14 PM   #7
Patjabix
LQ Newbie
 
Registered: May 2015
Posts: 7

Original Poster
Rep: Reputation: Disabled
Hello,

I tried this first. But for an unknown reason, I couldn't select the option of preshared key in the setup (it was impossible to select it on one of the IPCOP, don't know why) , so I used a certificate setup.

Thank you,

Patrice
 
Old 05-18-2015, 03:22 AM   #8
bonowax
Member
 
Registered: Jul 2006
Location: Suburbs of Lisbon, Portugal
Distribution: Slackware, FreeBSD
Posts: 75

Rep: Reputation: 16
Certificates can be signed by a trusted CA or self-signed (the latter being the do-it-yourself flavour). Some applications won't accept a self-signed certificate, or at least will prompt for acceptance when presented with one. I don't know how IPCOP or IPSec deal with self-signed certificates, and that is why I suggested preshared keys.

Preshared keys should work, so you might want to investigate why the option isn't available in the first place.

--
Paulo
 
Old 05-18-2015, 02:06 PM   #9
Patjabix
LQ Newbie
 
Registered: May 2015
Posts: 7

Original Poster
Rep: Reputation: Disabled
Hello

In this situation, certificates were issued by the IPCOP.

But anyway, I deleted the VPN configuration on both sides and rebooted both IPCOP.
Then I made a simple preshared key configuration.
Again the IPSEC tunnel shows up green and open, but no traffic is possible through it

Attached is the IPSec log.

For my understanding, the VPN configuration is ok (as it shows "open") and the problem is somewhere else, but I can't figure out where

Thank you,

Patrice
Attached Files
File Type: txt VPN_20150518.txt (3.1 KB, 37 views)
 
Old 05-18-2015, 03:17 PM   #10
bonowax
Member
 
Registered: Jul 2006
Location: Suburbs of Lisbon, Portugal
Distribution: Slackware, FreeBSD
Posts: 75

Rep: Reputation: 16
Hi;

An IPSec tunnel is established only when there is traffic, unlike OpenVPN for instance, where you have a local interface, a remote interface, routing and the works.

I suspect that the green you mention only means ready to process packets.

Again: I'm not familiar with IPCOP, but there are a couple of things to check for:

- Traffic whose destination is on the other side of the IPSec tunnel is not to be NAT'ed (in Cisco IOS you have to specify this; don't know about IPCOP);
- You must have firewall rules that'll allow traffic between subnets that are behind each IPSec endpoint, if you're running a firewall (which you must be, since you're using IPCOP);

Are you using fixed IP addresses in both endpoints?
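A constructed model (added here; not IPCop's code and not Paulo's) of the two points made in posts #2 and #10: the gateway decides what to tunnel by matching packets against SA selectors rather than through the routing table, and traffic between the two green subnets must be exempted from the green-to-red NAT and permitted by the forwarding rules. The public addresses are placeholders; the NAT-before-policy ordering is a simplification that labels the outcome, not the kernel's exact path.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

GREEN_LOCAL = ip_network("192.168.3.0/24")
GREEN_REMOTE = ip_network("192.168.4.0/24")
RED_LOCAL = ip_address("203.0.113.1")  # constructed public address of this IPCop

@dataclass
class Policy:
    """One IPsec SA selector: src -> dst is sent to peer; no routing entry is involved."""
    src: IPv4Network
    dst: IPv4Network
    peer: IPv4Address

@dataclass
class Gateway:
    spd: list = field(default_factory=list)            # security policy database
    forward_allow: list = field(default_factory=list)  # (src_net, dst_net) firewall pairs
    masquerade_green: bool = True                      # green -> red NAT, as shipped
    nat_exempt: list = field(default_factory=list)     # (src_net, dst_net) not NAT'ed

def _matches(rules, src, dst):
    return any(src in s and dst in d for s, d in rules)

def outbound(gw: Gateway, src: str, dst: str) -> str:
    """Fate of a packet leaving green: 'tunnel', 'plain' (NAT'ed out of red) or 'drop'."""
    s, d = ip_address(src), ip_address(dst)
    if not _matches(gw.forward_allow, s, d):
        return "drop"                      # no firewall rule permits the forwarding
    if gw.masquerade_green and not _matches(gw.nat_exempt, s, d):
        s = RED_LOCAL                      # source rewritten: it now matches no selector
    if any(s in p.src and d in p.dst for p in gw.spd):
        return "tunnel"                    # matched by selector, not by a route
    return "plain"

def broken_gateway() -> Gateway:
    """SA present and firewall open ('green' status), but green->green is still NAT'ed."""
    return Gateway(spd=[Policy(GREEN_LOCAL, GREEN_REMOTE, ip_address("198.51.100.1"))],
                   forward_allow=[(GREEN_LOCAL, ip_network("0.0.0.0/0"))])

def fixed_gateway() -> Gateway:
    """Same gateway with the NAT exemption (iptables -t nat ... -j ACCEPT before MASQUERADE)."""
    gw = broken_gateway()
    gw.nat_exempt.append((GREEN_LOCAL, GREEN_REMOTE))
    return gw
```

Run `outbound(broken_gateway(), "192.168.3.10", "192.168.4.20")` and the same call against `fixed_gateway()` to see the packet leave unencrypted in the first case and through the tunnel in the second.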
 
Old 05-20-2015, 01:21 PM   #11
Patjabix
LQ Newbie
 
Registered: May 2015
Posts: 7

Original Poster
Rep: Reputation: Disabled
Hello,

Rules of the IPCOP firewall (as it is "out of the box") are as follows:
Interface GREEN and IPSEC are opened. Default deny action is reject
Interface RED is closed. Default deny action is dropped

I looked at the firewall log.
I can see ICMP traffic from a remote machine (pinging my computer) coming in the Wan-1 interface and the applied rule is IPSEC-RED ACCEPT
In fact, I can see traffic coming in from the remote network. But anyway traffic does not go through.

I think there is a special IPCOP Firewall rule to create for the traffic going through.

Anybody has an idea of what rule I should create ?

Thank you,

---------- Post added 05-20-15 at 08:22 PM ----------

Quote: Originally Posted by bonowax
Are you using fixed IP addresses in both endpoints?

Sorry, yes there are fixed addresses

For the NAT... I have to check but don't really know how...

Last edited by Patjabix; 05-20-2015 at 01:23 PM.
 