Basic VPN Setup


This topic contains 12 replies, has 0 voices, and was last updated by  forgery 9 years, 7 months ago.

    #41945

    forgery
    Member

    Hi, I’m new to setting up VPNs and trying to get our L2TP/IPSec section working. I don’t want to ask for specific advice just yet. I’m just wondering if anybody has any good pointers to guides that can get me on the way. I understand the theory of certificates, CAs etc., I just am not sure how to fully apply it. I’ve tried but the virtual connection does not work.

    Many Thanks

    #48828

    ppalias
    Member

    There is some documentation here.

    #48829

    forgery
    Member

    I don’t know why I didn’t see that before!! Thank you for the prod in the right direction.

    #48830

    forgery
    Member

    Hi again,

    Having been through the seemingly simple steps I am still unable to VPN into the network. My log states

    16:47:32 ERROR: phase1 negotiation failed due to time up. ead0ea579e70a6e6:730373808337e290
    16:47:32 INFO: respond new phase 1 negotiation: 192.168.x.x[500]192.168.x.x[500]
    16:47:32 INFO: begin Identity Protection mode.
    16:47:32 INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
    16:47:32 INFO: received Vendor ID: FRAGMENTATION
    16:47:32 INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    16:47:32 ERROR: ignore information because ISAKMP-SA has not been established yet.

    I’ve just blanked out the IP addresses above, they are correct.

    So from following the instructions I can see the 2 certificates in the 4 places mentioned. I have the host added, the VPN enabled and server and client both share the same domain.

    The error I am getting on the client says “security layer encountered a processing error during initial negotiations with the remote computer.”

    Any advice or tips would be gratefully received. Many Thanks

    #48831

    ppalias
    Member

    Make sure the corresponding ports for all the phases of the vpn establishment are allowed on the firewall. Also make sure the routing is correct.
    It would also be helpful if you showed us some piece of configuration.

    Last but not least don’t be paranoid by not writing here the full private ip address. There is no fear of getting hacked. 😛

    #48832

    forgery
    Member

    Thank you ppalias. I realise they are private IP addresses, I don’t know, it just felt right not naming full addresses. I knew it didn’t really mean much, just meant I felt better inside 🙂

    I will double check the ports, however I did try it with the firewall turned off and it still would not connect.

    Could I ask what parts of the configuration you would like to know? Or I can just detail pretty much everything I did? Whichever would be easier, I guess it’s not that many steps in total.

    Many Thanks

    #48833

    ppalias
    Member

    Well, the more of the steps and configuration changes you have done that we know about, the easier it will be to spot the mistake.

    #48834

    forgery
    Member

    Thanks for the reply again, I’ll now detail my steps in simplified form, hopefully it remains clear.

    1) Profile set up,
    HostName : zeroshell.xxx.local
    K5 Realm : XXX.LOCAL
    LDAP Base : dc=xxx,dc=local

    We have no use for the Kerberos stuff yet but thought we would make it correct anyway.

    2)Set up host for remote computer
    Hostname : Computer1
    Domain : xxx.local

    3)Set VPN settings on ZeroShell
    L2TP enabled
    set the IP address assignment.
    Left Host Certificate to be Local CA OU = Hosts, CN = zeroshell.xxx.local

    That’s it for the ZeroShell box, I now turn to remote computer ‘computer1’

    1)Added new connection using the external IP address of the ZeroShell Box

    2)Added Certificates, for this I followed instructions in the documentation on the site. I downloaded the correct Host and CA certificates. I then ended up with the 2 certificates in 4 places, these were:

    Inside:

    Certificates (Local Computer)
        Personal
            Certificates
                computer1.xxx.local (from computer1.xxx.local PFX)
        Trusted Root Certificate Authorities
            Certificates
                Issued To and By: ZeroShell Example CA (from CA.der)

    Certificates – Service (IPSEC Services) on Local Computer
        PolicyAgent\Personal
            Certificates
                computer1.xxx.local (from computer1.xxx.local PFX)
        PolicyAgent\Trusted Root Certificate Authorities
            Certificates
                Issued To and By: ZeroShell Example CA (from CA.der)

    That took me to the end of the instructions and the error messages given. Any more help or any other information I can give please let me know.

    Many thanks again for all time and help 🙂

    #48835

    ppalias
    Member

    Two things I would like to note.
    First on the guide vpn_rollercoaster says that

    Hosts should have same domain as the zeroshell box unless you know what you’re doing with
    Kerberos 5 domain/realm trust relationships.

    Is that ok with your setup?

    Second thing… I am not so sure if the HOST certificate should be downloaded from the ZS log-in page. I haven’t set up an L2TP VPN, but an OpenVPN. When I download a user certificate I do it from the X509 tab of each USER. I suggest you do the same. Go to NETWORK -> HOSTS -> click on the HOST’s bullet and then click on X509. Now export the certificate in the desired format with the KEY ticked. Hope this works.

    #48836

    forgery
    Member

    Hey, thank you for the reply. Have finally had time to play around again and progression is minimal! 🙁

    I did get the host certificate from inside the ZeroShell interface, this one was a great deal larger than the one I had previously used. Once this certificate was inserted I then received an error that the username/password didn’t match. Still no access but certainly a step closer.

    I decided to try with a new clean laptop. Everything set up the same as before. Host domains and Kerberos domains are both xxx.local so that is no problem. I am now attempting off Vista with what appear to be the correct certificates and still getting the error in my original post. Both computers can ping each other so there are no physical problems. Here are the current errors

    15:59:18 INFO: respond new phase 1 negotiation: 192.168.2.253[500]192.168.2.224[500]
    15:59:18 INFO: begin Identity Protection mode.
    15:59:18 INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
    15:59:18 INFO: received Vendor ID: RFC 3947
    15:59:18 INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    15:59:18 INFO: received Vendor ID: FRAGMENTATION
    15:59:18 ERROR: invalid DH group 20.
    15:59:18 ERROR: invalid DH group 19.
    15:59:18 ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = MD5:SHA
    15:59:18 ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:2048-bit MODP group
    15:59:18 ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = MD5:SHA
    15:59:18 ERROR: no suitable proposal found.
    15:59:18 ERROR: failed to get valid proposal.
    15:59:18 ERROR: failed to process packet.
    15:59:19 INFO: respond new phase 1 negotiation: 192.168.2.253[500]192.168.2.224[500]
    15:59:19 INFO: begin Identity Protection mode.
    15:59:19 INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
    15:59:19 INFO: received Vendor ID: RFC 3947
    15:59:19 INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    15:59:19 INFO: received Vendor ID: FRAGMENTATION
    15:59:19 ERROR: invalid DH group 20.
    15:59:19 ERROR: invalid DH group 19.
    15:59:19 ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = MD5:SHA
    15:59:19 ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:2048-bit MODP group
    15:59:19 ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = MD5:SHA
    15:59:19 ERROR: no suitable proposal found.
    15:59:19 ERROR: failed to get valid proposal.
    15:59:19 ERROR: failed to process packet.
    15:59:21 INFO: respond new phase 1 negotiation: 192.168.2.253[500]192.168.2.224[500]
    15:59:21 INFO: begin Identity Protection mode.
    15:59:21 INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
    15:59:21 INFO: received Vendor ID: RFC 3947
    15:59:21 INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    15:59:21 INFO: received Vendor ID: FRAGMENTATION
    15:59:21 ERROR: invalid DH group 20.
    15:59:21 ERROR: invalid DH group 19.
    15:59:21 ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = MD5:SHA
    15:59:21 ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:2048-bit MODP group
    15:59:21 ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = MD5:SHA
    15:59:21 ERROR: no suitable proposal found.
    15:59:21 ERROR: failed to get valid proposal.
    15:59:21 ERROR: failed to process packet.
    15:59:26 INFO: respond new phase 1 negotiation: 192.168.2.253[500]192.168.2.224[500]
    15:59:26 INFO: begin Identity Protection mode.
    15:59:26 INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
    15:59:26 INFO: received Vendor ID: RFC 3947
    15:59:26 INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    15:59:26 INFO: received Vendor ID: FRAGMENTATION
    15:59:26 ERROR: invalid DH group 20.
    15:59:26 ERROR: invalid DH group 19.
    15:59:26 ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = MD5:SHA
    15:59:26 ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:2048-bit MODP group
    15:59:26 ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = MD5:SHA
    15:59:26 ERROR: no suitable proposal found.
    15:59:26 ERROR: failed to get valid proposal.
    15:59:26 ERROR: failed to process packet.
    15:59:34 INFO: respond new phase 1 negotiation: 192.168.2.253[500]192.168.2.224[500]
    15:59:34 INFO: begin Identity Protection mode.
    15:59:34 INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
    15:59:34 INFO: received Vendor ID: RFC 3947
    15:59:34 INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    15:59:34 INFO: received Vendor ID: FRAGMENTATION
    15:59:34 ERROR: invalid DH group 20.
    15:59:34 ERROR: invalid DH group 19.
    15:59:34 ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = MD5:SHA
    15:59:34 ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:2048-bit MODP group
    15:59:34 ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = MD5:SHA
    15:59:34 ERROR: no suitable proposal found.
    15:59:34 ERROR: failed to get valid proposal.
    15:59:34 ERROR: failed to process packet.

    Many Thanks again
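The racoon lines quoted in this post and in the earlier one (#48830) carry enough structure to be triaged automatically: each "respond new phase 1 negotiation" line opens an attempt, the "rejected hashtype"/"rejected dh_group" lines show the responder's own policy (DB) beside what the client proposed (Peer), "invalid DH group N" marks groups this racoon build does not know, and "no suitable proposal found" or "failed due to time up" closes the attempt. The following Python script is an added example, not code from the thread or from ZeroShell: it parses lines in that format, groups them per negotiation, and prints a one-line diagnosis. The sample log is constructed from the lines posted here; the cookie pair on the timeout line is a placeholder, and the "ISAKMP-SA established" match is the message racoon logs on success (a standard racoon message, not one shown in this thread).

```python
"""Triage racoon (ipsec-tools) IKE phase 1 log lines of the kind quoted in this thread."""
import re
from collections import defaultdict

# Constructed sample, modelled on the lines posted in this thread; the hex cookies are placeholders.
SAMPLE_LOG = """\
15:59:18 INFO: respond new phase 1 negotiation: 192.168.2.253[500]192.168.2.224[500]
15:59:18 INFO: begin Identity Protection mode.
15:59:18 INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
15:59:18 INFO: received Vendor ID: RFC 3947
15:59:18 INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
15:59:18 INFO: received Vendor ID: FRAGMENTATION
15:59:18 ERROR: invalid DH group 20.
15:59:18 ERROR: invalid DH group 19.
15:59:18 ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = MD5:SHA
15:59:18 ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:2048-bit MODP group
15:59:18 ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = MD5:SHA
15:59:18 ERROR: no suitable proposal found.
15:59:18 ERROR: failed to get valid proposal.
15:59:18 ERROR: failed to process packet.
16:47:32 INFO: respond new phase 1 negotiation: 192.168.2.253[500]192.168.2.224[500]
16:47:32 INFO: begin Identity Protection mode.
16:47:32 ERROR: phase1 negotiation failed due to time up. 0000000000000000:0000000000000000
"""

LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d)\s+(?P<level>[A-Z]+):\s+(?P<msg>.*)$")
# Real racoon output separates the two endpoints with "<=>"; the forum copy lost it, so it is optional.
NEGOTIATION_RE = re.compile(
    r"respond new phase 1 negotiation: (?P<local>\S+?\[\d+\])(?:<=>)?(?P<peer>\S+\[\d+\])")
REJECT_RE = re.compile(
    r"rejected (?P<attr>\w+): DB\([^)]*\):Peer\([^)]*\) = (?P<db>.+?):(?P<peer>.+)$")
INVALID_DH_RE = re.compile(r"invalid DH group (?P<group>\d+)")
VENDOR_RE = re.compile(r"received Vendor ID: (?P<vid>.+)$")


def _new_record(ts, local="?", peer="?"):
    return {
        "time": ts, "local": local, "peer": peer,
        "vendor_ids": [],                        # capabilities the client announced (NAT-T, fragmentation)
        "unsupported_dh": [],                    # DH groups the client offered that racoon rejected outright
        "responder_accepts": defaultdict(set),   # attribute -> values in racoon's own policy (the DB side)
        "peer_offered": defaultdict(set),        # attribute -> values the client proposed (the Peer side)
        "outcome": "incomplete",
    }


def parse_racoon_log(text):
    """Group log lines into phase 1 negotiations and record why each one ended."""
    negotiations, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                             # not a racoon line; skip
        ts, msg = m.group("ts"), m.group("msg")
        n = NEGOTIATION_RE.search(msg)
        if n:
            current = _new_record(ts, n.group("local"), n.group("peer"))
            negotiations.append(current)
            continue
        if current is None:                      # error logged before any negotiation line was seen
            current = _new_record(ts)
            negotiations.append(current)
        if (v := VENDOR_RE.search(msg)):
            current["vendor_ids"].append(v.group("vid"))
        elif (d := INVALID_DH_RE.search(msg)):
            current["unsupported_dh"].append(int(d.group("group")))
        elif (r := REJECT_RE.search(msg)):
            current["responder_accepts"][r.group("attr")].add(r.group("db"))
            current["peer_offered"][r.group("attr")].add(r.group("peer"))
        elif "no suitable proposal found" in msg:
            current["outcome"] = "no_proposal"
        elif "negotiation failed due to time up" in msg:
            current["outcome"] = "timeout"
        elif "ISAKMP-SA established" in msg:
            current["outcome"] = "established"
    return negotiations


def explain(neg):
    """One-line diagnosis derived only from what the log recorded for this negotiation."""
    if neg["outcome"] == "no_proposal":
        mismatches = []
        for attr in sorted(neg["responder_accepts"]):
            ours = ", ".join(sorted(neg["responder_accepts"][attr]))
            theirs = ", ".join(sorted(neg["peer_offered"][attr]))
            mismatches.append(f"{attr}: server policy {ours} vs client {theirs}")
        extra = ""
        if neg["unsupported_dh"]:
            extra = f"; client also offered DH groups {sorted(neg['unsupported_dh'])} unknown to this racoon"
        return (f"{neg['peer']}: phase 1 proposal mismatch ({'; '.join(mismatches)}){extra}. "
                "Fix: give the server's phase 1 proposal a hash and DH group the client offers.")
    if neg["outcome"] == "timeout":
        return (f"{neg['peer']}: phase 1 timed out waiting for the client; check that UDP 500/4500 "
                "and ESP reach the server and that routing back to the client is correct.")
    if neg["outcome"] == "established":
        return f"{neg['peer']}: phase 1 established"
    return f"{neg['peer']}: negotiation incomplete (no outcome logged)"


if __name__ == "__main__":
    for negotiation in parse_racoon_log(SAMPLE_LOG):
        print(explain(negotiation))
```

Run against the sample, the first negotiation is reported as a proposal mismatch (server policy MD5 with the 1024-bit MODP group, client offering SHA with the 2048-bit group plus groups 19 and 20), which is the situation in the log above; the second is reported as a timeout, which is the situation in the earlier post and points at firewall and routing rather than at cryptographic policy.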

    #48837

    ppalias
    Member

    At the Windows PPTP username are you using just

    someuser

    or

    someuser@xxx.local

    ?

    #48838

    forgery
    Member

    I’m using someuser and in the domain box I’m typing xxx.local, although I have tried with or without.

    #48839

    forgery
    Member

    The answer has finally been solved! I was trying to achieve this on a Windows XP Home Edition laptop. I assume this had a problem with the domain? As soon as I changed over to an XP Professional computer the connection went through straight away!! Finally 😀 I’m so happy.

    Could somebody please explain to me the reasons behind this?

    Many Thanks

    #48840

    ppalias
    Member

    It must have to do with the fact that Home Edition doesn’t support domains.
