
Site-to-Site VPN IPSec

Hello,


I understand that a similar question has been asked in the very, very distant past, but I am still not able to understand it, as I lack some understanding of how this works.


I have a virtual appliance at home as the next hop after the router, and I also have a VPS (OpenVZ). I would like to create a Site-to-Site VPN between the two. I found and installed OpenSwan on the VPS. On the VPS, using Webmin, I created a new IPSec connection called "home", using the following settings:

Connection name: Home
Compress data? Default (usually No)
Connection type Tunnel
Authentication method RSA
Perfect forwarding secrecy? Default (usually Yes)
Authentication mode Default (usually ESP)
Keying re-tries Default
ESP algorithm Default (usually MD5)
Accept this ESP algorithm only? No
Connection key lifetime Default
Keying channel lifetime Default
Public IP address {public hostname}
System identifier Default
Private subnet behind system None

When I try to connect to the UTM from the VPS, I get the following error:

000 initiating all conns with alias='home'
021 no connection named "home"

To do the setup on the UTM, I did create a remote gateway:

Gateway type: initiate connection
Gateway: (the ip address of the VPS)
Authentication type: RSA key
VPN ID type: IP Address
VPN ID: (the IP address of the VPS)
Remote networks: Any

and then I created the connection:

Remote gateway: VPS
Local interface: External
Policy: AES-128 (I know this is wrong, but I tried the others and none worked)
Local Networks: Internal
Automatic firewall rules: Yes

But of course it is not connecting.

Any ideas what I am doing wrong?

Thanks!


  • Hi Vasileios,

    Rather than RSA keys, start with a simple PSK until everything else works.

    Please insert pictures of the Edits of the Remote Gateway, the IPsec Connection and the IPsec Policy.  Also, pictures of the Edits of any Host/Network objects used.  Where ever there's an 'Advanced' section, be sure to open that, too.


    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks, and sorry for the late reply. I will test it and come back to you.

  • Hi,


    I tried, but it still didn't work. Here is a screenshot of the settings.

  • Vasileios, we need pictures of the specific settings on the UTM first, then we can determine the settings for OpenSWAN - almost certainly, the "Default" settings in OpenSWAN are not what you need.

    Cheers - Bob

  • I am sorry, but when you said screenshots the first time, I thought you meant from OpenSwan. Do these make sense?

  • In an "Initiate connection" Remote Gateway, the reason to fill in the Optional ID would be because the remote endpoint was behind a NAT.  In that case, the IP should be the internal IP of the remote endpoint.  If the remote VPN endpoint has a public IP, it's a good habit to leave the optional ID blank.  If OpenSWAN can provide a LeftID that is the public IP of the VPS, then leave this blank.

    If 3DES is the only one available in your OpenSWAN implementation, we can work with that.  If possible, I would use the following instead because it should be faster and more secure:

    Can you configure that in OpenSWAN?

    Cheers - Bob

  • In your second screenshot you have "any" in remote networks. That's most likely not what you need, since it would mean to send all traffic not destined for your local network over the tunnel. You would also need "any" in the local network for the remote (OpenSWAN) side for this to work.

    You would most likely need to enter the OpenSWAN's private range in there (or at least the same as you have configured in OpenSWAN as Local network).


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Good catch, my friend.  I didn't look closely at those because I figured the first problem was probably a failure to agree on a Policy.  I guess I'm just lazier than you! [;)]

    In fact, Vasileios, it's best practice never to use "Any" there even if you do want a Full Tunnel.  I would recommend the remote LANs plus the "Internet" object to create a Full tunnel.  I agree with apijnappels that it's unlikely that you want anything other than the remote subnet(s).

    Cheers - Bob

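An added example (not posted by anyone in this thread): a minimal Openswan ipsec.conf for the VPS side that applies the advice above, i.e. a PSK instead of RSA keys to start with, explicit IKE/ESP algorithms instead of "Default", a leftid equal to the VPS public IP, and the remote subnet instead of "Any". All addresses and subnets are placeholders, and the algorithm values must be checked against what the UTM's IPsec Policy edit actually shows.

```ini
# /etc/ipsec.conf on the VPS (Openswan). Example only, not from this thread.
# Placeholders: 203.0.113.10 = VPS public IP, 198.51.100.20 = UTM public IP,
# 10.10.0.0/24 = VPS private subnet, 192.168.1.0/24 = UTM "Internal" network.
config setup
    # OpenVZ guests normally cannot load KLIPS, so use the kernel netkey stack
    protostack=netkey
    nat_traversal=yes

# Connection names are case-sensitive: "ipsec auto --up home" must match this
# line exactly, so "Home" in Webmin would not be found by "--up home".
conn home
    type=tunnel
    keyexchange=ike
    # Start with a PSK (secret in /etc/ipsec.secrets); move to RSA once it works
    authby=secret
    # left = this VPS, identified by its public IP. With leftid set to the
    # public IP, the Optional ID / VPN ID on the UTM can simply be that IP.
    left=203.0.113.10
    leftid=203.0.113.10
    leftsubnet=10.10.0.0/24
    # right = the UTM, identified by its public IP (UTM VPN ID type: IP Address)
    right=198.51.100.20
    rightid=198.51.100.20
    # The UTM's Internal network. Do not use 0.0.0.0/0 here unless the UTM
    # side also has the matching "any"/Internet object configured.
    rightsubnet=192.168.1.0/24
    # No "Default" algorithms: state the IKE and ESP proposals explicitly so
    # they match the policy selected on the UTM (AES-128/SHA1 shown here).
    ike=aes128-sha1;modp2048
    phase2=esp
    phase2alg=aes128-sha1;modp2048
    pfs=yes
    ikelifetime=8h
    keylife=1h
    auto=start

# /etc/ipsec.secrets (placeholder PSK; generate a long random one)
# 203.0.113.10 198.51.100.20 : PSK "REPLACE_WITH_LONG_RANDOM_SECRET"
```

After `ipsec restart`, `ipsec auto --status` lists the conn under the same name used in `--up`, which is the quickest check for the "no connection named" error.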
  • OK, so this is how I did this part: