Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 20 replies
  • Subscribers 5 subscribers
  • Views 18990 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Site-to-Site VPN IPSec

vasileiosg

Hello,

 

i understand that a similar question has been asked in the very very past but i am still not able to understand it as i lack some understanding of how this works.

 

I have a virtual appliance at home as the next hop after the router and i also have a VPS (OpenVZ). I would like to create a Site-to-Site VPN between the two. I found and installed OpenSwan on the VPS. In the VPS, using Webmin, i created a new IPSec connection calling it home, using the following settings:

Connection name: Home
Compress data? Default (usually No)
Connection type Tunnel
Authentication method RSA
Perfect forwarding secrecy? Default (usually Yes)
Authentication mode Default (usually ESP)
Keying re-tries Default
ESP algorithm Default (usually MD5)
Accept this ESP algorithm only? No
Connection key lifetime Default
Keying channel lifetime Default
Public IP address {public hostname}
System identifier Default
Private subnet behind system None

When i try to connect to the UTM from the VPS, i get the following error:

000 initiating all conns with alias='home'
021 no connection named "home"

To do the setup on the UTM, i did create a remote gateway:

Gateway type: initiate connection
Gateway: (the ip address of the VPS)
Aythenticaiton type: RSA key
VPN ID type: IP Address
VPN ID: {the ip address of the VPS)
Remote networks: Any

and then i created the connection:

Remote gateway: VPS
Local interface: External
Policy: AES-128 (i know this is wrong, but i tried the others and none worked)
Local Networks: Internal
Automatic firewall rules: Yes

But of course it is not connecting.

Any ideas what am i doing wrong?

Thanks!


This thread was automatically locked due to age.
Parents
  • 0

    Hi Vasileios,

    Rather than RSA keys, start with a simple PSK until everything else works.

    Please insert pictures of the Edits of the Remote Gateway, the IPsec Connection and the IPsec Policy.  Also, pictures of the Edits of any Host/Network objects used.  Where ever there's an 'Advanced' section, be sure to open that, too.

     

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi,

     

    I tried but still didn't work. Here is a screenshot of the settings

  • 0 in reply to vasileiosg

    Vasileios, we need pictures of the specific settings on the UTM first, then we can determine the settings for OpenSWAN - almost certainly, the "Default" settings in OpenSWAN are not what you need.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    I am sorry but when you said screenshots the first time, i thought you meant from openswan. Do these make sense?

  • 0 in reply to vasileiosg

    In an "Initiate connection" Remote Gateway, the reason to fill in the Optional ID would be because the remote endpoint was behind a NAT.  In that case, the IP should be the internal IP of the remote endpoint.  If the remote VPN endpoint has a public IP, it's a good habit to leave the optional ID blank.  If OpenSWAN can provide a LeftID that is the public IP of the VPS, then leave this blank.

    If 3DES is the only one available in your OpenSWAN implementation, we can work with that.  If possible, I would use the following instead because it should be faster and more secure:

    Can you configure that in OpenSWAN?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0 in reply to vasileiosg

    In an "Initiate connection" Remote Gateway, the reason to fill in the Optional ID would be because the remote endpoint was behind a NAT.  In that case, the IP should be the internal IP of the remote endpoint.  If the remote VPN endpoint has a public IP, it's a good habit to leave the optional ID blank.  If OpenSWAN can provide a LeftID that is the public IP of the VPS, then leave this blank.

    If 3DES is the only one available in your OpenSWAN implementation, we can work with that.  If possible, I would use the following instead because it should be faster and more secure:

    Can you configure that in OpenSWAN?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
Unfiltered HTML