- This topic is empty.
-
Posts
-
Hi, I’m new to setting up VPNs and trying to get our L2TP/IPSec section working. I don’t want to ask for specific advise just yet. I’m just wondering if anybody has any good pointers to guides that can get me on the way. I understand the theory of certificates, CA’s etc, I just am not sure how to fully apply it. I’ve tried but the virtual connection does not work.
Many Thanks
There is some documentation here.
Hi again,
Having been through the seemingly simple steps I am still unable to VPN into the network. My log states
16:47:32 ERROR: phase1 negotiation failed due to time up. ead0ea579e70a6e6:730373808337e290
16:47:32 INFO: respond new phase 1 negotiation: 192.168.x.x[500]192.168.x.x[500]
16:47:32 INFO: begin Identity Protection mode.
16:47:32 INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
16:47:32 INFO: received Vendor ID: FRAGMENTATION
16:47:32 INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
16:47:32 ERROR: ignore information because ISAKMP-SA has not been established yet.I’ve just blanked out the IP addresses above, they are correct.
So from following the instructions I can see the 2 certificates in the 4 places mentioned. I have the host added, the VPN enabled and server and client both share the same domain.
The error I am getting on the client says “security layer encountered a processing error during initial negotiations with the remote computer.”
Any advise or tips would be gratefully received. Many Thanks
Make sure the corresponding ports for all the phases of the vpn establishment are allowed on the firewall. Also make sure the routing is correct.
It would also be helpful if you showed us some piece of configuration.Last but not least don’t be paranoid by not writing here the full private ip address. There is no fear of getting hacked. ๐
Thank you ppalias. I realise they are private IP addresses, I don’t know, it just felt right not naming full addresses. I knew it didn’t really mean much, just meant I felt better inside ๐
I will doube check the ports however I did try it with the firewall turned off and it still would not connect.
Could I ask what parts of the configuration you would like to know? Or I can just detail pretty much everything I did? Which ever would be easier, I guess it’s not that many steps in total.
Many Thanks
Well the more steps and configuration changes you have done we know, the easier it will be to spot the mistake.
Thanks for the reply again, I’ll now detail my steps in simplified form, hopefully it remains clear.
1) Profile set up,
HostName : zeroshell.xxx.local
K5 Realm : XXX.LOCAL
LDAP Base : dc=xxx,dc=localWe have no use for the Kerberus stuff yet but thought we would make it correct anyway.
2)Set up host for remote computer
Hostname : Computer1
Domain : xxx.local3)Set VPN settings on ZeroShell
LT2P enabled
set the IP address assignment.
Left Host Certificate to be Local CA OU = Hosts, CN = zeroshell.xxx.localThat’s it for the ZeroShell box, I now turn to remote computer ‘computer1’
1)Added new connection using the external IP address of the ZeroShell Box
2)Added Certificates, for this i followed instructions in the documentation on the site. I downloaded the correct Host and CA certificates. I then ended up with the 2 certificates in 4 places, these were:
Inside
Certificates (Local Computer)
Personal
Certificates
computer1.xxx.local (from computer1.xxx.local PFX)
Trusted Root Certificate Authorities
Certificates
Issued To and By: ZeroShell Example CA (from CA.der)Certificates – Service (IPSEC Services) on Local Computer
PolicyAgentPersonal
Certificates
computer1.xxx.local (from computer1.xxx.local PFX)
PolicyAgentTrusted Root Certificate Authorities
Certificates
Issued To and By: ZeroShell Example CA (from CA.der)That took me to the end of the instructions and the error messages given. Any more help or any other information I can give please let me know.
Many thanks again for all time and help ๐
Two things I would like to notice.
First on the guide vpn_rollercoaster says thatHosts should have same domain as the zeroshell box unless you know what youรขโฌโขre doing with
Kerberos 5 domain/realm trust relationships.Is that ok with your setup?
Second thing… I am not so sure if the HOST certficate should be downloaded from the ZS log-in page. I haven’t setup an L2TP vpn, but an OpenVPN. When I download a user certificate I do it from the X509 tab of each USER. I suggest you do the same. Go to NETWORK -> HOSTS -> click on the HOST’s bullet and then click on X509. Now export the certificate on the desired format with the KEY ticked. Hope this works.
Hey, thank you for the reply. Have finally had time to play around again and progression is minimal! ๐
I did get the host certificate from inside the zero shell interface, this one was a great deal larger than the one I had previously used. Once this certificate was inserted I then recieved an error that the username/password didn’t match. Still no access but certainly a step closer.
I decided to try with a new clean laptop. Everything set up the same as before. Host domains and kerberos domains are both xxx.local so that is no problem. I am now attempting off vista with what appear to be the correct certificates and still getting the error in my original post. Both computers can ping each other so there are no physical problems. Here are the current errors
15:59:18 INFO: respond new phase 1 negotiation: 192.168.2.253[500]192.168.2.224[500]
15:59:18 INFO: begin Identity Protection mode.
15:59:18 INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
15:59:18 INFO: received Vendor ID: RFC 3947
15:59:18 INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
15:59:18 INFO: received Vendor ID: FRAGMENTATION
15:59:18 ERROR: invalid DH group 20.
15:59:18 ERROR: invalid DH group 19.
15:59:18 ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = MD5:SHA
15:59:18 ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:2048-bit MODP group
15:59:18 ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = MD5:SHA
15:59:18 ERROR: no suitable proposal found.
15:59:18 ERROR: failed to get valid proposal.
15:59:18 ERROR: failed to process packet.
15:59:19 INFO: respond new phase 1 negotiation: 192.168.2.253[500]192.168.2.224[500]
15:59:19 INFO: begin Identity Protection mode.
15:59:19 INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
15:59:19 INFO: received Vendor ID: RFC 3947
15:59:19 INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
15:59:19 INFO: received Vendor ID: FRAGMENTATION
15:59:19 ERROR: invalid DH group 20.
15:59:19 ERROR: invalid DH group 19.
15:59:19 ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = MD5:SHA
15:59:19 ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:2048-bit MODP group
15:59:19 ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = MD5:SHA
15:59:19 ERROR: no suitable proposal found.
15:59:19 ERROR: failed to get valid proposal.
15:59:19 ERROR: failed to process packet.
15:59:21 INFO: respond new phase 1 negotiation: 192.168.2.253[500]192.168.2.224[500]
15:59:21 INFO: begin Identity Protection mode.
15:59:21 INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
15:59:21 INFO: received Vendor ID: RFC 3947
15:59:21 INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
15:59:21 INFO: received Vendor ID: FRAGMENTATION
15:59:21 ERROR: invalid DH group 20.
15:59:21 ERROR: invalid DH group 19.
15:59:21 ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = MD5:SHA
15:59:21 ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:2048-bit MODP group
15:59:21 ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = MD5:SHA
15:59:21 ERROR: no suitable proposal found.
15:59:21 ERROR: failed to get valid proposal.
15:59:21 ERROR: failed to process packet.
15:59:26 INFO: respond new phase 1 negotiation: 192.168.2.253[500]192.168.2.224[500]
15:59:26 INFO: begin Identity Protection mode.
15:59:26 INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
15:59:26 INFO: received Vendor ID: RFC 3947
15:59:26 INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
15:59:26 INFO: received Vendor ID: FRAGMENTATION
15:59:26 ERROR: invalid DH group 20.
15:59:26 ERROR: invalid DH group 19.
15:59:26 ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = MD5:SHA
15:59:26 ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:2048-bit MODP group
15:59:26 ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = MD5:SHA
15:59:26 ERROR: no suitable proposal found.
15:59:26 ERROR: failed to get valid proposal.
15:59:26 ERROR: failed to process packet.
15:59:34 INFO: respond new phase 1 negotiation: 192.168.2.253[500]192.168.2.224[500]
15:59:34 INFO: begin Identity Protection mode.
15:59:34 INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
15:59:34 INFO: received Vendor ID: RFC 3947
15:59:34 INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
15:59:34 INFO: received Vendor ID: FRAGMENTATION
15:59:34 ERROR: invalid DH group 20.
15:59:34 ERROR: invalid DH group 19.
15:59:34 ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = MD5:SHA
15:59:34 ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1024-bit MODP group:2048-bit MODP group
15:59:34 ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = MD5:SHA
15:59:34 ERROR: no suitable proposal found.
15:59:34 ERROR: failed to get valid proposal.
15:59:34 ERROR: failed to process packet.Many Thanks again
I’m using someuser and in the domain box I’m typing xxx.local, althought have tried with or without.
The answer has finally been solved! I was using trying to achieve this on a Windows XP Home Edition laptop. I assume this had problem with the domain? As soon as I changed over to an XP Professional computer the connection went through straight away!! Finally ๐ i’m so happy.
Could somebody please explain to me the reasons behind this?
Many Thanks
- You must be logged in to reply to this topic.