1 Reply Latest reply on Oct 1, 2010 12:04 PM by bperez

    Problem creating VPN Site to Site Firewall Enterprise with a UTM Firewall

    bperez

I need to create a VPN site to site, but following KB63322 (Creating a VPN between UTM Firewall/Sidewinder 7.x and a UTM Firewall/SnapGear with a dynamic IP address) it does not connect. The support team recommends upgrading to 8.0.1 on the EFW due to an issue with remote IDs in VPN; I have upgraded, but with no success.
I also tried KB65879 (How to Create a Firewall Enterprise to UTM Firewall VPN with Certificates), but I can't connect the two firewalls.
      In the UTM Log i have this:

      Aug  3 11:33:58 cgix[12672]: run 'whack --listen --rereadall' failed: 1
      Aug  3 11:33:58 ifmond[775]: Reloading configuration files 
      Aug  3 11:33:58 ifmond[775]: conn-eth0 was up and is now reloading
      Aug  3 11:33:58 packet[788]: PF Deny Dropped RFC1918: IN=eth0.2 OUT=eth1 MAC=00:17:08:3d:ae:9d SRC=192.168.201.35 DST=192.168.201.200 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4760 DF PROTO=TCP SPT=60596 DPT=80 WINDOW=16148 ACK FIN URGP=0 
      Aug  3 11:33:58 flatfs[12675]: saving fs to partition 0, tstamp=560 
      Aug  3 11:33:58 ifmond[775]: conn-eth0 was reloading and is now down
      Aug  3 11:33:58 ifmond[775]: conn-eth0 was down and is now starting
      Aug  3 11:33:58 ifmond[775]: conn-eth0 was starting and is now up
      Aug  3 11:34:01 dnsmasq[1734]: reading /etc/config/resolv.dnsmasq
      Aug  3 11:34:01 dnsmasq[1734]: using nameserver 192.168.201.1#53
      Aug  3 11:34:01 firewall[12682]: executing firewall rules
      Aug  3 11:34:02 flatfs[12675]: Wrote 21959 bytes to flash in 5 seconds
      Aug  3 11:34:07 cgix[12773]: config_change[16] by root: set vpn.ipsec enabled 1
      Aug  3 11:34:07 dnsmasq[1734]: reading /etc/config/resolv.dnsmasq
      Aug  3 11:34:07 dnsmasq[1734]: using nameserver 192.168.201.1#53
      Aug  3 11:34:07 firewall[12686]: executing firewall rules
      Aug  3 11:34:08 flatfs[12793]: using storage at /dev/flash/config
      Aug  3 11:34:08 flatfs[12793]: saving fs to partition 1, tstamp=561 
      Aug  3 11:34:08 cgix[12773]: run 'whack --listen --rereadall' failed: 1
      Aug  3 11:34:08 ifmond[775]: Reloading configuration files 
      Aug  3 11:34:08 ifmond[775]: conn-eth0 was up and is now reloading
      Aug  3 11:34:08 ifmond[775]: ipsec-init was down and is now waiting-to-start
      Aug  3 11:34:08 ifmond[775]: ipsec-defaultroute was down and is now waiting-to-start
      Aug  3 11:34:08 ifmond[775]: ipsec-tunnel-To_Pinsa was down and is now waiting-to-start
      Aug  3 11:34:08 ifmond[775]: %defaultroute was down and is now waiting-to-start
      Aug  3 11:34:09 ifmond[775]: conn-eth0 was reloading and is now down
      Aug  3 11:34:09 ifmond[775]: conn-eth0 was down and is now starting
      Aug  3 11:34:09 ifmond[775]: ipsec-init was waiting-to-start and is now starting
      Aug  3 11:34:10 ifmond[775]: %defaultroute was waiting-to-start and is now starting
      Aug  3 11:34:10 ifmond[775]: %defaultroute was starting and is now checking
      Aug  3 11:34:11 ifmond[775]: conn-eth0 was starting and is now up
      Aug  3 11:34:11 kernel: 
      Aug  3 11:34:12 syslog: adjusting ipsec.d to /etc/config
      Aug  3 11:34:12 pluto[12836]: WARNING: 1DES is enabled
      Aug  3 11:34:12 ifmond[775]: ipsec-init was starting and is now up
      Aug  3 11:34:12 pluto[12836]: Setting NAT-Traversal port-4500 floating to on
      Aug  3 11:34:12 pluto[12836]:    port floating activation criteria nat_t=1/port_float=1
      Aug  3 11:34:12 pluto[12836]:    including NAT-Traversal patch (Version 0.6c)
      Aug  3 11:34:12 pluto[12836]: using /dev/urandom as source of random entropy
      Aug  3 11:34:12 pluto[12836]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
      Aug  3 11:34:12 pluto[12836]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
      Aug  3 11:34:12 pluto[12836]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
      Aug  3 11:34:12 pluto[12836]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
      Aug  3 11:34:12 pluto[12836]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
      Aug  3 11:34:12 pluto[12836]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
      Aug  3 11:34:12 pluto[12836]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
      Aug  3 11:34:12 pluto[12836]: no helpers will be started, all cryptographic operations will be done inline
      Aug  3 11:34:12 pluto[12836]: OCF assisted AES crypto enabled
      Aug  3 11:34:12 pluto[12836]: OCF assisted DES crypto enabled
      Aug  3 11:34:12 pluto[12836]: OCF assisted 3DES crypto enabled
      Aug  3 11:34:12 pluto[12836]: Using KLIPS IPsec interface code on 2.6.26-uc0
      Aug  3 11:34:13 pluto[12836]: Changed path to directory '/etc/config'
      Aug  3 11:34:13 pluto[12836]:   error in X.509 certificate ssl_key.pem
      Aug  3 11:34:13 pluto[12836]:   error in X.509 certificate ssh_host_rsa_key
      Aug  3 11:34:13 pluto[12836]:   error in X.509 certificate ssh_host_dsa_key
      Aug  3 11:34:13 pluto[12836]:   error in X.509 certificate id_rsa
      Aug  3 11:34:13 pluto[12836]:   error in X.509 certificate id_dsa
      Aug  3 11:34:13 pluto[12836]: Changed path to directory '/etc/config'
      Aug  3 11:34:13 pluto[12836]:   error in X.509 certificate ssl_key.pem
      Aug  3 11:34:13 pluto[12836]:   error in X.509 certificate ssh_host_rsa_key
      Aug  3 11:34:13 pluto[12836]:   error in X.509 certificate ssh_host_dsa_key
      Aug  3 11:34:13 pluto[12836]:   error in X.509 certificate id_rsa
      Aug  3 11:34:13 pluto[12836]:   error in X.509 certificate id_dsa
      Aug  3 11:34:13 pluto[12836]: Changed path to directory '/etc/config'
      Aug  3 11:34:13 pluto[12836]:   error in X.509 certificate ssl_key.pem
      Aug  3 11:34:13 pluto[12836]:   error in X.509 certificate ssh_host_rsa_key
      Aug  3 11:34:13 pluto[12836]:   error in X.509 certificate ssh_host_dsa_key
      Aug  3 11:34:13 pluto[12836]:   error in X.509 certificate id_rsa
      Aug  3 11:34:13 pluto[12836]:   error in X.509 certificate id_dsa
      Aug  3 11:34:13 pluto[12836]: Changing to directory '/etc/config'
      Aug  3 11:34:13 pluto[12836]:   error in X.509 crl file:///etc/config/ssl_key.pem
      Aug  3 11:34:13 pluto[12836]:   error in X.509 crl file:///etc/config/ssl_cert.pem
      Aug  3 11:34:13 pluto[12836]:   error in X.509 crl file:///etc/config/ssh_host_rsa_key
      Aug  3 11:34:13 pluto[12836]:   error in X.509 crl file:///etc/config/ssh_host_dsa_key
      Aug  3 11:34:13 pluto[12836]:   error in X.509 crl file:///etc/config/sgcert.pem
      Aug  3 11:34:13 pluto[12836]:   error in X.509 crl file:///etc/config/id_rsa
      Aug  3 11:34:13 pluto[12836]:   error in X.509 crl file:///etc/config/id_dsa
      Aug  3 11:34:13 pluto[12836]:   error in X.509 crl file:///etc/config/ca.pem
      Aug  3 11:34:13 pluto[12836]: Changing to directory '/etc/config'
      Aug  3 11:34:13 pluto[12836]: v1 attribute certificates are not supported
      Aug  3 11:34:13 last message repeated 2 time(s)
      Aug  3 11:34:13 flatfs[12793]: Wrote 22564 bytes to flash in 5 seconds
      Aug  3 11:34:14 dnsmasq[1734]: reading /etc/config/resolv.dnsmasq
      Aug  3 11:34:14 dnsmasq[1734]: using nameserver 192.168.201.1#53
      Aug  3 11:34:14 firewall[12833]: executing firewall rules
      Aug  3 11:34:15 ifmond[775]: %defaultroute was checking and is now up
      Aug  3 11:34:15 ifmond[775]: ipsec-defaultroute was waiting-to-start and is now starting
      Aug  3 11:34:18 pluto[12836]: listening for IKE messages
      Aug  3 11:34:18 pluto[12836]: adding interface ipsec0/eth1 172.17.11.4:500
      Aug  3 11:34:18 pluto[12836]: adding interface ipsec0/eth1 172.17.11.4:4500
      Aug  3 11:34:18 ifmond[775]: ipsec-defaultroute was starting and is now up
      Aug  3 11:34:18 ifmond[775]: ipsec-tunnel-To_Pinsa was waiting-to-start and is now starting
      Aug  3 11:34:18 pluto[12836]: loading certificate from sgcert.pem 
      Aug  3 11:34:18 pluto[12836]:   loaded host cert file '/etc/config/sgcert.pem' (1658 bytes)
      Aug  3 11:34:18 pluto[12836]:   X.509 certificate is not valid until Sep 30 02:29:26 UTC 2010 (it is now=Aug 03 11:34:18 UTC 2009)
      Aug  3 11:34:18 pluto[12836]: added connection description "To_Pinsa"
      Aug  3 11:34:18 pluto[12836]: "To_Pinsa": prepare-client output: SIOCDELRT: No such process
      Aug  3 11:34:18 pluto[12836]: "To_Pinsa": prepare-client output: ignoring `route del -net 192.168.8.0 netmask 255.255.252.0' failure
      Aug  3 11:34:18 pluto[12836]: "To_Pinsa" #1: initiating Main Mode
      Aug  3 11:34:18 ifmond[775]: ipsec-tunnel-To_Pinsa was starting and is now up
      Aug  3 11:34:21 dnsmasq[1734]: reading /etc/config/resolv.dnsmasq
      Aug  3 11:34:21 dnsmasq[1734]: using nameserver 192.168.201.1#53
      Aug  3 11:34:21 firewall[12846]: executing firewall rules
Any suggestions?
      Regards, Bernardo.

        • 1. Re: Problem creating VPN Site to Site Firewall Enterprise with a UTM Firewall
          sliedl

          Bernardo,
          You have a ticket open with me on this exact issue, so I'll just reply to you here also.
          Looking at this output it's obvious you have errors in your certificates:
          Aug  3 11:34:13 pluto[12836]: Changing to directory '/etc/config'
          Aug  3 11:34:13 pluto[12836]:   error in X.509 crl file:///etc/config/ssl_key.pem
          Aug  3 11:34:13 pluto[12836]:   error in X.509 crl file:///etc/config/ssl_cert.pem
          Aug  3 11:34:13 pluto[12836]:   error in X.509 crl file:///etc/config/ssh_host_rsa_key
          Aug  3 11:34:13 pluto[12836]:   error in X.509 crl file:///etc/config/ssh_host_dsa_key
          Aug  3 11:34:13 pluto[12836]:   error in X.509 crl file:///etc/config/sgcert.pem
          Aug  3 11:34:13 pluto[12836]:   error in X.509 crl file:///etc/config/id_rsa
          Aug  3 11:34:13 pluto[12836]:   error in X.509 crl file:///etc/config/id_dsa
          Aug  3 11:34:13 pluto[12836]:   error in X.509 crl file:///etc/config/ca.pem
          Aug  3 11:34:13 pluto[12836]: Changing to directory '/etc/config'
          Aug  3 11:34:13 pluto[12836]: v1 attribute certificates are not supported

          and this:

          Aug  3 11:34:18 pluto[12836]:   X.509 certificate is not valid until Sep 30 02:29:26 UTC 2010 (it is now=Aug 03 11:34:18 UTC 2009)

The date looks to be wrong on your SnapGear, for one thing. Your certificates were created on Sep. 30th and your SnapGear thinks it's Aug 3rd, so your certs are not valid yet. That may be your entire issue.
As to the 'error' messages above, they don't exactly say what the problems are with those files (although "v1 attribute certificates are not supported" looks like you may have imported certificates with attributes the SnapGear does not support).
Perhaps setting the date on the SnapGear will fix all your issues.
I imagine the audit on the Sidewinder will say something about your identities being wrong again, because it cannot get certs from the SnapGear while the SnapGear is throwing errors about your certs.
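The check sliedl does by eye (compare the certificate's notBefore with the device's own clock, and separate the "not valid until" finding from the generic "error in X.509" load failures) can be scripted so the same pluto log can be triaged without guessing. The following Python is an added example and is not code from the thread, from SnapGear or from Openswan; the sample log lines are constructed from the ones quoted above, and both the list of file names treated as private keys and the operator-supplied `real_now` value are assumptions.

```python
"""Triage SnapGear/Openswan pluto log lines for certificate-validity problems
caused by a wrong device clock, as diagnosed in the thread above (added example)."""
import re
from datetime import datetime, timezone

# Constructed sample, modelled on the lines quoted in the thread (not the full log).
SAMPLE_LOG = """\
Aug  3 11:34:13 pluto[12836]:   error in X.509 certificate ssl_key.pem
Aug  3 11:34:13 pluto[12836]:   error in X.509 certificate ssh_host_rsa_key
Aug  3 11:34:13 pluto[12836]:   error in X.509 crl file:///etc/config/sgcert.pem
Aug  3 11:34:13 pluto[12836]:   error in X.509 crl file:///etc/config/id_rsa
Aug  3 11:34:13 pluto[12836]: v1 attribute certificates are not supported
Aug  3 11:34:18 pluto[12836]:   loaded host cert file '/etc/config/sgcert.pem' (1658 bytes)
Aug  3 11:34:18 pluto[12836]:   X.509 certificate is not valid until Sep 30 02:29:26 UTC 2010 (it is now=Aug 03 11:34:18 UTC 2009)
Aug  3 11:34:18 pluto[12836]: "To_Pinsa" #1: initiating Main Mode
"""

PLUTO_DATE_FMT = "%b %d %H:%M:%S UTC %Y"          # e.g. "Sep 30 02:29:26 UTC 2010"
_DATE = r"[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} UTC \d{4}"
NOT_YET_VALID_RE = re.compile(
    rf"X\.509 certificate is not valid until (?P<not_before>{_DATE}) "
    rf"\(it is now=(?P<now>{_DATE})\)"
)
CERT_LOAD_ERROR_RE = re.compile(r"error in X\.509 (?P<kind>certificate|crl) (?P<path>\S+)")

# Files under /etc/config that are private keys rather than certificates, judged
# only by their conventional names (an assumption; pluto itself does not say why
# it failed to parse them).
PRIVATE_KEY_NAMES = ("ssl_key.pem", "ssh_host_rsa_key", "ssh_host_dsa_key", "id_rsa", "id_dsa")


def parse_pluto_date(text):
    """Parse pluto's UTC timestamp format into an aware datetime."""
    return datetime.strptime(text, PLUTO_DATE_FMT).replace(tzinfo=timezone.utc)


def not_yet_valid_findings(log_text):
    """One finding per 'not valid until' line: the cert's notBefore, the device's
    idea of 'now', and how many seconds the device clock is short of notBefore."""
    findings = []
    for line in log_text.splitlines():
        m = NOT_YET_VALID_RE.search(line)
        if not m:
            continue
        not_before = parse_pluto_date(m.group("not_before"))
        device_now = parse_pluto_date(m.group("now"))
        findings.append({
            "not_before": not_before,
            "device_now": device_now,
            "seconds_until_valid": int((not_before - device_now).total_seconds()),
        })
    return findings


def cert_load_errors(log_text):
    """Map (kind, path) of every 'error in X.509 certificate|crl <path>' line to
    True when the file name suggests a private key rather than a certificate."""
    seen = {}
    for line in log_text.splitlines():
        m = CERT_LOAD_ERROR_RE.search(line)
        if not m:
            continue
        path = m.group("path")
        base = path.rsplit("/", 1)[-1]
        seen[(m.group("kind"), path)] = base in PRIVATE_KEY_NAMES
    return seen


def diagnose(log_text, real_now):
    """Summarise whether the failure is explained by clock skew alone.
    real_now: the correct current time (aware datetime), supplied by the operator
    because the log only records what the device believes."""
    report = {"seconds_until_valid": None, "valid_at_real_now": None,
              "private_key_files_flagged": []}
    for f in not_yet_valid_findings(log_text):
        report["seconds_until_valid"] = f["seconds_until_valid"]
        report["valid_at_real_now"] = real_now >= f["not_before"]
    report["private_key_files_flagged"] = sorted(
        path for (_, path), is_key in cert_load_errors(log_text).items() if is_key
    )
    return report


if __name__ == "__main__":
    # Constructed reference time: the day the reply above was posted.
    for key, value in diagnose(SAMPLE_LOG, parse_pluto_date("Oct 01 12:04:00 UTC 2010")).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the report shows the device clock sitting more than a year behind the certificate's notBefore, that the same certificate would already be valid at the real date of the thread, and that several of the "error in X.509" files are key files rather than certificates, so those lines are noise to set aside once the clock is fixed.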