8 Replies Latest reply on Mar 21, 2012 4:04 AM by PhilM

    SG580 IPsec fails when using an alias

      Hi all,

       

      I've been having endless trouble trying to get IPSec set up using an alias address as the "Local Interface".

       

      I created a complete working (Advanced mode) IPSec between two SG580s, all fine and working.. then I edited the connection on one of the routers and changed the Local Interface from "default gateway interface" to "Alias xxxxx (Port B)"... left all the other settings the same and saved.

       

      Now it actually breaks all of the other 3 IPSec connections set up on the router, so they all switch to "N/A"

       

      I did see this error in /var/log/messages:

      log[29420] whack error: "dmz_to_office3" illegal (non-DNS-name) character in name "$if_addr"

       

      The connection inside of ifmond.conf looks like this:

      connection ipsec-tunnel-dmz_to_office3

          parent      conn-eth1_0

          interface       if=conn-eth1_0

          parent      ipsec-static_ip<4>.alias<1>

          start       statsd drop ipsec-tunnel-dmz_to_office3 phase1 ; drop ipsec-tunnel-dmz_to_office3 phase2 ; drop ipsec-tunnel-dmz_to_office3 tunnel

          start       builtin-log -e whack --name "dmz_to_office3" --encrypt --tunnel --ike 3DES-SHA-MODP1024 --esp 3DES-SHA1 --host $if_addr --client 10.128.255.176/28 --nexthop $if_gw --updown "ipsec _updown" --sendcert always --to --host 103.35.185.11 --client 10.108.0.0/16 --updown "ipsec _updown" --sendcert always --psk --pfs --ipseclifetime 28800 --ikelifetime 28800 --keyingtries 0 --rekeymargin 600 --rekeyfuzz 100 --dpdaction restart_by_peer --dpddelay 9 --dpdtimeout 30

          start       builtin-log -e whack --name dmz_to_office3 --route

          start       builtin-log -e whack --asynchronous --name dmz_to_office3 --initiate

          stop        whack --delete --name dmz_to_office3

          stop        statsd drop ipsec-tunnel-dmz_to_office3 phase1 ; drop ipsec-tunnel-dmz_to_office3 phase2 ; drop ipsec-tunnel-dmz_to_office3 tunnel

          statref     ipsec-tunnel-dmz_to_office3

          retry_delay 5

          test_delay  5

          maximum_retries infinite

       

      If I change the connection back to "default gateway interface" everything comes back up again... any ideas??

       

      Thank you!

      Andrew
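A triage helper for the symptom described in the post above, added here as an example (it is not part of the original thread and not McAfee/SnapGear code). It pairs each `whack error` log line that names an unexpanded `$` placeholder with the `ifmond.conf` connection block that launches that tunnel, and lists the `parent` entries the block declares. The log and config layouts are inferred only from the excerpts in the post, the sample config is abridged, and the `ipsec-tunnel-` prefix mapping is an assumption taken from that one example.

```python
import re

# Constructed sample input, modelled on (and abridged from) the excerpts in the post.
SAMPLE_LOG = 'log[29420] whack error: "dmz_to_office3" illegal (non-DNS-name) character in name "$if_addr"\n'
SAMPLE_CONF = '''\
connection ipsec-tunnel-dmz_to_office3
    parent      conn-eth1_0
    interface       if=conn-eth1_0
    parent      ipsec-static_ip<4>.alias<1>
    start       builtin-log -e whack --name "dmz_to_office3" --host $if_addr --nexthop $if_gw --to --host 103.35.185.11
'''

LOG_RE = re.compile(r'whack error: "([^"]+)" illegal \(non-DNS-name\) character in name "(\$\w+)"')

def unexpanded_in_log(log_text):
    """Return {tunnel_name: set of placeholders that reached whack unexpanded}."""
    hits = {}
    for m in LOG_RE.finditer(log_text):
        hits.setdefault(m.group(1), set()).add(m.group(2))
    return hits

def parse_connections(conf_text):
    """Split ifmond.conf-style text into {connection: {"parents": [...], "vars": set()}}."""
    conns, cur = {}, None
    for line in conf_text.splitlines():
        key, _, rest = line.strip().partition(" ")
        rest = rest.strip()
        if key == "connection":
            cur = conns.setdefault(rest, {"parents": [], "vars": set()})
        elif cur is not None and key == "parent":
            cur["parents"].append(rest)
        elif cur is not None and key == "start" and "whack" in rest:
            cur["vars"].update(re.findall(r"\$\w+", rest))
    return conns

def triage(log_text, conf_text):
    """Pair each failing tunnel with the parents of the connection block that launches it."""
    failing = unexpanded_in_log(log_text)
    report = []
    for conn, info in parse_connections(conf_text).items():
        tunnel = conn.replace("ipsec-tunnel-", "", 1)  # assumed naming convention
        bad = failing.get(tunnel, set()) & info["vars"]
        if bad:
            report.append((tunnel, sorted(bad), info["parents"]))
    return report

if __name__ == "__main__":
    for tunnel, bad, parents in triage(SAMPLE_LOG, SAMPLE_CONF):
        print(f"{tunnel}: unexpanded {bad}; parents {parents}")
```

Running it against a working configuration and against the alias configuration gives the two `parent` lists to compare side by side.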

        • 1. Re: SG580 IPsec fails when using an alias

          Meant to mention, I'm running two identical SG580s both running firmware 4.0.10

          • 2. Re: SG580 IPsec fails when using an alias

            Just for reference, we did get a resolution here.

             

            Basically the issue was that I found using an alias from a HA connection setup as the interface for an IPSec connection was causing my IPSec setup to fail dramatically.

             

            With many thanks to Ross at McAfee, unfortunately the final answer here was that in fact this feature isn't supported and won't be added due to the product EOL.

             

            Cheers,

            Andrew

            • 3. Re: SG580 IPsec fails when using an alias
              PhilM

              Just thought I'd add an observation of my own.

               

              I'm not saying that it is right and that what you have been trying to do is wrong. But, as a reseller engineer (so I have no particular vendor affinity) who has worked with 4 or 5 different vendors' Firewall products over the past 15 years, I can't think of any situation where I haven't configured the IPSec VPN component to use any address other than the primary one assigned to the appliance.

               

              Unless you had a need to use the primary IP for some other form of VPN connection, passed through to a server on the internal side, which would have otherwise clashed with the IPSec functionality, would there be a need to use any address other than the primary one?

               

              -Phil.

              • 4. Re: SG580 IPsec fails when using an alias

                Hey Phil,

                 

                I'd love to hear your opinion on how these things are normally configured, I'm not quite a professional at this..

                 

                But basically the reason I was trying to do this was because we have 2 SG580s in a HA config active/passive take-over.

                 

                So as might be expected, this means there's a bunch of VIP aliases that are configured on the 'active' router and then in case of failure passed over to the passive router.

                 

                I wanted to set up our IPSec connection using one of these HA VIP addresses so that if the primary router failed, the secondary would be able to start up, grab the IPs, and then take-over the IPSec connection in place of the primary router, with just a small blip in service as that process occurred.

                 

                I couldn't do that if I just used the primary IP on the WAN connection of the router as that IP isn't part of the HA config.. know what I mean?

                 

                Any thoughts of other ways this is usually managed?

                • 5. Re: SG580 IPsec fails when using an alias
                  PhilM

                  Andrew,

                   

                  I understand what you are describing. My primary and longest standing exposure is with the product now known as McAfee Firewall Enterprise (Sidewinder, as it was called in 2000 when I first laid eyes on it) and we only started getting involved with the UTM/SnapGear appliances after McAfee bought Secure Computing. For what they are I have always been very pleasantly surprised by them and I have an SG565 running at home.

                   

                  However, we did sell a pair of SG720s to a customer and, if I recall, he encountered the self-same problem as you did and this does appear to be a shortcoming in the SnapGear product range. This, of course, is all pretty irrelevant, as the UTM range went EOL some time ago and there's only a little over a year of support left on this range.

                   

                  I haven't encountered this problem with any other Firewall product which I've worked with in an active/passive HA configuration as the 'primary' address is also swapped between the devices (as well as the aliases) in the event of a failure. It was only while I was thinking about this overnight that I recalled the aforementioned customer situation and realised that it was basically the same problem as yours.

                   

                  -Phil.

                  • 6. Re: SG580 IPsec fails when using an alias

                    Thanks Phil.

                     

                    If I might ask... as someone with experience with the SG products and others.. would you make any particular alternative product / brand recommendation for a next step from our SG580s? Since I can't get this fail-over feature to work with the SGs, unfortunately looks like I may need to start looking around, and oh my there are quite a lot of options.

                     

                    Ourselves we don't currently use any of the web cache, shaping, spam, virus features, but we really liked the simple powerful firewall, all the NAT features, IPSec, and HA failover. The lack of being able to failover the IPSec connections gracefully to a backup device has been the only shortcoming.

                     

                    Cheers,

                    Andrew

                    • 7. Re: SG580 IPsec fails when using an alias

                      Phil,

                       

                      What you are asking about regarding VPNs and HA failover can in fact be done. I am sorry I don't have the exact steps but I did do it myself once by editing the highavaild file directly. If I remember right I had the tunnels preconfigured on both units with one of them disabled and then added some lines to disable/enable the alias and ipsec during the HA process. So if you have some programming / scripting skills, search for highavaild and see what you can find.

                       

                      Jeff

                       

                      Message was edited by: jlimb on 3/20/12 3:32:47 PM CDT
                      • 8. Re: SG580 IPsec fails when using an alias
                        PhilM

                        That's interesting, Jeff.

                         

                        It's largely moot now, as the UTM Firewall essentially only 'exists' for those people who still have one (you can't buy them from McAfee any longer) and it was McAfee support who advised both our customer and Andrew that it couldn't be done.

                         

                        Anyway, if you ever find the steps you performed, post them up on this forum - that's what they are about after all.

                         

                        -Phil.