IPSec site to site

3limccombs
Posts: 4
Joined: May 14th, 2018, 7:57 pm

IPSec site to site

Post by 3limccombs » July 11th, 2018, 3:59 am

Hi all,

I apologize that I updated my last post and am now starting this one. I did not know there was a reply to my previous thread and since then things have changed with how I use IPFire. Right now I have an IPSec connection that connects; however, site A is only able to reach the IPFire machine on site B. Site A cannot access anything past the IPFire on site B. However, Site B can access everything on Site A.

Instructions were followed per the IPFire Wiki on both ends, we're just using a pre-shared key for this connection.

End goal is for Site A and B to be able to access network resources. Any help is appreciated! I'll keep up with this thread and monitor it for updates, unlike I did before.

Thanks all!

zargano
Posts: 62
Joined: December 29th, 2017, 7:50 pm
Location: Nordlicht im Ländle

Re: IPSec site to site

Post by zargano » July 11th, 2018, 6:05 pm

Hi 3limccombs,

Are you saying that clients on site A do not have access to clients on site B? That sounds weird, and I suspect a misconfiguration.

Just two days ago I posted step-by-step instructions for setting up an IPsec connection using certificates, see here: viewtopic.php?f=27&t=21012 Try it; I would be glad to get some feedback for potential improvements to it.

Maybe it is also a good opportunity to move away from preshared keys!?

Regards, zargano

3limccombs
Posts: 4
Joined: May 14th, 2018, 7:57 pm

Re: IPSec site to site

Post by 3limccombs » July 13th, 2018, 3:12 am

Hi, zargano

I have been following your steps and am receiving a "Certificate file move failed:" error when uploading the certificate.

You're correct in your initial question. Clients on site A do not have access to site B. Site B has full access to A. The instructions were followed from https://wiki.ipfire.org/configuration/services/ipsec for the preshared key option.

At this point I'd like to just get this working with the pre-shared key due to simplicity and then once up and running I could take a look at moving to certificates.

Is there a log that would show any helpful information? Site A is able to get to the IPFire box via the local IP address of site B but not past the IPFire box to the LAN.

Thank you for the assistance!

zargano
Posts: 62
Joined: December 29th, 2017, 7:50 pm
Location: Nordlicht im Ländle

Re: IPSec site to site

Post by zargano » July 13th, 2018, 5:33 am

Hello 3limccombs,

I have been working with certificates for years now, therefore I do not have any experience with the PSK option :-}

3limccombs wrote (July 13th, 2018, 3:12 am):
"I ... am receiving Certificate file move failed: error when uploading the certificate."

I have also seen a sort of move error during my initial experiments with setting up a VPN tunnel. I observed this when I did not perform the upload of the root certificates.

3limccombs wrote (July 13th, 2018, 3:12 am):
"Is there a log that would show any helpful information?"

For sure, there is! Go to the WebGUI, there choose "Protocols / System Protocol Files". In the "Configuration" section choose "IPsec" and then press button "Update".

I have often seen problems with the SSL service in the background when I used white spaces or special characters somewhere. SSL seems to be very "picky", so I would recommend keeping an eye on that as well. Furthermore, please start your exercise on clean test machines with no certificates and not a single created connection. I have seen errors which I could not interpret at first, which were caused by certain entry duplications. Be aware that the entries you make will be used to derive file names for IPsec in the background, and when you have a duplicate file name the complete process will fail.

Please interpret the above designations / names, I am translating back to English from a German GUI :P

Regards, zargano
