Hello, I have created an OpenVPN connection between 2 locations. They are also connected. Unfortunately, I still can't connect to devices in the other network. Do I have to set something in the routing? But both networks are set?
Or should I prefer an IPsec connection here? I intend to back up data from one network to the other using rsync.
What should the firewall rule look like?
I have an N2N connection set up on my VM test bed. I don't need any firewall rule to be able to connect from a machine on the green network at one end of the tunnel to a machine on the green network at the other end of the tunnel.
I can ping both ways and also access the ssh server at the other end of the tunnel.
I have looked at your setup and I can’t see anything that stands out to me as being wrong.
The tunnel subnet you have defined, 10.1.0.0/255.255.255.0, is not used anywhere else, such as for an OpenVPN RW connection via the dynamic or static IP setting, or in the IPsec section?
It's strange, now it works too. I had set this up using a WireGuard connection from another location. Now I'm at home and it works without any problems. But thanks for checking the settings anyway.
Do you have any info on which protocol I should use? OpenVPN or IPsec? Which one is more stable and faster? As I said before, I want to use rsync to back up data via this line.
I have had some first attempts at setting up an IPsec RW connection and got a PSK-based setup to work, but not a certificate-based one yet, so I am some way away from attempting an N2N IPsec tunnel.
If you are going to back up data with rsync then you would want to maximise the throughput rate, and I have heard that OpenVPN is slower than IPsec, so you might want to put your focus on that.
We use IPsec with a long PSK, as generated with "pwgen -s 64 1", for N2N. The N2N connections are mainly used for remote backups and screen sharing for support.
This applies to any type of communication that requires speed. Listing a drive can cause a lot of traffic and therefore you need a connection that responds quickly. Of course, this all depends on your upload and download rate, but IPsec can be almost as fast as LAN with modern hardware.
Hello, I need to get back to you on this. I need help setting up IPsec (network to network) between 2 sites. I have uploaded the root certificate of each site to the other, then set up the IPsec connection using certificates. Then I set up port forwarding for UDP 500, 4500 and TCP 10000 and ESP in the Fritzbox at both locations. The IPFire sits behind the Fritzbox. Unfortunately, no connection is established. What am I doing wrong? Does the IPFire have to be set as an exposed host?
OK, can you take something from here?
This is the connection using a 40-digit PSK.
[root@ipfire ~]# tail -f /var/log/messages | grep charon
Oct 5 21:36:03 ipfire charon: 15[CFG] received stroke: terminate ‘BSBCB’
Oct 5 21:36:03 ipfire charon: 15[CFG] no IKE_SA named ‘BSBCB’ found
Oct 5 21:36:03 ipfire charon: 06[CFG] rereading secrets
Oct 5 21:36:03 ipfire charon: 06[CFG] loading secrets from ‘/etc/ipsec.secrets’
Oct 5 21:36:03 ipfire charon: 06[CFG] loading secrets from ‘/etc/ipsec.user.secrets’
Oct 5 21:36:03 ipfire charon: 06[CFG] loaded IKE secret for @bsbgl.ipfire@bsbcb.ipfire
Oct 5 21:36:03 ipfire charon: 06[CFG] rereading ca certificates from ‘/etc/ipsec.d/cacerts’
Oct 5 21:36:03 ipfire charon: 06[CFG] rereading aa certificates from ‘/etc/ipsec.d/aacerts’
Oct 5 21:36:03 ipfire charon: 06[CFG] rereading ocsp signer certificates from ‘/etc/ipsec.d/ocspcerts’
Oct 5 21:36:03 ipfire charon: 06[CFG] rereading attribute certificates from ‘/etc/ipsec.d/acerts’
Oct 5 21:36:03 ipfire charon: 06[CFG] rereading crls from ‘/etc/ipsec.d/crls’
Oct 5 21:36:03 ipfire charon: 14[CFG] received stroke: delete connection ‘BSBCB’
Oct 5 21:36:03 ipfire charon: 14[CFG] deleted connection ‘BSBCB’
Oct 5 21:36:03 ipfire charon: 11[CFG] received stroke: add connection ‘BSBCB’
Oct 5 21:36:03 ipfire charon: 07[CFG] received stroke: initiate ‘BSBCB’
Oct 5 21:36:03 ipfire charon: 07[CFG] no config named ‘BSBCB’
Oct 5 21:36:03 ipfire charon: 11[CFG] added configuration ‘BSBCB’
Oct 5 21:36:03 ipfire charon: 08[CFG] received stroke: initiate ‘BSBCB’
Oct 5 21:36:03 ipfire charon: 08[IKE] initiating IKE_SA BSBCB[10] to 84.62.175.95
Oct 5 21:36:03 ipfire charon: 08[IKE] initiating IKE_SA BSBCB[10] to 84.62.175.95
Oct 5 21:36:03 ipfire charon: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct 5 21:36:03 ipfire charon: 08[NET] sending packet: from 192.168.178.3[500] to 84.62.175.95[500] (6076 bytes)
Oct 5 21:36:03 ipfire charon: 10[NET] received packet: from 84.62.175.95[500] to 192.168.178.3[500] (36 bytes)
Oct 5 21:36:03 ipfire charon: 10[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 5 21:36:03 ipfire charon: 10[IKE] received NO_PROPOSAL_CHOSEN notify error
Oct 5 21:36:04 ipfire charon: 05[CFG] received stroke: terminate ‘BSBCB’
Oct 5 21:36:04 ipfire charon: 05[CFG] no IKE_SA named ‘BSBCB’ found
Oct 5 21:36:04 ipfire charon: 12[CFG] rereading secrets
Oct 5 21:36:04 ipfire charon: 12[CFG] loading secrets from ‘/etc/ipsec.secrets’
Oct 5 21:36:04 ipfire charon: 12[CFG] loading secrets from ‘/etc/ipsec.user.secrets’
Oct 5 21:36:04 ipfire charon: 12[CFG] loaded IKE secret for @bsbgl.ipfire@bsbcb.ipfire
Oct 5 21:36:04 ipfire charon: 12[CFG] rereading ca certificates from ‘/etc/ipsec.d/cacerts’
Oct 5 21:36:04 ipfire charon: 12[CFG] rereading aa certificates from ‘/etc/ipsec.d/aacerts’
Oct 5 21:36:04 ipfire charon: 12[CFG] rereading ocsp signer certificates from ‘/etc/ipsec.d/ocspcerts’
Oct 5 21:36:04 ipfire charon: 12[CFG] rereading attribute certificates from ‘/etc/ipsec.d/acerts’
Oct 5 21:36:04 ipfire charon: 12[CFG] rereading crls from ‘/etc/ipsec.d/crls’
Oct 5 21:36:04 ipfire charon: 09[CFG] received stroke: delete connection ‘BSBCB’
Oct 5 21:36:04 ipfire charon: 09[CFG] deleted connection ‘BSBCB’
Oct 5 21:36:04 ipfire charon: 11[CFG] received stroke: add connection ‘BSBCB’
Oct 5 21:36:04 ipfire charon: 11[CFG] added configuration ‘BSBCB’
Oct 5 21:36:04 ipfire charon: 08[CFG] received stroke: initiate ‘BSBCB’
Oct 5 21:36:04 ipfire charon: 08[IKE] initiating IKE_SA BSBCB[11] to 84.62.175.95
Oct 5 21:36:04 ipfire charon: 08[IKE] initiating IKE_SA BSBCB[11] to 84.62.175.95
Oct 5 21:36:04 ipfire charon: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct 5 21:36:04 ipfire charon: 08[NET] sending packet: from 192.168.178.3[500] to 84.62.175.95[500] (6076 bytes)
Oct 5 21:36:04 ipfire charon: 13[CFG] received stroke: initiate ‘BSBCB’
Oct 5 21:36:04 ipfire charon: 06[NET] received packet: from 84.62.175.95[500] to 192.168.178.3[500] (36 bytes)
Oct 5 21:36:04 ipfire charon: 06[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 5 21:36:04 ipfire charon: 06[IKE] received NO_PROPOSAL_CHOSEN notify error
I did some comparison between your log and what I see in my log, so here are the differences that I see:
Your traffic is flowing from a public IP to a private IP. On my system, the traffic flows between the two public IPs. Maybe that's important. Check for differences between the sides that would cause this.
The NO_PROPOSAL_CHOSEN message means that one side said "hey, let's use this encryption" and the other side said "nope". Check to make sure that both sides of the connection are defined with the same IKE and ESP algorithms available.
I've never worked with a Fritzbox, but since it's an additional piece of the puzzle, check to make sure that both sides' configurations match there as well.
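The two checks suggested in the reply above (is the local IKE endpoint a private address, i.e. behind NAT, and do the two sides actually share an IKE proposal) can be automated. The script below is an added example, not code from the thread or from IPFire/strongSwan: it parses charon "sending/received packet" and NO_PROPOSAL_CHOSEN lines, flags a private local address, and intersects two proposal lists written in strongSwan's notation (e.g. "aes256-sha256-modp2048"). The log lines and the two proposal strings are constructed for the example; the per-type intersection is an approximation of how charon negotiates, not its exact algorithm.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed charon log excerpt, modelled on the lines quoted in the thread (not a real capture).
SAMPLE_LOG = """\
Oct  5 21:36:03 ipfire charon: 08[NET] sending packet: from 192.168.178.3[500] to 84.62.175.95[500] (6076 bytes)
Oct  5 21:36:03 ipfire charon: 10[NET] received packet: from 84.62.175.95[500] to 192.168.178.3[500] (36 bytes)
Oct  5 21:36:03 ipfire charon: 10[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct  5 21:36:03 ipfire charon: 10[IKE] received NO_PROPOSAL_CHOSEN notify error
"""

# Hypothetical proposal lists for the two sides, in strongSwan "ike=" syntax (assumption for the example).
LOCAL_IKE = "aes256-sha256-modp2048,aes256gcm16-sha256-modp2048"
PEER_IKE = "aes128-sha1-modp1024"

PACKET_RE = re.compile(r"(sending|received) packet: from (\S+?)\[(\d+)\] to (\S+?)\[(\d+)\]")

# Token classification by prefix. Order matters: "aesxcbc"/"aescmac" are integrity
# algorithms but also start with "aes", so DH and integrity are tested before encryption.
DH_PREFIXES = ("modp", "ecp", "curve25519", "curve448", "x25519", "x448")
INTEG_PREFIXES = ("sha", "md5", "aesxcbc", "aescmac", "prfsha")  # PRFs grouped with integrity here
ENC_PREFIXES = ("aes", "3des", "chacha20poly1305", "camellia", "null")


def analyse_log(text: str) -> Dict[str, Optional[object]]:
    """Extract the local/peer IKE addresses and whether NO_PROPOSAL_CHOSEN was received."""
    findings: Dict[str, Optional[object]] = {
        "no_proposal_chosen": False, "local_behind_nat": False, "local_ip": None, "peer_ip": None}
    for line in text.splitlines():
        if "NO_PROPOSAL_CHOSEN" in line:
            findings["no_proposal_chosen"] = True
        m = PACKET_RE.search(line)
        if m and m.group(1) == "sending":
            local, peer = m.group(2), m.group(4)
            findings["local_ip"], findings["peer_ip"] = local, peer
            # An RFC 1918 source means charon sits behind NAT; the peer only sees the NAT's public IP.
            findings["local_behind_nat"] = ipaddress.ip_address(local).is_private
    return findings


def parse_proposal(spec: str) -> Tuple[Set[str], Set[str], Set[str]]:
    """Split one proposal such as 'aes256-aes128-sha256-modp2048!' into (enc, integ, dh) sets."""
    enc: Set[str] = set()
    integ: Set[str] = set()
    dh: Set[str] = set()
    for tok in spec.strip("!").split("-"):
        if tok.startswith(DH_PREFIXES):
            dh.add(tok)
        elif tok.startswith(INTEG_PREFIXES):
            integ.add(tok)
        elif tok.startswith(ENC_PREFIXES):
            enc.add(tok)
        else:
            raise ValueError(f"unknown algorithm token {tok!r} in {spec!r}")
    return enc, integ, dh


def common_proposals(local_spec: str, remote_spec: str) -> List[str]:
    """Return the proposals both sides can agree on (intersection per transform type).

    A match needs a common cipher and DH group, plus a common integrity algorithm unless
    both proposals are AEAD-only (no integrity token on either side).
    """
    common: Set[str] = set()
    for l in local_spec.split(","):
        le, li, ld = parse_proposal(l)
        for r in remote_spec.split(","):
            re_, ri, rd = parse_proposal(r)
            enc, integ, dh = le & re_, li & ri, ld & rd
            if enc and dh and (integ or (not li and not ri)):
                common.add("-".join(sorted(enc) + sorted(integ) + sorted(dh)))
    return sorted(common)


def diagnose(log_text: str, local_spec: str, remote_spec: str) -> List[str]:
    """Combine both checks into human-readable findings."""
    f = analyse_log(log_text)
    notes: List[str] = []
    if f["no_proposal_chosen"]:
        common = common_proposals(local_spec, remote_spec)
        if common:
            notes.append("IKE proposals overlap (%s): look at the ESP/phase-2 proposals "
                         "or at the NAT device instead" % ", ".join(common))
        else:
            notes.append("no common IKE proposal between the sides: align the algorithm lists")
    if f["local_behind_nat"]:
        notes.append(f"local endpoint {f['local_ip']} is a private address: IPFire is behind NAT, "
                     f"the peer {f['peer_ip']} sees the router's public IP; UDP 500/4500 must be "
                     "forwarded and the router must not run its own IKE on those ports")
    return notes


if __name__ == "__main__":
    for note in diagnose(SAMPLE_LOG, LOCAL_IKE, PEER_IKE):
        print("-", note)
```

Run on the constructed excerpt it reports both problems the reply points at: no shared IKE proposal, and a private IKE source address (NAT in front of IPFire). Replace the two proposal strings with what each side's IPsec page actually offers before trusting the first finding.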
Now I am testing this from a notebook that is connected to the sites via VPN. The Fritzbox has all port forwardings set up. I now suspect that it has something to do with the encryption, but which one is best to use, or does it basically not matter?
The IPsec connection is now established. The problem was that I have to disable IPsec in the Fritzbox each time, otherwise the Fritzbox rewrites the outgoing port because it uses it itself. So I now have a connection, but I can't ping or use anything at the other location. Do I now have to enable something in the firewall? Would someone help me so that the locations can access each other's file shares and printers?
I did not know that this is so complicated, since I always got along fine with OpenVPN.
I thought that after the IPsec connection is established the networks should have access to each other, at least the green ones. But according to the firewall nothing has access? I have already tested different rules without success. Too bad, at the moment I don't know what to do.
Thanks in advance.