OpenVPN network to network

Hello, I have created an OpenVPN connection between 2 locations. They are also connected. Unfortunately, I still can't connect to devices in the other network. Do I have to set something in the routing? But both networks are set?

Or should I prefer an IPSEC connection here? I intend to back up data from one network to the other using rsync.
What should the firewall rule look like?

I have a N2N connection set up on my vm test bed. I don’t need any firewall rule for being able to connect from a machine on the green network at one end of the tunnel and a machine on the green network of the other end of the tunnel.
I can ping both ways and also access the ssh server at the other end of the tunnel.

I have looked at your setup and I can’t see anything that stands out to me as being wrong.

The tunnel subnet you have defined, 10.1.0.0/255.255.255.0, is not used anywhere else, such as for an OpenVPN RW connection via dynamic or static IP setting or in the IPSec section?

It's strange, now it works too. I had set this up using a WireGuard connection from another location. Now I'm at home and it works without any problems. But thanks for checking the settings anyway.
Do you have any info on the protocol I should use? OpenVPN or IPsec? Which one is more stable and faster? As I said before, I want to use rsync to back up data via this line.

I am afraid not. I have only used OpenVPN so far.

I have had some first attempts at setting up an IPSec RW connection and got a PSK based process to work but not a certificates one yet, so some way away from attempting a N2N IPSec tunnel.

If you are going to backup data with rsync then you would want to maximise throughput rate and I have heard that OpenVPN is slower than IPSec, so you might want to put your focus on that.

Definitely IPsec. OpenVPN is absolutely not recommended for network-to-network connections because it is extremely slow.

+1 for IPsec when N2N is needed

Using this for years without any hassle.

We use IPSec with a long PSK as generated with “pwgen -s 64 1” for N2N. The N2N connections are mainly used for remote backups and screen sharing for support.

This applies not only to backups but also to access to drives?

This applies to any type of communication that requires speed. Listing a drive can cause a lot of traffic and therefore you need a connection that responds quickly. Of course, this all depends on your upload & download rate, but IPsec can be almost as fast as LAN with modern hardware.

Hello, I need to get back to you on this. I need help setting up IPsec (network to network) between 2 sites. I have uploaded the root certificate of each site to the other, then set up the IPsec connection using certificates. Then I set up port forwarding for UDP:500,4500 and TCP:10000 and ESP in the Fritzbox at both locations. The IPFire sits behind the Fritzbox. Unfortunately, no connection is established. What am I doing wrong? Does the IPFire have to be set as an exposed host?

Hi Andreas,

If you’re having a problem making the connection, take a look at your system log and see what you find there to help you debug.

Running:

tail -f /var/log/messages | grep charon

While you’re trying to make the connection will show the relevant messages.

Regards,
Stephen

OK, can you take anything from this?
This is the connection using a 40-digit PSK.

[root@ipfire ~]# tail -f /var/log/messages | grep charon
Oct 5 21:36:03 ipfire charon: 15[CFG] received stroke: terminate 'BSBCB'
Oct 5 21:36:03 ipfire charon: 15[CFG] no IKE_SA named 'BSBCB' found
Oct 5 21:36:03 ipfire charon: 06[CFG] rereading secrets
Oct 5 21:36:03 ipfire charon: 06[CFG] loading secrets from '/etc/ipsec.secrets'
Oct 5 21:36:03 ipfire charon: 06[CFG] loading secrets from '/etc/ipsec.user.secrets'
Oct 5 21:36:03 ipfire charon: 06[CFG] loaded IKE secret for @bsbgl.ipfire @bsbcb.ipfire
Oct 5 21:36:03 ipfire charon: 06[CFG] rereading ca certificates from '/etc/ipsec.d/cacerts'
Oct 5 21:36:03 ipfire charon: 06[CFG] rereading aa certificates from '/etc/ipsec.d/aacerts'
Oct 5 21:36:03 ipfire charon: 06[CFG] rereading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Oct 5 21:36:03 ipfire charon: 06[CFG] rereading attribute certificates from '/etc/ipsec.d/acerts'
Oct 5 21:36:03 ipfire charon: 06[CFG] rereading crls from '/etc/ipsec.d/crls'
Oct 5 21:36:03 ipfire charon: 14[CFG] received stroke: delete connection 'BSBCB'
Oct 5 21:36:03 ipfire charon: 14[CFG] deleted connection 'BSBCB'
Oct 5 21:36:03 ipfire charon: 11[CFG] received stroke: add connection 'BSBCB'
Oct 5 21:36:03 ipfire charon: 07[CFG] received stroke: initiate 'BSBCB'
Oct 5 21:36:03 ipfire charon: 07[CFG] no config named 'BSBCB'
Oct 5 21:36:03 ipfire charon: 11[CFG] added configuration 'BSBCB'
Oct 5 21:36:03 ipfire charon: 08[CFG] received stroke: initiate 'BSBCB'
Oct 5 21:36:03 ipfire charon: 08[IKE] initiating IKE_SA BSBCB[10] to 84.62.175.95
Oct 5 21:36:03 ipfire charon: 08[IKE] initiating IKE_SA BSBCB[10] to 84.62.175.95
Oct 5 21:36:03 ipfire charon: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct 5 21:36:03 ipfire charon: 08[NET] sending packet: from 192.168.178.3[500] to 84.62.175.95[500] (6076 bytes)
Oct 5 21:36:03 ipfire charon: 10[NET] received packet: from 84.62.175.95[500] to 192.168.178.3[500] (36 bytes)
Oct 5 21:36:03 ipfire charon: 10[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 5 21:36:03 ipfire charon: 10[IKE] received NO_PROPOSAL_CHOSEN notify error
Oct 5 21:36:04 ipfire charon: 05[CFG] received stroke: terminate 'BSBCB'
Oct 5 21:36:04 ipfire charon: 05[CFG] no IKE_SA named 'BSBCB' found
Oct 5 21:36:04 ipfire charon: 12[CFG] rereading secrets
Oct 5 21:36:04 ipfire charon: 12[CFG] loading secrets from '/etc/ipsec.secrets'
Oct 5 21:36:04 ipfire charon: 12[CFG] loading secrets from '/etc/ipsec.user.secrets'
Oct 5 21:36:04 ipfire charon: 12[CFG] loaded IKE secret for @bsbgl.ipfire @bsbcb.ipfire
Oct 5 21:36:04 ipfire charon: 12[CFG] rereading ca certificates from '/etc/ipsec.d/cacerts'
Oct 5 21:36:04 ipfire charon: 12[CFG] rereading aa certificates from '/etc/ipsec.d/aacerts'
Oct 5 21:36:04 ipfire charon: 12[CFG] rereading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Oct 5 21:36:04 ipfire charon: 12[CFG] rereading attribute certificates from '/etc/ipsec.d/acerts'
Oct 5 21:36:04 ipfire charon: 12[CFG] rereading crls from '/etc/ipsec.d/crls'
Oct 5 21:36:04 ipfire charon: 09[CFG] received stroke: delete connection 'BSBCB'
Oct 5 21:36:04 ipfire charon: 09[CFG] deleted connection 'BSBCB'
Oct 5 21:36:04 ipfire charon: 11[CFG] received stroke: add connection 'BSBCB'
Oct 5 21:36:04 ipfire charon: 11[CFG] added configuration 'BSBCB'
Oct 5 21:36:04 ipfire charon: 08[CFG] received stroke: initiate 'BSBCB'
Oct 5 21:36:04 ipfire charon: 08[IKE] initiating IKE_SA BSBCB[11] to 84.62.175.95
Oct 5 21:36:04 ipfire charon: 08[IKE] initiating IKE_SA BSBCB[11] to 84.62.175.95
Oct 5 21:36:04 ipfire charon: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct 5 21:36:04 ipfire charon: 08[NET] sending packet: from 192.168.178.3[500] to 84.62.175.95[500] (6076 bytes)
Oct 5 21:36:04 ipfire charon: 13[CFG] received stroke: initiate 'BSBCB'
Oct 5 21:36:04 ipfire charon: 06[NET] received packet: from 84.62.175.95[500] to 192.168.178.3[500] (36 bytes)
Oct 5 21:36:04 ipfire charon: 06[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 5 21:36:04 ipfire charon: 06[IKE] received NO_PROPOSAL_CHOSEN notify error

Hi Andreas,

I did some comparison between your log and what I see in my log, so here are the differences that I see:

Your traffic is flowing from a public IP to a private IP. On my system, the traffic flows between the two public IPs. Maybe that's important. Check for differences between the sides that would cause this.

The NO_PROPOSAL_CHOSEN message means that one side said "hey, let's use this encryption" and the other side said "nope". Check to make sure that both sides of the connection are defined with the same IKE and ESP algorithms available.

I've never worked with a Fritzbox, but since it's an additional piece of the puzzle, check to make sure that both sides' configurations match also.

Regards,
Stephen

Now I am testing this from a notebook which is connected to the sites via VPN. The Fritzbox has all port forwardings set up. I now suspect that it has something to do with the encryption. But which one is best to use, or does it basically not matter?

If you’re behind NAT, shouldn’t ipsec be switching to UDP:4500 and encapsulating the traffic?
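
As an added example (not code from this thread, from IPFire or from strongSwan), here is a small Python check that reads charon lines like the ones pasted above and reports the two things Stephen's analysis and the NAT question turn on: a NO_PROPOSAL_CHOSEN reply, and a private local endpoint that never moves to UDP 4500. The sample log is constructed from the lines in this thread; the function and variable names are my own.

```python
import ipaddress
import re

# Constructed sample, modelled on the charon lines pasted earlier in this thread
# (same addresses and messages, cut down to the packets of one attempt).
SAMPLE_LOG = """\
Oct 5 21:36:03 ipfire charon: 08[IKE] initiating IKE_SA BSBCB[10] to 84.62.175.95
Oct 5 21:36:03 ipfire charon: 08[NET] sending packet: from 192.168.178.3[500] to 84.62.175.95[500] (6076 bytes)
Oct 5 21:36:03 ipfire charon: 10[NET] received packet: from 84.62.175.95[500] to 192.168.178.3[500] (36 bytes)
Oct 5 21:36:03 ipfire charon: 10[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Oct 5 21:36:03 ipfire charon: 10[IKE] received NO_PROPOSAL_CHOSEN notify error
"""

PACKET_RE = re.compile(
    r"charon: \d+\[NET\] (?P<dir>sending|received) packet: "
    r"from (?P<src>[\d.]+)\[(?P<sport>\d+)\] to (?P<dst>[\d.]+)\[(?P<dport>\d+)\]")


def analyse_charon(log_text):
    """Pull the facts the advice in this thread hinges on out of charon lines."""
    s = {"local_private": False, "nat_t_seen": False,
         "no_proposal": False, "reached_ike_auth": False}
    for line in log_text.splitlines():
        m = PACKET_RE.search(line)
        if m:
            # The local endpoint is the source of sent and the destination of received packets.
            local = m["src"] if m["dir"] == "sending" else m["dst"]
            s["local_private"] |= ipaddress.ip_address(local).is_private
            s["nat_t_seen"] |= "4500" in (m["sport"], m["dport"])
        s["no_proposal"] |= "NO_PROPOSAL_CHOSEN" in line
        s["reached_ike_auth"] |= "IKE_AUTH" in line
    return s


def findings(s):
    """Turn the summary into the next checks to run."""
    out = []
    if s["no_proposal"]:
        out.append("peer answered NO_PROPOSAL_CHOSEN: the IKE proposals do not overlap, "
                   "make the IKE (and ESP) algorithm lists identical on both sides")
    if s["local_private"] and not s["nat_t_seen"]:
        why = ("the exchange died in IKE_SA_INIT, before the switch to UDP 4500 happens"
               if not s["reached_ike_auth"] else
               "IKE_AUTH ran but never on UDP 4500, check NAT-T and the forwarding of 4500/udp")
        out.append("local endpoint is an RFC 1918 address (behind NAT) and no UDP 4500 "
                   "traffic was seen: " + why)
    return out
```

Run `findings(analyse_charon(SAMPLE_LOG))` on the sample and both findings come back; feed it the output of the `tail ... | grep charon` command from above to check a live attempt.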

The IPSec connection is now established. The problem was that I have to disable IPSec in the Fritz box each time, otherwise the Fritz box converts the outgoing port because it uses it itself. So I now have a connection, but I can't ping or use anything at the other location. Do I now have to enable something in the firewall? Would someone help me so that the locations can access each other's file shares and printers?
I did not know that this was so complicated, after I always got along with OpenVPN.
I thought that after the IPsec connection is established the networks should have access to each other, at least the green one. But nothing has access according to the firewall? I have already tested different rules without success. Too bad, at the moment I don't know what to do.
Thanks in advance

Problem is solved

Can you elaborate?

Info on how you solved it would help others.