Site-to-Site VPN intre TMG 2010 si OpenSwan

6 replies to this topic

#1 h0tice (Member, Group: Members, Posts: 379, Joined: 21.03.2005)
Hi,
In the post here I was trying to set up a site-to-site VPN connection between a Juniper Netscreen 5GT and OpenVPN. I didn't succeed (it seems OpenVPN doesn't accept clients other than its own), so we replaced OpenVPN with OpenSwan. Everything was fine in the end, the connection was established successfully.

Now, because of the limitations of the Juniper device, we decided to replace it with Microsoft's TMG 2010. And again I'm having problems establishing the VPN connection, this time with OpenSwan.

The OpenSwan settings remained identical to the original ones (which worked with the Juniper device):
# cat /etc/ipsec.d/bucuresti.conf
conn bucuresti
type=tunnel
authby=secret
keyingtries=0
pfs=yes
ike=3des-md5-modp1024
ikelifetime="28800"
#Define IPsec Policy
auth=esp
esp=3des-md5
keylife="3600"
left=aaa.bbb.ccc.ddd
leftsubnet=192.168.96.0/23
# leftid=
# next hop on the left side: the default gateway
leftnexthop=%defaultroute
right=www.xxx.yyy.zzz
# rightid=
rightsubnet=192.168.66.0/24
# next hop on the right side: the default gateway
rightnexthop=%defaultroute
compress=no
#Start the tunnel on boot
auto=start


In TMG I created a new Site-to-Site connection:
- VPN Protocol: IP Security protocol (IPsec) tunnel mode
- Remote VPN gateway IP address: aaa.bbb.ccc.ddd
- Local VPN gateway IP address: www.xxx.yyy.zzz
- Use pre-shared key for authentication: qwertyqwertyqwerty
- Specify the IP addresses of the remote site network: aaa.bbb.ccc.ddd was already set here, and I added 192.168.96.0-192.168.96.255
- I left "Create a network rule specifying a route relationship" selected, and under "Route traffic between the new network and these destinations" "Internal" remained selected
- For "Create an allow access rule" I selected "All outbound traffic"

That's the configuration I made, but it doesn't work. Any ideas?
Thanks!

#2 maul (Member, Group: Members, Posts: 615, Joined: 10.11.2005)
take a look here - it's between ISA 2006 (the predecessor of TMG) and vyatta (its VPN is based on openswan)
http://www.carbonwin...N/VyattaVPN.htm

although, for simplicity, the recommendation would still be openvpn between both machines - you only need a single arbitrary port open on each machine (TCP or UDP - recommended)
you'll find a package both for Windows server (on which I assume you have TMG) and for linux/unix, on which you have Openswan

Edited by maul, 13 May 2013 - 12:50.


#3 h0tice (Member, Group: Members, Posts: 379, Joined: 21.03.2005)
Thanks for the suggestion. Given that since then I have kept trying to set up the VPN between TMG and OpenSwan without success, I decided to try OpenVPN.

On the server (where OpenSwan is too) it was already installed, because it's used by other clients.

On my side, the client config file looks like this:
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
;;route-gateway 192.168.144.1
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote aaa.bbb.ccc.ddd 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert bucuresti.crt
key bucuresti.key
# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20


In TMG I created 2 rules that allow all traffic (one from aaa.bbb.ccc.ddd to Localhost and one from Localhost to aaa.bbb.ccc.ddd). In Traffic Simulator everything is OK (on port 1194, UDP).

But the OpenVPN client still doesn't connect to the server:
Thu May 16 12:45:44 2013 OpenVPN 2.3.1 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Mar 28 2013
Thu May 16 12:45:44 2013 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu May 16 12:45:44 2013 Need hold release from management interface, waiting...
Thu May 16 12:45:44 2013 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Thu May 16 12:45:44 2013 MANAGEMENT: CMD 'state on'
Thu May 16 12:45:44 2013 MANAGEMENT: CMD 'log all on'
Thu May 16 12:45:44 2013 MANAGEMENT: CMD 'hold off'
Thu May 16 12:45:44 2013 MANAGEMENT: CMD 'hold release'
Thu May 16 12:45:44 2013 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu May 16 12:45:44 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu May 16 12:45:44 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu May 16 12:45:44 2013 MANAGEMENT: >STATE:1368697544,RESOLVE,,,
Thu May 16 12:45:44 2013 UDPv4 link local: [undef]
Thu May 16 12:45:44 2013 UDPv4 link remote: [AF_INET]aaa.bbb.ccc.ddd:1194
Thu May 16 12:45:44 2013 MANAGEMENT: >STATE:1368697544,WAIT,,,
Thu May 16 12:46:44 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu May 16 12:46:44 2013 TLS Error: TLS handshake failed
Thu May 16 12:46:44 2013 SIGUSR1[soft,tls-error] received, process restarting
Thu May 16 12:46:44 2013 MANAGEMENT: >STATE:1368697604,RECONNECTING,tls-error,,
Thu May 16 12:46:44 2013 Restart pause, 2 second(s)
Thu May 16 12:46:46 2013 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu May 16 12:46:46 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu May 16 12:46:46 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu May 16 12:46:46 2013 MANAGEMENT: >STATE:1368697606,RESOLVE,,,
Thu May 16 12:46:46 2013 UDPv4 link local: [undef]
Thu May 16 12:46:46 2013 UDPv4 link remote: [AF_INET]aaa.bbb.ccc.ddd:1194
Thu May 16 12:46:46 2013 MANAGEMENT: >STATE:1368697606,WAIT,,,
Thu May 16 12:47:46 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu May 16 12:47:46 2013 TLS Error: TLS handshake failed
Thu May 16 12:47:46 2013 SIGUSR1[soft,tls-error] received, process restarting
Thu May 16 12:47:46 2013 MANAGEMENT: >STATE:1368697666,RECONNECTING,tls-error,,
Thu May 16 12:47:46 2013 Restart pause, 2 second(s)
Thu May 16 12:47:48 2013 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu May 16 12:47:48 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu May 16 12:47:48 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu May 16 12:47:48 2013 MANAGEMENT: >STATE:1368697668,RESOLVE,,,
Thu May 16 12:47:48 2013 UDPv4 link local: [undef]
Thu May 16 12:47:48 2013 UDPv4 link remote: [AF_INET]aaa.bbb.ccc.ddd:1194
Thu May 16 12:47:48 2013 MANAGEMENT: >STATE:1368697668,WAIT,,,


Edited by h0tice, 16 May 2013 - 13:02.
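The log above repeats "No server certificate verification method has been enabled", which matches the commented-out ";ns-cert-type server" and ";tls-auth" lines in the posted client config. As an added example that is not from the thread, a small POSIX shell lint that reads an OpenVPN client config and reports whether those directives are active; the sample config files, the work directory and the verdict helper are constructed here, and remote-cert-tls server is the directive that supersedes ns-cert-type server in OpenVPN 2.1 and later.

```shell
#!/bin/sh
# Added example (not from the thread): lint an OpenVPN 2.3-era client config
# for the directives that authenticate the server. In OpenVPN configs both
# ';' and '#' begin a comment, so a commented directive is simply inactive.
# Print the name of every active (uncommented) directive, one per line.
active_directives() {
  sed -e 's/[;#].*$//' -e 's/^[[:space:]]*//' "$1" | awk 'NF { print $1 }'
}
# True when the client checks the server certificate's role: either the
# newer remote-cert-tls (OpenVPN 2.1+) or the older ns-cert-type.
has_server_verification() {
  active_directives "$1" | grep -qx -e 'remote-cert-tls' -e 'ns-cert-type'
}
# True when an HMAC "firewall" key (tls-auth) is configured.
has_tls_auth() {
  active_directives "$1" | grep -qx 'tls-auth'
}
# One-word verdict for a config file (hypothetical helper, not an OpenVPN tool).
verdict() {
  if has_server_verification "$1"; then
    if has_tls_auth "$1"; then echo "hardened"; else echo "verified-no-tlsauth"; fi
  else
    echo "unverified"
  fi
}
# Constructed sample: the relevant lines of the client config as posted above.
WORK=$(mktemp -d)
cat > "$WORK/as-posted.conf" <<'EOF'
client
dev tun
proto udp
remote aaa.bbb.ccc.ddd 1194
ca ca.crt
cert bucuresti.crt
key bucuresti.key
;ns-cert-type server
;tls-auth ta.key 1
comp-lzo
verb 3
EOF
# Constructed sample: the same config with both directives switched on.
sed -e 's/^;ns-cert-type server/remote-cert-tls server/' \
    -e 's/^;tls-auth/tls-auth/' "$WORK/as-posted.conf" > "$WORK/hardened.conf"
for f in as-posted hardened; do
  printf '%s.conf: %s\n' "$f" "$(verdict "$WORK/$f.conf")"
done
```

Running it prints "unverified" for the config as posted and "hardened" for the corrected copy; the first verdict is exactly the state the warning in the log is describing.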


#4 maul (Member, Group: Members, Posts: 615, Joined: 10.11.2005)
hi,

the problem is written clearly in the log:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting

it looks like you have a connectivity problem on port 1194 UDP; in TMG it isn't opened the way it should be
http://openvpn.net/i...nnectivity.html
https://forums.openv...topic12649.html

read this article carefully:
http://social.techne...cc-d5447799002d
http://www.carbonwin...andISApart1.htm

#5 h0tice (Member, Group: Members, Posts: 379, Joined: 21.03.2005)
Hi,
Thanks a lot, I found what the problem was. When I had added the OpenVPN protocol in TMG, I had set it with UDP 1194 Receive as the primary connection and UDP 1194 Send as a secondary connection. I saw here that they set it only as a primary connection, UDP 1194 Receive Send. It works now.

I do have another problem, though. Everything works perfectly only on the machine where the OpenVPN client is installed. From any other PC on my network, nothing "behind" the VPN is visible. I installed the "Routing and Remote Access" role on the machine with the OpenVPN client, but I don't know how to configure it so that it routes all the traffic coming from the VPN tunnel into the network. I haven't worked with it before...

#6 maul (Member, Group: Members, Posts: 615, Joined: 10.11.2005)
you do the routing on the TMG machine using network templates:
http://www.isaserver...-templates.html
routing on the linux machine you do with the route and iptables commands, or with openvpn's own configuration directives (iroute/route) - google it :)

#7 h0tice (Member, Group: Members, Posts: 379, Joined: 21.03.2005)
The problem was that I had installed the OpenVPN client on a different machine, not the one with TMG (I saw that this is what's recommended). I managed to solve the problem by creating a static route on each workstation, with the help of the DHCP server. And for the workstations configured with a static IP, I added that route through a domain policy, with a startup script.

Thanks a lot for the support!
