0004475: multi WAN IPs and IPsec, PSK auth failed - MantisBT Endian Bugtracker
Endian Issue Tracker





ID: 0004475
Project: Endian Firewall
Category: VPN - IPSec
View Status: public
Date Submitted: 2012-10-30 12:58
Last Update: 2012-10-30 12:58
Reporter: thomas-endian
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform:
OS:
OS Version:
Product Version: 2.5
Target Version: 2.5
Fixed in Version:
Summary: 0004475: multi WAN IPs and IPsec, PSK auth failed
Description: ipsec.conf is not multi WAN IP compatible. I mean, if you have more than one RED IP on the WAN interface (e.g. MAIN Uplink), an IPsec connection is only possible on the first IP!

Although strongSwan is listening on all IPs, the ipsec.conf is filled only with the first one…
----------------------------------------------------------------
conn nettonet
        dpdaction=restart
        dpddelay=30s
        dpdtimeout=120s
        left=80.73.113.xx
        leftnexthop=80.73.113.xx
        leftsubnet=192.168.0.0/24
        leftsourceip=192.168.0.15
        right=8.8.8.8
        rightsubnet=192.168.1.0/24
        leftid=80.73.113.xx
        rightid=8.8.8.8
        authby=secret
        pfs=yes
        ikelifetime=1h
        keylife=8h
        ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024
        esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
        auto=start
        keyexchange=ikev1
----------------------------------------------------------------

So you get the following error if you start a connection to a second IP:
Oct 30 13:25:24 efw2 pluto[6705]: packet from 80.187.106.xxx:500: initial Main Mode message received on 80.73.113.xxx:500 but no connection has been authorized with policy=PSK
Additional Information: Workaround:
- change the left site parameter in the ipsec.conf
Tags: No tags attached.
Attached Files:

- Relationships

-  Notes
There are no notes attached to this issue.

- Issue History
Date Modified Username Field Change
2012-10-30 12:58 thomas-endian New Issue
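
An added example (not part of the original report, and not Endian or strongSwan code): a Python check that lists which WAN IPs have no PSK conn whose left= is that address, the condition the report ties to the pluto "no connection has been authorized with policy=PSK" message. The sample config and addresses are constructed, parse_conns, psk_coverage and uncovered are hypothetical helper names, and conn %default inheritance and non-literal left= values are not handled.

```python
import ipaddress

# Constructed sample (RFC 5737 documentation addresses, not the report's).
SAMPLE_CONF = """\
conn nettonet
        left=203.0.113.10
        right=198.51.100.7
        authby=secret

conn certpeer
        left=203.0.113.11
        right=198.51.100.8
        authby=rsasig
"""

def parse_conns(text):
    """Return {conn_name: {option: value}} for each 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented line starts a new section
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def psk_coverage(conf_text, wan_ips):
    """Map each WAN IP to the PSK conns whose left= is exactly that IP."""
    coverage = {str(ipaddress.ip_address(ip)): [] for ip in wan_ips}
    for name, opts in parse_conns(conf_text).items():
        if opts.get("authby") not in ("secret", "psk"):
            continue
        try:
            left = str(ipaddress.ip_address(opts.get("left", "")))
        except ValueError:
            continue  # non-literal left= values are out of scope here
        if left in coverage:
            coverage[left].append(name)
    return coverage

def uncovered(conf_text, wan_ips):
    """WAN IPs that no PSK conn names as left=."""
    return [ip for ip, c in psk_coverage(conf_text, wan_ips).items() if not c]

if __name__ == "__main__":
    print(uncovered(SAMPLE_CONF, ["203.0.113.10", "203.0.113.11"]))
```

Run against the live ipsec.conf and the list of RED addresses, an empty result means every WAN IP is named as left= by at least one PSK conn.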
