IPSec failing after some time

IPSec failing after some time

Lorenzo Milesi-2
Hi.
I have a 2.5.1 installation which works fine. Last week we moved from a public IP to a NATted one, and since then the IPSec VPN isn't working anymore!
Not really: it works for one hour or so, and after that time it drops and I find the following error in messages:

pluto (25362) initial Main Mode message received on EFW_WAN_IP:500 but no connection has been authorized with policy=PSK

This is weird because, as I said, for one hour or so it works great.

What can cause this? So strange, it has been working great before the DSL change...
Thanks
--
Lorenzo Milesi - [hidden email]

YetOpen S.r.l. - http://www.yetopen.it/
Via Carlo Torri Tarelli 19 - 23900 Lecco - ITALY -
Tel 0341 220 205 - Fax 178 6070 222

GPG/PGP Key-Id: 0xE704E230 - http://keyserver.linux.it

-------- D.Lgs. 196/2003 --------

Please note that all information contained in this message is
confidential and for the exclusive use of the recipient. If you have
received this message in error, please delete it without copying it,
do not forward it to third parties, and notify us as soon as
possible.
Thank you.

_______________________________________________
Efw-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/efw-user

Re: IPSec failing after some time

Matt Hayes
When you say "NAT'd" IP, you mean that the IP address on your Endian isn't the public?  If so, the VPN probably won't work properly.  IPSec isn't meant to be NAT'd...


On Fri, May 31, 2013 at 12:04 PM, Lorenzo Milesi <[hidden email]> wrote:
> Hi.
> I have a 2.5.1 installation which works fine. Last week we moved from a public IP to a NATted one, and since then the IPSec VPN isn't working anymore!
> Not really: it works for one hour or so, and after that time it drops and I find the following error in messages:
>
> pluto (25362) initial Main Mode message received on EFW_WAN_IP:500 but no connection has been authorized with policy=PSK
>
> this is weird because as I said for one hour or so it works great.
>
> What can cause this? So strange, it has been working great before the DSL change...
> thanks

Re: IPSec failing after some time

Lorenzo Milesi-2
> When you say "NAT'd" IP, you mean that the IP address on your Endian isn't
> the public? If so, the VPN probably won't work properly. IPSec isn't meant
> to be NAT'd...

Yes, Endian has a private IP (192.168.2.x), and port 500 is forwarded from the DSL modem to Endian.

I know what you say, but I remember I managed to establish an IPSec tunnel even if one of the endpoints was behind a modem.


Re: IPSec failing after some time

Lorenzo Milesi-2
In reply to this post by Matt Hayes

> When you say "NAT'd" IP, you mean that the IP address on your Endian isn't
> the public? If so, the VPN probably won't work properly. IPSec isn't meant
> to be NAT'd...

And isn't NAT-traversal the solution to NATted VPN?

Re: IPSec failing after some time

Matt Hayes
Look at timeout values within the DSL modem; it's possible that it's renewing ports or something for forwarding. Hard to say how the modem is doing forwarding, though.

On Wed, Jun 12, 2013 at 10:40 AM, Lorenzo Milesi <[hidden email]> wrote:

> > When you say "NAT'd" IP, you mean that the IP address on your Endian isn't
> > the public? If so, the VPN probably won't work properly. IPSec isn't meant
> > to be NAT'd...
>
> and isn't NAT-traversal the solution to natted vpn?
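
Added example, not part of the original thread: a Python check for the timing question the thread leaves open (the tunnel holding "for one hour or so", and the suggestion to look at modem timeouts). It measures from pluto log lines how long each tunnel stayed up before the rejection message appeared, and whether those uptimes cluster like a fixed timer. The syslog layout, the `ISAKMP SA established` marker, the addresses and the 15% spread threshold are assumptions; the sample log is constructed.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample (assumed syslog layout); only the rejection text comes from the thread.
REJECT = ("initial Main Mode message received on 192.168.2.10:500 "
          "but no connection has been authorized with policy=PSK")
SAMPLE_LOG = "\n".join([
    'May 31 09:00:05 efw pluto[25362]: "vpn1" #1: STATE_MAIN_I4: ISAKMP SA established',
    "May 31 09:58:41 efw pluto[25362]: packet from 203.0.113.7:500: " + REJECT,
    "May 31 09:58:51 efw pluto[25362]: packet from 203.0.113.7:500: " + REJECT,
    'May 31 12:10:00 efw pluto[25362]: "vpn1" #7: STATE_MAIN_I4: ISAKMP SA established',
    "May 31 13:09:12 efw pluto[25362]: packet from 203.0.113.7:500: " + REJECT,
])

STAMP = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)")
UP = re.compile(r"ISAKMP SA established")  # assumed marker for a completed IKE SA
DOWN = re.compile(r"initial Main Mode message received on \S+ "
                  r"but no connection has been authorized")

def uptimes(log_text, year=2013):
    """Seconds from each 'SA established' line to the first rejection after it."""
    up_at, out = None, []
    for line in log_text.splitlines():
        m = STAMP.match(line)
        if not m:
            continue
        # Classic syslog stamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if UP.search(line):
            up_at = ts
        elif DOWN.search(line) and up_at is not None:
            out.append(int((ts - up_at).total_seconds()))
            up_at = None  # skip repeated rejections until the tunnel is up again
    return out

def looks_timer_driven(intervals, max_spread=0.15):
    """True when uptimes cluster tightly, which points at a fixed timer
    (rekey lifetime, NAT or port-forward timeout) rather than random loss."""
    if len(intervals) < 2:
        return False
    return pstdev(intervals) / mean(intervals) <= max_spread

if __name__ == "__main__":
    found = uptimes(SAMPLE_LOG)
    print(found, "timer-driven" if looks_timer_driven(found) else "irregular")
```

A tight cluster of uptimes is worth comparing against the IKE lifetime configured on both peers and against the modem's forwarding timeout.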