Regular Member
Posts: 738
Registered: ‎11-06-2013
Kudos: 229
Solutions: 26

Upgrade from 1.7.0 to 1.8.5 breaks IPSEC

I just upgraded my router from 1.7.0 to 1.8.5 and had to down grade it again because the IPSEC VPN would not come online.


Very similar to what I reported in this thread when 1.8.0 came out.


I can perform more testing tomorrow.


For now, I have a perfectly working VPN setup with 1.7.0.

I upgraded to 1.8.5 with no errors.

I rebooted the router.

I have no VPN connectivity.


I used the GUI and set local address to my IP address. No luck.

I used the GUI and set local address to any. No luck.

I dropped to the command line and did a delete vpn;commit;save, then rebooted and added the VPN via CLI with a DNS name in local address (works in 1.7.0). No luck.


I reverted (causes the 1.7.0 config to be reused) the boot image and rebooted.

VPN back up.


Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3121
Solutions: 945
Contributions: 16

Re: Upgrade from 1.7.0 to 1.8.5 breaks IPSEC

Can't really help unless you post your config files for us to try.

EdgeMAX Router Software Development
Regular Member
Posts: 738
Registered: ‎11-06-2013
Kudos: 229
Solutions: 26

Re: Upgrade from 1.7.0 to 1.8.5 breaks IPSEC

[ Edited ]

UBNT-stig wrote:

Can't really help unless you post your config files for us to try.


1. I said I did not have time for more details tonight because I was forced to revert it.

2. The linked post links to another post where my config is posted.

3. The 1.8.0 post was never followed up on.

Member
Posts: 117
Registered: ‎10-15-2015
Kudos: 6
Solutions: 5

Re: Upgrade from 1.7.0 to 1.8.5 breaks IPSEC

Ok, just a quick question.

Do you have an IPv6 address linked to a FQDN as well as IPv4?

Just use IPv4; it will work again.

IPv6 VPN won't work unless native.
Member
Posts: 110
Registered: ‎01-13-2015
Kudos: 59
Solutions: 15

Re: Upgrade from 1.7.0 to 1.8.5 breaks IPSEC

[ Edited ]

sorvani wrote:

2. The linked post links to another post where my config is posted.


The thread with your config discusses a number of potential changes, so it's really difficult to guess what your actual, current config is. Further, firmware upgrades may run transforms on the config, so you really do need to post your config as it exists on 1.8.5 in order for others to have a look.

Regular Member
Posts: 738
Registered: ‎11-06-2013
Kudos: 229
Solutions: 26

Re: Upgrade from 1.7.0 to 1.8.5 breaks IPSEC


atomicmike wrote:

sorvani wrote:

2. The linked post links to another post where my config is posted.


The thread with your config discusses a number of potential changes, so it's really difficult to guess what your actual, current config is. Further, firmware upgrades may run transforms on the config, so you really do need to post your config as it exists on 1.8.5 in order for others to have a look.


All of those issues still apply as I set 3 different methods of using the local address as noted. 


Either way chill out. I will get this posted as noted prior.

Member
Posts: 110
Registered: ‎01-13-2015
Kudos: 59
Solutions: 15

Re: Upgrade from 1.7.0 to 1.8.5 breaks IPSEC


sorvani wrote:

Either way chill out. I will get this posted as noted prior.


No need to take offense. You hadn't actually said you were going to provide it, and instead pointed back to the other thread, so I thought it was worth clarifying.

Regular Member
Posts: 738
Registered: ‎11-06-2013
Kudos: 229
Solutions: 26

Re: Upgrade from 1.7.0 to 1.8.5 breaks IPSEC

[ Edited ]

UBNT-stig wrote:

Can't really help unless you post your config files for us to try.


Here is what the router shows for 1.7.0 with everything working. Note, I have deleted the 1.8.5 firmware image so that I can make a new clean upgrade.


jbusch@jared:~$ sudo cat /etc/ipsec.secrets
# generated by /opt/vyatta/sbin/vpn-config.pl

domain1.mooo.com domain2.mooo.com : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
domain1.mooo.com globe.domain1.com : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
domain1.mooo.com remote.domain2.com : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
domain1.mooo.com remote.domain3.com : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
domain1.mooo.com remote.domain4.com : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
jbusch@jared:~$ show system image
The system currently has the following image(s) installed:

v1.7.0.4783374.150622.1534     (running image) (default boot)

jbusch@jared:~$


Here is the working (redacted) 1.7.0 config.


firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name LAN_IN {
        default-action accept
        description "Wired and Wireless LAN to Internet"
        rule 2 {
            action reject
            description "Block Port 25"
            destination {
                port 25
            }
            log enable
            protocol tcp
        }
    }
    name LAN_LOCAL {
        default-action accept
        description "Wired and Wireless LAN to Router"
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 50 {
            action accept
            description "Allow Pings to Router"
            limit {
                burst 1
                rate 62/minute
            }
            log enable
            protocol icmp
        }
        rule 60 {
            action accept
            description "Accept OpenVPN Connections"
            destination {
                group {
                    address-group ADDRv4_eth2
                }
                port 1194
            }
            log disable
            protocol udp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 61 {
            action accept
            description "Allow IPSEC"
            ipsec {
                match-ipsec
            }
            log disable
            protocol all
            state {
                established disable
                invalid disable
                new enable
                related disable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        address dhcpv6
        description "Comcast WAN"
        dhcp-options {
            default-route update
            default-route-distance 210
            name-server no-update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address 10.254.103.1/24
        description "Jared LAN"
        duplex auto
        speed auto
    }
    ethernet eth2 {
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        description "Family VPN Server"
        encryption aes128
        mode server
        openvpn-option --tls-server
        openvpn-option "--proto udp"
        openvpn-option "--port 1194"
        openvpn-option "--push dhcp-option DNS 10.254.103.1"
        openvpn-option "--tun-mtu 1400"
        openvpn-option --persist-key
        openvpn-option --persist-tun
        openvpn-option --persist-local-ip
        openvpn-option --persist-remote-ip
        openvpn-option "--keepalive 8 30"
        openvpn-option --comp-lzo
        openvpn-option --duplicate-cn
        openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-pam.so login"
        openvpn-option "--client-cert-not-required --username-as-common-name"
        openvpn-option "--verb 1"
        openvpn-option --client-to-client
        openvpn-option "--user nobody --group nogroup"
        openvpn-option "--push redirect-gateway def1"
        server {
            subnet 10.254.203.0/24
            topology subnet
        }
        tls {
            ca-cert-file /config/auth/openvpn/keys/ca.crt
            cert-file /config/auth/openvpn/keys/daerma.dyndns.org.crt
            dh-file /config/auth/openvpn/keys/dh2048.pem
            key-file /config/auth/openvpn/keys/daerma.dyndns.org.key
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update enable
        shared-network-name LAN {
            authoritative disable
            description "LAN eth1"
            subnet 10.254.103.0/24 {
                bootfile-name settings/snom.htm
                default-router 10.254.103.1
                dns-server 10.254.103.1
                lease 86400
                ntp-server 10.254.103.1
                start 10.254.103.31 {
                    stop 10.254.103.254
                }
                static-mapping 103 {
                    ip-address 10.254.103.10
                    mac-address 00:15:65:65:fb:3c
                }
                tftp-server-name 10.1.1.22
                time-server 10.254.103.1
                unifi-controller XXX.XXX.XXX.13
            }
        }
    }
    dns {
        dynamic {
            interface eth0 {
                service afraid {
                    host-name domain1.mooo.com
                    login XXXXXXXXX
                    password XXXXXXXXXXXXXXXX
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on eth1
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    upnp2 {
        listen-on eth1
        nat-pmp enable
        secure-mode disable
        wan eth0
    }
}
system {
    host-name jared
    login {
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        ipsec enable
        ipv4 {
            forwarding enable
            vlan enable
        }
        ipv6 {
            forwarding enable
        }
    }
    static-host-mapping {
        host-name pbx.domain1.com {
            inet 10.254.0.24
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Chicago
    traffic-analysis {
        dpi enable
        export enable
    }
}
traffic-control {
    smart-queue SmartQoS {
        download {
            ecn enable
            rate 90mbit
        }
        upload {
            ecn enable
            rate 10mbit
        }
        wan-interface eth0
    }
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        esp-group FOO1 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        esp-group FOO2 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        esp-group FOO3 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        esp-group FOO4 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        ike-group FOO0 {
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 19
                encryption aes256
                hash sha1
            }
        }
        ike-group FOO1 {
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 19
                encryption aes256
                hash sha1
            }
        }
        ike-group FOO2 {
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 19
                encryption aes256
                hash sha1
            }
        }
        ike-group FOO3 {
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 19
                encryption aes256
                hash sha1
            }
        }
        ike-group FOO4 {
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 19
                encryption aes256
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
        site-to-site {
            peer domain2.mooo.com {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
                }
                connection-type initiate
                description "To XXXXXXX"
                ike-group FOO1
                local-address domain1.mooo.com
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO1
                    local {
                        prefix 10.254.103.0/24
                    }
                    remote {
                        prefix 10.254.108.0/24
                    }
                }
            }
            peer globe.domain1.com {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
                }
                connection-type initiate
                description "Site 1"
                ike-group FOO2
                local-address domain1.mooo.com
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO2
                    local {
                        prefix 10.254.103.0/24
                    }
                    remote {
                        prefix 10.254.0.0/24
                    }
                }
            }
            peer remote.domain2.com {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
                }
                connection-type initiate
                description "Site 2"
                ike-group FOO4
                local-address domain1.mooo.com
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO4
                    local {
                        prefix 10.254.103.0/24
                    }
                    remote {
                        prefix 10.1.1.0/24
                    }
                }
            }
            peer remote.domain3.com {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
                }
                connection-type initiate
                description "Site 3"
                ike-group FOO3
                local-address domain1.mooo.com
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO3
                    local {
                        prefix 10.254.103.0/24
                    }
                    remote {
                        prefix 10.202.0.0/21
                    }
                }
            }
            peer remote.domain4.com {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
                }
                connection-type initiate
                description "Site 4"
                ike-group FOO0
                local-address domain1.mooo.com
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 10.254.103.0/24
                    }
                    remote {
                        prefix 10.201.1.0/24
                    }
                }
                tunnel 2 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 10.254.103.0/24
                    }
                    remote {
                        prefix 10.201.5.0/24
                    }
                }
            }
        }
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.7.0.4783374.150622.1534 */


Regular Member
Posts: 738
Registered: ‎11-06-2013
Kudos: 229
Solutions: 26

Re: Upgrade from 1.7.0 to 1.8.5 breaks IPSEC

Here we go.. broke thing is broke..


jbusch@jared:~$ add system image https://dl.ubnt.com/firmwares/edgemax/v1.8.5/ER-e100.v1.8.5.4884695.tar
Trying to get upgrade file from https://dl.ubnt.com/firmwares/edgemax/v1.8.5/ER-e100.v1.8.5.4884695.tar
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 82.7M  100 82.7M    0     0  4003k      0  0:00:21  0:00:21 --:--:-- 4729k
Download suceeded
Checking upgrade image...Done
Preparing to upgrade...Done
Copying upgrade image...Done
Removing old image...Done
Checking upgrade image...Done
Copying config data...Done
Finishing upgrade...Done
Upgrade completed
jbusch@jared:~$ reboot
Proceed with reboot? [confirm][y]

Broadcast message from root@jared (pts/0) (Tue Jun 14 15:05:45 2016):

The system is going down for reboot NOW!
jbusch@jared:~$
Linux ubnt 3.10.20-UBNT #1 SMP Sat May 28 09:46:11 PDT 2016 mips64
Welcome to EdgeOS
jbusch@jared:~$ show system image
The system currently has the following image(s) installed:

v1.8.5.4884695.160608.1057     (running image) (default boot)
v1.7.0.4783374.150622.1534

jbusch@jared:~$ sudo cat /etc/ipsec.secrets
# generated by /opt/vyatta/sbin/vpn-config.pl

domain1.mooo.com domain2.mooo.com %any : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" #RIGHT#
domain1.mooo.com globe.domain1.com %any : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" #RIGHT#
domain1.mooo.com remote.domain2.com %any : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" #RIGHT#
domain1.mooo.com remote.domain3.com %any : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" #RIGHT#
domain1.mooo.com remote.domain4.com %any : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" #RIGHT#
jbusch@jared:~$
Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3121
Solutions: 945
Contributions: 16

Re: Upgrade from 1.7.0 to 1.8.5 breaks IPSEC

Do any of those FQDNs have an IPv6 address? Are all those PSKs the same or different?

I don't think I've seen a FQDN used as the "local-address". Instead, have you tried replacing the "local-address" with "dhcp-interface eth0"?

Typically when I've used FQDN I've also used id's like:


peer r3.foo.bar {
                authentication {
                    id @r1
                    mode pre-shared-secret
                    pre-shared-secret secret2
                    remote-id @r3
                }
                connection-type initiate
                dhcp-interface eth0
                ike-group IKE

Probably the way to find out why it's failing is on one side do "sudo swanctl --log"  and on the other side find the connection name in /etc/ipsec.conf and try to manually bring that connection up:


sudo ipsec up peer-<fqdn>-tunnel-1
EdgeMAX Router Software Development
Regular Member
Posts: 738
Registered: ‎11-06-2013
Kudos: 229
Solutions: 26

Re: Upgrade from 1.7.0 to 1.8.5 breaks IPSEC

[ Edited ]

Comparing the configurations, the only thing that changed in the config after the upgrade was the ikev2-reauth no being added to all of the ike-group nodes.


        ike-group FOO0 {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 19
                encryption aes256
                hash sha1
            }
        }
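A way to make that before/after comparison mechanical, as an added example (not EdgeOS code and not from anyone in this thread): a small Python parser for the brace-delimited config.boot format, plus a diff of the flattened key paths, so the leaves an upgrade transform added, removed or changed are listed rather than eyeballed. The two sample configs are constructed, trimmed to a handful of nodes from the redacted 1.7.0 config above; the only difference between them is the ikev2-reauth leaf described in this post.

```python
import shlex

# Constructed sample: a few nodes in the shape of the redacted 1.7.0 config
# posted above, and the same nodes after the upgrade added `ikev2-reauth no`.
CONFIG_170 = """\
system {
    host-name jared
    name-server 8.8.8.8
    name-server 8.8.4.4
    login {
    }
}
vpn {
    ipsec {
        ike-group FOO0 {
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 19
                encryption aes256
                hash sha1
            }
        }
        site-to-site {
            peer remote.domain4.com {
                description "Site 4"
                ike-group FOO0
                local-address domain1.mooo.com
            }
        }
    }
}
/* Release version: v1.7.0.4783374.150622.1534 */
"""
CONFIG_185 = CONFIG_170.replace(
    "        ike-group FOO0 {\n",
    "        ike-group FOO0 {\n            ikev2-reauth no\n", 1,
).replace("v1.7.0.4783374.150622.1534", "v1.8.5.4884695.160608.1057")


def parse_edgeos_config(text: str) -> dict:
    """Parse the brace-delimited EdgeOS/Vyatta config into nested dicts.

    `key value` becomes a leaf (repeated keys such as two `name-server`
    lines collect into a list; bare keys such as `disable` get ""),
    `key [tag] {` opens a child dict keyed "key tag", and the trailing
    /* ... */ version comments are skipped.
    """
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}' at top level")
            stack.pop()
            continue
        if line.endswith("{"):
            child: dict = {}
            stack[-1][" ".join(shlex.split(line[:-1]))] = child
            stack.append(child)
            continue
        parts = shlex.split(line)  # keeps "Site 4" together as one value
        key, value = parts[0], " ".join(parts[1:])
        node = stack[-1]
        if key in node:
            prev = node[key]
            node[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            node[key] = value
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root


def flatten(node: dict, prefix: tuple = ()) -> dict:
    """Map each leaf to its full path tuple; empty containers become "{}"."""
    out = {}
    for key, value in node.items():
        path = prefix + (key,)
        if isinstance(value, dict):
            if value:
                out.update(flatten(value, path))
            else:
                out[path] = "{}"
        else:
            out[path] = value
    return out


def diff_configs(old_text: str, new_text: str) -> dict:
    """Added, removed and changed leaves between two config dumps."""
    old, new = flatten(parse_edgeos_config(old_text)), flatten(parse_edgeos_config(new_text))
    return {
        "added": {" ".join(p): new[p] for p in sorted(new.keys() - old.keys())},
        "removed": {" ".join(p): old[p] for p in sorted(old.keys() - new.keys())},
        "changed": {" ".join(p): (old[p], new[p])
                    for p in sorted(old.keys() & new.keys()) if old[p] != new[p]},
    }


if __name__ == "__main__":
    for kind, leaves in diff_configs(CONFIG_170, CONFIG_185).items():
        print(kind, leaves)
```

Feed it the `show configuration` output saved from each image and the added dict is exactly the list of leaves the upgrade wrote into the config; anything under changed is a value the transform rewrote, which is what you want to compare against the generated /etc/ipsec.conf and /etc/ipsec.secrets.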


Regular Member
Posts: 738
Registered: ‎11-06-2013
Kudos: 229
Solutions: 26

Re: Upgrade from 1.7.0 to 1.8.5 breaks IPSEC

[ Edited ]

UBNT-stig wrote:

Do any of those FQDNs have an IPv6 address? Are all those PSKs the same or different?

I don't think I've seen a FQDN used as the "local-address". Instead, have you tried replacing the "local-address" with "dhcp-interface eth0"?


Nothing should have an IPv6 resolvable IP on the DNS.


All I can say is it worked in 1.7.0. I reported as much back when 1.8.0 was released in the prior linked threads.


I will look at this solution of using "dhcp-interface eth0" after I redo the config with a hardcoded IP address as well as "any", which are supposed to be standard working options that also did not work last night.


Regular Member
Posts: 738
Registered: ‎11-06-2013
Kudos: 229
Solutions: 26

Re: Upgrade from 1.7.0 to 1.8.5 breaks IPSEC

[ Edited ]

I changed it to use my current IP address. Nothing works.

jbusch@jared:~$ configure
[edit]
jbusch@jared# set vpn ipsec site-to-site peer domain2.mooo.com local-address 73.209.221.234
[edit]
jbusch@jared# set vpn ipsec site-to-site peer globe.domain1.com local-address 73.209.221.234
[edit]
jbusch@jared# set vpn ipsec site-to-site peer remote.domain2.com local-address 73.209.221.234
[edit]
jbusch@jared# set vpn ipsec site-to-site peer remote.domain3.com local-address 73.209.221.234
[edit]
jbusch@jared# set vpn ipsec site-to-site peer remote.domain4.com local-address 73.209.221.234
[edit]
jbusch@jared# compare
[edit vpn ipsec site-to-site peer domain2.mooo.com]
>local-address 73.209.221.234
[edit vpn ipsec site-to-site peer globe.domain1.com]
>local-address 73.209.221.234
[edit vpn ipsec site-to-site peer remote.domain2.com]
>local-address 73.209.221.234
[edit vpn ipsec site-to-site peer remote.domain3.com]
>local-address 73.209.221.234
[edit vpn ipsec site-to-site peer remote.domain4.com]
>local-address 73.209.221.234
[edit]
jbusch@jared# commit
[ vpn ]
conntrack v0.9.14 (conntrack-tools): connection tracking table has been emptied.

[edit]
jbusch@jared# save
Saving configuration to '/config/config.boot'...
Done
[edit]
jbusch@jared:~$ sudo cat /etc/ipsec.secrets
# generated by /opt/vyatta/sbin/vpn-config.pl

73.209.221.234 domain2.mooo.com %any : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" #RIGHT#
73.209.221.234 globe.domain1.com %any : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" #RIGHT#
73.209.221.234 remote.domain2.com %any : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" #RIGHT#
73.209.221.234 remote.domain3.com %any : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" #RIGHT#
73.209.221.234 remote.domain4.com %any : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" #RIGHT#
Regular Member
Posts: 738
Registered: ‎11-06-2013
Kudos: 229
Solutions: 26

Re: Upgrade from 1.7.0 to 1.8.5 breaks IPSEC

@UBNT-stig and I found a way to make it all work. Up to you guys to fix it. Again as was mentioned in a prior thread the %any that your code is sticking in ipsec.secrets is (apparently) breaking it.


I now set globe.domain1.com to the IP address that it resolves to instead while leaving my current IP in the local address field. That tunnel comes up. And look what happened to ipsec.secrets.


jbusch@jared:~$ configure
[edit]
jbusch@jared# delete vpn ipsec site-to-site peer globe.domain1.com
[edit]
jbusch@jared# commit
[ vpn ]
conntrack v0.9.14 (conntrack-tools): connection tracking table has been emptied.

[edit]
jbusch@jared# save
Saving configuration to '/config/config.boot'...
Done
[edit]
jbusch@jared# exit
exit
jbusch@jared:~$ sudo cat /etc/ipsec.secrets
# generated by /opt/vyatta/sbin/vpn-config.pl

73.209.221.234 domain2.mooo.com %any : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" #RIGHT#
73.209.221.234 remote.domain2.com %any : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" #RIGHT#
73.209.221.234 remote.domain3.com %any : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" #RIGHT#
73.209.221.234 remote.domain4.com %any : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" #RIGHT#
jbusch@jared:~$ configure
[edit]
jbusch@jared# set vpn ipsec site-to-site peer XXX.XXX.XXX.13 authentication mode pre-shared-secret
[edit]
jbusch@jared# set vpn ipsec site-to-site peer XXX.XXX.XXX.13 authentication pre-shared-secret XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[edit]
jbusch@jared# set vpn ipsec site-to-site peer XXX.XXX.XXX.13 connection-type initiate
[edit]
jbusch@jared# set vpn ipsec site-to-site peer XXX.XXX.XXX.13 description 'Globe'
[edit]
jbusch@jared# set vpn ipsec site-to-site peer XXX.XXX.XXX.13 ike-group FOO2
[edit]
jbusch@jared# set vpn ipsec site-to-site peer XXX.XXX.XXX.13 ikev2-reauth inherit
[edit]
jbusch@jared# set vpn ipsec site-to-site peer XXX.XXX.XXX.13 local-address 73.209.221.234
[edit]
jbusch@jared# set vpn ipsec site-to-site peer XXX.XXX.XXX.13 tunnel 1 allow-nat-networks disable
[edit]
jbusch@jared# set vpn ipsec site-to-site peer XXX.XXX.XXX.13 tunnel 1 allow-public-networks disable
[edit]
jbusch@jared# set vpn ipsec site-to-site peer XXX.XXX.XXX.13 tunnel 1 esp-group FOO2
[edit]
jbusch@jared# set vpn ipsec site-to-site peer XXX.XXX.XXX.13 tunnel 1 local prefix 10.254.103.0/24
[edit]
jbusch@jared# set vpn ipsec site-to-site peer XXX.XXX.XXX.13 tunnel 1 remote prefix 10.254.0.0/24
[edit]
jbusch@jared# commit
[ vpn ]
conntrack v0.9.14 (conntrack-tools): connection tracking table has been emptied.

[edit]
jbusch@jared# save
Saving configuration to '/config/config.boot'...
Done
[edit]
jbusch@jared# exit
exit
jbusch@jared:~$ sudo cat /etc/ipsec.secrets
# generated by /opt/vyatta/sbin/vpn-config.pl

73.209.221.234 XXX.XXX.XXX.13 : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
73.209.221.234 domain2.mooo.com %any : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" #RIGHT#
73.209.221.234 remote.domain2.com %any : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" #RIGHT#
73.209.221.234 remote.domain3.com %any : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" #RIGHT#
73.209.221.234 remote.domain4.com %any : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" #RIGHT#
jbusch@jared:~$
Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3121
Solutions: 945
Contributions: 16

Re: Upgrade from 1.7.0 to 1.8.5 breaks IPSEC


sorvani wrote:

All I can say is it worked in 1.7.0. I reported as much back when 1.8.0 was released in the prior linked threads.


In v1.7.0 there were 2 StrongSwan daemons (pluto for ikev1 and charon for ikev2). In v1.8.0 StrongSwan was upgraded to a much more current version, and in this version charon is used for both ikev1 and ikev2 (for more info see LINK). So it's a completely new daemon and not that surprising that some things work differently or don't work. We've spent an enormous amount of time testing/fixing, but obviously some things still need tweaking.

EdgeMAX Router Software Development
Regular Member
Posts: 738
Registered: ‎11-06-2013
Kudos: 229
Solutions: 26

Re: Upgrade from 1.7.0 to 1.8.5 breaks IPSEC

[ Edited ]

UBNT-stig wrote:

sorvani wrote:

All I can say is it worked in 1.7.0. I reported as much back when 1.8.0 was released in the prior linked threads.


In v1.7.0 there were 2 StrongSwan daemons (pluto for ikev1 and charon for ikev2). In v1.8.0 StrongSwan was upgraded to a much more current version, and in this version charon is used for both ikev1 and ikev2 (for more info see LINK). So it's a completely new daemon and not that surprising that some things work differently or don't work. We've spent an enormous amount of time testing/fixing, but obviously some things still need tweaking.


@UBNT-stig This is horribly basically wrong though. This is breaking on the peer having a DNS name.

Had to take a call so I was not available for a bit. Continuing where I left off in the prior post, globe.domain1.com was replaced with its IP address in the peer box, and now I put the FQDN back in the local address and it works perfectly. Again, notice ipsec.secrets.

jbusch@jared# set vpn ipsec site-to-site peer XXX.XXX.XXX.13 local-address sorvani.mooo.com
[edit]
jbusch@jared# commit
[ vpn ]
conntrack v0.9.14 (conntrack-tools): connection tracking table has been emptied.

[edit]
jbusch@jared# save
Saving configuration to '/config/config.boot'...
Done
[edit]
jbusch@jared# exit
exit
jbusch@jared:~$ sudo cat /etc/ipsec.secrets
# generated by /opt/vyatta/sbin/vpn-config.pl

domain1.mooo.com XXX.XXX.XXX.13 : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
73.209.221.234 domain2.mooo.com %any : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" #RIGHT#
73.209.221.234 remote.domain2.com %any : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" #RIGHT#
73.209.221.234 remote.domain3.com %any : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" #RIGHT#
73.209.221.234 remote.domain4.com %any : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" #RIGHT#
jbusch@jared:~$


Regular Member
Posts: 738
Registered: ‎11-06-2013
Kudos: 229
Solutions: 26

Re: Upgrade from 1.7.0 to 1.8.5 breaks IPSEC

@UBNT-stig do I need to open a support case? Or is this going to continue to be worked here?

Regular Member
Posts: 738
Registered: ‎11-06-2013
Kudos: 229
Solutions: 26

Re: Upgrade from 1.7.0 to 1.8.5 breaks IPSEC

Sad to see no response here after being so quick to complain about posting a config.


Support ticket 359542 opened and this thread referenced.

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3121
Solutions: 945
Contributions: 16

Re: Upgrade from 1.7.0 to 1.8.5 breaks IPSEC

Thank you for posting the config files.  When I get a chance I'll look into it, but currently trying to fix another bug.

EdgeMAX Router Software Development
Regular Member
Posts: 738
Registered: ‎11-06-2013
Kudos: 229
Solutions: 26

Re: Upgrade from 1.7.0 to 1.8.5 breaks IPSEC

[ Edited ]

I have modified all of the rest of the peers that have a static IP to use the IP address, with the local address my domain1.mooo.com FQDN, and none of them came up. Oddly, the remaining FQDN peer did come up with local address as my IP.

jbusch@jared:~$ sudo cat /etc/ipsec.secrets
# generated by /opt/vyatta/sbin/vpn-config.pl

domain1.mooo.com XXX.XXX.XXX.42 : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXX"
domain1.mooo.com XXX.XXX.XXX.138 : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXX"
domain1.mooo.com XXX.XXX.XXX.22 : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXX"
domain1.mooo.com XXX.XXX.XXX.13 : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXX"
73.209.221.234 domain2.mooo.com %any : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXX" #RIGHT#


I set the local address to my current IP for all of the peers and then it all came up again. All tunnels are up.


jbusch@jared:~$ sudo cat /etc/ipsec.secrets
# generated by /opt/vyatta/sbin/vpn-config.pl

73.209.221.234 XXX.XXX.XXX.42 : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXX"
73.209.221.234 XXX.XXX.XXX.138 : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXX"
73.209.221.234 XXX.XXX.XXX.22 : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXX"
73.209.221.234 XXX.XXX.XXX.13 : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXX"
73.209.221.234 domain2.mooo.com %any : PSK "XXXXXXXXXXXXXXXXXXXXXXXXXX" #RIGHT#

This is a very inconsistent reading of the config it seems to me.
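The pattern sorvani keeps pointing at in these ipsec.secrets dumps (the %any selector and #RIGHT# marker that vpn-config.pl writes when the peer is a FQDN, and their absence once the peer is an IP address) can be checked with a short script instead of by reading the file each time. This is an added example, not EdgeOS or strongSwan code: it parses the `selectors : PSK "secret" [# note]` lines, labels each selector as a %any wildcard, an @id, an IP literal or a FQDN, lists the lines carrying %any, and groups lines that share a PSK, which answers the "are all those PSKs the same or different" question from earlier in the thread. The sample file is constructed in the shape shown above, with placeholder secrets and an RFC 5737 address standing in for the redacted peer address. One thing worth knowing about the generated file regardless of what broke the tunnels: in strongSwan a %any selector makes that line a wildcard, so the key can be selected for a peer presenting an identity other than the one the config named.

```python
import ipaddress
import re

# Constructed sample in the shape vpn-config.pl writes on 1.8.5 (see the dumps
# above); placeholder secrets and an RFC 5737 address replace the redacted values.
SECRETS_185 = """\
# generated by /opt/vyatta/sbin/vpn-config.pl

domain1.mooo.com domain2.mooo.com %any : PSK "psk-placeholder-1" #RIGHT#
domain1.mooo.com 192.0.2.13 : PSK "psk-placeholder-2"
73.209.221.234 remote.domain3.com %any : PSK "psk-placeholder-1" #RIGHT#
"""

# selectors (whitespace separated, may be empty) : TYPE "secret" [# trailing note]
SECRET_RE = re.compile(
    r'^(?P<sel>(?:\S+\s+)*):\s+(?P<type>\S+)\s+"(?P<secret>[^"]*)"(?:\s+#(?P<note>.*))?\s*$'
)


def classify(selector: str) -> str:
    """Label one selector: %any wildcard, @-prefixed id, IP literal, or FQDN."""
    if selector == "%any":
        return "wildcard"
    if selector.startswith("@"):
        return "id"
    try:
        ipaddress.ip_address(selector)
        return "ip"
    except ValueError:
        return "fqdn"


def parse_secrets(text: str) -> list:
    """Return one dict per secret line; comments and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECRET_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised secrets syntax: {line}")
        selectors = m.group("sel").split()
        entries.append({
            "line": lineno,
            "selectors": selectors,
            "kinds": [classify(s) for s in selectors],
            "type": m.group("type"),
            "secret": m.group("secret"),
            "note": (m.group("note") or "").strip("# "),  # "#RIGHT#" -> "RIGHT"
        })
    return entries


def wildcard_entries(entries: list) -> list:
    """Lines whose selector list contains %any: the key is not tied to the named peer only."""
    return [e for e in entries if "wildcard" in e["kinds"]]


def shared_secrets(entries: list) -> dict:
    """Group lines that carry the same PSK, keyed by the secret value."""
    by_secret: dict = {}
    for e in entries:
        by_secret.setdefault(e["secret"], []).append(" ".join(e["selectors"]))
    return {s: sels for s, sels in by_secret.items() if len(sels) > 1}


def report(text: str) -> list:
    """Human-readable findings for one ipsec.secrets dump."""
    entries = parse_secrets(text)
    lines = [f"line {e['line']}: {' '.join(e['selectors'])} -> {'/'.join(e['kinds'])}"
             + (f" [{e['note']}]" if e["note"] else "") for e in entries]
    for e in wildcard_entries(entries):
        lines.append(f"line {e['line']}: carries %any wildcard selector")
    for secret, sels in shared_secrets(entries).items():
        lines.append(f"PSK reused across {len(sels)} lines: {'; '.join(sels)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SECRETS_185)))
```

Run it against `sudo cat /etc/ipsec.secrets` output from the 1.7.0 and 1.8.5 images and the wildcard list shows which generated lines differ between the two, independent of how the peers are described in config.boot.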
