Hi,
I'd like to start by saying this project looks to be a great project.
It has a potential to take over where linsys left off. Though you could copy the ipsec tunnelling functions of linsys to make this a complete package.
My problem:
I have ipseccmd tool installed but I can't seem to start a connection.
I can run the ipseccmd from command line but not enough to establish a connection as I've never tried it before.
What can I check to see why when I click the Start button nothing happens?
Hi!
First I would like to thank you. You're the first who posts something in my project forum.
Yes, this project is in a very early alpha phase and should grow in the next months.
I didn't know about the linsys project. Thanks for that. I have to take a look at it. I thought there is only TauVPN.
On what system do you use the tool? On Windows XP SP 1 the connection display doesn't work well, even if the connection is established. On Windows 2000 it doesn't work now.
The most useful information you get from oakley.log. Or you run ipseccmd show sas. If the Quick SA is established the ipsec connection should usually be made.
Soon I'll release a new version of Alpha 2. Maybe at the end of next week.
For any questions ask me.
*Greetz*
ipsoner
OK. sorry for the obvious questions.
I'm running XP SP2 and I've just noticed that the ipseccmd.exe is installed in the windows\system32 folder with one other file to get the command working. I had the resource kit installed long ago and then copied the ipseccmd to the system32 folder but then removed the resource kit which could be causing problems. So I'll try to get that installed again properly.
I'll be happy to be your alpha/beta tester for you as I use IPSEC tunnels using ipcop a lot.
You can contact me privately as I'm a SF developer myself.
Here's the output from that command you asked.
C:\>ipseccmd show sas
Main Mode SAs
------------------------------
IPSecEnumMMSAs failed with error 50
The request is not supported.
BTW, Yes, Linsys is well known in the www.ipcops.com forums and used by many but it lacks in the certificate management part and also the configuration section is sketchy at times (can't delete profiles, etc).
I've since removed the system32 copy of ipseccmd and reinstalled the Support Tools.
I've rebooted my machine to make sure the PATH environment sticks and checked that ipseccmd show sas shows the following:
Main Mode SAs
------------------------------
No SAs
Quick Mode SAs
------------------------------
No SAs
The command completed successfully.
But when I click START, I don't see any attempts to connect. Nothing in the logs.
I can't tell if the program even attempts to do anything as there's no real status of progress (hint hint) ;)
Hi!
I would be very glad if you'd be an alpha/beta tester for my project!!!
You should check the following:
1. Is the Policy Agent (IPSec service) activated and started? (I had already implemented an auto IPSec service setup in previous versions, but in the process of developing with the new Qt toolkit I've discarded it. It'll be added in the release version at the latest.)
2. Is the connection status "no connection established" (red) or does it shine yellow (ipsec initialised) after you click on "Start"?
3. Oakley.log doesn't say anything? Not even "Initialization OK"?
4. How did you configure your connection? Interface Type should first be set to "auto" and do not set up the local gateway ip address. Try it!
5. If there is no result, post your configuration xml file (you can export it to a file).
I have tested my software in several scenarios and it worked well. I'm sure we'll find the error.
Greetz
1. Already checked that, it's on Automatic and started.
2. no connection (red).
3. Oakley only shows 1 line " 6-16: 09:17:09:484:38c Initialization OK" that's all..??
4. I got the following setup.
remote gateway (external IP of work vpn server)
local gateway (firewall/router internal IP)
Remote = Net
Remote IP = 192.168.10.0 / 24
Interface type = auto
authentication mode = x509
selection = common name
certificate = georgev
SA
mod = ESP
alg for ESP = 3des
alg for AH = SHA
Perfect Forward = left blank.. need it off.
QMR = 3600
MMR = 10Q/3 (dunno about this one).
Any command line tests we can try or can I somehow initiate my connection as a test using the data above.. I can't figure out ipseccmd.
Do you really use a combination of ESP and AH? It's not recommended anymore, because AH is not secure. AH is only for testing or when the connection should be sped up and there's no confidentiality required. Because of this matter I have neglected AH for the time being.
Nevertheless it should work. And I know why it doesn't function: an option for the ESP algorithm is missing. If you use ESP AND AH, then in ESP alg the following options should be added: [des|none] and [3des|none].
Just tell me, if you really use a combination of ESP and AH. Then I will upload the fixed prog for you.
Sorry,
you have specified that only ESP is selected. So that is not the problem.
Local gateway is not the gateway behind the remote gateway. It's usually the local interface IP on your PC if you have a direct connection (no local PAT/NAT router).
Look at the figure:
--------------
remote-net/host
--------------
|
--------------
remote-gateway
--------------
|
|
<ipsec-secured>
<internet>
|
|
--------------
local gateway
--------------
|
--------------
local net/host
--------------
Some more questions:
1. Do you use more than 1 network interface?
2. Do you use a router with NAT activated on the local side?
Greetz
I have an IPCOP machine on my local LAN, hence the reason I put Local Gateway as the firewall's internal IP as I'm not directly connected.
My PC does have multiple ethernets (lan ethernet, bluetooth ethernet, 1394 ethernet, of which the last 2 have been disabled just in case).
On start, there's a small green and black window which flashes and I have no idea what it says or if it had some important messages as your program closes it before I can blink.
What amuses me is how there's no attempt at all. I do a tcpdump on the firewall and it doesn't even start so I know the client has problems before it attempts. *sigh* :(
I think you need to space out the combos a little in the SA section, cut most of them off ;) he he
I think in later betas or release make a wizard if possible or an auto detection of the network setup would be 150% effort, with manual override of course..
Hi!
I'll make it short, I don't have much time:
The output you get from ipseccmd show sas can be traced back to not properly installed Support Tools. I suppose a dll is missing for ipseccmd.exe. The path of Support Tools must be added to the PATH env. variable (usually it happens during installation), so you don't have to copy anything to the system32 directory.
Greetz ipsoner
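The checks suggested in this thread (ipseccmd show sas first, then oakley.log) can be scripted. The following is an added example, not part of the thread or of the project's code; the function names and result labels are made up for illustration. It relies only on the output lines quoted in the posts above and, as an assumption about the real output format, treats any other line under a section header as an SA entry.

```python
import re

SECTION_RE = re.compile(r"^(Main|Quick) Mode SAs$")
FAIL_RE = re.compile(r"^(\w+) failed with error (\d+)")
# Status lines quoted in the thread; they are not SA entries.
STATUS = {"No SAs", "The request is not supported.",
          "The command completed successfully."}

def parse_show_sas(text):
    """Split 'ipseccmd show sas' output into per-section entry lists."""
    result = {"error": None, "sections": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:      # blank line or dashed rule
            continue
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1)
            result["sections"][current] = []
            continue
        failed = FAIL_RE.match(line)
        if failed:                              # e.g. IPSecEnumMMSAs ... 50
            result["error"] = (failed.group(1), int(failed.group(2)))
        elif current and line not in STATUS:    # assumption: an SA entry
            result["sections"][current].append(line)
    return result

def triage(show_sas_text, oakley_text):
    """Map the two diagnostics to one of five hypothetical labels."""
    parsed = parse_show_sas(show_sas_text)
    if parsed["error"]:
        return "tool-broken"          # ipseccmd itself cannot query SAs
    if parsed["sections"].get("Quick"):
        return "quick-sa-present"     # tunnel should be usable
    if parsed["sections"].get("Main"):
        return "main-mode-only"       # main mode done, quick mode missing
    logged = [l for l in oakley_text.splitlines() if l.strip()]
    if all("Initialization OK" in l for l in logged):
        return "no-negotiation-attempted"   # IKE never started
    return "negotiation-logged-no-sa"       # read oakley.log for the cause

# Outputs as posted in the thread.
BROKEN = r"""C:\>ipseccmd show sas
Main Mode SAs
------------------------------
IPSecEnumMMSAs failed with error 50
The request is not supported."""
NO_SAS = """Main Mode SAs
------------------------------
No SAs
Quick Mode SAs
------------------------------
No SAs
The command completed successfully."""
OAKLEY = " 6-16: 09:17:09:484:38c Initialization OK"

if __name__ == "__main__":
    print(triage(BROKEN, ""), triage(NO_SAS, OAKLEY))
```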