VPN problems tracking and resolution

Owned by Marcelo Fonseca
Last updated: Nov 21, 2013 by Former user (Deleted)
5 min read

The main goal of this page is to present and give visibility to the existent VPN problems in epSOS. It will contain all the statuses and possible feedback on each situation and will serve as a place for discussion and presentation of possible solutions.

 

RELATED ISSUE: OPENNCP-30 - Getting issue details... STATUS

RELATED MEETING MINUTES:

Table of contents:

1. How to use this page

  1. Check the existent "Common problem and solutions" section, for a possible answer;
  2. Present you problem as a comment at the bottom of the page, providing as much as feedback as possible (DescriptionError messages, and other useful information);

  3. Fill your system setup configuration parameters (OpenSwan and OS version); 

    You can check the OpenSwan version with the following command:

    ipsec verify

  4. Fill the status matrix, painting the background with the corresponding color GREEN (✔ symbol), RED (✘ symbol), accordingly (if you do not fill, this task will be done by the page moderator);

    You can check the connectivity with a certain country with the following command:

    ipsec barf 2>&1 | grep -i ESTAB | grep -i '"COUNTRY CODE"'
  5. For easy access you can put a comment link in the status symbol, just go to the comment, right click the Date at the bottom of the comment and copy the link, then paste the link with the symbol as the name. (See Portuguese example) 
  6. Wait for possible feedback, provided by the task-force;

2. Task-force elements

3. Common problems and solutions

3.1. Potential problems and potential solutions

Problem #1 - Firewall Rules

Problem NameFirewall Rules
DescriptionIt is not enough just to open the Tomcat SSL port 8443 for connections with other NCPs. There are some additional ports that must be opened for IPsec to work. Here is the specification.
Solutions
TCP/8443*HTTPS *See note below
UDP/500Internet Security Association and Key Management Protocol (ISAKMP)
UDP/4500IPSec NAT Traversal (SAE-URN)

 

IP forwarding must be enabled at the firewall for the following IP protocols and UDP ports:

 

IP Protocol ID 50:

For both inbound and outbound filters. Should be set to allow Encapsulating Security Protocol (ESP) traffic to be forwarded.

 

IP Protocol ID 51:

For both inbound and outbound filters. Should be set to allow Authentication Header (AH) traffic to be forwarded.

 

UDP Port 500:

For both inbound and outbound filters. Should be set to allow ISAKMP traffic to be forwarded.


* Note that if you are using an external firewall, and the VPN tunnel terminates at your NCP, there is no need to open the port 8443 at the external firewall. If it is open, it might seem that the VPN connection works, while in fact communication is going directly and not through the VPN. In the NCP's own firewall (e.g. iptables) the port 8443 must of course be open.

Problem #2 - Why and How to setup a VPN as an epSOS PN/NCP?

Problem NameWhy and How to setup a VPN as an epSOS PN/NCP?
DescriptionA good practice manual, for epSOS PN to follow, that describes how a VPN should be setup.
Solutions

IHE - epSOS PPT - VPN setup

http://gazelle.ihe.net/content/epsos-ppt-vpn-setup-0

http://gazelle.ihe.net/content/epsos-ppt-vpn-setup (deprecated)

 

Problem #3 - Verify if firewall ports are open

Problem NameVerify if firewall ports are open
DescriptionCommands to verify if the appropriate firewall ports are open
Solutions

UDP PORTS
nmap -sU -p U:50,51,500,4500 -PN <IP_ADDRESS>

TCP PORTS
nmap -p T:50,51,500,4500 -PN <IP_ADDRESS>

Problem #4 - OpenSwan development is stalled

Problem NameOpenSwan development is stalled. OpenSwan fails to support current VPN standards.
Description

Some Linux distributions stop supporting OpenSwan. For example: https://www.suse.com/releasenotes/x86_64/SUSE-SLES/11-SP3/#fate-312973

L3 support for Openswan is scheduled to expire. This decision is driven by the fact that Openswan development stalled substantially and there are no tangible signs that this will change in the future.

In contrast to this the strongSwan project is vivid and able to deliver a complete implementation of current standards. Compared to Openswan all relevant features are available by the package strongSwan plus strongSwan is the only complete Open Source implementation of the RFC 5996 IKEv2 standard whereas Openswan only implements a small mandatory subset. For now and the expected future only strongSwan qualifies to be an enterprise-ready solution for encrypted TCP/IP connectivity.

SolutionsSwitch to strongSwan and IKEv2. FI tried this with HR. This does not work because strongSwan does not support NAT traversal in transport mode by default. It must be compiled with a switch, see

https://lists.strongswan.org/pipermail/users/2010-October/005355.html

The problem still remains. The switch to strongSwan might help in case there are no NATs involved. The connection FI-ES seemed to go up (but documents exchange was not verified) when Finland switched from openSwan to strongSwan.

Problem #5 - Connection can be started only from one part (one direction connectivity)

Problem NameConnection can be started only from one part (one direction connectivity)
DescriptionLuxembourg can initiate the connection to many pn's but none can initiate the connection to LU
Solutions

Possible solution should be Luxembourg to use public ip address without NAT.

Solved after re-installing certificates in ipsec using tslsync and removing before it all certificates. There is a possibility of corrupted exported certificates.

So, I should recommend to do the following:

  1. Check firewall status using the provided in this wiki page commands (nmap)
  2. Check with ipsec verify that ipsec starts correctly
  3. Check that certificates have been imported correctly to ipsec directory or database. Possible rerun of tslsync with prior deletion of certificates

Other ideas:

Are the problems connected with different Linux kernel versions? The problems in Finland started about at the same time when a new SLES distribution was installed, with a switch in the Linux kernel version from 2.x to 3.x? Ipsec uses some kernel modules, and this might affect the situation. Writing info on linux kernel versions in different countries might help investigating this.

3.2. What was tried and what does not seem to help

Are the problems connected with certificates? Finland and Spain tried using self-signed certificates generated in Finland using Kostas' generation scripts. This did not help solving the problem with FI-ES connection, which currently does not work despite neither part is behind NAT.

Estonia and Hungary was able to establish connection using Estonian test certificates and Hungarian PPT certificates. We were unable to connect with Estonian PPT certificates. The Estonian PPT certifcates themselves are valid.

Are the problems connected with openSwan versions? Finland tried switching from openSwan 2.6.14 to 2.6.38, this did not have any impact on the number of running connections.

4. Matrix of current situation

4.1 OPERATION

CountrySystem Setup
AT 
CZ 
DKSW Versions: Linux Openswan U2.6.32/K2.6.18-371.el5 (netkey)
OS: CentOS release 5.10 (Final)
Observation: Behind NAT firewall
ES 
FR 
GR 
IT 
SE 
SK 
TR 
CH

SW Versions: Linux Openswan U2.6.35/K2.6.32-71.24.1.el6.x86_64 (netkey)
OS: Linux vmepsos 2.6.32-71.24.1.el6.x86_64
Observation: Behind firewall 

PTSW Versions: Linux Openswan U2.6.32/K2.6.32-279.14.1.el6.x86_64
OS: CentOS x86_64 6.3 FINAL
Observation: Behind NAT firewall
MT 

 

Countries

TO
ATCZDKESFRGRITSESKTRCHPTMT

 

 

 

 

 

 

FROM

AT             
CZ             
DK           
ES             
FR        
GR             
IT            
SE            
SK             
TR             
CH      
PT  

 

       
MT             

(CLICK THE SYMBOLS FOR MORE DETAILS)

Label:

 : VPN OK

 : ERROR

BLANK : NOT TESTED

 

4.2 PPT

CountrySystem Setup
AT 
CZ 
DKSW Versions: Linux Openswan U2.6.32/K2.6.18-371.el5 (netkey)
OS: CentOS release 5.10 (Final)
Observation: Behind NAT firewall
EESW Versions: Linux Openswan U2.6.38dr2/K2.6.32-358.18.1.el6.x86_64 (netkey)
OS: CentOS x86_64 6.4 FINAL 
NAT: no NAT
ES 
FRSW Versions: Linux Openswan U2.6.35
GR 
IH 
IT 
SE

SW Versions: Linux Openswan U2.6.32/K2.6.18-348.el5 (netkey)
OS: Red Hat Enterprise Linux Server release 5.9 
NAT: Behind firewall

SK 
TR 
CHSW Versions: Linux Openswan U2.6.35/K2.6.32-71.24.1.el6.x86_64 (netkey)
OS: Linux vmepsos 2.6.32-71.24.1.el6.x86_64
Observation: Behind firewall 
DE 
FI

SW Versions: Linux OpenSwan
OS: Suse Linux Enterprise Server 11
NAT: no NAT

PTSW Versions: Linux Openswan U2.6.32/K2.6.32-279.14.1.el6.x86_64
OS: CentOS x86_64 6.3 FINAL
Observation: Behind NAT firewall
MT

SW Versions: Linux Openswan U2.6.37/K3.2.0-40-generic (netkey)
OS: Ububtu Server 12.04 64-bit
Observation: Behind NAT Firewall

SI

 

HUSW Versions: Openswan U2.6.39-66-g416d5e6/K2.6.32-358.18.1.el6.x86_64 (netkey)
OS: CentOS release 6.4 (Final)
Observation: Behind firewall, no NAT
HR 
LUSW Versions: Linux Openswan U2.6.37/K3.5.0-23-generic (netkey)
OS: Ububtu Server 12.04 64-bit
Observation: Behind NAT Firewall
CountriesTO
ATCZDKEEESFRGRIHITSESKTRCHDEFIPTMTSIHUHRLU

 

 

 

 

 

 

 

 

 

 

 

 

 

FROM














AT                     
CZ                     
DK                 
EE               
ES                     
FR               
GR                     
IH                     
IT        
SE             
SK                     
TR                     
CH    
DE                     
FI         
PT         

MT                  
SI                     
HU        
HR                     
LU              

(CLICK THE SYMBOLS FOR MORE DETAILS)

Label:

 : VPN OK

 : ERROR

BLANK : NOT TESTED