D-Link Forums

The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: freezoo on March 22, 2010, 03:25:54 AM

Title: DFL-210 - VPN using an IPsec lan-to-lan tunnel
Post by: freezoo on March 22, 2010, 03:25:54 AM
Hello,

I have two DFL-210s and I would like to make a site-to-site configuration.

I followed the steps in the following document:

ftp://ftp.dlink.co.uk/dfl_firewall/dfl-210/DFL-800_1600_2500-VPN_Using_an_IPSec_Lan-to-Lan_Tunnel.pdf

But the two sites cannot connect. These are the logs:

--------------------------------------------------------------------------------------------------

2010-03-20 15:59:39  Info     IPSEC  1802708  ike_sa_destroyed  ike_sa_killed
    ike_sa=" Initiator SPI ESP=0x14ff1ced, AH=0x72bd7495, IPComp=0x69cce06"

2010-03-20 15:59:39  Warning  IPSEC  1802022  ike_sa_failed  no_ike_sa
    statusmsg="No proposal chosen" local_peer="10.10.1.1 ID No Id" remote_peer="<REMOTE_IP> ID No Id" initiator_spi="ESP=0x14ff1ced, AH=0x72bd7495, IPComp=0x69cce066"

2010-03-20 15:59:39  Warning  IPSEC  1802715  event_on_ike_sa
    side=Responder msg="failed" int_severity=6

2010-03-20 15:59:39  Warning  IPSEC  1800107  ike_invalid_proposal
    local_ip=10.10.1.1 remote_ip=<REMOTE_IP> cookies=14ff1ced72bd749569cce0664da4742f reason="Could not find acceptable proposal"

2010-03-20 15:59:39  Notice   IPSEC  1802300  rule_selection_failed
    info="Peer IP address mismatch" int_severity=6

2010-03-20 15:59:39  Info     IPSEC  1803001  failed_to_select_policy_rule

2010-03-20 15:59:39  Warning  IPSEC  1802715  event_on_ike_sa
    side=Responder msg="failed" int_severity=6

--------------------------------------------------------------------------------------------------

The same logs appear on the second DFL.

Where can I configure an "acceptable proposal"?

Best regards,

Gianfranco
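An added example, not from the original thread: a small Python parser over a constructed one-line-per-entry copy of the NetDefend log quoted above. It extracts each IPsec failure event and its detail field and maps the event to the setting an admin would check first; the hint text is my own reading of the events in this thread, not D-Link documentation.

```python
import re
from collections import Counter

# Constructed sample: the entries quoted in the post, collapsed to one line each
# (date time severity category id event key=value ...).
SAMPLE_LOG = """\
2010-03-20 15:59:39 Info IPSEC 1802708 ike_sa_destroyed ike_sa="Initiator SPI ESP=0x14ff1ced, AH=0x72bd7495, IPComp=0x69cce06"
2010-03-20 15:59:39 Warning IPSEC 1802022 ike_sa_failed statusmsg="No proposal chosen" local_peer="10.10.1.1 ID No Id" remote_peer="<REMOTE_IP> ID No Id"
2010-03-20 15:59:39 Warning IPSEC 1802715 event_on_ike_sa side=Responder msg="failed" int_severity=6
2010-03-20 15:59:39 Warning IPSEC 1800107 ike_invalid_proposal local_ip=10.10.1.1 remote_ip=<REMOTE_IP> reason="Could not find acceptable proposal"
2010-03-20 15:59:39 Notice IPSEC 1802300 rule_selection_failed info="Peer IP address mismatch" int_severity=6
2010-03-20 15:59:39 Info IPSEC 1803001 failed_to_select_policy_rule
"""

ENTRY_RE = re.compile(r"^(\S+) (\S+) (\w+) (\w+) (\d+) (\w+)\s*(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # quoted values may contain spaces and '='

# What each failure event points at (hypothetical hint text, my reading of the thread).
HINTS = {
    "rule_selection_failed": "no IPsec tunnel matched the peer: check Remote Endpoint and the "
                             "NATted peer's ID (manual ID type = IP address, value = external IP)",
    "ike_invalid_proposal": "IKE proposal lists differ: align algorithms, DH group and lifetimes on both DFLs",
    "ike_sa_failed": "IKE negotiation aborted; the cause is in the surrounding events",
}

def parse_entry(line):
    """Return a dict for one log line, or None if it does not look like a NetDefend entry."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    date, time, severity, category, msg_id, event, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {"date": date, "time": time, "severity": severity, "category": category,
            "id": msg_id, "event": event, **fields}

def diagnose(log_text):
    """Count events and return (event, detail, hint) for each known failure event, in log order."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    counts = Counter(e["event"] for e in entries)
    findings = []
    for e in entries:
        if e["event"] in HINTS:
            detail = e.get("info") or e.get("reason") or e.get("statusmsg") or ""
            findings.append((e["event"], detail, HINTS[e["event"]]))
    return counts, findings

if __name__ == "__main__":
    for event, detail, hint in diagnose(SAMPLE_LOG)[1]:
        print(f"{event}: {detail!r} -> {hint}")
```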
Title: Re: DFL-210 - VPN using an IPsec lan-to-lan tunnel
Post by: danilovav on March 22, 2010, 06:11:07 AM
It seems one of your DFLs is behind NAT with a private IP?
Title: Re: DFL-210 - VPN using an IPsec lan-to-lan tunnel
Post by: freezoo on March 22, 2010, 07:40:09 AM
Yes, in fact both sites are behind NAT.

One of the two sites accepts PPTP connections; if they are configured as client and server, the VPN works correctly.
Title: Re: DFL-210 - VPN using an IPsec lan-to-lan tunnel
Post by: danilovav on March 22, 2010, 11:28:38 AM
If PPTP is working and you're satisfied with its security, just use it.

Anyway, to get IPsec working, your NAT needs to support IPsec pass-through. In that case, you can try setting, on the "NATted" DFL, manual ID type = IP address and ID value = your external address.
Title: Re: DFL-210 - VPN using an IPsec lan-to-lan tunnel
Post by: freezoo on April 15, 2010, 03:31:36 AM
Hi,

I'm not satisfied with the PPTP security level, so I'm going to configure IPsec.

I'm following this guide to generate the certificates (http://web.dlink-me.com/faqs/IPS/How_to_create_Certification_Authority_and_import_into_firewall.pdf), but when I save the configuration, the D-Link reports this error:

Error E4814/IPSEC in "<NAME>_ipsec.IPsecTunnel", property "GatewayCertificate":
  - Unable to get alternative names for gateway certificate

Thanks

Gianfranco
Title: Re: DFL-210 - VPN using an IPsec lan-to-lan tunnel
Post by: danilovav on April 15, 2010, 11:02:35 AM
In openssl.cnf, try uncommenting the line subjectAltName=email:copy

But for an easy start, you can try using a PSK.