**Cisco** \\
  * http://www.fir3net.com/Cisco-ASA/how-to-configure-a-cisco-asa-site-to-site-vpn-between-a-static-and-dynamic-ip-based-peers.html
  * http://www.fir3net.com/Cisco-Router/configuring-a-preshared-site-to-site-vpn-between-2-cisco-routers.html
  * http://www.fir3net.com/Cisco-ASA/cisco-asa-certificate-based-ipsec-vpn-error-certificate-validation-failed-peer-certificate-key-usage-is-invalid.html

**Juniper SRX** \\
  * http://www.fir3net.com/Juniper-SRX-Series-Gateway/troubleshooting-a-site-to-site-vpn-on-a-srx-series-gateway.html
  * http://www.fir3net.com/Juniper-SRX-Series-Gateway/srx-dyn.html
  * http://www.fir3net.com/Juniper-SRX-Series-Gateway/juniper-srx-vpn-nat-issue.html
  * http://www.fir3net.com/Juniper-SRX-Series-Gateway/srx-policy-vpn.html
  * http://www.fir3net.com/Juniper-SRX-Series-Gateway/juniper-srx-route-based-vpn.html
  * http://www.fir3net.com/Juniper-SRX-Series-Gateway/juniper-srx-destination-nat-port-forwarding.html
  * http://www.fir3net.com/Juniper-SRX-Series-Gateway/how-do-i-configure-a-global-explicit-deny-on-a-srx-series-gateway.html

**Juniper Netscreen** \\
  * http://www.fir3net.com/Netscreen/troubleshooting-a-netscreen-site-2-site-vpn.html
  * http://www.fir3net.com/Netscreen/netscreen-create-a-policy-based-vpn.html
  * http://www.fir3net.com/Cisco-ASA/cisco-asa-to-netscreen-vpn-policy-vpn.html

**Checkpoint** \\
  * http://www.fir3net.com/Checkpoint/creating-a-certificate-based-site-to-site-vpn-between-2-checkpoints-gateways.html
  * http://www.fir3net.com/Checkpoint/how-do-i-create-an-ssl-vpn-on-a-checkpoint-gateway.html

**OPENVPN SERVER FEDORA** \\
  * **Installation**: [[https://chichivica.github.io/2017/08/02/Install-OpenVPN-on-Fedora-26/]]
  * PKI, CA, server and client certs (once generated) plus the configuration live in: /etc/openvpn/server
  * Logs: /etc/openvpn/server/openvpn.log and /etc/openvpn/server/openvpn-status.log
  * On the server:
<code>
systemctl enable firewalld
systemctl start firewalld
firewall-cmd --permanent --add-service openvpn
firewall-cmd --permanent --add-masquerade
# --permanent rules only become active after "firewall-cmd --reload" (or a firewalld restart, see below).
# Also enable IP forwarding in sysctl.conf and don't forget: systemctl restart network.service
</code>
Start the server:
<code>
systemctl start openvpn-server@server.service   # server
</code>
Create the .ovpn file ([[https://gist.github.com/dmytro/0606cb32e42fc0918466|generate_openvpn_config.sh]]) and start the client:
<code>
openvpn --config /home/jaime/ovpnrpi/client4.ovpn   # client
</code>
If redirection fails:\\
<code>
systemctl stop firewalld
systemctl start firewalld
</code>
----
**OPENWRT CLIENT OPENVPN**:\\
In LuCI:
  * Click Update-list
  * Then INSTALL: luci-app-openvpn openvpn-easy-rsa openvpn-openssl
  * Press OK on each of them to download and install them.
In the CLI, have these files:
<code>
root@OpenWrt:/etc/config# cat /etc/config/openvpn
config openvpn 'camarreal_ovpn'
	# This is the 'raw' .ovpn file generated on the openvpn server by doing "pivpn add nopass"
	option config '/etc/openvpn/forsythia-client.ovpn'
	option enabled '1'
</code>
Firewall and network config (from [[https://wiki.turris.cz/doc/en/howto/openvpn]] among other sources):
<code>
root@OpenWrt:/etc/config# cat /etc/config/firewall
config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	list device 'tun0'

root@OpenWrt:/etc/config# cat /etc/config/network
config interface 'vpn'
	option proto 'none'
	option ifname 'tun0'
</code>
----
LINUX VPN-CLIENT\\
[[https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#linux]] \\
START:\\
<code>
mkdir -p /var/run/xl2tpd
touch /var/run/xl2tpd/l2tp-control
service strongswan restart
service xl2tpd restart
strongswan up myvpn
echo "c myvpn" > /var/run/xl2tpd/l2tp-control
ip route add 0/0 dev ppp0
</code>
STOP:\\
<code>
ip route del 0/0 dev ppp0
echo "d myvpn" > /var/run/xl2tpd/l2tp-control
strongswan down myvpn
</code>
INVESTIGATE WHY IT CRASHES SOMETIMES:
<code>
May 9 05:16:22 observium xl2tpd: xl2tpd[23954]: Maximum retries exceeded for tunnel 23919. Closing.
May 9 05:16:22 observium xl2tpd: xl2tpd[23954]: Connection 61860 closed to 148.64.56.150, port 1701 (Timeout)
</code>
LIBRESWAN STRONGSWAN NOTES:
  * [[https://docs.cloud.mycompany2.com/en-us/iaas/Content/Network/Concepts/libreswan.htm]]
  * [[https://dc77312.wordpress.com/2019/01/08/libreswan-ipsec-vpn-on-centos-7-and-windows-10/]]
  * pluto is the IKE ("Internet Key Exchange") daemon
<code>
yum install libreswan
ipsec initnss
systemctl enable ipsec
systemctl start ipsec
# Use this to add and bring up the tunnel and see the exchange!
ipsec auto --add mycompany2-tunnel-1
ipsec auto --up mycompany2-tunnel-1
</code>
  * In the vnic: "tick skip Source/Dest Checks"
  * Modify /etc/sysctl.conf for forwarding ([[https://www.tecmint.com/setup-ipsec-vpn-with-strongswan-on-centos-rhel-8/|External Link]]). In '/etc/sysctl.d' create a file named 50-libreswan.conf with that content.
<code>
# https://libreswan.org/man/ipsec.conf.5.html
conn mycompany2-tunnel-1
    left=10.156.0.23
    # leftid=193.123.39.207   (this is the public IP, NAT-T)
    right=148.64.56.151
    authby=secret
    leftsubnet=10.181.181.0/24
    rightsubnet=10.8.0.8/23
    auto=start
    # mark needs to be unique across all tunnels
    mark=5/0xffffffff
    vti-interface=vti0
    vti-routing=no
    # To use IKEv2, change to ikev2=insist
    ikev2=insist
    # "cipher-hash;modpgroup,..": IKE encryption/authentication algorithm (and DH modp group) to be
    # used for the connection (phase 1, aka ISAKMP SA).
    ike=aes_cbc256-sha2_384;modp1536
    # (alias esp) Algorithms that will be offered/accepted for a phase 2 negotiation (~transform set).
    # Format for ESP is ENC-AUTH followed by one optional PFS group, for instance "3des-md5" or
    # "aes256-sha1;modp2048" or "aes-sha1,aes-md5". When specifying multiple algorithms, specify the
    # PFS group last, e.g. "3des-md5,aes256-sha1;modp2048".
    phase2alg=aes_gcm256;modp1536
    encapsulation=yes
    ikelifetime=28800s
    salifetime=3600s
</code>
<code>
cat /etc/ipsec.d/oci-ipsec.secrets
my-pub-ip x-end-pub-ip : PSK "a64-charslongrandomstringgeneratedwithpwgenoropensslorothertool"
</code>
----
CLASSY IPSEC-VPN TROUBLESHOOT:
  * [[http://www.twine-networks.com/blog/posts/5-troubleshooting-ipsec-log-messages]]
  * [[https://www.blackhole-networks.com/IKE_Modes/ikev1-quick.html]]
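A small triage helper for the xl2tpd log lines in the LINUX VPN-CLIENT section above, added here as an example (it is not part of the original notes, of xl2tpd, or of the hwdsl2 scripts). It pulls the peer address and close reason out of "Connection ... closed to" lines and counts "Maximum retries exceeded" events, which is what the notes flag as the tunnel "crashing": xl2tpd gave up after its control-message retransmits (keepalives) over UDP 1701 went unanswered, which usually points at the IPsec SA or a NAT/firewall state having dropped rather than at the daemon itself. The sample log is constructed; its first two lines mirror the page's extract, the other two are made up to show a clean session and a peer-initiated close.

```shell
#!/bin/sh
# Triage xl2tpd syslog output: who closed, why, and how often retries ran out.
# SAMPLE_LOG is constructed for this example (lines 1-2 copy the page's extract).
SAMPLE_LOG='May 9 05:16:22 observium xl2tpd: xl2tpd[23954]: Maximum retries exceeded for tunnel 23919. Closing.
May 9 05:16:22 observium xl2tpd: xl2tpd[23954]: Connection 61860 closed to 148.64.56.150, port 1701 (Timeout)
May 9 05:20:01 observium xl2tpd: xl2tpd[23954]: Connection established to 148.64.56.150, 1701. Local: 12345, Remote: 67 (ref=0/0).
May 9 06:02:10 observium xl2tpd: xl2tpd[23954]: Connection 61861 closed to 148.64.56.150, port 1701 (Goodbye!)'

# Print one "peer_ip reason" record per closed connection (other lines are dropped).
closed_connections() {
    printf '%s\n' "$1" |
    sed -n 's/.*Connection [0-9]* closed to \([0-9.]*\), port [0-9]* (\(.*\))$/\1 \2/p'
}

# Total number of closed connections in the log text.
count_closures() {
    closed_connections "$1" | awk 'END { print NR }'
}

# Closures whose reason is "Timeout" (the retry-exhaustion case in the notes).
count_timeout_closures() {
    closed_connections "$1" | awk '$2 == "Timeout" { n++ } END { print n + 0 }'
}

# "Maximum retries exceeded" events: the control connection stopped being acknowledged.
count_retry_exhaustion() {
    printf '%s\n' "$1" | grep -c 'Maximum retries exceeded for tunnel' || true
}

# Per-peer summary: "peer closures=N timeouts=M", one line per peer seen.
peer_summary() {
    closed_connections "$1" | awk '
        { tot[$1]++; if ($2 == "Timeout") to[$1]++ }
        END { for (p in tot) printf "%s closures=%d timeouts=%d\n", p, tot[p], to[p] + 0 }'
}

# Stand-alone run on the constructed sample.
echo "retry exhaustion events: $(count_retry_exhaustion "$SAMPLE_LOG")"
peer_summary "$SAMPLE_LOG"
```

To run it against a real box, replace the constructed sample with the xl2tpd lines from the system log (for example the output of `grep xl2tpd /var/log/messages`). A peer with many Timeout closures and matching retry-exhaustion events is the pattern to correlate with the IKE/IPsec logs on the strongswan side before suspecting xl2tpd.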
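A lint pass over a libreswan ipsec.conf and its secrets file for the caveats noted in the conn block above: mark= must be unique per tunnel, ikev2=insist pins the exchange to IKEv2, legacy tokens such as 3des/md5/modp1024 should not appear in ike= or phase2alg=, and the PSK should be long. This is an added example, not the page's or libreswan's own tooling; the two conns and the secrets are constructed (tunnel-2 is deliberately sloppy), and the 32-character PSK threshold is my own choice (the notes use 64). It only understands the subset of the ipsec.conf grammar shown on the page (conn blocks of key=value lines), not includes or %default inheritance.

```shell
#!/bin/sh
# Lint libreswan ipsec.conf / secrets text for the pitfalls noted on the page.
# Both inputs are constructed for this example, not real deployments.
SAMPLE_CONF='# constructed sample, not a real deployment
conn tunnel-1
    left=10.0.0.2
    right=203.0.113.10
    authby=secret
    mark=5/0xffffffff
    ikev2=insist
    ike=aes_cbc256-sha2_384;modp2048
    phase2alg=aes_gcm256;modp2048
    auto=start

conn tunnel-2
    left=10.0.0.2
    right=203.0.113.20
    authby=secret
    mark=5/0xffffffff
    ikev2=no
    ike=3des-md5;modp1024
    phase2alg=3des-md5
    auto=start'

SAMPLE_SECRETS='198.51.100.7 203.0.113.10 : PSK "constructedlongrandomvalue0123456789abcdefghijklmnopqrstuvwxyz01"
198.51.100.7 203.0.113.20 : PSK "short"'

MIN_PSK_LEN=32   # assumed threshold; the notes above use a 64-character PSK

# Emit "conn key value" triples; comments, blank lines and indentation are stripped.
conn_settings() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        $1 == "conn" { name = $2; next }
        name != "" && index($0, "=") > 0 {
            eq = index($0, "="); print name, substr($0, 1, eq - 1), substr($0, eq + 1)
        }'
}

# A mark value used by more than one conn breaks VTI/policy routing: "mark: conn1 conn2".
duplicate_marks() {
    conn_settings "$1" | awk '
        $2 == "mark" { seen[$3] = seen[$3] " " $1; n[$3]++ }
        END { for (m in n) if (n[m] > 1) print m ":" seen[m] }'
}

# Conns that do not explicitly set ikev2=insist.
not_ikev2_insist() {
    conn_settings "$1" | awk '
        { conns[$1] = 1 }
        $2 == "ikev2" && $3 == "insist" { ok[$1] = 1 }
        END { for (c in conns) if (!(c in ok)) print c }'
}

# Legacy algorithm tokens in the IKE or ESP proposals.
weak_algorithms() {
    conn_settings "$1" | awk '
        ($2 == "ike" || $2 == "phase2alg") && tolower($3) ~ /(3des|md5|modp1024)/ { print $1, $2, $3 }'
}

# Peer pairs whose PSK is shorter than MIN_PSK_LEN characters.
short_psks() {
    printf '%s\n' "$1" | awk -v min="$MIN_PSK_LEN" -F'"' '
        /: *PSK *"/ && length($2) < min { s = $1; sub(/[ \t]*:.*$/, "", s); print s }'
}

# Combined report; exit status 1 when there is at least one finding.
lint_report() {
    out=$(
        duplicate_marks "$1"  | sed 's/^/duplicate mark: /'
        not_ikev2_insist "$1" | sed 's/^/not ikev2=insist: /'
        weak_algorithms "$1"  | sed 's/^/legacy algorithm: /'
        short_psks "$2"       | sed 's/^/short PSK for: /'
    )
    if [ -z "$out" ]; then echo "no findings"; return 0; fi
    printf '%s\n' "$out"
    return 1
}

# Stand-alone run on the constructed sample (expected to report findings for tunnel-2).
lint_report "$SAMPLE_CONF" "$SAMPLE_SECRETS" || echo "lint exit status: $?"
```

On a real host, pass the contents of /etc/ipsec.conf (plus anything under /etc/ipsec.d/*.conf) and the secrets file, e.g. `lint_report "$(cat /etc/ipsec.conf)" "$(cat /etc/ipsec.d/oci-ipsec.secrets)"`; the non-zero exit status makes it usable as a pre-deploy gate.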