
    Posts made by Romo

    • RE: EdgeRouter L2TP VPN can't pass IKE phase 1

      @taurex here it is

      show firewall name WAN_LOCAL
       default-action drop
       description "WAN to router"
       rule 10 {
           action accept
           description "Allow established/related"
           state {
               established enable
               related enable
           }
       }
       rule 20 {
           action drop
           description "Drop invalid state"
           state {
               invalid enable
           }
       }
       rule 30 {
           action accept
           description "Allow iCMP"
           disable
           log disable
           protocol icmp
       }
       rule 40 {
           action accept
           description "Allow IKE for VPN"
           destination {
               port 500
           }
           log disable
           protocol udp
       }
       rule 50 {
           action accept
           description "Allow L2TP for VPN"
           destination {
               port 1701
           }
           log disable
           protocol udp
       }
       rule 60 {
           action accept
           description "Allow ESP for VPN"
           log disable
           protocol esp
       }
       rule 70 {
           action accept
           description "Allow NAT-T for VPN"
           destination {
               port 4500
           }
           log disable
           protocol udp
       }
      
      
      posted in IT Discussion
      Romo
    • RE: EdgeRouter L2TP VPN can't pass IKE phase 1

      Thanks for responding @jared

      @jaredbusch said in EdgeRouter L2TP VPN can't pass IKE phase 1:

      This is a working configuration I use on many routers.

      L2TP config:

      set vpn l2tp remote-access authentication local-users username SomeUsername password 'SomeUserPassword'
      set vpn l2tp remote-access authentication mode local
      set vpn l2tp remote-access client-ip-pool start 10.254.203.2
      set vpn l2tp remote-access client-ip-pool stop 10.254.203.10
      set vpn l2tp remote-access dhcp-interface eth0
      set vpn l2tp remote-access dns-servers server-1 1.1.1.1
      set vpn l2tp remote-access dns-servers server-2 8.8.8.8
      set vpn l2tp remote-access idle 1800
      set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
      set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret SomeGoodPSK
      set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
      set vpn l2tp remote-access ipsec-settings lifetime 3600
      set vpn l2tp remote-access mtu 1492
      

      The L2TP config is pretty much the same. I saw your other post and used it as well. I had the MTU set to 1492 before, but in your other guide I believe I saw it at 1400, so I currently have that.

      If your WAN port is not DHCP, then you use this line instead of the dhcp-interface line above.

      set vpn l2tp remote-access outside-address your.wan.IP.add
      

      Static ip so outside address set.
      outside-address XXX.XXX.XXX.33

      IPSEC Config:

      set vpn ipsec auto-firewall-nat-exclude enable
      set vpn ipsec esp-group bnaesp compression disable
      set vpn ipsec esp-group bnaesp lifetime 3600
      set vpn ipsec esp-group bnaesp mode tunnel
      set vpn ipsec esp-group bnaesp pfs enable
      set vpn ipsec esp-group bnaesp proposal 1 encryption aes256
      set vpn ipsec esp-group bnaesp proposal 1 hash sha1
      set vpn ipsec ike-group bnaike ikev2-reauth no
      set vpn ipsec ike-group bnaike key-exchange ikev1
      set vpn ipsec ike-group bnaike lifetime 28800
      set vpn ipsec ike-group bnaike proposal 1 dh-group 19
      set vpn ipsec ike-group bnaike proposal 1 encryption aes256
      set vpn ipsec ike-group bnaike proposal 1 hash sha1
      set vpn ipsec ipsec-interfaces interface eth0
      <snip about 8 tunnels>
      

      In the IPsec config, the only thing different is that I have the DH group set as 14.

      What seems strange is I can't even get swanctl to show me a connection attempt to see what could be wrong. This appears as if somehow I would be blocking the connection.

      posted in IT Discussion
      Romo
    • EdgeRouter L2TP VPN can't pass IKE phase 1

      Trying to set up an L2TP VPN on an EdgeRouter Lite v1.10.6. Been following this guide: https://help.ubnt.com/hc/en-us/articles/204950294-EdgeMAX-servidor-L2TP. For extra information, the same router also has an IPsec site-to-site VPN working properly.

      I have even rebuilt the config a couple of times but still nothing.

      sudo swanctl --log  
      

      Is not showing anything at all.

      The only thing I get is this:

      sudo tcpdump -npi eth0 port 500 or port 4500 or port 1701
      
      20:34:08.407450 IP XXX.XXX.XXX.31.500 > XXX.XXX.XXX.33.500: isakmp: phase 1 I ident
      20:34:11.407450 IP XXX.XXX.XXX.31.500 > XXX.XXX.XXX.33.500: isakmp: phase 1 I ident
      20:34:14.407450 IP XXX.XXX.XXX.31.500 > XXX.XXX.XXX.33.500: isakmp: phase 1 I ident
      20:34:17.407450 IP XXX.XXX.XXX.31.500 > XXX.XXX.XXX.33.500: isakmp: phase 1 I ident
      

      That is all I get on the server side and the client throws an error. I have tried connecting from an iPhone as well as different Windows 10 machines.

      Statistics for the firewall rules which show 0 packets

      rule  packets     bytes       action  description
      ----  -------     -----       ------  -----------
      10    5373        747906      ACCEPT  Allow established/related
      20    215         14863       DROP    Drop invalid state
      23    <disabled>  <disabled>  ACCEPT  Allow iCMP
      24    0           0           ACCEPT  Allow IKE for VPN
      25    0           0           ACCEPT  Allow L2TP for VPN
      26    0           0           ACCEPT  Allow ESP for VPN
      27    0           0           ACCEPT  Allow NAT-T for VPN
      10000 44          1584        DROP    DEFAULT ACTION
      

      Any other thing I can do to troubleshoot this?

      This is the full vpn config if it helps:

      ipsec {
           auto-firewall-nat-exclude enable
           esp-group FOO0 {
               compression disable
               lifetime 3600
               mode tunnel
               pfs enable
               proposal 1 {
                   encryption aes256
                   hash sha1
               }
           }
           ike-group FOO0 {
               ikev2-reauth no
               key-exchange ikev1
               lifetime 28800
               proposal 1 {
                   dh-group 14
                   encryption aes256
                   hash sha1
               }
           }
           nat-traversal enable
           site-to-site {
               peer XXX.XXX.XXX.84 {
                   authentication {
                       mode pre-shared-secret
                       pre-shared-secret  %SECRET%
                   }
                   connection-type initiate
                   description "REMOTE"
                   ike-group FOO0
                   ikev2-reauth inherit
                   local-address XXX.XXX.XXX.33
                   tunnel 1 {
                       allow-nat-networks disable
                       allow-public-networks disable
                       esp-group FOO0
                       local {
                           prefix 192.168.5.0/24
                       }
                       remote {
                           prefix 192.168.6.0/24
                       }
                   }
                   tunnel 2 {
                       allow-nat-networks disable
                       allow-public-networks disable
                       esp-group FOO0
                       local {
                           prefix 192.168.4.0/24
                       }
                       remote {
                           prefix 192.168.6.0/24
                       }
                   }
               }
           }
       }
       l2tp {
           remote-access {
               authentication {
                   local-users {
                       username romo {
                           password TestPass#2018
                       }
                   }
                   mode local
               }
               client-ip-pool {
                   start 192.168.4.10
                   stop 192.168.4.30
               }
               dns-servers {
                   server-1 192.168.5.3
               }
               idle 1800
               ipsec-settings {
                   authentication {
                       mode pre-shared-secret
                       pre-shared-secret ANOTHER-SECRET-4
                   }
                   ike-lifetime 3600
                   lifetime 3600
               }
               mtu 1400
               outside-address XXX.XXX.XXX.33
           }
       }
      
      posted in IT Discussion l2tp edgeos 1.10.6 edgerouter lite vpn
      Romo
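
The cross-check described in the post above, as an added Python example that is not part of the original thread or of EdgeOS: it reads the quoted tcpdump capture and firewall statistics and reports peers whose IKE phase 1 packets arrive without any reply, alongside enabled accept rules that have matched nothing. The function names and the assumption that the statistics table has exactly these five columns are the example's own.

```python
import re
from collections import Counter

# Sample input: the tcpdump and firewall-statistics output quoted in the post
# above (addresses masked as in the post).
CAPTURE = """\
20:34:08.407450 IP XXX.XXX.XXX.31.500 > XXX.XXX.XXX.33.500: isakmp: phase 1 I ident
20:34:11.407450 IP XXX.XXX.XXX.31.500 > XXX.XXX.XXX.33.500: isakmp: phase 1 I ident
20:34:14.407450 IP XXX.XXX.XXX.31.500 > XXX.XXX.XXX.33.500: isakmp: phase 1 I ident
20:34:17.407450 IP XXX.XXX.XXX.31.500 > XXX.XXX.XXX.33.500: isakmp: phase 1 I ident
"""
STATS = """\
rule  packets     bytes       action  description
----  -------     -----       ------  -----------
10    5373        747906      ACCEPT  Allow established/related
20    215         14863       DROP    Drop invalid state
23    <disabled>  <disabled>  ACCEPT  Allow iCMP
24    0           0           ACCEPT  Allow IKE for VPN
25    0           0           ACCEPT  Allow L2TP for VPN
26    0           0           ACCEPT  Allow ESP for VPN
27    0           0           ACCEPT  Allow NAT-T for VPN
10000 44          1584        DROP    DEFAULT ACTION
"""
# tcpdump marks initiator packets "I" and responder packets "R".
ISAKMP = re.compile(r"^\S+ IP (\S+)\.\d+ > (\S+)\.\d+: isakmp: phase 1 ([IR]) ")

def unanswered_initiators(capture, local_ip):
    """Map peer -> number of phase 1 initiator packets sent to local_ip,
    for peers that never got any ISAKMP packet back from local_ip."""
    seen, answered = Counter(), set()
    for line in capture.splitlines():
        m = ISAKMP.match(line.strip())
        if not m:
            continue
        src, dst, role = m.groups()
        if role == "I" and dst == local_ip:
            seen[src] += 1
        elif src == local_ip:
            answered.add(dst)
    return {peer: n for peer, n in seen.items() if peer not in answered}

def zero_hit_accepts(stats):
    """Descriptions of enabled ACCEPT rules whose packet counter is 0."""
    hits = []
    for line in stats.splitlines():
        cols = line.split(None, 4)  # rule, packets, bytes, action, description
        if len(cols) == 5 and cols[0].isdigit() and cols[3] == "ACCEPT" and cols[1] == "0":
            hits.append(cols[4].strip())
    return hits

if __name__ == "__main__":
    print("no reply sent to:", unanswered_initiators(CAPTURE, "XXX.XXX.XXX.33"))
    print("accept rules never matched:", zero_hit_accepts(STATS))
```

On Linux, tcpdump sees inbound packets before netfilter evaluates them, so a packet appearing in the capture has reached the interface but may still be dropped by the firewall afterwards.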
    • RE: What Are You Doing Right Now

      @obsolesce said in What Are You Doing Right Now:

      @romo said in What Are You Doing Right Now:

      Troubleshooting why a PowerShell script doesn't run when triggered from Task Scheduler.

      Not running it as correct account.

      Just figured it out, adding the full path and not a relative path while calling an auxiliary script makes it finally run properly.

      posted in Water Closet
      Romo
    • RE: What Are You Doing Right Now

      Troubleshooting why a PowerShell script doesn't run when triggered from Task Scheduler.

      posted in Water Closet
      Romo
    • RE: Rookie question: adding disk to centos KVM host

      Depending on the type of storage pool you want, you could partition your block device or create LVM volumes to be used as a storage pool. This is more of a how-to on adding storage to a Linux host.

      Here's more info https://docs.fedoraproject.org/en-US/Fedora/18/html/Virtualization_Administration_Guide/chap-Virtualization_Administration_Guide-Storage_Pools-Storage_Pools.html#sect-part-based-storage-pool-cli

      posted in IT Discussion
      Romo
    • RE: ScreenConnect?

      @dbeato said in ScreenConnect?:

      And you can also run canned scripts too.

      Canned scripts would be great to have

      posted in IT Discussion
      Romo
    • RE: ScreenConnect?

      @dbeato well remote shell is much better than just having the chance to send the commands for some stuff.

      Can you do multi shell/commands via the shell to several computers at once?

      posted in IT Discussion
      Romo
    • RE: ScreenConnect?

      @dbeato said in ScreenConnect?:

      @romo said in ScreenConnect?:

      Haven't really used too many tools to compare, but the ability to send remote commands via cmd or PowerShell in ScreenConnect is just so great. You can do so many things without the user getting interrupted or even knowing. Combine it with Chocolatey and it's even better.

      I am using Bomgar and it does not allow you to use PowerShell for sure... or scripts for that matter.

      Is that due to the plan? Thought Bomgar even had a remote shell.

      posted in IT Discussion
      Romo
    • RE: ScreenConnect?

      Haven't really used too many tools to compare, but the ability to send remote commands via cmd or PowerShell in ScreenConnect is just so great. You can do so many things without the user getting interrupted or even knowing. Combine it with Chocolatey and it's even better.

      posted in IT Discussion
      Romo
    • RE: Unable to turn up ScreenConnect server on Fedora 28

      @jaredbusch said in Unable to turn up ScreenConnect server on Fedora 28:

      System.Exception: Magic number is wrong: 542

      Searching for the error leads to a mono bug https://github.com/mono/mono/issues/6752#issuecomment-365212655

      Which supposedly you can get working by exporting an environmental variable

      export TERM=xterm
      

      According to the last comment on the thread https://github.com/mono/mono/issues/6752#issuecomment-404527450 the issue fix should already be backported on Fedora, which makes it strange, as the error is happening on Fedora 28 for Jared.

      posted in IT Discussion
      Romo
    • RE: Remote Connect/Support Tools for Fedora, Windows, OS X

      Seems really interesting with the monitoring and the ability to have custom alerts.

      @FATeknollogee How has the testing been going?

      posted in IT Discussion
      Romo
    • RE: Sudden blackouts Windows 101803

      @scottalanmiller triggered the error again, so updates didn't help😞.

      Ran a WebGL benchmark in Chrome on one monitor while surfing on the other. Watching CPUZ, temp was reaching 60C when the errors were logged.

      posted in IT Discussion
      Romo
    • RE: Sudden blackouts Windows 101803

      Before the update, we ran Furmark for 30 minutes to stress test the GPU and try to trigger the error, but the GPU ran perfectly without a single error.

      0_1535764545698_60006560-BC90-4BD2-9C2A-112BDC45B534.jpeg

      posted in IT Discussion
      Romo
    • RE: Sudden blackouts Windows 101803

      @scottalanmiller We are testing an updated driver + the TDR registry fix before trying the upgrade on the BIOS

      posted in IT Discussion
      Romo
    • RE: Set static ip for Hyper-V Server 2016 virtual ethernet adapter.

      @jaredbusch Really don't know what they did. We figured out the host was using DHCP because after an outage some VMs were not coming back up and we had to remote in.

      Tried connecting via the DNS name, just to find out the static DNS entry does not work because the server had been set up to use DHCP without even a reservation.

      So we are trying to set the Hyper V host to have a static ip and here we are.

      posted in IT Discussion
      Romo
    • RE: Sudden blackouts Windows 101803

      Errors still keep happening, started trying with older drivers to see which one finally works and resolves the issue.

      We have the event logging now:
      Event ID 4101
      display driver amdkmdap stopped responding and has successfully recovered

      So it is some driver issue.

      posted in IT Discussion
      Romo
    • RE: Set static ip for Hyper-V Server 2016 virtual ethernet adapter.

      @momurda I saw the post before but since the error message differed I had not tried enabling ipv6.
      Solution error: C:\Windows\system32\en-US\sconfig.vbs (696, 21) SWbemObjectEx: Invalid index -696
      My Error: C:\Windows\System32\en-US\sconfig.vbs(726, 21) SWbemObjectEx: Invalid index -726

      I just tried it and get the same error sadly =(:
      ms_tcpip6- True
      0_1535584427601_ipv6-on.png
      error
      0_1535584492235_static.png

      posted in IT Discussion
      Romo
    • Set static ip for Hyper-V Server 2016 virtual ethernet adapter.

      So currently the Hyper-V host has 3 virtual Ethernet adapters set to get their IP via DHCP. I am trying to change them to static, but when trying I get this error:

      C:\Windows\System32\en-US\sconfig.vbs(726, 21) SWbemObjectEx: Invalid index
      

      After the error appears the interface defaults to an APIPA address, I have to set the interface to dhcp to get it working again.

      These are the results from Get-NetAdapterBinding
      0_1535581118745_get-netadapterbinding.png

      Why can't I set the interface to static and why does it only work for dhcp?

      posted in IT Discussion hyper-v 2016 networking static dhcp
      Romo
    • RE: What Are You Doing Right Now

      Researching why I am getting this error C:\Windows\System32\en-US\sconfig.vbs(726, 21) SWbemObjectEx: Invalid index when changing the ip to static in a Hyper-V Server

      posted in Water Closet
      Romo