- NG Firewall firmware versions 4.2.x, 5.0.x, 5.2.x
- netfence firmware versions 4.2.x
The ngadmin client does not support managing gateways whose firmware version is HIGHER than that of the ngadmin client itself. Using it on such a gateway anyway may lead to an inconsistent system configuration and cause operational malfunctions.
The ngadmin client is, of course, able to manage gateways whose firmware version is LOWER than its own.
To resolve this problem, the configuration file responsible for the VPN tunnel configuration must be edited by hand.
If you are not familiar with the vi text editor, contact support before proceeding to avoid further damage to your current configuration.
Manually configured "Advanced RAW ISAKMP Settings" are lost. If required, these settings must be re-configured for each IPsec tunnel.
All other IPsec tunnel settings are recoverable.
Step 1: Block the rangeconf service (or the boxconfig service in the case of a single box) so that nothing else accesses the affected configuration file while you edit it.
Step 2: Open the command line, log in as root and open the responsible file for editing as described below.
On control center boxes:
vi /opt/phion/maintree/configroot/<rangenumber>/<clustername>/clusterservers/<servername>/services/<servicename>/vpntunnel.conf
On single boxes:
vi /opt/phion/config/configroot/servers/<servername>/services/<servicename>/vpntunnel.conf
Search for the string RAWIPSEC; every tunnel section in which it is missing between PRESHARED and REPLAYSIZE must be changed as shown below. Then save the file.
Wrong:
PRESHARED = 0123456789012345678900
REPLAYSIZE = 0
Correct:
PRESHARED = 0123456789012345678900
RAWIPSEC = -----BEGIN Text-----
-----END Text-----
REPLAYSIZE = 0
Step 3: Activate the changed configuration:
On control centers:
Start the rangeconf service and trigger a complete update ("Control" > "Configuration Updates") by right-clicking the affected box and selecting "Complete Update" from the context menu.
On single boxes:
Start the boxconfig service, open the Site to Site configuration ("Config" > "Box" > "Virtual Servers" > "<Servername>" > "Assigned Services" > "<Servicename>" > "Site to Site") and make a dummy change so that the internal VPN configuration files derived from it are rewritten.
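When a service carries many tunnels, the edit from Step 2 is tedious and error-prone in vi. The following shell snippet is an added example, not part of the original article or of the firmware: it inserts the empty RAWIPSEC block into every tunnel section that lacks one, leaves sections that already have it alone (so it can be run twice), keeps a backup and reports how many sections were affected. It assumes the layout shown in the Wrong/Correct fragments above (one PRESHARED line per tunnel, the RAWIPSEC block directly after it, then REPLAYSIZE); the helper names and the backup file name are this example's own choices. Run it as root only after Step 1 has been carried out.

```shell
#!/bin/sh
# Added example (not from the original article): automates the Step 2 edit of
# vpntunnel.conf. Assumption: each tunnel section has exactly one
# "PRESHARED = ..." line and the RAWIPSEC block belongs directly after it.
# The empty block consists of the two marker lines shown in the article:
#   RAWIPSEC = -----BEGIN Text-----
#   -----END Text-----
# Block the rangeconf/boxconfig service (Step 1) before running this.

# Print how many PRESHARED lines are not directly followed by a RAWIPSEC line.
# Use it before and after the fix to confirm what was changed.
count_missing_rawipsec() {
    awk '
        /^[ \t]*PRESHARED[ \t]*=/ {
            if (pending) missing++        # previous PRESHARED had no RAWIPSEC
            pending = 1
            next
        }
        {
            if (pending && $0 !~ /^[ \t]*RAWIPSEC[ \t]*=/) missing++
            pending = 0
        }
        END {
            if (pending) missing++        # PRESHARED was the last line
            print missing + 0
        }
    ' "$1"
}

# Insert the empty RAWIPSEC block after every PRESHARED line that lacks one.
# Sections that already carry a RAWIPSEC block are left untouched, so running
# the function twice is harmless. A timestamped backup (name chosen here) is
# written first, and the result is written back with cat so the file keeps
# its owner and mode.
fix_vpntunnel_conf() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 1
    tmp="$conf.tmp.$$"
    awk '
        # Emit the buffered PRESHARED line and, unless the line that follows it
        # (cur) already is RAWIPSEC, the empty RAWIPSEC block.
        function flush(cur) {
            if (pending != "") {
                print pending
                if (cur !~ /^[ \t]*RAWIPSEC[ \t]*=/) {
                    print "RAWIPSEC = -----BEGIN Text-----"
                    print "-----END Text-----"
                }
                pending = ""
            }
        }
        /^[ \t]*PRESHARED[ \t]*=/ { flush($0); pending = $0; next }
        { flush($0); print }
        END { flush("") }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Usage on a single box (after Step 1), using the path from Step 2:
#   count_missing_rawipsec /opt/phion/config/configroot/servers/<servername>/services/<servicename>/vpntunnel.conf
#   fix_vpntunnel_conf     /opt/phion/config/configroot/servers/<servername>/services/<servicename>/vpntunnel.conf
#   count_missing_rawipsec /opt/phion/config/configroot/servers/<servername>/services/<servicename>/vpntunnel.conf
```

Run the count before and after the fix: the second count must be 0. Keep the .bak file until Step 3 has been completed and the tunnels are confirmed working, so the original file can be restored if the layout on your box differs from the assumption above.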