VPN SSH sentinel and .....Astaro V5 linux VPN software

Posted on 2005-04-16
Last Modified: 2013-12-07
I'm using software from SSH Sentinel to try and set up a connection via VPN but not having any luck.
Windows XP SP2 on client end

Has anyone had any luck using a client to connect to this software from Astaro?
Question by: aot2002
    LVL 12

    Expert Comment

    Please explain a little more.  Are you trying to ssh from Windows to a Linux Server?
    LVL 1

    Author Comment

    I'm using a VPN client to connect to a VPN router to try and get a VPN connection.
    But I'm not having much luck with getting the two connected.
    LVL 12

    Expert Comment

    A VPN [Virtual Private Network] has a lot of different meanings among various groups of people who use the term loosely.  This leads to some confusion.

    A true VPN connection is one that uses a public and private key [passphrase] based on a generated pair by ssh.  You have both a username and password, and a private and public key that are based on the pass phrase as agreed by two computers when the key is generated.  This ensures that both machines must have all of this information to establish a virtual private connection.  That is, because no other machine, or person, has all three, they cannot use simply the username and password to log into the VPN connection.

    The entire data should be encrypted.  This makes it virtually private.

    First, you must establish the keys and then the connection.  Before going into that, it is normal to not use "root" to log into such a connection.  Normally, any other username will work.

    Let's start with some simple questions:

    What client are you using?  If it is ssh Sentinel, now ssh SafeGuard, CyProtectAG, it's about 23 meg.  A rather large program for what you want to accomplish.

    "SSH" is Secure Shell and "SSL" is Secure Sockets Layer designed by Netscape and the W3Org people who created html, like Tim Berners-Lee.

    Secure Shell is a program that employs ssl, and ssl is a protocol.

    "Seeing "https" in the URL box on your browser means SSL is being used to encrypt data as it travels from your browser to the server."

    "SSH, for the uninitiated, is a program that's used to log into another computer over a network, run programs on a remote system and move files between computers."

    It may be referred to as a protocol, but in actuality it is an applications program.

    To clear some misconceptions up:

    "SSL is a an ISO Layer 4/5 PROTOCOL for implementing secure, socket-based data transfer. A LOT of DIFFERENT things can use SSL. Your web browser can use it. FTP can use it. Your SMTP server can probably use it. A LOT of different services can use it.

    SSH is an ISO Layer 6/7 APPLICATION, not a protocol. SSH is used to implement services, like telnet and FTP, across an SSL link."


    Because some people do not know the difference between a protocol and an application.

    Astaro 5 is on funny ground, being a form of secure linux "SELinux," because of Open Source and GNU licensing that requires publication of the source code; this looks more like someone trying to make a proprietary Linux.  As far as I know, it's okay to make money and sell Linux, it is not permitted to do so without including the source code.

    Having tried ssh Sentinel, it's slow, cumbersome, and seems to break other securities.

    Samba and a simple windows client or server would have worked better and faster.  Any distribution of Linux would have fared better.

    I think you've got "overkill" on your security, at least for Linux, and all the security programs are fighting one another.

    Additionally, IPSec has known problems and IKE has problems.

    The configuration is more difficult than simply using something like Samba and Linux without all of the stateful packet inspection and other things that will just slow down the entire network.  Configuring the router(s) adds yet another place where things can fail.

    I have Linux Slackware 10 as one of our servers, with Samba and OpenSSL it readily picks up all XP and other Windows boxes on secure sockets layers with impenetrable security.  There is no need to firewall the router [that is not its job, its job is to route packets and not to inspect them for a non sequitur "stateful packet" encryption/decryption], nor the server [Linux servers generally never need to be firewalled with software, but every client machine should have a firewall and an antivirus].  It is the job of the server to serve content, not to be either an antivirus or a firewall, except in the sense that it is the FrontEnd to the Internet.

    SELinux was dropped by the Pentagon as unnecessary and costing too much in network bandwidth and overhead.

    The Linux Server itself is quite capable of ssl without any additions of software besides OpenSSL, which usually comes with all distributions.

    The point being that overkill is when there is so much security nothing can get in or out.

    ssl integrates with Apache, ftp, and many other services, thus eliminating the need to make them VPN or add software to further encrypt already encrypted transport.

    If you also have a router that is set up for VPN, then you've added a third encryption and this is where things start to get really confused.

    I may play with the ssh Sentinel, just to see how much it breaks both the flow of data on the Intranet and Internet, but I'm pretty sure both it and the Astaro and a VPN router are overkill, a waste of time, and most likely will prove extremely difficult to get working correctly.

    Meanwhile, what is VPN'ed?  The router?  Astaro?  ssh Sentinel?

    And give me a description of how you configured the three.
    LVL 1

    Author Comment

    Ok, let me fix all the confusion.....

    SSH Sentinel is the name for a program 13 MB in size which I use with a customer's VPN device at their work location.
    I've set it up with an FVS318 router that my customer has and it works well to get me on their subnet network.

    I thought since it was free and I already use it I could add another location to it (MY HOME VPN DEVICE)...

    I didn't buy an FVS318 router; instead I built a Linux box with Astaro installed since it was free for non-commercial use.
    I wanted to take my laptop with me and use SSH Sentinel to connect to the box and get my files on my home network and be able to access my printer and more....

    As far as the router goes, I'm not sure where I SAID that above; I must have been tired, but I use the term way too loosely..
    I don't have a router connected, but I called the Linux box a VPN router since it has router capabilities in it.

    So my question is: can I get this SSH program connected with IPsec, and if so, how can I do it?
    Is there some type of docs to do this or examples for this on the internet?

    I also see a connection via VPN through Windows too....under the network wizard, and I know I saw an MSDEFAULT option in my Astaro interface.
    If I can't use the SSH Sentinel client program, can I use the Windows VPN connection?
    LVL 1

    Author Comment

    I set up the Astaro with two VPN type connections.

    The first one is:

    I selected this option: MS Windows L2TP over IPSec
    Here are the different types, though:
       Type:    Standard / Road warrior / Road warrior CA (MS Windows L2TP over IPSec)

      Endpoint Definition:
        Local Endpoint:    Internal roadrunner
        Remote Endpoint:   Any
      Authentication of remote Station(s)
        L2TP Encapsulation:   On
        IPSec Shared Secret:  TESTING


    The next connection is

    a standard connection type
    with 3_DES option
    strict routing OFF
    local endpoint INTERNAL
    Remote endpoint DYNAMIC IP ADDRESS
    local subnet ANY
    remote subnet INTERNAL
    key PSK:mysharedsecret

    This is the connection I tried using Sentinel with, not the MS one...but I set up Sentinel with the 3_DES option and group 2 and the shared secret and I couldn't get the diagnostics to work at all ....
    Is there something I might be missing?

    LVL 12

    Accepted Solution

    Okay, got your points.

    Whenever I've had a problem with connecting two computers, especially with a secure connection [encrypted], I've had to use Ethereal to inspect the packets to see what went wrong.

    Inspection of the packets will give the exact reason it didn't work.  It takes a little time to install it on both machines, get it running, and then do a series of tests by capturing packets, but it has never failed to produce results; the reason why some connection didn't work.  And it always pointed back in a way that helped fix the problem.

    " i couldn't get the diagnostics to work at all ....
    is there something i might be missing"

    Yes, the handshake must be accomplished first.

    If the authentication fails, nothing else can function.

    Linux is actually a better router than most home routers; it has no restrictions on the number of IP Addresses, as do most home routers [256 IP Addresses].  But Linux must have installed, be running the daemon for, and have the various protocols, such as tunneling, configured properly.

    I have a similar setup with two NICs in the server.  The VPN I use is Samba, because it is designed for Linux Servers to handle Windows machines.  Samba uses OpenSSL, which is to say it also uses OpenSSH. The Windows boxes don't care about which client software to use because Samba has already provided for that, being aimed at using Windows ssl.

    In addition to using Ethereal for troubleshooting, and Samba for ssl and network administration of secure connections, I also have installed and use Webmin for further Web Based Administration of the network.  Under SSL  Tunnels, there is a place to setup a new tunnel in Webmin on the Linux Server.

    Which I probably prefer, even with ssh Sentinel on the Windows box.  Auditing must be allowed, and by right-clicking the ssh Sentinel | Auditing | Audit Settings you add a user to the Allowed users.  This should be some admin user, but not root and not Administrator.

    Then you can view the Audit logs.  You can also view the sa statistics [IPSec and IKE stuff, etc..] from a normal browser window.

    You do run into a couple of problems when adding networks and hosts.  ssh Sentinel has a problem importing the key from the server, that is, there is no option in the Policy Editor to import the Linux Server's key.  Therefore, if I use the XP machine's key, the connection, even to Webmin, is immediately broken.

    The problem that results is that since the key cannot be imported, but tries to use the Windows box key, the server refuses the connection.  ssh Sentinel does not seem to be able to browse for a key on the Linux Server, instead relying on browsing its own machine or some certificate server.  However, Linux is a certificate server, although not listed in the group of worldly certificate servers, such as Thawte and others.  Linux does not need a key from one of these "charge for certificates" sites.  Windows Server itself has a Certificate Server, although this has lately been hidden, I suppose for the sake of charging for certificates.  So what's happening is that proprietary software companies are getting in the way of software that has always been basically free and are now trying to charge for such things.  This breaks most of the software, including the security software.

    This is one of the problems with GUIs oriented toward Windows.  If I create the VPN to say and then select Open VPN to this connection, first starting Ethereal to capture the traffic, it shows that Linux does not know the vendor fingerprint and thus will not allow the connection!

    Which leads back to the fact that Linux does not have the key for the box that wishes to establish the connection.  And therein lies the problem.

    I then have to check this in Webmin IPSec under Networking, which tells me that IPSec was not found under /usr/local/sbin/ipsec, and that merely means that each Linux distribution has its own paths to things and this breaks the standard Linux configuration.   A common problem with all of the different paths for different distributions.

    And this just takes me to module configuration for IPSec VPN, which Webmin lists as /etc/ipsec.conf and started by /etc/init.d/ipsec restart  However, that is geared toward either BSD or Red Hat, and this is a Slackware box, using original Unix System V trees, so that init.d is most likely /etc/rc.d/rc.inet2 or somesuch, with it most likely being replaced entirely by Samba and OpenSSL.

    This would require me to install and configure Red Hat's FreeSwan, which I may be loath to do because I'm not using a Red Hat distribution and I don't want Red Hat's stuff to break Slackware.

    Samba, OpenSSL, and other secure and VPN programs work better anyway.

    IPsec also seems to be dated.  You could, of course, try downloading and installing Webmin, which may help you configure some things, I'm not sure how well anything will work with Astaro 5.  You should also go to and look up ssh and see how it works, with examples of how to export keys and such.

    Under Ethereal, in a packet capture, you can look for src and dest port "isakmp" when trying to connect the two computers, via Select VPN, and you'll probably see "UNKNOWN-ENCRYPTION-ALG" or unknown encryption algorithm.  This is the most common reason why two computers cannot connect: un-negotiated, un-agreed upon, or unknown protocols for Auth Dialect.  And you will get a Destination Unreachable.

    Which is more or less a One Way Ping.

    The Auditing | View Audit Log  may be helpful.  Mine shows secure connections to from the Windows box work, but none to the Linux Server; which means the Linux Server refused the secure connection, most probably because there is no shared key, which it doesn't seem that ssh Sentinel is capable of exporting.

    However, also, if I type in the http:// with the IP Address of the Windows box as
    the Linux Server will connect to the Windows ssh Sentinel.  In Linux, under most configures, like Konqueror configure, I can find the encryption types.  MDE5 is common, as are many others, but not IKE or isakmp.  These are under Crypto

    The short answer is to try and get the connection working first, then add options one at a time and see if they still work.

    Unfortunately, most of the answer is long and will require a lot of reading on your part.
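    The accepted solution above points at the IKE (isakmp, UDP/500) packets in an Ethereal capture as the place where a failed Phase 1 handshake explains itself.  As an added example that is not part of this thread and not Ethereal's own code, the Python below decodes the unencrypted ISAKMP header and Notify payloads of such a datagram and maps the notification (for instance NO-PROPOSAL-CHOSEN when the 3_DES/group 2 proposal is not accepted) to what should be compared on the two sides; the sample packets are constructed, not captured traffic.

```python
import struct

# ISAKMP (IKEv1, RFC 2408): 28-byte header, then a chain of generic payloads.
EXCHANGE_TYPES = {2: "Identity Protection (Main Mode)", 4: "Aggressive",
                  5: "Informational", 32: "Quick Mode"}
PAYLOAD_NOTIFY = 11
NOTIFY_TYPES = {14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED",
                18: "INVALID-ID-INFORMATION", 24: "AUTHENTICATION-FAILED"}
FLAG_ENCRYPTED = 0x01

def parse_isakmp(pkt: bytes) -> dict:
    """Decode the header and walk the payload chain, collecting Notify types."""
    if len(pkt) < 28:
        raise ValueError("short ISAKMP header")
    icky, rcky, nxt, ver, exch, flags, _msg_id, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    if length != len(pkt):
        raise ValueError("length field does not match datagram")
    notifies, off = [], 28
    # Payloads are only walkable while the message is not encrypted (E flag clear).
    while nxt != 0 and not flags & FLAG_ENCRYPTED:
        if off + 4 > len(pkt):
            raise ValueError("truncated payload header")
        nnxt, _res, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length")
        if nxt == PAYLOAD_NOTIFY and plen >= 12:  # DOI(4) proto(1) spi_size(1) type(2)
            _doi, _proto, _spi_size, ntype = struct.unpack("!IBBH", pkt[off + 4:off + 12])
            notifies.append(NOTIFY_TYPES.get(ntype, f"NOTIFY-{ntype}"))
        off, nxt = off + plen, nnxt
    return {"initiator_cookie": icky.hex(), "responder_cookie": rcky.hex(),
            "version": f"{ver >> 4}.{ver & 0xF}",
            "exchange": EXCHANGE_TYPES.get(exch, f"type-{exch}"),
            "encrypted": bool(flags & FLAG_ENCRYPTED), "notifications": notifies}

def diagnose(pkt: bytes) -> str:
    """Translate the decoded message into the mismatch to check on both peers."""
    info = parse_isakmp(pkt)
    if "NO-PROPOSAL-CHOSEN" in info["notifications"]:
        return "Phase 1 proposal rejected: encryption, hash, DH group or auth method differ"
    if "AUTHENTICATION-FAILED" in info["notifications"]:
        return "Authentication failed: pre-shared key or identity mismatch"
    if info["exchange"].startswith("Identity Protection"):
        return "Main Mode in progress; no error reported yet"
    return f"{info['exchange']} exchange, notifications: {info['notifications'] or 'none'}"

def build_notify(ntype: int) -> bytes:
    """Constructed sample (not captured): Informational exchange with one Notify payload."""
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, PAYLOAD_NOTIFY, 0x10, 5, 0, 0x01020304, 40)
    return hdr + struct.pack("!BBHIBBH", 0, 0, 12, 1, 1, 0, ntype)

SAMPLE_NO_PROPOSAL = build_notify(14)  # constructed responder reply to a rejected proposal
```

    Feed parse_isakmp the UDP payload of a port 500 datagram exported from the capture; once the Phase 1 messages switch to the encrypted flag the decoder stops, which is itself the sign that the proposal and pre-shared key were accepted.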

    LVL 1

    Author Comment

    Well, after doing a lot of research I found out that SSH Sentinel version 1.3 is not working with WinXP Service Pack 2!
    And since they were bought out by SonicWall they no longer support their software.
    Ouch!
    LVL 12

    Expert Comment

    Thank you aot2002

    Yes, many such programs become dated when they no longer work with Windows [one of the problems of being a Microsoft developer is that like walking the plank, it is often short, and the fall a long and often fatal one].

    Which is why Open Source has so many adherents and an infinite longevity.


    i.e., it is not "addicted" to the "money tree."
