Hello everyone, This is actually a freeswan VPN query, so I'm sorry if I had to post this query here also. But I do know that most of you are experts in the VPN field, hence, here goes...
I've been trying to do a subnet-to-subnet VPN using my LEAF based routers without success. My setup involves another LEAF machine acting as a virtual internet between the two VPN boxes. Here's a diagram of my setup:

VPN1-CLI  |eth0: 192.168.4.1    |gw: 192.168.4.200
          |
          |eth1: 192.168.4.200  |gw: 192.168.2.1
VPN1 BOX  |eth0: 192.168.2.1    |gw: 192.168.2.200
          |
          |eth1: 192.168.2.200  |gw: 192.168.1.200
ROUTER----eth0: 192.168.1.200
          |eth2: 192.168.3.200  |gw: 192.168.1.200
          |
          |eth0: 192.168.3.1    |gw: 192.168.3.200
VPN2 BOX  |eth1: 192.168.5.200  |gw: 192.168.3.1
          |
          |eth0: 192.168.5.1    |gw: 192.168.5.200
VPN2-CLI

My VPN and ROUTER machines are LEAF/LRP 2.2.19 based, while the VPN-CLI client machines are Win98 PCs.

My problem is that I cannot 'ping' 192.168.4.1 from 192.168.5.1 and vice versa. Upon running 'ipsec look' on either side, I get a 'trap' status instead of a tunnel.

SR3K-VPN1 Tue Jul 30 04:02:27 UTC 2002
192.168.4.0/24     -> 192.168.5.0/24     => %trap (0)
ipsec0->eth0 mtu=16260(1500)->1500
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.2.200   0.0.0.0         UG        0 0          0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
192.168.5.0     192.168.2.200   255.255.255.0   UG        0 0          0 ipsec0

I believe there's nothing wrong with my network setup and ipchaining / routing rules, as I am able to 'ping' VPN1 BOX from VPN2-CLI, and 'ping' VPN2 BOX from VPN1-CLI. I can also 'ping' VPN1 from VPN2 BOX, and vice versa.

Below are some of the listings in my 'ipsec barf' result. I'm currently employing a very lame ipchain rule set just to see this work. Both of my VPN machines are currently using the same set of rules with respect to their network settings. I also tried allowing ipsec protocols to pass thru ROUTER's internal networks thinking it may be needed.... not! What else am I missing here?
TIA - Vic

=============================
SR3K-VPN1 Tue Jul 30 03:43:58 UTC 2002
+ _________________________ +
+ ipsec --version
Linux FreeS/WAN 1.91
See `ipsec --copyright' for copyright information.
+ _________________________ +
+ cat /proc/net/ipsec_eroute
0          192.168.4.0/24     -> 192.168.5.0/24     => %trap
+ _________________________ +
+ cat /proc/net/ipsec_spi
+ _________________________ +
+ cat /proc/net/ipsec_spigrp
+ _________________________ +
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.5.0     192.168.2.200   255.255.255.0   UG        0 0          0 ipsec0
192.168.4.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
0.0.0.0         192.168.2.200   0.0.0.0         UG        0 0          0 eth0
+ _________________________ +
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth0 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ +
+ cat /proc/net/pf_key
    sock   pid   socket     next     prev e n p sndbf    Flags Type St
c7278680  1574 c54643b0        0        0 0 0 2 32767 00000000    3  1
+ _________________________ +
+ cd /proc/net
+ egrep ^ pf_key_registered pf_key_supported
pf_key_registered:satype   socket   pid       sk
pf_key_registered:     2 c54643b0  1574 c7278680
pf_key_registered:     3 c54643b0  1574 c7278680
pf_key_registered:     9 c54643b0  1574 c7278680
pf_key_registered:    10 c54643b0  1574 c7278680
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported:     2      14      3     0     160     160
pf_key_supported:     2      14      2     0     128     128
pf_key_supported:     3      15      3   128     168     168
pf_key_supported:     3      14      3     0     160     160
pf_key_supported:     3      14      2     0     128     128
pf_key_supported:     9      15      4     0     128     128
pf_key_supported:     9      15      3     0      32     128
pf_key_supported:     9      15      2     0     128      32
pf_key_supported:     9      15      1     0      32      32
pf_key_supported:    10      15      2     0       1       1
+ _________________________ +
+ cd /proc/sys/net/ipsec
+ egrep ^ debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:0
inbound_policy_check:1
tos:1
+ _________________________ +
+ ipsec auto --status
000 interface ipsec0/eth0 192.168.2.1
000
000 "VNP1-VPN2": 192.168.4.0/24===192.168.2.1---192.168.2.200...
000 "VNP1-VPN2": ...192.168.3.200---192.168.3.1===192.168.5.0/24
000 "VNP1-VPN2":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "VNP1-VPN2":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0; trap erouted
000 "VNP1-VPN2":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000
000 #1: "VNP1-VPN2" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 31s
+ _________________________ +
+ ifconfig -a
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:11766 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11766 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

ipsec0    Link encap:Ethernet  HWaddr 00:04:A7:01:02:48
          inet addr:192.168.2.1  Mask:255.255.255.0
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

ipsec1    Link encap:IPIP Tunnel  HWaddr
          unspec addr:[NONE SET]  Mask:[NONE SET]
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

ipsec2    Link encap:IPIP Tunnel  HWaddr
          unspec addr:[NONE SET]  Mask:[NONE SET]
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

ipsec3    Link encap:IPIP Tunnel  HWaddr
          unspec addr:[NONE SET]  Mask:[NONE SET]
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

brg0      Link encap:Ethernet  HWaddr FE:FD:06:00:09:FA
          unspec addr:[NONE SET]  Bcast:[NONE SET]  Mask:[NONE SET]
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

eth0      Link encap:Ethernet  HWaddr 00:04:A7:01:02:48
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0
          Interrupt:11 Base address:0xdc00

eth1      Link encap:Ethernet  HWaddr 00:04:A7:01:02:47
          inet addr:192.168.4.200  Bcast:192.168.4.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0
          Interrupt:10 Base address:0xd800

+ _________________________ +
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________ +
+ hostname --fqdn
SR3K-VPN1
+ _________________________ +
+ hostname --ip-address
192.168.2.1
+ _________________________ +
+ uptime
 03:43:59 up 0 Days (0h), load average: 0.27 0.22 0.10
+ _________________________ +
+ ipsec showdefaults
#dr: no default route
# no default route
# no default route
+ _________________________ +
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# basic configuration
config setup
	interfaces="ipsec0=eth0"
	klipsdebug=none
	plutodebug=none
	plutoload=%search
	plutostart=%search
	uniqueids=yes

conn %default
	keyingtries=0
	authby=rsasig

conn VNP1-VPN2
	leftid=192.168.2.1
	left=192.168.2.1
	leftsubnet=192.168.4.0/24
	leftnexthop=192.168.2.200
	leftfirewall=yes
	rightid=192.168.3.1
	right=192.168.3.1
	rightsubnet=192.168.5.0/24
	rightnexthop=192.168.3.200
	rightfirewall=yes
	auto=start
	leftrsasigkey=[sums to 364c...]
	rightrsasigkey=[sums to 1636...]
+ _________________________ +
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
+ _________________________ +
cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  859794   11803    0    0    0     0          0         0   859794   11803    0    0    0     0       0          0
ipsec0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec2:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec3:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  brg0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth0:    2834      20    0    0    0     0          0         0     2806      20    0    0    0     0       0          0
  eth1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
+ _________________________ +
cat /proc/net/route
Iface	Destination	Gateway 	Flags	RefCnt	Use	Metric	Mask		MTU	Window	IRTT
ipsec0	0005A8C0	C802A8C0	0003	0	0	0	00FFFFFF	0	0	0
eth1	0004A8C0	00000000	0001	0	0	0	00FFFFFF	0	0	0
eth0	0002A8C0	00000000	0001	0	0	0	00FFFFFF	0	0	0
ipsec0	0002A8C0	00000000	0001	0	0	0	00FFFFFF	0	0	0
eth0	00000000	C802A8C0	0003	0	0	0	00000000	0	0	0
+ _________________________ +
cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ +
cat /proc/net/ipsec_version
FreeS/WAN version: 1.91
+ _________________________ +
+ ipchains -L -v -n
Chain input (policy ACCEPT: 1 packets, 100 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark   outsize  source                destination           ports
    0     0 ACCEPT     51   ------ 0xFF 0x00  *                           192.168.3.1          192.168.2.1           n/a
    0     0 ACCEPT     50   ------ 0xFF 0x00  *                           192.168.3.1          192.168.2.1           n/a
   10  2040 ACCEPT     udp  ------ 0xFF 0x00  *                           0.0.0.0/0            192.168.2.0/24        * ->   500
    0     0 ACCEPT     50   ------ 0xFF 0x00  *                           0.0.0.0/0            192.168.2.0/24        n/a
    0     0 ACCEPT     51   ------ 0xFF 0x00  *                           0.0.0.0/0            192.168.2.0/24        n/a
    4   336 ACCEPT     all  ------ 0xFF 0x00  *                           192.168.2.1          0.0.0.0/0             n/a
    0     0 ACCEPT     all  ------ 0xFF 0x00  *                           192.168.2.1          192.168.4.0/24        n/a
11802  860K ACCEPT     all  ------ 0xFF 0x00  lo                          0.0.0.0/0            0.0.0.0/0             n/a
Chain forward (policy DENY: 0 packets, 0 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark   outsize  source                destination           ports
    0     0 ACCEPT     all  ------ 0xFF 0x00  *                           192.168.5.0/24       192.168.4.0/24        n/a
    0     0 ACCEPT     all  ------ 0xFF 0x00  *                           192.168.4.0/24       192.168.5.0/24        n/a
    0     0 ACCEPT     all  ------ 0xFF 0x00  *                           192.168.4.0/24       192.168.5.0/24        n/a
    0     0 ACCEPT     all  ------ 0xFF 0x00  *                           192.168.5.0/24       192.168.4.0/24        n/a
    0     0 MASQ       all  ------ 0xFF 0x00  *                           192.168.4.0/24       0.0.0.0/0             n/a
    0     0 MASQ       all  ------ 0xFF 0x00  *                           192.168.2.0/24       0.0.0.0/0             n/a
Chain output (policy ACCEPT: 11814 packets, 861906 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark   outsize  source                destination           ports
    0     0 -          tcp  ------ 0x01 0x08  *                           0.0.0.0/0            0.0.0.0/0             * ->   20
    0     0 -          tcp  ------ 0x01 0x10  *                           0.0.0.0/0            0.0.0.0/0             * ->   21
    0     0 -          tcp  ------ 0x01 0x10  *                           0.0.0.0/0            0.0.0.0/0             * ->   22
    0     0 -          tcp  ------ 0x01 0x10  *                           0.0.0.0/0            0.0.0.0/0             * ->   23
    0     0 -          tcp  ------ 0x01 0x10  *                           0.0.0.0/0            0.0.0.0/0             * ->   25
    0     0 -          tcp  ------ 0x01 0x10  *                           0.0.0.0/0            0.0.0.0/0             * ->   80
    0     0 -          tcp  ------ 0x01 0x10  *                           0.0.0.0/0            0.0.0.0/0             * ->   110
+ _________________________ +
cat /proc/modules
ds                      6120   1
i82365                 21964   1
pcmcia_core            44928   0  [ds i82365]
ip_masq_vdolive         1180   0  (unused)
ip_masq_user            3708   0  (unused)
ip_masq_raudio          2980   0  (unused)
ip_masq_quake           1220   0  (unused)
ip_masq_pptp            4116   0  (unused)
ip_masq_portfw          2416   0  (unused)
ip_masq_mms             2640   0  (unused)
ip_masq_mfw             3196   0  (unused)
ip_masq_irc             1924   0  (unused)
ip_masq_ipsec           7328   0  (unused)
ip_masq_icq            13096   0  (unused)
ip_masq_h323            6280   0  (unused)
ip_masq_ftp             3576   0  (unused)
ip_masq_cuseeme          964   0  (unused)
ip_masq_autofw          2476   0  (unused)
lp                      4508   0  (unused)
parport_pc              7588   2
parport                 6956   2  [lp parport_pc]
slip                    6196   0  (unused)
ppp                    20828   0  (unused)
slhc                    4436   0  [slip ppp]
ext2                   40548   0  (unused)
rtl8139                10852   2
pci-scan                2296   0  [rtl8139]
+ _________________________ +
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
-r--r--r--    1 root     root            0 Jul 30 03:44 /proc/net/ipsec_eroute
-r--r--r--    1 root     root            0 Jul 30 03:44 /proc/net/ipsec_klipsdebug
-r--r--r--    1 root     root            0 Jul 30 03:44 /proc/net/ipsec_spi
-r--r--r--    1 root     root            0 Jul 30 03:44 /proc/net/ipsec_spigrp
-r--r--r--    1 root     root            0 Jul 30 03:44 /proc/net/ipsec_tncfg
-r--r--r--    1 root     root            0 Jul 30 03:44 /proc/net/ipsec_version
+ _________________________ +
+ egrep -i ipsec|klips|pluto
+ egrep -n Starting FreeS.WAN /var/log/syslog
+ cat
+ sed -n $s/:.*//p
+ sed -n 105,$p /var/log/syslog
Jul 30 03:38:36 SR3K-VPN1 ipsec_setup: Starting FreeS/WAN IPsec 1.91...
Jul 30 03:38:36 SR3K-VPN1 ipsec_setup: KLIPS debug `none'
Jul 30 03:38:36 SR3K-VPN1 ipsec_setup: KLIPS ipsec0 on eth0 192.168.2.1/255.255.255.0 broadcast 192.168.2.255
Jul 30 03:38:36 SR3K-VPN1 ipsec_setup: ...FreeS/WAN IPsec started
+ _________________________ +
+ cat
+ egrep -i pluto
+ egrep -n Starting Pluto /var/log/auth.log
+ sed -n $s/:.*//p
+ sed -n 1,$p /var/log/auth.log
Jul 30 03:38:37 SR3K-VPN1 Pluto[1574]: Starting Pluto (FreeS/WAN Version 1.91)
Jul 30 03:38:37 SR3K-VPN1 Pluto[1574]:   including X.509 patch (Version 0.9.3)
Jul 30 03:38:37 SR3K-VPN1 Pluto[1574]: Could not change to directory '/etc/ipsec.d/cacerts'
Jul 30 03:38:37 SR3K-VPN1 Pluto[1574]: Could not change to directory '/etc/ipsec.d/crls'
Jul 30 03:38:37 SR3K-VPN1 Pluto[1574]:   could not open my X.509 cert file '/etc/x509cert.der'
Jul 30 03:38:37 SR3K-VPN1 Pluto[1574]:   OpenPGP certificate file '/etc/pgpcert.pgp' not found
Jul 30 03:38:39 SR3K-VPN1 Pluto[1574]: added connection description "VNP1-VPN2"
Jul 30 03:38:39 SR3K-VPN1 Pluto[1574]: listening for IKE messages
Jul 30 03:38:39 SR3K-VPN1 Pluto[1574]: adding interface ipsec0/eth0 192.168.2.1
Jul 30 03:38:39 SR3K-VPN1 Pluto[1574]: loading secrets from "/etc/ipsec.secrets"
Jul 30 03:38:40 SR3K-VPN1 Pluto[1574]: packet from 192.168.2.200:61070: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
Jul 30 03:38:40 SR3K-VPN1 Pluto[1574]: "VNP1-VPN2" #1: initiating Main Mode
Jul 30 03:38:50 SR3K-VPN1 Pluto[1574]: packet from 192.168.2.200:61070: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
Jul 30 03:39:10 SR3K-VPN1 Pluto[1574]: packet from 192.168.2.200:61070: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
Jul 30 03:39:50 SR3K-VPN1 Pluto[1574]: packet from 192.168.2.200:61070: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
Jul 30 03:40:30 SR3K-VPN1 Pluto[1574]: packet from 192.168.2.200:61070: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
Jul 30 03:41:10 SR3K-VPN1 Pluto[1574]: packet from 192.168.2.200:61070: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
Jul 30 03:41:50 SR3K-VPN1 Pluto[1574]: packet from 192.168.2.200:61070: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
Jul 30 03:42:30 SR3K-VPN1 Pluto[1574]: packet from 192.168.2.200:61070: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
+ _________________________ +
+ date
Tue Jul 30 03:44:01 UTC 2002
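The barf output above carries one line that decides this case before anything else: Pluto's "packet from 192.168.2.200:61070: ... but no connection has been authorized". That source address is the one the config names as leftnexthop (the ROUTER side facing VPN1), while the configured peer is right=192.168.3.1, so Pluto sees IKE arriving from an address it has no conn for and refuses it, and the eroute stays at %trap. The script below is an added example, not part of the post or of FreeS/WAN: it reads Pluto refusal lines and an ipsec.conf, groups refused IKE initiators by source, and classifies each source as a configured peer, a configured nexthop (the signature of address rewriting on the path between the gateways), or an unknown host that deserves a second look. The log and config samples are constructed from the addresses in the post; the 10.9.9.9 line is invented to exercise the "unknown" branch.

```python
import re

# Constructed sample lines modeled on the Pluto auth.log excerpt in the post.
# The final line (10.9.9.9) is invented to show a source the config never mentions.
SAMPLE_AUTH_LOG = """\
Jul 30 03:38:39 SR3K-VPN1 Pluto[1574]: added connection description "VNP1-VPN2"
Jul 30 03:38:39 SR3K-VPN1 Pluto[1574]: listening for IKE messages
Jul 30 03:38:40 SR3K-VPN1 Pluto[1574]: packet from 192.168.2.200:61070: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
Jul 30 03:38:40 SR3K-VPN1 Pluto[1574]: "VNP1-VPN2" #1: initiating Main Mode
Jul 30 03:38:50 SR3K-VPN1 Pluto[1574]: packet from 192.168.2.200:61070: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
Jul 30 03:39:10 SR3K-VPN1 Pluto[1574]: packet from 10.9.9.9:500: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
"""

# Constructed ipsec.conf fragment using the addressing from the post's config.
SAMPLE_IPSEC_CONF = """\
config setup
    interfaces="ipsec0=eth0"

conn %default
    keyingtries=0
    authby=rsasig

conn VNP1-VPN2
    left=192.168.2.1
    leftsubnet=192.168.4.0/24
    leftnexthop=192.168.2.200
    right=192.168.3.1
    rightsubnet=192.168.5.0/24
    rightnexthop=192.168.3.200
    auto=start
"""

# Matches Pluto's refusal of an initial IKE message from an unconfigured source.
REFUSED_RE = re.compile(
    r"Pluto\[\d+\]: packet from (?P<src>[\d.]+):(?P<sport>\d+): "
    r"initial (?P<mode>Main|Aggressive) Mode message received on "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) but no connection has been authorized"
)


def parse_conns(conf_text):
    """Parse the conn sections of an ipsec.conf into {name: {key: value}}.

    'config setup' and 'conn %default' are skipped; only real connections
    matter for peer matching. Indented key=value lines belong to the most
    recent section header.
    """
    conns = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():  # section header, e.g. "conn VNP1-VPN2"
            kind, _, name = line.partition(" ")
            current = name if kind == "conn" and name != "%default" else None
            if current:
                conns[current] = {}
        elif current and "=" in line:
            key, _, value = line.partition("=")
            conns[current][key.strip()] = value.strip()
    return conns


def refused_initiators(log_text):
    """Return (src, dst, mode) for every IKE message Pluto refused because
    no connection matched the source address."""
    hits = []
    for line in log_text.splitlines():
        m = REFUSED_RE.search(line)
        if m:
            hits.append((m["src"], m["dst"], m["mode"]))
    return hits


def classify_refusals(log_text, conf_text):
    """Group refused IKE initiators by source and relate each to the config:

      peer    - a configured left/right address (or some conn uses %any)
      nexthop - a configured leftnexthop/rightnexthop, i.e. a router on the
                path rather than the peer itself; IKE arriving from there
                is what address rewriting between the gateways looks like
      unknown - nothing in the config refers to this address
    """
    peers, nexthops = set(), set()
    for params in parse_conns(conf_text).values():
        for side in ("left", "right"):
            if side in params:
                peers.add(params[side])
            if side + "nexthop" in params:
                nexthops.add(params[side + "nexthop"])
    wildcard = "%any" in peers

    grouped = {}
    for src, dst, mode in refused_initiators(log_text):
        entry = grouped.setdefault(src, {"count": 0, "dst": dst, "mode": mode})
        entry["count"] += 1
    for src, entry in grouped.items():
        if src in peers or wildcard:
            entry["class"] = "peer"
        elif src in nexthops:
            entry["class"] = "nexthop"
        else:
            entry["class"] = "unknown"
    return grouped


def report(grouped):
    """Render the classification as one text line per source address."""
    return [
        f"{src}: {e['count']} refused {e['mode']} Mode message(s) to {e['dst']} [{e['class']}]"
        for src, e in sorted(grouped.items())
    ]


if __name__ == "__main__":
    for line in report(classify_refusals(SAMPLE_AUTH_LOG, SAMPLE_IPSEC_CONF)):
        print(line)
```

Run against a real box, feed it the Pluto lines from /var/log/auth.log and the live /etc/ipsec.conf; a "nexthop" hit means the IKE packets are reaching this gateway with the intermediate router's address as source, so the fix belongs on the path (or in what the conn names as right), not in the ipchains rules, while an "unknown" hit is a host that is trying to negotiate with you and that your configuration never asked for.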