Hello everyone,

This is actually a freeswan VPN query, so I'm sorry if I had to post
this query here also. But I do know that most of you are experts in
the VPN field, hence, here goes...

I've been trying to do a subnet-to-subnet VPN using my LEAF based
routers without success.
My setup involves another LEAF machine acting as a virtual internet
between the two VPN boxes.

Here's a diagram of my setup:

   VPN1-CLI
            |eth0: 192.168.4.1
            |gw:    192.168.4.200
            |
            |
            |eth1: 192.168.4.200
            |gw:    192.168.2.1
  VPN1 BOX
            |eth0: 192.168.2.1
            |gw:   192.168.2.200
            |
            |
            |eth1: 192.168.2.200
            |gw:   192.168.1.200
    ROUTER----eth0: 192.168.1.200
            |eth2: 192.168.3.200
            |gw:    192.168.1.200
            |
            |
            |eth0: 192.168.3.1
            |gw:    192.168.3.200
  VPN2 BOX
            |eth1: 192.168.5.200
            |gw:    192.168.3.1
            |
            |
            |eth0: 192.168.5.1
            |gw:    192.168.5.200
   VPN2-CLI

My VPN and ROUTER machines are LEAF/LRP 2.2.19 based, while
the VPN-CLI client machines are Win98 PCs.

My problem is that I cannot 'ping' 192.168.4.1 from 192.168.5.1 and
vice versa. Upon running 'ipsec look' on either side, I get a 'trap'
status instead of a tunnel.

SR3K-VPN1 Tue Jul 30 04:02:27 UTC 2002
192.168.4.0/24     -> 192.168.5.0/24     => %trap (0)
ipsec0->eth0 mtu=16260(1500)->1500
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.2.200   0.0.0.0         UG        0 0          0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
192.168.5.0     192.168.2.200   255.255.255.0   UG        0 0          0 ipsec0

I believe there's nothing wrong with my network setup and ipchaining /
routing rules as I am able to 'ping' VPN1 BOX from VPN2-CLI,
and 'ping' VPN2 BOX from VPN1-CLI. I can also 'ping' VPN1
from VPN2 BOX, and vice versa.

Below are some of the listings in my 'ipsec barf' result. I'm currently
employing a very lame ipchain rule set just to see this work. Both
of my VPN machines are currently using the same set of rules with
respect to their network settings.
I also tried allowing ipsec protocols to pass thru ROUTER's internal
networks thinking it may be needed.... not!

What else am I missing here?

TIA - Vic

=============================
SR3K-VPN1
Tue Jul 30 03:43:58 UTC 2002
+ _________________________
+
+ ipsec --version
Linux FreeS/WAN 1.91
See `ipsec --copyright' for copyright information.
+ _________________________
+
+ cat /proc/net/ipsec_eroute
0          192.168.4.0/24     -> 192.168.5.0/24     => %trap
+ _________________________
+
+ cat /proc/net/ipsec_spi
+ _________________________
+
+ cat /proc/net/ipsec_spigrp
+ _________________________
+
+ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.5.0     192.168.2.200   255.255.255.0   UG        0 0          0 ipsec0
192.168.4.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
0.0.0.0         192.168.2.200   0.0.0.0         UG        0 0          0 eth0
+ _________________________
+
+ cat /proc/net/ipsec_tncfg
ipsec0 -> eth0 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________
+
+ cat /proc/net/pf_key
    sock   pid   socket     next     prev e n p sndbf    Flags     Type St
c7278680  1574 c54643b0        0        0 0 0 2 32767 00000000        3  1
+ _________________________
+
+ cd /proc/net
+ egrep ^ pf_key_registered pf_key_supported
pf_key_registered:satype   socket   pid       sk
pf_key_registered:     2 c54643b0  1574 c7278680
pf_key_registered:     3 c54643b0  1574 c7278680
pf_key_registered:     9 c54643b0  1574 c7278680
pf_key_registered:    10 c54643b0  1574 c7278680
pf_key_supported:satype exttype alg_id ivlen minbits maxbits
pf_key_supported:     2      14      3     0     160     160
pf_key_supported:     2      14      2     0     128     128
pf_key_supported:     3      15      3   128     168     168
pf_key_supported:     3      14      3     0     160     160
pf_key_supported:     3      14      2     0     128     128
pf_key_supported:     9      15      4     0     128     128
pf_key_supported:     9      15      3     0      32     128
pf_key_supported:     9      15      2     0     128      32
pf_key_supported:     9      15      1     0      32      32
pf_key_supported:    10      15      2     0       1       1
+ _________________________
+
+ cd /proc/sys/net/ipsec
+ egrep ^ debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose debug_xform icmp inbound_policy_check tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:0
inbound_policy_check:1
tos:1
+ _________________________
+
+ ipsec auto --status
000 interface ipsec0/eth0 192.168.2.1
000
000 "VNP1-VPN2": 192.168.4.0/24===192.168.2.1---192.168.2.200...
000 "VNP1-VPN2": ...192.168.3.200---192.168.3.1===192.168.5.0/24
000 "VNP1-VPN2":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "VNP1-VPN2":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0; trap erouted
000 "VNP1-VPN2":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000
000 #1: "VNP1-VPN2" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 31s
+ _________________________
+
+ ifconfig -a
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:11766 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11766 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

ipsec0    Link encap:Ethernet  HWaddr 00:04:A7:01:02:48
          inet addr:192.168.2.1  Mask:255.255.255.0
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

ipsec1    Link encap:IPIP Tunnel  HWaddr
          unspec addr:[NONE SET]  Mask:[NONE SET]
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

ipsec2    Link encap:IPIP Tunnel  HWaddr
          unspec addr:[NONE SET]  Mask:[NONE SET]
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

ipsec3    Link encap:IPIP Tunnel  HWaddr
          unspec addr:[NONE SET]  Mask:[NONE SET]
          NOARP  MTU:0  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

brg0      Link encap:Ethernet  HWaddr FE:FD:06:00:09:FA
          unspec addr:[NONE SET]  Bcast:[NONE SET]  Mask:[NONE SET]
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

eth0      Link encap:Ethernet  HWaddr 00:04:A7:01:02:48
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0
          Interrupt:11 Base address:0xdc00

eth1      Link encap:Ethernet  HWaddr 00:04:A7:01:02:47
          inet addr:192.168.4.200  Bcast:192.168.4.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0
          Interrupt:10 Base address:0xd800

+ _________________________
+
+ ipsec --directory
/usr/local/lib/ipsec
+ _________________________
+
+ hostname --fqdn
SR3K-VPN1
+ _________________________
+
+ hostname --ip-address
192.168.2.1
+ _________________________
+
+ uptime
 03:43:59 up 0 Days (0h), load average: 0.27 0.22 0.10
+ _________________________
+
+ ipsec showdefaults
#dr: no default route
# no default route
# no default route
+ _________________________
+
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor

#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# basic configuration
config setup
 interfaces="ipsec0=eth0"
 klipsdebug=none
 plutodebug=none
 plutoload=%search
 plutostart=%search
 uniqueids=yes

conn %default
 keyingtries=0
 authby=rsasig

conn VNP1-VPN2
 leftid=192.168.2.1
 left=192.168.2.1
 leftsubnet=192.168.4.0/24
 leftnexthop=192.168.2.200
 leftfirewall=yes
 rightid=192.168.3.1
 right=192.168.3.1
 rightsubnet=192.168.5.0/24
 rightnexthop=192.168.3.200
 rightfirewall=yes
 auto=start
 leftrsasigkey=[sums to 364c...]
 rightrsasigkey=[sums to 1636...]
+ _________________________
+
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
+ _________________________
+ cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  859794   11803    0    0    0     0          0         0   859794   11803    0    0    0     0       0          0
ipsec0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec2:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ipsec3:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  brg0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth0:    2834      20    0    0    0     0          0         0     2806      20    0    0    0     0       0          0
  eth1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
+ _________________________
+ cat /proc/net/route
Iface Destination Gateway  Flags RefCnt Use Metric Mask  MTU Window IRTT
ipsec0 0005A8C0 C802A8C0 0003 0 0 0 00FFFFFF 0 0 0
eth1 0004A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth0 0002A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
ipsec0 0002A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
eth0 00000000 C802A8C0 0003 0 0 0 00000000 0 0 0
+ _________________________
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________
+ cat /proc/net/ipsec_version
FreeS/WAN version: 1.91
+ _________________________
+
+ ipchains -L -v -n
Chain input (policy ACCEPT: 1 packets, 100 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark outsize  source                destination           ports
    0     0 ACCEPT     51   ------ 0xFF 0x00  *                       192.168.3.1          192.168.2.1           n/a
    0     0 ACCEPT     50   ------ 0xFF 0x00  *                       192.168.3.1          192.168.2.1           n/a
   10  2040 ACCEPT     udp  ------ 0xFF 0x00  *                       0.0.0.0/0            192.168.2.0/24        * ->   500
    0     0 ACCEPT     50   ------ 0xFF 0x00  *                       0.0.0.0/0            192.168.2.0/24        n/a
    0     0 ACCEPT     51   ------ 0xFF 0x00  *                       0.0.0.0/0            192.168.2.0/24        n/a
    4   336 ACCEPT     all  ------ 0xFF 0x00  *                       192.168.2.1          0.0.0.0/0             n/a
    0     0 ACCEPT     all  ------ 0xFF 0x00  *                       192.168.2.1          192.168.4.0/24        n/a
11802  860K ACCEPT     all  ------ 0xFF 0x00  lo                      0.0.0.0/0            0.0.0.0/0             n/a
Chain forward (policy DENY: 0 packets, 0 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark outsize  source                destination           ports
    0     0 ACCEPT     all  ------ 0xFF 0x00  *                       192.168.5.0/24       192.168.4.0/24        n/a
    0     0 ACCEPT     all  ------ 0xFF 0x00  *                       192.168.4.0/24       192.168.5.0/24        n/a
    0     0 ACCEPT     all  ------ 0xFF 0x00  *                       192.168.4.0/24       192.168.5.0/24        n/a
    0     0 ACCEPT     all  ------ 0xFF 0x00  *                       192.168.5.0/24       192.168.4.0/24        n/a
    0     0 MASQ       all  ------ 0xFF 0x00  *                       192.168.4.0/24       0.0.0.0/0             n/a
    0     0 MASQ       all  ------ 0xFF 0x00  *                       192.168.2.0/24       0.0.0.0/0             n/a
Chain output (policy ACCEPT: 11814 packets, 861906 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark outsize  source                destination           ports
    0     0 -          tcp  ------ 0x01 0x08  *                       0.0.0.0/0            0.0.0.0/0             * ->   20
    0     0 -          tcp  ------ 0x01 0x10  *                       0.0.0.0/0            0.0.0.0/0             * ->   21
    0     0 -          tcp  ------ 0x01 0x10  *                       0.0.0.0/0            0.0.0.0/0             * ->   22
    0     0 -          tcp  ------ 0x01 0x10  *                       0.0.0.0/0            0.0.0.0/0             * ->   23
    0     0 -          tcp  ------ 0x01 0x10  *                       0.0.0.0/0            0.0.0.0/0             * ->   25
    0     0 -          tcp  ------ 0x01 0x10  *                       0.0.0.0/0            0.0.0.0/0             * ->   80
    0     0 -          tcp  ------ 0x01 0x10  *                       0.0.0.0/0            0.0.0.0/0             * ->   110
+ _________________________
+ cat /proc/modules
ds                      6120   1
i82365                 21964   1
pcmcia_core            44928   0 [ds i82365]
ip_masq_vdolive         1180   0 (unused)
ip_masq_user            3708   0 (unused)
ip_masq_raudio          2980   0 (unused)
ip_masq_quake           1220   0 (unused)
ip_masq_pptp            4116   0 (unused)
ip_masq_portfw          2416   0 (unused)
ip_masq_mms             2640   0 (unused)
ip_masq_mfw             3196   0 (unused)
ip_masq_irc             1924   0 (unused)
ip_masq_ipsec           7328   0 (unused)
ip_masq_icq            13096   0 (unused)
ip_masq_h323            6280   0 (unused)
ip_masq_ftp             3576   0 (unused)
ip_masq_cuseeme          964   0 (unused)
ip_masq_autofw          2476   0 (unused)
lp                      4508   0 (unused)
parport_pc              7588   2
parport                 6956   2 [lp parport_pc]
slip                    6196   0 (unused)
ppp                    20828   0 (unused)
slhc                    4436   0 [slip ppp]
ext2                   40548   0 (unused)
rtl8139                10852   2
pci-scan                2296   0 [rtl8139]
+ _________________________
+
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug /proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg /proc/net/ipsec_version
-r--r--r--    1 root     root            0 Jul 30 03:44 /proc/net/ipsec_eroute
-r--r--r--    1 root     root            0 Jul 30 03:44 /proc/net/ipsec_klipsdebug
-r--r--r--    1 root     root            0 Jul 30 03:44 /proc/net/ipsec_spi
-r--r--r--    1 root     root            0 Jul 30 03:44 /proc/net/ipsec_spigrp
-r--r--r--    1 root     root            0 Jul 30 03:44 /proc/net/ipsec_tncfg
-r--r--r--    1 root     root            0 Jul 30 03:44 /proc/net/ipsec_version
+ _________________________
+
+ egrep -i ipsec|klips|pluto
+ egrep -n Starting FreeS.WAN /var/log/syslog
+ cat
+ sed -n $s/:.*//p
+ sed -n 105,$p /var/log/syslog
Jul 30 03:38:36 SR3K-VPN1 ipsec_setup: Starting FreeS/WAN IPsec 1.91...
Jul 30 03:38:36 SR3K-VPN1 ipsec_setup: KLIPS debug `none'
Jul 30 03:38:36 SR3K-VPN1 ipsec_setup: KLIPS ipsec0 on eth0 192.168.2.1/255.255.255.0 broadcast 192.168.2.255
Jul 30 03:38:36 SR3K-VPN1 ipsec_setup: ...FreeS/WAN IPsec started
+ _________________________
+
+ cat
+ egrep -i pluto
+ egrep -n Starting Pluto /var/log/auth.log
+ sed -n $s/:.*//p
+ sed -n 1,$p /var/log/auth.log
Jul 30 03:38:37 SR3K-VPN1 Pluto[1574]: Starting Pluto (FreeS/WAN Version 1.91)
Jul 30 03:38:37 SR3K-VPN1 Pluto[1574]:   including X.509 patch (Version 0.9.3)
Jul 30 03:38:37 SR3K-VPN1 Pluto[1574]: Could not change to directory '/etc/ipsec.d/cacerts'
Jul 30 03:38:37 SR3K-VPN1 Pluto[1574]: Could not change to directory '/etc/ipsec.d/crls'
Jul 30 03:38:37 SR3K-VPN1 Pluto[1574]:   could not open my X.509 cert file '/etc/x509cert.der'
Jul 30 03:38:37 SR3K-VPN1 Pluto[1574]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
Jul 30 03:38:39 SR3K-VPN1 Pluto[1574]: added connection description "VNP1-VPN2"
Jul 30 03:38:39 SR3K-VPN1 Pluto[1574]: listening for IKE messages
Jul 30 03:38:39 SR3K-VPN1 Pluto[1574]: adding interface ipsec0/eth0 192.168.2.1
Jul 30 03:38:39 SR3K-VPN1 Pluto[1574]: loading secrets from "/etc/ipsec.secrets"
Jul 30 03:38:40 SR3K-VPN1 Pluto[1574]: packet from 192.168.2.200:61070: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
Jul 30 03:38:40 SR3K-VPN1 Pluto[1574]: "VNP1-VPN2" #1: initiating Main Mode
Jul 30 03:38:50 SR3K-VPN1 Pluto[1574]: packet from 192.168.2.200:61070: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
Jul 30 03:39:10 SR3K-VPN1 Pluto[1574]: packet from 192.168.2.200:61070: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
Jul 30 03:39:50 SR3K-VPN1 Pluto[1574]: packet from 192.168.2.200:61070: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
Jul 30 03:40:30 SR3K-VPN1 Pluto[1574]: packet from 192.168.2.200:61070: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
Jul 30 03:41:10 SR3K-VPN1 Pluto[1574]: packet from 192.168.2.200:61070: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
Jul 30 03:41:50 SR3K-VPN1 Pluto[1574]: packet from 192.168.2.200:61070: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
Jul 30 03:42:30 SR3K-VPN1 Pluto[1574]: packet from 192.168.2.200:61070: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
+ _________________________
+
+ date
Tue Jul 30 03:44:01 UTC 2002
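The auth.log in the barf above shows why Pluto never gets past STATE_MAIN_I1: every incoming Main Mode message arrives from 192.168.2.200 (ROUTER's eth1 address, a configured nexthop) rather than from the configured peer `right=192.168.3.1`, so no conn matches and the IKE exchange is refused. The script below is an added example, not part of the original post or of FreeS/WAN: it parses the `conn` block and Pluto's "no connection has been authorized" lines and reports, per rejected initiator, whether the source is a configured endpoint, a configured nexthop (IKE being masqueraded on the path), or unknown. The conf and log samples are constructed from the post; the verdict strings are this example's own.

```python
import re
from collections import Counter

# Constructed sample: the conn block from the post's ipsec.conf, keys omitted.
IPSEC_CONF = """\
conn VNP1-VPN2
 left=192.168.2.1
 leftsubnet=192.168.4.0/24
 leftnexthop=192.168.2.200
 right=192.168.3.1
 rightsubnet=192.168.5.0/24
 rightnexthop=192.168.3.200
"""

# Constructed sample log lines modelled on the auth.log excerpt in the barf.
AUTH_LOG = """\
Jul 30 03:38:39 SR3K-VPN1 Pluto[1574]: added connection description "VNP1-VPN2"
Jul 30 03:38:40 SR3K-VPN1 Pluto[1574]: packet from 192.168.2.200:61070: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
Jul 30 03:38:40 SR3K-VPN1 Pluto[1574]: "VNP1-VPN2" #1: initiating Main Mode
Jul 30 03:38:50 SR3K-VPN1 Pluto[1574]: packet from 192.168.2.200:61070: initial Main Mode message received on 192.168.2.1:500 but no connection has been authorized
"""

# Pluto's rejection line for an unknown IKE initiator (format as in the log above).
UNAUTHORIZED = re.compile(
    r"packet from (?P<src>\d+\.\d+\.\d+\.\d+):(?P<port>\d+): initial Main Mode "
    r"message received on (?P<dst>\d+\.\d+\.\d+\.\d+):500 but no connection has been authorized"
)


def parse_conns(conf):
    """Map each conn name to its key=value settings (ipsec.conf style, one per line)."""
    conns, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current and "=" in line:
            key, _, value = line.partition("=")
            conns[current][key.strip()] = value.strip()
    return conns


def unauthorized_peers(conf, log):
    """Return {src_ip: (hit_count, verdict)} for every rejected Main Mode initiator."""
    conns = parse_conns(conf)
    endpoints = {c[k] for c in conns.values() for k in ("left", "right") if k in c}
    nexthops = {c[k] for c in conns.values() for k in ("leftnexthop", "rightnexthop") if k in c}
    hits = Counter(m.group("src") for m in (UNAUTHORIZED.search(l) for l in log.splitlines()) if m)
    report = {}
    for src, count in hits.items():
        if src in endpoints:
            verdict = "configured peer address but no conn matched: check leftid/rightid and rsasigkeys"
        elif src in nexthops:
            verdict = "source is a configured nexthop: IKE is being NATed/masqueraded before it reaches us"
        else:
            verdict = "unknown initiator: not a configured peer or nexthop"
        report[src] = (count, verdict)
    return report


if __name__ == "__main__":
    for src, (count, verdict) in unauthorized_peers(IPSEC_CONF, AUTH_LOG).items():
        print(f"{src}: {count} rejected Main Mode attempt(s); {verdict}")
```

Run against a real /var/log/auth.log, a nexthop verdict on the only rejected source is the signal to look at masquerading on the intermediate box rather than at keys or firewall rules on the VPN gateways.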



------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
