On Saturday 16 November 2002 15:49, Lee Kimber wrote:

> Hi,
>
> I'm trying to create a host subnet connection from an XP box to a
> subnet behind a Bering V1 rc4 NAT firewall.
>
> When the XP client pings an interface on the firewalled subnet, it
> returns one "Negotiating IP security" response followed by "Request
> timed out" for its other ping packets. Judging from
> /var/log/auth.log, the problem occurs after IPsec SA is established.
> I'm out of ideas to troubleshoot for what that problem might be.

Likely this is an incorrect option set up on the WinXP client. The Bering
Users manual ( http://leaf.sourceforge.net/devel/jnilo/buipsec.html#AEN1436 )
has instructions for Win2K, if they help. Possibly Chad Carr or someone
else that has connected with WinXP could help here.

> In producing ipsec barf, there is clearly a problem with there being
> no md5sum on the system, but shouldn't that be part of ipsec.lrp if
> it is required for operation?

This should not be required.

> What auth.log shows when I attempt to connect:
>
> Nov 16 23:02:37 beringfirewall ipsec__plutorun: Starting Pluto subsystem...
> Nov 16 23:02:37 beringfirewall pluto[7363]: Starting Pluto (FreeS/WAN Version 1.98b)
> Nov 16 23:02:38 beringfirewall pluto[7363]: added connection description "w2k-road-warriors"
> Nov 16 23:02:38 beringfirewall pluto[7363]: listening for IKE messages
> Nov 16 23:02:38 beringfirewall pluto[7363]: adding interface ipsec0/eth0 192.168.2.253
> Nov 16 23:02:38 beringfirewall pluto[7363]: loading secrets from "/etc/ipsec.secrets"
> Nov 16 23:03:50 beringfirewall pluto[7363]: packet from 192.168.2.1:500: ignoring Vendor ID payload
> Nov 16 23:03:50 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: responding to Main Mode from unknown peer 192.168.2.1
> Nov 16 23:03:50 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: sent MR3, ISAKMP SA established
> Nov 16 23:03:51 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #2: responding to Quick Mode
> Nov 16 23:03:51 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #2: IPsec SA established

Hmm.... it appears to be extremely strange to be connecting to an rfc1918
class address via the internet (or even having Shorewall accept anything
from this address). Could we get some more information on the WAN link?

> then it pauses until eventually...
>
> Nov 16 23:04:54 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: ignoring Delete SA payload
> Nov 16 23:04:54 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: received and ignored informational message

Apparently Bering didn't approve the information sent through the tunnel.
Sounds like there may be a configuration problem on either of the two boxes.

> IPsec start up
> # /etc/init.d/ipsec start
> ipsec_setup: Starting FreeS/WAN IPsec 1.98b...
> ipsec_setup: Using /lib/modules/ipsec.o
> ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
> ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = `1', should be 0)

This is a problem. I believe you will have to change this option. This is
noted in the Bering User Manual:

Quote "You must not turn on route filtering for any interfaces involved in
ipsec. The "Bering recommended" way to turn this off is to use the
/etc/network/options file and change the "spoofprotect" parameter to "no""

> + ip route
> 192.168.2.1 via 192.168.2.1 dev ipsec0
> 192.168.3.0/24 dev eth1 proto kernel scope link src 192.168.3.254
> 192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.253
> 192.168.2.0/24 dev ipsec0 proto kernel scope link src 192.168.2.253
> default via 192.168.2.254 dev eth0

This appears to be a very unclear test system. Using a 10./8 on the WAN
would clarify a lot between WAN and LAN networks. Using the same net block
addressing makes it much harder to see what is exactly going on.

> # How persistent to be in (re)keying negotiations (0 means very).
> keyingtries=0
> # RSA authentication with keys from DNS.
> # authby=rsasig
> # leftrsasigkey=%dns
> # rightrsasigkey=%dns
> # Following added by Lee just as above 3 commented by Lee
> authby=secret
> left=192.168.2.253
> leftsubnet=192.168.3.0/24
> leftfirewall=yes
> pfs=yes
> auto=add

Get rid of the "leftfirewall=yes" entry, it will not allow a reconnection
if a tunnel drops w/o a reboot. It will not be needed if Shorewall is
configured correctly for ipsec.

> + sed -n 210,$p /var/log/syslog
> + egrep -i ipsec|klips|pluto
> + cat
> Nov 16 23:02:36 beringfirewall ipsec_setup: Starting FreeS/WAN IPsec 1.98b...
> Nov 16 23:02:36 beringfirewall ipsec_setup: Using /lib/modules/ipsec.o
> Nov 16 23:02:37 beringfirewall ipsec_setup: KLIPS ipsec0 on eth0 192.168.2.253/24 broadcast 192.168.2.255
> Nov 16 23:02:37 beringfirewall ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
> Nov 16 23:02:37 beringfirewall ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = `1', should be 0)
> Nov 16 23:02:37 beringfirewall ipsec_setup: ...FreeS/WAN IPsec started
> + _________________________ plog

Please turn off the route filtering as suggested in the Bering Users
Manual. Ipsec will NOT work with it turned on via Shorewall.

> + sed -n 224,$p /var/log/auth.log
> + egrep -i pluto
> + cat
> Nov 16 23:02:37 beringfirewall ipsec__plutorun: Starting Pluto subsystem...
> Nov 16 23:02:37 beringfirewall pluto[7363]: Starting Pluto (FreeS/WAN Version 1.98b)
> Nov 16 23:02:38 beringfirewall pluto[7363]: added connection description "w2k-road-warriors"
> Nov 16 23:02:38 beringfirewall pluto[7363]: listening for IKE messages
> Nov 16 23:02:38 beringfirewall pluto[7363]: adding interface ipsec0/eth0 192.168.2.253
> Nov 16 23:02:38 beringfirewall pluto[7363]: loading secrets from "/etc/ipsec.secrets"
> Nov 16 23:03:50 beringfirewall pluto[7363]: packet from 192.168.2.1:500: ignoring Vendor ID payload
> Nov 16 23:03:50 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: responding to Main Mode from unknown peer 192.168.2.1
> Nov 16 23:03:50 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: sent MR3, ISAKMP SA established
> Nov 16 23:03:51 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #2: responding to Quick Mode
> Nov 16 23:03:51 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #2: IPsec SA established

The tunnel comes up successfully, but no information has been sent through
the tunnel.

> Nov 16 23:04:54 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: ignoring Delete SA payload
> Nov 16 23:04:54 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: received and ignored informational message
> Nov 16 23:09:24 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: ignoring Delete SA payload
> Nov 16 23:09:24 beringfirewall pluto[7363]: "w2k-road-warriors"[1] 192.168.2.1 #1: received and ignored informational message

The Bering box is ignoring the information sent through the tunnel. Most
likely this is because "rp_filter" is blocking the traffic sent through the
tunnel.

From the Bering Users Manual:

"You must not turn on route filtering for any interfaces involved in ipsec.
The "Bering recommended" way to turn this off is to use the
/etc/network/options file and change the "spoofprotect" parameter to "no""

I believe this is your problem.

-- 
~Lynn Avants aka Guitarlynn
guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
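The rp_filter check that the reply keeps coming back to, as an added example written for this page (it is not code from the thread, from Bering, or from FreeS/WAN): a small POSIX sh script that reproduces the warning ipsec_setup printed, then clears the setting. The sysctl directory is passed as a parameter so the same functions can be pointed at /proc/sys/net/ipv4/conf on a live box or at a scratch directory; the interface names eth0 and ipsec0 in the usage comment are taken from the posted logs, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Reproduces the "route filtering turned on" check from ipsec_setup against
# a sysctl tree given as CONFDIR (normally /proc/sys/net/ipv4/conf), and
# offers the runtime fix. For a change that survives a reboot on Bering,
# the thread's advice applies: set spoofprotect=no in /etc/network/options.

# rpfilter_check CONFDIR IFACE...
# Warns, in the style of the ipsec_setup message, for every interface whose
# rp_filter is not 0 (or cannot be read). Returns 1 if any interface fails,
# 0 when every listed interface has rp_filter = 0.
rpfilter_check() {
    confdir=$1
    shift
    rc=0
    for iface in "$@"; do
        f="$confdir/$iface/rp_filter"
        if [ ! -r "$f" ]; then
            echo "WARNING: $iface: cannot read $f" >&2
            rc=1
            continue
        fi
        read -r val < "$f"
        if [ "$val" != "0" ]; then
            echo "WARNING: $iface has route filtering turned on, KLIPS may not work" >&2
            echo "  ($f = '$val', should be 0)" >&2
            rc=1
        fi
    done
    return $rc
}

# rpfilter_disable CONFDIR IFACE...
# Writes 0 into rp_filter for each interface. On a live system this needs
# root and is the runtime equivalent of spoofprotect=no; it does not persist.
rpfilter_disable() {
    confdir=$1
    shift
    for iface in "$@"; do
        echo 0 > "$confdir/$iface/rp_filter" || return 1
    done
    return 0
}

# Usage on the firewall from the thread (hypothetical; run as root):
#   rpfilter_check   /proc/sys/net/ipv4/conf eth0 ipsec0 || \
#   rpfilter_disable /proc/sys/net/ipv4/conf eth0 ipsec0
```

Run the check before starting FreeS/WAN and again after the KLIPS interface exists, since the warning in the posted log fires per interface; a clean result on eth0 alone says nothing about ipsec0.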
