Support Requests item #677584, was opened at 2003-01-30 18:19 You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=213751&aid=677584&group_id=13751
Category: packages Group: None Status: Open Priority: 5 Submitted By: Bob Dushok (bdushok) Assigned to: Mike Noyes (mhnoyes) Summary: Problems communicating via VPN Initial Comment: I'm attempting to configure a subnet to subnet VPN between two Bering uclibc v1.02 firewalls and am having difficulty. The VPN appears to be coming up, but no traffic seems to pass through it. My systems are setup as follows: workstation1 - ip 10.12.0.2 | bering gw - internal 10.12.0.1 - external 66.202.70.89 | (internet) | bering gw - internal 10.1.2.200 - external 199.224.108.200 | workstation 2 - ip 10.1.1.1 The external IPs are statically assigned, I'm not using DHCP. When entering ipsec auto --up vpn I receive the following: 104 "vpn" #8: STATE_MAIN_I1: initiate 106 "vpn" #8: STATE_MAIN_I2: sent MI2, expecting MR2 108 "vpn" #8: STATE_MAIN_I3: sent MI3, expecting MR3 004 "vpn" #8: STATE_MAIN_I4: ISAKMP SA established 112 "vpn" #9: STATE_QUICK_I1: initiate 004 "vpn" #9: STATE_QUICK_I2: sent QI2, IPsec SA established The output of ipsec look is: 000 interface ipsec0/eth0 199.224.108.200 000 000 "vpn": 10.1.0.0/16===199.224.108.200---199.224.108.34...66.202.70.88---66.202.70.89===10.12.0.0/16 000 "vpn": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 000 "vpn": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0; erouted 000 "vpn": newest ISAKMP SA: #3; newest IPsec SA: #2; eroute owner: #2 000 000 #3: "vpn" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 998s; newest ISAKMP 000 #2: "vpn" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 23043s; newest IPSEC; eroute owner 000 #2: "vpn" [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] It appears the VPN is up, but 10.12.0.2 can't ping 10.1.1.1 and vice versa. My conf looks as follows: config setup interfaces=%defaultroute klipsdebug=none plutodebug=all plutoload=%search plutostart=%search conn %default type=tunnel keyexchange=ike keylife=8h keyingtries=0 authby=rsasig disablearrivalcheck=no pfs=yes conn vpn left=199.224.108.200 leftsubnet=10.1.0.0/16 leftnexthop=199.224.108.34 leftfirewall=yes right=66.202.70.89 rightsubnet=10.12.0.0/16 rightnexthop=66.202.70.88 rightfirewall=yes auto=add leftrsasigkey=(omitted) rightrsasigkey=(ommitted) I've added a zone for the VPN and have a rule similar to the following added to the Shorewall rules: vpnnet localnet ACCEPT localnet vpnnet ACCEPT (sorry I don't have the exact text of these rules) hosts.allow does include an ALL: entry denoting the private network on the other end of the VPN. Do I need to perform any masquerading on the IPSEC0 interface for the nets to communicate properly? As I was searching the mailing list, I noticed conversations which mentioned an ipsec masquerade kernel driver. I can't seem to locate any info on this for Bering/uclibc. Am I missing something important? The only modules I'm loading for masquerading came with the Bering release (ip_conntrack_ftp, ip_conntrack_irc, ip_nat_ftp, and ip_nat_irc). When shorewall starts it prints a warning indicating the zone I've created for my VPN is empty. I've defined the zone by including the following in the zones file: vpnzone ipsec0 Does this warning indicate a problem? Any suggestions would be appreciated. TIA Bob ---------------------------------------------------------------------- >Comment By: KP Kirchdörfer (kapeka) Date: 2003-01-30 19:14 Message: Logged In: YES user_id=204664 Lynn Avants advice in his ipsec doc for LEAF is to omitt the left- and rightfirewall. I cannot see a real error in your ipsec settings, but I'm no expert. I guess you should provide your shorewall settings, esp: zones interfaces policy rules tunnels I have an ipsec tunnel up and running, without touching masq. I'm not shure, if that's all correct and safe, but it's working. kp ---------------------------------------------------------------------- Comment By: Tom Eastep (teastep) Date: 2003-01-30 18:41 Message: Logged In: YES user_id=6546 Bob, You are asking busy people for free technical assistance yet you can't be bothered to collect the relevant information? (ref: "sorry I don't have the exact text of these rules") The fact that Shorewall is reporting an empty zone is probably a key symptom but without the contents of the 'zones', 'interfaces', 'hosts' and 'tunnels' files from your /etc/shorewall directory it would be a wild guess to try to tell you what might be wrong. -Tom ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=213751&aid=677584&group_id=13751 ------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com ------------------------------------------------------------------------ leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html