I have what I thought would be an easy problem to figure out but is not,
well for me anyway. I'm hoping someone will be in a kind and generous frame
of mind so as to point out the error of my ways! To begin, I am using Leaf
1.2 in an attempt to evaluate its IPsec performance in no more than a
firewall/VPN sort of role. I have no problems setting it up, making it work
and establishing a connection.
The problem manifests itself when I attempt to ping anything on either
subnet: all I can see are the NICs on the Bering machines themselves,
nothing beyond.
Subnet            Local           Net              Gateway                        Gateway           Net               Local          Subnet
192.168.0.0/24 <> 192.168.0.25 <> 142.59.65.140 <> 142.59.64.1 <> THE INTERNET <> 216.123.215.81 <> 216.123.215.94 <> 192.168.2.4 <> 192.168.2.0/24
Please excuse the crudity of my above network topology layout, where the IP
addresses have not been concealed to protect the innocent. To better
explain, if I am trying to ping from a machine on the 192.168.2.0/24 subnet
to another machine on the 192.168.0.0/24 subnet, as far as I can get is the
192.168.0.25 address on the LEAF box; if I try vice versa I can only go as
far as 192.168.2.4.
I am unsure what information would best assist you in determining where my
problem lies; what I am hoping is that as this is being read someone,
somewhere is smirking and already knows why. In the event that I have
actually found a bona fide tear-jerker (hah!) I will send along some stuff.
I made the following alterations to the Shorewall configuration from what it
came with 'out of the box':

zones file:
vpn     VPN     Remote Subnet

policy file:
loc     vpn     ACCEPT
vpn     loc     ACCEPT

tunnels file:
ipsec   net     216.123.215.94 on one machine and 142.59.65.140 on the
other; I have also tried 0.0.0.0/0 for both.
Here is ipsec.conf; for the sake of simplicity, and for lack of a full-blown
Linux machine, I am using Pre-Shared Keys.
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
    # How persistent to be in (re)keying negotiations (0 means very).
    keyingtries=0
    # Pre-shared key authentication; the key itself lives in /etc/ipsec.secrets.
    authby=secret
    pfs=yes
    auto=add

# sample VPN connection
conn home-edm
    # Left security gateway, subnet behind it, next hop toward right.
    left=216.123.215.94
    leftsubnet=192.168.2.0/24
    leftnexthop=216.123.215.81
    # Right security gateway, subnet behind it, next hop toward left.
    right=142.59.65.140
    rightsubnet=192.168.0.0/24
    rightnexthop=142.59.64.1
    # Load and start this connection at startup (overrides auto=add from %default).
    auto=start
Upon starting either machine a connection is made pretty much as soon as
ipsec is running; the tail end of the barf file is like so:
May 30 11:49:40 firewall pluto[2212]: added connection description "home-edm"
May 30 11:49:40 firewall pluto[2212]: listening for IKE messages
May 30 11:49:40 firewall pluto[2212]: adding interface ipsec0/eth0 216.123.215.94
May 30 11:49:40 firewall pluto[2212]: loading secrets from "/etc/ipsec.secrets"
May 30 11:49:40 firewall pluto[2212]: "home-edm" #1: initiating Main Mode
May 30 11:49:41 firewall pluto[2212]: "home-edm" #1: Peer ID is ID_IPV4_ADDR: '142.59.65.140'
May 30 11:49:41 firewall pluto[2212]: "home-edm" #1: ISAKMP SA established
May 30 11:49:41 firewall pluto[2212]: "home-edm" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
May 30 11:49:41 firewall pluto[2212]: "home-edm" #2: sent QI2, IPsec SA established
According to Freeswan.org this is as it should be. Here is a copy of ipsec
look after the connection has been established:
firewall Fri May 30 11:55:19 UTC 2003
0192168 0 024:0:192.168.2.0/24:0 -> 192.168.0.0/24:0 => [EMAIL PROTECTED]:0 (4)
ipsec0->eth0 mtu=16260(1443)->1500
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=in src=142.59.65.140 iv_bits=64bits iv=0x639a27d1364f4faa ooowin=64 seq=4 bit=0xf alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(432,0,0)addtime(338,0,0)usetime(333,0,0)packets(4,0,0) idle=330
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=out src=216.123.215.94 iv_bits=64bits iv=0x652c19db3099b60f ooowin=64 seq=4 alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(448,0,0)addtime(338,0,0)usetime(333,0,0)packets(4,0,0) idle=330
[EMAIL PROTECTED] IPIP: dir=in src=142.59.65.140 life(c,s,h)=bytes(432,0,0)addtime(338,0,0)usetime(333,0,0)packets(4,0,0) idle=330
[EMAIL PROTECTED] IPIP: dir=out src=216.123.215.94 life(c,s,h)=bytes(320,0,0)addtime(338,0,0)usetime(333,0,0)packets(4,0,0) idle=330
==================================================
216.123.215.80/28 dev eth0 proto kernel scope link src 216.123.215.94
216.123.215.80/28 dev ipsec0 proto kernel scope link src 216.123.215.94
192.168.0.0/24 via 216.123.215.81 dev ipsec0
default via 216.123.215.81 dev eth0
Here is some route output from one side:
216.123.215.80/28 dev eth0 proto kernel scope link src 216.123.215.94
216.123.215.80/28 dev ipsec0 proto kernel scope link src 216.123.215.94
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.4
192.168.0.0/24 via 216.123.215.81 dev ipsec0
default via 216.123.215.81 dev eth0
And the other:
192.168.2.0/24 via 142.59.64.1 dev ipsec0
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.25
142.59.64.0/21 dev eth0 proto kernel scope link src 142.59.65.140
142.59.64.0/21 dev ipsec0 proto kernel scope link src 142.59.65.140
default via 142.59.64.1 dev eth0
I have tried a number of smallish changes with no joy and/or happiness,
things like IP forwarding off or on, allowing access to the proper ports
through the rules file instead of everything through the policy file, things
like that. If there is someone out there who has the patience to look
through all this crap, and has finished having a good chuckle, please let me
know what you think!
TIA!
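An added triage script, not part of the original post and not FreeS/WAN or Shorewall code: it works from the two things the poster already has on hand, the kernel routing table and `ipsec look`, and decides which layer to look at next. It assumes `ipsec look` prints one eroute per line (`a/m:0 -> b/n:0 => tun0x...`) and one SA per line carrying a `packets(c,s,h)` counter; the sample text is constructed from the addresses in the post, with the redacted SA names replaced by made-up SPIs (tun0x1002, esp0x1001, esp0x1002).

```shell
#!/bin/sh
# Added example (not from the original post): first-pass triage of a FreeS/WAN
# 1.x (KLIPS) subnet-to-subnet tunnel. Three checks, in the order packets
# traverse them: does the LAN-to-LAN route point at ipsec0, does KLIPS hold a
# matching eroute, and do the ESP SA counters show traffic in both directions.

LOCAL_NET=192.168.2.0/24      # leftsubnet on this gateway
REMOTE_NET=192.168.0.0/24     # rightsubnet behind the peer

# CONSTRUCTED sample: the route table from the post. On a real box use $(ip route).
ROUTES='216.123.215.80/28 dev eth0 proto kernel scope link src 216.123.215.94
216.123.215.80/28 dev ipsec0 proto kernel scope link src 216.123.215.94
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.4
192.168.0.0/24 via 216.123.215.81 dev ipsec0
default via 216.123.215.81 dev eth0'

# CONSTRUCTED sample: `ipsec look` lines from the post, one SA per line, with the
# redacted SA names replaced by made-up SPIs. On a real box use $(ipsec look).
IPSEC_LOOK='192.168.2.0/24:0 -> 192.168.0.0/24:0 => tun0x1002@142.59.65.140:0 (4)
ipsec0->eth0 mtu=16260(1443)->1500
esp0x1001@216.123.215.94 ESP_3DES_HMAC_MD5: dir=in src=142.59.65.140 life(c,s,h)=bytes(432,0,0)addtime(338,0,0)usetime(333,0,0)packets(4,0,0) idle=330
esp0x1002@142.59.65.140 ESP_3DES_HMAC_MD5: dir=out src=216.123.215.94 life(c,s,h)=bytes(448,0,0)addtime(338,0,0)usetime(333,0,0)packets(4,0,0) idle=330'

# route_dev PREFIX TABLE: device the kernel uses for an exact-prefix route.
route_dev() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == p { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }'
}

# has_eroute LOCAL REMOTE LOOK: prints 1 if KLIPS holds an eroute LOCAL -> REMOTE, else 0.
has_eroute() {
    printf '%s\n' "$3" | awk -v l="$1" -v r="$2" '
        index($0, "=>") {
            a = $1; b = $3
            sub(/:[0-9]+$/, "", a); sub(/:[0-9]+$/, "", b)   # drop the :port suffix
            if (a == l && b == r) found = 1
        }
        END { print (found ? 1 : 0) }'
}

# sa_packets DIR LOOK: packet counter of the ESP SA whose dir= is DIR (in|out).
# Assumes one ESP SA per direction, as in the sample.
sa_packets() {
    printf '%s\n' "$2" | awk -v d="dir=$1" '
        /ESP_/ && index($0, d) && match($0, /packets\([0-9]+/) {
            print substr($0, RSTART + 8, RLENGTH - 8)
        }'
}

# triage: prints "VERDICT: explanation"; the verdict names the layer to look at next.
triage() {
    dev=$(route_dev "$REMOTE_NET" "$ROUTES")
    if [ "$dev" != ipsec0 ]; then
        echo "ROUTING: $REMOTE_NET leaves via '$dev' not ipsec0, so LAN traffic never enters the tunnel"
        return 0
    fi
    if [ "$(has_eroute "$LOCAL_NET" "$REMOTE_NET" "$IPSEC_LOOK")" != 1 ]; then
        echo "EROUTE: no eroute $LOCAL_NET -> $REMOTE_NET; check leftsubnet/rightsubnet and that the conn is up"
        return 0
    fi
    pin=$(sa_packets in "$IPSEC_LOOK")
    pout=$(sa_packets out "$IPSEC_LOOK")
    if [ "${pout:-0}" -eq 0 ]; then
        echo "OUTBOUND: nothing has been sent into the tunnel; check ip_forward and how the firewall treats ipsec0"
    elif [ "${pin:-0}" -eq 0 ]; then
        echo "INBOUND: ESP goes out but nothing comes back; the peer is dropping or not routing"
    else
        echo "FORWARDING: ESP flows both ways ($pout out, $pin in), so IPsec itself works; look at forwarding between ipsec0 and eth1 (ip_forward, firewall zone and policy for ipsec0)"
    fi
}

triage
```

On the post's own numbers the route is correct, the eroute exists and both SAs count four packets, so the verdict is FORWARDING: the gateway-to-gateway pings are being encrypted and decrypted, and what remains is what happens to a decapsulated packet between ipsec0 and eth1. One thing worth checking in that area, which the post does not list among its Shorewall changes, is /etc/shorewall/interfaces: with Shorewall 1.x and FreeS/WAN the ipsec0 interface has to be placed in the vpn zone there (`vpn ipsec0`) for the `loc vpn` / `vpn loc` policies to apply to traffic arriving on ipsec0; `tcpdump -i ipsec0` on the receiving gateway will show whether the decrypted pings reach that point.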
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html