Jim

I have a number of ipsec boxes running on Bering 1.0 and 1.2. I must admit the complexity of your ascii art puzzled me at first.
Basically I understood the following.


You have 2 Bering boxes in network 10.0.0.0/24 serving as IPSEC gateways for the networks 192.168.0.0/24 and 192.168.1.0/24.

There are a few things in your setup which are noticeable, comments inline....

At 22:46 04.06.2004, Jim Walters wrote:
...
Configuration Data (tried to do it like the support page said):

# uname -a
Linux fw_left 2.4.24 #18 Sat Apr 24 10:07:53 CEST 2004 i586 unknown

# ip addr show
2: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 08:00:06:25:bc:d2 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.4/24 brd 10.0.0.255 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:a0:c9:39:13:c2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
5: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 08:00:06:25:bc:d2 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.4/24 brd 10.0.0.255 scope global ipsec0
6: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
7: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
8: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip

# ip route show
10.0.0.0/24 dev eth0  proto kernel  scope link  src 10.0.0.4
10.0.0.0/24 dev ipsec0  proto kernel  scope link  src 10.0.0.4
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.1
default via 10.0.0.1 dev eth0

Obviously, ipsec is started, but your tunnel is not up, therefore no route to the remote subnet...


Lots removed .........................
Configuration Files:

Here are some of my configuration files.  I deleted the standard shorewall
comments, but left the default items in place so that the syntax of the
files is complete.

<contents of interfaces>
#
# Shorewall 1.4 -- Interfaces File
#
# /etc/shorewall/interfaces
#
##############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect
loc     eth1            detect
vpn     ipsec0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

<contents of policy>
#
# Shorewall 1.4 -- Policy File
#
# /etc/shorewall/policy
#
###############################################################################
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
loc             net             ACCEPT
net             all             DROP            ULOG
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw             net             ACCEPT
loc             vpn             ACCEPT
vpn             loc             ACCEPT
#
# THE FOLLOWING POLICY MUST BE LAST
#
all             all             REJECT          ULOG
#LAST LINE -- DO NOT REMOVE

<contents of tunnels>
#
# Shorewall 1.4 - /etc/shorewall/tunnels
#
# TYPE                  ZONE    GATEWAY         GATEWAY
#                                               ZONE
ipsec                   net     10.0.0.3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

<contents of zones>
#
# Shorewall 1.4 /etc/shorewall/zones
#
#ZONE   DISPLAY         COMMENTS
net     Net             Internet
loc     Local           Local networks
vpn     VPN             Remote Subnet
#dmz    DMZ             Demilitarized zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

<contents of rules>
#
# Shorewall version 1.4 - Rules File
#
# /etc/shorewall/rules
#
####################################################################################################
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER
#                               PORT    PORT(S) DEST            LIMIT
# Accept DNS connections from the firewall to the network
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
# Accept SSH connections from the local network for administration
#
ACCEPT loc fw tcp 22
# Allow Ping To And From Firewall
#
ACCEPT loc fw icmp 8
ACCEPT net fw icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw net icmp 8
#
# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80
#
# jwalters 20040604
# added rules to allow IPSec VPN

No need for these; /etc/shorewall/tunnels should take care of that.

#
ACCEPT          net             fw      tcp     50
ACCEPT          net             fw      udp     50
ACCEPT          net             fw      tcp     51
ACCEPT          net             fw      udp     51
ACCEPT          fw              net     tcp     50
ACCEPT          fw              net     udp     50
ACCEPT          fw              net     tcp     51
ACCEPT          fw              net     udp     51
ACCEPT          net             fw      udp     500
ACCEPT          fw              net     udp     500
#
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

<contents of ipsec.conf>
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes


# defaults for subsequent connection descriptions
conn vpn_jim
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # RSA authentication with keys from DNS.
        authby=secret
        left=10.0.0.4
        leftsubnet=192.168.1.0/24
        right=10.0.0.3
        rightsubnet=192.168.0.0/24
        auto=add

One of the gateways should have auto=start


<contents of ipsec.secrets>
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
#: RSA  {
        # -- Create your own RSA key with "ipsec rsasigkey"
#       }
# do not change the indenting of that "}"

10.0.0.4 %any : PSK "jwalters"

I never got %any to work

I guess you should do an ipsec barf and post the output

Oh, by the way, the network runs without IPSEC started?

cheers
Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
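The point Erich makes about the added rules (ESP and AH are IP protocols 50 and 51, not TCP/UDP ports, and the tunnels entry already covers the gateway) can be checked mechanically. The following lint is an added example, not code from the post or from the Shorewall project; the RULES and TUNNELS strings are a constructed sample modelled on the files quoted above.

```python
"""Lint a Shorewall 1.4 rules file for IPsec rules that cannot work.

ESP and AH are IP protocols 50 and 51, not ports, so a rule such as
'ACCEPT net fw tcp 50' never matches IPsec traffic. An 'ipsec' entry in
/etc/shorewall/tunnels already allows ESP, AH and IKE (udp/500) between
the firewall and the listed gateway, so an extra udp/500 rule for the
whole zone only widens what is reachable.
"""

# Constructed sample, modelled on the quoted rules and tunnels files.
RULES = """\
#ACTION SOURCE DEST PROTO DEST
ACCEPT net fw tcp 50
ACCEPT net fw udp 50
ACCEPT net fw tcp 51
ACCEPT fw net udp 500
ACCEPT loc fw tcp 22
"""
TUNNELS = "ipsec net 10.0.0.3\n"

IPSEC_PROTO = {"50": "ESP", "51": "AH"}


def parse_table(text):
    """Split a whitespace-separated Shorewall table into field lists,
    dropping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def ipsec_gateways(tunnels_text):
    """Gateways named by 'ipsec' entries (TYPE ZONE GATEWAY ...)."""
    return {row[2] for row in parse_table(tunnels_text)
            if len(row) >= 3 and row[0].lower() == "ipsec"}


def lint_rules(rules_text, tunnels_text):
    """Return one finding per rule that treats ESP/AH as a port, or that
    opens IKE to a whole zone although a tunnels entry covers the gateway."""
    findings = []
    gateways = ", ".join(sorted(ipsec_gateways(tunnels_text)))
    for row in parse_table(rules_text):
        if len(row) < 5:
            continue
        rule, proto, port = " ".join(row), row[3].lower(), row[4]
        if proto in ("tcp", "udp") and port in IPSEC_PROTO:
            findings.append(f"{rule}: {IPSEC_PROTO[port]} is IP protocol {port}, "
                            f"not {proto} port {port}; use the tunnels file")
        elif proto == "udp" and port == "500" and gateways:
            findings.append(f"{rule}: tunnels entry already allows udp/500 for "
                            f"{gateways}; this opens IKE to the whole zone")
    return findings
```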

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html