[leaf-user] Bering rc3 and ipsec problems

2002-08-14 Thread Jeff Lush

Hello all,

I'm using the Bering 1.0rc3 release and am attempting to set up FreeS/WAN 1.97
IPsec on the firewall. I've closely followed the howto at
http://leaf.sourceforge.net/devel/jnilo/buipsec.html as well as studied
various documentation such as man pages etc. I believe I've set up everything
correctly, but cannot seem to connect from various IPsec clients. I'm trying
both the SSH Sentinel client as well as a Linksys IPsec VPN appliance, but
I've had no luck. The only error that shows up during startup is the error
regarding rp_filter being set to 1. I did as the documentation outlined and
set spoofprotect to no in the options file, but the error still comes up.

Any ideas would be appreciated.

Thanks,

-Jeff Lush

I'd be happy to provide whatever documentation is requested. Here is a bit
of a dump from ipsec barf. It details the connection info from the linksys
appliance:

--
Aug 13 16:13:29 firewall Pluto[19365]: "roadwarrior" 207.216.146.129 #4: ignoring Delete SA payload
Aug 13 16:13:29 firewall Pluto[19365]: "roadwarrior" 207.216.146.129 #4: received and ignored informational message
Aug 13 16:13:39 firewall Pluto[19365]: "roadwarrior" 207.216.146.129 #5: responding to Main Mode from unknown peer 207.216.146.129
Aug 13 16:13:39 firewall Pluto[19365]: "roadwarrior" 207.216.146.129 #5: OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Aug 13 16:13:39 firewall Pluto[19365]: "roadwarrior" 207.216.146.129 #5: OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Aug 13 16:13:40 firewall Pluto[19365]: "roadwarrior" 207.216.146.129 #5: Peer ID is ID_IPV4_ADDR: '207.216.146.129'
Aug 13 16:13:40 firewall Pluto[19365]: "roadwarrior" 207.216.146.129 #5: sent MR3, ISAKMP SA established
Aug 13 16:13:40 firewall Pluto[19365]: "roadwarrior" 207.216.146.129 #5: ID type of ISAKMP Identification Payload (IPsec DOI) has an unknown value: 0
Aug 13 16:13:40 firewall Pluto[19365]: "roadwarrior" 207.216.146.129 #5: malformed payload in packet
Aug 13 16:16:09 firewall Pluto[19365]: "roadwarrior" 207.216.146.129 #6: responding to Main Mode from unknown peer 207.216.146.129
Aug 13 16:16:09 firewall Pluto[19365]: "roadwarrior" 207.216.146.129 #6: OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Aug 13 16:16:09 firewall Pluto[19365]: "roadwarrior" 207.216.146.129 #6: OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Aug 13 16:16:10 firewall Pluto[19365]: "roadwarrior" 207.216.146.129 #6: Peer ID is ID_IPV4_ADDR: '207.216.146.129'
Aug 13 16:16:10 firewall Pluto[19365]: "roadwarrior" 207.216.146.129 #6: sent MR3, ISAKMP SA established
Aug 13 16:16:10 firewall Pluto[19365]: "roadwarrior" 207.216.146.129 #6: ID type of ISAKMP Identification Payload (IPsec DOI) has an unknown value: 0
Aug 13 16:16:10 firewall Pluto[19365]: "roadwarrior" 207.216.146.129 #6: malformed payload in packet
--



---
This sf.net email is sponsored by: Dice - The leading online job board
for high-tech professionals. Search and apply for tech jobs today!
http://seeker.dice.com/seeker.epl?rel_code=31

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html



Re: [leaf-user] Bering rc3 and ipsec problems

2002-08-14 Thread Jeff Lush

I have 3DES checked off on the appliance. Maybe this is the problem...


On 8/14/02 6:29 PM, Stephen Lee <[EMAIL PROTECTED]> declared:

> I don't think DES is supported with FreeS/Wan, only 3DES.
> 
> Stephen

Best regards,

-Jeff Lush

------
Jeff Lush, Alterasys
[EMAIL PROTECTED]
#135, 6005-103 St., Edmonton, AB, CA T6H 2H3
p: 780-413-6373
f: 780-413-6374
--
"I use heavy strings, tune low, play hard
and floor it. Floor it. That's technical talk."
-SRV







[leaf-user] More bering/ipsec questions

2002-08-19 Thread Jeff Lush

Hello all,

I've got bering 1.0rc3 with ipsec509 up and running off a dual floppy
install, but I'm having a bit of trouble. I'm using SSH Sentinel to connect
from a win98 machine, and on the first connection, it works great; however,
any connection attempts after that fail until I reset the firewall. Auth.log
reports the following from the failed attempts:

--
Aug 18 12:27:09 firewall Pluto[4101]: ERROR: "roadwarrior" 207.137.114.112 #8: sendto on eth0 to 207.137.114.112:500 failed in STATE_MAIN_R0. Errno 1: Operation not permitted
Aug 18 12:27:14 firewall Pluto[4101]: ERROR: "roadwarrior" 207.137.114.112 #3: sendto on eth0 to 207.137.114.112:500 failed in EVENT_RETRANSMIT. Errno 1: Operation not permitted
--

I've read (from guitarlynn's docs) that using "leftfirewall=yes" in the
ipsec.conf can cause dropped tunnels to hang. Can this be what is happening
here? If so, what manual rules should be added to shorewall to support ipsec
connections?

Thanks,

-Jeff Lush
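The two Pluto log dumps in this thread (the OAKLEY_DES_CBC rejection and malformed ID payload in the first post, and the sendto "Operation not permitted" errors in the post above) are the kind of lines an operator ends up grepping by hand. The script below is an added example, not part of Jeff's posts and not FreeS/WAN or LEAF code; it assumes the syslog line format shown in the posts and uses the page's own log lines plus two constructed entries (a non-Pluto line and a clean handshake for a made-up peer 10.0.0.5) as input. It groups entries by the IKE state counter ("#N"), notes whether the ISAKMP SA was reached, and tags the failure patterns that appear in this thread with the operator-facing explanation for each.

```python
"""Triage FreeS/WAN Pluto log entries for the failure modes seen in this thread.

Added example, not code from the original posts. It reads syslog-format Pluto
lines, groups them per IKE state, and flags: single-DES proposals (rejected by
FreeS/WAN, which only takes 3DES), sendto() EPERM (the local packet filter
dropped Pluto's own outbound IKE packet), and malformed identification payloads.
"""
import re

# Constructed sample input: lines copied from the two posts on this page plus
# one non-Pluto line and one clean handshake for a made-up peer (10.0.0.5).
SAMPLE_LOG = """\
Aug 13 16:13:39 firewall Pluto[19365]: "roadwarrior" 207.216.146.129 #5: responding to Main Mode from unknown peer 207.216.146.129
Aug 13 16:13:39 firewall Pluto[19365]: "roadwarrior" 207.216.146.129 #5: OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Aug 13 16:13:40 firewall Pluto[19365]: "roadwarrior" 207.216.146.129 #5: sent MR3, ISAKMP SA established
Aug 13 16:13:40 firewall Pluto[19365]: "roadwarrior" 207.216.146.129 #5: ID type of ISAKMP Identification Payload (IPsec DOI) has an unknown value: 0
Aug 13 16:13:40 firewall Pluto[19365]: "roadwarrior" 207.216.146.129 #5: malformed payload in packet
Aug 18 12:27:09 firewall Pluto[4101]: ERROR: "roadwarrior" 207.137.114.112 #8: sendto on eth0 to 207.137.114.112:500 failed in STATE_MAIN_R0. Errno 1: Operation not permitted
Aug 18 12:27:10 firewall sshd[777]: Accepted publickey for admin from 192.168.1.2 port 1022 ssh2
Aug 18 12:27:14 firewall Pluto[4101]: ERROR: "roadwarrior" 207.137.114.112 #3: sendto on eth0 to 207.137.114.112:500 failed in EVENT_RETRANSMIT. Errno 1: Operation not permitted
Aug 18 12:30:00 firewall Pluto[4101]: "roadwarrior" 10.0.0.5 #9: sent MR3, ISAKMP SA established
"""

# syslog prefix, optional "ERROR:", quoted connection name, peer address, "#state:", message
PLUTO_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'Pluto\[(?P<pid>\d+)\]: (?:(?P<error>ERROR): )?"(?P<conn>[^"]+)" '
    r'(?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$'
)

# finding code -> (pattern matched against the message part, advice for the operator)
FINDINGS = {
    "unsupported_cipher": (
        re.compile(r"OAKLEY_DES_CBC is not supported"),
        "peer proposed single DES; FreeS/WAN accepts only 3DES, so enable 3DES on the client",
    ),
    "local_firewall_block": (
        re.compile(r"sendto on \S+ to \S+ failed in \S+\. Errno 1: Operation not permitted"),
        "sendto() returned EPERM: the local packet filter rejected Pluto's own outbound "
        "IKE packet (UDP 500); make sure the firewall rules allow IPsec traffic to the peer",
    ),
    "malformed_id": (
        re.compile(r"ID type of ISAKMP Identification Payload .*unknown value|malformed payload in packet"),
        "the identification payload from the peer could not be parsed; check the client's identity settings",
    ),
}


def parse_line(line):
    """Return the fields of one Pluto syslog entry, or None if the line is not one."""
    m = PLUTO_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["state"] = int(entry["state"])
    entry["error"] = entry["error"] is not None
    return entry


def triage(log_text):
    """Group entries by (connection, peer, IKE state) and collect findings per state.

    Returns a list of dicts in first-seen order with keys conn, peer, state,
    established (ISAKMP SA reached) and findings (codes, deduplicated, in the
    order they first appeared for that state).
    """
    states = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # other daemons share auth.log; skip their lines
        key = (entry["conn"], entry["peer"], entry["state"])
        rec = states.setdefault(key, {"conn": entry["conn"], "peer": entry["peer"],
                                      "state": entry["state"], "established": False,
                                      "findings": []})
        if "ISAKMP SA established" in entry["msg"]:
            rec["established"] = True
        for code, (pattern, _advice) in FINDINGS.items():
            if pattern.search(entry["msg"]) and code not in rec["findings"]:
                rec["findings"].append(code)
    return list(states.values())


def report(results):
    """Render triage results: one line per IKE state, then the advice for each finding."""
    lines = []
    for r in results:
        status = "ISAKMP SA established" if r["established"] else "no ISAKMP SA"
        lines.append('%s %s #%d: %s' % (r["conn"], r["peer"], r["state"], status))
        for code in r["findings"]:
            lines.append("    [%s] %s" % (code, FINDINGS[code][1]))
        if not r["findings"]:
            lines.append("    no known failure pattern")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run against a real auth.log with `triage(open("/var/log/auth.log").read())`. Pluto's state counter is global per daemon run, so keying by state alone would also work; the peer is kept in the key so the report stays readable when several road warriors are active.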






Re: [leaf-user] More bering/ipsec questions

2002-08-20 Thread Jeff Lush

On 8/20/02 10:22 AM, Tom Eastep <[EMAIL PROTECTED]> declared:

> I've also updated that page -- it was out of date in the respect that it
> talked about a 'gw' zone which was a Shorewall 1.[12] feature that was not
> carried forward to Shorewall 1.3. Hopefully it will be clearer now...
> 
> Jeff -- please let me know if you are still having problems...

Tom,

Thank you for pointing me in the right direction. Thanks to your updated
information I can now successfully connect (and disconnect) with both SSH
Sentinel and a Linksys VPN appliance without issue. RTFM once again saves
the day!

-Jeff Lush






Re: [leaf-user] IPSec509 in production environment?

2002-09-01 Thread Jeff Lush

On 9/1/02 7:55 AM, Claus Johansen <[EMAIL PROTECTED]> declared:

> Hi all,
> 
> Has anyone out there been using ipsec509 in a production environment with MS
> Windows road warrior clients?

Yes, after careful planning and reading.

> 1.)
> There's no way to tear down a tunnel, it stays active until it times out. A
> client
> trying to reconnect within that period will fail.

If shorewall (on bering) is set up correctly, closing and reopening a tunnel
is no problem at all. Using SSH Sentinel from a win98 box, I can do it as
much as I like. Spend some time on the shorewall docs. Tom was kind enough
to point me in the direction of this little gem for shorewall:
http://www.shorewall.net/IPSEC.htm

> 2.)
> There's no way to set up temporary network settings (e.g. WINS) for the MS
> clients
> for the duration of the connection. This means that they either work with the
> "tunneled" network and no other, or they will have very limited functionality
> through the tunnel (because of NetBIOS limitations).

This would rely on the client setup and not the tunnel. For example when
using a VPN appliance, have it hand out the WINS address of the server at
the other end of the tunnel via DHCP. If you're using client VPN software
like SSH Sentinel, there is usually a setting for WINS, DHCP, DNS etc. in
the software. While the tunnel is active, the settings are in place. WINS
works great (for a M$ product) through an IPSEC tunnel, and works well
with other protocols.

> 
> If I've missed something here and there are feasible solutions, I'd very much
> like
> to hear about it!

Again, spend some time planning and reading. Your needs identified here
can be easily fulfilled, no problem.

-Jeff



