[leaf-user] IPSEC help needed....

2004-04-19 Thread Kevin
I am using Dachstein 1.02 and need IPSEC enabled to get the work VPN
software to work correctly. I do not see a module IPSEC that is loaded,
should I have one to make this work correctly?
 
Here are the modules loaded:
 
Linux version 2.2.19-3-LEAF ([EMAIL PROTECTED]) (gcc version 2.7.2.3) #1 Sat Dec 1 12:15:05 CST 2001

Installed Modules:
ip_masq_vdolive   1180   0 (unused)
ip_masq_user      3708   0 (unused)
ip_masq_raudio    2980   0 (unused)
ip_masq_quake     1220   0 (unused)
ip_masq_portfw    2416   0 (unused)
ip_masq_mfw       3196   0 (unused)
ip_masq_irc       1924   0
ip_masq_ftp       3576   0
ip_masq_cuseeme    964   0 (unused)
ip_masq_autofw    2476   0 (unused)
ne                6292   2
8390              6236   0 [ne]
bsd_comp          3708   0 (unused)
ppp_deflate      40672   0 (unused)
ppp              20828   2 [bsd_comp ppp_deflate]
slhc              4436   0 [ppp]


Here are the packages:
 
Name      Version  Description
========  =======  ============================================
root      4.0.6    Linux Router Project
etc       4.0.1    /etc/ of the main root, minus any other packag
ramlog    1.1      Creates additinal ramdisks on boot
local     4.0.6    Local package. This package does not contain a
modules   4.0.6    Modules package. Contains kernel modules and u
ppp       2.3.11   PPPd Deamon for Dial-Up
dhcpd     2.0pl5   dhcpd - Autoconfigure client machines
dnscache  1.05a    dnscache from djbdns (V1.05a) package creates
ifconfig  1.45     ifconfig and route commnads
pppoe     2.6      Roaring Penguin PPPoE Client LRP Package
weblet    1.2.0    weblet - LRP status via a small web server
sshd      3.0p1    OpenSSH sshd daemon.
oidentd   1.6.0    There shouldn't be any configuration needed un
libz      so.1     used for SSHD only
psentry   1.0      If this package failed to load, please create


This is the block that needs to pass through:

Apr 19 07:10:48 amberton kernel: Packet log: input DENY ppp0 PROTO=50
207.11.4.7:65535 68.19.16.103:65535 L=168 S=0x00 I=8699 F=0x T=243 (#70)

I am not sure if I need a rule set or a package loaded, any help would be
beneficial.



---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration. http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


RE: [leaf-user] IPSEC help needed....

2004-04-19 Thread Matthew Pozzi
There is no ipsec.o module in Dachstein for IPSEC. I have a pair of boxes
with an IPSEC VPN between them on static IPs and it's all in the
configuration of IPSEC, that is the secret.

Read the HOWTOs and look at the freeswan site if it's still around. We need
a bit more than just "to get the work VPN software to work correctly". Are
you setting up a subnet to subnet or single client to subnet? The HOWTOs
are out there, just look.

Email the list again if you need more help. 

Matt

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Sent: Tuesday, April 20, 2004 10:27 AM
To: [EMAIL PROTECTED]
Subject: [leaf-user] IPSEC help needed


Re: [leaf-user] IPSEC help needed....

2004-04-20 Thread Charles Steinkuehler
Kevin wrote:
This is the block that needs to pass through:

Apr 19 07:10:48 amberton kernel: Packet log: input DENY ppp0 PROTO=50
207.11.4.7:65535 68.19.16.103:65535 L=168 S=0x00 I=8699 F=0x T=243 (#70)

I am not sure if I need a rule set or a package loaded, any help would be
beneficial.

Actually, I think you need a rule set and a module loaded.

I'm going to work under the assumption that you need to masquerade an 
IPSec connection (i.e. you're running an ipsec client on an internal 
system, rather than trying to run ipsec on the firewall itself).

To do this, you first need to make sure you're using the proper kernel. 
Masquerading ipsec and running ipsec on the firewall are mutually 
exclusive, and require different kernels.  The 'plain' kernels available 
from my site support ipsec masquerading, while kernels with -IPSec in 
the name support running ipsec directly on the firewall.  Which kernel 
flavor you want depends on your system, but you probably want either the 
'small' or 'normal' kernel:

http://lrp2.steinkuehler.net/files/kernels/Dachstein-small/
http://lrp2.steinkuehler.net/files/kernels/Dachstein-normal/
The floppy version ships with the small kernel w/o ipsec by default.

Once you have an appropriate kernel (or have verified you're running the 
linux-2.2.19-3-LEAF-small.zImage.upx kernel by filesize), you need to 
copy the ip_masq_ipsec.o masquerading 'helper' module to your modules 
directory and add it to /etc/modules.

The last thing you need to do is allow the actual IPSec traffic through 
your firewall.  This typically involves UDP port 500, and *PROTOCOL* 50 
or 51, depending on whether you're running ESP or AH.  To do this, add 
the following in /etc/network.conf:

EXTERN_UDP_PORTS="0/0_500"
EXTERN_PORTS="50_0/0 51_0/0"
--
Charles Steinkuehler
[EMAIL PROTECTED]
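As an added example (not from this thread or the LEAF project), a small Python scanner that picks denied IPSec traffic out of Dachstein "Packet log:" kernel lines like the one Kevin quoted and names the /etc/network.conf setting Charles gives for each piece: protocol 50 (ESP), 51 (AH) and UDP port 500 (IKE). The sample lines and the field names are constructed here from the log format shown in the thread; the second sample line is made up.

```python
import re

# Constructed sample of 2.2 ipchains "Packet log:" lines: the denied ESP packet
# quoted in this thread, plus a made-up IKE (UDP/500) denial on the same link.
SAMPLE_LOG = [
    "Apr 19 07:10:48 amberton kernel: Packet log: input DENY ppp0 PROTO=50 "
    "207.11.4.7:65535 68.19.16.103:65535 L=168 S=0x00 I=8699 F=0x T=243 (#70)",
    "Apr 19 07:10:49 amberton kernel: Packet log: input DENY ppp0 PROTO=17 "
    "207.11.4.7:500 68.19.16.103:500 L=360 S=0x00 I=8700 F=0x T=243 (#70)",
]

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# IPSec components and the /etc/network.conf entry (from the reply above) for each.
IPSEC_RULES = {
    ("proto", 50): ("ESP", 'EXTERN_PORTS="50_0/0"'),
    ("proto", 51): ("AH", 'EXTERN_PORTS="51_0/0"'),
    ("udp", 500): ("IKE", 'EXTERN_UDP_PORTS="0/0_500"'),
}


def parse_packet_log(line):
    """Return the fields of one 'Packet log:' line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {k: int(v) if k in ("proto", "sport", "dport") else v
            for k, v in m.groupdict().items()}


def ipsec_component(entry):
    """(name, setting) for the IPSec piece a parsed entry belongs to, else None.
    ESP/AH have no ports (ipchains prints 65535); IKE is UDP to port 500."""
    if entry["proto"] in (50, 51):
        return IPSEC_RULES[("proto", entry["proto"])]
    if entry["proto"] == 17 and entry["dport"] == 500:
        return IPSEC_RULES[("udp", 500)]
    return None


def denied_ipsec(lines):
    """List (iface, src, component, setting) for every denied IPSec packet."""
    hits = []
    for line in lines:
        e = parse_packet_log(line)
        comp = ipsec_component(e) if e and e["action"] == "DENY" else None
        if comp:
            hits.append((e["iface"], e["src"], comp[0], comp[1]))
    return hits
```

Running denied_ipsec(SAMPLE_LOG) reports the ESP and IKE denials on ppp0 together with the setting that would admit each; ordinary TCP denials are ignored.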


RE: [leaf-user] IPSEC help needed....

2004-04-20 Thread Kevin
Thanks Charles - yes I just need to allow the passthrough of the IPSEC
protocol for everything to work. I will update the firewall like below and
bring the laptop home tomorrow to try it out. The IT guys do not understand
my router and all they have troubleshooting guides for are the commercial
routers for consumers.

I will try the rules first, then the kernel and module.

As Matt stated, I will also search the HOWTOs and ask the IT guys what type
of connection this is if I need more help.

-Original Message-
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 20, 2004 7:41 AM
To: Kevin
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] IPSEC help needed

Kevin wrote:
SNIP
The last thing you need to do is allow the actual IPSec traffic through 
your firewall.  This typically involves UDP port 500, and *PROTOCOL* 50 
or 51, depending on whether you're running ESP or AH.  To do this, add 
the following in /etc/network.conf

EXTERN_UDP_PORTS="0/0_500"
EXTERN_PORTS="50_0/0 51_0/0"

-- 
Charles Steinkuehler
[EMAIL PROTECTED]





Re: [leaf-user] IPSEC help needed....

2004-04-20 Thread Charles Steinkuehler
Kevin wrote:
I will try the rules first, then the kernel and module.

You'll need the rules and the module.  You won't need to mess with the 
kernel if you're running Dachstein from floppy.  If you're running off 
of CD, the default kernel is configured to run IPSec on the firewall so 
it won't work w/o changing the kernel (kind of hard on the CD-ROM, but 
you could install to a HDD or similar).

Post to the list if you need further help.

--
Charles Steinkuehler
[EMAIL PROTECTED]


RE: [leaf-user] IPSEC help needed....

2004-04-21 Thread Kevin
I checked, and after loading the module, making the changes to the
/etc/network.conf file and saving to disk, the work VPN works!!!

Thanks for the help, now I can work from home :)

-Original Message-
From: Kevin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 20, 2004 9:07 PM
To: 'Charles Steinkuehler'
Cc: '[EMAIL PROTECTED]'
Subject: RE: [leaf-user] IPSEC help needed


