Re: [Leaf-user] VPN error, please help
Dear Chad: What kind of client are you looking for? Maybe I can help you, or maybe not. If you find anything good please let us know too. Good luck with your project

Upnet Joe

----- Original Message -----
From: Chad Carr [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Sunday, April 28, 2002 11:19 PM
Subject: Re: [Leaf-user] VPN error, please help

> On Sun, 28 Apr 2002 09:41:41 -0400 Upali Weerasinghe [EMAIL PROTECTED] wrote:
>
> > Here is another one http://vpn.ebootis.de/ I downloaded some stuff from above, and right now it's working with Windows-XP no problem. If you guys need this package in zip format I'll put that on my webserver, so mail me
>
> This actually uses the Windows 2000 built-in client, but puts a freeswan-like interface on it. Unfortunately, the Windows 2000 ipsec client is actually like a mixture of ipchains/iptables _and_ freeswan, so there is not a direct correlation of functionality. It is quite a bit saner to set up, however.
>
> Thanks,
> Chad

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
RE: [Leaf-user] VPN error, please help
It would be definitely great. Thanks.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Upali Weerasinghe
Sent: Sunday, April 28, 2002 6:42 AM
To: Chad Carr; Charles Steinkuehler
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Leaf-user] VPN error, please help

> Here is another one http://vpn.ebootis.de/ I downloaded some stuff from above, and right now it's working with Windows-XP no problem. If you guys need this package in zip format I'll put that on my webserver, so mail me. Setting up a vpn client on windows is a pain in the rear, however with that package 10 minutes..
>
> Upnet Joe
>
> ----- Original Message -----
> From: Chad Carr [EMAIL PROTECTED]
> To: Charles Steinkuehler [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Sent: Saturday, April 27, 2002 10:31 PM
> Subject: Re: [Leaf-user] VPN error, please help
>
> > On Sat, 27 Apr 2002 14:12:14 -0500 Charles Steinkuehler [EMAIL PROTECTED] wrote:
> >
> > > > 1. Do you know of any free client for Windows which works with Free/SWAN?
> > >
> > > The newer windows systems have IPSec built-in, although configuring them to talk to a non-microsoft IPSec implementation can be quite a challenge. Most of the reports I see on the FreeS/WAN mailing list seem to indicate the SSH Sentinel client is pretty good. IIRC, there's a list of windows clients known to interoperate with FreeS/WAN in the FreeS/WAN docs...
> >
> > I would hate for someone to have to go through the mess that I did learning how to configure the Windows 2000 ipsec client, so take a look at http://leaf.sourceforge.net/devel/jnilo/buipsec.html#AEN1227
> >
> > Even though it's Windows, I'd be happy to support folks if they have trouble with it. I am not a general Windows guru, but I did learn the ipsec and certificate management utilities pretty thoroughly.
> >
> > Let me know how it goes,
> > Chad Carr
RE: [Leaf-user] VPN error, please help
Thank you very very much, Charles, I could ping the other private machines and I am asking them to ping me and use a couple of services on my private server for a thorough test. I hope it will be fine.

The next step for me is to setup for the Road Warrior. I have 2 questions:

1. Do you know of any free client for Windows which works with Free/SWAN?

2. I guess that regardless which client, I have to create some forward rule to the one you advised me below. So it would be

IPCH -A forward -j ACCEPT -s 192.168.9.0/24 -d 0/0 -b

Correct?

Thanks again.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charles Steinkuehler
Sent: Friday, April 26, 2002 8:07 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] VPN error, please help

> > 192.168.9 and .3 are my private, so adding the rule as you suggested is for them only, right. For accessing 192.168.1 (the remote ipsec private), do I have to do the similar thing, i.e.:
> >
> > $IPCH -A forward -j ACCEPT -s 192.168.9.0/24 -d 192.168.1.0/24 -b
>
> Oops! If the 192.168.9 and .3 networks are on the same system, the rule I listed will allow them to talk to each other, but not to the remote end of the VPN (which is *NOT* what you want). In your case, you'll need two rules:
>
> $IPCH -A forward -j ACCEPT -s 192.168.9.0/24 -d 192.168.1.0/24 -b
> $IPCH -A forward -j ACCEPT -s 192.168.3.0/24 -d 192.168.1.0/24 -b
>
> NOTE: These rules will need to be in place on *BOTH* VPN gateway systems.
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] VPN error, please help
On Saturday 27 April 2002 02:11, MLU wrote:

> Thank you very very much, Charles, I could ping the other private machines and I am asking them to ping me and use a couple of services on my private server for a thorough test. I hope it will be fine.
>
> The next step for me is to setup for the Road Warrior. I have 2 questions:
>
> 1. Do you know of any free client for Windows which works with Free/SWAN?

IPSec is built into Win2K (service pack 2)/XP and will work with FreeS/WAN. The SSH Sentinel also offers a free 30-day trial for the Win32 platform that works as well.

> 2. I guess that regardless which client, I have to create some forward rule to the one you advised me below. So it would be
>
> IPCH -A forward -j ACCEPT -s 192.168.9.0/24 -d 0/0 -b
>
> Correct?

I think you will want to also set device ipsec0 (or whatever) to keep from allowing this traffic from both eth0 and ipsecX.

-- 
~Lynn Avants
aka Guitarlynn
guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!
Re: [Leaf-user] VPN error, please help
> 1. Do you know of any free client for Windows which works with Free/SWAN?

The newer windows systems have IPSec built-in, although configuring them to talk to a non-microsoft IPSec implementation can be quite a challenge. Most of the reports I see on the FreeS/WAN mailing list seem to indicate the SSH Sentinel client is pretty good. IIRC, there's a list of windows clients known to interoperate with FreeS/WAN in the FreeS/WAN docs...

> 2. I guess that regardless which client, I have to create some forward rule to the one you advised me below. So it would be
>
> IPCH -A forward -j ACCEPT -s 192.168.9.0/24 -d 0/0 -b
>
> Correct?

Well, you'll need some sort of forwarding allowed, but you probably don't want the above. It will allow the whole internet to forward packets to your private LAN! Note this isn't as big a hole as it seems, since most internet traffic is stopped in the input rule chain, but it's still not a good idea.

Exactly what sort of rules you'll need for your road-warrior clients also depends on how they're setup (ie as single clients with a host-to-subnet tunnel, or as a VPN Gateway with a subnet-to-subnet tunnel). See the FreeS/WAN docs on possible architectures, and their extensive section on firewall rule setup.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] VPN error, please help
On Sat, 27 Apr 2002 14:12:14 -0500 Charles Steinkuehler [EMAIL PROTECTED] wrote:

> > 1. Do you know of any free client for Windows which works with Free/SWAN?
>
> The newer windows systems have IPSec built-in, although configuring them to talk to a non-microsoft IPSec implementation can be quite a challenge. Most of the reports I see on the FreeS/WAN mailing list seem to indicate the SSH Sentinel client is pretty good. IIRC, there's a list of windows clients known to interoperate with FreeS/WAN in the FreeS/WAN docs...

I would hate for someone to have to go through the mess that I did learning how to configure the Windows 2000 ipsec client, so take a look at http://leaf.sourceforge.net/devel/jnilo/buipsec.html#AEN1227

Even though it's Windows, I'd be happy to support folks if they have trouble with it. I am not a general Windows guru, but I did learn the ipsec and certificate management utilities pretty thoroughly.

Let me know how it goes,
Chad Carr
Re: [Leaf-user] VPN error, please help
192.168.9 and .3 are my private, so adding the rule as you suggested is for them only, right. For accessing 192.168.1 (the remote ipsec private), do I have to do the similar thing, i.e.:

$IPCH -A forward -j ACCEPT -s 192.168.9.0/24 -d 192.168.1.0/24 -b

Thank you.

-- Original Message --
From: Charles Steinkuehler [EMAIL PROTECTED]
Date: Fri, 26 Apr 2002 08:48:41 -0500

> > I think you are probably right. I do have forward rules to allow traffic between both my private 192.168.9 and 192.168.3. And those rules are added by myself in /etc/ipfilter.conf (based on what you did for DMZ, your DMZ is one-way, mine is 2-way). I will try to disable it asap, but my question is if I can still have traffic between my private networks and at the same time ipsec to remote private?
> >
> > Also I think I should use your scripts /etc/ipchains.input, /etc/ipchains.forward /etc/ipchains.output for those rules rather than inventing my own (and messing up things -:() but I cannot find them as examples. Could you help in this regard.
> >
> > And yes, I try to log protocol 50 and even 51 but nothing showed in my log. Again something is wrong here too.
>
> It sounds like you probably don't have forwarding rules in place for your VPN traffic, so it's being denied before the packets get turned into VPN data. Try adding the following to /etc/ipchains.forward:
>
> $IPCH -A forward -j ACCEPT -s 192.168.9.0/24 -d 192.168.3.0/24 -b
>
> The ipchains.* files are simply sourced by the firewall scripts, so you can add or insert ipchains rules as required. You can also use variables and procedures from network.conf and ipfilter.conf (which is where $IPCH is defined).
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] VPN error, please help
> 192.168.9 and .3 are my private, so adding the rule as you suggested is for them only, right. For accessing 192.168.1 (the remote ipsec private), do I have to do the similar thing, i.e.:
>
> $IPCH -A forward -j ACCEPT -s 192.168.9.0/24 -d 192.168.1.0/24 -b

Oops! If the 192.168.9 and .3 networks are on the same system, the rule I listed will allow them to talk to each other, but not to the remote end of the VPN (which is *NOT* what you want). In your case, you'll need two rules:

$IPCH -A forward -j ACCEPT -s 192.168.9.0/24 -d 192.168.1.0/24 -b
$IPCH -A forward -j ACCEPT -s 192.168.3.0/24 -d 192.168.1.0/24 -b

NOTE: These rules will need to be in place on *BOTH* VPN gateway systems.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
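Two points from Charles's replies deserve a worked check: a forward rule with `-d 0/0` opens the gateway to forwarding from anywhere, and each local private subnet needs its own bidirectional rule toward the remote VPN subnet, on both gateways. The script below is an added example (not code from the thread or from LEAF) that generates those rules in the `$IPCH -A forward ...` form used here and audits a proposed rule for the `0/0` mistake; the subnets are the thread's own, and the rule-string parsing only understands the `-s`/`-d` switches seen in this thread.

```python
"""Added example: generate and audit ipchains forward rules for a FreeS/WAN
gateway that fronts several private subnets. Python 3, standard library only.
Subnets below are the ones discussed in the thread (192.168.9/24 and
192.168.3/24 local, 192.168.1/24 at the far end of the VPN)."""
import ipaddress
import shlex

ANY = ipaddress.ip_network("0.0.0.0/0")   # what ipchains writes as 0/0
LOCAL_SUBNETS = ["192.168.9.0/24", "192.168.3.0/24"]
REMOTE_SUBNET = "192.168.1.0/24"


def vpn_forward_rules(local_subnets, remote_subnet):
    """Lines for /etc/ipchains.forward on each VPN gateway: one bidirectional
    (-b) ACCEPT per local subnet, so each local LAN can reach the remote end
    and reply traffic is covered by the same rule."""
    remote = ipaddress.ip_network(remote_subnet)
    rules = []
    for local in map(ipaddress.ip_network, local_subnets):
        if local.overlaps(remote):
            raise ValueError(f"{local} overlaps the remote subnet {remote}")
        rules.append(f"$IPCH -A forward -j ACCEPT -s {local} -d {remote} -b")
    return rules


def _networks(rule):
    """Extract -s and -d from a rule string; an omitted switch means 'any',
    which is the ipchains default (assumption: only these two switches carry
    addresses, as in the rules quoted in the thread)."""
    tokens = shlex.split(rule)
    nets = {}
    for flag, key in (("-s", "src"), ("-d", "dst")):
        if flag in tokens:
            val = tokens[tokens.index(flag) + 1]
            nets[key] = ANY if val == "0/0" else ipaddress.ip_network(val, strict=False)
        else:
            nets[key] = ANY
    return nets


def audit_forward_rule(rule, local_subnets, remote_subnet):
    """Return a list of problems with a proposed forward ACCEPT rule.
    An empty list means the rule only joins one local private subnet to the
    remote VPN subnet, which is all a VPN gateway needs to forward."""
    if "forward" not in rule or "-j ACCEPT" not in rule:
        return []   # only ACCEPTs in the forward chain widen what is forwarded
    allowed = {ipaddress.ip_network(n) for n in local_subnets}
    allowed.add(ipaddress.ip_network(remote_subnet))
    problems = []
    for key, net in _networks(rule).items():
        if net == ANY:
            problems.append(f"{key} is 0/0: the whole internet could forward "
                            "packets through the gateway")
        elif not net.is_private:
            problems.append(f"{key} {net} is not a private subnet")
        elif net not in allowed:
            problems.append(f"{key} {net} is neither a local subnet nor the "
                            "remote VPN subnet")
    return problems


if __name__ == "__main__":
    for line in vpn_forward_rules(LOCAL_SUBNETS, REMOTE_SUBNET):
        print(line)
    # the rule MLU proposed for road warriors, as Charles audited it
    print(audit_forward_rule("IPCH -A forward -j ACCEPT -s 192.168.9.0/24 -d 0/0 -b",
                             LOCAL_SUBNETS, REMOTE_SUBNET))
```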
Re: [Leaf-user] VPN error, please help
From: MLU [EMAIL PROTECTED]
> I strongly hope that's my mistake somewhere and not the ISP's. If the ISP blocks the IPSEC, could I connect to my office's VPN server? I still can do that before this experiment (removing ipsec module...).
>
> The bad (and probably good -:)) news is that I do not see anything logged into /var/log/messages on my site after I ping the other site. Lynn mentioned that "But more likely, the route to the correct local subnet on each machine is missing". How can I detect that and how to fix it.

Look at your local routing setup (ip route or netstat -nr). Make sure there is a route directing packets destined for the far end of the VPN to the ipsec device.

From: Jonathan French [EMAIL PROTECTED]
> I'm having similar problems, and have found this thread helpful. I've been wondering, do we have to declare the routing on the gateways, or shouldn't ipsec handle this?

FreeS/WAN handles setting up routes for the VPN link (ie traffic to the far end of the VPN gets routed to ipsec0), but you still have to setup basic networking (including routing) on the VPN gateway, as well as duplicate some routing information in FreeS/WAN's configuration file (due to limitations with the 2.0 series kernel, initial versions of FreeS/WAN were unable to use the kernel's routing information, so this had to be duplicated in the FreeS/WAN configs...this will be fixed in the next major re-write of KLIPS, the kernel IPSec code).

> Also, what if the ipsec router is not the default gateway for a machine that you are trying to ping from elsewhere? Do the pings try to return through the wrong router?

If the VPN gateway is *NOT* the default router for the subnet, EACH AND EVERY HOST that wants to talk to the remote end of the VPN needs a static route directing those packets to the VPN gateway. Your life will be *MUCH* easier if the VPN gateway is also the default gateway for your subnet.

If you are required to use an alternate firewall for some reason, you may find a series configuration might work better than trying to parallel the VPN gateway and your existing firewall, ie:

    internet
        |
    firewall
        |
    VPN Gateway
        |
    internal network

Rather than:

         internet
             |
        +----+--\
        |        |
    firewall  VPN Gateway
        |        |
        +----+--/
             |
      internal network

If your firewall is fancy enough, you may also be able to setup something like:

    internet
        |
    firewall --- VPN Gateway
        |
    internal network

Where you add a static route to the firewall (forwarding internal network -> VPN traffic to the VPN gateway), and port-forward, NAT, or otherwise route inbound IPSec traffic to the VPN gateway box, as well.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
RE: [Leaf-user] VPN error, please help
Below are my routes on both left and right sides. Charles, if you can confirm them correct, I think there must be some rule on my left-side denying packets destined for 192.168.1 even reach left-side eth0. I accidentally found this in one old log:

Apr 23 19:14:06 router kernel: Packet log: input DENY eth0 PROTO=1 192.168.1.2:3 24.83.28.213:3 L=56 S=0x00 I=36609 F=0x T=109 (#10)

But I must say that I do not know if ipsec was run at that time. And the rule 10 in input chain is:

10 0 0 DENY all l- 0xFF 0x00 eth0 192.168.0.0/16 0.0.0.0/0 n/

On left side (internal 192.168.9, wants to talk to 192.168.1 via ipsec)

# ip route
192.168.3.0/24 dev eth3 proto kernel scope link src 192.168.3.254
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254
192.168.1.0/24 via 24.83.28.1 dev ipsec0
192.168.9.0/24 dev eth1 proto kernel scope link src 192.168.9.254
24.83.28.0/22 dev eth0 proto kernel scope link src 24.83.28.213
24.83.28.0/22 dev ipsec0 proto kernel scope link src 24.83.28.213
default via 24.83.28.1 dev eth0

router: -root-
# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.3.0     *               255.255.255.0   U     0   0      0    eth3
192.168.2.0     *               255.255.255.0   U     0   0      0    eth2
192.168.1.0     24.83.28.1      255.255.255.0   UG    0   0      0    ipsec0
192.168.9.0     *               255.255.255.0   U     0   0      0    eth1
24.83.28.0      *               255.255.252.0   U     0   0      0    eth0
24.83.28.0      *               255.255.252.0   U     0   0      0    ipsec0
default         24.83.28.1      0.0.0.0         UG    0   0      0    eth0

and right side (internal 192.168.1, wants to talk to 192.168.9 via ipsec):

# ip route
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
192.168.9.0/24 via 24.76.92.1 dev ipsec0
24.76.92.0/22 dev eth0 proto kernel scope link src 24.76.93.9
24.76.92.0/22 dev ipsec0 proto kernel scope link src 24.76.93.9
default via 24.76.92.1 dev eth0

router: -root-
# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.2.0     *               255.255.255.0   U     0   0      0    eth2
192.168.1.0     *               255.255.255.0   U     0   0      0    eth1
192.168.9.0     24.76.92.1      255.255.255.0   UG    0   0      0    ipsec0
24.76.92.0      *               255.255.252.0   U     0   0      0    eth0
24.76.92.0      *               255.255.252.0   U     0   0      0    ipsec0
default         24.76.92.1      0.0.0.0         UG    0   0      0    eth0

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charles Steinkuehler
Sent: Thursday, April 25, 2002 7:46 AM
To: Jonathan French
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Leaf-user] VPN error, please help

> From: MLU [EMAIL PROTECTED]
> > I strongly hope that's my mistake somewhere and not the ISP's. If the ISP blocks the IPSEC, could I connect to my office's VPN server? I still can do that before this experiment (removing ipsec module...).
> >
> > The bad (and probably good -:)) news is that I do not see anything logged into /var/log/messages on my site after I ping the other site. Lynn mentioned that "But more likely, the route to the correct local subnet on each machine is missing". How can I detect that and how to fix it.
>
> Look at your local routing setup (ip route or netstat -nr). Make sure there is a route directing packets destined for the far end of the VPN to the ipsec device.
>
> From: Jonathan French [EMAIL PROTECTED]
> > I'm having similar problems, and have found this thread helpful. I've been wondering, do we have to declare the routing on the gateways, or shouldn't ipsec handle this?
>
> FreeS/WAN handles setting up routes for the VPN link (ie traffic to the far end of the VPN gets routed to ipsec0), but you still have to setup basic networking (including routing) on the VPN gateway, as well as duplicate some routing information in FreeS/WAN's configuration file (due to limitations with the 2.0 series kernel, initial versions of FreeS/WAN were unable to use the kernel's routing information, so this had to be duplicated in the FreeS/WAN configs...this will be fixed in the next major re-write of KLIPS, the kernel IPSec code).
>
> > Also, what if the ipsec router is not the default gateway for a machine that you are trying to ping from elsewhere? Do the pings try to return through the wrong router?
>
> If the VPN gateway is *NOT* the default router for the subnet, EACH AND EVERY HOST that wants to talk to the remote end of the VPN needs a static route directing those packets to the VPN gateway. Your life will be *MUCH* easier if the VPN gateway is also the default gateway for your subnet.
>
> If you are required to use
Re: [Leaf-user] VPN error, please help
> Below are my routes on both left and right sides. Charles, if you can confirm them correct, I think there must be some rule on my left-side denying packets destined for 192.168.1 even reach left-side eth0. I accidentally found this in one old log:
>
> Apr 23 19:14:06 router kernel: Packet log: input DENY eth0 PROTO=1 192.168.1.2:3 24.83.28.213:3 L=56 S=0x00 I=36609 F=0x T=109 (#10)
>
> But I must say that I do not know if ipsec was run at that time. And the rule 10 in input chain is:
>
> 10 0 0 DENY all l- 0xFF 0x00 eth0 192.168.0.0/16 0.0.0.0/0 n/

The error is probably due to trying to ping without IPSec running, but with some ipchains rules left over (like the forward rule that allows traffic between your two private networks) preventing your private source IP from being masqueraded on the way out.

> On left side (internal 192.168.9, wants to talk to 192.168.1 via ipsec)
>
> # ip route
> 192.168.3.0/24 dev eth3 proto kernel scope link src 192.168.3.254
> 192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254
> 192.168.1.0/24 via 24.83.28.1 dev ipsec0
> 192.168.9.0/24 dev eth1 proto kernel scope link src 192.168.9.254
> 24.83.28.0/22 dev eth0 proto kernel scope link src 24.83.28.213
> 24.83.28.0/22 dev ipsec0 proto kernel scope link src 24.83.28.213
> default via 24.83.28.1 dev eth0
>
> and right side (internal 192.168.1, wants to talk to 192.168.9 via ipsec):
>
> # ip route
> 192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254
> 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
> 192.168.9.0/24 via 24.76.92.1 dev ipsec0
> 24.76.92.0/22 dev eth0 proto kernel scope link src 24.76.93.9
> 24.76.92.0/22 dev ipsec0 proto kernel scope link src 24.76.93.9
> default via 24.76.92.1 dev eth0

Well, both of these look OK. Packets destined for the remote end of the VPN are being routed to ipsec0, where they should be encrypted and sent along their merry way.

Did you try inserting the logging rules for protocol 50 ESP traffic? What (if any) results did you get?

I suspect something is filtering traffic between your two firewalls...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
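The route check Charles performs by eye (the far end of the VPN must be reached through the ipsec device, not the plain ethernet device) can be automated against `ip route` output. This is an added example, not code from the thread or from FreeS/WAN; the sample table is the left gateway's table as posted above, re-typed as a constructed string, and the longest-prefix lookup is a simplified model of the kernel's route selection (no metrics, no policy routing).

```python
"""Added example: verify from `ip route` output that traffic for the remote
VPN subnet is routed to the ipsec interface. Python 3, standard library only."""
import ipaddress
import re

# dst [via gw] dev name ...   (enough for the lines FreeS/WAN and the kernel write)
ROUTE_RE = re.compile(r"^(?P<dst>default|[\d./]+)(?: via (?P<via>[\d.]+))? dev (?P<dev>\S+)")

# Left gateway's table from the thread, constructed here as a sample string.
LEFT_IP_ROUTE = """\
192.168.3.0/24 dev eth3 proto kernel scope link src 192.168.3.254
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254
192.168.1.0/24 via 24.83.28.1 dev ipsec0
192.168.9.0/24 dev eth1 proto kernel scope link src 192.168.9.254
24.83.28.0/22 dev eth0 proto kernel scope link src 24.83.28.213
24.83.28.0/22 dev ipsec0 proto kernel scope link src 24.83.28.213
default via 24.83.28.1 dev eth0
"""


def parse_ip_route(text):
    """List of (destination network, gateway or None, device) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m["dst"] == "default" else m["dst"]
        routes.append((ipaddress.ip_network(dst, strict=False), m["via"], m["dev"]))
    return routes


def route_for(routes, target):
    """Longest-prefix match: the route the kernel would pick for `target`
    (a host address or a subnet), or None when nothing covers it."""
    target = ipaddress.ip_network(target, strict=False)
    best = None
    for dst, via, dev in routes:
        if target.subnet_of(dst) and (best is None or dst.prefixlen > best[0].prefixlen):
            best = (dst, via, dev)
    return best


def check_vpn_route(ip_route_text, remote_subnet):
    """'ok' when the remote subnet leaves through an ipsec* device; otherwise
    a one-line description of why the tunnel cannot be carrying that traffic."""
    best = route_for(parse_ip_route(ip_route_text), remote_subnet)
    if best is None:
        return f"no route at all for {remote_subnet}"
    dst, via, dev = best
    if not dev.startswith("ipsec"):
        # Matching only the default route (or an ethernet route) means packets
        # for the far end bypass KLIPS and leave unencrypted, or are masqueraded.
        return f"{remote_subnet} goes out {dev} in the clear (matched {dst}); FreeS/WAN did not install its route"
    return "ok"


if __name__ == "__main__":
    print(check_vpn_route(LEFT_IP_ROUTE, "192.168.1.0/24"))
    print(route_for(parse_ip_route(LEFT_IP_ROUTE), "192.168.1.202"))
```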
Re: [Leaf-user] VPN error, please help
Hi Charles, MLu

> Look at your local routing setup (ip route or netstat -nr). Make sure there is a route directing packets destined for the far end of the VPN to the ipsec device.

Ok, so what you are saying is that on the ipsec router, I should associate the external private subnet with device ipsec0, ie

route add -net 172.168.44.0 netmask 255.255.0.0 dev ipsec0

That is, don't forward the external private subnet to the external IP or the external device, but ipsec0. I think from this I also need to turn on bidirectional IP forwarding (ipchains) between masq'ed subnets. I had turned this on before, but I don't think the previous route add statement is set. Doing this from 30 miles away makes it a bit harder.

Thanks for your help,
Jon

> From: Jonathan French [EMAIL PROTECTED]
> > I'm having similar problems, and have found this thread helpful. I've been wondering, do we have to declare the routing on the gateways, or shouldn't ipsec handle this?
>
> FreeS/WAN handles setting up routes for the VPN link (ie traffic to the far end of the VPN gets routed to ipsec0), but you still have to setup basic networking (including routing) on the VPN gateway, as well as duplicate some routing information in FreeS/WAN's configuration file (due to limitations with the 2.0 series kernel, initial versions of FreeS/WAN were unable to use the kernel's routing information, so this had to be duplicated in the FreeS/WAN configs...this will be fixed in the next major re-write of KLIPS, the kernel IPSec code).
>
> > Also, what if the ipsec router is not the default gateway for a machine that you are trying to ping from elsewhere? Do the pings try to return through the wrong router?
>
> If the VPN gateway is *NOT* the default router for the subnet, EACH AND EVERY HOST that wants to talk to the remote end of the VPN needs a static route directing those packets to the VPN gateway. Your life will be *MUCH* easier if the VPN gateway is also the default gateway for your subnet.
>
> If you are required to use an alternate firewall for some reason, you may find a series configuration might work better than trying to parallel the VPN gateway and your existing firewall, ie:
>
>     internet
>         |
>     firewall
>         |
>     VPN Gateway
>         |
>     internal network
>
> Rather than:
>
>          internet
>              |
>         +----+--\
>         |        |
>     firewall  VPN Gateway
>         |        |
>         +----+--/
>              |
>       internal network
>
> If your firewall is fancy enough, you may also be able to setup something like:
>
>     internet
>         |
>     firewall --- VPN Gateway
>         |
>     internal network
>
> Where you add a static route to the firewall (forwarding internal network -> VPN traffic to the VPN gateway), and port-forward, NAT, or otherwise route inbound IPSec traffic to the VPN gateway box, as well.
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] VPN error, please help
> > Look at your local routing setup (ip route or netstat -nr). Make sure there is a route directing packets destined for the far end of the VPN to the ipsec device.
>
> Ok, so what you are saying is that on the ipsec router, I should associate the external private subnet with device ipsec0, ie
>
> route add -net 172.168.44.0 netmask 255.255.0.0 dev ipsec0
>
> That is, don't forward the external private subnet to the external IP or the external device, but ipsec0. I think from this I also need to turn on bidirectional IP forwarding (ipchains) between masq'ed subnets. I had turned this on before, but I don't think the previous route add statement is set. Doing this from 30 miles away makes it a bit harder.

You *DO* have to add firewall rules to allow the packets to be forwarded, and the IPSec traffic to get in/out of the box. You should *NOT* have to directly play with any routing...the FreeS/WAN scripts should set all the routing up when the connections get built.

NOTE: If you have [left|right]firewall=yes, you shouldn't have to worry about the firewall rules either...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] VPN error, please help
Hi Charles,

Thanks, leftfirewall=yes lets me ping a machine on the other subnet now. I think I added a few too many extra ipchains rules, but now that it is working I can back off on them.

- Jon

Charles Steinkuehler wrote:
> > > Look at your local routing setup (ip route or netstat -nr). Make sure there is a route directing packets destined for the far end of the VPN to the ipsec device.
> >
> > Ok, so what you are saying is that on the ipsec router, I should associate the external private subnet with device ipsec0, ie
> >
> > route add -net 172.168.44.0 netmask 255.255.0.0 dev ipsec0
> >
> > That is, don't forward the external private subnet to the external IP or the external device, but ipsec0. I think from this I also need to turn on bidirectional IP forwarding (ipchains) between masq'ed subnets. I had turned this on before, but I don't think the previous route add statement is set. Doing this from 30 miles away makes it a bit harder.
>
> You *DO* have to add firewall rules to allow the packets to be forwarded, and the IPSec traffic to get in/out of the box. You should *NOT* have to directly play with any routing...the FreeS/WAN scripts should set all the routing up when the connections get built.
>
> NOTE: If you have [left|right]firewall=yes, you shouldn't have to worry about the firewall rules either...
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
RE: [Leaf-user] VPN error, please help
I think you are probably right. I do have forward rules to allow traffic between both my private 192.168.9 and 192.168.3. And those rules are added by myself in /etc/ipfilter.conf (based on what you did for DMZ, your DMZ is one-way, mine is 2-way). I will try to disable it asap, but my question is if I can still have traffic between my private networks and at the same time ipsec to remote private?

Also I think I should use your scripts /etc/ipchains.input, /etc/ipchains.forward /etc/ipchains.output for those rules rather than inventing my own (and messing up things -:() but I cannot find them as examples. Could you help in this regard.

And yes, I try to log protocol 50 and even 51 but nothing showed in my log. Again something is wrong here too.

Thanks.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charles Steinkuehler
Sent: Thursday, April 25, 2002 8:47 AM
To: MLU
Cc: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] VPN error, please help

> The error is probably due to trying to ping without IPSec running, but with some ipchains rules left over (like the forward rule that allows traffic between your two private networks) preventing your private source IP from being masqueraded on the way out.
>
> > On left side (internal 192.168.9, wants to talk to 192.168.1 via ipsec)
> >
> > # ip route
> > 192.168.3.0/24 dev eth3 proto kernel scope link src 192.168.3.254
> > 192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254
> > 192.168.1.0/24 via 24.83.28.1 dev ipsec0
> > 192.168.9.0/24 dev eth1 proto kernel scope link src 192.168.9.254
> > 24.83.28.0/22 dev eth0 proto kernel scope link src 24.83.28.213
> > 24.83.28.0/22 dev ipsec0 proto kernel scope link src 24.83.28.213
> > default via 24.83.28.1 dev eth0
> >
> > and right side (internal 192.168.1, wants to talk to 192.168.9 via ipsec):
> >
> > # ip route
> > 192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254
> > 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
> > 192.168.9.0/24 via 24.76.92.1 dev ipsec0
> > 24.76.92.0/22 dev eth0 proto kernel scope link src 24.76.93.9
> > 24.76.92.0/22 dev ipsec0 proto kernel scope link src 24.76.93.9
> > default via 24.76.92.1 dev eth0
>
> Well, both of these look OK. Packets destined for the remote end of the VPN are being routed to ipsec0, where they should be encrypted and sent along their merry way.
>
> Did you try inserting the logging rules for protocol 50 ESP traffic? What (if any) results did you get?
>
> I suspect something is filtering traffic between your two firewalls...
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] VPN error, please help
> After making the RSA right, I restarted the ipsec service on both sides and then I try to ping a machine on 192.168.1.x from 192.168.9.x subnet but the ping times out and there is nothing in auth.log or syslog suggesting a reason. Could you please suggest what I should look at now? I am including the log messages and the config files.
>
> BTW, both ends have dynamic IPs but they do not change for a long time. The left, leftnexthop, right and rightnexthop are extracted from the file /var/state/dhcp/dhclient.leases

Well, it looks like your tunnel is coming up, so I'd look at firewalling rules. The behavior you're seeing can be caused if protocol 50 packets are being denied or rejected by one (or both) of the firewalls. Since you're not setting [left|right]firewall=yes, you need to make sure you're allowing the ESP (protocol 50) packets between the firewalls. Check /var/log/messages for denied packets, and the output of "net ipfilter list" for non-zero counts beside any deny/reject rules.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
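The two checks Charles asks for, denied packets in /var/log/messages and non-zero counters beside deny/reject rules in `net ipfilter list`, are mechanical enough to script. The block below is an added example, not code from the thread or from LEAF: it parses ipchains `Packet log:` lines in the format MLU quoted earlier and flags drops of the tunnel's own traffic (ESP protocol 50, AH protocol 51, IKE on UDP 500) between the two gateway addresses, and it picks DENY/REJECT rules with a non-zero packet count out of an `ipchains -L -v -n` style listing. The sample log lines and listing are constructed; the left gateway address is the thread's 24.83.28.213 and the right gateway is assumed to be 24.76.93.9.

```python
"""Added example: triage ipchains logs and rule counters for a FreeS/WAN
gateway whose tunnel comes up but carries no traffic. Python 3, stdlib only."""
import re
from dataclasses import dataclass

# ipchains kernel log line, e.g.
# Packet log: input DENY eth0 PROTO=50 24.76.93.9:65535 24.83.28.213:65535 L=136 ... (#27)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) .*?\(#(?P<rule>\d+)\)"
)
ADDR_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")
IPSEC_PROTO = {50: "ESP", 51: "AH"}

# Assumed gateway pair: left is from the thread, right is a constructed value.
GATEWAYS = {"24.83.28.213", "24.76.93.9"}


@dataclass
class Finding:
    what: str      # ESP, AH or IKE
    chain: str     # input / output / forward
    rule: int      # rule number that matched, from the trailing (#N)
    src: str
    dst: str


def parse_packet_log(line):
    """Fields of one ipchains 'Packet log:' line as a dict, or None."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def ipsec_drops(lines, gateways):
    """Denied/rejected packets that are the IPSec link itself (ESP, AH or
    IKE) exchanged between the two gateway addresses, in log order."""
    findings = []
    for line in lines:
        rec = parse_packet_log(line)
        if rec is None or rec["action"] not in ("DENY", "REJECT"):
            continue
        if not (rec["src"] in gateways and rec["dst"] in gateways):
            continue  # host traffic, not the tunnel between the gateways
        proto = int(rec["proto"])
        if proto in IPSEC_PROTO:
            what = IPSEC_PROTO[proto]
        elif proto == 17 and "500" in (rec["sport"], rec["dport"]):
            what = "IKE"
        else:
            continue
        findings.append(Finding(what, rec["chain"], int(rec["rule"]), rec["src"], rec["dst"]))
    return findings


def nonzero_deny_rules(listing):
    """(pkts, target, source, destination) for every DENY/REJECT rule in an
    ipchains -L -v -n listing whose packet counter is non-zero. Source and
    destination are taken as the first two address-looking tokens after the
    protocol column, so blank mark/outsize columns do not shift them."""
    hits = []
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].isdigit():
            continue  # chain banner or column header
        pkts, target = int(f[0]), f[2]
        addrs = [t for t in f[3:] if ADDR_RE.match(t)]
        if target in ("DENY", "REJECT") and pkts > 0 and len(addrs) >= 2:
            hits.append((pkts, target, addrs[0], addrs[1]))
    return hits


# Constructed samples in the formats quoted in the thread.
SAMPLE_LOG = """\
Apr 23 19:14:06 router kernel: Packet log: input DENY eth0 PROTO=1 192.168.1.2:3 24.83.28.213:3 L=56 S=0x00 I=36609 F=0x0000 T=109 (#10)
Apr 25 08:02:11 router kernel: Packet log: input DENY eth0 PROTO=50 24.76.93.9:65535 24.83.28.213:65535 L=136 S=0x00 I=4122 F=0x0000 T=52 (#27)
Apr 25 08:02:12 router kernel: Packet log: output ACCEPT eth0 PROTO=17 24.83.28.213:500 24.76.93.9:500 L=204 S=0x00 I=4123 F=0x0000 T=64 (#3)
Apr 25 08:02:13 router kernel: Packet log: input DENY eth0 PROTO=17 24.76.93.9:500 24.83.28.213:500 L=204 S=0x00 I=4124 F=0x0000 T=52 (#27)
"""
SAMPLE_LISTING = """\
Chain input (policy DENY: 3 packets, 734 bytes):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source          destination     ports
    0     0 DENY   icmp l----- 0xFF 0x00 *                   0.0.0.0/0       0.0.0.0/0       5 ->   *
   13   528 DENY   all  l----- 0xFF 0x00 eth0                10.0.0.0/8      0.0.0.0/0       n/a
    5   280 DENY   all  l----- 0xFF 0x00 eth0                192.168.0.0/16  0.0.0.0/0       n/a
11940 2123K ACCEPT udp  ------ 0xFF 0x00 eth0                0.0.0.0/0       0.0.0.0/0       * ->   500
    0     0 ACCEPT 50   ------ 0xFF 0x00 eth0                0.0.0.0/0       0.0.0.0/0       n/a
"""

if __name__ == "__main__":
    for f in ipsec_drops(SAMPLE_LOG.splitlines(), GATEWAYS):
        print(f"{f.what} {f.src} -> {f.dst} dropped in {f.chain} by rule #{f.rule}")
    for pkts, target, src, dst in nonzero_deny_rules(SAMPLE_LISTING):
        print(f"{target} {src} -> {dst} has matched {pkts} packets")
```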
Re: [Leaf-user] VPN error, please help
Hi Charles and Lynn. Thank you for your suggestions. Things are not changed much after I did the following as you advised: - As per Lynn's remark, I now use only one /etc/ipsec.conf on both sides. The FreeSWAN doc said that you may need to change the line interfaces=, but they are identical in this case too, i.e. both use eth0. So only the ipsec.secrets are different. - The ping I did was done on an internal machine behind the firewall, 192.168.9.204, not on the gateway (192.168.9.254). From there I tried to ping 192.168.1.202, another machine behind the remote gateway. - I removed ip_masq_ipsec from /etc/modules. I also set eth0_IP_SPOOF=NO in /etc/network.conf - I saw some suspicious variables in /etc/network.conf but not sure if they affect anything in my case: # Accept ICMP Redirects on ALL interfaces, also depends on /proc # per interface IP forwarding flag. - YES/NO ALLIF_ACCEPT_REDIRECTS=NO ... # Need these both for interfaces run by daemons - ie PPP, CIPE, some # WAN interfaces # IP spoofing protection by default for interfaces - YES/NO DEF_IP_SPOOF=YES ... eth1_IPADDR=192.168.1.254 eth1_MASKLEN=24 eth1_BROADCAST=192.168.1.255 eth1_IP_SPOOF=YES ... - After pinging, I saw nothing particular in /var/log/auth.log nor in /var/log/messages on both sides. - I think I have protocol 50, 51 and UDP port 500 set in /etc/network.conf, but for sure I list the partial output from net ipfilter list. You may see something wrong I have here. 
Extern IP: 24.83.28.213
Chain input (policy DENY: 3 packets, 734 bytes):
 pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
    0     0 DENY   icmp l-  0xFF 0x00 *    0.0.0.0/0 0.0.0.0/0 5 -> *
    0     0 DENY   icmp l-  0xFF 0x00 *    0.0.0.0/0 0.0.0.0/0 13 -> *
    0     0 DENY   icmp l-  0xFF 0x00 *    0.0.0.0/0 0.0.0.0/0 14 -> *
    0     0 DENY   all  l-  0xFF 0x00 eth0 0.0.0.0 0.0.0.0/0 n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0 255.255.255.255 0.0.0.0/0 n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0 127.0.0.0/8 0.0.0.0/0 n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0 224.0.0.0/4 0.0.0.0/0 n/a
   13   528 DENY   all  l-  0xFF 0x00 eth0 10.0.0.0/8 0.0.0.0/0 n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0 172.16.0.0/12 0.0.0.0/0 n/a
    5   280 DENY   all  l-  0xFF 0x00 eth0 192.168.0.0/16 0.0.0.0/0 n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0 0.0.0.0/8 0.0.0.0/0 n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0 128.0.0.0/16 0.0.0.0/0 n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0 191.255.0.0/16 0.0.0.0/0 n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0 192.0.0.0/24 0.0.0.0/0 n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0 223.255.255.0/24 0.0.0.0/0 n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0 240.0.0.0/4 0.0.0.0/0 n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0 192.168.9.0/24 0.0.0.0/0 n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0 192.168.3.0/24 0.0.0.0/0 n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0 24.83.28.213 0.0.0.0/0 n/a
    0     0 REJECT all  l-  0xFF 0x00 eth0 0.0.0.0/0 127.0.0.0/8 n/a
    0     0 REJECT all  l-  0xFF 0x00 eth0 0.0.0.0/0 192.168.9.0/24 n/a
...
11940 2123K ACCEPT udp  --  0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 500
    0     0 DENY   udp  --  0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 67
46676 7613K ACCEPT udp  --  0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 1024:65535
  466 61519 ACCEPT icmp --  0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> *
    0     0 ACCEPT ospf --  0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0
Re: [Leaf-user] VPN error, please help
> Thank you for your suggestions. Things have not changed much after I did the following as you advised:
>
> - As per Lynn's remark, I now use only one /etc/ipsec.conf on both sides. The FreeS/WAN doc said that you may need to change the line interfaces=, but they are identical in this case too, i.e. both use eth0. So only the ipsec.secrets are different.

The previous configuration files you had looked fine...the left & right portions on each end don't have to match, as long as each end can figure out whether it's supposed to be left or right as defined by its own local configuration file. It's perfectly OK to have both sides think they're left, and the other end is right, or vice versa...

> - The ping I did was done on an internal machine behind the firewall, 192.168.9.204, not on the gateway (192.168.9.254). From there I tried to ping 192.168.1.202, another machine behind the remote gateway.

Good...this is how you are supposed to test.

> - I removed ip_masq_ipsec from /etc/modules. I also set eth0_IP_SPOOF=NO in /etc/network.conf.

This is good as well...

> - I saw some suspicious variables in /etc/network.conf but I am not sure if they affect anything in my case:
>
>     # Accept ICMP Redirects on ALL interfaces, also depends on /proc
>     # per interface IP forwarding flag. - YES/NO
>     ALLIF_ACCEPT_REDIRECTS=NO
>     ...
>     # Need these both for interfaces run by daemons - ie PPP, CIPE, some
>     # WAN interfaces
>     # IP spoofing protection by default for interfaces - YES/NO
>     DEF_IP_SPOOF=YES
>     ...
>     eth1_IPADDR=192.168.1.254
>     eth1_MASKLEN=24
>     eth1_BROADCAST=192.168.1.255
>     eth1_IP_SPOOF=YES
>     ...

All this looks OK, and shouldn't affect your IPSec link on eth0.

> - After pinging, I saw nothing in particular in /var/log/auth.log nor in /var/log/messages on either side.
>
> - I think I have protocol 50, 51 and UDP port 500 set in /etc/network.conf, but to be sure I list the partial output from "net ipfilter list". You may see something wrong I have here.

It looks like you do have the required IPSec firewall rules in place:

> Extern IP: 24.83.28.213
> Chain input (policy DENY: 3 packets, 734 bytes):
>  pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
> 11940 2123K ACCEPT udp  --  0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 500
>     0     0 ACCEPT 50   --  0xFF 0x00 eth0 0.0.0.0/0 24.83.28.213 n/a
>     0     0 ACCEPT 51   --  0xFF 0x00 eth0 0.0.0.0/0 24.83.28.213 n/a

Based on everything you've reported so far, I would either suspect firewall rules on the remote gateway (you only listed one side, so there could be problems with the other end), or someone filtering IPSec traffic between your two boxes. *MANY* ISPs are beginning to filter IPSec traffic for folks who don't pay business class rates...it's easy to do, and usually prompts most actual businesses to spend 2-3 times more for services. You might want to check with local user groups, and/or any online forums discussing your particular ISP(s), and see if they might be dropping your IPSec traffic.

The symptoms you're reporting are very consistent with protocol 50 traffic not making it through the network between your two VPN boxes. I don't know of an easy way to test for this...with the two LEAF boxes at either end, probably the easiest thing to do is run the following commands on *BOTH* VPN gateways:

    ipchains -I input -p 50 -l
    ipchains -I output -p 50 -l

This will cause *ALL* ESP (protocol 50) packets to get logged when entering and leaving your firewall. If you see packets getting sent from one machine, but not being received by the other end, you'll know something is wrong, probably the ISP at one end or the other filtering the traffic...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
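The check Charles describes above (log every ESP packet on both gateways, then see whether what one end sent shows up at the other) is tedious to do by eye in /var/log/messages. The script below is an added example, not code from the thread or from the LEAF project: it parses the "Packet log:" lines that 2.2-era ipchains writes after the two `-l` rules are inserted (a rule with no target is assumed to be logged with `-` in the target column), counts protocol 50 packets per direction on each gateway, and pairs the sender's output-chain count with the receiver's input-chain count. The two gateway addresses are the ones quoted in this thread; the log lines themselves are constructed for the example and show one direction arriving intact and the other being lost in transit.

```python
"""Compare ESP (IP protocol 50) packet logs collected on two VPN gateways.

Added example, not LEAF/FreeS/WAN code. Assumes the ipchains "Packet log:" line
format written to /var/log/messages by Linux 2.2 kernels once rules such as
    ipchains -I input -p 50 -l
    ipchains -I output -p 50 -l
are in place; a rule without a target is assumed to be logged with "-".
"""
import re
from collections import Counter

ESP = 50  # IP protocol number of IPsec ESP

# chain, target, interface, protocol, src:port, dst:port.  ipchains prints a
# dummy port (65535) for protocols that have none, such as ESP.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):\d+"
)


def parse_ipchains(lines):
    """Return one dict per parsable ipchains log line; other lines are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["proto"] = int(rec["proto"])
            records.append(rec)
    return records


def esp_counts(lines):
    """Count ESP packets per (chain, src, dst) as seen by one gateway."""
    counts = Counter()
    for rec in parse_ipchains(lines):
        if rec["proto"] == ESP:
            counts[(rec["chain"], rec["src"], rec["dst"])] += 1
    return counts


def compare_esp(log_a, ip_a, log_b, ip_b):
    """Per direction: (packets the sender logged leaving, packets the receiver logged arriving)."""
    ca, cb = esp_counts(log_a), esp_counts(log_b)
    return {
        (ip_a, ip_b): (ca[("output", ip_a, ip_b)], cb[("input", ip_a, ip_b)]),
        (ip_b, ip_a): (cb[("output", ip_b, ip_a)], ca[("input", ip_b, ip_a)]),
    }


def diagnose(result):
    """Classify each direction: ok, lost in transit, or never sent at all."""
    verdict = {}
    for direction, (sent, seen) in result.items():
        if sent == 0:
            verdict[direction] = "nothing sent: this end is not putting traffic into the tunnel"
        elif seen < sent:
            verdict[direction] = "dropped in transit: ESP is being filtered between the gateways"
        else:
            verdict[direction] = "ok"
    return verdict


GW_A, GW_B = "24.76.93.9", "24.83.28.213"  # external addresses quoted in the thread

# Constructed sample logs (not real captures): A sends 3 ESP packets and B sees
# all 3; B sends 3 back and A sees none of them.  The UDP/500 line shows that
# unrelated IKE traffic is parsed but ignored by the ESP tally.
_A = "Apr 23 12:41:00 router kernel: Packet log: output - eth0 PROTO=50 24.76.93.9:65535 24.83.28.213:65535 L=116 S=0x00 I=0 F=0x0000 T=64 (#1)"
_B_IN = "Apr 23 12:41:00 router kernel: Packet log: input - eth0 PROTO=50 24.76.93.9:65535 24.83.28.213:65535 L=116 S=0x00 I=0 F=0x0000 T=54 (#1)"
_B_OUT = "Apr 23 12:41:01 router kernel: Packet log: output - eth0 PROTO=50 24.83.28.213:65535 24.76.93.9:65535 L=116 S=0x00 I=0 F=0x0000 T=64 (#1)"
LOG_A = [_A, _A, _A,
         "Apr 23 12:41:02 router kernel: Packet log: input ACCEPT eth0 PROTO=17 24.83.28.213:500 24.76.93.9:500 L=304 S=0x00 I=0 F=0x0000 T=54 (#12)"]
LOG_B = [_B_IN, _B_IN, _B_IN, _B_OUT, _B_OUT, _B_OUT]

if __name__ == "__main__":
    for direction, verdict in diagnose(compare_esp(LOG_A, GW_A, LOG_B, GW_B)).items():
        print(f"{direction[0]} -> {direction[1]}: {verdict}")
```

In practice you would feed each gateway's `grep 'PROTO=50' /var/log/messages` output into `LOG_A` and `LOG_B`; a direction that is sent but never received points at filtering somewhere between the two boxes, while a direction with nothing sent at all means the sending gateway is not routing the subnet traffic into ipsec0 in the first place.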
Re: [Leaf-user] VPN error, please help
I strongly hope that it's my mistake somewhere and not the ISP's. If the ISP blocks IPSEC, could I connect to my office's VPN server? I could still do that before this experiment (removing the ipsec module...).

The bad (and probably good :-)) news is that I do not see anything logged in /var/log/messages on my site after I ping the other site.

Lynn mentioned that "But more likely, the route to the correct local subnet on each machine is missing". How can I detect that and how do I fix it?

Thank you.

-- Original Message --
From: Charles Steinkuehler [EMAIL PROTECTED]
Date: Wed, 24 Apr 2002 12:58:55 -0500

> Based on everything you've reported so far, I would either suspect firewall rules on the remote gateway (you only listed one side, so there could be problems with the other end), or someone filtering IPSec traffic between your two boxes. *MANY* ISPs are beginning to filter IPSec traffic for folks who don't pay business class rates...it's easy to do, and usually prompts most actual businesses to spend 2-3 times more for services. You might want to check with local user groups, and/or any online forums discussing your particular ISP(s), and see if they might be dropping your IPSec traffic.
>
> The symptoms you're reporting are very consistent with protocol 50 traffic not making it through the network between your two VPN boxes. I don't know of an easy way to test for this...with the two LEAF boxes at either end, probably the easiest thing to do is run the following commands on *BOTH* VPN gateways:
>
>     ipchains -I input -p 50 -l
>     ipchains -I output -p 50 -l
>
> This will cause *ALL* ESP (protocol 50) packets to get logged when entering and leaving your firewall. If you see packets getting sent from one machine, but not being received by the other end, you'll know something is wrong, probably the ISP at one end or the other filtering the traffic...
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] VPN error, please help
> I strongly hope that it's my mistake somewhere and not the ISP's. If the ISP blocks IPSEC, could I connect to my office's VPN server? I could still do that before this experiment (removing the ipsec module...).
>
> The bad (and probably good :-)) news is that I do not see anything logged in /var/log/messages on my site after I ping the other site.
>
> Lynn mentioned that "But more likely, the route to the correct local subnet on each machine is missing". How can I detect that and how do I fix it?

Look at the output of ip addr, ip route, ipsec look, and ipsec barf to check your network/VPN setup. Fixing any problems depends on exactly what's wrong...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] VPN error, please help
Hi Charles & MLu,

I'm having similar problems, and have found this thread helpful. I've been wondering, do we have to declare the routing on the gateways, or shouldn't ipsec handle this? Also, what if the ipsec router is not the default gateway for a machine that you are trying to ping from elsewhere? Do the pings try to return through the wrong router?

- Jon

Charles Steinkuehler wrote:
> > I strongly hope that it's my mistake somewhere and not the ISP's. If the ISP blocks IPSEC, could I connect to my office's VPN server? I could still do that before this experiment (removing the ipsec module...).
> >
> > The bad (and probably good :-)) news is that I do not see anything logged in /var/log/messages on my site after I ping the other site.
> >
> > Lynn mentioned that "But more likely, the route to the correct local subnet on each machine is missing". How can I detect that and how do I fix it?
>
> Look at the output of ip addr, ip route, ipsec look, and ipsec barf to check your network/VPN setup. Fixing any problems depends on exactly what's wrong...
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] VPN error, please help
I should probably amend that last statement - my current test setup is:

    192.168.2.X - ipsec gateway {default} - 2Wire firewall - SSH Sentinel

And I am experiencing the same problems that MLu mentioned. If I try to add a route on the subnet machines (ok, sigh, Windows), I get error 87. Do I even need to do this?

Thanks,
Jon
RE: [Leaf-user] VPN error, please help
I am still trying to figure out what the cause is. So far I believe that there must be something wrong in my network.conf (I have 2 internal, 1 DMZ, and for IPSEC testing I had to change 192.168.1 to 192.168.9, so I could have messed something up). If I understand correctly, ipsec should handle the routing. Charles, please correct me if I am wrong. If I find something I will send it to you and the list.

Thank you.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jonathan French
Sent: Wednesday, April 24, 2002 8:43 PM
To: Charles Steinkuehler
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Leaf-user] VPN error, please help

> Hi Charles & MLu,
>
> I'm having similar problems, and have found this thread helpful. I've been wondering, do we have to declare the routing on the gateways, or shouldn't ipsec handle this? Also, what if the ipsec router is not the default gateway for a machine that you are trying to ping from elsewhere? Do the pings try to return through the wrong router?
>
> - Jon
>
> Charles Steinkuehler wrote:
> > > I strongly hope that it's my mistake somewhere and not the ISP's. If the ISP blocks IPSEC, could I connect to my office's VPN server? I could still do that before this experiment (removing the ipsec module...).
> > >
> > > The bad (and probably good :-)) news is that I do not see anything logged in /var/log/messages on my site after I ping the other site.
> > >
> > > Lynn mentioned that "But more likely, the route to the correct local subnet on each machine is missing". How can I detect that and how do I fix it?
> >
> > Look at the output of ip addr, ip route, ipsec look, and ipsec barf to check your network/VPN setup. Fixing any problems depends on exactly what's wrong...
> >
> > Charles Steinkuehler
> > http://lrp.steinkuehler.net
> > http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] VPN error, please help
> Thank you very much, Charles, I will modify the RSA key in the config when I get home. In network.conf I have
>
>     EXTERN_PROTO0=50 0/0
>     EXTERN_PROTO1=51 0/0
>
> and
>
>     EXTERN_UDP_PORTS=0/0_500
>
> on both sides so I think I do not have to set firewall=yes, right?

You are correct. With the above entries in network.conf, you do not need FreeS/WAN to generate firewall holes for the IPSec packets.

An additional side benefit of using network.conf to create the firewall rules is you can modify your firewall rules while running (ie edit network.conf and run "net ipfilter reload") without bringing down any VPN tunnels. If you use the FreeS/WAN [left|right]firewall=yes to do this, you have to shut down IPSec, reload your firewall rules, then re-start ipsec.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] VPN error, please help
Thank you Charles.

After making the RSA right, I restarted the ipsec service on both sides and then I tried to ping a machine on 192.168.1.x from the 192.168.9.x subnet, but the ping times out and there is nothing in auth.log or syslog suggesting a reason. Could you please suggest what I should look at now? I am including the log messages and the config files. BTW, both ends have dynamic IPs but they do not change for a long time. The left, leftnexthop, right and rightnexthop are extracted from the file /var/state/dhcp/dhclient.leases.

Here is the auth.log after restarting the ipsec service:

# On 192.168.1.x
Apr 23 12:07:17 router Pluto[18965]: Starting Pluto (FreeS/WAN Version 1.91)
Apr 23 12:07:18 router Pluto[18965]: added connection description "Binh"
Apr 23 12:07:18 router Pluto[18965]: listening for IKE messages
Apr 23 12:07:18 router Pluto[18965]: adding interface ipsec0/eth0 24.76.93.9
Apr 23 12:07:18 router Pluto[18965]: loading secrets from "/etc/ipsec.secrets"
Apr 23 12:07:19 router Pluto[18965]: "Binh" #1: initiating Main Mode
Apr 23 12:07:19 router Pluto[18965]: some IKE message we sent has been rejected with ECONNREFUSED (kernel supplied no details)
   ^^^ probably because I started this before the other end
Apr 23 12:07:58 router Pluto[18965]: "Binh" #2: responding to Main Mode
Apr 23 12:07:59 router Pluto[18965]: "Binh" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established
Apr 23 12:07:59 router Pluto[18965]: "Binh" #3: responding to Quick Mode
Apr 23 12:07:59 router Pluto[18965]: "Binh" #3: STATE_QUICK_R2: IPsec SA established
Apr 23 12:08:29 router Pluto[18965]: "Binh" #1: STATE_MAIN_I4: ISAKMP SA established
Apr 23 12:08:29 router Pluto[18965]: "Binh" #4: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS
Apr 23 12:08:29 router Pluto[18965]: "Binh" #4: STATE_QUICK_I2: sent QI2, IPsec SA established

# On 192.168.9.x
Apr 23 12:07:58 router Pluto[11171]: Starting Pluto (FreeS/WAN Version 1.91)
Apr 23 12:07:58 router Pluto[11171]: added connection description "CuHoi"
Apr 23 12:07:58 router Pluto[11171]: listening for IKE messages
Apr 23 12:07:58 router Pluto[11171]: adding interface ipsec0/eth0 24.83.28.213
Apr 23 12:07:58 router Pluto[11171]: loading secrets from "/etc/ipsec.secrets"
Apr 23 12:07:58 router Pluto[11171]: "CuHoi" #1: initiating Main Mode
Apr 23 12:07:59 router Pluto[11171]: "CuHoi" #1: STATE_MAIN_I4: ISAKMP SA established
Apr 23 12:07:59 router Pluto[11171]: "CuHoi" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS
Apr 23 12:07:59 router Pluto[11171]: "CuHoi" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
Apr 23 12:08:29 router Pluto[11171]: "CuHoi" #3: responding to Main Mode
Apr 23 12:08:29 router Pluto[11171]: "CuHoi" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established
Apr 23 12:08:29 router Pluto[11171]: "CuHoi" #4: responding to Quick Mode
Apr 23 12:08:30 router Pluto[11171]: "CuHoi" #4: STATE_QUICK_R2: IPsec SA established

I also tried "ipsec look" on both sides and saw the following:

## On 192.168.1.x side
router Tue Apr 23 12:41:00 PDT 2002
192.168.1.0/24 -> 192.168.9.0/24 => [EMAIL PROTECTED] [EMAIL PROTECTED] (0)
ipsec0 -> eth0 mtu=16260(1500) -> 1500
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=out src=24.76.93.9 iv_bits=64bits iv=0xc6c1541a7d8b3da7 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=add(14,0,0)
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=in src=24.83.28.213 iv_bits=64bits iv=0xe22a68599253e1dc ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=add(14,0,0)
[EMAIL PROTECTED] IPIP: dir=in src=24.83.28.213 life(c,s,h)=add(14,0,0)
[EMAIL PROTECTED] IPIP: dir=out src=24.76.93.9 life(c,s,h)=add(14,0,0)
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 24.76.92.1 0.0.0.0 UG 0 0 0 eth0
192.168.9.0 24.76.92.1 255.255.255.0 UG 0 0 0 ipsec0
24.76.92.0 0.0.0.0 255.255.252.0 U 0 0 0 eth0
24.76.92.0 0.0.0.0 255.255.252.0 U 0 0 0 ipsec0

### On 192.168.9.x side
router Tue Apr 23 12:40:24 PDT 2002
192.168.9.0/24 -> 192.168.1.0/24 => [EMAIL PROTECTED] [EMAIL PROTECTED] (0)
ipsec0 -> eth0 mtu=16260(1500) -> 1500
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=in src=24.76.93.9 iv_bits=64bits iv=0x5d9e98819d25068d ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=add(106,0,0)
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=out src=24.83.28.213 iv_bits=64bits iv=0x603513885b325daf ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=add(106,0,0)
[EMAIL PROTECTED] IPIP: dir=in src=24.76.93.9 life(c,s,h)=add(106,0,0)
[EMAIL PROTECTED] IPIP: dir=out src=24.83.28.213 life(c,s,h)=add(106,0,0)
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 24.83.28.1 0.0.0.0 UG 0 0 0 eth0
192.168.1.0 24.83.28.1 255.255.255.0 UG 0 0 0 ipsec0
24.83.28.0 0.0.0.0 255.255.252.0 U 0 0
Re: [Leaf-user] VPN error, please help
On Tuesday 23 April 2002 14:57, MLU wrote:
> Thank you Charles. After making the RSA right, I restarted the ipsec service on both sides and then I tried to ping a machine on 192.168.1.x from the 192.168.9.x subnet, but the ping times out and there is nothing in auth.log or syslog suggesting a reason.

Funny, it appears that the tunnel has come up even though your left & right sides are not the same on both gateways... that normally doesn't happen (might be a problem). But more likely, the route to the correct local subnet on each machine is missing (I assume eth1). Using a Subnet-to-Subnet connection you cannot get the gateways to use the tunnel, they only route the local subnet traffic to the remote subnet... so any machine on the local subnet should be able to ping any machine on the remote subnet except the gateways themselves.

I hope this helps! :-)

--
~Lynn Avants
aka Guitarlynn
guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!
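Lynn's point above (a missing route to the local subnet on the gateway's internal interface) and Charles' earlier pointer to `ip route` / `ipsec look` both come down to reading a routing table. The script below is an added example, not code from the thread or from FreeS/WAN: it parses the netstat-style route section that `ipsec look` prints (Destination, Gateway, Genmask, Flags, ..., Iface) and checks the two routes a subnet-to-subnet tunnel needs, the remote subnet leaving via ipsec0 and the local subnet reachable on the LAN interface. The first sample table is the 192.168.1.x-side output quoted earlier in this thread with its column spacing restored; the second adds the eth1 route Lynn suspects is missing. Whether `ipsec look` on that FreeS/WAN version prints the whole kernel table is not something this example can settle, so confirm with `netstat -nr` or `ip route` as Charles suggests before acting on the result.

```python
"""Check a gateway routing table for the two routes a FreeS/WAN
subnet-to-subnet tunnel needs.

Added example, not from the thread or from FreeS/WAN.  Assumes the
"Destination Gateway Genmask Flags MSS Window irtt Iface" layout of
netstat -nr, which is also what "ipsec look" prints for its route section.
"""
import ipaddress


def parse_route_table(text):
    """Return (network, gateway, iface) for each data row; header and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0][0].isdigit():
            continue  # header row, separator, or truncated junk
        dest, gateway, genmask, iface = parts[0], parts[1], parts[2], parts[-1]
        routes.append((ipaddress.ip_network(f"{dest}/{genmask}"), gateway, iface))
    return routes


def check_routes(table, local_subnet, remote_subnet, lan_iface):
    """List of problems found; an empty list means both required routes are present."""
    local = ipaddress.ip_network(local_subnet)
    remote = ipaddress.ip_network(remote_subnet)
    routes = parse_route_table(table)
    problems = []

    # The remote subnet must be routed into the tunnel, i.e. out of ipsec0.
    remote_routes = [r for r in routes if r[0] == remote]
    if not remote_routes:
        problems.append(f"no route to remote subnet {remote}")
    elif not any(r[2] == "ipsec0" for r in remote_routes):
        problems.append(f"remote subnet {remote} is not routed via ipsec0 (via {remote_routes[0][2]})")

    # Replies coming back out of the tunnel need a route to the local LAN.
    if not any(r[0] == local and r[2] == lan_iface for r in routes):
        problems.append(f"no route to local subnet {local} on {lan_iface}")
    return problems


# Route section from the 192.168.1.x gateway as quoted in the thread, spacing restored.
TABLE_AS_POSTED = """\
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         24.76.92.1      0.0.0.0         UG    0   0      0    eth0
192.168.9.0     24.76.92.1      255.255.255.0   UG    0   0      0    ipsec0
24.76.92.0      0.0.0.0         255.255.252.0   U     0   0      0    eth0
24.76.92.0      0.0.0.0         255.255.252.0   U     0   0      0    ipsec0
"""

# Constructed variant: the same table with the LAN route that Lynn expects on eth1.
TABLE_WITH_LAN_ROUTE = TABLE_AS_POSTED + (
    "192.168.1.0     0.0.0.0         255.255.255.0   U     0   0      0    eth1\n"
)

if __name__ == "__main__":
    for name, table in (("as posted", TABLE_AS_POSTED), ("with eth1 route", TABLE_WITH_LAN_ROUTE)):
        print(name, "->", check_routes(table, "192.168.1.0/24", "192.168.9.0/24", "eth1") or "ok")
```

Run on the other gateway with the subnets swapped (local 192.168.9.0/24, remote 192.168.1.0/24); both ends need to pass before the ping test Lynn describes can work.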
Re: [Leaf-user] VPN error, please help
> Hello, I tried to connect 2 networks, both running DCD and IPSEC 1.91. One network is 192.168.3.x and the other is 192.168.9.x. After some effort, I made both IPSEC start up without error. Now pinging from 192.168.9 to 192.168.3 does not work. When I have a look at /var/log/auth.log, I see all messages with a pattern like:
>
> ---
> Apr 21 07:06:29 router Pluto[1575]: "Bin" #402: starting keying attempt 201 of an unlimited number
> Apr 21 07:06:29 router Pluto[1575]: "Bin" #404: initiating Main Mode
> Apr 21 07:06:39 router Pluto[1575]: "Bin" #404: discarding duplicate packet; already STATE_MAIN_I3
> Apr 21 07:06:43 router Pluto[1575]: "Bin" #405: responding to Main Mode
> Apr 21 07:06:43 router Pluto[1575]: "Bin" #403: max number of retransmissions (2) reached STATE_MAIN_R2
> Apr 21 07:06:44 router Pluto[1575]: "Bin" #405: no suitable connection for peer '@subnet9.btsoft.net'
> Apr 21 07:06:54 router Pluto[1575]: "Bin" #405: no suitable connection for peer '@subnet9.btsoft.net'
> Apr 21 07:06:59 router Pluto[1575]: "Bin" #404: discarding duplicate packet; already STATE_MAIN_I3
> Apr 21 07:07:14 router Pluto[1575]: "Bin" #405: no suitable connection for peer '@subnet9.btsoft.net'
> Apr 21 07:07:39 router Pluto[1575]: "Bin" #404: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
> ---
>
> What can be a reason?

This looks like a configuration file problem. The "no suitable connection for peer" error generally indicates there's a problem with your configuration file, so FreeS/WAN doesn't think it knows how to talk to the far end. This could be caused by a bad public RSA key...see below.

> Is it maybe something wrong with the key? The way I enter the key is:
>
> - I generated the key using "ipsec rsasigkey --verbose 512 > mykey". Then I inserted the file mykey into ipsec.secrets between the lines:
>
>     RSA {
>         # -- Create your own RSA key with "ipsec rsasigkey"
>         HERE the file mykey went
>         }
>     # do not change the indenting of that "}"

This sounds fine...

> - Then I copy the part after the line "Modulus: 0x5652..." and put it in the line leftrsasigkey (similar for rightrsasigkey with the other key) in ipsec.conf, so e.g. leftrsasigkey=0x5652... Is that OK or not?

This is *NOT* correct. The Modulus is *NOT* the public portion of the key. The part you want should be the line above this. When I run ipsec rsasigkey, I get a commented line (ie: #pubkey=0s12345...). The very large number after pubkey= is what you put in the IPSec configuration file.

NOTE: Earlier versions of FreeS/WAN used hex encoding (0x1234...) rather than the more compact 0s format...both numbers are identical to FreeS/WAN, they just differ in format (ie the difference between 255 and 0xFF).

> - Do I have to use leftfirewall=yes or not? From the archive and Charles' example, I do not see that, so I do not use this line.

You either need [left|right]firewall=yes, or you need to explicitly allow UDP port 500 and IP protocol 50/51 traffic to/from the machine at the other end of the VPN.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
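The mistake Charles corrects above (pasting the Modulus line instead of the #pubkey= line) is easy to make because both are long hex-looking numbers. The script below is an added example, not FreeS/WAN code: it pulls the #pubkey= value out of `ipsec rsasigkey`-style output, converts between the 0s (base64) and 0x (hex) spellings Charles mentions, and decodes the value to show why the modulus alone cannot work. The assumption behind it is that FreeS/WAN's 0s/0x public key is the RFC 2537 RSA key layout (exponent length, exponent, modulus) encoded in base64 or hex. The sample key and the rsasigkey output it sits in are constructed for the example (the "modulus" is filler, not a real key, and the secret lines rsasigkey prints after PublicExponent are left out).

```python
"""Extract and sanity-check the public key from "ipsec rsasigkey" output.

Added example, not FreeS/WAN's own code.  Assumption: the 0s form is base64 of
the RFC 2537 RSA public key (exponent length as one byte, or 0 followed by two
bytes; then the exponent; then the modulus), and the 0x form is the same bytes
in hex.  The Modulus: line is only the last of those three parts.
"""
import base64
import re


def decode_pubkey(text):
    """Raw bytes of a FreeS/WAN public key given as 0s... (base64) or 0x... (hex)."""
    text = text.strip()
    if text.startswith("0s"):
        return base64.b64decode(text[2:])
    if text.startswith("0x"):
        return bytes.fromhex(text[2:])
    raise ValueError("expected a 0s... or 0x... key")


def to_0s(raw):
    return "0s" + base64.b64encode(raw).decode("ascii")


def to_0x(raw):
    return "0x" + raw.hex()


def split_rfc2537(raw):
    """(exponent, modulus) from RFC 2537 bytes, or None when the layout is impossible."""
    if not raw:
        return None
    if raw[0] != 0:
        elen, off = raw[0], 1
    else:
        if len(raw) < 3:
            return None
        elen, off = int.from_bytes(raw[1:3], "big"), 3
    if elen == 0 or off + elen >= len(raw):  # exponent must fit and leave a modulus
        return None
    exponent = int.from_bytes(raw[off:off + elen], "big")
    return exponent, raw[off + elen:]


def looks_like_pubkey(text):
    """True when the value decodes to a plausible key: odd exponent > 1 and a modulus."""
    parts = split_rfc2537(decode_pubkey(text))
    return parts is not None and parts[0] > 1 and parts[0] % 2 == 1


def pubkey_from_rsasigkey(output):
    """The value that belongs in leftrsasigkey=/rightrsasigkey=: the #pubkey= line."""
    m = re.search(r"^\s*#pubkey=(0[sx]\S+)", output, re.M)
    if not m:
        raise ValueError("no #pubkey= line found")
    return m.group(1)


# Constructed sample (not a real key): exponent 3 and 64 bytes of filler as the modulus.
MODULUS = b"\xc3" + bytes(range(1, 64))
PUBKEY_0S = to_0s(b"\x01\x03" + MODULUS)

# Constructed rsasigkey-style output; the secret lines after PublicExponent are omitted.
SAMPLE_RSASIGKEY_OUTPUT = f"""\
\t# RSA 512 bits   router   Tue Apr 23 12:00:00 2002
\t# for signatures only, UNSAFE FOR ENCRYPTION
\t#pubkey={PUBKEY_0S}
\tModulus: 0x{MODULUS.hex()}
\tPublicExponent: 0x03
"""


def demo():
    key = pubkey_from_rsasigkey(SAMPLE_RSASIGKEY_OUTPUT)
    exponent, modulus = split_rfc2537(decode_pubkey(key))
    return {
        "pubkey_line_is_valid": looks_like_pubkey(key),
        "modulus_line_is_valid": looks_like_pubkey("0x" + MODULUS.hex()),
        "hex_form": to_0x(decode_pubkey(key)),
        "exponent": exponent,
        "modulus_matches": modulus == MODULUS,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The 0x spelling of the same key starts with `0103`: one byte of exponent length, the exponent 3, then the modulus. Feeding the Modulus line through `looks_like_pubkey` fails because its first byte is read as an exponent length that does not fit, which is the structural reason the value pasted from the Modulus line can never authenticate the peer.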
RE: [Leaf-user] VPN error, please help
Thank you very much, Charles, I will modify the RSA key in the config when I get home. In the network.conf I have

    EXTERN_PROTO0=50 0/0
    EXTERN_PROTO1=51 0/0

and

    EXTERN_UDP_PORTS=0/0_500

on both sides so I think I do not have to set firewall=yes, right?

MLU

-Original Message-
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 22, 2002 2:35 PM
To: M Lu; [EMAIL PROTECTED]
Subject: Re: [Leaf-user] VPN error, please help

> > Then I copy the part after the line "Modulus: 0x5652..." and put it in the line leftrsasigkey (similar for rightrsasigkey with the other key) in ipsec.conf, so e.g. leftrsasigkey=0x5652... Is that OK or not?
>
> This is *NOT* correct. The Modulus is *NOT* the public portion of the key. The part you want should be the line above this. When I run ipsec rsasigkey, I get a commented line (ie: #pubkey=0s12345...). The very large number after pubkey= is what you put in the IPSec configuration file.
>
> NOTE: Earlier versions of FreeS/WAN used hex encoding (0x1234...) rather than the more compact 0s format...both numbers are identical to FreeS/WAN, they just differ in format (ie the difference between 255 and 0xFF).
>
> > - Do I have to use leftfirewall=yes or not? From the archive and Charles' example, I do not see that, so I do not use this line.
>
> You either need [left|right]firewall=yes, or you need to explicitly allow UDP port 500 and IP protocol 50/51 traffic to/from the machine at the other end of the VPN.
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)