Re: [leaf-user] More Bering IPSec questions ...
K.-P. Kirchdörfer said:
> On Monday, 10 February 2003 06:19, Mike Leone wrote:
>> OK; so I think I'm making progress ... Anyway, when ipsec starts, I get:
>>
>> # svi ipsec start
>> ipsec_setup: Starting FreeS/WAN IPsec 1.99...
>> ipsec_setup: Using /lib/modules/ipsec.o
>> ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
>> ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = , should be 0)
>>
>> However, I have changed /etc/network/options, and changed spoofprotect to no. Doesn't that turn off route filtering?
>
> It's set in shorewall configuration (interfaces(?)).

I thought it might, but the Bering docs indicate otherwise - that the easiest way is by changing /etc/network/options.

> If that's all the real tunnel config is missing, these are only the general settings for every tunnel you'll define.

Correct; the tunnel definition is missing. That's what I was asking about - what do I need to put here to make the tunnel work properly with a Pix using pre-shared keys. The examples I've found on the FreeS/WAN site are confusing and contradictory.

--
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Member, LEAF Project http://leaf.sourceforge.net
AIM: MikeLeone
Public Key - http://www.mike-leone.com/~turgon/turgon-public-key.asc
Registered Linux user# 201348

---
This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] More Bering IPSec questions ...
On Monday 10 February 2003 08:08 am, Michael Leone wrote:
>>> However, I have changed /etc/network/options, and changed spoofprotect to no. Doesn't that turn off route filtering?
>>
>> It's set in shorewall configuration (interfaces(?)).
>
> I thought it might, but the Bering docs indicate otherwise - that the easiest way is by changing /etc/network/options.
>
>> If that's all the real tunnel config is missing, these are only the general settings for every tunnel you'll define.
>
> Correct; the tunnel definition is missing. That's what I was asking about - what do I need to put here to make the tunnel work properly with a Pix using pre-shared keys. The examples I've found on the FreeS/WAN site are confusing and contradictory.

It would definitely be in your best interest to read the Shorewall Ipsec/VPN page on http://www.shorewall.net . IPSec definitely won't work with Shorewall unless you configure shorewall correctly. Do not use the 509 package if you are not using certs, the 509 package probably will not work with PSK's.

--
~Lynn Avants
Linux Embedded Firewall Project developer
http://leaf.sourceforge.net
Re: [leaf-user] More Bering IPSec questions ...
Lynn Avants said:
> It would definitely be in your best interest to read the Shorewall Ipsec/VPN page on http://www.shorewall.net . IPSec definitely won't work with Shorewall unless you configure shorewall correctly. Do not use

OK. Haven't gotten that far yet; was just following the Bering docs for the moment. And the samples linked off the FreeS/WAN page for connecting to a Pix didn't seem to match up with the simple (?) config I wanted, of PSKs between my Bering and the Pix.

> the 509 package if you are not using certs, the 509 package probably will not work with PSK's.

It won't? Shoot. I do want to move to using certs, both between my Pix and for any remote clients to my Bering box that I may have in future. But at the moment, I have PSKs to my Pix. I'd hate to have to redo all my configs when I do move to certs.

Ah, well. I do still have all the keys and certs and all on my main Linux box; I suppose it won't be too bad to move them again later. I'll load up the ipsec instead of the ipsec509, and see where it takes me.

Thanks.

--
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Member, LEAF Project http://leaf.sourceforge.net
AIM: MikeLeone
Public Key - http://www.mike-leone.com/~turgon/turgon-public-key.asc
Registered Linux user# 201348
Re: [leaf-user] More Bering IPSec questions ...
>>> However, I have changed /etc/network/options, and changed spoofprotect to no. Doesn't that turn off route filtering?
>>
>> It's set in shorewall configuration (interfaces(?)).
>
> I thought it might, but the Bering docs indicate otherwise - that the easiest way is by changing /etc/network/options.

Trust but verify. There has been a new release of shorewall on bering since I last touched or tested that doc. It could be that it is overriding the setting I recommended. Also, I have found that it really only matters in quite strange tunneling setups (like I was using at the time).

It could pay to understand what reverse path filtering actually does: If the packet comes in from a given source ip address on an interface that would not be used to send a packet to that address, the packet is dropped if rp_filter is set on the interface OR if it is set on all interfaces.

Example from Mobile IP: A foreign agent receives traffic on an ipip tunnel interface (tunl0) for delivery to a mobile node in his visitor list. The source address is someone on the internet (say, www.yahoo.com). If he were to send a packet to www.yahoo.com, it would be sent through eth0, his default route. rp_filter will drop this packet (in an excruciatingly silent manner) because it was received on tunl0 (when de-tunneled), but traffic sent to that host would be sent through eth0. That is what rp_filter means.

In practice, with ipsec, if you are using the %defaultroute command in ipsec.conf, you will probably not really need rp_filter disabled because all traffic coming in on the ipsecN interface will also be routed back out the same ipsec interface it came in on.

There you go.

--
Chad Carr [EMAIL PROTECTED]
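The rp_filter check that ipsec_setup performs, as an added example written for this thread (it is not from the Bering docs, Shorewall or the FreeS/WAN tree): a POSIX sh script that walks a /proc/sys/net/ipv4/conf-style tree and reports every rp_filter knob that is not exactly 0, including the all and default entries and an empty knob like the one in Mike's warning. The function names and the scratch tree it builds are this example's own. Two practical points it is built around: Shorewall writes rp_filter itself for interfaces carrying the routefilter option in /etc/shorewall/interfaces, so check the live values after Shorewall has started rather than trusting /etc/network/options; and how the all entry combines with the per-interface one has changed between kernel versions, so clear both rather than only eth0.

```shell
#!/bin/sh
# Added example for the rp_filter discussion above; not from the Bering
# docs or FreeS/WAN's ipsec_setup. Walks a /proc/sys/net/ipv4/conf-style
# tree and reports every rp_filter knob that is not exactly "0", including
# 'all' and 'default', and an empty knob like the one in the quoted warning.
# Point it at a scratch directory (as the demo below does) to try it unprivileged.

# rp_filter_value DIR IFACE: prints the knob's contents, or "missing".
rp_filter_value() {
    if [ -r "$1/$2/rp_filter" ]; then
        cat "$1/$2/rp_filter"
    else
        echo missing
    fi
}

# rp_filter_report DIR: prints "IFACE VALUE" for each knob that is not 0
# (an empty knob is shown as "(empty)"); exit status 1 if anything was printed.
rp_filter_report() {
    found=0
    for d in "$1"/*; do
        [ -d "$d" ] || continue
        iface=${d##*/}
        v=$(rp_filter_value "$1" "$iface")
        case "$v" in
            0) ;;
            "") echo "$iface (empty)"; found=1 ;;
            *)  echo "$iface $v"; found=1 ;;
        esac
    done
    return $found
}

# rp_filter_clear DIR IFACE: writes 0 to the knob (needs root on the real tree).
# How 'all' and the per-interface knob combine differs between kernel versions,
# so clear both and re-run the report instead of clearing eth0 alone.
rp_filter_clear() {
    echo 0 > "$1/$2/rp_filter"
}

# Constructed demo tree standing in for /proc/sys/net/ipv4/conf on a Bering
# box: 'all' and 'default' on, eth0 empty (as in the warning), the rest off.
DEMO=$(mktemp -d)
for i in all default eth0 eth1 ipsec0 lo; do mkdir -p "$DEMO/$i"; done
echo 1 > "$DEMO/all/rp_filter"
echo 1 > "$DEMO/default/rp_filter"
: > "$DEMO/eth0/rp_filter"
echo 0 > "$DEMO/eth1/rp_filter"
echo 0 > "$DEMO/ipsec0/rp_filter"
echo 0 > "$DEMO/lo/rp_filter"

echo "before:"
rp_filter_report "$DEMO" || echo "(some knobs still filter)"
for i in all default eth0; do rp_filter_clear "$DEMO" "$i"; done
echo "after:"
rp_filter_report "$DEMO" && echo "(all clear)"
# On a live box: rp_filter_report /proc/sys/net/ipv4/conf
```

Against a live box run rp_filter_report /proc/sys/net/ipv4/conf; rp_filter_clear only takes effect there as root, and Shorewall will set the value again at its next start if routefilter is still present for that interface in its interfaces file.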
Re: [leaf-user] More Bering IPSec questions ...
Michael Leone wrote:
> Lynn Avants said:
>> the 509 package if you are not using certs, the 509 package probably will not work with PSK's.
>
> It won't? Shoot. I do want to move to using certs, both between my Pix and for any remote clients to my Bering box that I may have in future. But at the moment, I have PSKs to my Pix. I'd hate to have to redo all my configs when I do move to certs.
>
> Ah, well. I do still have all the keys and certs and all on my main Linux box; I suppose it won't be too bad to move them again later. I'll load up the ipsec instead of the ipsec509, and see where it takes me.

I am unaware of any issue that would prevent you from continuing to use PSKs after switching to the 509 version of FreeS/WAN. As far as I know, PSKs work identically between the plain and x.509 patched versions.

What *DOES* change, however, is how RSA signature keys are handled. If you have multiple road-warrior clients running RSA encryption and migrate to the x.509 patched version, you will have to migrate your road-warriors to x.509 certs as well. I believe this has to do with the difficulty of identifying dynamic-IP connections at authentication time, prior to an encrypted tunnel being setup.

Connections between two ends with static IP's can authenticate with anything (certs, RSA keys, or PSKs) without issue. Since full connection specifications for these tunnels are available throughout the authentication process, there are no chicken and egg problems trying to figure out who you're talking to, and which connection description to use.

--
Charles Steinkuehler
[EMAIL PROTECTED]
Re: [leaf-user] More Bering IPSec questions ...
On Monday 10 February 2003 10:58 am, Charles Steinkuehler wrote:
> I am unaware of any issue that would prevent you from continuing to use PSKs after switching to the 509 version of FreeS/WAN. As far as I know, PSKs work identically between the plain and x.509 patched versions.

That might be, I thought the packages (after 1.91 anyway) would bomb out on initiation if the certs weren't loaded (or there) on the x509 package. In any case, it would be one less layer of possible problems until it tries to authenticate using PSK.

--
~Lynn Avants
Linux Embedded Firewall Project developer
http://leaf.sourceforge.net
Re: [leaf-user] More Bering IPSec questions ...
Lynn Avants ([EMAIL PROTECTED]) had this to say on 02/10/03 at 19:17:
> On Monday 10 February 2003 10:58 am, Charles Steinkuehler wrote:
>> I am unaware of any issue that would prevent you from continuing to use PSKs after switching to the 509 version of FreeS/WAN. As far as I know, PSKs work identically between the plain and x.509 patched versions.
>
> That might be, I thought the packages (after 1.91 anyway) would bomb out on initiation if the certs weren't loaded (or there) on the x509 package. In

Actually, I have the certs already, and they seem to be loading (which doesn't mean that they *work*, of course :-) And if not, almost certainly my error creating/configuring the certs). I think that if they load without error, I can then use PSKs instead of the certs, if I choose. Or use both, perhaps, depending on the tunnel config.

> any case, it would be one less layer of possible problems until it tries to authenticate using PSK.

Hopefully, we'll find out soon. I followed the Shorewall VPN document to the letter, and now will be trying to verify my ipsecrets.conf entries. (left is me, right is them - do I have that right? If so, I have all the entries, except for that rightnexthop .. is that the gateway entry for the other subnet?)
Re: [leaf-user] More Bering IPSec questions ...
On Monday 10 February 2003 06:31 pm, Mike Leone wrote:
> Hopefully, we'll find out soon. I followed the Shorewall VPN document to the letter, and now will be trying to verify my ipsecrets.conf entries. (left is me, right is them - do I have that right? If so, I have all the entries, except for that rightnexthop .. is that the gateway entry for the other subnet?)

rightnexthop would be the ISP's router (gateway) for the 'other' network. The external interfaces on the routers themselves are 'right'/'left'.

--
~Lynn Avants
Linux Embedded Firewall Project developer
http://leaf.sourceforge.net
Re: [leaf-user] More Bering IPSec questions ...
Lynn Avants ([EMAIL PROTECTED]) had this to say on 02/10/03 at 22:05:
> On Monday 10 February 2003 06:31 pm, Mike Leone wrote:
>> Hopefully, we'll find out soon. I followed the Shorewall VPN document to the letter, and now will be trying to verify my ipsecrets.conf entries. (left is me, right is them - do I have that right? If so, I have all the entries, except for that rightnexthop .. is that the gateway entry for the other subnet?)
>
> rightnexthop would be the ISP's router (gateway) for the 'other' network. The external interfaces on the routers themselves are 'right'/'left'.

That's about what I thought ... I'll have to check what the office Pix uses as a gateway. I do have the external IPs of both subnets.

Thanks; I'll post back the results, perhaps tomorrow.
Re: [leaf-user] More Bering IPSec questions ...
On Monday, 10 February 2003 06:19, Mike Leone wrote:
> OK; so I think I'm making progress ... Anyway, when ipsec starts, I get:
>
> # svi ipsec start
> ipsec_setup: Starting FreeS/WAN IPsec 1.99...
> ipsec_setup: Using /lib/modules/ipsec.o
> ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
> ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = , should be 0)
>
> However, I have changed /etc/network/options, and changed spoofprotect to no. Doesn't that turn off route filtering?

It's set in shorewall configuration (interfaces(?)).

> Also, Shorewall complains that the gw zone is empty. The zones file looks

That's no problem and described in shorewall docs.

> ipsec.conf:
>
> config setup
>         # THIS SETTING MUST BE CORRECT or almost nothing will work;
>         # %defaultroute is okay for most simple cases.
>         interfaces=%defaultroute
>         # Debug-logging controls: none for (almost) none, all for lots.
>         klipsdebug=none
>         plutodebug=none
>         # Use auto= parameters in conn descriptions to control startup actions.
>         plutoload=%search
>         plutostart=%search
>         # Close down old connection when new one using same ID shows up.
>         uniqueids=yes

If that's all the real tunnel config is missing, these are only the general settings for every tunnel you'll define.

kp
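The conn section this thread says is missing, with left, leftnexthop, right and rightnexthop filled in the way Lynn describes, as an added example written for this page (it is not from the Bering, Shorewall or FreeS/WAN docs): a POSIX sh script that writes a FreeS/WAN 1.99 style ipsec.conf and ipsec.secrets for a pre-shared-key tunnel into a scratch directory, then cross-checks that every conn using authby=secret has a PSK line whose index lists both peers' IDs. All addresses and subnets are RFC 5737 documentation placeholders, the secret is a dummy, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example for the thread above; not from the LEAF/Bering docs or the
# FreeS/WAN distribution. Every address, subnet and the secret are made-up
# placeholders for the Bering box, the office Pix and their ISP gateways.
WORK=$(mktemp -d)

# The conn section: 'left' is this Bering box's external address and
# 'leftnexthop' the ISP gateway it sends through; 'right' is the Pix's
# external address and 'rightnexthop' the gateway the Pix sends through.
# With interfaces=%defaultroute, left=%defaultroute and
# leftnexthop=%defaultroute let FreeS/WAN fill in the local side itself.
cat > "$WORK/ipsec.conf" <<'EOF'
config setup
        interfaces=%defaultroute
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn bering-to-pix
        left=192.0.2.10
        leftnexthop=192.0.2.1
        leftsubnet=10.1.0.0/24
        right=198.51.100.20
        rightnexthop=198.51.100.1
        rightsubnet=10.2.0.0/24
        authby=secret
        auto=start
EOF

# ipsec.secrets: both peers' IDs (their external addresses), a colon, the PSK.
# Keep it mode 0600; the Pix must be configured with the same string.
cat > "$WORK/ipsec.secrets" <<'EOF'
192.0.2.10 198.51.100.20 : PSK "replace-with-a-long-random-string"
EOF
chmod 600 "$WORK/ipsec.secrets"

# psk_covers SECRETS LEFT RIGHT: status 0 if some PSK line lists both IDs
# (or %any) before the colon. Index-less lines are not treated as matches.
psk_covers() {
    awk -v l="$2" -v r="$3" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /: *PSK/ {
        ids = substr($0, 1, index($0, ":") - 1)
        hl = 0; hr = 0
        m = split(ids, a, /[ \t]+/)
        for (i = 1; i <= m; i++) {
            if (a[i] == l || a[i] == "%any") hl = 1
            if (a[i] == r || a[i] == "%any") hr = 1
        }
        if (hl && hr) { found = 1; exit }
    }
    END { exit found ? 0 : 1 }' "$1"
}

# secret_conns CONF: prints "NAME LEFT RIGHT" for each conn with authby=secret.
# (%default inheritance is ignored; values must be set in the conn itself.)
secret_conns() {
    awk '
    function flush() {
        if (name != "" && name !~ /^%/ && authby == "secret") print name, left, right
        name = ""; left = ""; right = ""; authby = ""
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^conn[ \t]+/ { flush(); name = $2; next }
    /^[^ \t]/ { flush(); next }
    {
        sub(/^[ \t]+/, ""); n = index($0, "=")
        if (n == 0) next
        k = substr($0, 1, n - 1); sub(/[ \t]+$/, "", k)
        v = substr($0, n + 1); sub(/[ \t]+$/, "", v)
        if (k == "left") left = v
        else if (k == "right") right = v
        else if (k == "authby") authby = v
    }
    END { flush() }' "$1"
}

# check_psk_coverage CONF SECRETS: one line per PSK-authenticated conn;
# status 1 if any of them has no matching secret.
check_psk_coverage() {
    tmp=$(mktemp)
    secret_conns "$1" > "$tmp"
    rc=0
    while read -r name left right; do
        if psk_covers "$2" "$left" "$right"; then
            echo "$name: PSK present for $left <-> $right"
        else
            echo "$name: NO PSK for $left <-> $right"
            rc=1
        fi
    done < "$tmp"
    rm -f "$tmp"
    return $rc
}

check_psk_coverage "$WORK/ipsec.conf" "$WORK/ipsec.secrets"
```

Running it prints "bering-to-pix: PSK present for 192.0.2.10 <-> 198.51.100.20". If the secrets line were keyed on the LAN address instead of the external one, the same conn would be reported as NO PSK, a mismatch that Pluto would otherwise only tell you about at negotiation time. On a real box point the two arguments at /etc/ipsec.conf and /etc/ipsec.secrets.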
Re: [leaf-user] More bering/ipsec questions
On 8/20/02 10:22 AM, Tom Eastep [EMAIL PROTECTED] declared:
> I've also updated that page -- it was out of date in the respect that it talked about a 'gw' zone which was a Shorewall 1.[12] feature that was not carried forward to Shorewall 1.3. Hopefully it will be clearer now...
>
> Jeff -- please let me know if you are still having problems...

Tom,

Thank you for pointing me in the right direction. Thanks to your updated information I can now successfully connect (and disconnect) with both SSH Sentinel and a Linksys VPN appliance without issue. RTFM once again saves the day!

-Jeff Lush

---
This sf.net email is sponsored by: OSDN - Tired of that same old cell phone? Get a new here for FREE! https://www.inphonic.com/r.asp?r=sourceforge1refcode1=vs3390
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] More bering/ipsec questions
On Wed, 21 Aug 2002, Jeff Lush wrote:
> Thank you for pointing me in the right direction. Thanks to your updated information I can now successfully connect (and disconnect) with both SSH Sentinel and a Linksys VPN appliance without issue. RTFM once again saves the day!

Glad to hear that it's working -- in this case, I'm afraid that the FM wasn't very clear before I updated it... :-(

-Tom

--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]
Re: [leaf-user] More bering/ipsec questions
On Mon, 19 Aug 2002, Chad Carr wrote:
> On Mon, 19 Aug 2002 13:07:45 -0700 (PDT) Tom Eastep [EMAIL PROTECTED] wrote:
>> http://www.shorewall.net/IPSEC.htm. PLEASE folks -- at least _try_ to find this kind of thing on the Shorewall site before posting.
>
> Hey! I have a crazy idea! Why don't Lynn and I point to your site in our docs?

Sounds sensible

-Tom

--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]
Re: [leaf-user] More bering/ipsec questions
On Mon, 19 Aug 2002, Chad Carr wrote:
> On Mon, 19 Aug 2002 13:07:45 -0700 (PDT) Tom Eastep [EMAIL PROTECTED] wrote:
>> http://www.shorewall.net/IPSEC.htm. PLEASE folks -- at least _try_ to find this kind of thing on the Shorewall site before posting.
>
> Hey! I have a crazy idea! Why don't Lynn and I point to your site in our docs?

I've also updated that page -- it was out of date in the respect that it talked about a 'gw' zone which was a Shorewall 1.[12] feature that was not carried forward to Shorewall 1.3. Hopefully it will be clearer now...

Jeff -- please let me know if you are still having problems...

Thanks,
-Tom

--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]
Re: [leaf-user] More bering/ipsec questions
On Mon, 19 Aug 2002, Jeff Lush wrote:
> Hello all,
>
> I've got bering 1.0rc3 with ipsec509 up and running off a dual floppy install, but I'm having a bit of trouble. I'm using SSH Sentinel to connect from a win98 machine, and on the first connection, it works great; however, any connection attempts after that fail until I reset the firewall. Auth.log reports the following from the failed attempts:
>
> --
> Aug 18 12:27:09 firewall Pluto[4101]: ERROR: roadwarrior 207.137.114.112 #8: sendto on eth0 to 207.137.114.112:500 failed in STATE_MAIN_R0. Errno 1: Operation not permitted
> Aug 18 12:27:14 firewall Pluto[4101]: ERROR: roadwarrior 207.137.114.112 #3: sendto on eth0 to 207.137.114.112:500 failed in EVENT_RETRANSMIT. Errno 1: Operation not permitted
> --
>
> I've read (from guitarlynn's docs) that using leftfirewall=yes in the ipsec.conf can cause dropped tunnels to hang. Can this be what is happening here? If so, what manual rules should be added to shorewall to support ipsec connections?

http://www.shorewall.net/IPSEC.htm. PLEASE folks -- at least _try_ to find this kind of thing on the Shorewall site before posting.

-Tom

--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]
Re: [leaf-user] More bering/ipsec questions
On Mon, 19 Aug 2002 13:07:45 -0700 (PDT) Tom Eastep [EMAIL PROTECTED] wrote:
> http://www.shorewall.net/IPSEC.htm. PLEASE folks -- at least _try_ to find this kind of thing on the Shorewall site before posting.

Hey! I have a crazy idea! Why don't Lynn and I point to your site in our docs?

--
Chad Carr [EMAIL PROTECTED]