On Monday 20 January 2003 11:51 pm, Darren Schell wrote:
> Lynn,
>
> I have read your "Basic IPSec VPN HowTo" at
> http://leaf.sourceforge.net/devel/guitarlynn/ipsec.txt and have set out
> to set up a subnet to subnet scenario.  If you have the time to help me
> sort out why the VPN doesn't seem to work, I would appreciate it very much.

OK, it would be in your best interest to post to the leaf-user mailing-list,
since not only do I monitor the list, but so do others who may help you as
well as (or better than) I can, and possibly quicker. If you don't want to
subscribe, you can always check the archives of the list instead.

> My setup is the following:
>
> Sunrise     --   West   --     Internet    --   East      --  Sunset
> 192.168.1.0  192.168.1.254(int)           192.168.0.254(int) 192.168.0.1
>              209.107.110.181(ext)         209.107.104.142(ext)
>
> West and East are both plugged into a switch that has a DSL connection
> plugged in also.  They each get an IP address from my ISP via DHCP.
>  This is not the scenario I intend to use the VPN in, but I was hoping
> to be able to test it this way.  I get the same IP addresses from the
> ISP often enough to pretend that they're static for the purposes of
> testing.
>
> West and East are both running the Dachstein image you supplied on the
> sourceforge site that includes IPSec.
>
> Sunrise and Sunset are Windows boxes.
>
> I have a connection defined in ipsec.conf called vpn.
>
> If I do:
> ipsec auto --up vpn
>
> the results are:
> 104 "vpn" #1: STATE_MAIN_I1: initiate
> 106 "vpn" #1: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2; expecting MR2
> 108 "vpn" #1: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3; expecting MR3
> 004 "vpn" #1: STATE_MAIN_I4: ISAKMP SA established
> 112 "vpn" #2: STATE_QUICK_I1: initiate
> 004 "vpn" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
>
> My reading leads me to believe that this means that the VPN is
> successfully up and running.  However, when I try to ping Sunrise from
> Sunset or vice-versa, I get "Request timed out."

Yes, the tunnel has been authenticated; however, that doesn't mean that
any information has necessarily passed through the tunnel. Sunrise _cannot_
have the ip address 192.168.1.0, since it is a reserved address for routing:
change the last field to a 1-254 host number. I'm assuming that you are
pinging by ip address, since there is no name resolution (ie... WINS/bcast)
across the tunnel w/o adding something to do this. Is this correct?
Try changing the Sunrise ip address and see what happens.


> First, I am wondering if my configuration is correct.  The key bits are
> below (I've substituted in a relevant description for the ip addresses
> to make things clearer):
> config setup
>    interfaces=%defaultroute
>
> conn %default
>    type=tunnel
>    left=209.107.110.181
>    leftsubnet=192.168.1.0/24
>    leftnexthop=207.107.96.1 (default gateway of my isp)
>    leftfirewall=yes
>
> conn vpn
>    right=209.107.104.142
>    rightsubnet=192.168.0.0/24
>    rightnexthop=209.107.96.1
>    rightfirewall=yes
>    auto=add
>
> Is it correct to have "nexthop" set to the default gateway of the ISP?

Yes, the ISP's gateway is the nexthop. I wouldn't suggest using the
left/rightfirewall option, as you will need to restart the machine before
another tunnel can come up if one fails. How are you authenticating
the connection (ie... PSK, RSA)? This information should also be
in ipsec.conf.


> The results of route -n on East(192.168.0.254):
> Destination   Gateway       Genmask        Flags   Iface
> 192.168.1.0   209.107.96.1  255.255.255.0  UG      ipsec0
> 192.168.0.0   0.0.0.0       255.255.255.0  U       eth1
> 209.107.96.0  0.0.0.0       255.255.240.0  U       eth0
> 209.107.96.0  0.0.0.0       255.255.240.0  U       ipsec0
> 0.0.0.0       209.107.96.1  0.0.0.0        UG      eth0
>
> 209.107.96.1 is the default gateway (my ISP)
>
> I am able to ping East from Sunrise.  Oddly, I can't ping West from
> Sunset.  However, I had understood that the tunnel is really only
> supposed to work from Sunrise to Sunset, and that East and West can't
> communicate through the VPN without starting another tunnel.
>
> If you have any thoughts on what might be preventing me from pinging
> from Sunrise to Sunset, I would appreciate it.

You should be able to ping from host-to-gw through the internet, not the
tunnel. You should be able to ping Sunrise to Sunset, but not with an
ip address with the last field 0 or 255. Your understanding of the
tunnel communication is correct: for the gw's to talk to each other
(or anyone else), a host-to-host tunnel must be brought up.

The output of "ipsec barf" would be most useful if these suggestions
don't fix things. Check the LEAF FAQ "How do I request help?" for
easy ways of sending log files and config information w/o typing
it.

I hope this helps!
-- 
~Lynn Avants
Linux Embedded Appliance Firewall developer
http://leaf.sourceforge.net
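As an added example (not from the thread or the LEAF project), here is a small Python sanity check for a FreeS/WAN-style subnet-to-subnet conn covering two points raised above: a host behind the tunnel cannot use the network (.0) or broadcast (.255) address of its subnet, and each nexthop should sit on the gateways' external network. The parser and the %default inheritance are this example's own simplification, and the external network 209.107.96.0/20 is read off the quoted route -n output; run against the config as quoted, it flags that leftnexthop 207.107.96.1 is not on that network, whereas rightnexthop and the "default gateway" remark both give 209.107.96.1.

```python
import ipaddress
# Constructed sample: the conn definitions quoted in the thread, minus the
# "(default gateway of my isp)" remark so every parameter is key=value.
SAMPLE_CONF = """\
conn %default
   left=209.107.110.181
   leftsubnet=192.168.1.0/24
   leftnexthop=207.107.96.1

conn vpn
   right=209.107.104.142
   rightsubnet=192.168.0.0/24
   rightnexthop=209.107.96.1
"""
# External network both gateways sit on, per the quoted 'route -n' (209.107.96.0, genmask 255.255.240.0).
EXT_NET = "209.107.96.0/20"
def parse_ipsec_conf(text):
    """{section: {key: value}}; headers at column 0, parameters indented key=value."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip(): continue
        if not line[0].isspace():             # 'conn NAME' or 'config setup'
            current = line.split(None, 1)[1].strip()
            sections[current] = {}
        else:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def conn_params(sections, name):
    """Every conn inherits the parameters given under 'conn %default'."""
    merged = dict(sections.get("%default", {}))
    merged.update(sections[name])
    return merged

def check_conn(params, ext_net):
    """List problems with a subnet-to-subnet conn; a nexthop must lie inside ext_net."""
    ext, problems, subnets = ipaddress.ip_network(ext_net), [], {}
    for side in ("left", "right"):
        subnets[side] = ipaddress.ip_network(params[side + "subnet"])
        nexthop = ipaddress.ip_address(params[side + "nexthop"])
        if nexthop not in ext:
            problems.append(f"{side}nexthop {nexthop} is not on external network {ext}")
    if subnets["left"].overlaps(subnets["right"]):
        problems.append("leftsubnet and rightsubnet overlap")
    return problems
def usable_host(addr, subnet):
    """True if addr is a real host in subnet: not its network (.0) or broadcast (.255)."""
    a, net = ipaddress.ip_address(addr), ipaddress.ip_network(subnet)
    return a in net and a not in (net.network_address, net.broadcast_address)
```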


leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html