After browsing the docs, google and Jean-Francoise's info on tripod, I
still have problems with an environment like this:
                     200.300.400.501
                     nat -> 10.0.0.2
      +-- cisco --- firewall-vpn-gw --- clientnets: 10.{10. 12. 13.}
      |   10.0.0.1  10.0.0.2
      |
      +---------- clientnet-vpn-gw ----- testclient
      20.30.40.51  10.15.0.1             10.15.0.5
Actually, three remote locations need access to subnets behind
firewall-vpn-gw; I just didn't see the need for showing a complete
setup.
If the ascii art is a bit unclear, let me verbalize:
The Cisco 1600 NAT's 200.300.400.501 -> 10.0.0.2, the IP for
firewall-vpn-gw, which then masquerades the internal segments.
Clientnet-vpn-gw doesn't have a router in front; it's an ADSL connection
without a router, so it masq's 20.30.40.51 -> 10.15.0.1.
The tripod IPsec page doesn't deal with a central firewall/ipsec
arrangement having multiple interfaces, in contrast to my
firewall-vpn-gw above.
I need tunnels from 10.15.0.0 to 10.10.0.0, 10.12.0.0 and 10.13.0.0.
My thought is that I can use a number of 'conn' sections, i.e.:
# firewall-vpn-gw :
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up
        uniqueids=yes

conn %default
        keyingtries=0

# H8 firewall are located behind a NAT router
# H26 firewall has direct dsl connection, no router
conn H26-H8-net10
        left=20.30.40.51/16
        leftsubnet=10.15.0.0/16
        leftnexthop=
        right=%defaultroute
        rightsubnet=10.10.0.0/16
        rightnexthop=
        auto=start
        authby=rsasig
        leftid=@domainname
        rightid=@domainname
        leftrsasigkey=0s----
        rightrsasigkey=0s----

conn H26-H8-net12
        :
        rightsubnet=10.12.0.0/16
        :

conn H26-H8-net13
        :
        rightsubnet=10.13.0.0/16
        :
I can send a complete barf from either vpn-gw to those wanting it.
Here's a tail of one of them, showing my problem (real IP#'s changed):
Mar 28 16:32:14 gwh26 ipsec__plutorun: Starting Pluto subsystem...
Mar 28 16:32:15 gwh26 Pluto[3896]: Starting Pluto (FreeS/WAN Version 1.96)
Mar 28 16:32:15 gwh26 Pluto[3896]: added connection description "H26-H8-net10"
Mar 28 16:32:16 gwh26 Pluto[3896]: added connection description "H26-H8-net12"
Mar 28 16:32:16 gwh26 Pluto[3896]: added connection description "H26-H8-net13"
Mar 28 16:32:17 gwh26 Pluto[3896]: listening for IKE messages
Mar 28 16:32:17 gwh26 Pluto[3896]: adding interface ipsec0/eth0 20.30.40.51
Mar 28 16:32:17 gwh26 Pluto[3896]: loading secrets from "/etc/ipsec.secrets"
Mar 28 16:32:17 gwh26 Pluto[3896]: "H26-H8-net10" #1: initiating Main Mode
Mar 28 16:32:35 gwh26 Pluto[3896]: packet from 200.300.400.501:500: initial Main Mode message received on 80.63.233.164:500 but no connection has been authorized
Mar 28 16:45:05 gwh26 Pluto[3896]: packet from 200.300.400.501:500: initial Main Mode message received on 20.30.40.51:500 but no connection has been authorized
Mar 28 16:45:27 gwh26 Pluto[3896]: "H26-H8-net10" #1: max number of retransmissions (20) reached STATE_MAIN_I1. No acceptable response to our first IKE message
Mar 28 16:45:27 gwh26 Pluto[3896]: "H26-H8-net10" #1: starting keying attempt 2 of an unlimited number, but releasing whack
Mar 28 16:45:27 gwh26 Pluto[3896]: "H26-H8-net10" #2: initiating Main Mode to replace #1
Mar 28 16:45:45 gwh26 Pluto[3896]: packet from 200.300.400.501:500: initial Main Mode message received on 20.30.40.51:500 but no connection has been authorized
Mar 28 16:58:14 gwh26 Pluto[3896]: packet from 200.300.400.501:500: initial Main Mode message received on 20.30.40.51:500 but no connection has been authorized
Mar 28 16:58:37 gwh26 Pluto[3896]: "H26-H8-net10" #2: max number of retransmissions (20) reached STATE_MAIN_I1. No acceptable response to our first IKE message
Mar 28 16:58:37 gwh26 Pluto[3896]: "H26-H8-net10" #2: starting keying attempt 3 of an unlimited number
Mar 28 16:58:37 gwh26 Pluto[3896]: "H26-H8-net10" #3: initiating Main Mode to replace #2
Mar 28 16:58:54 gwh26 Pluto[3896]: packet from 200.300.400.501:500: initial Main Mode message received on 20.30.40.51:500 but no connection has been authorized
It's RH6.2/2.2.20, FreeS/WAN 1.96, and I'm using ipchains with rules
allowing udp 500, proto 50 and 51.
As part of my firewall setup, I have a test-script allowing anything +
masquerading internal nets. Even using that doesn't change a bit.
And yes, rp_filter is set to "0", and ip_forward is set to "1".
Comments are more than welcome...
--
Regards,
Mr Dev - Mogens Valentin
http://www.mrdev.com - mrdev_at_danbbs.dk
OpenSource Security - Networking - Programming
Looking for a 2-3 room apartment, preferably from 1 March
Renovation work can be offered to some extent
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:47 CEST
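A check for the "no connection has been authorized" lines in the post above, added here as an example; it is not part of the original message or of FreeS/WAN. It parses conn sections with the conn %default inheritance the posted config relies on, from a constructed fragment modelled on that config, resolves %defaultroute to the local address Pluto logged (an assumption about how to model it), and reports which conns name the refused peer as a left or right endpoint.

```python
import re

# Constructed ipsec.conf fragment modelled on the post (not the author's file).
# FreeS/WAN requires parameters to be indented under their section header.
IPSEC_CONF = """\
conn %default
    authby=rsasig
conn H26-H8-net10
    left=20.30.40.51
    leftsubnet=10.15.0.0/16
    right=%defaultroute
    rightsubnet=10.10.0.0/16
"""
# Constructed Pluto log line in the format shown in the post.
PLUTO_LOG = ["Mar 28 16:45:05 gwh26 Pluto[3896]: packet from 200.300.400.501:500: "
             "initial Main Mode message received on 20.30.40.51:500 but no "
             "connection has been authorized"]
UNAUTH_RE = re.compile(r"packet from (?P<peer>[\d.]+):\d+: initial Main Mode message "
                       r"received on (?P<local>[\d.]+):\d+ but no connection has been authorized")

def parse_conns(text):
    """Return {name: {param: value}} with 'conn %default' values inherited."""
    sections, current = {}, None
    for line in text.splitlines():
        body = line.split("#", 1)[0].rstrip()
        if not body:
            continue
        if not line[0].isspace():  # unindented line: a section header such as "conn NAME"
            kind, _, name = body.partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
            continue
        key, _, value = body.strip().partition("=")
        current[key.strip()] = value.strip()
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **params} for (kind, name), params in sections.items()
            if kind == "conn" and name != "%default"}

def endpoints(conn, local_addr):
    """left/right as concrete addresses; %defaultroute is modelled as the local gateway."""
    return {conn.get(side, "").replace("%defaultroute", local_addr) for side in ("left", "right")}

def check_unauthorized(log_lines, conf_text):
    """Map each peer Pluto refused to the conns naming it as an endpoint (empty: none can match)."""
    conns = parse_conns(conf_text)
    report = {}
    for line in log_lines:
        m = UNAUTH_RE.search(line)
        if m:
            peer, local = m.group("peer"), m.group("local")
            report[peer] = [n for n, c in conns.items() if peer in endpoints(c, local)]
    return report
```

An empty list for a peer means no conn could authorize it regardless of firewall rules, which separates a policy mismatch from the ipchains and NAT questions raised in the post.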