It looks like you're sending SYN packets but never receiving an ACK. My
guess would be that the internal device does not know how to get to
192.168.201.0/24 or it does know but it knows wrongly, i.e., some router is
sending the packets to some other path. Hope this helps - John
> John A. Sullivan III
> Group Technology Director
> Nexus Management
> +1 207-985-7880
-----Original Message-----
From: Martin Edward John Waller [mailto:martin.waller_at_flomerics.co.uk]
Sent: Tuesday, April 23, 2002 5:25 AM
To: users_at_lists.freeswan.org; users_at_lists.debian.org
Subject: [Users] desperate for help! freeswan attempt: can exchange keys but no access to other net after! (long)
Hi,
I'm trying to connect to a private network at work from home using FreeSwan. I can exchange keys, but cannot access anything (only telnet and X are enabled at the work end).
I'm stumped and our sysadmin can't work out where the problem is either. I'm guessing there's some routing problem, but unless I can fix the problem I'll have to give up as I've hit a brick wall.
Here's my setup at home:
I have a Debian woody machine with kernel 2.2.19 and FreeSwan 1.96. I have set up a private subnet (192.168.201.*) with the woody box as a firewall (192.168.201.1 - nymphalis) with masquerading enabled using ipchains. Behind this sits a win95 machine (yeah, yeah - if I can get FreeSwan to work I can dump it and put a proper OS on it!) (192.168.201.5 - apatura).
I have a static IP from my ISP which, to protect the innocent, I'll call aaa.bbb.ccc.ddd.
Once dialled up and freeswan started, I can exchange keys (using ike), but cannot telnet to the other network at work. Other internet access from both machines at home is fine (i.e., masquerading is working).
However:
Here's tcpdump on 192.168.201.1 for eth0 and ppp0 after key exchange when trying to telnet from the win95 machine to a machine at work (192.168.201.5 -> 192.168.0.201):
nymphalis:/home/polytope# tcpdump -vvv
tcpdump: listening on eth0
23:33:08.520568 apatura.polytope.org.1038 > 192.168.0.201.telnet: S [tcp sum ok] 2204831:2204831(0) win 8192 <mss 1460> (DF) (ttl 32, id 32512, len 44)
23:33:11.751101 apatura.polytope.org.1038 > 192.168.0.201.telnet: S [tcp sum ok] 2204831:2204831(0) win 8192 <mss 1460> (DF) (ttl 32, id 32768, len 44)
23:33:18.340586 apatura.polytope.org.1038 > 192.168.0.201.telnet: S [tcp sum ok] 2204831:2204831(0) win 8192 <mss 1460> (DF) (ttl 32, id 33024, len 44)
23:33:31.519589 apatura.polytope.org.1038 > 192.168.0.201.telnet: S [tcp sum ok] 2204831:2204831(0) win 8192 <mss 1460> (DF) (ttl 32, id 33280, len 44)
nymphalis:/home/polytope# tcpdump -vvv -i ppp0
tcpdump: listening on ppp0
23:33:08.524972 aaa.bbb.ccc.ddd.1025 > 212.46.128.1.domain: [udp sum ok] 27875+ PTR? 201.0.168.192.in-addr.arpa. [|domain] (ttl 64, id 58, len 72)
23:33:08.689275 212.46.128.1.domain > aaa.bbb.ccc.ddd.1025: 27875 NXDomain* q: PTR? 201.0.168.192.in-addr.arpa. 0/1/0 ns: 168.192.in-addr.arpa. (141) (ttl 63, id 27756, len 169)
My ipsec.conf is attached - the connection 'me-flo' is the one I want to work!:
ipsec eroute:
nymphalis:/home/polytope# ipsec eroute
0 192.168.201.0/24 -> 192.168.0.0/24 => tun0x1002@194.216.251.1
0 aaa.bbb.ccc.ddd/32 -> 194.216.251.1/32 => tun0x1004@194.216.251.1
nymphalis:/home/polytope#
ipsec whack --status:
nymphalis:/home/polytope# ipsec whack --status
000 interface ipsec0/ppp0 aaa.bbb.ccc.ddd
000
000 "me-fw1": aaa.bbb.ccc.ddd---212.46.128.11...194.216.251.254---194.216.251.1
000 "me-fw1": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "me-fw1": policy: PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK; interface: ppp0; erouted
000 "me-fw1": newest ISAKMP SA: #0; newest IPsec SA: #3; eroute owner: #3
000 "me-flo": 192.168.201.0/24===aaa.bbb.ccc.ddd---212.46.128.11...194.216.251.254---194.216.251.1===192.168.0.0/24
000 "me-flo": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "me-flo": policy: PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK; interface: ppp0; erouted
000 "me-flo": newest ISAKMP SA: #1; newest IPsec SA: #2; eroute owner: #2
000
000 #3: "me-fw1" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27826s; newest IPSEC; eroute owner
000 #3: "me-fw1" esp.1bf65f8a@194.216.251.1 esp.f9589c10@aaa.bbb.ccc.ddd tun.1004@194.216.251.1 tun.1003@aaa.bbb.ccc.ddd
000 #2: "me-flo" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27296s; newest IPSEC; eroute owner
000 #2: "me-flo" esp.1bf65f89@194.216.251.1 esp.f9589c0f@aaa.bbb.ccc.ddd tun.1002@194.216.251.1 tun.1001@aaa.bbb.ccc.ddd
000 #1: "me-flo" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2535s; newest ISAKMP
nymphalis:/home/polytope#
ipsec look:
nymphalis:/home/polytope# ipsec look
nymphalis Wed Apr 17 23:31:20 BST 2002
192.168.201.0/24 -> 192.168.0.0/24 => tun0x1002@194.216.251.1 esp0x1bf65f89@194.216.251.1 (0)
aaa.bbb.ccc.ddd/32 -> 194.216.251.1/32 => tun0x1004@194.216.251.1 esp0x1bf65f8a@194.216.251.1 (0)
ipsec0->ppp0 mtu=16260(1500)->1500
esp0x1bf65f89@194.216.251.1 ESP_3DES_HMAC_MD5: dir=out src=aaa.bbb.ccc.ddd iv_bits=64bits iv=0xcebb7058df0b91e2 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(843,0,0)
esp0x1bf65f8a@194.216.251.1 ESP_3DES_HMAC_MD5: dir=out src=aaa.bbb.ccc.ddd iv_bits=64bits iv=0x97110ff8ad195d55 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(891,0,0)
esp0xf9589c0f@aaa.bbb.ccc.ddd ESP_3DES_HMAC_MD5: dir=in src=194.216.251.1 iv_bits=64bits iv=0xd89cdd03e4c793e1 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(841,0,0)
esp0xf9589c10@aaa.bbb.ccc.ddd ESP_3DES_HMAC_MD5: dir=in src=194.216.251.1 iv_bits=64bits iv=0x095dae69152069cb ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(889,0,0)
tun0x1001@aaa.bbb.ccc.ddd IPIP: dir=in src=194.216.251.1 life(c,s,h)=addtime(841,0,0)
tun0x1002@194.216.251.1 IPIP: dir=out src=aaa.bbb.ccc.ddd life(c,s,h)=addtime(843,0,0)
tun0x1003@aaa.bbb.ccc.ddd IPIP: dir=in src=194.216.251.1 life(c,s,h)=addtime(890,0,0)
tun0x1004@194.216.251.1 IPIP: dir=out src=aaa.bbb.ccc.ddd life(c,s,h)=addtime(891,0,0)
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         212.46.128.11   0.0.0.0         UG      0 0        0 ppp0
192.168.0.0     212.46.128.11   255.255.255.0   UG      0 0        0 ipsec0
194.216.251.1   212.46.128.11   255.255.255.255 UGH     0 0        0 ipsec0
212.46.128.11   0.0.0.0         255.255.255.255 UH      0 0        0 ipsec0
212.46.128.11   0.0.0.0         255.255.255.255 UH      0 0        0 ppp0
nymphalis:/home/polytope#
ipsec barf also attached, but it's big!
Thanks for any help - I am on the verge of giving up!
Martin
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
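An added example, not part of the thread, that automates the reading John gives of the eth0 capture: it re-joins tcpdump records that the mail archive wrapped onto several lines and reports TCP flows whose SYNs were retransmitted but never answered by a SYN-ACK. The sample capture is constructed from the four SYNs posted above plus an invented, answered flow on port 1040 for contrast; the `SAMPLE`, `join_wrapped` and `unanswered_syns` names are mine.

```python
import re
from collections import defaultdict

TS = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
SYN = re.compile(r"^(\S+) (\S+) > (\S+): S (?:\[tcp sum ok\] )?\d+:\d+\(\d+\)( ack \d+)?")

# Constructed sample: the four SYNs from the thread (the first left in the
# archive's wrapped form) plus an invented flow on port 1040 that is answered.
SAMPLE = """\
23:33:08.520568 apatura.polytope.org.1038 >
192.168.0.201.telnet: S [tcp
sum ok] 2204831:2204831(0) win 8192 <mss 1460> (DF) (ttl 32, id 32512, len 44)
23:33:11.751101 apatura.polytope.org.1038 > 192.168.0.201.telnet: S [tcp sum ok] 2204831:2204831(0) win 8192 <mss 1460> (DF) (ttl 32, id 32768, len 44)
23:33:18.340586 apatura.polytope.org.1038 > 192.168.0.201.telnet: S [tcp sum ok] 2204831:2204831(0) win 8192 <mss 1460> (DF) (ttl 32, id 33024, len 44)
23:33:31.519589 apatura.polytope.org.1038 > 192.168.0.201.telnet: S [tcp sum ok] 2204831:2204831(0) win 8192 <mss 1460> (DF) (ttl 32, id 33280, len 44)
23:34:00.000000 apatura.polytope.org.1040 > 192.168.0.201.telnet: S 1:1(0) win 8192 <mss 1460> (DF)
23:34:00.100000 192.168.0.201.telnet > apatura.polytope.org.1040: S 9:9(0) ack 2 win 8192
"""

def join_wrapped(text):
    """Re-join records a mailer wrapped onto several lines: a line that does
    not start with a timestamp continues the previous record."""
    records = []
    for line in text.splitlines():
        if TS.match(line):
            records.append(line.strip())
        elif records:
            records[-1] += " " + line.strip()
    return records

def seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def unanswered_syns(text):
    """Map (client, server) -> SYN timestamps (s) for handshakes where no
    SYN-ACK ever came back: the far side never replied, or its reply was
    routed somewhere else, which is what the thread's capture shows."""
    syns, answered = defaultdict(list), set()
    for rec in join_wrapped(text):
        m = SYN.match(rec)
        if not m:
            continue
        ts, src, dst, ack = m.groups()
        if ack:                       # SYN-ACK travels server -> client
            answered.add((dst, src))
        else:                         # plain SYN travels client -> server
            syns[(src, dst)].append(seconds(ts))
    return {flow: t for flow, t in syns.items() if flow not in answered}
```

Calling `unanswered_syns(SAMPLE)` returns only the port-1038 flow with its four SYN times, which is the "SYN sent, nothing back" pattern John points at; the answered port-1040 flow is filtered out.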
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:53 CEST