IPv6 readyNote: This archive passes through spamassassin. Every mail marked with the subject "*****SPAM*****" has exceed a certain threshold of spam-like behaviour.

Re: [Users] Network <-> Network VPN Problems: Help Please

From: dapunk (dapunk_at_sskid.org)
Date: Fri May 24 2002 - 20:29:01 CEST

Ok,

It looks like both gateways are making a connection now, but I still
cant ping one subnet from another. I wanna be able to ping 192.168.10.20
from 192.168.20.20.

Here are my new config, and log files.

#########################################################################################
IPSEC.CONF:

config setup
        interfaces="%defaultroute"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=0

conn datacenter-anywhere
        left=209.xxx.xxx.245
        leftsubnet=192.168.10.0/24
        right=209.xxx.xxx.246
        rightsubnet=192.168.20.0/24
        auto=add

#########################################################################################
IPSEC.SECRETS:
209.123.216.245 209.123.216.246 : PSK "INSERT SECRET KEY"

#########################################################################################
And here is my IPTABLES config (firewall.sh):

#!/bin/sh

echo "0" > /proc/sys/net/ipv4/ip_forward

#-----------------------------------------------------------------
# Flushing the chains.
iptables -F
iptables -t nat -F
iptables -X
iptables -Z # zero all counters

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow local device trafic
iptables -A OUTPUT -p ALL -o lo -j ACCEPT
iptables -A OUTPUT -p ALL -o eth0 -j ACCEPT

# NAT Stuff
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ipsec+ -j MASQUERADE

iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

# We would like to ask for names from our floppyfw box
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Keep state.
#
iptables -A FORWARD -m state --state NEW -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,INVALID -i eth0 -j DROP

# Ping and friends.
iptables -A OUTPUT -p icmp -j ACCEPT # to both sides.
iptables -A INPUT -p icmp -j ACCEPT

# And also, DHCP, but we can basically accept anything from the inside.
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

#-----------------------------------------------------------------
# Allow IPsec
# IKE negotiations
iptables -A INPUT -p udp -i eth0 --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp -o eth0 --sport 500 --dport 500 -j ACCEPT

# ESP encrypton and authentication
iptables -A INPUT -p 50 -i eth0 -j ACCEPT
iptables -A OUTPUT -p 50 -o eth0 -j ACCEPT

# AH authentication header
iptables -A INPUT -p 51 -j ACCEPT
iptables -A OUTPUT -p 51 -j ACCEPT

echo 7 > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

#########################################################################################
/var/log/messages <--- On The DataCenter Gateway (209.xxx.xxx.245)

May 24 12:58:20 syslogd 1.4-0: restart. ( Nothing usefull)

#########################################################################################
/var/log/secure <--- On The DataCenter Gateway (209.xxx.xxx.245)

May 24 13:02:36 BrunoWall Pluto[418]: "datacenter-anywhere" #1:
responding to Main Mode
May 24 13:02:36 BrunoWall Pluto[418]: "datacenter-anywhere" #1: sent
MR3, ISAKMP SA established
May 24 13:02:36 BrunoWall Pluto[418]: "datacenter-anywhere" #2:
responding to Quick Mode
May 24 13:02:37 BrunoWall Pluto[418]: "datacenter-anywhere" #2: IPsec SA
established
May 24 13:03:03 BrunoWall Pluto[418]: "datacenter-anywhere" #3:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
May 24 13:03:03 BrunoWall Pluto[418]: "datacenter-anywhere" #3: sent
QI2, IPsec SA established

#########################################################################################
ipsec look <--- On The DataCenter Gateway (209.xxx.xxx.245)

BrunoWall Fri May 24 13:22:08 UTC 2002
192.168.10.0/24 -> 192.168.20.0/24 => tun0x1004_at_209.xxx.xxx.246
esp0x16d5c019_at_209.xxx.xxx.246 (0)
ipsec0->eth0 mtu=16260(1500)->1500
esp0x16d5c018_at_209.xxx.xxx.246 ESP_3DES_HMAC_MD5: dir=out
src=209.xxx.xxx.245 iv_bits=64bits iv=0x3e8ab0b4ae571219 ooowin=64
alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(280,0,0)
esp0x16d5c019_at_209.xxx.xxx.246 ESP_3DES_HMAC_MD5: dir=out
src=209.xxx.xxx.245 iv_bits=64bits iv=0xd8c418d455767b2d ooowin=64
alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(307,0,0)
esp0x601ddbe_at_209.xxx.xxx.245 ESP_3DES_HMAC_MD5: dir=in
src=209.xxx.xxx.246 iv_bits=64bits iv=0x7a71d0b1a1db4d30 ooowin=64
alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(280,0,0)
esp0x601ddbf_at_209.xxx.xxx.245 ESP_3DES_HMAC_MD5: dir=in
src=209.xxx.xxx.246 iv_bits=64bits iv=0x5f7cd189593ae129 ooowin=64
alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(307,0,0)
tun0x1001_at_209.xxx.xxx.245 IPIP: dir=in src=209.xxx.xxx.246
life(c,s,h)=addtime(280,0,0)
tun0x1002_at_209.xxx.xxx.246 IPIP: dir=out src=209.xxx.xxx.245
life(c,s,h)=addtime(280,0,0)
tun0x1003_at_209.xxx.xxx.245 IPIP: dir=in src=209.xxx.xxx.246
life(c,s,h)=addtime(307,0,0)
tun0x1004_at_209.xxx.xxx.246 IPIP: dir=out src=209.xxx.xxx.245
life(c,s,h)=addtime(307,0,0)
Destination Gateway Genmask Flags MSS Window irtt
Iface
0.0.0.0 209.xxx.xxx.225 0.0.0.0 UG 40 0 0
eth0
192.168.20.0 209.xxx.xxx.246 255.255.255.0 UG 40 0 0
ipsec0
209.xxx.xxx.224 0.0.0.0 255.255.255.224 U 40 0 0
eth0
209.xxx.xxx.224 0.0.0.0 255.255.255.224 U 40 0 0
ipsec0

#########################################################################################
/var/log/messages <--- On The "Anywhere" Gateway (209.xxx.xxx.246)

May 24 14:02:31 BrunoWall dhcpd: DHCPDISCOVER from 00:80:c7:a5:d2:4c via
eth1
May 24 14:02:32 BrunoWall dhcpd: DHCPOFFER on 192.168.20.20 to
00:80:c7:a5:d2:4c via eth1
May 24 14:02:32 BrunoWall dhcpd: DHCPDISCOVER from 00:80:c7:a5:d2:4c via
eth1
May 24 14:02:33 BrunoWall dhcpd: DHCPOFFER on 192.168.20.20 to
00:80:c7:a5:d2:4c via eth1
May 24 14:02:33 BrunoWall dhcpd: DHCPREQUEST for 192.168.20.20 from
00:80:c7:a5:d2:4c via eth1
May 24 14:02:33 BrunoWall dhcpd: DHCPACK on 192.168.20.20 to
00:80:c7:a5:d2:4c via eth1

#########################################################################################
/var/log/secure <--- On The "Anywhere" Gateway (209.xxx.xxx.246)

May 24 14:03:35 BrunoWall Pluto[419]: "datacenter-anywhere" #1:
initiating Main Mode
May 24 14:03:35 BrunoWall Pluto[419]: "datacenter-anywhere" #1: ISAKMP
SA established
May 24 14:03:35 BrunoWall Pluto[419]: "datacenter-anywhere" #2:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
May 24 14:03:36 BrunoWall Pluto[419]: "datacenter-anywhere" #2: sent
QI2, IPsec SA established
May 24 14:04:02 BrunoWall Pluto[419]: "datacenter-anywhere" #3:
responding to Quick Mode
May 24 14:04:02 BrunoWall Pluto[419]: "datacenter-anywhere" #3: IPsec SA
established

#########################################################################################
ipsec look <--- On The "Anywhere" Gateway (209.xxx.xxx.246)

BrunoWall Fri May 24 14:18:07 UTC 2002
192.168.20.0/24 -> 192.168.10.0/24 => tun0x1004_at_209.xxx.xxx.245
esp0x601ddbf_at_209.xxx.xxx.245 (0)
ipsec0->eth0 mtu=16260(1500)->1500
esp0x16d5c018_at_209.xxx.xxx.246 ESP_3DES_HMAC_MD5: dir=in
src=209.xxx.xxx.245 iv_bits=64bits iv=0xc8c090f5aa77caf8 ooowin=64
alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(130,0,0)
esp0x16d5c019_at_209.xxx.xxx.246 ESP_3DES_HMAC_MD5: dir=in
src=209.xxx.xxx.245 iv_bits=64bits iv=0x3a6dd2284e4e8732 ooowin=64
alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(156,0,0)
esp0x601ddbe_at_209.xxx.xxx.245 ESP_3DES_HMAC_MD5: dir=out
src=209.xxx.xxx.246 iv_bits=64bits iv=0xf1d2411e31bb625e ooowin=64
alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(130,0,0)
esp0x601ddbf_at_209.xxx.xxx.245 ESP_3DES_HMAC_MD5: dir=out
src=209.xxx.xxx.246 iv_bits=64bits iv=0xbbec1227955326bd ooowin=64
alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(156,0,0)
tun0x1001_at_209.xxx.xxx.246 IPIP: dir=in src=209.xxx.xxx.245
life(c,s,h)=addtime(130,0,0)
tun0x1002_at_209.xxx.xxx.245 IPIP: dir=out src=209.xxx.xxx.246
life(c,s,h)=addtime(130,0,0)
tun0x1003_at_209.xxx.xxx.246 IPIP: dir=in src=209.xxx.xxx.245
life(c,s,h)=addtime(156,0,0)
tun0x1004_at_209.xxx.xxx.245 IPIP: dir=out src=209.xxx.xxx.246
life(c,s,h)=addtime(156,0,0)
Destination Gateway Genmask Flags MSS Window irtt
Iface
0.0.0.0 209.xxx.xxx.225 0.0.0.0 UG 40 0 0
eth0
192.168.10.0 209.xxx.xxx.245 255.255.255.0 UG 40 0 0
ipsec0
209.xxx.xxx.224 0.0.0.0 255.255.255.224 U 40 0 0
eth0
209.xxx.xxx.224 0.0.0.0 255.255.255.224 U 40 0 0
ipsec0

#########################################################################################

Thanks much for help :-)

-DaPunk

On Fri, 2002-05-24 at 13:18, Sam Sgro wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> On Fri, 24 May 2002, dapunk wrote:
>
> > conn datacenter-anywhere
> > left=209.1xx.xxx.xxx # Ext IP of Datacenter(static)
> > leftsubnet=192.168.10.0/24 # Datacenter Subnet
> > right=%any # Any machine can try to connect
> > rightsubnet=192.168.20.0/24 # Subnet of first Client Gateway
>
> Given your setup, do not use right=%any. Instead, make 3 connections,
> one for each gateway in question; otherwise, how would FreeS/WAN know
> which subnet is behind which gateway?
>
> > auth=ah # Authenication
>
> Is there a reason why you're trying to specify the authentication method
> as AH? ESP is the default value here, and can do both authentication and
> encryption; and, given that you're trying to connect FreeS/WAN-FreeS/WAN
> connections here, why bother using anything else? ESP with AH
> authentication is arguably no better than ESP doing its own
> authentication. See doc/ipsec.html for more info.
>
> > conn datacenter-anywhere
> > left=209.1xx.xxx.xxx # Ext IP of Datacenter(static)
> > leftsubnet=192.168.10.0/24 # Datacenter Subnet
> > right=%defaultroute # Any machine can try to connect
> > rightsubnet=192.168.20.0/24 # Subnet of first Client Gateway
> > auth=ah # Authenication
> > auto=start
>
>
> right="itsIP"
> right subnet="subnet"
> Leave auth blank.
>
> > #-----------------------------------------------------------------
> >
> >
> > Both the Datacenter and Client ipsec.secrets look the same:
> > 209.1xx.xxx.xxx 0.0.0.0 "insert long secret string here and stuff"
>
> Use the explicit IPs of each machine.
>
> Sam Sgro
> sam_at_freeswan.org
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3ia
> Charset: noconv
> Comment: For the matching public key, finger the Reply-To: address.
>
> iQCVAwUBPO517kOSC4btEQUtAQF5kQQAr+5eUAvOWxC+UpIsSndCG96t+rAGhD6A
> aTO15h9POjPgAeZiezMPxTmESQy8LePEiZfryDS5OdSJrVorlN1YAnO4Uiad3yMJ
> WJVSBiiRYoLeGqVQnkZYbfsVN8bjiyxg2HD8UsZv6PPBugcfIBlpGK8Jof+hK/Oa
> AgHwvyi/aMg=
> =GNqB
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
>

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users

This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:06 CEST