
[Users] vpn tunnel behind and through corporate firewall

From: Kai McBride (kmc_at_techsquare.com)
Date: Fri Jun 07 2002 - 17:06:47 CEST


hello freeS/WAN users,

I want to setup a tunnel from a freeS/WAN box behind our
corporate firewall to a cisco1720 at another location
outside the firewall. Here's the layout:

                  ____________
[192.168.1.0/24]--| cisco1720  |--------\
                  | w/IPSec    |        |
                  | 199.X.X.69 |        |
                  --------------        I
                                        N
                                        T
                                        E
                                        R
                                        N
                                        E
                                        T
                                        |
                                        |
  ________________     ______________   |
 | freeS/WAN host |   | Corp router  |  |
 | 172.16.10.10   |---| NAT/FIREWALL |--/
 |________________|   | X.X.X.64     |
                      |______________|

The good news is I have a working freeS/WAN connection peer to peer
with the cisco 1720 when I'm outside the firewall.
Unfortunately, I'm having IKE failures when I try from behind the firewall.

I don't have access to the Corporate router, but the
network admins claim they have modified it to allow
IPSec traffic to flow. The router NATs all outgoing
traffic to show up from one external IP address.
I've used that address as my peer setting on the Cisco.
There is no one-to-one NAT from external to internal machines.

I've set up the freeS/WAN host like this:

config setup
        interfaces="ipsec0=eth0"
        klipsdebug=all
        plutodebug=all
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=0
        disablearrivalcheck=no

conn cisco
        left=172.16.10.10
        leftnexthop=172.16.1.1
        right=199.X.X.69
        rightsubnet=192.168.1.0/24
        auto=start
        keyexchange=ike
        authby=secret
        keyingtries=20
        

I'm hoping that the corporate router passes all
isakmp/ipsec traffic back and forth to the internal host.
But I'm not sure this is the case. I'm suspecting that
the key exchange is failing because the cisco attempts
to directly exchange information with the corp router
and the router gets confused.

Following the negotiations as outlined in the Cisco VPN
documentation, this is what I'm seeing:
Phase 1 of the IKE exchange successfully negotiates the
protocols "use 3des and md5" , and they even validate
the shared key. But it fails in Phase 2 immediately after
the IPSEC SA is established and goes into "Quick Mode".

I'm not even sure if this _can_ work. Will more magic
need to be done at the corp router?

thank you,

-kmc

-- 
Kai McBride  |  http://www.mumbleBunnies.org  |  mailto:kmc_at_techsquare.com
GnuPG Fingerprint:      C00D ADFC 7D13 8C08 FEBF  CA6A 3B4F 19CA FBCD D110 
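The post describes a tunnel that completes IKE Phase 1 (Main Mode) and then stalls in Phase 2 (Quick Mode) once the freeS/WAN host sits behind a many-to-one NAT. The following script is an example added to this archive page, not code from the poster or from the FreeS/WAN project. It decodes the fixed ISAKMP header defined in RFC 2408 (exchange-type numbers per RFC 2409), walks a constructed packet trace, and reports how far the negotiation got and why a tunnel through this kind of NAT is likely to stop there. The trace, the 172.16.10.10 local address and the 198.51.100.69 peer (a placeholder standing in for the post's 199.X.X.69) are all constructed to mirror the diagram above; `stage_tunnel` and `constructed_trace` are names chosen for this example.

```python
"""Stage a constructed IKEv1/ESP packet trace to see where a tunnel through a
many-to-one NAT stalls. Example added to this archive page; not the poster's code.
Assumes the ISAKMP fixed header of RFC 2408 and the exchange-type numbers of
RFC 2409. Addresses are constructed: 172.16.10.10 is the freeS/WAN host from
the post, 198.51.100.69 is a placeholder for the post's 199.X.X.69 Cisco peer."""
import ipaddress
import struct
from collections import Counter

# ISAKMP fixed header (28 bytes): initiator cookie, responder cookie, next
# payload, version (major<<4 | minor), exchange type, flags, message ID, length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
MAIN_MODE, AGGRESSIVE, INFORMATIONAL, QUICK_MODE = 2, 4, 5, 32
FLAG_ENCRYPTED = 0x01
IPPROTO_UDP, IPPROTO_ESP = 17, 50
ISAKMP_PORT = 500
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_isakmp(exchange, msgid, flags=0, icookie=b"\x11" * 8, rcookie=b"\x22" * 8):
    """Construct a minimal ISAKMP datagram; 16 zero bytes stand in for the payloads."""
    body = b"\x00" * 16
    return ISAKMP_HDR.pack(icookie, rcookie, 1, 0x10, exchange, flags, msgid,
                           ISAKMP_HDR.size + len(body)) + body


def parse_isakmp(payload):
    """Decode the fixed header; reject truncated or length-inconsistent datagrams."""
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    ic, rc, _nxt, ver, exch, flags, msgid, length = ISAKMP_HDR.unpack_from(payload)
    if length != len(payload):
        raise ValueError("ISAKMP length field disagrees with datagram size")
    return {"icookie": ic, "rcookie": rc, "version": (ver >> 4, ver & 0xF),
            "exchange": exch, "encrypted": bool(flags & FLAG_ENCRYPTED), "msgid": msgid}


def stage_tunnel(trace, local, peer):
    """Classify a trace of (src, dst, ipproto, dport, payload) tuples.

    Returns (stage, notes). Stages in order of progress: 'no-ike',
    'phase1-incomplete', 'phase2-not-started', 'phase2-stalled',
    'no-esp-from-peer', 'tunnel-up'.
    """
    mm, qm, esp = Counter(), Counter(), Counter()   # packets per direction
    info_from_peer = 0
    for src, dst, proto, dport, payload in trace:
        direction = "out" if src == local else "in"
        if proto == IPPROTO_ESP:
            esp[direction] += 1
        elif proto == IPPROTO_UDP and dport == ISAKMP_PORT:
            hdr = parse_isakmp(payload)
            if hdr["exchange"] in (MAIN_MODE, AGGRESSIVE):
                mm[direction] += 1
            elif hdr["exchange"] == QUICK_MODE:
                qm[direction] += 1
            elif hdr["exchange"] == INFORMATIONAL and direction == "in":
                info_from_peer += 1
    notes = []
    lip, pip = ipaddress.ip_address(local), ipaddress.ip_address(peer)
    if any(lip in n for n in RFC1918) and not any(pip in n for n in RFC1918):
        notes.append("local endpoint is an RFC 1918 address: the peer sees the NAT's "
                     "public address, not the value configured as left=")
    if not mm:
        return "no-ike", notes
    # Main Mode is three round trips; fewer packets in either direction means phase 1 never finished.
    if mm["out"] < 3 or mm["in"] < 3:
        return "phase1-incomplete", notes
    if not qm["out"]:
        return "phase2-not-started", notes
    if not qm["in"]:
        if info_from_peer:
            notes.append("peer answered Quick Mode only with an Informational exchange")
        return "phase2-stalled", notes
    if not esp["in"]:
        notes.append("ESP (IP protocol 50) carries no port numbers, so a many-to-one NAT "
                     "has nothing to map returning ESP back to the inner host")
        return "no-esp-from-peer", notes
    return "tunnel-up", notes


def constructed_trace(local="172.16.10.10", peer="198.51.100.69"):
    """Constructed trace mirroring the post: Main Mode completes, Quick Mode gets no reply."""
    t = []
    for i in range(6):  # six Main Mode messages; messages 5 and 6 are encrypted
        src, dst = (local, peer) if i % 2 == 0 else (peer, local)
        flags = FLAG_ENCRYPTED if i >= 4 else 0
        t.append((src, dst, IPPROTO_UDP, ISAKMP_PORT, build_isakmp(MAIN_MODE, 0, flags)))
    t.append((local, peer, IPPROTO_UDP, ISAKMP_PORT, build_isakmp(QUICK_MODE, 0x1234, FLAG_ENCRYPTED)))
    t.append((peer, local, IPPROTO_UDP, ISAKMP_PORT, build_isakmp(INFORMATIONAL, 0x5678, FLAG_ENCRYPTED)))
    return t


if __name__ == "__main__":
    stage, notes = stage_tunnel(constructed_trace(), "172.16.10.10", "198.51.100.69")
    print(stage)
    for note in notes:
        print(" -", note)
```

Run against the constructed trace it reports `phase2-stalled` with two notes: the local endpoint is private, so the identity the Cisco sees does not match `left=`, and the peer replied to Quick Mode only with an Informational exchange. The same staging logic, fed a trace in which Quick Mode completes but no ESP comes back, points at the other limit of a many-to-one NAT: ESP has no port numbers for the router to translate.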




This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:13 CEST