
[Users] Updated road warrior config (firewall section included)

From: Brian (blanda_at_mnsi.net)
Date: Sun Jun 30 2002 - 02:59:27 CEST


IPsec with FreeS/WAN as the server and SSH Sentinel 1.31 as the Windows client

Here is a working config for a road warrior:

1.) I used PSK (or Pre-Shared Secret)

2.) SuSE Linux 8.0 Pro

This is my LAB IPSec setup:

Windows 2000 Pro
IP address 192.168.0.50 or a private address; I have SSH Sentinel loaded on
my Win2K

Linux box (SuSE), FreeS/WAN 1.96 compiled (two NICs)
IP address 192.168.0.45 255.255.255.0 eth0
IP address 10.1.1.1 255.255.255.0 eth1 (10.1.1.0/255.255.255.0)

Windows 98SE computer sitting on the eth1 segment
IP address 10.1.1.2 255.255.255.0
Gateway 10.1.1.1
----------------------------------------------------------------

I had to set up routing on my Linux box; I used this:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -j ACCEPT

-------------------------------------------------------

Firewall on my eth0, or my so-called WAN interface... this also works:

iptables -I INPUT -i eth0 -p udp --sport 67 --dport 68 -j ACCEPT
iptables -I INPUT -i eth0 -p tcp --sport 1024: --dport 1723 -j ACCEPT
iptables -I INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
iptables -I INPUT -i eth0 -p udp --dport 5050 -j ACCEPT
iptables -I INPUT -i eth0 -p esp -j ACCEPT
iptables -I INPUT -i eth0 -p ah -j ACCEPT
iptables -I INPUT -i eth0 -p 47 -j ACCEPT
iptables -P INPUT DROP

----------------------------------------------------------------------------

I was now able to ping from 10.1.1.2 to 192.168.0.50 when I brought up the tunnel.

Here is my IPsec config:

config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=1
        authby=secret

conn tunnel-one
        type=tunnel
        # 192.168.0.45 is my eth0 interface
        left=192.168.0.45
        leftnexthop=
        # 10.1.1.0/255.255.255.0 is my eth1 segment
        leftsubnet=10.1.1.0/255.255.255.0
        # %any is my Windows 2000 Pro box, with SSH Sentinel
        right=%any
        keyexchange=ike
        ikelifetime=240m
        pfs=yes
        keylife=1h
        #rightsubnet=/255.255.255.0
        rightnexthop=
        compress=no
        auto=add

------------------------------------------

Here is my ipsec.secrets config:

192.168.0.45 %any: PSK "junk"

-------------------------------------------

Here is a map of my network:

Win2KPro -----------> Linux (IPsec) ---------------> Windows 98SE
192.168.0.50          192.168.0.45 eth0 (left)      10.1.1.2
road warrior          10.1.1.1     eth1 (right)     gateway 10.1.1.1
                      10.1.1.0     (leftsubnet)

192.168.0.50 could be a DHCP or a private address; I just use that address in my lab. I used an Ethernet crossover cable between my W2K Pro and my Linux box. Remember that you must use the same pre-shared key "junk" when you configure SSH Sentinel. There is a section at the SSH Sentinel site that shows you how to configure SSH Sentinel.

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
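The post pairs an ipsec.conf with the iptables rules that let the tunnel through, and the two have to agree: the INPUT chain must accept IKE (UDP 500) plus ESP and AH, and `right=%any` with `authby=secret` means the single PSK in ipsec.secrets is shared by every road warrior (the secret is chosen by peer address, and `%any` matches them all). The following script is an added example, not code from the post or from the FreeS/WAN project: it parses a FreeS/WAN-style ipsec.conf (with `conn %default` inheritance) and an iptables rule list, both constructed here from the post's values, checks that the firewall admits what IPsec needs, and reports the shared-PSK situation. The parser is deliberately simple (no `include`, no `also=`), and the list of required protocols assumes a gateway without NAT traversal, so UDP 4500 is not checked.

```python
"""Added example: lint a FreeS/WAN road-warrior gateway by comparing its
ipsec.conf with the iptables INPUT rules that protect the WAN interface.
Sample inputs are constructed from the values in the post."""
import shlex

# Constructed sample: the post's ipsec.conf, one parameter per line.
SAMPLE_IPSEC_CONF = """\
config setup
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    keyingtries=1
    authby=secret

conn tunnel-one
    type=tunnel
    left=192.168.0.45
    leftsubnet=10.1.1.0/255.255.255.0
    right=%any
    keyexchange=ike
    ikelifetime=240m
    pfs=yes
    keylife=1h
    compress=no
    auto=add
"""

# Constructed sample: the post's INPUT-chain rules.
SAMPLE_RULES = """\
iptables -I INPUT -i eth0 -p udp --sport 67 --dport 68 -j ACCEPT
iptables -I INPUT -i eth0 -p tcp --sport 1024: --dport 1723 -j ACCEPT
iptables -I INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
iptables -I INPUT -i eth0 -p udp --dport 5050 -j ACCEPT
iptables -I INPUT -i eth0 -p esp -j ACCEPT
iptables -I INPUT -i eth0 -p ah -j ACCEPT
iptables -I INPUT -i eth0 -p 47 -j ACCEPT
iptables -P INPUT DROP
"""

# What a plain IKE/IPsec gateway (no NAT traversal) must accept on its WAN side.
IPSEC_NEEDS = {("udp", "500"), ("esp", None), ("ah", None)}


def parse_ipsec_conf(text):
    """Return {"kind name": {param: value}}; the parameters of 'conn %default'
    are folded into every other conn section, as FreeS/WAN does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented: "config setup" / "conn NAME"
            kind, name = line.split(None, 1)
            current = f"{kind} {name}"
            sections[current] = {}
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip().strip('"')
    default = sections.get("conn %default", {})
    for name in list(sections):
        if name.startswith("conn ") and name != "conn %default":
            sections[name] = {**default, **sections[name]}
    return sections


def parse_input_accepts(text):
    """Return the set of (protocol, dport) pairs the INPUT chain ACCEPTs.
    dport is None for protocols without ports (esp, ah, 47)."""
    accepts = set()
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        if "-j" not in argv or argv[argv.index("-j") + 1] != "ACCEPT":
            continue                               # policy lines, non-ACCEPT rules
        proto = argv[argv.index("-p") + 1] if "-p" in argv else "any"
        dport = argv[argv.index("--dport") + 1] if "--dport" in argv else None
        accepts.add((proto, dport))
    return accepts


def lint(conf_text, rules_text):
    """Return a list of human-readable findings for the gateway."""
    findings = []
    conf = parse_ipsec_conf(conf_text)
    accepts = parse_input_accepts(rules_text)
    for proto, port in sorted(IPSEC_NEEDS - accepts, key=str):
        label = proto if port is None else f"{proto}/{port}"
        findings.append(f"firewall: INPUT chain never accepts {label}")
    for name, conn in conf.items():
        if not name.startswith("conn ") or name == "conn %default":
            continue
        if conn.get("authby") == "secret" and conn.get("right") == "%any":
            findings.append(f"{name}: PSK with right=%any, so every road warrior "
                            "shares the one secret in ipsec.secrets")
        if conn.get("pfs", "yes") != "yes":        # FreeS/WAN defaults pfs to yes
            findings.append(f"{name}: pfs=no disables perfect forward secrecy")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_IPSEC_CONF, SAMPLE_RULES):
        print(finding)
```

Run against the post's own values it reports only the shared-PSK finding, since UDP 500, ESP and AH are all accepted; remove the `-p esp` rule and a firewall finding appears. The DHCP, TCP 1723, UDP 5050 and protocol 47 rules are passed through untouched because they are not part of what IPsec itself requires.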



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:17 CEST