Hello you all,
I have also some major problems, using the _updown script.
maybe someon of you could give me a hint of what
is going wrong:
You will find attatched the entire _updown file....
But here is the Sektion, which makes problems:
down-client:)
NETDEV=100.200.300.400
FW=/usr/sbin/iptables
INTADDR='$FW -L -t nat -n | grep $PLUTO_PEER | cut -d : -f 2 | tail -n 1'
EXTADDR='$FW -L -t nat -n | grep $PLUTO_PEER | cut -d : -f 2 | head -n 1'
if (test $INTADDR = $EXTADDR )
then exit 1
echo Fatal error: $EXTARRD masked to $INTADDR this can't be... >> /var/log/ipsec_down.log
exit 2
else
$FW -D INPUT -p tcp -s $PLUTO_PEER --sport 500 -d $NETDEV --dport 500 -j ACCEPT
$FW -D OUTPUT -p tcp -s $NETDEV --sport 500 -d $PLUTO_PEER --dport 500 -j ACCEPT
$FW -t nat -D POSTROUTING -s $PLUTO_PEER -d 10.0.0.0/8 -j SNAT --to $INTADDR
$FW -t nat -D PREROUTING -d $EXTADDR -j DNAT --to $PLUTP_PEER
fi
;;
WHat I want to to:
I have some roadwarriors comming into a network via ipsec...
But as under Windows p12 key's are vallid for the computer and not user
specified, I have designed a tiny Pre Authentifications Program - far far
away from a Radius Server, but it's doing a quiet good job...
In the case, that the User hast authenticated successfully, my programm
inserts an iptables directive for the authenticated client the way, that
sport 500 - and dport 500 (udp) are opened.... (p50 and 51 are always
opened - as there is no reason for any security leak)...
Also every client is masked to an interial unique IP Adress - this is
needed for a proper routing in LAN and WAN...
So far - so good...
Now we want - if the ipsec connection gets down also reverse the iptables
directives....
This should be finaly done by the client - down section in the _updown
skript... but... it doesn't work out.. here the error messages from the
syslog:
Jul 4 22:44:44 lx02 Pluto[2325]: "roadwarrior-lan" 137.208.99.35 #299: max number of retransmissions (2) reached STATE_Jul 4 22:44:44 lx02 Pluto[2325]:
ERROR: "roadwarrior-lan" 137.208.99.35 #299: pfkey write() of SADB_DELETE message 6172
Jul 4 22:44:44 lx02 Pluto[2325]: | 02 04 00 03 0a 00 00 00 1c 18 00 00 15 09 00 00
Jul 4 22:44:44 lx02 Pluto[2325]: | 02 00 01 00 26 8f c6 c2 00 01 00 00 00 00 00 00
Jul 4 22:44:44 lx02 Pluto[2325]: | 03 00 05 00 00 00 00 00 02 00 01 f4 89 d0 63 23
Jul 4 22:44:44 lx02 Pluto[2325]: | 00 00 00 00 00 00 00 00 03 00 06 00 00 00 00 00
Jul 4 22:44:44 lx02 Pluto[2325]: | 02 00 00 00 c3 3d a1 83 00 00 00 00 00 00 00 00
Result for a Client user:
is I ping from my windows box an ipadress from the lan, then I only get
the "Negotiating IP Security" message...which usualy comes about 3 or 4
times, before the ipsec connection is fully setted up....
Gosh - I think that's all information I have for you.. I realy hope, you
will be able to help me to make this thing work...or at least a reason,
why it doesn't.
Hope, you will help me,
regards,
Felix Joussein
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:18 CEST