
[Users] FreeS/WAN and NAT (secure gateway)

From: Torsten Sorger (torsten.sorger_at_web.de)
Date: Mon Jul 22 2002 - 20:26:31 CEST


Hello,
I am pretty new to this list, but I haven't found a solution to my
problem in the archives or at google:

I have the following setup here:
172.16.0.* <===> 172.16.0.1
                 (dynamic IP) <---> internet

Now my question is whether it is possible to have an IPsec-secured LAN while all
traffic from the router, which does NAT to convert the addresses, to the
internet is unencrypted. I have tried the following setup:
Client:
- pgpnet 'IPSEC Host 172.16.0.1'
- default gateway is 172.16.0.1

Router:
- FreeS/WAN ipsec.conf:
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        plutowait=no
        uniqueids=yes

conn router-laptop
        auto=add
        authby=secret
        type=tunnel
        left=172.16.0.1
        right=172.16.0.10
        keyexchange=ike
        keylife=8h
        keyingtries=1
        pfs=yes
        rekeymargin=9m
        rekeyfuzz=25%

When I try to ping a host in the internet like www.freeswan.org with and
without using ipsec:

with ipsec:
 eth0:
  19:50:56.283843 172.16.0.10 > 195.24.22.215: icmp: echo request
 ppp0:
  19:50:56.284165 213.191.92.58 > 195.24.22.215: icmp: echo request
  19:50:56.388916 195.24.22.215 > 213.191.92.58: icmp: echo reply

without ipsec:
 eth0:
  19:49:45.822774 172.16.0.10 > 195.24.22.215: icmp: echo request
  19:49:45.987775 195.24.22.215 > 172.16.0.10: icmp: echo reply
 ppp0:
  19:49:45.823016 213.191.92.58 > 195.24.22.215: icmp: echo request
  19:49:45.987675 195.24.22.215 > 213.191.92.58: icmp: echo reply

So the client does not use ipsec and on the way back from the internet
the icmp echo reply packet is somehow discarded ...

I have two problems here:
1: I need a setup for FreeS/WAN to use the router as a secure gateway to
the internet (is this possible ?)
2: If not, then I need to fix somehow my routing tables (see below)
because I think that the lost packet when using ipsec is a routing
problem.

Kernel IP routing table (shortened)
Destination     Gateway         Genmask         Flags Iface
10.0.0.1        0.0.0.0         255.255.255.255 UH    eth1
213.191.76.43   0.0.0.0         255.255.255.255 UH    ppp0
172.16.0.10     172.16.0.10     255.255.255.255 UGH   ipsec0
172.16.0.0      0.0.0.0         255.255.255.0   U     eth0
172.16.0.0      0.0.0.0         255.255.255.0   U     ipsec0
10.0.0.0        0.0.0.0         255.0.0.0       U     eth1
0.0.0.0         213.191.76.43   0.0.0.0         UG    ppp0

ppp0      Link encap:Point-to-Point Protocol
          inet addr:213.191.92.58  P-t-P:213.191.76.43  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1

Does anyone have a helping hand for me to get my settings right?

Thanks in advance,
Torsten

------------------------------------------------------------------------
 Torsten Sorger (torsten.sorger_at_web.de)
 PGP Fingerprint: 586E 02B6 DDDE F6EF 315A FB8F 6849 5488 839F D1CD
------------------------------------------------------------------------

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
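The following is an added illustration, not part of Torsten's post or of FreeS/WAN. It takes the routing table and the two tcpdump excerpts exactly as posted and checks two things a reader would want to verify before accepting the routing hypothesis: which route the router would pick for a packet back to 172.16.0.10 (longest-prefix match, where the /32 host route via ipsec0 is more specific than the /24 on eth0), and on which interface an echo request went out without its reply coming back. The tie-break for routes of equal prefix length (first listed entry wins) is an assumption of this script; a real kernel also weighs route metrics.

```python
import ipaddress
import re

# Routing table exactly as posted in the message
# (Destination Gateway Genmask Flags Iface).
ROUTING_TABLE = """\
10.0.0.1 0.0.0.0 255.255.255.255 UH eth1
213.191.76.43 0.0.0.0 255.255.255.255 UH ppp0
172.16.0.10 172.16.0.10 255.255.255.255 UGH ipsec0
172.16.0.0 0.0.0.0 255.255.255.0 U eth0
172.16.0.0 0.0.0.0 255.255.255.0 U ipsec0
10.0.0.0 0.0.0.0 255.0.0.0 U eth1
0.0.0.0 213.191.76.43 0.0.0.0 UG ppp0
"""

# The two tcpdump excerpts from the message: interface header, then packets.
WITH_IPSEC = """\
 eth0:
  19:50:56.283843 172.16.0.10 > 195.24.22.215: icmp: echo request
 ppp0:
  19:50:56.284165 213.191.92.58 > 195.24.22.215: icmp: echo request
  19:50:56.388916 195.24.22.215 > 213.191.92.58: icmp: echo reply
"""

WITHOUT_IPSEC = """\
 eth0:
  19:49:45.822774 172.16.0.10 > 195.24.22.215: icmp: echo request
  19:49:45.987775 195.24.22.215 > 172.16.0.10: icmp: echo reply
 ppp0:
  19:49:45.823016 213.191.92.58 > 195.24.22.215: icmp: echo request
  19:49:45.987675 195.24.22.215 > 213.191.92.58: icmp: echo reply
"""


def parse_routes(text):
    """Turn 'route -n' style lines into (network, gateway, flags, iface) tuples."""
    routes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        dest, gateway, genmask, flags, iface = line.split()
        network = ipaddress.IPv4Network(f"{dest}/{genmask}", strict=False)
        routes.append((network, gateway, flags, iface))
    return routes


def lookup(routes, destination):
    """Longest-prefix match: the most specific matching route wins.

    Assumption (this script, not the kernel): among equally specific routes
    the first listed entry wins, which resolves the duplicate 172.16.0.0/24
    entries in favour of eth0, listed before ipsec0.
    """
    addr = ipaddress.IPv4Address(destination)
    best = None
    for route in routes:
        network = route[0]
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = route
    return best


IFACE_HEADER = re.compile(r"^\s*(\w+):\s*$")
ICMP_LINE = re.compile(
    r"^\s*\S+\s+(\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): icmp: echo (request|reply)\s*$"
)


def parse_capture(text):
    """Parse the interface-labelled tcpdump excerpt into (iface, src, dst, kind)."""
    packets = []
    iface = None
    for line in text.splitlines():
        header = IFACE_HEADER.match(line)
        if header:
            iface = header.group(1)
            continue
        pkt = ICMP_LINE.match(line)
        if pkt:
            src, dst, kind = pkt.groups()
            packets.append((iface, src, dst, kind))
    return packets


def unanswered_requests(packets):
    """Echo requests with no matching reply seen on the same interface.

    This is the asymmetry the message shows: with IPsec the reply arrives on
    ppp0 but is never seen going back out to the client on eth0.
    """
    seen = set(packets)
    return [
        (iface, src)
        for iface, src, dst, kind in packets
        if kind == "request" and (iface, dst, src, "reply") not in seen
    ]


if __name__ == "__main__":
    routes = parse_routes(ROUTING_TABLE)
    for host in ("172.16.0.10", "172.16.0.20", "195.24.22.215"):
        network, gateway, flags, iface = lookup(routes, host)
        print(f"{host:>15} -> {iface:7} via {network} ({flags})")
    print("with ipsec, unanswered:", unanswered_requests(parse_capture(WITH_IPSEC)))
    print("without ipsec, unanswered:", unanswered_requests(parse_capture(WITHOUT_IPSEC)))
```

Run as a script, the lookup shows that a reply addressed to 172.16.0.10 is handed to ipsec0 by the host route, while any other LAN host (172.16.0.20 is used here as a constructed example) still goes out eth0 in the clear; the capture check reports the single unanswered request on eth0 only in the IPsec case.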


