[Users] Routing Problem / all traffic should get through the tunnel / rw / virtual-IP

From: Kevin Gerbracht (kevin_gerbracht_at_hotmail.com)
Date: Wed Jul 31 2002 - 13:47:49 CEST


Hello,

I still have the following situation (using FreeS/WAN 1.98b/X509_0.9.9.13):

  virtual subnet
   |
   |
  Client(RW) 192.168.0.1 / 24 (->Nat=70.0.0.3) <-- virtual IP
     |
     .
     .
     | 192.168.0.2 / 24
Alcatel-VPN-Gate
       | 70.0.0.1 / 24
       |
       x <--
       | 70.0.0.2 / 24
  Router
    | 60.0.0.1 / 24
    |
    |
    |
  Target 60.0.0.2 / 24
                                      x=Network Sniffer

*NAT-Rules on the Client
------------------------
iptables -t nat -A POSTROUTING -s $_ProviderDynIP -d $_RedSubNet -j SNAT \
    --to-source $_LinuxClientVirtIP
iptables -t nat -A PREROUTING -s $_RedSubNet -d $_LinuxClientVirtIP -j DNAT \
    --to-destination $_ProviderDynIP

First, if I remove the router and only use 70.0.0.0/24 as my target network,
then all works fine. But I need to be routed through the complete network
(with the virtual IP), and I only get to point X.

1.. I build the tunnel between the Client and the VPN-Gate.

2.. Then I do NAT on the Client (POSTROUTING/PREROUTING) to get the
Client-IP 70.0.0.3.

3.. The tunnel is up and running. I can ping (from the Client) the
VPN-Gate sides (192. & 70.) and one Router side (70.0.0.2). I can't ping
the Target (60.0.0.2).

4.. The Router has been correctly configured.
The Target can ping all the way to the 70.0.0.1 side on the VPN-Gate.
The VPN-Gate can ping all the way to the 60.0.0.2 Target.

5.. If I "ping 60.0.0.2" (from the Client), I will not see any packets at
point X, because the packets don't get into the tunnel.

A.. What must I do to have all the traffic on the roadwarrior sent through the
tunnel?

What must I do to establish a Client connection to and from the Target
(60.0.0.2)?
There is no route for packets from the Client to the 60.0.0.0/24 network,
but I can't get one established. Can someone give me some tips?

B.. I was advised to try "leftsubnet=0.0.0.0/0" to get all traffic sent
through the tunnel, but then the tunnel will no longer be established. I get
the error messages described under E.. and **.

C.. The VPN-Gate on the other side is an Alcatel VPN gate. I hope this is not
causing the problem. Perhaps there is another way to solve my problem?

D.. Perhaps a "virtual IP" can't be routed? (because of the NAT rules* on the
Client)

E.. What does the following message mean?

"
218 "IpsecLinuxClient" #2: STATE_QUICK_I1: INVALID_ID_INFORMATION
003 "IpsecLinuxClient" #2: peer client ID returned doesn't match my proposal
"

I hope someone can help me.

Kind regards

  Kevin Gerbracht

Kevin_Gerbracht_at_hotmail.com

conn
----
left=192.168.0.2
leftsubnet=70.0.0.0/255.255.255.0
right=192.168.0.1
rightsubnet=70.0.0.3/32

------------------------------------------------------------------------

Route before ipsec
------------------
Ziel            Router          Genmask         Flags Metric Ref Use Iface
192.168.0.0     *               255.255.255.0   U     0      0   0   eth0
127.0.0.0       *               255.0.0.0       U     0      0   0   lo
default         192.168.0.2     0.0.0.0         UG    0      0   0   eth0

Route after ipsec
-----------------
Ziel            Router          Genmask         Flags Metric Ref Use Iface
70.0.0.2        192.168.0.2     255.255.255.0   UG    0      0   0   ipsec0
192.168.0.0     *               255.255.255.0   U     0      0   0   eth0
192.168.0.0     *               255.255.255.0   U     0      0   0   ipsec0
127.0.0.0       *               255.0.0.0       U     0      0   0   lo
default         192.168.0.2     0.0.0.0         UG    0      0   0   eth0

Ipsec eroute
------------
0          70.0.0.3/32        -> 70.0.0.0/24        => tun0x1002@192.168.0.2

** --------- leftsubnet=70.0.0.0/255.255.255.0 ----------------
002 "IpsecLinuxClient" #1: initiating Main Mode
104 "IpsecLinuxClient" #1: STATE_MAIN_I1: initiate
003 "IpsecLinuxClient" #1: ignoring Vendor ID payload
106 "IpsecLinuxClient" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "IpsecLinuxClient" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "IpsecLinuxClient" #1: Peer ID is ID_IPV4_ADDR: '192.168.0.2'
002 "IpsecLinuxClient" #1: ISAKMP SA established
004 "IpsecLinuxClient" #1: STATE_MAIN_I4: ISAKMP SA established
002 "IpsecLinuxClient" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS
112 "IpsecLinuxClient" #2: STATE_QUICK_I1: initiate
002 "IpsecLinuxClient" #2: sent QI2, IPsec SA established
004 "IpsecLinuxClient" #2: STATE_QUICK_I2: sent QI2, IPsec SA established

-------------The barf tells the following---------------
Jul 23 11:01:32 nepthun Pluto[16706]: | our client is 70.0.0.3/32
Jul 23 11:01:32 nepthun Pluto[16706]: | peer client is subnet 70.0.0.0/24
Jul 23 11:01:32 nepthun Pluto[16706]: | ***emit ISAKMP Hash Payload:
Jul 23 11:01:32 nepthun Pluto[16706]: | next payload type: ISAKMP_NEXT_NONE
Jul 23 11:01:32 nepthun Pluto[16706]: | emitting 16 zero bytes of HASH into ISAKMP Hash Payload
Jul 23 11:01:32 nepthun Pluto[16706]: | emitting length of ISAKMP Hash Payload: 20

-------------- leftsubnet=0.0.0.0 -------------------
002 "IpsecLinuxClient" #1: initiating Main Mode
104 "IpsecLinuxClient" #1: STATE_MAIN_I1: initiate
003 "IpsecLinuxClient" #1: ignoring Vendor ID payload
106 "IpsecLinuxClient" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "IpsecLinuxClient" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "IpsecLinuxClient" #1: Peer ID is ID_IPV4_ADDR: '192.168.0.2'
002 "IpsecLinuxClient" #1: ISAKMP SA established
004 "IpsecLinuxClient" #1: STATE_MAIN_I4: ISAKMP SA established
002 "IpsecLinuxClient" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS
112 "IpsecLinuxClient" #2: STATE_QUICK_I1: initiate
003 "IpsecLinuxClient" #2: peer client ID returned doesn't match my proposal
218 "IpsecLinuxClient" #2: STATE_QUICK_I1: INVALID_ID_INFORMATION
003 "IpsecLinuxClient" #2: peer client ID returned doesn't match my proposal
218 "IpsecLinuxClient" #2: STATE_QUICK_I1: INVALID_ID_INFORMATION
010 "IpsecLinuxClient" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
003 "IpsecLinuxClient" #2: peer client ID returned doesn't match my proposal
218 "IpsecLinuxClient" #2: STATE_QUICK_I1: INVALID_ID_INFORMATION
003 "IpsecLinuxClient" #2: peer client ID returned doesn't match my proposal
218 "IpsecLinuxClient" #2: STATE_QUICK_I1: INVALID_ID_INFORMATION
003 "IpsecLinuxClient" #2: peer client ID returned doesn't match my proposal
218 "IpsecLinuxClient" #2: STATE_QUICK_I1: INVALID_ID_INFORMATION
010 "IpsecLinuxClient" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "IpsecLinuxClient" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "IpsecLinuxClient" #2: starting keying attempt 2 of at most 2, but releasing whack

---------the barf tells the following-----------------------
Jul 23 10:56:37 nepthun Pluto[16143]: | our client is 70.0.0.3/32
Jul 23 10:56:37 nepthun Pluto[16143]: | peer client is 0.0.0.0/32
Jul 23 10:56:37 nepthun Pluto[16143]: "IpsecLinuxClient" #2: peer client ID returned doesn't match my proposal
Jul 23 10:56:37 nepthun Pluto[16143]: | state transition function for STATE_QUICK_I1 failed: INVALID_ID_INFORMATION
Jul 23 10:56:37 nepthun Pluto[16143]: | next event EVENT_RETRANSMIT in 8 seconds for #2
Jul 23 10:56:45 nepthun Pluto[16143]: |


_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
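As a diagnostic aid added here (not code from the post or from FreeS/WAN), the following script parses the eroute and the Pluto barf lines quoted above and answers two of the questions in the post from the logs alone: whether a given source/destination pair is covered by the tunnel's selector at all, and whether the client ID the peer returned equals the leftsubnet that was proposed. The log lines are copied from the post; the proposed leftsubnet per run and the function names are my assumptions.

```python
import ipaddress
import re

# Sample data: constructed from the eroute and barf lines quoted in the post.
EROUTE_LINE = "0 70.0.0.3/32 -> 70.0.0.0/24 => tun0x1002@192.168.0.2"
BARF_LINES = [
    "Jul 23 11:01:32 nepthun Pluto[16706]: | our client is 70.0.0.3/32",
    "Jul 23 11:01:32 nepthun Pluto[16706]: | peer client is subnet 70.0.0.0/24",
    "Jul 23 10:56:37 nepthun Pluto[16143]: | our client is 70.0.0.3/32",
    "Jul 23 10:56:37 nepthun Pluto[16143]: | peer client is 0.0.0.0/32",
]
# Assumed leftsubnet each run proposed: the conn value, then 0.0.0.0/0 as advised in B.
PROPOSED_LEFTSUBNET = {"16706": "70.0.0.0/255.255.255.0", "16143": "0.0.0.0/0"}

EROUTE_RE = re.compile(r"^\d+\s+(\S+)\s+->\s+(\S+)\s+=>")
CLIENT_RE = re.compile(r"Pluto\[(\d+)\]: \| (our|peer) client is (?:subnet )?(\S+)")

def eroute_covers(eroute_line, src, dst):
    """True if a packet src->dst matches the eroute selector, i.e. gets tunnelled."""
    m = EROUTE_RE.match(eroute_line)
    if not m:
        raise ValueError("not an eroute line: %r" % eroute_line)
    src_net = ipaddress.ip_network(m.group(1), strict=False)
    dst_net = ipaddress.ip_network(m.group(2), strict=False)
    return ipaddress.ip_address(src) in src_net and ipaddress.ip_address(dst) in dst_net

def quick_mode_clients(lines):
    """Map Pluto PID -> {'our': network, 'peer': network} from the barf debug lines."""
    by_pid = {}
    for line in lines:
        m = CLIENT_RE.search(line)
        if m:
            pid, side, net = m.groups()
            by_pid.setdefault(pid, {})[side] = ipaddress.ip_network(net, strict=False)
    return by_pid

def id_mismatches(lines, proposed):
    """(pid, proposed, returned) for runs where the peer's client ID != our proposal."""
    bad = []
    for pid, clients in quick_mode_clients(lines).items():
        want = ipaddress.ip_network(proposed[pid], strict=False)
        if clients.get("peer") != want:
            bad.append((pid, str(want), str(clients.get("peer"))))
    return bad

if __name__ == "__main__":
    # 70.0.0.2 lies inside the selector; 60.0.0.2 does not, so it never enters the tunnel.
    for target in ("70.0.0.2", "60.0.0.2"):
        print("%s tunnelled: %s" % (target, eroute_covers(EROUTE_LINE, "70.0.0.3", target)))
    for pid, want, got in id_mismatches(BARF_LINES, PROPOSED_LEFTSUBNET):
        print("Pluto[%s]: proposed %s, peer returned %s" % (pid, want, got))
```

The same two checks can be run against a live `ipsec eroute` and `ipsec barf` capture by replacing the constructed strings with the real output.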



This archive was generated by hypermail 2.1.4 : Mon Aug 05 2002 - 21:01:34 CEST