From: Pierrick LE FOL (pierrick.lefol_at_safety-host.com)
Date: Fri Aug 09 2002 - 14:16:19 CEST
Hi all,
I'm a new FreeS/WAN user and I'm trying to set up a simple VPN just to begin.
So I found a good doc with some sample configurations:
http://bec.at/support/ipsec/configs/
So I tried to reproduce the first example: Simple subnet-to-subnet configuration (RSA).
10.33.56.0/24 --(.254)-- freeswan box "VPN" --(.2)-- 207.151.222.0/24 --(.1)-- router --(.1)-- 172.35.55.0/24 --(.8)-- freeswan box "SPIDER" --(.254)-- 192.168.1.0/24
This is the configuration of each machine:
> freeswan box "VPN"
_ ifconfig:
[root_at_vpn etc]# ifconfig
eth0 Lien encap:Ethernet HWaddr 00:D0:B7:1E:99:A2
inet adr:10.33.56.254 Bcast:10.33.56.255 Masque:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:77537 errors:0 dropped:0 overruns:0 frame:0
TX packets:9870 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:100
RX bytes:8019821 (7.6 Mb) TX bytes:875892 (855.3 Kb)
Interruption:7 Adresse de base:0x6000
eth1 Lien encap:Ethernet HWaddr 00:D0:B7:1E:99:A3
inet adr:207.151.222.2 Bcast:207.151.222.255 Masque:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:12731 errors:0 dropped:0 overruns:0 frame:0
TX packets:9078 errors:0 dropped:0 overruns:10 carrier:0
collisions:2 lg file transmission:100
RX bytes:2247751 (2.1 Mb) TX bytes:1220670 (1.1 Mb)
Interruption:7 Adresse de base:0x8000
ipsec0 Lien encap:Ethernet HWaddr 00:D0:B7:1E:99:A3
inet adr:207.151.222.2 Masque:255.255.255.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:4119 errors:0 dropped:4 overruns:0 carrier:0
collisions:0 lg file transmission:10
RX bytes:0 (0.0 b) TX bytes:897942 (876.8 Kb)
lo Lien encap:Boucle locale
inet adr:127.0.0.1 Masque:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:135 errors:0 dropped:0 overruns:0 frame:0
TX packets:135 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:0
RX bytes:16908 (16.5 Kb) TX bytes:16908 (16.5 Kb)
_ route:
Table de routage IP du noyau
Destination Passerelle Genmask Indic Metric Ref Use Iface
207.151.222.0 * 255.255.255.0 U 0 0 0 eth1
207.151.222.0 * 255.255.255.0 U 0 0 0 ipsec0
192.168.1.0 207.151.222.1 255.255.255.0 UG 0 0 0 ipsec0
10.33.56.0 * 255.255.255.0 U 0 0 0 eth0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 207.151.222.1 0.0.0.0 UG 0 0 0 eth1
_ ipsec.conf:
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces="ipsec0=eth1"
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
    keyingtries=0

# sample VPN connection
conn site1-site2
    # Left security gateway, subnet behind it, next hop toward right.
    left=207.151.222.2
    leftsubnet=10.33.56.0/24
    leftnexthop=207.151.222.1
    # Right security gateway, subnet behind it, next hop toward left.
    right=172.35.55.8
    rightsubnet=192.168.1.0/24
    rightnexthop=172.35.55.1
    # To authorize this connection, but not actually start it, at startup,
    # uncomment this.
    auto=start
    authby=rsasig
    leftid=207.151.222.2
    rightid=172.35.55.8
    leftrsasigkey=0sAQOPyH6kubBWqS2p6/vCh7EwdwrWe7p61YceraZo+/Q6pGsF9gg3O7U3M4s95zqclQnBE7mZMnlYrRfJZtZI+yVB
    rightrsasigkey=0sAQOPyH6kubBWqS2p6/vCh7EwdwrWe7p61YceraZo+/Q6pGsF9gg3O7U3M4s95zqclQnBE7mZMnlYrRfJZtZI+yVB
_ ipsec.secrets:
: RSA {
    # RSA 512 bits site1-site2 Wed Aug 7 16:05:10 2002
    # for signatures only, UNSAFE FOR ENCRYPTION
    #pubkey=0sAQOPyH6kubBWqS2p6/vCh7EwdwrWe7p61YceraZo+/Q6pGsF9gg3O7U3M4s95zqclQnBE7mZMnlYrRfJZtZI+yVB
    #IN KEY 0x4200 4 1 AQOPyH6kubBWqS2p6/vCh7EwdwrWe7p61YceraZo+/Q6pGsF9gg3O7U3M4s95zqclQnBE7mZMnlYrRfJZtZI+yVB
    # (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA)
    Modulus: 0x8fc87ea4b9b056a92da9ebfbc287b130770ad67bba7ad5871eada668fbf43aa46b05f608373bb537338b3de73a9c9509c113b999327958ad17c966d648fb2541
    PublicExponent: 0x03
    # everything after this point is secret
    PrivateExponent: 0x17f6bfc61ef2b91c3246fca9f5c14832be81ce69f469ce412fc79bbc29fe09c5d1359c270bb79e905e8c23ec7976dabb170732c3cb83980c310a3976f6c2d3c1
    Prime1: 0xddda46b7dbb018bc77647deb919a773740954fa47d175345a436eff4c285a51f
    Prime2: 0xa5ea0666153de51884dde870d038fd6ff653395df04c751e4d551e17bde4899f
    Exponent1: 0x93e6d9cfe7cabb284f9853f26111a4cf80638a6da8ba3783c2cf4aa32c5918bf
    Exponent2: 0x6e9c04440e294365ade945a08ad0a8f54ee2263ea032f8bede38beba7e985bbf
    Coefficient: 0x20b3547913ce972ba1753c6cc0f8a22649cbc7fda391e446976f8bd340fd939e
    }
# do not change the indenting of that "}"
> freeswan box "SPIDER"
_ ifconfig:
eth0 Lien encap:Ethernet HWaddr 00:06:29:B7:1D:4F
inet adr:192.168.1.254 Bcast:192.168.1.255 Masque:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:85222 errors:0 dropped:0 overruns:0 frame:2
TX packets:9958 errors:0 dropped:0 overruns:0 carrier:0
collisions:42 lg file transmission:100
RX bytes:8842575 (8.4 Mb) TX bytes:793850 (775.2 Kb)
Interruption:10 Adresse de base:0xc000
eth1 Lien encap:Ethernet HWaddr 00:06:29:B7:1D:50
inet adr:172.35.55.8 Bcast:172.35.55.255 Masque:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:72420 errors:0 dropped:0 overruns:0 frame:0
TX packets:12607 errors:0 dropped:0 overruns:20 carrier:0
collisions:0 lg file transmission:100
RX bytes:8265506 (7.8 Mb) TX bytes:2202941 (2.1 Mb)
Interruption:11 Adresse de base:0xe000
ipsec0 Lien encap:Ethernet HWaddr 00:06:29:B7:1D:50
inet adr:172.35.55.8 Masque:255.255.255.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Lien encap:Boucle locale
inet adr:127.0.0.1 Masque:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:130 errors:0 dropped:0 overruns:0 frame:0
TX packets:130 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:0
RX bytes:13342 (13.0 Kb) TX bytes:13342 (13.0 Kb)
_ route:
Destination Passerelle Genmask Indic Metric Ref Use Iface
207.151.222.0 * 255.255.255.0 U 0 0 0 eth1
207.151.222.0 * 255.255.255.0 U 0 0 0 ipsec0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
10.33.56.0 207.151.222.1 255.255.255.0 UG 0 0 0 ipsec0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 207.151.222.1 0.0.0.0 UG 0 0 0 eth1
_ ipsec.conf:
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces="ipsec0=eth1"
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
    keyingtries=0

# sample VPN connection
conn site1-site2
    # Left security gateway, subnet behind it, next hop toward right.
    left=207.151.222.2
    leftsubnet=10.33.56.0/24
    leftnexthop=207.151.222.1
    # Right security gateway, subnet behind it, next hop toward left.
    right=172.35.55.8
    rightsubnet=192.168.1.0/24
    rightnexthop=172.35.55.1
    # To authorize this connection, but not actually start it, at startup,
    # uncomment this.
    auto=start
    authby=rsasig
    leftid=207.151.222.2
    rightid=172.35.55.8
    leftrsasigkey=0sAQOPyH6kubBWqS2p6/vCh7EwdwrWe7p61YceraZo+/Q6pGsF9gg3O7U3M4s95zqclQnBE7mZMnlYrRfJZtZI+yVB
    rightrsasigkey=0sAQOPyH6kubBWqS2p6/vCh7EwdwrWe7p61YceraZo+/Q6pGsF9gg3O7U3M4s95zqclQnBE7mZMnlYrRfJZtZI+yVB
_ ipsec.secrets:
: RSA {
    # RSA 512 bits site1-site2 Wed Aug 7 16:05:10 2002
    # for signatures only, UNSAFE FOR ENCRYPTION
    #pubkey=0sAQOPyH6kubBWqS2p6/vCh7EwdwrWe7p61YceraZo+/Q6pGsF9gg3O7U3M4s95zqclQnBE7mZMnlYrRfJZtZI+yVB
    #IN KEY 0x4200 4 1 AQOPyH6kubBWqS2p6/vCh7EwdwrWe7p61YceraZo+/Q6pGsF9gg3O7U3M4s95zqclQnBE7mZMnlYrRfJZtZI+yVB
    # (0x4200 = auth-only host-level, 4 = IPSec, 1 = RSA)
    Modulus: 0x8fc87ea4b9b056a92da9ebfbc287b130770ad67bba7ad5871eada668fbf43aa46b05f608373bb537338b3de73a9c9509c113b999327958ad17c966d648fb2541
    PublicExponent: 0x03
    # everything after this point is secret
    PrivateExponent: 0x17f6bfc61ef2b91c3246fca9f5c14832be81ce69f469ce412fc79bbc29fe09c5d1359c270bb79e905e8c23ec7976dabb170732c3cb83980c310a3976f6c2d3c1
    Prime1: 0xddda46b7dbb018bc77647deb919a773740954fa47d175345a436eff4c285a51f
    Prime2: 0xa5ea0666153de51884dde870d038fd6ff653395df04c751e4d551e17bde4899f
    Exponent1: 0x93e6d9cfe7cabb284f9853f26111a4cf80638a6da8ba3783c2cf4aa32c5918bf
    Exponent2: 0x6e9c04440e294365ade945a08ad0a8f54ee2263ea032f8bede38beba7e985bbf
    Coefficient: 0x20b3547913ce972ba1753c6cc0f8a22649cbc7fda391e446976f8bd340fd939e
    }
# do not change the indenting of that "}"
> router:
C 207.151.222.0/24 is directly connected, FastEthernet0/0
10.0.0.0/24 is subnetted, 1 subnets
S 10.33.56.0 is directly connected
S 192.168.1.0/24 [1/0] via 217.147.192.1
172.0.0.0/24 is subnetted, 1 subnets
C 172.35.55.0 is directly connected, FastEthernet1/0
"VPN" can ping "SPIDER" and vice versa.
> Setup tunnel problem
[root_at_vpn etc]# ipsec setup --status
IPsec running
pluto pid 10960
[root_at_vpn etc]# ipsec whack --status
000 interface ipsec0/eth1 207.151.222.2
000
000 "site1-site2": 10.33.56.0/24===207.151.222.2---207.151.222.1...172.35.55.1---192.168.1.254[172.35.55.1]===192.168.1.0/24
000 "site1-site2": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "site1-site2": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: eth1; trap erouted
000 "site1-site2": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000
000 #9: "site1-site2" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 19s
It seems that the tunnel is up.
But when I look at /var/log/messages, pluto indicates that conn "site1-site2" is down:
Aug 9 09:32:53 vpn ipsec_setup: ...FreeS/WAN IPsec started
Aug 9 09:46:04 vpn ipsec__plutorun: 104 "site1-site2" #1: STATE_MAIN_I1: initiate
Aug 9 09:46:04 vpn ipsec__plutorun: 010 "site1-site2" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
Aug 9 09:46:04 vpn ipsec__plutorun: 010 "site1-site2" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
Aug 9 09:46:04 vpn ipsec__plutorun: 031 "site1-site2" #1: max number of retransmissions (20) reached STATE_MAIN_I1. No acceptable response to our first IKE message
Aug 9 09:46:04 vpn ipsec__plutorun: 000 "site1-site2" #1: starting keying attempt 2 of an unlimited number, but releasing whack
Aug 9 09:46:04 vpn ipsec__plutorun: ...could not start conn "site1-site2"
I don't know what more I can do.
Does anyone have any suggestions?
Thanks for your reply.
_ Pierrick
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.4 : Fri Aug 09 2002 - 17:19:33 CEST
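As an added example (not from the post, and not FreeS/WAN's own code): a small Python checker that parses the conn section both gateways share, decodes the 0s-encoded RSA keys (FreeS/WAN's base64 form of the RFC 2537 wire format) and reports what a reviewer would flag in this configuration, namely that leftrsasigkey and rightrsasigkey are the same key and that the modulus is only 512 bits. The /24 link assumption for the next-hop check and the 2048-bit threshold are mine.

```python
import base64
import ipaddress
# Constructed sample: the conn parameters both gateways in the post share
# (identical on "VPN" and "SPIDER"); KEY is the 0s key given there.
KEY = "0sAQOPyH6kubBWqS2p6/vCh7EwdwrWe7p61YceraZo+/Q6pGsF9gg3O7U3M4s95zqclQnBE7mZMnlYrRfJZtZI+yVB"
CONN_TEXT = f"""conn site1-site2
    left=207.151.222.2
    leftnexthop=207.151.222.1
    right=172.35.55.8
    rightnexthop=172.35.55.1
    authby=rsasig
    leftrsasigkey={KEY}
    rightrsasigkey={KEY}
"""

def parse_conn(text):
    """Parse the key=value lines of one FreeS/WAN conn section into a dict."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if "=" in line and not line.startswith("conn "):
            k, v = line.split("=", 1)
            params[k.strip()] = v.strip().strip('"')
    return params

def decode_rsasigkey(key):
    """Decode a '0s' (base64) RSA key: RFC 2537 exponent length, exponent, modulus."""
    raw = base64.b64decode(key[2:])                   # strip the 0s prefix
    elen, pos = raw[0], 1
    if elen == 0:                                     # long form: 2-byte length follows
        elen, pos = int.from_bytes(raw[1:3], "big"), 3
    e = int.from_bytes(raw[pos:pos + elen], "big")
    n = int.from_bytes(raw[pos + elen:], "big")
    return e, n

def check_conn(params, min_bits=2048):
    """Return findings for a subnet-to-subnet RSA conn (assumes /24 links)."""
    findings = []
    for side in ("left", "right"):
        gw = ipaddress.ip_address(params[side])
        hop = ipaddress.ip_address(params[side + "nexthop"])
        if hop not in ipaddress.ip_network(f"{gw}/24", strict=False):
            findings.append(f"{side}nexthop {hop} is not on the /24 of {gw}")
        _, n = decode_rsasigkey(params[side + "rsasigkey"])
        if n.bit_length() < min_bits:
            findings.append(f"{side} RSA modulus is only {n.bit_length()} bits")
    if params["leftrsasigkey"] == params["rightrsasigkey"]:
        findings.append("left and right carry the same RSA key; peers cannot be told apart")
    return findings
```

Run on the post's values, check_conn reports three findings: the 512-bit modulus on each side and the shared key; the next-hop check passes, which matches the routing shown above.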