From: Christian Knoblauch (knoblauch.praktikant_at_secorvo.de)
Date: Thu Aug 22 2002 - 16:35:52 CEST
Dear all,
I am trying to build a VPN using FreeS/WAN 1.9 and SuSE Linux 7.2.
My network plan looks like (each box with one nic):
192.168.98.95/24--------------192.168.98.94/24
(eth0, ipsec0) (eth0, ipsec0)
not more.
After "ipsec auto --up sample" everything works fine; the tunnel is built
up without any problem (nothing in /var/log/messages or /var/log/warn or
any screen output).
When I try to ping the other machine from one of them, I can see (using tcpdump)
ip-proto-50 packets on both eth0 interfaces and unencrypted ICMP packets on
the ipsec0 of the machine I ping from. I can't see anything on
the ipsec0 interface which should get the ping.
I guess it is a problem with my routing, or is it a problem because I am
in only one subnet?
I am comfortable working with linux and have some small experience with vpns.
Thank you very much!
Best
Christian Knoblauch
I will add some config files and screen output to this mail:
----------------- route -n (on 192.168.98.95 before ipsec auto --up sample) ----------
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.98.0    *               255.255.255.0   U     0      0        0 eth0
192.168.98.0    *               255.255.255.0   U     0      0        0 ipsec0
default         192.168.98.94   0.0.0.0         UG    0      0        0 eth0
-------------------------------------------------------------------------------------
----------------- ipsec look (on 192.168.98.95 after ipsec auto --up sample) -------------------------
linux Thu Aug 22 15:39:24 CEST 2002
192.168.98.0/24 -> 192.168.98.0/24 => tun0x1002@192.168.98.94 esp0x20763d59@192.168.98.94
ipsec0->eth0 mtu=16260->1500
esp0x20763d59@192.168.98.94 ESP_3DES_HMAC_MD5: dir=out src=192.168.98.95 iv_bits=64bits iv=0x1a30bfd661027ba9 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=add(45,0,0)
esp0xd0ba9eb9@192.168.98.95 ESP_3DES_HMAC_MD5: dir=in src=192.168.98.94 iv_bits=64bits iv=0x87a71b9775b36699 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=add(46,0,0)
tun0x1001@192.168.98.95 IPIP: dir=in src=192.168.98.94 life(c,s,h)=add(46,0,0)
tun0x1002@192.168.98.94 IPIP: dir=out src=192.168.98.95 life(c,s,h)=add(45,0,0)
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.98.94   0.0.0.0         UG       40 0          0 eth0
192.168.98.0    0.0.0.0         255.255.255.0   U        40 0          0 ipsec0
192.168.98.0    192.168.98.94   255.255.255.0   UG       40 0          0 ipsec0
----------------------------------------------------------------------------------------------------
----------- ipsec.conf - the same on both boxes ------------------------
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file.

# basic configuration
config setup
	# THIS SETTING MUST BE CORRECT or almost nothing will work;
	# %defaultroute is okay for most simple cases.
	#interfaces=%defaultroute
	interfaces="ipsec0=eth0"
	# Debug-logging controls: "none" for (almost) none, "all" for lots.
	klipsdebug=all
	plutodebug=all
	# Use auto= parameters in conn descriptions to control startup actions.
	plutoload=%search
	plutostart=%search
	# Close down old connection when new one using same ID shows up.
	uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
	# How persistent to be in (re)keying negotiations (0 means very).
	keyingtries=0
	# Parameters for manual-keying testing (DON'T USE OPERATIONALLY).
	# Note: only one test connection at a time can use these parameters!
	spi=0x200
	esp=3des-md5-96
	espenckey=0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0
	espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf
	# RSA authentication with keys from DNS.
	authby=secret
	leftrsasigkey=%dns
	rightrsasigkey=%dns

# sample connection
conn sample
	# Left security gateway, subnet behind it, next hop toward right.
	left=192.168.98.95
	leftsubnet=192.168.98.0/24
	leftnexthop=%direct
	#
	# Right security gateway, subnet behind it, next hop toward left.
	right=192.168.98.94
	rightsubnet=192.168.98.0/24
	rightnexthop=%direct
	#
	# To authorize this connection, but not actually start it, at startup,
	# uncomment this.
	auto=add
------------------------------------------------------------------
-------ipsec.secrets - the same on both boxes ------
192.168.98.95 192.168.98.94 : PSK "test"
----------------------------------------------------
--- ifconfig on 192.168.98.95 -------------------------
eth0      Link encap:Ethernet  HWaddr 00:60:08:17:EA:56
          inet addr:192.168.98.95  Bcast:192.168.98.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:316 (316.0 b)  TX bytes:910 (910.0 b)
          Interrupt:10 Base address:0x300

ipsec0    Link encap:Ethernet  HWaddr 00:60:08:17:EA:56
          inet addr:192.168.98.95  Mask:255.255.255.0
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:53 errors:0 dropped:0 overruns:0 frame:0
          TX packets:53 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4808 (4.6 Kb)  TX bytes:4808 (4.6 Kb)
-----------------------------------------------------------------------------------------------
Christian Knoblauch
Diplomand
Secorvo Security Consulting GmbH
Albert-Nestler-Strasse 9, D-76131 Karlsruhe
Tel. +49 721 6105-500, Fax +49 721 6105-455
E-Mail knoblauch.praktikant_at_secorvo.de, http://www.secorvo.de
-------------------------------------------------------
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
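An added illustration, not part of Christian's mail and not FreeS/WAN code: the conn sample above gives leftsubnet and rightsubnet the same 192.168.98.0/24, a range that also contains both gateway addresses. The FreeS/WAN configuration documentation requires the two subnets of a connection not to overlap, and a tunnel between two single hosts is written without subnet lines (each side then defaults to the gateway itself, /32). The checker below parses conn sections in ipsec.conf syntax and flags overlapping subnets and gateway addresses that fall inside the peer's subnet. Its function names and the host-to-host variant are assumptions made for this example; the first config string is the relevant part of the conn sample from the mail.

```python
"""Sanity-check FreeS/WAN-style ipsec.conf conn sections for subnet/gateway
conflicts.  Example code written for this page; function names are assumed."""
import ipaddress

# Copied from the conn sample in the mail (only the lines that matter here).
SAMPLE_CONF = """\
conn %default
    keyingtries=0
    authby=secret
conn sample
    left=192.168.98.95
    leftsubnet=192.168.98.0/24
    leftnexthop=%direct
    right=192.168.98.94
    rightsubnet=192.168.98.0/24
    rightnexthop=%direct
    auto=add
"""

# Constructed host-to-host variant: no subnet lines, so each side is /32.
HOST_TO_HOST_CONF = """\
conn sample
    left=192.168.98.95
    leftnexthop=%direct
    right=192.168.98.94
    rightnexthop=%direct
    auto=add
"""


def parse_ipsec_conf(text):
    """Return {"conn NAME" or "config setup": {key: value}}.

    Section headers start in column 0; body lines are indented key=value
    pairs; '#' starts a comment.  Good enough for the conn/config layout."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split()
            current = sections.setdefault(" ".join(parts[:2]), {})
            continue
        if current is None:
            continue
        key, sep, value = line.strip().partition("=")
        if sep:
            current[key.strip()] = value.strip().strip('"')
    return sections


def check_conn(name, conn):
    """Return a list of human-readable findings for one merged conn."""
    findings = []
    try:
        left = ipaddress.ip_address(conn["left"])
        right = ipaddress.ip_address(conn["right"])
    except (KeyError, ValueError):
        return [f"{name}: left and right must be literal IP addresses for this check"]
    # A missing subnet means "the gateway host itself", i.e. a /32.
    lsub = ipaddress.ip_network(conn.get("leftsubnet", f"{left}/32"), strict=False)
    rsub = ipaddress.ip_network(conn.get("rightsubnet", f"{right}/32"), strict=False)
    if lsub.overlaps(rsub):
        findings.append(f"{name}: leftsubnet {lsub} overlaps rightsubnet {rsub}")
    if right in lsub:
        findings.append(f"{name}: right gateway {right} lies inside leftsubnet {lsub}")
    if left in rsub:
        findings.append(f"{name}: left gateway {left} lies inside rightsubnet {rsub}")
    return findings


def check_conf(text):
    """Apply conn %default to every conn and return {conn_name: findings}."""
    sections = parse_ipsec_conf(text)
    defaults = sections.get("conn %default", {})
    results = {}
    for header, body in sections.items():
        kind, _, conn_name = header.partition(" ")
        if kind != "conn" or conn_name == "%default":
            continue
        results[conn_name] = check_conn(conn_name, {**defaults, **body})
    return results


if __name__ == "__main__":
    for label, conf in (("mail's conn sample", SAMPLE_CONF),
                        ("host-to-host variant", HOST_TO_HOST_CONF)):
        for conn_name, findings in check_conf(conf).items():
            print(f"{label} / conn {conn_name}: "
                  + ("; ".join(findings) if findings else "no subnet conflicts"))
```

Run against the mail's conn sample the checker reports three findings (identical subnets, and each gateway inside the other side's subnet); the host-to-host variant reports none.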
This archive was generated by hypermail 2.1.4 : Fri Aug 23 2002 - 01:20:14 CEST