[Users] no connection is known ....

From: Michael Wittmann (mikewittmann_at_t-online.de)
Date: Sun Sep 01 2002 - 20:05:11 CEST


Hi,

I am trying to set up a VPN gateway on a Red Hat 7.3 system. I used FreeS/WAN 1.98b together with the current X.509 patch.

The installation worked as it should.

ipsec verify now tells me that everything is OK.

One thing is maybe worth mentioning:

The last test of verify, "Does the machine have at least one non-private address", always failed, which makes no sense, because
it has a non-private address 195.30.X.X on eth0. After studying the verify script I found out that the script tried to list
the installed interfaces with the command ifconfig and a grep for 'inet addr'. This always failed on my computer because I installed
it with German language support and the output of ifconfig is something like 'inet Adre.....'. A change in the script solved this problem, but I wonder
if similar effects could happen in other cases.

Now to my problem:

I have 2 Ethernet interfaces: one is connected to a local private subnet 10.1.1.0/24 with IP address 10.1.1.103;
the other adapter has a non-private address 195.30.X.X and is a member of a small subnet in front of our Internet gateway 192.30.X.Y.
In parallel to the VPN gateway there is a firewall with NAT.

I am trying to connect with a road warrior on Windows XP, which is behind a NAT router on a dynamic IP address (DSL).
The local private address of the PC is 192.168.1.3.

I tried ping, but it didn't work.

This is how the ipsec.conf looks (I have changed part of my real addresses to X.Y for security reasons):

[root_at_DIGAVPN etc]# cat /etc/ipsec.conf
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces="ipsec0=eth0 ipsec1=eth1"
        # interfaces="ipsec0=eth0"
        # interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=195.30.X.Y
        leftsubnet=10.1.1.0/24
        leftid="C=DE, L=ZZZZ, O=XXXX, OU=YYYY, CN=Gateway"

conn roadwarrior
        right=%any
        rightsubnet=192.168.1.0/24
        auto=add

This is what /var/log/secure shows:

Sep 1 17:23:56 DIGAVPN pluto[1238]: "roadwarrior"[1] 217.228.221.37 #1: responding to Main Mode from unknown peer 217.228.221.37
Sep 1 17:23:56 DIGAVPN pluto[1238]: "roadwarrior"[1] 217.228.221.37 #1: Peer ID is ID_DER_ASN1_DN: 'C=DE, L=ZZZZ, O=XXXX, OU=YYYY, CN=roadwarrior'
Sep 1 17:23:56 DIGAVPN pluto[1238]: "roadwarrior"[1] 217.228.221.37 #1: Issuer CRL not found
Sep 1 17:23:56 DIGAVPN pluto[1238]: "roadwarrior"[1] 217.228.221.37 #1: Issuer CRL not found
Sep 1 17:23:56 DIGAVPN pluto[1238]: "roadwarrior"[2] 217.228.221.37 #1: deleting connection "roadwarrior" instance with peer 217.228.221.37
Sep 1 17:23:56 DIGAVPN pluto[1238]: "roadwarrior"[2] 217.228.221.37 #1: sent MR3, ISAKMP SA established
Sep 1 17:23:56 DIGAVPN pluto[1238]: "roadwarrior"[2] 217.228.221.37 #1: cannot respond to IPsec SA request because no connection is known for 10.1.1.0/24===195.30.X.Y[C=DE, L=ZZZZ, O=XXXX, OU=YYYY, CN=Gateway]...217.228.221.37[C=DE, L=ZZZZ, O=XXXX, OU=YYYY, CN=roadwarrior]===192.168.1.3/32
Sep 1 17:23:57 DIGAVPN pluto[1238]: "roadwarrior"[2] 217.228.221.37 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xcf2181b4 (perhaps this is a duplicated packet)
[root_at_DIGAVPN etc]#

route -n shows:

[root_at_DIGAVPN sysconfig]# route -n
Kernel IP routing table
Destination     Gateway         Genmask          Flags Metric Ref  Use Iface
195.30.X.Y      0.0.0.0         255.255.255.248  U     0      0    0   eth0
195.30.X.Y      0.0.0.0         255.255.255.248  U     0      0    0   ipsec0
10.1.1.0        0.0.0.0         255.255.255.0    U     0      0    0   eth1
10.1.1.0        0.0.0.0         255.255.255.0    U     0      0    0   ipsec1
127.0.0.0       0.0.0.0         255.0.0.0        U     0      0    0   lo
0.0.0.0         195.30.X.Z      0.0.0.0          UG    0      0    0   eth0
[root_at_DIGAVPN sysconfig]#

It seems that pluto doesn't know how to connect between our local net and the eth0 address, but what can I do to get it running?

thanks,

Michael

P.S.: http://www.freeswan.org has been down for several days. Does anyone know why?

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
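Added example (not part of the original post or of the FreeS/WAN verify script) illustrating the locale problem Michael describes: a check that greps ifconfig output for the literal label "inet addr" finds nothing under a German locale, while a check that extracts the dotted-quad address itself works in either language. The two ifconfig dumps are constructed; the English one follows net-tools output of that era, the German one is modelled on the "inet Adre..." label quoted above (an assumption about the exact wording), and 195.30.1.2 stands in for the poster's 195.30.X.X. "Non-private" is taken to mean outside RFC 1918 space and loopback, which is the intent of the verify test as quoted.

```python
import ipaddress
import re

# Constructed ifconfig output, English net-tools labels (stand-in addresses).
IFCONFIG_EN = """\
eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:195.30.1.2  Bcast:195.30.1.7  Mask:255.255.255.248
          inet6 addr: fe80::200:ff:fe00:1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:02
          inet addr:10.1.1.103  Bcast:10.1.1.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
"""

# Constructed output with German labels, modelled on the 'inet Adre...' label
# quoted in the post (assumed wording, same addresses as above).
IFCONFIG_DE = """\
eth0      Protokoll:Ethernet  Hardware Adresse 00:00:00:00:00:01
          inet Adresse:195.30.1.2  Bcast:195.30.1.7  Maske:255.255.255.248
          inet6-Adresse: fe80::200:ff:fe00:1/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
eth1      Protokoll:Ethernet  Hardware Adresse 00:00:00:00:00:02
          inet Adresse:10.1.1.103  Bcast:10.1.1.255  Maske:255.255.255.0
lo        Protokoll:Lokale Schleife
          inet Adresse:127.0.0.1  Maske:255.0.0.0
"""

# "inet" as a whole word (so "inet6" is skipped), then any non-digit label text
# in whatever language, then the IPv4 address.  The address is the stable part.
IPV4_RE = re.compile(r"\binet\b[^\d\n]*(\d{1,3}(?:\.\d{1,3}){3})")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def grep_inet_addr(ifconfig_output):
    """The fragile check: lines containing the English label 'inet addr'."""
    return [line for line in ifconfig_output.splitlines() if "inet addr" in line]


def ipv4_addresses(ifconfig_output):
    """All IPv4 addresses in ifconfig output, independent of the label language."""
    return IPV4_RE.findall(ifconfig_output)


def is_private(addr):
    """Private in the sense of the verify test: RFC 1918 space or loopback."""
    ip = ipaddress.IPv4Address(addr)
    return ip in LOOPBACK or any(ip in net for net in RFC1918)


def has_non_private_address(ifconfig_output):
    """Locale-independent version of 'at least one non-private address'."""
    return any(not is_private(a) for a in ipv4_addresses(ifconfig_output))


if __name__ == "__main__":
    for name, output in (("English", IFCONFIG_EN), ("German", IFCONFIG_DE)):
        print(name, "grep 'inet addr' lines:", len(grep_inet_addr(output)))
        print(name, "addresses:", ipv4_addresses(output))
        print(name, "non-private address present:", has_non_private_address(output))
```

The other fix for scripts that must parse command output is to force the C locale for that one command (LC_ALL=C ifconfig), so that the labels are the English ones the grep expects regardless of the system's language setting; parsing the address rather than the label, as above, survives both.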


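Added example (not part of the original post and not Pluto's code) that models what the "no connection is known" log line reports: the Quick Mode request from 217.228.221.37 names the client subnets 10.1.1.0/24 and 192.168.1.3/32, while the posted conn is defined with rightsubnet=192.168.1.0/24, and a lookup that requires both client subnets to equal the conn's leftsubnet and rightsubnet exactly finds no match. The model is deliberately simplified to that exact-match rule; the conn definitions and the proposal values are taken from the posted ipsec.conf and log, with the left address kept as the "195.30.X.Y" placeholder (it is not parsed). The second conn list, with the road warrior's host address as rightsubnet, is an assumption added to show what the same lookup does match.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """Subset of a FreeS/WAN conn: the gateway is 'left', the peer is 'right'."""
    name: str
    left: str          # kept as the placeholder from the post; not parsed here
    leftsubnet: str
    right: str         # "%any" accepts any peer address (road warrior)
    rightsubnet: str


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def peer_matches(conn_right, peer_ip):
    """'%any' accepts every peer; otherwise the peer must be the configured address."""
    if conn_right == "%any":
        return True
    return ipaddress.ip_address(conn_right) == ipaddress.ip_address(peer_ip)


def find_client_connection(conns, peer_ip, local_client, remote_client):
    """Simplified lookup: the proposed client subnets must equal the conn's
    leftsubnet and rightsubnet exactly; 192.168.1.3/32 is not 192.168.1.0/24."""
    want_local, want_remote = _net(local_client), _net(remote_client)
    for conn in conns:
        if not peer_matches(conn.right, peer_ip):
            continue
        if _net(conn.leftsubnet) == want_local and _net(conn.rightsubnet) == want_remote:
            return conn
    return None


def quick_mode_response(conns, peer_ip, local_client, remote_client):
    """Return a one-line verdict in the spirit of the pluto log entry."""
    conn = find_client_connection(conns, peer_ip, local_client, remote_client)
    if conn is None:
        return ("cannot respond to IPsec SA request because no connection is known for "
                f"{local_client}...{peer_ip}==={remote_client}")
    return f'responding to Quick Mode on conn "{conn.name}"'


# The conn from the posted ipsec.conf, with conn %default merged in.
POSTED_CONNS = [Conn("roadwarrior", "195.30.X.Y", "10.1.1.0/24", "%any", "192.168.1.0/24")]

# Assumed variant: rightsubnet set to the single host the peer actually proposed.
HOST_CONNS = [Conn("roadwarrior", "195.30.X.Y", "10.1.1.0/24", "%any", "192.168.1.3/32")]

# What the Sep 1 17:23:56 log entry shows the peer proposing.
PEER_IP, LOCAL_CLIENT, REMOTE_CLIENT = "217.228.221.37", "10.1.1.0/24", "192.168.1.3/32"


if __name__ == "__main__":
    print(quick_mode_response(POSTED_CONNS, PEER_IP, LOCAL_CLIENT, REMOTE_CLIENT))
    print(quick_mode_response(HOST_CONNS, PEER_IP, LOCAL_CLIENT, REMOTE_CLIENT))
    print(quick_mode_response(POSTED_CONNS, PEER_IP, "10.1.1.0/24", "192.168.1.0/24"))
```

Note that the first two log lines from the same second still show the ISAKMP SA being established: the certificate-based Main Mode succeeded and only the Quick Mode selector lookup failed, which is what the model separates out.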

This archive was generated by hypermail 2.1.4 : Sun Sep 01 2002 - 22:19:52 CEST