[Users] WIN2K VPN Client can ping Freeswan gateway but doesn't attempt to negotiate ipsec on private subnet behind?

From: Alistair Nelson (alistair.nelson_at_eb2b.com.au)
Date: Fri Sep 13 2002 - 04:04:58 CEST


Hi,

I have been trying to get Nate Carlson's documented advice for Win2K client -> Freeswan gateway working for a while, getting closer and closer but have hit a brick wall.

Below you can see the output as a laptop dials in and gets a dynamic IP address assigned, then attempts to set up an ipsec connection with a private subnet behind a Freeswan gateway.

As you can see, Marcus's client negotiates ipsec when attempting to ping the gateway connection. But when attempting to ping the actual private subnet connection, it's as if the subnet ipsec connection was never configured??????? The ping packets aren't being interpreted by the client at all, even though the roadwarrior-net connection is configured to connect to a private class C address.

Why doesn't the 192.168... ping get encapsulated and forwarded to the gateway???

The configuration is:

WIN2K laptop <> internet <> firewall <> f/s gateway <> private subnet

Really appreciate any help. secure.log and oakley.log aren't included; as ipsec isn't being negotiated, I imagine they are no help.

==========Running ipsec and ping from the client============
C:\ipsec>ipsec
IPSec Version 2.1.4 (c) 2001,2002 Marcus Mueller
Getting running Config ...
Microsoft's Windows 2000 identified
Host name is: Troy
1 RAS connection(s) found!
RAS IP Address: 61.68.133.25
Setting up IPSec ...

        Deactivating old policy...
        Removing old policy...

Connection roadwarrior:
        MyTunnel : 61.68.133.25
        MyNet : 61.68.133.25/255.255.255.255
        PartnerTunnel: 210.8.191.252
        PartnerNet : 210.8.191.252/255.255.255.255
        CA (ID) : censored
        PFS : y
        Auto : start
        Auth.Mode : MD5
        Rekeying : 3600S/50000K
        Activating policy...

Connection roadwarrior-net:
        MyTunnel : 61.68.133.25
        MyNet : 61.68.133.25/255.255.255.255
        PartnerTunnel: 210.8.191.252
        PartnerNet : 192.168.1.255/255.255.254.0
        CA (ID) : censored
        PFS : y
        Auto : start
        Auth.Mode : MD5
        Rekeying : 3600S/50000K
        Activating policy...

C:\ipsec>ping 210.8.191.252

Pinging 210.8.191.252 with 32 bytes of data:

Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.
Negotiating IP Security.

Ping statistics for 210.8.191.252:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\ipsec>ping 210.8.191.252

Pinging 210.8.191.252 with 32 bytes of data:

Reply from 210.8.191.252: bytes=32 time=300ms TTL=255
Reply from 210.8.191.252: bytes=32 time=280ms TTL=255
Reply from 210.8.191.252: bytes=32 time=261ms TTL=255
Reply from 210.8.191.252: bytes=32 time=270ms TTL=255

Ping statistics for 210.8.191.252:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 261ms, Maximum = 300ms, Average = 277ms

C:\ipsec>ping 192.168.1.16

Pinging 192.168.1.16 with 32 bytes of data:

Reply from 203.63.11.13: Destination host unreachable.
Request timed out.
Reply from 203.63.11.13: Destination host unreachable.
Reply from 203.63.11.13: Destination host unreachable.

Ping statistics for 192.168.1.16:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
=================================================

=======================================================
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

# basic configuration
config setup
        interfaces="ipsec0=eth0 ipsec1=eth0:0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        #uniqueids=yes

# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior1-net
        leftsubnet=192.168.1.255/255.255.254.0
        also=roadwarrior1

conn roadwarrior2-net
        leftsubnet=192.168.1.255/255.255.254.0
        also=roadwarrior2

conn roadwarrior1
        right=%any
        left=192.168.1.16
        leftcert=vpn.pem
        auto=add
        pfs=yes

conn roadwarrior2
        right=%any
        left=210.8.191.252
        leftnexthop=210.8.191.250
        leftcert=vpn.pem
        auto=add
        pfs=yes
========================================

Thank you kindly in advance for any help!

Sincerely,

Alistair.
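An added check (not the poster's or FreeS/WAN's code) for the subnet values in the config above: FreeS/WAN writes subnets as address/netmask, and 192.168.1.255/255.255.254.0 has host bits set under its /23 mask, so its canonical form is 192.168.0.0/23. The helpers below read the conn blocks, follow the also= chain the way the config relies on it, and flag a non-canonical leftsubnet, which is worth normalising before digging into logs, since a selector that never matches means the 192.168.x pings leave the client unencapsulated (the plaintext replies from 203.63.11.13 in the output above show exactly that).

```python
import ipaddress
import re
# Constructed sample: two conn blocks copied from the ipsec.conf in the post above.
SAMPLE_CONF = """
conn roadwarrior2-net
        leftsubnet=192.168.1.255/255.255.254.0
        also=roadwarrior2

conn roadwarrior2
        right=%any
        left=210.8.191.252
        pfs=yes
"""

def parse_conns(text):
    """Minimal ipsec.conf reader: 'conn NAME' headers, then indented key=value lines."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments
        if not line.strip():
            continue
        head = re.match(r"^conn\s+(\S+)", line)
        if head:
            current = head.group(1)
            conns[current] = {}
        elif current and line[0].isspace() and "=" in line:
            key, val = line.strip().split("=", 1)
            conns[current][key.strip()] = val.strip()
    return conns

def resolve(conns, name):
    """Follow also= chains; a conn's own settings win over the conn it includes."""
    merged, seen = {}, set()
    while name in conns and name not in seen:
        seen.add(name)
        for key, val in conns[name].items():
            if key != "also":
                merged.setdefault(key, val)
        name = conns[name].get("also")
    return merged

def check_subnet(spec):
    """Return (findings, canonical_network) for a leftsubnet/rightsubnet value; host
    bits set under the mask (192.168.1.255 with /23) make the selector ambiguous."""
    iface = ipaddress.ip_interface(spec)   # accepts addr/dotted-netmask or addr/prefixlen
    net = iface.network
    findings = []
    if iface.ip != net.network_address:
        findings.append(f"{spec}: host bits set, canonical form is {net.with_netmask}")
    return findings, net
```

Running check_subnet over every resolved conn in a real ipsec.conf gives a quick pre-flight list of selectors to rewrite in their canonical form on both the gateway and the Windows side.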

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.4 : Sun Sep 15 2002 - 05:20:05 CEST