From: Sam Sgro (sam_at_freeswan.org)
Date: Fri Oct 11 2002 - 20:28:25 CEST
On Fri, 11 Oct 2002, Donald Teed wrote:
>
> I am trying to learn how to set up a network to network VPN.
> I have two linux boxes, both running Redhat 7.2 and with FreeS/Wan
> 1.98b. I am using RSA keys and they seem to be fine.
>
> There are 2 machines in my test. One happens to be a DNS server (192.168.0.2),
> but I'm not using DNS forward keys as authentication method.
> The other happens to be the gateway to the internet (192.168.0.1), but my
> problems persist even when iptables service is stopped prior to
> starting ipsec service.
Won't shutting down your iptables service kill your masquerading as well?
> I have 0 echoed in ip_forward and rp_filter
> under proc, prior to starting the ipsec service.
Don't echo "0" to ip_forward. No data will be transferred to the subnet if you
do that; make sure ip_forward is set to "1".
> When ipsec service is running on both machines, everything is OK.
> I can ping from any machine in 192.168.0.0 to anywhere else
> in the same net.
>
> Once I have run the add command:
>
> ipsec auto --up sample
>
> The LAN dies except for this VPN connection.
It's the output of this command, the log messages that get deposited in
/var/log/messages, that tell you whether or not the command succeeds.
> Here is the config section of ipsec.conf from 192.168.0.2:
>
> conn sample
> leftrsasigkey=[key deleted]
> left=192.168.0.2
> leftsubnet=192.168.0.0/24
> leftnexthop=
> rightrsasigkey=[key deleted]
> right=192.168.0.1
> rightsubnet=192.168.0.0/24
> rightnexthop=
You don't want to have overlapping subnets, unless you've got some sort of
"proxy arp" thing going on. Otherwise a machine on the 192.168.0.0/24 subnet
thinks any machine on that range is local, and does not send such packets to
the gateway (ie, the IPSec machine.)
Renumber one of the subnets to another 192.168.x class C.
Depending on your MASQUERADE rule, you may also need to exempt packets
destined for the remote non-routable subnet:
http://lists.freeswan.org/pipermail/users/2002-August/012918.html
> The connection succeeds (as shown with ipsec look), but nothing
> on the network can ping anything else. That is, 192.168.0.7 cannot
> ping 192.168.0.5 (both Windows boxes). This is a peer to peer
> Windows and Linux network. The only pings that work anywhere
> on the LAN are between 192.168.0.1 and 192.168.0.2.
>
> When I stop ipsec on both machines, I have to ifup the eth0 on
> each machine involved in IPSEC to restore their networks.
(Mayhaps this restores ip_forward to "1"?)
-- 
Sam Sgro
sam_at_freeswan.org
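The overlap problem Sam describes can be caught before bringing the conn up. The script below is an added example, not code from the thread or from FreeS/WAN: it parses a conn block for leftsubnet/rightsubnet, tests whether the two CIDR blocks overlap (the general check, not just the /24 case in the quoted config), and prints the renumbered conn together with the ip_forward setting and a MASQUERADE exemption rule. The conn text, the addresses and the 192.168.1.0/24 renumbering are constructed; the exact iptables exemption rule is an assumption following the advice in the reply, not a rule quoted from the list.

```shell
#!/bin/sh
# Added example (not from the original thread): detect the overlapping
# leftsubnet/rightsubnet mistake in a FreeS/WAN conn and show the fix.
# Addresses and conn text below are constructed for illustration.

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length -> netmask as an integer (0 for /0).
mask_for() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    fi
}

# Exit status 0 when two CIDR blocks share at least one address.
# They overlap exactly when they agree under the shorter prefix's mask.
subnets_overlap() {
    net1=${1%/*}; len1=${1#*/}
    net2=${2%/*}; len2=${2#*/}
    if [ "$len2" -lt "$len1" ]; then shortest=$len2; else shortest=$len1; fi
    mask=$(mask_for "$shortest")
    [ $(( $(ip_to_int "$net1") & $mask )) -eq $(( $(ip_to_int "$net2") & $mask )) ]
}

# First "key=value" of a conn block, leading whitespace ignored.
conn_value() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1=//p" | head -n 1
}

# Exit status 0 when the conn's leftsubnet and rightsubnet overlap.
conn_has_overlap() {
    l=$(conn_value leftsubnet "$1")
    r=$(conn_value rightsubnet "$1")
    [ -n "$l" ] && [ -n "$r" ] && subnets_overlap "$l" "$r"
}

# Assumed exemption: stop MASQUERADE from rewriting traffic bound for the
# remote subnet. It has to sit in front of the MASQUERADE rule, hence -I.
masq_exemption_rule() {
    echo "iptables -t nat -I POSTROUTING -s $1 -d $2 -j ACCEPT"
}

# Constructed copy of the conn shape from the quoted message (keys removed).
BAD_CONN='conn sample
        leftrsasigkey=[key deleted]
        left=192.168.0.2
        leftsubnet=192.168.0.0/24
        rightrsasigkey=[key deleted]
        right=192.168.0.1
        rightsubnet=192.168.0.0/24'

# Same conn with the subnet behind "right" renumbered to another class C
# (gateway addresses kept as in the constructed original).
GOOD_CONN='conn sample
        leftrsasigkey=[key deleted]
        left=192.168.0.2
        leftsubnet=192.168.0.0/24
        rightrsasigkey=[key deleted]
        right=192.168.0.1
        rightsubnet=192.168.1.0/24'

for name in BAD_CONN GOOD_CONN; do
    eval "conn=\$$name"
    if conn_has_overlap "$conn"; then
        echo "$name: leftsubnet and rightsubnet overlap; LAN hosts will treat the far side as local"
    else
        echo "$name: subnets are distinct"
    fi
done

# On each gateway: forwarding must stay on, or nothing crosses the tunnel.
echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
masq_exemption_rule 192.168.0.0/24 192.168.1.0/24
```

Run it on a gateway after editing ipsec.conf and before `ipsec auto --up`; a conn that reports "overlap" is the situation in the quoted config, where every host already believes the remote range is on its own wire and never hands the packets to the IPsec box.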
This archive was generated by hypermail 2.1.5 : Sat Oct 12 2002 - 05:20:25 CEST