[Users] FW: Error delivering message to: denny@figuerres.com!

From: Denny Figuerres (denny_at_figuerres.com)
Date: Wed Oct 30 2002 - 19:31:41 CET


Did the email go through or.....

-----Original Message-----
From: Postmaster [mailto:Postmaster]
Sent: Wednesday, October 30, 2002 12:54 PM
To: denny_at_figuerres.com
Subject: Error delivering message to: denny_at_figuerres.com!

Your message was not delivered for the following reason:

E-mail Account: mailinglists is over the limit of 31457280 bytes.

Automated Postmaster

--------Original E-mail--------
>From denny_at_figuerres.com Wed Oct 30 11:54:20 2002
Return-Path: <denny_at_figuerres.com>
Received: from mail.freeswan.org ([194.109.218.210]) by ; Wed, 30 Oct 2002
11:54:19 -0600
Received: from adams.freeswan.org (localhost.localdomain [127.0.0.1])
        by mail.freeswan.org (8.11.6/8.11.0) with ESMTP id g9UEnni25732;
        Wed, 30 Oct 2002 15:49:49 +0100
Received: from mail.figuerres.com ([216.136.31.197])
        by mail.freeswan.org (8.11.6/8.11.0) with ESMTP id g9UESvi25600
        for <Users_at_lists.freeswan.org>; Wed, 30 Oct 2002 15:29:01 +0100
Message-Id: <200210301038.AA18808864_at_mail.figuerres.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
From: "denny " <denny_at_figuerres.com>
Reply-To: <denny_at_figuerres.com>
X-Sender: <denny_at_figuerres.com>
To: <Users_at_lists.freeswan.org>
Subject: Re: [Users] confused! Help!
X-Mailer: <IMail v7.10>
Sender: users-admin_at_lists.freeswan.org
Errors-To: users-admin_at_lists.freeswan.org
X-BeenThere: users_at_lists.freeswan.org
X-Mailman-Version: 2.0.2
Precedence: bulk
List-Help: <mailto:users-request_at_lists.freeswan.org?subject=help>
List-Post: <mailto:users_at_lists.freeswan.org>
List-Subscribe: <http://lists.freeswan.org/mailman/listinfo/users>,
        <mailto:users-request_at_lists.freeswan.org?subject=subscribe>
List-Id: Discussion on day to day usage of FreeS/WAN IPSEC
<users.lists.freeswan.org>
List-Unsubscribe: <http://lists.freeswan.org/mailman/listinfo/users>,
        <mailto:users-request_at_lists.freeswan.org?subject=unsubscribe>
List-Archive: <http://lists.freeswan.org/pipermail/users/>
Date: Wed, 30 Oct 2002 10:38:05 -0500
X-Rcpt-To: <mailinglists_at_linux.co.tt>

ok I think I am close to working here.... I see the problem but not the
solution just yet.

here is my config:

my side outbound
PC ------ Linksys router/firewall ----[roadrunner modem]---- internet

at work coming in

internet----[dsl modem] ---- linux firewall / router / freeSWAN --- 2 local networks (DMZ servers, local users)

I have a connection from end to end.
the linux firewall is logging to /var/log/secure
this message:
Oct 30 10:24:22 firebox pluto[7933]: "outbound"[1] 65.34.96.47 #1: responding to Main Mode from unknown peer 65.34.96.47
Oct 30 10:24:24 firebox pluto[7933]: "outbound"[1] 65.34.96.47 #1: sent MR3, ISAKMP SA established
Oct 30 10:24:24 firebox pluto[7933]: "outbound"[1] 65.34.96.47 #1: cannot respond to IPsec SA request because no connection is known for 192.168.1.0/24===216.136.30.246[@firebox.figuerres.com]...65.34.96.47[@home.figuerres.com]===192.168.1.101/32

so I see that I need to alter my configs to account for the linksys box if I
am on the right track.... does that sound right??

here are the configs:
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
#
# firewall box in office
#
# basic configuration
config setup
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=1
        authby=rsasig

conn outbound
        left=0.0.0.0
        leftsubnet=192.168.1.0/32
        leftnexthop=192.168.1.1
        right=216.136.30.246
        rightsubnet=192.168.1.0/24
        rightid=@firebox.figuerres.com
        # RSA 2192 bits firebox Tue Oct 29 14:03:30 2002
        rightrsasigkey=0sAQOWh5uR....
        leftid=@home.figuerres.com
        # RSA 2192 bits home.denny.figuerres.com Tue Oct 29 19:19:09 2002
        leftrsasigkey=0sAQN69oME....
        auto=add

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
#
# pc at home on linksys box to roadrunner
#
# basic configuration
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=1
        authby=rsasig

conn outbound
        left=%defaultroute
        leftsubnet=
        leftnexthop=
        right=216.136.30.246
        rightsubnet=192.168.1.0/24
        rightid=@firebox.figuerres.com
        # RSA 2192 bits firebox Tue Oct 29 14:03:30 2002
        rightrsasigkey=0sAQOWh5uRIWhW...
        leftid=@home.figuerres.com
        # RSA 2192 bits home.denny.figuerres.com Tue Oct 29 19:19:09 2002
        leftrsasigkey=0sAQN69oMEGe6...
        auto=start

if someone could show me where I need to make changes?
please....

thanks.....

---------- Original Message ----------------------------------
From: Sam Sgro <sam_at_freeswan.org>
Date: Wed, 30 Oct 2002 02:08:10 -0500 (EST)

>-----BEGIN PGP SIGNED MESSAGE-----
>
>
>On Wed, 30 Oct 2002, denny wrote:
>
>> Hi, Well I have been reading the "online documentation"
>> and so far I think I get part of it but am very lost with the way you folks describe this stuff...
>>
>> example: Left Vs. Right
>>
>> seems like if this is a Peer to Peer that is symmetric that my left right would get inverted on the other end IE:
>>
>> my left is local right is remote on my pc
>> so
>> on the remote peer the same should be true
>> left is local right is remote
>> and in the config files for us to connect we should each have a local left that is connecting to the other side's right, right?
>
>When ipsec.conf is parsed, "left", or "right" entries are examined to see
>if we have an ipsec interface with an IP address that matches. If so, we
>assume that this end - be it left or right - applies to our end of the
>connection, and the other represents our peer.
>
>A static-static, classical VPN connection can be copied to both machines with
>no changes. As long as the connection is correctly defined, our scripts will
>sort out which of left or right pertain.
>
>You can't always copy connections identically from machine to machine; for
>example, take your roadwarrior situation - a static-dynamic connection. On the
>static end, you might have the connection defined in this fashion:
>
>conn server-rw
> left=12.12.12.12
> leftnexthop=12.12.12.1
> leftsubnet=192.168.1.0/24
> leftrsasigkey=0xAQ....
> right=%any
> rightid=@anything.you.want.as.id
> rightrsasigkey=0xAQ....
> auto=add
>
>(You can't "auto=start" a connection like this; it doesn't make any sense, as
>you don't know who your partner is. The server is passive, waiting for
>incoming connections.)
>
>On the dynamic end, you might define the same connection like this:
>
>conn client-rw
> left=12.12.12.12
> leftsubnet=192.168.1.0/24
> leftrsasigkey=0xAQ....
> right=%defaultroute
> rightid=@anything.you.want.as.id
> rightrsasigkey=0xAQ....
> auto=start
>
>Here, the roadwarrior considers itself "right", by referring to
>"%defaultroute" - this is a "magic" value, which fills in its own IP address
>and rightnexthop, as long as you are using "interfaces=%defaultroute". The id
>is in FQDN format - the "@" ensures that the FQDN will not be resolved, so use
>whatever strikes your fancy - and allows you to have multiple roadwarriors
>connecting with different RSA keys. The ID information tells the "server"
>which connection to use, and, by extension, which RSA key to use during
>negotiation for that particular roadwarrior.
>
>You could have rewritten the above connections, reversing left or right as you
>saw fit.
>
>If you need more advice, post your configs and/or relevant log snippets. See
>doc/trouble.html.
>
>- --
>Sam Sgro
>sam_at_freeswan.org
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.3ia
>Charset: noconv
>Comment: For the matching public key, finger the Reply-To: address.
>
>iQCVAwUBPb+FW0OSC4btEQUtAQENSQQAkGbU00HaNEYd2vuIE8Xada7uvmacHzSG
>oVK4wDdENWbQKiZvHUwKf9Jfo15am+vPCSmRyOmqgjShDXsr8Smip/GYFLtqlCYm
>pcGc4oC5DOkwSm8qG/VFuWR+kDtFnPj++lw9rznRr9XIXxLfiOqMam2OLpGFKB4f
>4czS9vOkXoI=
>=PsDA
>-----END PGP SIGNATURE-----
>
>_______________________________________________
>Users mailing list
>Users_at_lists.freeswan.org
>http://lists.freeswan.org/mailman/listinfo/users
>

--
Denny
--
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
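Editor's note, added to this archived message: the script below is an added diagnostic, not FreeS/WAN code and not anything Denny or Sam posted. It applies the left/right rule Sam describes (whichever of left/right carries our own address is our end; the other is the peer) to the pluto refusal in Denny's log, and reports which selector of the office-side conn fails to match. The conn text and log line are taken from this thread (the truncated RSA keys are left out, since they play no part in selector matching); the function names (parse_conf, parse_log, orient, diagnose), the assumed log layout (our subnet===addr[id]...peer addr[id]===subnet, as in the posted line) and FIXED_CONF, a hypothetical server-side variant with left=%any and no leftsubnet, are mine.

```python
"""Check a FreeS/WAN conn against the selector tuple that pluto logs when it
refuses an IPsec SA.  Added diagnostic, not FreeS/WAN code; parses only the
ipsec.conf subset used in the thread (conn sections, key=value, %default)."""
import ipaddress
import re

# Constructed from the thread: office-side conn (RSA keys omitted, they play
# no part in selector matching) and the pluto refusal line, rejoined.
SAMPLE_CONF = """\
conn %default
        authby=rsasig

conn outbound
        left=0.0.0.0
        leftsubnet=192.168.1.0/32
        right=216.136.30.246
        rightsubnet=192.168.1.0/24
        rightid=@firebox.figuerres.com
        leftid=@home.figuerres.com
        auto=add
"""
SAMPLE_LOG = (
    'Oct 30 10:24:24 firebox pluto[7933]: "outbound"[1] 65.34.96.47 #1: cannot '
    'respond to IPsec SA request because no connection is known for '
    '192.168.1.0/24===216.136.30.246[@firebox.figuerres.com]...'
    '65.34.96.47[@home.figuerres.com]===192.168.1.101/32')
# Hypothetical server-side variant: left=%any and no leftsubnet ("x=" is unset).
FIXED_CONF = (SAMPLE_CONF.replace('left=0.0.0.0', 'left=%any')
              .replace('leftsubnet=192.168.1.0/32', 'leftsubnet='))
# In the posted line our own end comes first: subnet===addr[id]...addr[id]===subnet
LOG_RE = re.compile(r'no connection is known for (?P<lsub>\S+?)==='
                    r'(?P<laddr>[^\[\s]+)\[(?P<lid>[^\]]*)\]\.\.\.'
                    r'(?P<raddr>[^\[\s]+)\[(?P<rid>[^\]]*)\]===(?P<rsub>\S+)')

def parse_conf(text):
    """Return {conn: {key: value}} with conn %default folded into every conn."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():              # "conn name" / "config setup"
            kind, _, name = line.partition(' ')
            cur = sections.setdefault((kind, name.strip()), {})
            continue
        key, _, val = line.strip().partition('=')
        if val.strip():                        # "leftsubnet=" means unset
            cur[key.strip()] = val.strip().strip('"')
    default = sections.get(('conn', '%default'), {})
    return {name: {**default, **kv} for (kind, name), kv in sections.items()
            if kind == 'conn' and name != '%default'}

def parse_log(line):
    """(our subnet, addr, id), (peer addr, id, subnet) from the refusal line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return (d['lsub'], d['laddr'], d['lid']), (d['raddr'], d['rid'], d['rsub'])

def same_net(a, b):
    return ipaddress.ip_network(a, strict=False) == ipaddress.ip_network(b, strict=False)

def orient(conn, our_addr):
    """Sam's rule: whichever of left/right carries our own address is our end."""
    for ours, theirs in (('left', 'right'), ('right', 'left')):
        if conn.get(ours) in (our_addr, '%defaultroute'):
            return ours, theirs
    return None

def diagnose(conf_text, log_line):
    """Per conn, every selector that keeps it from matching the logged request."""
    parsed = parse_log(log_line)
    if parsed is None:
        return ['log line is not a "no connection is known for" refusal']
    (lsub, laddr, lid), (raddr, rid, rsub) = parsed
    out = []
    for name, conn in parse_conf(conf_text).items():
        o = orient(conn, laddr)
        if o is None:
            out.append(f'{name}: neither left nor right is our address {laddr}')
            continue
        ours, theirs = o
        # our end: id and subnet must equal what pluto derived for us
        if conn.get(ours + 'id', lid) != lid:
            out.append(f'{name}: {ours}id={conn[ours + "id"]} but we are {lid}')
        if not same_net(conn.get(ours + 'subnet', laddr + '/32'), lsub):
            out.append(f'{name}: {ours}subnet is not {lsub}')
        # peer end: %any accepts any address; no subnet means the peer host /32
        paddr = conn.get(theirs, '')
        if paddr not in ('%any', raddr):
            out.append(f'{name}: {theirs}={paddr} but the peer is {raddr} (roadwarrior: use %any)')
        if conn.get(theirs + 'id', rid) != rid:
            out.append(f'{name}: {theirs}id={conn[theirs + "id"]} but the peer is {rid}')
        psub = conn.get(theirs + 'subnet', raddr + '/32')
        if not same_net(psub, rsub):
            out.append(f'{name}: {theirs}subnet is effectively {psub} but the peer proposes {rsub}')
    return out

if __name__ == '__main__':
    for title, conf in (('as posted', SAMPLE_CONF), ('with left=%any', FIXED_CONF)):
        print(title, *(diagnose(conf, SAMPLE_LOG) or ['no selector mismatch']), sep='\n  ')
```

Against the conn as posted it reports two peer-side mismatches: left=0.0.0.0 is not the address the roadwarrior arrives from, and leftsubnet=192.168.1.0/32 is not what the client proposed. With left=%any the one mismatch left is the one the log itself shows: the home PC, running with %defaultroute behind the Linksys NAT box, proposes its private address 192.168.1.101/32 as its end of the tunnel, while the firewall sees the packets arrive from 65.34.96.47. Two cautions for anyone reproducing this setup: stock FreeS/WAN of that era had no NAT traversal (it needed a separate patch), so matching the selectors alone will not carry ESP through the Linksys box; and the home LAN using the same 192.168.1.0/24 as the office's rightsubnet would leave the client with an ambiguous route even once the tunnel was up.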


This archive was generated by hypermail 2.1.5 : Thu Oct 31 2002 - 05:20:35 CET