RE: [Users] confused! Help!

From: Denny Figuerres (denny_at_figuerres.com)
Date: Wed Oct 30 2002 - 21:55:48 CET


Thanks for the reply...

Let me see if I can hit a few of the items:

Linksys box: manual and embedded web pages say that
"IPSec pass thru is supported for VPN, limited to a single session"
so I can have it handle one nat-ipsec which is all I need.
( if the docs are valid )

Ok I'll try changing the road-warrior to a new subnet range away from .1 and
.2 ( both used at office side)

Firewall: yes all the IPSEC and VPN related ports and protocols are open
Btw: I am using FirewallBuilder from sourceforge and it ROCKS!!! Very easy
to use!
iptables firewall
Both sides are Red Hat 7.3 Kernel 2.4.18-3

Rp_filter == tell me more?
I see a message but am not sure what to do about that??

I'll check on the NAT patch ... may need it....

Sounds like I am close to a working config ? just a few tweaks ....

One big ?? what do I need to do to assign an address for the road-warrior
on the inside LAN ??
Where does that part happen / get done ??

Thanks!

-----Original Message-----
From: Sam Sgro [mailto:sam_at_freeswan.org]
Sent: Wednesday, October 30, 2002 3:18 PM
To: denny
Cc: Users_at_lists.freeswan.org
Subject: Re: [Users] confused! Help!

-----BEGIN PGP SIGNED MESSAGE-----

On Wed, 30 Oct 2002, denny wrote:

> ok I think I am close to working here.... I see the problem but not the
> solution just yet.
>
> here is my config:
>
> my side outbound
> PC ------ Linksys router/firewall ----[roadrunner modem]---- internet

One thing you may not be aware of: NAT changes everything, and does cause
problems with IPSec. What you are attempting isn't for the faint of heart.

What you may wish to consider is NAT traversal; there is a patch available
at www.freeswan.ca or open-source.arkoon.net. I won't describe that solution
here.

Given all that, let's see what we can do here:

> here are the configs:
> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
> #
> # firewall box in office
> #
> # basic configuration
> config setup
> interfaces="ipsec0=eth1"
> klipsdebug=none
> plutodebug=none
> plutoload=%search
> plutostart=%search
> uniqueids=yes
>
> conn %default
> keyingtries=1
> authby=rsasig
>
> conn outbound
> left=0.0.0.0
> leftsubnet=192.168.1.0/32
> leftnexthop=192.168.1.1

Unless you're doing proxy-arp or something, having the same subnet specified
on both ends of the connection causes problems. My recommendation: renumber
the NAT'd subnet on the linksys box, and choose a static NAT'd IP for the
freeswan roadwarrior. Change the leftsubnet to that IP address, in this
fashion:

leftsubnet=192.168.22.101/32

> right=216.136.30.246
> rightsubnet=192.168.1.0/24
> rightid=@firebox.figuerres.com
> # RSA 2192 bits firebox Tue Oct 29 14:03:30 2002
> rightrsasigkey=0sAQOWh5uR....
> leftid=@home.figuerres.com
> # RSA 2192 bits home.denny.figuerres.com Tue Oct 29 19:19:09 2002
> leftrsasigkey=0sAQN69oME....
> auto=add

I don't think you'll need to alter your roadwarrior connection definition.
Give this a shot, and see what errors you find. :)

BTW, have you turned off rp_filter on the ipsec interface and the public
interface it is bound to on both machines? Does the linksys box have ipsec
passthrough enabled? Have you made appropriate holes in the firewall on
firebox.figuerres.com?

- --
Sam Sgro
sam_at_freeswan.org

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: For the matching public key, finger the Reply-To: address.

iQCVAwUBPcA+c0OSC4btEQUtAQHYoQQAviO1UaFce13YvIEvbybkp1hqK6HTuzS7
qvxXqpMGNo/gD+WjggXfLSgp7q8RrpwEsQL17c44ZCrPE9BkHwmaX3ibj5U+UgmX
eHsG0gg9Eu4y3ANZ+ZpA+50R1ytiFpjx8Xy2j0FMM4Igik+8csS+wqgTXVv2X1Xv
DYq67YPJQCw=
=zQGF
-----END PGP SIGNATURE-----

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
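Sam's main point, that the road-warrior's leftsubnet (192.168.1.0/32) sits inside the office's rightsubnet (192.168.1.0/24), is the kind of addressing mistake that can be caught by reading the conn before loading it. The following is an added example, not code from the thread or from FreeS/WAN itself: it parses a conn in ipsec.conf syntax (folding in conn %default), flags a leftsubnet/rightsubnet overlap, a /32 that is really the other side's network address, and a nexthop that falls inside the subnet routed into the tunnel (that last check is my own addition). The sample conf is constructed from the quoted one with placeholder ids and keys, and the renumbered variant assumes 192.168.22.1 as the new Linksys-side gateway.

```python
import ipaddress
import re

# Constructed sample modelled on the office-side conn quoted in the thread.
# Ids and RSA keys are placeholders, not the values from the message.
SAMPLE_CONF = """\
config setup
    interfaces="ipsec0=eth1"

conn %default
    keyingtries=1
    authby=rsasig

conn outbound
    left=0.0.0.0
    leftsubnet=192.168.1.0/32
    leftnexthop=192.168.1.1
    right=216.136.30.246
    rightsubnet=192.168.1.0/24
    rightid=@firebox.example
    rightrsasigkey=0sPLACEHOLDER
    leftid=@home.example
    leftrsasigkey=0sPLACEHOLDER
    auto=add
"""

# The same conn after the renumbering Sam suggests: the road-warrior LAN moved
# off 192.168.1.0/24 and one static NAT'd host address used as leftsubnet.
# The new gateway 192.168.22.1 is an assumption for this example.
FIXED_CONF = SAMPLE_CONF.replace(
    "leftsubnet=192.168.1.0/32", "leftsubnet=192.168.22.101/32"
).replace("leftnexthop=192.168.1.1", "leftnexthop=192.168.22.1")

SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)$")


def parse_conns(text):
    """Parse ipsec.conf text into {conn_name: {key: value}}; settings from
    'conn %default' are folded into every other conn, explicit ones winning."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        if SECTION_RE.match(line):
            current = sections.setdefault(line, {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    defaults = sections.get("conn %default", {})
    conns = {}
    for header, params in sections.items():
        if header.startswith("conn ") and header != "conn %default":
            conns[header[5:]] = {**defaults, **params}
    return conns


def check_conn(name, p):
    """Return the list of addressing problems in one conn (empty if none)."""
    if "leftsubnet" not in p or "rightsubnet" not in p:
        return []
    try:
        left = ipaddress.ip_network(p["leftsubnet"], strict=False)
        right = ipaddress.ip_network(p["rightsubnet"], strict=False)
    except ValueError as exc:
        return [f"{name}: unparsable subnet: {exc}"]
    problems = []
    if left.overlaps(right):
        problems.append(f"{name}: leftsubnet {left} overlaps rightsubnet {right}; "
                        "renumber one side so each end is a distinct subnet")
    for side, net, other in (("left", left, right), ("right", right, left)):
        # A /32 equal to the other side's network address is not a usable host.
        if (net.prefixlen == 32 and other.prefixlen < 32
                and net.network_address == other.network_address):
            problems.append(f"{name}: {side}subnet {net} is the network address "
                            f"of {other}, not a host; use the client's own address")
        hop = p.get(f"{side}nexthop")
        # The gateway the ESP packets are sent to must not itself be routed
        # into the tunnel; skip symbolic values such as %defaultroute.
        if hop and not hop.startswith("%") and ipaddress.ip_address(hop) in other:
            problems.append(f"{name}: {side}nexthop {hop} lies inside {other}, "
                            "which is routed through the tunnel")
    return problems


def audit(text):
    """Audit every conn in the given ipsec.conf text."""
    return {name: check_conn(name, p) for name, p in parse_conns(text).items()}


if __name__ == "__main__":
    for conf in (SAMPLE_CONF, FIXED_CONF):
        for name, problems in audit(conf).items():
            print(name, "->", problems or ["ok"])
```

Run against SAMPLE_CONF the audit reports three problems on conn outbound (the overlap, the .0/32 pseudo-host, and the nexthop inside the remote subnet); against FIXED_CONF it reports none, which is the state Sam's leftsubnet=192.168.22.101/32 suggestion is aiming for.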



This archive was generated by hypermail 2.1.5 : Thu Oct 31 2002 - 05:20:35 CET