From: John Sullivan (John.Sullivan_at_nexusmgmt.com)
Date: Thu Oct 31 2002 - 04:42:34 CET
Is leftsubnet=192.168.1.0/32 a typo in the mail message or in the config file? - John
-----Original Message-----
From: Denny Figuerres
To: users_at_lists.freeswan.org
Sent: 10/30/02 3:39 PM
Subject: [Users] Please Help
Re-sending this due to the list sending me back errors.... If you have seen this please ignore any duplicates.
I hope the list is fixed now?
ok I think I am close to working here.... I see the problem but not the solution just yet.
here is my config:
my side outbound
PC ------ Linksys router/firewall ----[roadrunner modem]---- internet
at work coming in
internet----[dsl modem] ---- linux firewall / router / freeSWAN --- 2 local networks (DMZ servers, local users)
I have a connection from end to end.
the linux firewall is logging this message to /var/log/secure:
Oct 30 10:24:22 firebox pluto[7933]: "outbound"[1] 65.34.96.47 #1: responding to Main Mode from unknown peer 65.34.96.47
Oct 30 10:24:24 firebox pluto[7933]: "outbound"[1] 65.34.96.47 #1: sent MR3, ISAKMP SA established
Oct 30 10:24:24 firebox pluto[7933]: "outbound"[1] 65.34.96.47 #1: cannot respond to IPsec SA request because no connection is known for 192.168.1.0/24===216.136.30.246[@firebox.figuerres.com]...65.34.96.47[@home.figuerres.com]===192.168.1.101/32
so I see that I need to alter my configs to account for the linksys box if I am on the right track.... does that sound right??
here are the configs:
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
#
# firewall box in office
#
# basic configuration
config setup
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=1
        authby=rsasig

conn outbound
        left=0.0.0.0
        leftsubnet=192.168.1.0/32
        leftnexthop=192.168.1.1
        right=216.136.30.246
        rightsubnet=192.168.1.0/24
        rightid=@firebox.figuerres.com
        # RSA 2192 bits firebox Tue Oct 29 14:03:30 2002
        rightrsasigkey=0sAQOWh5uR....
        leftid=@home.figuerres.com
        # RSA 2192 bits home.denny.figuerres.com Tue Oct 29 19:19:09 2002
        leftrsasigkey=0sAQN69oME....
        auto=add

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
#
# pc at home on linksys box to roadrunner
#
# basic configuration
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=1
        authby=rsasig

conn outbound
        left=%defaultroute
        leftsubnet=
        leftnexthop=
        right=216.136.30.246
        rightsubnet=192.168.1.0/24
        rightid=@firebox.figuerres.com
        # RSA 2192 bits firebox Tue Oct 29 14:03:30 2002
        rightrsasigkey=0sAQOWh5uRIWhW...
        leftid=@home.figuerres.com
        # RSA 2192 bits home.denny.figuerres.com Tue Oct 29 19:19:09 2002
        leftrsasigkey=0sAQN69oMEGe6...
        auto=start
if someone could show me where I need to make changes?
please....
thanks.....
---------- Original Message ----------------------------------
From: Sam Sgro <sam_at_freeswan.org>
Date: Wed, 30 Oct 2002 02:08:10 -0500 (EST)
>
>On Wed, 30 Oct 2002, denny wrote:
>
>> Hi, Well I have been reading the "online documentation"
>> and so far I think I get part of it but am very lost with the way you folks describe this stuff...
>>
>> example: Left Vs. Right
>>
>> seems like if this is a Peer to Peer that is symmetric that my left right would get inverted on the other end IE:
>>
>> my left is local right is remote on my pc
>> so
>> on the remote peer the same should be true
>> left is local right is remote
>> and in the config files for us to connect we should each have a local left that is connecting to the other sides right, right?
>
>When ipsec.conf is parsed, "left", or "right" entries are examined to see
>if we have an ipsec interface with an IP address that matches. If so, we
>assume that this end - be it left or right - applies to our end of the
>connection, and the other represents our peer.
>
>A static-static, classical VPN connection can be copied to both machines with
>no changes. As long as the connection is correctly defined, our scripts will
>sort out which of left or right pertain.
>
>You can't always copy connections identically from machine to machine; for
>example, take your roadwarrior situation - a static-dynamic connection. On the
>static end, you might have the connection defined in this fashion:
>
>conn server-rw
> left=12.12.12.12
> leftnexthop=12.12.12.1
> leftsubnet=192.168.1.0/24
> leftrsasigkey=0xAQ....
> right=%any
> rightid=@anything.you.want.as.id
> rightrsasigkey=0xAQ....
> auto=add
>
>(You can't "auto=start" a connection like this; it doesn't make any sense, as
>you don't know who your partner is. The server is passive, waiting for
>incoming connections.)
>
>On the dynamic end, you might define the same connection like this:
>
>conn client-rw
> left=12.12.12.12
> leftsubnet=192.168.1.0/24
> leftrsasigkey=0xAQ....
> right=%defaultroute
> rightid=@anything.you.want.as.id
> rightrsasigkey=0xAQ....
> auto=start
>
>Here, the roadwarrior considers itself "right", by referring to
>"%defaultroute" - this is a "magic" value, which fills in its own IP address
>and rightnexthop, as long as you are using "interfaces=%defaultroute". The id
>is in FQDN format - the "@" ensures that the FQDN will not be resolved, so use
>whatever strikes your fancy - and allows you to have multiple roadwarriors
>connecting with different RSA keys. The ID information tells the "server"
>which connection to use, and, by extension, which RSA key to use during
>negotiation for that particular roadwarrior.
>
>You could have rewritten the above connections, reversing left or right as you
>saw fit.
>
>If you need more advice, post your configs and/or relevant log snippets. See
>doc/trouble.html.
>
>- --
>Sam Sgro
>sam_at_freeswan.org
>
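An added debugging aid, not part of this thread or of FreeS/WAN: a Python script that parses a pluto "no connection is known for" line and one conn section of ipsec.conf, then reports each side whose configured subnet differs from what the peer proposed. Run on the office config and log line above, it flags leftsubnet=192.168.1.0/32 against the peer's proposed 192.168.1.101/32. The sample log line and conn are re-typed from the thread with the RSA keys and nexthop omitted; the conn name "outbound" is the one from the thread.

```python
import re
import ipaddress

# Constructed sample: the pluto log line from the thread, re-joined onto one line.
LOG_LINE = ('Oct 30 10:24:24 firebox pluto[7933]: "outbound"[1] 65.34.96.47 #1: '
            'cannot respond to IPsec SA request because no connection is known for '
            '192.168.1.0/24===216.136.30.246[@firebox.figuerres.com]...'
            '65.34.96.47[@home.figuerres.com]===192.168.1.101/32')

# Constructed sample: the office-side conn from the thread, with RSA keys and nexthop omitted.
OFFICE_CONF = """conn outbound
        left=0.0.0.0
        leftsubnet=192.168.1.0/32
        rightsubnet=192.168.1.0/24
        rightid=@firebox.figuerres.com
        leftid=@home.figuerres.com
        auto=add
"""

# pluto prints the two proposed ends as  subnet===host[id]...host[id]===subnet
PROPOSAL = re.compile(r'no connection is known for (?P<s1>\S+)===[\d.]+\[(?P<i1>[^\]]+)\]'
                      r'\.\.\.[\d.]+\[(?P<i2>[^\]]+)\]===(?P<s2>\S+)')

def parse_proposal(line):
    """Map each end's ID to the subnet it proposed; {} if the line is not a rejection."""
    m = PROPOSAL.search(line)
    return {m['i1']: m['s1'], m['i2']: m['s2']} if m else {}

def parse_conn(conf_text, name):
    """Return the key=value settings of one conn section of ipsec.conf, comments stripped."""
    settings, inside = {}, False
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.startswith(('conn ', 'config ')):
            inside = line.startswith('conn ') and line.split(None, 1)[1] == name
        elif inside and '=' in line:
            key, value = line.split('=', 1)
            settings[key.strip()] = value.strip()
    return settings

def find_mismatches(conf_text, name, line):
    """List (side, id, configured, proposed) for each side whose subnet differs from the peer's."""
    conn, proposed = parse_conn(conf_text, name), parse_proposal(line)
    out = []
    for side in ('left', 'right'):
        ident, subnet = conn.get(side + 'id'), conn.get(side + 'subnet')
        if ident in proposed and subnet:
            want, got = ipaddress.ip_network(subnet), ipaddress.ip_network(proposed[ident])
            if want != got:
                out.append((side, ident, str(want), str(got)))
    return out
```

Sides are matched by their leftid/rightid rather than by left/right position, so the same check works whichever way round the conn is written.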
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Fri Nov 01 2002 - 05:20:36 CET