Re: [Users] Re: Testing FreeSwan Gateway...

From: John M Soto (jsoto_at_jointtechgroup.com)
Date: Sat Nov 02 2002 - 09:03:35 CET


Thanks!!! That did the trick!!! I can ping and maintain secure connection
from PC to GW... ipsec auto --status and ipsec look are below.

Only problem I seem to have now is... I can't surf the web and cannot
retrieve email... I'm assuming it's bcuz I'm sending out encrypted
packets???

Originally I was under the impression that the tunnel would terminate at the
GW... Additionally, is there a way to implement OE without an RR on my
side? From my understanding of the documentation, the answer is no... But I
had to ask... You never know. You don't ask, you don't get.

Those conf files are a bit confusing in the beginning...Thanks much for the
help!!!

[root@littleman etc]# ipsec auto --status
000 interface ipsec0/eth0 204.215.152.222
000 interface ipsec1/eth1 90.0.0.6
000
000 "roadwarrior-net"[1]: 90.0.0.6[C=US, ST=NY, L=NY, O=Joint Technologies Group Inc, CN=littleman, E=jsoto@jointtechgroup.com]...90.0.0.4[C=US, ST=NY, L=NY, O=Joint Technologies Group Inc, CN=johnpc, E=jsoto@jointtechgroup.com]
000 "roadwarrior-net"[1]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "roadwarrior-net"[1]: policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1; erouted
000 "roadwarrior-net"[1]: newest ISAKMP SA: #3; newest IPsec SA: #4; eroute owner: #4
000 "roadwarrior-net": 90.0.0.6[C=US, ST=NY, L=NY, O=Joint Technologies Group Inc, CN=littleman, E=jsoto@jointtechgroup.com]...%any
000 "roadwarrior-net": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "roadwarrior-net": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1; unrouted
000 "roadwarrior-net": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "roadwarrior": 90.0.0.6[C=US, ST=NY, L=NY, O=Joint Technologies Group Inc, CN=littleman, E=jsoto@jointtechgroup.com]...%any
000 "roadwarrior": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "roadwarrior": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1; unrouted
000 "roadwarrior": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000
000 #2: "roadwarrior-net"[1] 90.0.0.4 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3233s
000 #2: "roadwarrior-net"[1] 90.0.0.4 esp.f8231960@90.0.0.4 esp.7c9b2557@90.0.0.6 tun.1002@90.0.0.4 tun.1001@90.0.0.6
000 #1: "roadwarrior-net"[1] 90.0.0.4 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3227s
000 #4: "roadwarrior-net"[1] 90.0.0.4 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3296s; newest IPSEC; eroute owner
000 #4: "roadwarrior-net"[1] 90.0.0.4 esp.6b459803@90.0.0.4 esp.7c9b2558@90.0.0.6 tun.1004@90.0.0.4 tun.1003@90.0.0.6
000 #3: "roadwarrior-net"[1] 90.0.0.4 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3290s; newest ISAKMP
000
[root@littleman etc]# ipsec look
littleman.sotomojo.com Sat Nov 2 01:50:25 EST 2002
90.0.0.6/32 -> 90.0.0.4/32 => tun0x1004@90.0.0.4 esp0x6b459803@90.0.0.4 (450)
ipsec0->eth0 mtu=16260(1500)->1500
ipsec1->eth1 mtu=16260(1443)->1500
esp0x6b459803@90.0.0.4 ESP_3DES_HMAC_MD5: dir=out src=90.0.0.6 iv_bits=64bits iv=0x75f364d6e2bbe9a3 ooowin=64 seq=228 alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(231200,0,0)addtime(46,0,0)usetime(42,0,0)packets(228,0,0) idle=0
esp0x7c9b2557@90.0.0.6 ESP_3DES_HMAC_MD5: dir=in src=90.0.0.4 iv_bits=64bits iv=0xf3f0129dc0115b03 ooowin=64 seq=129 bit=0xffffffffffffffff alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(9800,0,0)addtime(110,0,0)usetime(109,0,0)packets(129,0,0) idle=107
esp0x7c9b2558@90.0.0.6 ESP_3DES_HMAC_MD5: dir=in src=90.0.0.4 iv_bits=64bits iv=0x753936d415a59c8e ooowin=64 seq=180 bit=0xffffffffffffffff alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(13620,0,0)addtime(47,0,0)usetime(47,0,0)packets(180,0,0) idle=0
esp0xf8231960@90.0.0.4 ESP_3DES_HMAC_MD5: dir=out src=90.0.0.6 iv_bits=64bits iv=0xea473b68f34fd0fb ooowin=64 seq=20 alen=128 aklen=128 eklen=192 life(c,s,h)=bytes(15816,0,0)addtime(108,0,0)usetime(103,0,0)packets(20,0,0) idle=46
tun0x1001@90.0.0.6 IPIP: dir=in src=90.0.0.4 policy=90.0.0.4/32->90.0.0.6/32 flags=0x8<> life(c,s,h)=bytes(9800,0,0)addtime(110,0,0)usetime(109,0,0)packets(129,0,0) idle=107
tun0x1002@90.0.0.4 IPIP: dir=out src=90.0.0.6 life(c,s,h)=bytes(15168,0,0)addtime(108,0,0)usetime(103,0,0)packets(20,0,0) idle=46
tun0x1003@90.0.0.6 IPIP: dir=in src=90.0.0.4 policy=90.0.0.4/32->90.0.0.6/32 flags=0x8<> life(c,s,h)=bytes(13620,0,0)addtime(47,0,0)usetime(47,0,0)packets(180,0,0) idle=0
tun0x1004@90.0.0.4 IPIP: dir=out src=90.0.0.6 life(c,s,h)=bytes(223420,0,0)addtime(46,0,0)usetime(42,0,0)packets(228,0,0) idle=0
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         204.215.152.209 0.0.0.0         UG     40 0      0    eth0
204.215.152.208 0.0.0.0         255.255.255.240 U      40 0      0    eth0
204.215.152.208 0.0.0.0         255.255.255.240 U      40 0      0    ipsec0
90.0.0.0        0.0.0.0         255.0.0.0       U      40 0      0    eth1
90.0.0.0        0.0.0.0         255.0.0.0       U      40 0      0    ipsec1
90.0.0.4        90.0.0.4        255.255.255.255 UGH    40 0      0    ipsec1

----- Original Message -----
From: "Sam Sgro" <sam_at_freeswan.org>
To: "John M Soto" <jsoto_at_jointtechgroup.com>
Cc: <users_at_lists.freeswan.org>
Sent: Friday, November 01, 2002 2:44 AM
Subject: Re: [Users] Re: Testing FreeSwan Gateway...

> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> On Thu, 31 Oct 2002, John M Soto wrote:
>
> > OK, I'm new to this and have been banging away at this for over a week now.
> >
> > Installed FreeSwan 1.98b (pre-patched with X509) from freeswan.ca. Installed it from RPM on RedHat 7.2 with kernel 2.4.7-10
> >
> > Also installed Win XP vpn client from http://vpn.ebootis.de/... I just want to be able to test connectivity from inside my network..
> >
> > JOHNPC 90.0.0.4<--------->GateWay/Firewall
> >
> > Is this unreasonable...
>
> Not unreasonable, but unless your goal is to allow secure communication
> between clients inside your network and your gateway, it is not an
> ideal test. However, testing the authentication mechanism can be helpful
> (i.e., if your certs have been created and signed properly).
>
> The major problem you have is that FreeS/WAN isn't listening on that inner IP
> address:
>
> > ipsec0 Link encap:Ethernet HWaddr 00:01:02:D1:11:D7
> > inet addr:204.215.152.222 Mask:255.255.255.240
> > UP RUNNING NOARP MTU:16260 Metric:1
> > RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> > TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> > collisions:0 txqueuelen:10
> > RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
>
> This is because you are using "interfaces=%defaultroute". Most people use
> this because it automatically fills in the "nexthop" value with your
> FreeS/WAN device's default gateway.
>
> So, redefine the interfaces line from ipsec.conf like so:
>
> interfaces="ipsec0=eth0 ipsec1=eth1"
>
> You'll have to specify your roadwarrior connection details to suit this:
>
> > conn roadwarrior
> > right=%any
> > left=%defaultroute
> > leftcert=littleman.sotomojo.com.pem
> > auto=add
> > pfs=yes
>
> Replace left=%defaultroute with:
>
> left=90.0.0.6
> leftnexthop=%direct
>
> leftnexthop always represents the next hop towards right. In this case,
> you are on the same network as the peer you are trying to talk with. %direct
> will automatically fill in the nexthop value with the peer's IP address.
>
>
> - --
> Sam Sgro
> sam_at_freeswan.org
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3ia
> Charset: noconv
> Comment: For the matching public key, finger the Reply-To: address.
>
> iQCVAwUBPcIwy0OSC4btEQUtAQHu5gP+LdDgaYzZyN5PgBFeBK70VzMPPppzQcnk
> NbzsiN34mBceIqDt8uGJVzebAJrX9BTXUlnuSglQRv+kAOZDnEdsle1k9m6auDol
> 92qno/VkcaZ3BOHB7qGEjFNYkU2WL19dGBeQ6RgEQD6hDtXHViL/lao1yyjCAU1+
> YgNDn8o4ODg=
> =7t0Z
> -----END PGP SIGNATURE-----
>

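Added example (not part of the original message, and not FreeS/WAN's own tooling): a small Python script that parses the two outputs posted above and answers the two questions worth checking first when a road-warrior connection reports "IPsec SA established" but other traffic behaves unexpectedly: which connection instances actually have an IPsec SA that owns an eroute, and whether a given source/destination pair falls inside any eroute selector at all. The sample text embedded in the script is reconstructed from the output above (with the archive's `_at_` written back as `@`) and trimmed to the lines the parser reads; the address 198.51.100.10 is a constructed documentation-range address standing in for an arbitrary Internet host.

```python
"""Diagnostic parser for FreeS/WAN 'ipsec auto --status' and 'ipsec look'.

Added example, not code from the original message or from the FreeS/WAN
project. The two samples below are reconstructed from the output posted in
the thread (the archive's '_at_' written back as '@'), trimmed to the lines
the parser uses, and embedded so the script runs offline.
"""
import ipaddress
import re

STATUS_SAMPLE = """\
000 interface ipsec0/eth0 204.215.152.222
000 interface ipsec1/eth1 90.0.0.6
000 "roadwarrior-net"[1]: policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1; erouted
000 "roadwarrior-net"[1]: newest ISAKMP SA: #3; newest IPsec SA: #4; eroute owner: #4
000 "roadwarrior-net": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1; unrouted
000 "roadwarrior-net": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "roadwarrior": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth1; unrouted
000 "roadwarrior": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 #4: "roadwarrior-net"[1] 90.0.0.4 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3296s; newest IPSEC; eroute owner
"""

LOOK_SAMPLE = """\
littleman.sotomojo.com Sat Nov 2 01:50:25 EST 2002
90.0.0.6/32 -> 90.0.0.4/32 => tun0x1004@90.0.0.4 esp0x6b459803@90.0.0.4 (450)
ipsec0->eth0 mtu=16260(1500)->1500
ipsec1->eth1 mtu=16260(1443)->1500
"""

# 000 "name"[N]: <rest>   (the [N] instance suffix is optional)
CONN_RE = re.compile(r'^000 ("[^"]+"(?:\[\d+\])?): (.*)$')
# src/len -> dst/len => tunX@peer espX@peer (count)
EROUTE_RE = re.compile(
    r'^(?P<src>\S+) -> (?P<dst>\S+) => (?P<tun>tun0x[0-9a-f]+@\S+) '
    r'(?P<esp>esp0x[0-9a-f]+@\S+)')


def parse_status(text):
    """Map each connection (template or [N] instance) to its routing state
    and newest SA numbers as printed by 'ipsec auto --status'."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue  # interface lines, per-state '#N:' lines, etc.
        name = m.group(1).replace('"', '')
        rest = m.group(2).strip()
        entry = conns.setdefault(
            name, {"route_state": None, "isakmp_sa": 0, "ipsec_sa": 0, "eroute_owner": 0})
        if rest.startswith("policy:"):
            # the last ';'-separated field is the routing state: unrouted, erouted, ...
            entry["route_state"] = rest.split(";")[-1].strip()
        elif rest.startswith("newest ISAKMP SA:"):
            isakmp, ipsec, owner = (int(n) for n in re.findall(r"#(\d+)", rest))
            entry.update(isakmp_sa=isakmp, ipsec_sa=ipsec, eroute_owner=owner)
    return conns


def established(conns):
    """Names of connections that have an IPsec SA which owns an eroute."""
    return sorted(name for name, e in conns.items()
                  if e["ipsec_sa"] and e["eroute_owner"] == e["ipsec_sa"]
                  and e["route_state"] == "erouted")


def parse_eroutes(text):
    """Extract the eroute (selector -> SA) lines from 'ipsec look'."""
    eroutes = []
    for line in text.splitlines():
        m = EROUTE_RE.match(line)
        if m:
            eroutes.append({"src": ipaddress.ip_network(m["src"]),
                            "dst": ipaddress.ip_network(m["dst"]),
                            "tun": m["tun"], "esp": m["esp"]})
    return eroutes


def covering_eroute(eroutes, src_ip, dst_ip):
    """Return the eroute whose selectors contain src_ip -> dst_ip, or None.
    A packet with no covering eroute is never handed to an IPsec SA; what
    happens to it next (sent in the clear via eth*, or dropped if routed via
    an ipsec* device) is decided by the routing table, which is not modelled here."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in eroutes:
        if s in e["src"] and d in e["dst"]:
            return e
    return None


if __name__ == "__main__":
    conns = parse_status(STATUS_SAMPLE)
    print("erouted with live IPsec SA:", established(conns))
    eroutes = parse_eroutes(LOOK_SAMPLE)
    # 198.51.100.10 is a constructed (documentation-range) Internet address.
    for dst in ("90.0.0.4", "198.51.100.10"):
        e = covering_eroute(eroutes, "90.0.0.6", dst)
        print(f"90.0.0.6 -> {dst}: {e['tun'] if e else 'no eroute, not tunnelled'}")
```

Run against the output above, the only instance that is both erouted and owns a live IPsec SA is roadwarrior-net[1], and its single eroute covers exactly 90.0.0.6/32 -> 90.0.0.4/32; a packet from the gateway to any other address matches no selector, so the tunnel never sees it and its fate is decided purely by the routing table. Pasting real output into STATUS_SAMPLE and LOOK_SAMPLE (or reading it from stdin) is the only change needed to use the script on another gateway.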
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.5 : Sun Nov 03 2002 - 05:20:35 CET