Re: [VF]Re: [Users] super-freeswan-1.99kb2 !pluto failure! <- FIXED

From: James P. Kinney III (jkinney_at_localnetsolutions.com)
Date: Mon Dec 16 2002 - 07:53:03 CET


Net diagram

                  LAN x.0.0/24                     DSL
Win2K ----------------------- Linux box ----------------------- Internet
x.1.13                    x.0.1       w.x.y.z
                    eth0/ipsec0       eth1/ppp0

The win2k box is the only thing that is not part of the LAN. I'm using
just the internal LAN connections for testing before I dial out from the
win2k box and come back in on the public IP on the Linux box.

On the Linux box, ipsec.conf:

config setup
        interfaces=ipsec0=eth0
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes
        nat_traversal=yes

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior-net
        leftsubnet=192.168.0.0/24
        also=roadwarrior

conn roadwarrior
        right=%any
        left=192.168.0.1
        leftcert=castle.localnetsolutions.com.pem
        auto=add
        pfs=yes

On win2k, ipsec.conf (using the tool set from Marcus Müller):

conn roadwarrior
        right=%any
        left=192.168.0.1
        leftca="C=US<snip>"
        network=auto
        auto=start
        pfs=yes

conn roadwarrior-net
        right=%any
        left=192.168.0.1
        leftsubnet=192.168.0.0/24
        leftca="C=US<snip>"
        network=auto
        auto=start
        pfs=yes

And just for fun, the ifconfig output:
ifconfig
eth0 Link encap:Ethernet HWaddr 00:C0:26:C0:20:35
          inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:134474 errors:0 dropped:0 overruns:0 frame:0
          TX packets:183445 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:12099331 (11.5 Mb) TX bytes:216331118 (206.3 Mb)
          Interrupt:11 Base address:0xe000

eth1 Link encap:Ethernet HWaddr 00:10:DC:01:FB:6B
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:192600 errors:0 dropped:0 overruns:0 frame:0
          TX packets:133976 errors:0 dropped:0 overruns:0 carrier:0
          collisions:73 txqueuelen:100
          RX bytes:220461227 (210.2 Mb) TX bytes:25178944 (24.0 Mb)
          Interrupt:5

ipsec0 Link encap:Ethernet HWaddr 00:C0:26:C0:20:35
          inet addr:192.168.0.1 Mask:255.255.255.0
          UP RUNNING NOARP MTU:16260 Metric:1
          RX packets:7 errors:0 dropped:4 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:180 (180.0 b) TX bytes:0 (0.0 b)

lo Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:2091 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2091 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3062100 (2.9 Mb) TX bytes:3062100 (2.9 Mb)

ppp0 Link encap:Point-to-Point Protocol
          inet addr:66.149.133.123 P-t-P:66.149.133.1 Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
          RX packets:186353 errors:0 dropped:0 overruns:0 frame:0
          TX packets:127728 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:215986532 (205.9 Mb) TX bytes:22181436 (21.1 Mb)

It is certainly a routing problem. I ran netstat -rn and got:
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
66.149.133.1    0.0.0.0         255.255.255.255 UH    40  0      0    ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     40  0      0    eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     40  0      0    ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U     40  0      0    lo
0.0.0.0         66.149.133.1    0.0.0.0         UG    40  0      0    ppp0

No route to the 192.168.1.0 network. So I manually added one, and ping to the
gateway Linux box now works!!! I then checked the routing table and
FreeSwan had added a specific route to the IP address of the win2k box:

Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
66.149.133.1    0.0.0.0         255.255.255.255 UH    40  0      0    ppp0
192.168.1.13    192.168.1.13    255.255.255.255 UGH   40  0      0    ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U     40  0      0    ipsec0
192.168.0.0     0.0.0.0         255.255.255.0   U     40  0      0    eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     40  0      0    ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U     40  0      0    lo
0.0.0.0         66.149.133.1    0.0.0.0         UG    40  0      0    ppp0

I really appreciate the assistance. In retrospect, I should be
learning/testing with the linux partition as I am much more comfortable
digging on the linux box than the win2k. :)

On Sun, 2002-12-15 at 23:15, Sam Sgro wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> On 15 Dec 2002, James P. Kinney III wrote:
>
> > I got that problem fixed by removing the "extra stuff" from the
> > ipsec.secrets file.
> >
> > New problem. Testing a connection between a Win2k client and a
> > linux/FreeSWan server on a private network (to avoid the phone dialup
> > while learning).
> >
> > The ipsec starts OK but it can't set the routing to the win2k box. It
> > gripes about missing or bad nexthop setting. The win2k box has no
> > nexthop. It is joined by ethernet through a 100M switch to the head end!
> > I tried the IP address of the head end NIC and also the IP of the win2k
> > box. It seems like this should be similar to the "wireless LAN client
> > VPN connection", i.e. a single box connecting to a gateway.
>
> Perhaps you need to provide a network diagram, and the ipsec.conf file you are
> using. I can't really give you a specific fix without this info.
>
> The mention of the nexthop setting is our guess as to why this route command
> fails:
>
> > Dec 15 21:45:17 castle pluto[4997]: "roadwarrior"[2] 192.168.1.13 #2:
> > route-client output: /usr/local/lib/ipsec/_updown: `route add -net
> > 192.168.1.13 netmask 255.255.255.255 dev ipsec0 gw 192.168.1.13' failed
>
> ... where gw 192.168.1.13 represents your nexthop. It looks like you're using
> nexthop=%direct, the default value if none is set. This may not be
> appropriate, depending on which interface ipsec0 is bound to, and your network
> setup.
>
> If no nexthop exists because this gateway stands on the same network as the
> win2k roadwarrior, then chances are you're using an inappropriate ipsec
> interface - make sure one is bound to the appropriate local IP on the network
> of the roadwarrior. (i.e., if you have both 192.168.0.1 and 192.168.1.1 NICs on
> this box, make sure you have an interface on 192.168.1.1 and that this is the
> IP the RW is attempting to contact.)
>
> --
> Sam Sgro
> sam_at_freeswan.org
>
>

-- 
James P. Kinney III   \Changing the mobile computing world/
President and CEO      \          one Linux user         /
Local Net Solutions,LLC \           at a time.          /
770-493-8244             \.___________________________./
GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics) <jkinney_at_localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 
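Added example, not part of this post or of FreeS/WAN: a Python check that replays the diagnosis above against the two routing tables quoted in the message, predicting whether pluto's `route add ... gw 192.168.1.13 dev ipsec0` can succeed. It assumes the kernel rule that the gateway must be on-link through the named device (reachable with no intermediate gateway); the table text is copied from the post, re-joined onto one line per route.

```python
import ipaddress

# Constructed sample: the "before" table from the post above (netstat -rn,
# one line per route). No route covers 192.168.1.0/24, only the default.
TABLE_BEFORE = """\
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
66.149.133.1    0.0.0.0         255.255.255.255 UH    40  0      0    ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     40  0      0    eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     40  0      0    ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U     40  0      0    lo
0.0.0.0         66.149.133.1    0.0.0.0         UG    40  0      0    ppp0
"""
# Same table after the manual route add, before pluto installs its host route.
TABLE_AFTER = TABLE_BEFORE + (
    "192.168.1.0     0.0.0.0         255.255.255.0   U     40  0      0    ipsec0\n")

def parse_routes(text):
    """Turn netstat -rn output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] == "Destination":
            continue  # title line, column header, or wrapped fragment
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        routes.append((net, f[1], f[7]))
    return routes

def lookup(routes, addr, dev=None):
    """Longest-prefix match for addr, optionally restricted to one interface."""
    a = ipaddress.ip_address(addr)
    best = None
    for net, gw, iface in routes:
        if dev is not None and iface != dev:
            continue
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best

def check_nexthop(text, nexthop, dev):
    """Predict whether `route add ... gw <nexthop> dev <dev>` can succeed: the
    kernel (assumed rule) only accepts a gateway that is on-link via that device."""
    routes = parse_routes(text)
    hit = lookup(routes, nexthop, dev)
    if hit is not None and hit[1] == "0.0.0.0":
        return True, f"{nexthop} is on-link via {dev} ({hit[0]})"
    best = lookup(routes, nexthop)
    how = "no route at all" if best is None else f"{best[0]} gw {best[1]} dev {best[2]}"
    return False, f"{nexthop} is not on-link via {dev} (best match: {how})"
```

Run `check_nexthop(TABLE_BEFORE, "192.168.1.13", "ipsec0")` to reproduce the failing case, and the same call with `TABLE_AFTER` for the working one.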

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users




This archive was generated by hypermail 2.1.5 : Tue Dec 17 2002 - 05:21:05 CET