Re: [VF]Re: [Users] super-freeswan-1.99kb2 !pluto failure! <- FIXED

From: Enrique Sanchez Vela (esanchezvela_at_yahoo.com)
Date: Mon Dec 16 2002 - 17:04:30 CET


Hi James,

 it seems to me that you should be trying to reach the
other side (eth1 or ppp0 or even better the dsl modem)
of the linux box, not the same LAN as the eth0.

regards,
esv.
--- "James P. Kinney III"
<jkinney_at_localnetsolutions.com> wrote:
> Net diagram
>
>       LAN x.0.0/24                     DSL
> Win2K--------------Linux box-----------Internet
> x.1.13            x.0.1     w.x.y.z
>               eth0/ipsec0   eth1/ppp0
>
>
> The win2k box is the only thing that is not part of
> the LAN. I'm using
> just the internal LAN connections for testing before
> I dial out from the
> win2k box and come back in on the public IP on the
> Linux box.
>
>
> on Linux box, ipsec.conf
>
> config setup
>         interfaces=ipsec0=eth0
>         klipsdebug=none
>         plutodebug=none
>         plutoload=%search
>         plutostart=%search
>         uniqueids=yes
>         nat_traversal=yes
>
> conn %default
>         keyingtries=1
>         compress=yes
>         disablearrivalcheck=no
>         authby=rsasig
>         leftrsasigkey=%cert
>         rightrsasigkey=%cert
>
> conn roadwarrior-net
>         leftsubnet=192.168.0.0/24
>         also=roadwarrior
>
> conn roadwarrior
>         right=%any
>         left=192.168.0.1
>         leftcert=castle.localnetsolutions.com.pem
>         auto=add
>         pfs=yes
>
>
> On win2k, ipsec.conf (using the tools set from
> Marcus Müller)
>
> conn roadwarrior
>         right=%any
>         left=192.168.0.1
>         leftca="C=US<snip>"
>         network=auto
>         auto=start
>         pfs=yes
>
> conn roadwarrior-net
>         right=%any
>         left=192.168.0.1
>         leftsubnet=192.168.0.0/24
>         leftca="C=US<snip>"
>         network=auto
>         auto=start
>         pfs=yes
>
>
> And just for fun, the ifconfig output:
> ifconfig
> eth0      Link encap:Ethernet  HWaddr 00:C0:26:C0:20:35
>           inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:134474 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:183445 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:12099331 (11.5 Mb)  TX bytes:216331118 (206.3 Mb)
>           Interrupt:11 Base address:0xe000
>
> eth1      Link encap:Ethernet  HWaddr 00:10:DC:01:FB:6B
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:192600 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:133976 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:73 txqueuelen:100
>           RX bytes:220461227 (210.2 Mb)  TX bytes:25178944 (24.0 Mb)
>           Interrupt:5
>
> ipsec0    Link encap:Ethernet  HWaddr 00:C0:26:C0:20:35
>           inet addr:192.168.0.1  Mask:255.255.255.0
>           UP RUNNING NOARP  MTU:16260  Metric:1
>           RX packets:7 errors:0 dropped:4 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:10
>           RX bytes:180 (180.0 b)  TX bytes:0 (0.0 b)
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:2091 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:2091 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:3062100 (2.9 Mb)  TX bytes:3062100 (2.9 Mb)
>
> ppp0      Link encap:Point-to-Point Protocol
>           inet addr:66.149.133.123  P-t-P:66.149.133.1  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
>           RX packets:186353 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:127728 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:3
>           RX bytes:215986532 (205.9 Mb)  TX bytes:22181436 (21.1 Mb)
>
>
>
> It is certainly a routing problem. I ran netstat -rn
> and got:
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags MSS Window irtt Iface
> 66.149.133.1    0.0.0.0         255.255.255.255 UH     40 0      0    ppp0
> 192.168.0.0     0.0.0.0         255.255.255.0   U      40 0      0    eth0
> 192.168.0.0     0.0.0.0         255.255.255.0   U      40 0      0    ipsec0
> 127.0.0.0       0.0.0.0         255.0.0.0       U      40 0      0    lo
> 0.0.0.0         66.149.133.1    0.0.0.0         UG     40 0      0    ppp0
>
> No route to 192.168.1.0 network. So I manually added one and ping to the
> gateway linux box now works!!! I then checked the routing table and
> FreeSwan had added a specific route to the IP address of the win2k box:
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags MSS Window irtt Iface
> 66.149.133.1    0.0.0.0         255.255.255.255 UH     40 0      0    ppp0
> 192.168.1.13    192.168.1.13    255.255.255.255 UGH    40 0      0    ipsec0
> 192.168.1.0     0.0.0.0         255.255.255.0   U      40 0      0    ipsec0
> 192.168.0.0     0.0.0.0         255.255.255.0   U      40 0      0    eth0
> 192.168.0.0     0.0.0.0         255.255.255.0   U      40 0      0    ipsec0
> 127.0.0.0       0.0.0.0         255.0.0.0       U      40 0      0    lo
> 0.0.0.0         66.149.133.1    0.0.0.0         UG     40 0      0    ppp0
>
> I really appreciate the assistance. In retrospect, I
> should be
> learning/testing with the linux partition as I am
> much more comfortable
> digging on the linux box than the win2k. :)
>
> On Sun, 2002-12-15 at 23:15, Sam Sgro wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> >
> > On 15 Dec 2002, James P. Kinney III wrote:
> >
> > > I got that problem fixed by removing the "extra stuff" from the
> > > ipsec.secrets file.
> > >
> > > New problem. Testing a connection between a Win2k client and a
> > > linux/FreeSWan server on a private network (to avoid the phone dialup
> > > while learning).
> > >
> > > The ipsec starts OK but it can't set the routing to the win2k box. It
> > > gripes about missing or bad nexthop setting. The win2k box has no
> > > nexthop. It is joined by ethernet through a 100M switch to the head end!
> > > I tried the IP address of the head end NIC and also the IP of the win2k
> > > box. It seems like this should be similar to the "wireless LAN client
> > > VPN connection", i.e. a single box connecting to a gateway.
> >
> > Perhaps you need to provide a network diagram, and the ipsec.conf file you are
> > using. I can't really give you a specific fix without this info.
> >
> > The mention of the nexthop setting is our guess as to why this route command
> > fails:
> >
> > > Dec 15 21:45:17 castle pluto[4997]: "roadwarrior"[2] 192.168.1.13 #2:
> > > route-client output: /usr/local/lib/ipsec/_updown: `route add -net
> > > 192.168.1.13 netmask 255.255.255.255 dev ipsec0 gw 192.168.1.13' failed
> >
> > ... where gw 192.168.1.13 represents your nexthop. It looks like you're using
> > nexthop=%direct, the default value if none is set. This may not be
> > appropriate, depending on which interface ipsec0 is bound to, and your network
> > setup.
> >
> > If no nexthop exists because this gateway stands on the same network as the
> > win2k roadwarrior, then chances are you're using an inappropriate ipsec
> > interface - make sure one is bound to the appropriate local IP on the network
> > of the roadwarrior. (ie, if you have both 192.168.0.1 and 192.168.1.1 nics on
> > this box, make sure you have an interface on 192.168.1.1 and that this is the
> > IP the RW is attempting to contact.)
> >
> > - --
> > Sam Sgro
> > sam_at_freeswan.org
> >
> >
> --
> James P. Kinney III          \Changing the mobile computing world/
> President and CEO             \        one Linux user           /
> Local Net Solutions,LLC        \          at a time.           /
> 770-493-8244                    \.___________________________./
>
> GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics) <jkinney_at_localnetsolutions.com>
> Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
>
>
>


_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
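Added illustration of the route-client failure discussed in this thread (this is not code from the thread, from FreeS/WAN or from its _updown script): it parses a netstat -rn table constructed in the shape of the one James posted and applies an assumed, simplified kernel rule that "route add ... dev ipsec0 gw G" can only succeed when a connected route on ipsec0 covers G. With the FreeS/WAN default nexthop=%direct the gateway is the peer itself, so the check fails before the 192.168.1.0/24 route exists and passes once it is added.

```python
import ipaddress

# Constructed sample in the shape of the "netstat -rn" output quoted above,
# before James added a route for the 192.168.1.0/24 network.
NETSTAT_BEFORE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
66.149.133.1    0.0.0.0         255.255.255.255 UH     40 0      0    ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U      40 0      0    eth0
192.168.0.0     0.0.0.0         255.255.255.0   U      40 0      0    ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U      40 0      0    lo
0.0.0.0         66.149.133.1    0.0.0.0         UG     40 0      0    ppp0
"""
# Same table after the manual "route add -net 192.168.1.0 ... dev ipsec0".
NETSTAT_AFTER = NETSTAT_BEFORE + \
    "192.168.1.0     0.0.0.0         255.255.255.0   U      40 0      0    ipsec0\n"


def parse_netstat_rn(text):
    """Parse 'netstat -rn' lines into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] == "Destination":
            continue  # skip the banner and header lines
        net = ipaddress.ip_network(f"{cols[0]}/{cols[2]}", strict=False)
        routes.append((net, ipaddress.ip_address(cols[1]), cols[-1]))
    return routes


def route_client_command(peer, gw, dev="ipsec0"):
    """The route command _updown issues for a /32 road warrior, in the form
    shown by the pluto log quoted in the thread."""
    return f"route add -net {peer} netmask 255.255.255.255 dev {dev} gw {gw}"


def gateway_is_onlink(routes, gw, dev="ipsec0"):
    """Assumed, simplified kernel rule: 'route add ... dev D gw G' succeeds
    only if a connected route (gateway 0.0.0.0) on device D covers G."""
    gw = ipaddress.ip_address(gw)
    return any(gw in net and int(gateway) == 0 and iface == dev
               for net, gateway, iface in routes)


def diagnose(netstat_text, peer, nexthop="%direct"):
    """Return (command, would_succeed) for the route-client step. With
    nexthop=%direct, the FreeS/WAN default, the gateway is the peer itself."""
    gw = peer if nexthop == "%direct" else nexthop
    cmd = route_client_command(peer, gw)
    return cmd, gateway_is_onlink(parse_netstat_rn(netstat_text), gw)
```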



This archive was generated by hypermail 2.1.5 : Tue Dec 17 2002 - 05:21:05 CET