[Users] Re: help with configuring freeswan

From: Sam Sgro (sam_at_freeswan.org)
Date: Mon Dec 16 2002 - 21:31:45 CET


On Mon, 16 Dec 2002, GHG wrote:

> Errr...that depends on what you mean. I know the
> router has the capability of doing IPSec on its own
> with a software upgrade, but currently it shouldn't be
> doing anything to the packets except for routing them
> to the proper host. Although, I am running firewall
> packet filtering but made sure I opened ports 500 and
> 51 and since I'm getting error messages logged on the
> gateway, at least some of the packets are getting
> through. If the firewall was catching them, they'd
> simply be dropped.

IPSec Passthrough is a technology which allows for IPSec devices to function
through a NAT'ed gateway - it uses UDP, instead of TCP, for the IPSec packets,
which prevents them being mangled. Thankfully, it's commonly available on most
routers these days. You should have it turned on, should it be available -
check the spec on your router.

NAT causes problems with IPSec. If your Roadwarriors are behind NAT, the setup
we discuss below will *not* work without some tweaking.

>
> > Nothing jumps out at me, but I need more info. Send
> > me the output of the
> > "ipsec barf" command as a Roadwarrior starts to
> > connect; I'll be able to see
> > if FS started correctly, whether it likes the conn,
> > etc.
>
> Below is a copy of ipsec barf on the gateway system:

The fact that there weren't any log excerpts surprised me, given that you have
a redhat system.

Things I can point out, though:

> + ipsec auto --status
> 000 interface ipsec0/eth0 192.168.68.195
> 000
> 000
> 000

Your connections, despite the use of "auto=add", have not actually been added
to Pluto's database - thus, the error message you've been receiving. Why? I
don't have the log excerpts to tell you, but I can make a few guesses.

When you see the connections present in the output of "ipsec auto --status", I
expect you'll have tackled a part of the problem.

ipsec.conf excerpt:

> interfaces=%defaultroute

You're using %defaultroute - take advantage of this in your connection:

> # Debug-logging controls: "none" for (almost) none, "all" for lots.
> klipsdebug=none
> plutodebug=none
> # Use auto= parameters in conn descriptions to control startup actions.
> plutoload=%search
> plutostart=%search
> # Close down old connection when new one using same ID shows up.
> uniqueids=yes
>
>
>
> # defaults for subsequent connection descriptions
> conn %default
> keyingtries=0
> compress=yes
> disablearrivalcheck=no
> authby=rsasig
> leftrsasigkey=%cert
> rightrsasigkey=%cert
>
> conn rw-net
> leftsubnet=192.168.68.0/24
> also=rw

If you plan on having your gateway protect packets for a subnet, generally, it
wouldn't be the same as the network the ipsec interface lies on. However, I
don't think this is untenable, given your setup.

> conn rw
> right=%any
> left=192.168.68.195
> leftnexthop = %defaultroute

I wonder if the spacing on "leftnexthop" is causing trouble?

In any case, replace both the "left" and "leftnexthop" entries with this one
line:

left=%defaultroute

> proc/sys/net/ipv4/ip_forward
> + cat /proc/sys/net/ipv4/ip_forward
> 0

um... I'd turn this to 1. I'm not convinced that you need to, given that you
are protecting the same subnet the interface lies on.

> + _________________________
> proc/sys/net/ipv4/conf/star-rp_filter
> + cd /proc/sys/net/ipv4/conf
> + egrep '^' all/rp_filter default/rp_filter
> eth0/rp_filter ipsec0/rp_filter lo/rp_filter
> all/rp_filter:0
> default/rp_filter:1
> eth0/rp_filter:1

FreeS/WAN log messages end up in /var/log/messages and /var/log/secure. You
might have noticed some interesting error messages about rp_filter in
/var/log/messages... in any case, please set the default and eth0 entries to
"0". Route packet filtering plays havoc with our virtual interfaces.

Try it now.

--
Sam Sgro
sam_at_freeswan.org

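As an added illustration of the two ipsec.conf points raised in this reply (it is not FreeS/WAN code and not the poster's file), the small parser below reads a FreeS/WAN-style ipsec.conf, flags whitespace around "=" such as the "leftnexthop = %defaultroute" line, and, when interfaces=%defaultroute is set, reports which conns can collapse their left/leftnexthop pair into left=%defaultroute. The SAMPLE_CONF is a constructed excerpt modelled on the one quoted above.

```python
import re

# Constructed ipsec.conf excerpt modelled on the one quoted in the thread;
# "leftnexthop = %defaultroute" keeps its stray spaces so the check fires.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute

conn rw-net
    leftsubnet=192.168.68.0/24
    also=rw

conn rw
    right=%any
    left=192.168.68.195
    leftnexthop = %defaultroute
    auto=add
"""

# indented "key=value"; groups 2 and 3 capture any spaces around "="
PARAM = re.compile(r"^\s+(\w+)(\s*)=(\s*)(\S.*)?$")

def parse_conf(text):
    """Return ({section: {key: value}}, warnings) for FreeS/WAN-style text:
    section headers start in column 0, parameters are indented."""
    sections, warnings, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # "config setup" / "conn NAME"
            current = line.strip()
            sections.setdefault(current, {})
            continue
        m = PARAM.match(line)
        if current is None or not m:
            warnings.append(f"line {lineno}: cannot parse {line.strip()!r}")
            continue
        key, lsp, rsp, value = m.groups()
        if lsp or rsp:                            # the spacing asked about in the reply
            warnings.append(f"line {lineno}: whitespace around '=' in {key}")
        sections[current][key] = (value or "").strip()
    return sections, warnings

def suggest_fixes(sections):
    """With interfaces=%defaultroute, a conn's left + leftnexthop=%defaultroute
    pair can be replaced by the single line left=%defaultroute."""
    if sections.get("config setup", {}).get("interfaces") != "%defaultroute":
        return []
    return [f"{name}: replace left={p.get('left')} and leftnexthop with left=%defaultroute"
            for name, p in sections.items()
            if name.startswith("conn ") and p.get("leftnexthop") == "%defaultroute"]
```

Run it against a real /etc/ipsec.conf by passing the file contents to parse_conf; the warnings list is empty for a file whose parameters are all written as key=value with no spaces.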
