[Users] So close - resend

From: bdushok_at_luzerne.edu
Date: Mon Jan 13 2003 - 23:34:02 CET


I posted this message yesterday to the list, but noticed today that my
message appears corrupted (uuencoded?) in the web archive at
lists.freeswan.org. Please excuse the duplication if the message did
reach the list successfully yesterday.

Bob

I've been reading docs and attempting to configure Freeswan for a VPN
between two of our locations for a couple of days. I think I'm REALLY
close, but I can't communicate between my two VPNed networks.
 
It appears my VPNs are starting as I'm seeing the following in my logs:
Jan 11 15:11:20 bgw ipsec_setup: ...FreeS/WAN IPsec started
Jan 11 15:11:22 bgw ipsec__plutorun: 104 "bw-lccc" #1: STATE_MAIN_I1: initiate
Jan 11 15:11:22 bgw ipsec__plutorun: 106 "bw-lccc" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jan 11 15:11:22 bgw ipsec__plutorun: 108 "bw-lccc" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jan 11 15:11:22 bgw ipsec__plutorun: 004 "bw-lccc" #1: STATE_MAIN_I4: ISAKMP SA established
Jan 11 15:11:22 bgw ipsec__plutorun: 112 "bw-lccc" #2: STATE_QUICK_I1: initiate
Jan 11 15:11:22 bgw ipsec__plutorun: 004 "bw-lccc" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
Do the IPsec SA and ISAKMP SA messages indicate that my VPN is running?
These messages appear in the logs for both systems.
 
My VPN should connect net 10.1.0.0/24 and 10.12.0.0/24. Each of the two
Freeswan systems is running Red Hat 8.0 and has multiple nics (only two
being used for the VPN). My ipsec.conf files are identical on both
systems and appear as follows:
 
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
conn %default
        keyingtries=0
conn bw-lccc
        # (public ip used in place of 111.222.333.444)
        left=123.123.123.123
        leftsubnet=10.12.0.0/24
        # (ISP router/default gw used here)
        leftnexthop=123.123.123.124
        # (public ip used here)
        right=111.111.111.111
        rightsubnet=10.1.0.0/24
        # (router/default gw used here)
        rightnexthop=111.111.111.112
        auto=start
        leftid=123.123.123.123
        rightid=111.111.111.111
        authby=rsasig
        # (key placed here - generated on each side using ipsec rsasigkey 1024)
        leftrsasigkey=
        # (key placed here)
        rightrsasigkey=
To test the connection I'm attempting to telnet from 10.12.0.2 to 10.1.2.1
without any success. I've been reading "Red Hat Linux Firewalls" from Red
Hat Press, thinking the problem was iptables related. I ended up ditching
my iptables config for troubleshooting purposes and am trying the sample
they state works with Freeswan and allows any VPN connection. On each end
I'm setting up iptables using the following script:
 
#!/bin/sh
IPT=/sbin/iptables
IP=                 # (eth0/public IP used here)
LAN=10.12.0.0/16    # (local net placed here)
# Flush the three built-in chains and default everything to DROP.
$IPT -F FORWARD
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -P FORWARD DROP
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
# Loopback, then IKE (udp/500), ESP (proto 50) and AH (proto 51) to the public IP.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -p udp -d $IP --dport 500 -j ACCEPT
$IPT -A INPUT -p 50 -d $IP -j ACCEPT
$IPT -A INPUT -p 51 -d $IP -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -p udp -s $IP --dport 500 -j ACCEPT
$IPT -A OUTPUT -p 50 -s $IP -j ACCEPT
$IPT -A OUTPUT -p 51 -s $IP -j ACCEPT
# Forwarding is only permitted from the local net to the local net.
$IPT -A FORWARD -s $LAN -d $LAN -j ACCEPT
 
With this iptables config I'm having the same problem.
 
Any suggestions would be appreciated.
 
Thanks!
Bob
 
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.5 : Wed Jan 15 2003 - 20:11:39 CET