From: Garrett Laska (laska_at_indigocorp.com)
Date: Tue Jan 14 2003 - 00:18:49 CET
when starting out, use the simplest configuration possible, then tighten
the security once you've gotten it to work... in other words, set iptables
to default ACCEPT for all...
>My VPN should connect net 10.1.0.0/24 and 10.12.0.0/24. Each of the two
>Freeswan systems is running Red Hat 8.0 and has multiple nics (only two
>being used for the VPN). My ipsec.conf files are identical on both systems
>and appear as follows:
>
>config setup
>        interfaces="ipsec0=eth0"
>        klipsdebug=none
>        plutodebug=none
what about eth1??
Garrett Laska
Indigo Information Systems
laska_at_indigocorp.com
-----Original Message-----
From: users-admin_at_lists.freeswan.org
[mailto:users-admin_at_lists.freeswan.org]On Behalf Of bdushok_at_luzerne.edu
Sent: Saturday, January 11, 2003 15:13
To: users_at_lists.freeswan.org
Subject: [Users] So close.....
I've been reading docs and attempting to configure Freeswan for a VPN
between two of our locations for a couple of days. I think I'm REALLY
close, but I can't communicate between my two VPNed networks.
It appears my VPNs are starting as I'm seeing the following in my logs:
Jan 11 15:11:20 bgw ipsec_setup: ...FreeS/WAN IPsec started
Jan 11 15:11:22 bgw ipsec__plutorun: 104 "bw-lccc" #1: STATE_MAIN_I1: initiate
Jan 11 15:11:22 bgw ipsec__plutorun: 106 "bw-lccc" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jan 11 15:11:22 bgw ipsec__plutorun: 108 "bw-lccc" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jan 11 15:11:22 bgw ipsec__plutorun: 004 "bw-lccc" #1: STATE_MAIN_I4: ISAKMP SA established
Jan 11 15:11:22 bgw ipsec__plutorun: 112 "bw-lccc" #2: STATE_QUICK_I1: initiate
Jan 11 15:11:22 bgw ipsec__plutorun: 004 "bw-lccc" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
Do the IPsec SA and ISAKMP SA messages indicate that my VPN is running?
These messages appear in the logs for both systems.
My VPN should connect net 10.1.0.0/24 and 10.12.0.0/24. Each of the two
Freeswan systems is running Red Hat 8.0 and has multiple nics (only two
being used for the VPN). My ipsec.conf files are identical on both systems
and appear as follows:
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search

conn %default
        keyingtries=0

conn bw-lccc
        # public ip used in place of 111.222.333.444
        left=123.123.123.123
        leftsubnet=10.12.0.0/24
        # ISP router/default gw used here
        leftnexthop=123.123.123.124
        # public ip used here
        right=111.111.111.111
        rightsubnet=10.1.0.0/24
        # router/default gw used here
        rightnexthop=111.111.111.112
        auto=start
        leftid=123.123.123.123
        rightid=111.111.111.111
        authby=rsasig
        # key placed here - generated on each side using "ipsec rsasigkey 1024"
        leftrsasigkey=(key placed here)
        rightrsasigkey=(key placed here)
To test the connection I'm attempting to telnet from 10.12.0.2 to 10.1.2.1
without any success. I've been reading "Red Hat Linux Firewalls" from Red
Hat Press, thinking the problem was iptables related. I ended up ditching
my iptables config for troubleshooting purposes and am trying the sample
they state works with Freeswan and allows any VPN connection. On each end
I'm setting up iptables using the following script:
#!/bin/sh
IPT=/sbin/iptables
IP="(eth0/public IP used here)"   # placeholder: the gateway's public address
LAN=10.12.0.0/16                  # local net placed here

# flush all three chains and default to DROP
$IPT -F FORWARD
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -P FORWARD DROP
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP

# loopback in; inbound IKE (UDP/500), ESP (proto 50) and AH (proto 51) to $IP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -p udp -d $IP --dport 500 -j ACCEPT
$IPT -A INPUT -p 50 -d $IP -j ACCEPT
$IPT -A INPUT -p 51 -d $IP -j ACCEPT

# loopback out; outbound IKE, ESP and AH from $IP
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -p udp -s $IP --dport 500 -j ACCEPT
$IPT -A OUTPUT -p 50 -s $IP -j ACCEPT
$IPT -A OUTPUT -p 51 -s $IP -j ACCEPT

# forward only packets whose source and destination are both inside $LAN
$IPT -A FORWARD -s $LAN -d $LAN -j ACCEPT
With this iptables config I'm having the same problem.
Any suggestions would be appreciated.
Thanks!
Bob
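Added here as an example, not code from the original post or from the FreeS/WAN project: a tighter ruleset for a KLIPS gateway, using the post's placeholder addresses and the ipsec0/eth0 pairing from its ipsec.conf as assumptions. Unlike the book's sample, its FORWARD rules admit only traffic between the two VPN subnets, and only on ipsec0, where KLIPS delivers decrypted packets and accepts cleartext bound for the peer. Run with no argument to print the rules; run with "apply" to install them.

```shell
#!/bin/sh
# Example ruleset for a FreeS/WAN KLIPS gateway (added example, not the post's
# script). KLIPS hands decrypted packets to the kernel on the virtual interface
# ipsec0 and sends cleartext bound for the remote subnet out through it, so
# FORWARD must allow traffic on ipsec0 between the two subnets. All values
# below are assumptions modelled on the post's placeholders.
IPT=${IPT:-/sbin/iptables}
PUB_IF=eth0                  # physical interface that ipsec0 is bound to
PUB_IP=123.123.123.123       # this gateway's public address (post's placeholder)
LOCAL_NET=10.12.0.0/24       # subnet behind this gateway (leftsubnet)
REMOTE_NET=10.1.0.0/24       # subnet behind the peer (rightsubnet)
IPSEC_IF=ipsec0              # KLIPS virtual interface from interfaces="ipsec0=eth0"

vpn_firewall() {
    $IPT -F INPUT; $IPT -F OUTPUT; $IPT -F FORWARD
    $IPT -P INPUT DROP; $IPT -P OUTPUT DROP; $IPT -P FORWARD DROP

    # Loopback.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # IKE (UDP/500), ESP (IP proto 50) and AH (IP proto 51): only on the public
    # interface and only to/from this gateway's own address.
    for match in "-p udp --dport 500" "-p 50" "-p 51"; do
        # $match is deliberately unquoted so it splits into separate options.
        $IPT -A INPUT  -i $PUB_IF -d $PUB_IP $match -j ACCEPT
        $IPT -A OUTPUT -o $PUB_IF -s $PUB_IP $match -j ACCEPT
    done

    # Cleartext between the two VPN subnets travels over ipsec0: inbound it has
    # already been authenticated and decrypted, outbound it is about to be
    # encrypted. Anything else, including cleartext from the peer's subnet
    # arriving on eth0, falls through to the DROP policies.
    $IPT -A FORWARD -i $IPSEC_IF -s $REMOTE_NET -d $LOCAL_NET -j ACCEPT
    $IPT -A FORWARD -o $IPSEC_IF -s $LOCAL_NET -d $REMOTE_NET -j ACCEPT
}

# "apply" installs the rules; with no argument they are only printed via echo.
case "$1" in
    apply) vpn_firewall ;;
    *)     IPT=echo; vpn_firewall ;;
esac
```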
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Wed Jan 15 2003 - 20:11:39 CET