Gentoo Forums
"wlan-through-vpn" setup (ipsec)
Gentoo Forums Forum Index :: Networking & Security
Holly
n00b

Joined: 08 Mar 2003
Posts: 67

Posted: Sun Dec 21, 2003 10:41 pm    Post subject: "wlan-through-vpn" setup (ipsec)

I'm going to set up a WLAN at home and have several questions. As I think the WLAN encryption is not secure enough, I want to tunnel the connection through an IPsec VPN (super-freeswan).

The network topology looks like the following. So far everything but the WLAN stuff exists.

Code:
                          <Internet>
                               |
                               | ppp0/eth2
                               |
                 eth0   192.168.100.42
192.168.0.0/24---------internet gateway
  ethernet          |-->and vpn server
                    |          |
                    |          | eth1
                    |          |
                    |   192.168.100.0/24 --------- 192.168.100.1
                    |      ethernet              Windows-Workstation
                  V |          |
                  P |          |
                  N |          |
                    |   192.168.100.100 (192.168.200.X ?)
                    |  WLAN Access Point
                    |          |
                    |          |
                    |          |
                    |-->192.168.200.0/24
                         <WLAN Clients>


So, the WLAN clients should only be able to connect to the VPN server on 192.168.100.42 via their "normal" connection. But when they connect through the VPN, they should have access to the whole network (192.168.0.0/24, 192.168.100.0/24 and the internet).


The first question regards the routing to the access point. Does it have to have an IP address in the ethernet subnet 192.168.100.0/24 or in the WLAN subnet 192.168.200.0/24?

Besides that I have some problems with IPsec. I'm currently testing it with a Windows XP machine (192.168.100.1).
The Windows machine times out:
Code:
Error 792: The L2TP connection attempt failed because security negotiation timed out.


And I'm getting the following error messages in syslog when I connect.
Code:
Dec 21 22:34:23 [pluto] packet from 192.168.100.1:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Dec 21 22:34:23 [pluto] "heartofgold"[1] 192.168.100.1 #1: responding to Main Mode from unknown peer 192.168.100.1
Dec 21 22:34:23 [pluto] "heartofgold"[1] 192.168.100.1 #1: Peer ID is ID_IPV4_ADDR: '192.168.100.1'
Dec 21 22:34:23 [pluto] "heartofgold"[1] 192.168.100.1 #1: sent MR3, ISAKMP SA established
Dec 21 22:34:23 [pluto] "heartofgold"[1] 192.168.100.1 #1: cannot respond to IPsec SA request because no connection is known for 192.168.100.42:17/0...192.168.100.1:17/1701
Dec 21 22:34:23 [pluto] "heartofgold"[1] 192.168.100.1 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.100.1:500
Dec 21 22:34:24 [pluto] "heartofgold"[1] 192.168.100.1 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xa7daab92 (perhaps this is a duplicated packet)
Dec 21 22:34:24 [pluto] "heartofgold"[1] 192.168.100.1 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.100.1:500



The connection in ipsec.conf:
Code:
conn heartofgold
   right=192.168.100.42
   left=%any
   rightsubnet=0.0.0.0/0
   auto=add


And this is what "ipsec auto --status" says while I'm trying to connect:
Code:
000 interface ipsec0/eth1 192.168.100.42
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168, keysizemax=168
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=65289, name=OAKLEY_SSH_PRIVATE_65289, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=6, name=OAKLEY_CAST_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536 (extension), bits=1536
000 algorithm IKE dh group: id=42048, name=OAKLEY_GROUP_MODP2048 (extension), bits=2048
000 algorithm IKE dh group: id=43072, name=OAKLEY_GROUP_MODP3072 (extension), bits=3072
000 algorithm IKE dh group: id=44096, name=OAKLEY_GROUP_MODP4096 (extension), bits=4096
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "heartofgold"[1]: 0.0.0.0/0===192.168.100.42...192.168.100.1
000 "heartofgold"[1]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "heartofgold"[1]:   policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: eth1; unrouted
000 "heartofgold"[1]:   newest ISAKMP SA: #1; newest IPsec SA: #0; eroute owner: #0
000 "heartofgold"[1]:   IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, 5_000-1-1, 5_000-2-1, flags=-strict
000 "heartofgold"[1]:   IKE algorithms found:  5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2, 5_192-1_128-1, 5_192-2_160-1,
000 "heartofgold"[1]:   IKE algorithm newest: 3DES_CBC_192-SHA-MODP1024
000 "heartofgold"[1]:   ESP algorithms wanted: 3_000-1, flags=-strict
000 "heartofgold"[1]:   ESP algorithms loaded: 3_168-1_096,
000 "heartofgold": 0.0.0.0/0===192.168.100.42...%any
000 "heartofgold":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "heartofgold":   policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: eth1; unrouted
000 "heartofgold":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "heartofgold":   IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, 5_000-1-1, 5_000-2-1, flags=-strict
000 "heartofgold":   IKE algorithms found:  5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2, 5_192-1_128-1, 5_192-2_160-1,
000 "heartofgold":   ESP algorithms wanted: 3_000-1, flags=-strict
000 "heartofgold":   ESP algorithms loaded: 3_168-1_096,
000
000 #1: "heartofgold"[1] 192.168.100.1 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3328s; newest ISAKMP


I guess I will be able to set the WLAN up correctly when I have it, but IPsec is a pain in the ass :?
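The pluto line "cannot respond to IPsec SA request because no connection is known for 192.168.100.42:17/0...192.168.100.1:17/1701" is the decisive one in the log above: phase 1 succeeds, but the traffic selector the XP client proposes in Quick Mode (gateway host to client host, UDP, port 1701 on the client, i.e. L2TP carried over IPsec) is matched against every conn pluto knows, and none covers it. The status output shows the only conn as 0.0.0.0/0===192.168.100.42...%any, a tunnel for the whole address space, so the lookup fails and pluto answers INVALID_ID_INFORMATION. The following script, an added example and not code from the thread or from (super-)freeswan, parses that selector and reports which conn field rejects it. The matching rule it uses (subnets must be identical, protocol/port 0 is a wildcard) is a simplification of pluto's lookup and is an assumption, as are the conn name "heartofgold-l2tp" and the leftprotoport/rightprotoport keywords mentioned in the comments, which exist in FreeS/WAN 2.x and Openswan but are not confirmed for the poster's build.

```python
"""Compare an IPsec SA request, as pluto logs it, against FreeS/WAN-style
connection definitions to see why "no connection is known" is raised.

Added example, not code from the thread or from (super-)freeswan.  The
selector syntax host:proto/port...host:proto/port is copied from the pluto
log line in the thread; the matching rule (subnets must be identical, 0 acts
as a wildcard for protocol and port) is an assumed simplification of pluto's
real lookup.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SELECTOR_RE = re.compile(
    r"(?P<lhost>[\d.]+(?:/\d+)?):(?P<lproto>\d+)/(?P<lport>\d+)"
    r"\.\.\.(?P<rhost>[\d.]+(?:/\d+)?):(?P<rproto>\d+)/(?P<rport>\d+)"
)


@dataclass(frozen=True)
class Endpoint:
    """One side of a traffic selector.  proto/port 0 means 'any'."""
    net: ipaddress.IPv4Network
    proto: int
    port: int

    def covers(self, wanted: "Endpoint") -> bool:
        return (self.net == wanted.net
                and self.proto in (0, wanted.proto)
                and self.port in (0, wanted.port))


@dataclass(frozen=True)
class Conn:
    name: str
    gateway: Endpoint   # our side (192.168.100.42 in the thread)
    peer: Endpoint      # the road-warrior client


def endpoint(host: str, proto: int = 0, port: int = 0) -> Endpoint:
    # ip_network() turns a bare host address into a /32
    return Endpoint(ipaddress.ip_network(host, strict=False), proto, port)


def parse_request(logline: str) -> Tuple[Endpoint, Endpoint]:
    """Extract (gateway_side, peer_side) from a pluto 'no connection is
    known for A:p/P...B:p/P' message.  The first endpoint is assumed to be
    the gateway's own side, matching the status line's ordering."""
    m = SELECTOR_RE.search(logline)
    if m is None:
        raise ValueError("no selector found in: %r" % logline)
    return (endpoint(m["lhost"], int(m["lproto"]), int(m["lport"])),
            endpoint(m["rhost"], int(m["rproto"]), int(m["rport"])))


def mismatches(conn: Conn, logline: str) -> List[str]:
    """Fields of conn that reject the request; an empty list means a match."""
    wanted_gw, wanted_peer = parse_request(logline)
    out = []
    for side, have, want in (("gateway", conn.gateway, wanted_gw),
                             ("peer", conn.peer, wanted_peer)):
        if have.net != want.net:
            out.append(f"{side} subnet {have.net} != requested {want.net}")
        if have.proto not in (0, want.proto):
            out.append(f"{side} protocol {have.proto} != requested {want.proto}")
        if have.port not in (0, want.port):
            out.append(f"{side} port {have.port} != requested {want.port}")
    return out


def find_conn(conns: List[Conn], logline: str) -> Optional[str]:
    """Name of the first conn whose selectors cover the request, else None."""
    wanted_gw, wanted_peer = parse_request(logline)
    for c in conns:
        if c.gateway.covers(wanted_gw) and c.peer.covers(wanted_peer):
            return c.name
    return None


# The request as it appears in the thread's pluto log.
REQUEST = ('"heartofgold"[1] 192.168.100.1 #1: cannot respond to IPsec SA '
           'request because no connection is known for '
           '192.168.100.42:17/0...192.168.100.1:17/1701')

# The poster's conn as "ipsec auto --status" shows it once instantiated for
# the XP client: 0.0.0.0/0===192.168.100.42...192.168.100.1, no protoport.
POSTED_CONN = Conn("heartofgold",
                   gateway=endpoint("0.0.0.0/0"),
                   peer=endpoint("192.168.100.1"))

# Hypothetical conn (constructed here, not from the thread) whose selectors
# are exactly what the client asked for: the gateway host itself, UDP, any
# port on the gateway, port 1701 on the client.  In leftprotoport/
# rightprotoport syntax that would be 17/%any on the gateway and 17/1701 on
# the peer, assuming the poster's build supports those keywords.
L2TP_CONN = Conn("heartofgold-l2tp",
                 gateway=endpoint("192.168.100.42", proto=17, port=0),
                 peer=endpoint("192.168.100.1", proto=17, port=1701))


if __name__ == "__main__":
    print("posted conn rejects because:", mismatches(POSTED_CONN, REQUEST))
    print("conn that would match:", find_conn([POSTED_CONN, L2TP_CONN], REQUEST))
```

Run against the quoted log line, the posted conn is rejected on the gateway subnet alone (0.0.0.0/0 against the single host 192.168.100.42/32); protocol and port are not even reached. The point for a defender is that the daemon did exactly the right thing: a tunnel-mode conn for the whole world is not the host-to-host, UDP-1701 transport the client wants, and refusing it is preferable to silently accepting a wider selector than the client proposed.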
Holly
n00b

Joined: 08 Mar 2003
Posts: 67

Posted: Mon Dec 22, 2003 9:59 pm

OK, the WLAN itself works. The setup is a little different from the drawing above, but I think the changes don't concern the VPN.

I'm still stuck with that problem. Connecting to the VPN via WLAN doesn't change anything. Does anybody have an idea?
Holly
n00b

Joined: 08 Mar 2003
Posts: 67

Posted: Tue Dec 23, 2003 8:11 pm

Well, does anyone have *any* working (super-)freeswan config that is similar to mine? I can't imagine I'm the only one who uses this kind of setup.
Holly
n00b

Joined: 08 Mar 2003
Posts: 67

Posted: Wed Dec 24, 2003 2:24 am

I have some more information on my problem. I tcpdump'ed the traffic during a VPN connection attempt (heartofgold is the server, deepthought the Windows client):
Code:
tcpdump: listening on eth1
03:15:00.791188 deepthought.1031 > heartofgold.domain:  107+ A? heartofgold. (39)
03:15:00.793457 heartofgold.domain > deepthought.1031:  107* 1/0/0 A[|domain] (DF)
03:15:00.818779 deepthought.1471 > heartofgold.1723: S 3870137625:3870137625(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
03:15:00.818976 heartofgold.1723 > deepthought.1471: R 0:0(0) ack 3870137626 win 0 (DF)
03:15:01.260230 deepthought.1471 > heartofgold.1723: S 3870137625:3870137625(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
03:15:01.260474 heartofgold.1723 > deepthought.1471: R 0:0(0) ack 1 win 0 (DF)
03:15:01.760968 deepthought.1471 > heartofgold.1723: S 3870137625:3870137625(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
03:15:01.761236 heartofgold.1723 > deepthought.1471: R 0:0(0) ack 1 win 0 (DF)
03:15:01.790607 deepthought.1031 > heartofgold.domain:  108+ A? heartofgold. (39)
03:15:01.791314 heartofgold.domain > deepthought.1031:  108* 1/0/0 A[|domain] (DF)
03:15:01.819599 deepthought.500 > heartofgold.500: isakmp: phase 1 I ident: [|sa]
03:15:01.819865 heartofgold > deepthought: icmp: heartofgold udp port 500 unreachable [tos 0xc0]
03:15:02.813509 deepthought.500 > heartofgold.500: isakmp: phase 1 I ident: [|sa]
03:15:02.813804 heartofgold > deepthought: icmp: heartofgold udp port 500 unreachable [tos 0xc0]
03:15:04.816631 deepthought.500 > heartofgold.500: isakmp: phase 1 I ident: [|sa]
03:15:04.818200 heartofgold.500 > deepthought.500: isakmp: phase 1 R ident: [|sa] (DF)
03:15:04.878904 deepthought.500 > heartofgold.500: isakmp: phase 1 I ident: [|ke]
03:15:04.912604 heartofgold.500 > deepthought.500: isakmp: phase 1 R ident: [|ke] (DF)
03:15:04.941091 deepthought.500 > heartofgold.500: isakmp: phase 1 I ident[E]: [encrypted id]
03:15:04.942899 heartofgold.500 > deepthought.500: isakmp: phase 1 R ident[E]: [encrypted id] (DF)
03:15:04.944568 deepthought.500 > heartofgold.500: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash]
03:15:05.938233 deepthought.500 > heartofgold.500: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash]
03:15:07.940526 deepthought.500 > heartofgold.500: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash]
03:15:11.947012 deepthought.500 > heartofgold.500: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash]
03:15:14.232225 deepthought.500 > heartofgold.500: isakmp: phase 2/others I inf[E]: [encrypted hash]
03:15:14.234019 heartofgold.500 > deepthought.500: isakmp: phase 2/others R inf[E]: [encrypted hash] (DF)


Might the "udp port 500 unreachable" be a problem? Actually, there should be no port blocked, like with iptables.
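The trace above contains three separate stories: the client first tries TCP 1723 (PPTP) and gets RST, then its first two IKE packets are answered with ICMP port unreachable, and once phase 1 does complete the four Quick Mode proposals get no responder reply until the client gives up with an informational exchange. An ICMP port unreachable generated by the gateway itself means that at that instant nothing was bound to UDP 500 (or a REJECT rule answered); a DROP rule would produce silence instead. The script below, an added example that is not part of the thread, classifies tcpdump lines in the classic "time src > dst: payload" format shown above and summarises which stage the negotiation reached. The sample lines are an excerpt of the quoted trace with the DNS lines dropped; the event names and finding texts are my own.

```python
"""Triage a tcpdump capture of an IKE/ISAKMP connection attempt.

Added example, not from the thread.  It classifies tcpdump lines in the
classic 'time src > dst: payload' format and reports how far the IPsec
negotiation got.  The sample lines are an excerpt of the trace quoted in
the thread (DNS lines dropped).
"""
import re
from collections import Counter
from typing import Iterable, List, Tuple

LINE_RE = re.compile(r"^(?P<ts>[\d:.]+) (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")


def classify(src: str, dst: str, rest: str) -> str:
    """Map one decoded packet to a coarse event type (names are my own)."""
    if "udp port 500 unreachable" in rest:
        return "ike_unreachable"        # ICMP: nothing answered on UDP 500
    if rest.startswith("isakmp: phase 1 I "):
        return "ike_p1_init"            # client's Main Mode messages
    if rest.startswith("isakmp: phase 1 R "):
        return "ike_p1_resp"            # gateway's Main Mode replies
    if "phase 2/others I oakley-quick" in rest:
        return "ike_p2_init"            # client proposing the IPsec SA
    if "phase 2/others R oakley-quick" in rest:
        return "ike_p2_resp"            # gateway accepting it
    if "phase 2/others" in rest and " inf[" in rest:
        return "ike_info"               # informational (notify/delete)
    if dst.endswith(".1723") and rest.startswith("S "):
        return "pptp_syn"               # TCP 1723 = PPTP control channel
    if src.endswith(".1723") and rest.startswith("R "):
        return "pptp_rst"
    return "other"


def triage(lines: Iterable[str]) -> Tuple[Counter, List[str]]:
    """Count event types and derive human-readable findings from them."""
    counts: Counter = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            counts[classify(m["src"], m["dst"], m["rest"])] += 1
    findings: List[str] = []
    n = counts["ike_unreachable"]
    if n:
        msg = (f"{n} IKE packet(s) answered with ICMP port unreachable: no socket "
               "was bound to UDP 500 on the gateway (or a REJECT rule answered)")
        if counts["ike_p1_resp"]:
            msg += "; later packets were answered, so the gap was transient"
        findings.append(msg)
    if counts["ike_p1_resp"]:
        findings.append("phase 1 (ISAKMP SA) completed: responder answered the ident exchanges")
    if counts["ike_p2_init"] and not counts["ike_p2_resp"]:
        findings.append(f"{counts['ike_p2_init']} quick mode proposal(s) without a responder "
                        "reply: the IPsec SA was refused; check the daemon log for the "
                        "rejected selector")
    if counts["pptp_syn"] and counts["pptp_rst"]:
        findings.append("client also tried PPTP (TCP 1723) and was refused with RST")
    return counts, findings


# Excerpt of the trace quoted in the thread (DNS lines dropped).
TRACE = [
    "03:15:00.818779 deepthought.1471 > heartofgold.1723: S 3870137625:3870137625(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)",
    "03:15:00.818976 heartofgold.1723 > deepthought.1471: R 0:0(0) ack 3870137626 win 0 (DF)",
    "03:15:01.819599 deepthought.500 > heartofgold.500: isakmp: phase 1 I ident: [|sa]",
    "03:15:01.819865 heartofgold > deepthought: icmp: heartofgold udp port 500 unreachable [tos 0xc0]",
    "03:15:04.816631 deepthought.500 > heartofgold.500: isakmp: phase 1 I ident: [|sa]",
    "03:15:04.818200 heartofgold.500 > deepthought.500: isakmp: phase 1 R ident: [|sa] (DF)",
    "03:15:04.878904 deepthought.500 > heartofgold.500: isakmp: phase 1 I ident: [|ke]",
    "03:15:04.912604 heartofgold.500 > deepthought.500: isakmp: phase 1 R ident: [|ke] (DF)",
    "03:15:04.941091 deepthought.500 > heartofgold.500: isakmp: phase 1 I ident[E]: [encrypted id]",
    "03:15:04.942899 heartofgold.500 > deepthought.500: isakmp: phase 1 R ident[E]: [encrypted id] (DF)",
    "03:15:04.944568 deepthought.500 > heartofgold.500: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash]",
    "03:15:05.938233 deepthought.500 > heartofgold.500: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash]",
    "03:15:14.232225 deepthought.500 > heartofgold.500: isakmp: phase 2/others I inf[E]: [encrypted hash]",
    "03:15:14.234019 heartofgold.500 > deepthought.500: isakmp: phase 2/others R inf[E]: [encrypted hash] (DF)",
]


if __name__ == "__main__":
    counts, findings = triage(TRACE)
    print(dict(counts))
    for f in findings:
        print("-", f)
```

On this excerpt the unreachable is flagged as transient because the same trace shows phase 1 completing a few seconds later, so it is not what kills the connection; the finding that matters is the Quick Mode proposals with no reply, which is the on-the-wire view of the "no connection is known" line in the syslog quoted earlier in the thread. Pointing the script at a capture taken with iptables in place would show the difference between a REJECT (ICMP answers) and a DROP (no answers, only retransmits).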
puke
Tux's lil' helper

Joined: 05 Oct 2002
Posts: 128

Posted: Fri Apr 16, 2004 12:51 pm

You must allow IPsec packets (IKE on UDP port 500 plus ESP, protocol 50) in and out of your gateway.

Ripped from freeswan.org:

Code:
# IKE negotiations
iptables -A INPUT  -p udp -i $world --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp -o $world --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
iptables -A INPUT  -p 50 -i $world -j ACCEPT
iptables -A OUTPUT -p 50 -o $world -j ACCEPT

Optionally, you could restrict this, allowing these packets only to and from a list of known gateways.
All times are GMT