Tom.bEE (n00b)
Joined: 21 Nov 2004 Posts: 5 Location: Düsseldorf, Germany
Posted: Wed Apr 20, 2005 8:51 am Post subject: IPSec over NAT/Routing(??)
Hi there,
I know this is probably not the best forum to ask, but I'm sure there are some brave souls around who can help me. I am really really stuck now ;(
My problem:
I've got a server running Debian, Linux 2.6 and racoon 0.5 on a static IP. I now want to connect to it with my notebook running Gentoo, kernel 2.6 and racoon 0.5. My notebook is placed behind another Debian box which is my gateway at home (dynamic IP).
There is a tunnel established between the server and my notebook successfully. I can ping the notebook from the server, but not the other way around. I can even ssh to my notebook (if I call some ncurses-based programs like top, the connection breaks immediately), but there is no chance to get a single bit from the notebook to the server.
When I do a tcpdump at the server's side I can see the ESP packets coming from the notebook. The server seems to just not decrypt the packets and therefore doesn't reply. Usually the server is able to decrypt ESP packets. I have got another client (not NAT-ed), which works fine.
The firewall rules are disabled between both machines, as well.
I really do not have a clue what's going on. Maybe someone out there can give me a hint or something.
Please help!!
Thank you very much,
regards,
Thomas
My config:

Notebook:
Main-IP 192.168.15.55
VPN-IP 192.168.16.55 (tried it without, but inserted it to have a similar setup to many howtos)

```
spdadd 192.168.0.1/32 192.168.16.0/24 any -P in ipsec
    esp/tunnel/x.x.x.x-192.168.15.55/require;
spdadd 192.168.16.0/24 192.168.0.1/32 any -P out ipsec
    esp/tunnel/192.168.15.55-x.x.x.x/require;
```

ip route:
```
192.168.0.1 via 192.168.15.55 dev eth1 src 192.168.16.55
```

Server:
Main-IP: x.x.x.x
VPN-IP 192.168.0.1

Policies generated automatically:
```
192.168.16.0/24[any] 192.168.0.1[any] any
    in ipsec
    esp/tunnel/[home]-x.x.x.x/require
    created: Apr 20 09:55:31 2005  lastused: Apr 20 09:55:38 2005
    lifetime: 28800(s) validtime: 0(s)
    spid=6864 seq=6 pid=29894
    refcnt=2
192.168.0.1[any] 192.168.16.0/24[any] any
    out ipsec
    esp/tunnel/x.x.x.x-[home]/require
    created: Apr 20 09:55:31 2005  lastused: Apr 20 09:55:38 2005
    lifetime: 28800(s) validtime: 0(s)
    spid=6881 seq=5 pid=29894
    refcnt=2
192.168.16.0/24[any] 192.168.0.1[any] any
    fwd ipsec
    esp/tunnel/[home]-x.x.x.x/require
    created: Apr 20 09:55:31 2005  lastused:
    lifetime: 28800(s) validtime: 0(s)
    spid=6874 seq=4 pid=29894
    refcnt=2
```

ip route:
```
192.168.16.0/24 via x.x.x.x dev eth0 src 192.168.0.1
```
Tom.bEE (n00b)
Joined: 21 Nov 2004 Posts: 5 Location: Düsseldorf, Germany
Posted: Wed Apr 20, 2005 10:10 am Post subject: solved
Sorry guys!!!
It's been my firewall's fault.
In my latest iptables config I accepted VPN traffic with:
```
$iptables -t mangle -A PREROUTING -i eth0 -p esp -j MARK --set-mark 1
```
Using NAT now, traffic doesn't go through port 'esp' anymore, but through 4500!!!
So, I have added the following to my config and everything works as expected:
```
$iptables -t mangle -A PREROUTING -i eth0 -p udp --dport 4500 -j MARK --set-mark 1
```
Thank you anyway. Maybe this is helpful for someone else.
best regards,
Thomas
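An added example, not from the thread, illustrating why the original `-p esp` rule stopped matching once NAT traversal was in use: with NAT-T (RFC 3948) the ESP packet travels inside UDP to port 4500, so its outer IP protocol is 17 (UDP), not 50 (ESP), and IKE itself moves from port 500 to 4500 with a four-zero-byte marker in front. The packets and the rule dicts below are constructed stand-ins for the two iptables lines above, not the real netfilter matching engine.

```python
import struct

ESP_PROTO, UDP_PROTO = 50, 17
IKE_PORT, NATT_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on UDP 4500 is prefixed with four zero bytes

# Hypothetical stand-ins for the thread's two mangle rules (protocol plus optional dest port).
RULE_ESP_ONLY = {"proto": ESP_PROTO, "dport": None}    # -p esp
RULE_NATT = {"proto": UDP_PROTO, "dport": NATT_PORT}   # -p udp --dport 4500


def classify(ip_proto, dst_port, payload):
    """Name the IPsec traffic a packet carries, from the outer headers and first payload bytes."""
    if ip_proto == ESP_PROTO:                      # native ESP: the SPI is the first 32 bits
        return "esp", struct.unpack("!I", payload[:4])[0]
    if ip_proto == UDP_PROTO and dst_port == IKE_PORT:
        return "ike", None
    if ip_proto == UDP_PROTO and dst_port == NATT_PORT:
        if payload == b"\xff":                     # NAT keepalive (RFC 3948 section 2.3)
            return "natt-keepalive", None
        if payload[:4] == NON_ESP_MARKER:          # IKE moved to 4500 after NAT detection
            return "ike-natt", None
        return "esp-in-udp", struct.unpack("!I", payload[:4])[0]  # UDP-encapsulated ESP
    return "other", None


def rule_matches(rule, ip_proto, dst_port):
    """Mimic the -p / --dport match of a single iptables rule."""
    return rule["proto"] == ip_proto and (rule["dport"] is None or rule["dport"] == dst_port)


def marked(rules, ip_proto, dst_port):
    """True if any rule in the chain would set the mark on this packet."""
    return any(rule_matches(r, ip_proto, dst_port) for r in rules)


# Constructed packets: (ip_proto, dst_port, payload); SPI 0x1234 in both ESP samples
NATIVE_ESP = (ESP_PROTO, None, b"\x00\x00\x12\x34" + b"\x00" * 20)
UDP_ESP = (UDP_PROTO, NATT_PORT, b"\x00\x00\x12\x34" + b"\x00" * 20)
UDP_IKE = (UDP_PROTO, NATT_PORT, NON_ESP_MARKER + b"\x11" * 28)

if __name__ == "__main__":
    for name, pkt in (("native ESP", NATIVE_ESP), ("ESP in UDP", UDP_ESP), ("IKE in UDP", UDP_IKE)):
        kind, spi = classify(*pkt)
        old = marked([RULE_ESP_ONLY], pkt[0], pkt[1])
        new = marked([RULE_ESP_ONLY, RULE_NATT], pkt[0], pkt[1])
        print(f"{name:11s} -> {kind:15s} old rule marks it: {old!s:5s} with 4500 rule: {new}")
```

Running it shows the native ESP packet marked by the old rule alone, while both UDP-4500 packets are only marked once the second rule is present; in tcpdump the same distinction appears as `ESP(spi=...)` versus `UDP ... NONESP-encap` or `isakmp-nat-keep-alive`.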