makenoob (Apprentice)
Joined: 19 Aug 2004 Posts: 272 Location: /Germany/Düsseldorf
Posted: Fri Mar 11, 2005 12:16 pm Post subject: pluto (vpn) takes wrong if for route
I'm trying to set up a VPN between two Gentoo boxes. I followed this HOWTO and changed the configuration to fit my needs (pluto didn't find the %defaultroute on my box, so I had to put in the addresses for rightnexthop and leftnexthop). When I fire up "/etc/init.d/ipsec start" it says in /var/log/messages:
Code: |
Mar 11 12:41:09 losraidonos ipsec_setup: Starting Openswan IPsec U2.2.0/K2.6.10-gentoo-r6...
Mar 11 12:41:09 losraidonos ipsec_setup: KLIPS ipsec0 on ppp0 111.222.333.444/255.255.255.255 pointopoint 111.222.333.445
Mar 11 12:41:10 losraidonos ipsec__plutorun: Starting Pluto subsystem...
Mar 11 12:41:10 losraidonos pluto[14305]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Mar 11 12:41:10 losraidonos pluto[14305]: including NAT-Traversal patch (Version 0.6c) [disabled]
Mar 11 12:41:10 losraidonos pluto[14305]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Mar 11 12:41:10 losraidonos pluto[14305]: Using Linux 2.6 IPsec interface code
Mar 11 12:41:10 losraidonos pluto[14305]: Changing to directory '/etc/ipsec/ipsec.d/cacerts'
Mar 11 12:41:10 losraidonos pluto[14305]: Could not change to directory '/etc/ipsec/ipsec.d/aacerts'
Mar 11 12:41:10 losraidonos pluto[14305]: Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'
Mar 11 12:41:10 losraidonos pluto[14305]: Changing to directory '/etc/ipsec/ipsec.d/crls'
Mar 11 12:41:10 losraidonos pluto[14305]: Warning: empty directory
Mar 11 12:41:10 losraidonos ipsec_setup: ...Openswan IPsec started
Mar 11 12:41:10 losraidonos pluto[14305]: added connection description "leo-koehnen"
Mar 11 12:41:10 losraidonos pluto[14305]: listening for IKE messages
Mar 11 12:41:10 losraidonos pluto[14305]: adding interface ppp0/ppp0 111.222.333.444
Mar 11 12:41:10 losraidonos pluto[14305]: adding interface lo/lo 127.0.0.1
Mar 11 12:41:10 losraidonos pluto[14305]: adding interface eth0/eth0 192.168.1.1
Mar 11 12:41:10 losraidonos pluto[14305]: loading secrets from "/etc/ipsec/ipsec.secrets"
Mar 11 12:41:10 losraidonos pluto[14305]: "leo-koehnen": route-client output: /usr/lib/ipsec/_updown: doroute `ip route add 172.16.0.0/24 via 111.222.333.445 dev eth0 ' failed (RTNETLINK answers: Network is unreachable)
Mar 11 12:41:10 losraidonos pluto[14305]: "leo-koehnen" #1: initiating Main Mode
Mar 11 12:41:10 losraidonos ipsec__plutorun: 104 "leo-koehnen" #1: STATE_MAIN_I1: initiate
Mar 11 12:41:10 losraidonos ipsec__plutorun: ...could not start conn "leo-koehnen"
Mar 11 12:41:12 losraidonos pluto[14305]: packet from 444.333.222.111:500: initial Main Mode message received on 111.222.333.444:500 but no connection has been authorized
|
When pluto tries to add the route, it takes the wrong interface. It has to be ppp0, which the net (111.222.333.445) is attached to, and not eth0.
The other box is working like a charm, except it cannot complete the connection because of the wrong routing interface (eth0) on the other side:
Code: |
Mar 11 12:39:21 marvin ipsec_setup: Starting Openswan IPsec U2.2.0/K2.6.10-gentoo-r6...
Mar 11 12:39:21 marvin ipsec_setup: KLIPS ipsec0 on eth1 444.333.222.111/255.255.255.0 broadcast 444.333.222.255
Mar 11 12:39:21 marvin ipsec__plutorun: Starting Pluto subsystem...
Mar 11 12:39:21 marvin pluto[7423]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Mar 11 12:39:21 marvin pluto[7423]: including NAT-Traversal patch (Version 0.6c) [disabled]
Mar 11 12:39:21 marvin ipsec_setup: ...Openswan IPsec started
Mar 11 12:39:21 marvin pluto[7423]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Mar 11 12:39:21 marvin pluto[7423]: Using Linux 2.6 IPsec interface code
Mar 11 12:39:21 marvin pluto[7423]: Changing to directory '/etc/ipsec/ipsec.d/cacerts'
Mar 11 12:39:21 marvin pluto[7423]: Could not change to directory '/etc/ipsec/ipsec.d/aacerts'
Mar 11 12:39:21 marvin pluto[7423]: Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'
Mar 11 12:39:21 marvin pluto[7423]: Changing to directory '/etc/ipsec/ipsec.d/crls'
Mar 11 12:39:21 marvin pluto[7423]: Warning: empty directory
Mar 11 12:39:22 marvin pluto[7423]: added connection description "leo-koehnen"
Mar 11 12:39:22 marvin pluto[7423]: listening for IKE messages
Mar 11 12:39:22 marvin pluto[7423]: adding interface eth2/eth2 444.333.222.222
Mar 11 12:39:22 marvin pluto[7423]: adding interface lo/lo 127.0.0.1
Mar 11 12:39:22 marvin pluto[7423]: adding interface eth1/eth1 444.333.222.111
Mar 11 12:39:22 marvin pluto[7423]: adding interface eth0:2/eth0:2 192.168.0.1
Mar 11 12:39:22 marvin pluto[7423]: adding interface eth0:1/eth0:1 192.168.2.1
Mar 11 12:39:22 marvin pluto[7423]: adding interface eth0/eth0 172.16.0.1
Mar 11 12:39:22 marvin pluto[7423]: loading secrets from "/etc/ipsec/ipsec.secrets"
Mar 11 12:39:22 marvin pluto[7423]: "leo-koehnen" #1: initiating Main Mode
Mar 11 12:39:22 marvin RULE 9 -- ACCEPT IN= OUT=eth1 SRC=444.333.222.111 DST=111.222.333.444 LEN=204 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=184
Mar 11 12:39:22 marvin ipsec__plutorun: 104 "leo-koehnen" #1: STATE_MAIN_I1: initiate
Mar 11 12:39:22 marvin ipsec__plutorun: ...could not start conn "leo-koehnen"
Mar 11 12:39:22 marvin pluto[7423]: "leo-koehnen" #1: ERROR: asynchronous network error report on eth1 for message to 111.222.333.444 port 500, complainant 111.222.333.444: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
|
Box b has a fixed IP and box a's IP is dynamic. The route to my net on box b is configured correctly on eth1.
I think the connection doesn't come up because of the wrong routing interface on the first box (111.222.333.444 - box a).
Anyone any ideas how I can tell pluto to take the interface "ppp0" for routing?
Here are my configs (box a):
Code: |
losraidonos ipsec # cat /etc/ipsec/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/openswan-2.2.0/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
#interfaces="ipsec0=ppp0"
# klipsdebug=none
# plutodebug="control parsing"
# Add connections here
# sample VPN connection
#sample# conn sample
#sample# # Left security gateway, subnet behind it, next hop toward right.
#sample# left=10.0.0.1
#sample# leftsubnet=172.16.0.0/24
#sample# leftnexthop=10.22.33.44
#sample# # Right security gateway, subnet behind it, next hop toward left.
#sample# right=10.12.12.1
#sample# rightsubnet=192.168.0.0/24
#sample# rightnexthop=10.101.102.103
#sample# # To authorize this connection, but not actually start it, at startup,
#sample# # uncomment this.
#sample# #auto=start
#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
include /etc/ipsec/leo-koehnen.conf
|
Code: |
losraidonos ipsec # cat /etc/ipsec/leo-koehnen.conf
conn leo-koehnen
type=tunnel
left=444.333.222.111
leftsubnet=172.16.0.0/24
leftid=@boxb.example.com
leftrsasigkey=0sA...
leftnexthop=444.333.222.112
right=boxa.example.com
rightsubnet=192.168.1.0/24
rightid=@boxa.example.com
rightrsasigkey=0sAQO...
rightnexthop=111.222.333.445
authby=rsasig
auto=start
|
Code: |
losraidonos ipsec # ifconfig
eth0 Link encap:Ethernet HWaddr 00:0A:E6:10:EE:C0
inet addr:192.168.1.20 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2946 errors:0 dropped:0 overruns:0 frame:0
TX packets:4915 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:377176 (368.3 Kb) TX bytes:4705848 (4.4 Mb)
Interrupt:10 Base address:0xdc00
eth1 Link encap:Ethernet HWaddr 00:50:BA:8F:2E:E9
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:50191 errors:0 dropped:0 overruns:0 frame:0
TX packets:52799 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9106753 (8.6 Mb) TX bytes:5333005 (5.0 Mb)
Interrupt:11 Base address:0xd400
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:745 errors:0 dropped:0 overruns:0 frame:0
TX packets:745 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:75354 (73.5 Kb) TX bytes:75354 (73.5 Kb)
ppp0 Link encap:Point-to-Point Protocol
inet addr:111.222.333.444 P-t-P:111.222.333.445 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:42494 errors:0 dropped:0 overruns:0 frame:0
TX packets:45103 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:7709893 (7.3 Mb) TX bytes:3878807 (3.6 Mb)
|
Code: |
losraidonos ipsec # route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
111.222.333.445 * 255.255.255.255 UH 0 0 0 ppp0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
loopback localhost 255.0.0.0 UG 0 0 0 lo
default 111.222.333.445 0.0.0.0 UG 0 0 0 ppp0
|
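The route failure in the log above, worked through as an added example (not code from the post or from Openswan): the script below re-implements the kernel's longest-prefix match over the posted `route` table and compares the result with the `dev` that pluto's `_updown` script put into the failed `ip route add`. The masked 111.222.333.x addresses are not valid IPv4, so the copy of the table and of the log line embedded here uses 198.51.100.45 (an RFC 5737 documentation address) in their place; everything else is as posted.

```python
"""Check the interface pluto used for a route against the kernel routing table."""
import ipaddress
import re

# Stand-in for the `route` output posted above (constructed copy; the masked
# 111.222.333.445 next hop is replaced by 198.51.100.45 so it parses as IPv4).
ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
198.51.100.45   *               255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
default         198.51.100.45   0.0.0.0         UG    0      0        0 ppp0
"""

# Stand-in for the failed _updown line from the posted log (same substitution).
LOG_LINE = (
    'pluto[14305]: "leo-koehnen": route-client output: /usr/lib/ipsec/_updown: '
    "doroute `ip route add 172.16.0.0/24 via 198.51.100.45 dev eth0 ' failed "
    "(RTNETLINK answers: Network is unreachable)"
)

# Symbolic destinations `route` prints without -n.
SYMBOLIC = {"default": "0.0.0.0", "loopback": "127.0.0.0"}


def parse_route_table(text):
    """Turn `route` output into a list of (network, iface) entries."""
    routes = []
    for line in text.splitlines()[2:]:          # skip the two header lines
        dest, _gw, mask, _flags, *_rest, iface = line.split()
        dest = SYMBOLIC.get(dest, dest)
        routes.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False), iface))
    return routes


def egress_interface(routes, addr):
    """Longest-prefix match: the interface the kernel would send `addr` out of."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


UPDOWN_RE = re.compile(r"ip route add (\S+) via (\S+) dev (\S+)")


def check_updown_route(log_line, routes):
    """Extract subnet/via/dev from a doroute failure and resolve the right dev.

    Returns (subnet, via, dev_used, dev_expected), or None if the line is not
    a doroute failure.
    """
    m = UPDOWN_RE.search(log_line)
    if m is None:
        return None
    subnet, via, dev_used = m.groups()
    return subnet, via, dev_used, egress_interface(routes, via)


if __name__ == "__main__":
    subnet, via, used, expected = check_updown_route(LOG_LINE, parse_route_table(ROUTE_TABLE))
    verdict = "OK" if used == expected else f"MISMATCH: kernel would use {expected}"
    print(f"route to {subnet} via {via} uses dev {used}: {verdict}")
```

`ip route add ... via Y dev Z` is refused with "Network is unreachable" exactly when Y is not reachable on Z, which is what the log shows: the next hop only has a host route on ppp0. On the live box the same question is answered by `ip route get 111.222.333.445`. The `dev` in the failing command is supplied by pluto (the interface it associated with the connection's local end, passed to `_updown`), not looked up in the routing table, so a mismatch here points at how `left`/`right` and `interfaces=` resolve on this box rather than at the kernel's routes.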
dashnu (l33t)
Joined: 21 Jul 2004 Posts: 703 Location: Casco Maine
Posted: Fri Mar 11, 2005 3:33 pm
I also tried this HOWTO, and the outcome was similar. You will find this is a very dead topic on these forums. You also may want to consider what type of operating systems will be connecting to this, because this is not very good for Windows and Mac. I set up an Openswan / L2TP connection so our Windows users and Mac users can connect from the default built-in client. However I am trying to run it behind a NAT so I am in a world of shit trying to get it to work. Outside a NAT it works like a charm. The only thing I can say is I get the same error as you if my left is not defined correctly.
Code: | packet from 444.333.222.111:500: initial Main Mode message received on 111.222.333.444:500 but no connection has been authorized |
My words of advice:
Do not try to run a VPN behind a NAT.
Really read up on your options for client-side support if you have a user base using different OSs.
I have a post out there to look at, maybe.
https://forums.gentoo.org/viewtopic-t-303867-highlight-.html
On top of that, this has to be the hardest project I have ever had to do, and the support is tough to find. Good luck!
_________________ write quit bang
makenoob (Apprentice)
Joined: 19 Aug 2004 Posts: 272 Location: /Germany/Düsseldorf
Posted: Mon Mar 14, 2005 9:22 am
I'm not trying to run this VPN behind a NAT. The two boxes are directly connected to the internet, one with a static IP and the other with a dynamic address (and forced disconnection etc.).
I don't have to use different OSs, all the boxes can be migrated to Gentoo, but I need to set up VPN tunnels on them and get this thing running.
Prompty (Apprentice)
Joined: 08 Feb 2004 Posts: 292
Posted: Mon Mar 14, 2005 1:59 pm
I assume you opened the right ports??
edit: port 500 AFAIR, and check the key
_________________ <input stupid message here>
makenoob (Apprentice)
Joined: 19 Aug 2004 Posts: 272 Location: /Germany/Düsseldorf
Posted: Mon Mar 14, 2005 7:33 pm
The port on both boxes is open and the keys are also set right.
Box a:
Code: |
cat leo-koehnen.conf
conn leo-koehnen
type=tunnel
left=boxa.example.com
leftsubnet=192.168.1.0/24
leftid=@boxa.example.com
leftrsasigkey=0sAQPUklfqXBtm5En/iCjf7lU...
right=boxb.example.com
rightsubnet=172.16.0.0/24
rightid=@boxb.example.com
rightrsasigkey=0sAQO1VcbbstisyIvliF1Z...
rightnexthop=%defaultroute
authby=rsasig
auto=start
|
Box b:
Code: |
cat leo-koehnen.conf
conn leo-koehnen
type=tunnel
left=boxb.example.com
leftsubnet=172.16.0.0/24
leftid=@boxb.example.com
leftrsasigkey=0sAQO1VcbbstisyIvliF1Z...
leftnexthop=%defaultroute
right=boxa.example.com
rightsubnet=192.168.1.0/24
rightid=@boxa.example.com
rightrsasigkey=0sAQPUklfqXBtm5En/iCjf7lU...
rightnexthop=%defaultroute
authby=rsasig
auto=start
|
I updated openswan and ipsec-tools to ~x86 and now my box is accepting "%defaultroute", but nothing changed on the wrong route interface:
Code: |
Mar 14 16:41:02 losraidonos ipsec_setup: Starting Openswan IPsec 2.3.0...
Mar 14 16:41:02 losraidonos ipsec_setup: insmod /lib/modules/2.6.10-gentoo-r6/kernel/net/key/af_key.ko
Mar 14 16:41:02 losraidonos NET: Registered protocol family 15
Mar 14 16:41:02 losraidonos ipsec_setup: insmod /lib/modules/2.6.10-gentoo-r6/kernel/net/xfrm/xfrm_user.ko
Mar 14 16:41:02 losraidonos Initializing IPsec netlink socket
Mar 14 16:41:02 losraidonos ipsec_setup: KLIPS ipsec0 on ppp0 213.23.160.205/255.255.255.255 pointopoint 145.253.4.146
Mar 14 16:41:03 losraidonos ipsec__plutorun: Starting Pluto subsystem...
Mar 14 16:41:03 losraidonos ipsec_setup: ...Openswan IPsec started
Mar 14 16:41:03 losraidonos pluto[19904]: Starting Pluto (Openswan Version 2.3.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Mar 14 16:41:03 losraidonos pluto[19904]: Setting port floating to on
Mar 14 16:41:03 losraidonos pluto[19904]: port floating activate 1/1
Mar 14 16:41:03 losraidonos pluto[19904]: including NAT-Traversal patch (Version 0.6c)
Mar 14 16:41:03 losraidonos pluto[19904]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Mar 14 16:41:03 losraidonos pluto[19904]: starting up 1 cryptographic helpers
Mar 14 16:41:03 losraidonos pluto[19904]: started helper pid=19924 (fd:6)
Mar 14 16:41:03 losraidonos pluto[19904]: Using Linux 2.6 IPsec interface code
Mar 14 16:41:03 losraidonos pluto[19904]: Changing to directory '/etc/ipsec/ipsec.d/cacerts'
Mar 14 16:41:03 losraidonos pluto[19904]: Could not change to directory '/etc/ipsec/ipsec.d/aacerts'
Mar 14 16:41:03 losraidonos pluto[19904]: Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'
Mar 14 16:41:03 losraidonos pluto[19904]: Changing to directory '/etc/ipsec/ipsec.d/crls'
Mar 14 16:41:03 losraidonos pluto[19904]: Warning: empty directory
Mar 14 16:41:03 losraidonos pluto[19904]: added connection description "leo-koehnen"
Mar 14 16:41:03 losraidonos pluto[19904]: listening for IKE messages
Mar 14 16:41:03 losraidonos pluto[19904]: adding interface ppp0/ppp0 213.23.160.205
Mar 14 16:41:03 losraidonos pluto[19904]: adding interface ppp0/ppp0 213.23.160.205:4500
Mar 14 16:41:03 losraidonos pluto[19904]: adding interface lo/lo 127.0.0.1
Mar 14 16:41:03 losraidonos pluto[19904]: adding interface lo/lo 127.0.0.1:4500
Mar 14 16:41:03 losraidonos pluto[19904]: adding interface eth0/eth0 192.168.75.20
Mar 14 16:41:03 losraidonos pluto[19904]: adding interface eth0/eth0 192.168.75.20:4500
Mar 14 16:41:03 losraidonos pluto[19904]: loading secrets from "/etc/ipsec/ipsec.secrets"
Mar 14 16:41:03 losraidonos pluto[19904]: "leo-koehnen": route-client output: /usr/lib/ipsec/_updown: doroute `ip route add 192.168.83.0/24 via 194.245.124.34 dev eth0 ' failed (RTNETLINK answers: Network is unreachable)
Mar 14 16:41:03 losraidonos pluto[19904]: "leo-koehnen" #1: initiating Main Mode
Mar 14 16:41:03 losraidonos pluto[19904]: | no IKE algorithms for this connection
Mar 14 16:41:03 losraidonos ipsec__plutorun: 104 "leo-koehnen" #1: STATE_MAIN_I1: initiate
Mar 14 16:41:03 losraidonos ipsec__plutorun: ...could not start conn "leo-koehnen"
Mar 14 16:41:18 losraidonos pluto[19904]: packet from 194.245.124.34:500: received Vendor ID payload [Dead Peer Detection]
Mar 14 16:41:18 losraidonos pluto[19904]: packet from 194.245.124.34:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Mar 14 16:41:18 losraidonos pluto[19904]: packet from 194.245.124.34:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 108
Mar 14 16:41:18 losraidonos pluto[19904]: packet from 194.245.124.34:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 14 16:41:18 losraidonos pluto[19904]: packet from 194.245.124.34:500: initial Main Mode message received on 213.23.160.205:500 but no connection has been authorized
Mar 14 16:41:28 losraidonos pluto[19904]: packet from 194.245.124.34:500: received Vendor ID payload [Dead Peer Detection]
Mar 14 16:41:28 losraidonos pluto[19904]: packet from 194.245.124.34:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Mar 14 16:41:28 losraidonos pluto[19904]: packet from 194.245.124.34:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 108
|
Does anyone have any ideas?
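As an added example, not from the post, a small triage of the pluto lines above: the classifier runs over a constructed sample assembled from the error lines in this thread and turns each into a class, a severity and the check to make next. The patterns and hints are mine, written from the message texts as they appear here (the addresses stay masked as in the posts; nothing parses them as IPs), not taken from Openswan's own documentation.

```python
"""Triage pluto log lines from /var/log/messages into actionable findings."""
import re

# Constructed sample built from lines in the posts above.
SAMPLE_LOG = """\
Mar 14 16:41:03 losraidonos pluto[19904]: Could not change to directory '/etc/ipsec/ipsec.d/aacerts'
Mar 14 16:41:03 losraidonos pluto[19904]: "leo-koehnen": route-client output: /usr/lib/ipsec/_updown: doroute `ip route add 192.168.83.0/24 via 194.245.124.34 dev eth0 ' failed (RTNETLINK answers: Network is unreachable)
Mar 14 16:41:03 losraidonos pluto[19904]: "leo-koehnen" #1: initiating Main Mode
Mar 14 16:41:03 losraidonos ipsec__plutorun: ...could not start conn "leo-koehnen"
Mar 14 16:41:18 losraidonos pluto[19904]: packet from 194.245.124.34:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Mar 14 16:41:18 losraidonos pluto[19904]: packet from 194.245.124.34:500: initial Main Mode message received on 213.23.160.205:500 but no connection has been authorized
Mar 11 12:39:22 marvin pluto[7423]: "leo-koehnen" #1: ERROR: asynchronous network error report on eth1 for message to 111.222.333.444 port 500, complainant 111.222.333.444: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"""

# (severity, class, pattern, hint), tried in order; first match wins.
RULES = [
    ("error", "updown-route-failed",
     re.compile(r"_updown: doroute `(?P<cmd>[^']*)' failed \((?P<err>[^)]*)\)"),
     "the route pluto installs for the peer subnet failed: compare the via/dev in the "
     "command with `ip route get <nexthop>` and the nexthop/interfaces settings"),
    ("error", "no-conn-authorized",
     re.compile(r"packet from (?P<peer>\S+): initial Main Mode message received on "
                r"(?P<local>\S+) but no connection has been authorized"),
     "an IKE peer reached us but no loaded conn matches the local/peer address pair: "
     "check left/right on this box and that the conn was added (auto=add/start)"),
    ("error", "peer-port-unreachable",
     re.compile(r"asynchronous network error report on (?P<iface>\S+) for message to "
                r"(?P<peer>\S+) port 500.*ICMP type 3 code 3"),
     "the peer answered UDP/500 with ICMP port unreachable: nothing listens there "
     "(pluto down) or a firewall on that side rejects IKE"),
    ("warn", "conn-not-started",
     re.compile(r'\.\.\.could not start conn "(?P<conn>[^"]+)"'),
     "the initiator gave up on the conn at startup; see the pluto lines just before"),
    ("info", "peer-offers-nat-t",
     re.compile(r"received Vendor ID payload \[draft-ietf-ipsec-nat-t-ike-\d+\]"),
     "the peer advertises NAT-Traversal; harmless unless one side really is behind NAT"),
    ("info", "missing-aacerts-dir",
     re.compile(r"Could not change to directory '[^']*/aacerts'"),
     "attribute-certificate directory missing; harmless when attribute certs are unused"),
]


def triage(text):
    """Return one {severity, class, hint, fields} dict per matching log line."""
    findings = []
    for line in text.splitlines():
        for severity, cls, rx, hint in RULES:
            m = rx.search(line)
            if m:
                findings.append({"severity": severity, "class": cls,
                                 "hint": hint, "fields": m.groupdict()})
                break
    return findings


def summary(findings):
    """Counts per severity, the figure you would alert on."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['class']}: {f['hint']}")
```

Fed the whole of /var/log/messages, the three error classes are the ones that decide whether the tunnel comes up; the "no connection has been authorized" class is the one dashnu's reply also points at (a conn whose left/right do not describe this box).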
Prompty (Apprentice)
Joined: 08 Feb 2004 Posts: 292
Posted: Mon Mar 14, 2005 7:52 pm
My notes based on my implementation:
You don't have to specify all nexthops (you need nexthop only on the current box).
Try adding "rekey=yes" (I don't know what it does exactly :])
In my case it looks like this:
Code: |
conn someconn
leftid=@k1.w.c
left=%defaultroute
leftsubnet=192.168.255.0/24
leftrsasigkey=0sAQ.........
#
right=11.22.33.444
rightid=@k2.w.c
rightsubnet=192.168.254.0/8
rightrsasigkey=0sAQ......
rekey=yes
auto=start
|
<EDIT>
Other side looks like this:
Code: |
conn kielce
left=%any
leftid=@k1.w.c
leftsubnet=192.168.255.0/8
leftrsasigkey=0sA.....
right=IP_OF_THIS_STATION
rightid=@k2.w.c
rightsubnet=192.168.254.0/24
rightnexthop=IP_OF_THE_GATEWAY
rightrsasigkey=0sAQ.....
rekey=yes
auto=add
|
</EDIT> _________________ <input stupid message here>
Last edited by Prompty on Mon Mar 14, 2005 7:59 pm; edited 1 time in total
dashnu (l33t)
Joined: 21 Jul 2004 Posts: 703 Location: Casco Maine
Posted: Mon Mar 14, 2005 7:59 pm
@Prompty
Are you using this in a production env? If so, what OSs are you using client side and what clients are they using?
_________________ write quit bang
Prompty (Apprentice)
Joined: 08 Feb 2004 Posts: 292
Posted: Mon Mar 14, 2005 8:01 pm
@init-zero
Fedoras (Red Hats) and SuSEs running pluto, why?
Define prod env... it's a nationwide company... all sections connect to the headquarters through IPsec
_________________ <input stupid message here>
dashnu (l33t)
Joined: 21 Jul 2004 Posts: 703 Location: Casco Maine
Posted: Mon Mar 14, 2005 8:09 pm
I set up an Openswan / L2TP VPN server. I am looking for a server that will work with Windows, Mac and Linux. The default Windows client works with it; Linux I did not test, but I'm sure I could get it to work; but with Macs the default client does not support the NAT-T implementation Openswan uses.. which is a standard! Mac just decided to write their own implementation that sucks.. Anyways, I am just looking for a server with good / easy to set up client-side support. This has been a nightmare... My only issue with the one I was testing, again, was the limitation of the Mac. :(
_________________ write quit bang
Prompty (Apprentice)
Joined: 08 Feb 2004 Posts: 292
Posted: Mon Mar 14, 2005 8:14 pm
You might consider going Cisco ))
PIX firewall is great for VPN... and the Cisco VPN client has implementations for Mac (I might be wrong tho)
_________________ <input stupid message here>
makenoob (Apprentice)
Joined: 19 Aug 2004 Posts: 272 Location: /Germany/Düsseldorf
Posted: Tue Mar 15, 2005 10:52 am
Okay, now the IPsec tunnel is up, but the two boxes don't seem to route through the tunnel but over the internet.
I post my config; maybe anyone can give me the right hints for setting up an "ipsec0" device for routing (I dunno if it's needed):
Box a:
Code: |
losraidonos openvpn # cat /etc/ipsec/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/openswan-2.3.0/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
interfaces=%defaultroute
nat_traversal=yes
# klipsdebug=none
# plutodebug="control parsing"
#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
include /etc/ipsec/leo-koehnen.conf
|
Code: |
losraidonos openvpn # cat /etc/ipsec/leo-koehnen.conf
conn leo-koehnen
type=tunnel
leftid=@boxb.example.com
left=<ip-address-of-box-b>
leftsubnet=192.168.1.0/24
leftrsasigkey=0sAQO1Vcbb...
#
right=boxa.example.com
rightsubnet=192.168.0.0/24
rightid=@boxa.example.com
rightrsasigkey=0sAQPUklfqX...
rightnexthop=%defaultroute
authby=rsasig
rekey=yes
auto=start
|
Box b:
Code: |
marvin ipsec # cat /etc/ipsec/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/openswan-2.3.0/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
interfaces=%defaultroute
nat_traversal=yes
# klipsdebug=none
# plutodebug="control parsing"
#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
include /etc/ipsec/leo-koehnen.conf
|
Code: |
marvin ipsec # cat /etc/ipsec/leo-koehnen.conf
conn leo-koehnen
type=tunnel
leftid=@boxb.example.com
left=<ip-address-of-box-b>
leftsubnet=192.168.1.0/24
leftrsasigkey=0sAQO1Vcbb...
#
right=boxa.example.com
rightid=@boxa.example.com
rightsubnet=192.168.0.0/24
rightrsasigkey=0sAQPUklfqX...
rightnexthop=%defaultroute
authby=rsasig
rekey=yes
auto=start
|
Okay, that's the config, which establishes a tunnel but doesn't route through it.
@Prompty:
Code: |
rekey whether a connection should be renegotiated when it is about to expire; acceptable values are yes (the default) and no.
The two ends need not agree, but while a value of no prevents Pluto from requesting renegotiation, it does not prevent
responding to renegotiation requested from the other end, so no will be largely ineffective unless both ends agree on
it.
|
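Openswan lets both gateways load the identical conn (pluto works out which end it is from its own addresses), as in the two configs just above, or each can carry it mirrored, as in the box a / box b pair posted earlier. Either way the two descriptions must agree on each end's address, subnet, id and rsasigkey, while nexthop only matters on the local box, as Prompty notes. The checker below is an added example, not code from the thread or from Openswan: it parses the conn sections of two ipsec.conf texts and reports where the peers disagree. The embedded conns are constructed after the box a / box b pair; the rsasigkey values are placeholders, not the (truncated) keys from the posts.

```python
"""Cross-check one Openswan conn as loaded on two gateways."""
import ipaddress

# Constructed samples modelled on the mirrored box a / box b conns posted above.
BOX_A = """\
conn leo-koehnen
    type=tunnel
    left=boxa.example.com
    leftsubnet=192.168.1.0/24
    leftid=@boxa.example.com
    leftrsasigkey=0sKEYA-placeholder
    right=boxb.example.com
    rightsubnet=172.16.0.0/24
    rightid=@boxb.example.com
    rightrsasigkey=0sKEYB-placeholder
    rightnexthop=%defaultroute
    authby=rsasig
"""

BOX_B = """\
conn leo-koehnen
    type=tunnel
    left=boxb.example.com
    leftsubnet=172.16.0.0/24
    leftid=@boxb.example.com
    leftrsasigkey=0sKEYB-placeholder
    leftnexthop=%defaultroute
    right=boxa.example.com
    rightsubnet=192.168.1.0/24
    rightid=@boxa.example.com
    rightrsasigkey=0sKEYA-placeholder
    rightnexthop=%defaultroute
    authby=rsasig
"""

# ipsec.conf(5) defaults for the settings both ends must agree on.
DEFAULTS = {"authby": "rsasig", "type": "tunnel"}
# Per-end settings that must agree between peers; nexthop is left out on
# purpose because it only describes the local box's own path to the other end.
SIDE_KEYS = ("", "subnet", "id", "rsasigkey")


def parse_conns(text):
    """Parse the `conn NAME` sections of an ipsec.conf into {name: {key: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        if line.startswith("conn "):
            current = line[5:].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def end(conn, prefix):
    """One end (left or right) of a conn as a comparable tuple."""
    return tuple(conn.get(prefix + k) for k in SIDE_KEYS)


def check_conn(conn):
    """Findings about a single conn on its own."""
    findings = []
    if conn.get("authby", DEFAULTS["authby"]) == "rsasig":
        for prefix in ("left", "right"):
            if not conn.get(prefix + "rsasigkey"):
                findings.append(f"{prefix}rsasigkey missing while authby=rsasig")
    try:
        left = ipaddress.ip_network(conn["leftsubnet"])
        right = ipaddress.ip_network(conn["rightsubnet"])
        if left.overlaps(right):
            findings.append(f"leftsubnet {left} overlaps rightsubnet {right}")
    except (KeyError, ValueError) as exc:
        findings.append(f"subnet problem: {exc}")
    return findings


def check_peers(conn_a, conn_b):
    """Findings for the same conn loaded on both gateways, identical or mirrored."""
    findings = check_conn(conn_a) + check_conn(conn_b)
    ends_a = {end(conn_a, "left"), end(conn_a, "right")}
    ends_b = {end(conn_b, "left"), end(conn_b, "right")}
    if ends_a != ends_b:
        findings.append("the two gateways describe different ends "
                        "(address, subnet, id or rsasigkey differ)")
    for key, default in DEFAULTS.items():
        if conn_a.get(key, default) != conn_b.get(key, default):
            findings.append(f"{key} differs between peers")
    return findings


if __name__ == "__main__":
    a = parse_conns(BOX_A)["leo-koehnen"]
    b = parse_conns(BOX_B)["leo-koehnen"]
    print(check_peers(a, b) or "consistent")
```

Run it with the conn from each gateway's ipsec.conf: an empty list means the two sides describe the same tunnel. A key that differs crosswise (one side's leftrsasigkey is not the other's rightrsasigkey) is the configuration mistake that produces Prompty's "check the key" hint, and a subnet that is not a clean network (host bits set) is flagged before pluto ever sees it.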
Prompty (Apprentice)
Joined: 08 Feb 2004 Posts: 292
Posted: Tue Mar 15, 2005 8:58 pm
Sorry for the late reply... a properly configured IPsec should lift up a route,
but you can try shutting down and turning on connections a few times and see what's in the logs.
To down and up connections... maintenance, i.e.
Code: |
ipsec auto --down name
ipsec auto --up name
|
After making changes in the configuration files (no, downing and upping connections won't do the trick):
Code: |
ipsec auto --delete name
ipsec auto --add name
|
If that's too obvious to you then sorry. I know I had a few hours overtime because of that :]
<EDIT>
My ipsec.conf if you want it for one reason or another:
Code: |
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.
# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces="ipsec0=eth0"
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes
# options for super_freeswan only
nat_traversal=yes
nocrsend=yes
virtual_private=%v4:172.25.0.0/16
# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
keyingtries=0
disablearrivalcheck=no
authby=rsasig
leftrsasigkey=%dns
rightrsasigkey=%dns
#ikelifetime=10m
#keylife=10m
#rekey=yes
#rekeymargin=1m
|
_________________ <input stupid message here>
makenoob (Apprentice)
Joined: 19 Aug 2004 Posts: 272 Location: /Germany/Düsseldorf
Posted: Tue Mar 15, 2005 9:14 pm
I tried it with "interface="ipsec0=ppp0"" but an interface "ipsec0" won't come up and the route wasn't set right, so that a ping to a private address on the other subnet was blocked by the provider's router (as it should be).
The problem that I have, that's just my opinion, is that I don't have an interface called ipsec0 that comes up with "/etc/init.d/ipsec start", and so the routing can't be done right by the gateways.
I will give it another try tomorrow.
Thx.
Marc
PS: what about setting up a virtual interface ipsec0 (sorry, but I don't know how to do this with Gentoo's ifconfig) and then bridging it with bridge utils, so that it might look something like
Code: |
bridge="br100"
bridge_br100_devices="ppp0 ipsec0"
|
I dunno if that might help, but it seems to work for OpenVPN. It may be a nasty trick, but if it works, it might be useful. Anyone know how to set up a virtual interface with "ifconfig"?
makenoob (Apprentice)
Joined: 19 Aug 2004 Posts: 272 Location: /Germany/Düsseldorf
Posted: Thu Mar 17, 2005 9:40 am
Back again and still no IPsec-based VPN running. I don't know what I'm doing wrong, but when I start my IPsec connection with "/etc/init.d/ipsec start" no ipsec0 interface shows up to route the connection through the tunnel. Both gateways try to route through the internet gateways, which block the requests.
Anybody got a hint for me how to get this interface up and running for routing the tunnel?
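The last two posts look for an ipsec0 device that never appears. The startup log posted earlier loads af_key and xfrm_user, the modules of the kernel's native 2.6 IPsec stack (NETKEY), and pluto reports "Using Linux 2.6 IPsec interface code"; with that stack there is no ipsec0 device and no route through it, whatever ipsec_setup prints about KLIPS. An ipsec0 device only exists with KLIPS. On NETKEY pluto installs xfrm policies, and whether the tunnel is there is read from `ip xfrm policy show`. As an added example, not code from the thread or from Openswan, the script below parses a constructed sample of that output and checks that the out/in/fwd policies a working tunnel needs exist for a subnet pair; the subnets and the RFC 5737 public addresses in the sample are assumptions.

```python
"""Verify a NETKEY tunnel from `ip xfrm policy` output instead of looking for ipsec0."""
import re

# Constructed sample of `ip xfrm policy show` on a gateway where pluto has
# installed a tunnel between 192.168.0.0/24 (local) and 192.168.1.0/24 (remote).
XFRM_POLICY = """\
src 192.168.0.0/24 dst 192.168.1.0/24
\tdir out priority 2344
\ttmpl src 198.51.100.45 dst 203.0.113.34
\t\tproto esp reqid 16385 mode tunnel
src 192.168.1.0/24 dst 192.168.0.0/24
\tdir fwd priority 2344
\ttmpl src 203.0.113.34 dst 198.51.100.45
\t\tproto esp reqid 16385 mode tunnel
src 192.168.1.0/24 dst 192.168.0.0/24
\tdir in priority 2344
\ttmpl src 203.0.113.34 dst 198.51.100.45
\t\tproto esp reqid 16385 mode tunnel
"""

HEAD_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s+dir (\w+)")
TMPL_RE = re.compile(r"^\s+tmpl src (\S+) dst (\S+)")
MODE_RE = re.compile(r"^\s+proto (\w+).*mode (\w+)")


def parse_xfrm_policies(text):
    """Parse `ip xfrm policy show` output into a list of policy dicts."""
    policies, cur = [], None
    for line in text.splitlines():
        m = HEAD_RE.match(line)
        if m:                                   # a new policy starts here
            cur = {"src": m.group(1), "dst": m.group(2), "dir": None,
                   "tmpl_src": None, "tmpl_dst": None, "proto": None, "mode": None}
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = DIR_RE.match(line)
        if m:
            cur["dir"] = m.group(1)
            continue
        m = TMPL_RE.match(line)
        if m:
            cur["tmpl_src"], cur["tmpl_dst"] = m.groups()
            continue
        m = MODE_RE.match(line)
        if m:
            cur["proto"], cur["mode"] = m.groups()
    return policies


def tunnel_status(policies, local_subnet, remote_subnet):
    """Which of the three policies a working subnet-to-subnet tunnel needs exist.

    out: traffic from the local subnet to the remote one is encrypted;
    fwd: decrypted traffic may be forwarded on to the local subnet;
    in:  decrypted traffic addressed to the gateway itself is accepted.
    """
    wanted = {"out": (local_subnet, remote_subnet),
              "fwd": (remote_subnet, local_subnet),
              "in": (remote_subnet, local_subnet)}
    return {
        direction: any(p["dir"] == direction and p["src"] == src and p["dst"] == dst
                       and p["proto"] == "esp" and p["mode"] == "tunnel"
                       for p in policies)
        for direction, (src, dst) in wanted.items()
    }


def tunnel_installed(policies, local_subnet, remote_subnet):
    """True only when all three policy directions are present."""
    return all(tunnel_status(policies, local_subnet, remote_subnet).values())


if __name__ == "__main__":
    pols = parse_xfrm_policies(XFRM_POLICY)
    print(tunnel_status(pols, "192.168.0.0/24", "192.168.1.0/24"))
```

On each gateway run `ip xfrm policy show` (and `ip xfrm state show` for the negotiated SAs). If no policy covers the two private subnets, a ping to the far subnet leaves in the clear over the default route and the provider's router drops it, which matches what the last posts describe; bridging ppp0 with a hand-made ipsec0 cannot change that, because on NETKEY the kernel decides by policy, not by device.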