unax n00b
Joined: 04 May 2010 Posts: 20 Location: Russia, Novokuznetsk (Siberia)
Posted: Fri Dec 03, 2010 3:36 am. Post subject: Set the configuration of interfaces for IPSec-tunnels
Hello, comrades! I have a tiny question.
Suppose we create a tunnel between two addresses, 100.111.222.1 and 100.111.222.2, using net-firewall/ipsec-tools-0.7.3-r1 (USE="iconv ipv6 nat pam readline -hybrid -idea -kerberos -ldap -rc5 (-selinux)").
The first server has a configuration like this (in /etc/racoon/racoon.conf):
```
path pre_shared_key "/etc/racoon/psk.txt";
remote 100.111.222.2[500]
{
    exchange_mode aggressive,main;
    doi ipsec_doi;
    situation identity_only;
    my_identifier address;
    initial_contact on;
    proposal_check obey;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 5;
    }
}
sainfo anonymous
{
    pfs_group 2;
    lifetime time 12 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```
In /etc/racoon/ipsec.conf:
```
spdadd 100.111.222.2/32 100.111.222.1/32 ipencap -P in ipsec
    esp/tunnel/100.111.222.2-100.111.222.1/require;
spdadd 100.111.222.1/32 100.111.222.2/32 ipencap -P out ipsec
    esp/tunnel/100.111.222.1-100.111.222.2/require;
```
And in /etc/racoon/psk.txt:
```
100.111.222.1 keykeykeykeykeykey
```
And similarly on the second server of the tunnel.
And finally, how do I create virtual interfaces in /etc/conf.d/net? I need to set the local addresses of the tunnel and the names of the virtual interfaces; this is needed for the iptables and routing settings.
In FreeBSD this is simple: declare the interfaces in /etc/rc.conf. For example:
```
gifconfig_gif3="100.111.222.1 100.111.222.2"
ifconfig_gif3="inet 10.10.1.1 10.10.2.1 netmask 255.255.255.255"
```
How can I declare virtual interfaces and set their configuration for the tunnel?
Waiting for your advice.
salahx Guru
Joined: 12 Mar 2005 Posts: 559
Posted: Fri Dec 03, 2010 8:00 pm
Unlike FreeBSD, Linux does not use a separate interface for IPsec; rather, the IPsec policies define what gets tunneled and how.
unax n00b
Posted: Sun Dec 05, 2010 4:38 pm
> salahx wrote: Unlike FreeBSD, Linux does not use a separate interface for IPsec; rather, the IPsec policies define what gets tunneled and how.

Hmm... then I can declare the IP addresses and the interface names in racoon's configuration files... I still don't know how it's done.
Can anybody share their experience? What should I write? :oops:
salahx Guru
Posted: Sun Dec 05, 2010 8:07 pm
Well, I'm not exactly sure how you've got your network configured, but given that you are using tunnel mode it sounds like you are probably trying to connect 2 networks at different sites.
So using the IPs you gave, 100.111.222.1 and 100.111.222.2, let's presume 100.111.222.1 has a 192.168.1.0/24 behind it, and 100.111.222.2 has a 192.168.2.0/24 behind it.
So, for the router on 100.111.222.1, the ipsec.conf would be as follows:
```
#!/usr/sbin/setkey -f
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
    esp/tunnel/100.111.222.1-100.111.222.2/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/100.111.222.1-100.111.222.2/require;
#spdadd 192.168.2.0/24 192.168.1.0/24 any -P fwd ipsec
#    esp/tunnel/100.111.222.1-100.111.222.2/require;
```
For the other router, the rules are similar, except the source and destination rules are reversed (under Linux, the "fwd" rule is implied by the "in" rule, so I commented it out).
And that's it. Any traffic from 192.168.1.0/24 going to 192.168.2.0/24 will be transparently tunneled from 100.111.222.1 to 100.111.222.2 and appear on the other side as though it came from 192.168.1.0/24.
So that means on the 100.111.222.2 interface, packets will be appearing from 192.168.1.0/24. You'll need to set up IP forwarding and set up a route from 192.168.1.0/24 to 192.168.2.0/24 via whatever interface 100.111.222.2 is on. Note that this means you'll be legitimately getting private IPs on an interface with a public IP. Make sure you're not blocking all 192.168.0.0/16 packets on the 100.111.222.2 interface via iptables (you can use iptables to set the ones in the tunnel though while blocking non-tunneled ones).
unax n00b
Posted: Mon Dec 06, 2010 10:33 am
Thanks for all! I did as you advised.
But today I tried to create the tunnels between 2 servers in my home LAN, and I have a problem.
I think the test servers now have a working configuration, but I don't understand why the tunnel is not created. The servers even have no firewall! (iptables uses an ACCEPT default policy.) I hope someone can help me understand the error...
Configurations:
Test server 1:
```
config_eth0=( "10.0.11.26 netmask 255.255.255.0" )
config_eth1=( "192.168.1.1 netmask 255.255.255.0" )
```
eth1 and eth0 are real interfaces and they are working.
/etc/racoon/racoon.conf:
```
path include "/etc/racoon";
log debug;
path pre_shared_key "/etc/racoon/psk.txt";
padding
{
    maximum_length 20;
    randomize off;
    strict_check off;
    exclusive_tail off;
}
listen
{
    isakmp 10.0.11.26 [500];
}
timer
{
    counter 5;
    interval 20 sec;
    persend 1;
    phase1 30 sec;
    phase2 15 sec;
}
remote 10.0.11.20[500]
{
    my_identifier address 10.0.11.26;
    exchange_mode aggressive,main;
    initial_contact off;
    doi ipsec_doi;
    lifetime time 24 hour;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo anonymous
{
    pfs_group 2;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    lifetime time 3600 sec;
}
```
Here is /etc/racoon/ipsec.conf:
```
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/10.0.11.26-10.0.11.20/require;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P fwd ipsec esp/tunnel/10.0.11.26-10.0.11.20/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/10.0.11.20-10.0.11.26/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P fwd ipsec esp/tunnel/10.0.11.20-10.0.11.26/require;
```
/etc/racoon/psk.txt consists of one line: 10.0.11.20 gentoothebest
Moreover, server 2 has these configurations:
net:
```
config_eth0=( "10.0.11.20 netmask 255.255.255.0" )
vlans_eth0="1"
vconfig_eth0=( "set_name_type VLAN_PLUS_VID_NO_PAD" )
vconfig_vlan1=( "set_flag 1" "set_egress_map 2 6" )
```
For the test I use a virtual interface; ping to it works from localhost.
The file /etc/racoon/racoon.conf is like test server 1's; only the IP addresses differ.
/etc/racoon/ipsec.conf:
```
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/10.0.11.20-10.0.11.26/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P fwd ipsec esp/tunnel/10.0.11.20-10.0.11.26/require;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P in ipsec esp/tunnel/10.0.11.26-10.0.11.20/require;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P fwd ipsec esp/tunnel/10.0.11.26-10.0.11.20/require;
```
And finally, 10.0.11.26 gentoothebest in /etc/racoon/psk.txt.
So...
```sh
test_server1# /etc/init.d/racoon start
test_server2# /etc/init.d/racoon start
```
And let's see:
```sh
# setkey -DP
```
```
(per-socket policy)
Policy:[Invalid direciton]
created: Dec 6 15:08:39 2010 lastused:
lifetime: 0(s) validtime: 0(s)
spid=716 seq=1 pid=24704
refcnt=1
(per-socket policy)
Policy:[Invalid direciton]
created: Dec 6 15:08:39 2010 lastused:
lifetime: 0(s) validtime: 0(s)
spid=707 seq=2 pid=24704
refcnt=1
192.168.2.0/24[any] 192.168.1.0/24[any] any
fwd prio def ipsec
esp/tunnel/10.0.11.20-10.0.11.26/require
created: Dec 6 15:08:39 2010 lastused:
lifetime: 0(s) validtime: 0(s)
spid=698 seq=3 pid=24704
refcnt=1
192.168.2.0/24[any] 192.168.1.0/24[any] any
in prio def ipsec
esp/tunnel/10.0.11.20-10.0.11.26/require
created: Dec 6 15:08:39 2010 lastused:
lifetime: 0(s) validtime: 0(s)
spid=688 seq=4 pid=24704
refcnt=1
192.168.1.0/24[any] 192.168.2.0/24[any] any
fwd prio def ipsec
esp/tunnel/10.0.11.26-10.0.11.20/require
created: Dec 6 15:08:39 2010 lastused:
lifetime: 0(s) validtime: 0(s)
spid=682 seq=5 pid=24704
refcnt=1
192.168.1.0/24[any] 192.168.2.0/24[any] any
out prio def ipsec
esp/tunnel/10.0.11.26-10.0.11.20/require
created: Dec 6 15:08:39 2010 lastused:
lifetime: 0(s) validtime: 0(s)
spid=673 seq=0 pid=24704
refcnt=1
```
Nothing. And the most incomprehensible thing to me...
```sh
# tcpdump -i eth0 port 500 or host 10.0.11.20
```
(on either server) NOTHING!! O_o No attempt to connect, but the network has no restrictions!
See the logs...
```
2010-12-06 15:08:39: INFO: 10.0.11.26[500] used as isakmp port (fd=6)
2010-12-06 15:08:39: DEBUG: pk_recv: retry[0] recv()
2010-12-06 15:08:39: DEBUG: get pfkey X_SPDDUMP message
2010-12-06 15:08:39: DEBUG: pk_recv: retry[0] recv()
2010-12-06 15:08:39: DEBUG: get pfkey X_SPDDUMP message
2010-12-06 15:08:39: DEBUG: sub:0xbfe81c5c: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in
2010-12-06 15:08:39: DEBUG: db :0x97b8d00: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=fwd
2010-12-06 15:08:39: DEBUG: pk_recv: retry[0] recv()
2010-12-06 15:08:39: DEBUG: get pfkey X_SPDDUMP message
2010-12-06 15:08:39: DEBUG: sub:0xbfe81c5c: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=fwd
2010-12-06 15:08:39: DEBUG: db :0x97b8d00: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=fwd
2010-12-06 15:08:39: DEBUG: sub:0xbfe81c5c: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=fwd
2010-12-06 15:08:39: DEBUG: db :0x97b8f48: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in
2010-12-06 15:08:39: DEBUG: pk_recv: retry[0] recv()
2010-12-06 15:08:39: DEBUG: get pfkey X_SPDDUMP message
2010-12-06 15:08:39: DEBUG: sub:0xbfe81c5c: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
2010-12-06 15:08:39: DEBUG: db :0x97b8d00: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=fwd
2010-12-06 15:08:39: DEBUG: sub:0xbfe81c5c: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
2010-12-06 15:08:39: DEBUG: db :0x97b8f48: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in
2010-12-06 15:08:39: DEBUG: sub:0xbfe81c5c: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
2010-12-06 15:08:39: DEBUG: db :0x97b9190: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=fwd
```
No errors, no warnings...
The tunnels are still down. What's happening?
salahx Guru
Posted: Mon Dec 06, 2010 4:55 pm
OK, if server1 has an external IP of 10.0.11.26 and an internal IP of 192.168.1.1 (with a 192.168.1.0/24 behind it) and server2 has an external IP of 10.0.11.20 and an internal IP of 192.168.2.1 (with a 192.168.2.0/24 behind it), then it should go something like this:
For server1 /etc/ipsec.conf:
```
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
    esp/tunnel/10.0.11.26-10.0.11.20/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/10.0.11.26-10.0.11.20/require;
```
For server2 /etc/ipsec.conf:
```
flush;
spdflush;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec
    esp/tunnel/10.0.11.20-10.0.11.26/require;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P in ipsec
    esp/tunnel/10.0.11.20-10.0.11.26/require;
```
Now, from server1, ping 192.168.2.1. You should see it go over the tunnel. Note, however, that with this setup any traffic going directly from 10.0.11.26 to 10.0.11.20 (or vice versa) does NOT go over the tunnel, only traffic from 192.168.1.0/24 to 192.168.2.0/24 (or vice versa). So "ping 10.0.11.20" from 10.0.11.26 does NOT go over the IPsec tunnel with these rules, but if you want it to, adding a rule to do that is simple.
unax n00b
Posted: Tue Dec 07, 2010 2:45 am
> salahx wrote: Now, from server1, ping 192.168.2.1. You should see it go over the tunnel.

The whole problem is that the tunnel is not created. I have already tried many variants of different configurations... and still don't see my error.
I get the impression that the server does not even try to establish a connection...
salahx Guru
Posted: Tue Dec 07, 2010 7:44 am
Maybe something is wrong with /etc/racoon/racoon.conf. There's a lot of extraneous stuff in there.
I suspect this ought to work (unfortunately, while experimenting with this I killed the other machine and have no physical access to it right now).
For 10.0.11.26:
```
path pre_shared_key "/etc/racoon/psk.txt";
path script "/etc/racoon/scripts";
remote 10.0.11.20 {
    exchange_mode main;
    my_identifier address 10.0.11.26;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 14;
    }
}
sainfo subnet 192.168.1.0/24 any address 192.168.2.0/24 any {
    pfs_group 2;
    encryption_algorithm aes, 3des;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}
sainfo address 10.0.11.20 any address 10.0.11.26 any {
    pfs_group 2;
    encryption_algorithm aes, 3des;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}
```
For 10.0.11.20:
```
path pre_shared_key "/etc/racoon/psk.txt";
path script "/etc/racoon/scripts";
remote 10.0.11.26 {
    exchange_mode main;
    my_identifier address 10.0.11.20;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 14;
    }
}
sainfo subnet 192.168.2.0/24 any address 192.168.1.0/24 any {
    pfs_group 2;
    encryption_algorithm aes, 3des;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}
sainfo address 10.0.11.26 any address 10.0.11.20 any {
    pfs_group 2;
    encryption_algorithm aes, 3des;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}
```
You probably don't need both sainfo statements, but I'm not sure which one is correct; having both won't do any harm.
salahx Guru
Posted: Wed Dec 08, 2010 7:38 am
OK, after some tests, this ought to do it. I've tested between 2 machines and packets flow through the tunnel.
For 10.0.11.26 racoon.conf:
```
path pre_shared_key "/etc/racoon/psk.txt";
path script "/etc/racoon/scripts";
remote 10.0.11.20 {
    exchange_mode main;
    my_identifier address 10.0.11.26;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 14;
    }
}
sainfo subnet 192.168.1.0/24 any address 192.168.2.0/24 any {
    pfs_group 2;
    encryption_algorithm aes, 3des;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}
```
For 10.0.11.26 ipsec.conf:
```
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
    esp/tunnel/10.0.11.26-10.0.11.20/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/10.0.11.20-10.0.11.26/require;
```
For 10.0.11.20 racoon.conf:
```
path pre_shared_key "/etc/racoon/psk.txt";
path script "/etc/racoon/scripts";
remote 10.0.11.26 {
    exchange_mode main;
    my_identifier address 10.0.11.20;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 14;
    }
}
sainfo subnet 192.168.2.0/24 any address 192.168.1.0/24 any {
    pfs_group 2;
    encryption_algorithm aes, 3des;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}
```
For 10.0.11.20 ipsec.conf:
```
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec
    esp/tunnel/10.0.11.20-10.0.11.26/require;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P in ipsec
    esp/tunnel/10.0.11.26-10.0.11.20/require;
```
Now, on 10.0.11.26:
```sh
ping -I eth1 192.168.2.1
```
This will cause the tunnel to be established, and encrypted packets will start flying over the link (you may not get a reply to the ping; that's OK, we don't have routes set up yet).
You can see it with:
```sh
tcpdump -i eth0 ip proto 50
```
You'll need to create the required routes.
On 10.0.11.26:
```sh
ip route add 192.168.2.0/24 via 10.0.11.20
```
On 10.0.11.20:
```sh
ip route add 192.168.1.0/24 via 10.0.11.26
```
One other thing: on my machine, to get this to work, I had to disable reverse path filtering on the interface the packets were being tunneled over (in your case, that'll be eth0).
So you may need something like this on each machine:
```sh
echo -n 2 >/proc/sys/net/ipv4/conf/eth0/rp_filter
```
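The detail that changed between the Dec 6 and Dec 8 ipsec.conf files is the outer addresses of the in policy: they must be the reverse of the out policy's, and each peer's out policy must match the other peer's in policy exactly. As an added example (not from the thread, and not part of ipsec-tools), a small Python checker that parses setkey spdadd statements and reports both kinds of mismatch; the sample input is the Dec 8 server1 file reproduced here, with server2's file and the Dec 6 variant derived from it.

```python
import re
from dataclasses import dataclass

# One spdadd statement. Statements may wrap over two lines, and some pasted
# configs put a space before "/require"; both are tolerated here.
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\s+ipsec\s+"
    r"(esp|ah)/tunnel/([^\s-]+)-([^\s/]+)\s*/(require|use|default)\s*;"
)


@dataclass(frozen=True)
class Policy:
    src: str        # inner selector: source network
    dst: str        # inner selector: destination network
    upper: str      # upper-layer protocol selector (any, icmp, ...)
    direction: str  # in / out / fwd
    proto: str      # esp / ah
    tun_src: str    # outer (tunnel) source address
    tun_dst: str    # outer (tunnel) destination address
    level: str      # require / use / default

    def mirror(self):
        """Local policy for the reply traffic: selectors and outer addresses
        swapped, direction flipped (fwd stays fwd)."""
        flipped = {"in": "out", "out": "in"}.get(self.direction, self.direction)
        return Policy(self.dst, self.src, self.upper, flipped, self.proto,
                      self.tun_dst, self.tun_src, self.level)

    def wire_key(self):
        """How an ESP packet produced under this policy looks on the wire."""
        return (self.src, self.dst, self.upper, self.proto,
                self.tun_src, self.tun_dst, self.level)


def parse_spd(text):
    """Extract the spdadd statements from a 'setkey -f' script."""
    lines = [ln.strip() for ln in text.splitlines()]
    flat = " ".join(ln for ln in lines if ln and not ln.startswith("#"))
    return [Policy(*m.groups()) for m in SPDADD_RE.finditer(flat)]


def check_local(policies):
    """Each out policy needs an in policy with swapped selectors AND swapped
    outer addresses (the peer's ESP travels from its address to ours).
    fwd policies are ignored: Linux derives them from the in policy."""
    problems = []
    ins = {(p.src, p.dst, p.upper): p for p in policies if p.direction == "in"}
    for p in policies:
        if p.direction != "out":
            continue
        want = p.mirror()
        got = ins.get((want.src, want.dst, want.upper))
        if got is None:
            problems.append(f"no in policy for {want.src} -> {want.dst}")
        elif (got.tun_src, got.tun_dst) != (want.tun_src, want.tun_dst):
            problems.append(f"in policy {got.src} -> {got.dst} has tunnel "
                            f"{got.tun_src}-{got.tun_dst}, expected "
                            f"{want.tun_src}-{want.tun_dst}")
    return problems


def check_peers(a, b):
    """Every out policy on one peer must match an in policy on the other
    exactly: same selectors, outer addresses, protocol and level."""
    problems = []
    for sender, receiver, label in ((a, b, "a->b"), (b, a, "b->a")):
        accepted = {p.wire_key() for p in receiver if p.direction == "in"}
        for p in sender:
            if p.direction == "out" and p.wire_key() not in accepted:
                problems.append(f"{label}: peer has no in policy for "
                                f"{p.src} -> {p.dst} via {p.tun_src}-{p.tun_dst}")
    return problems


# Constructed sample input: server1's ipsec.conf from the Dec 8 post.
SERVER1 = """#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
    esp/tunnel/10.0.11.26-10.0.11.20/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/10.0.11.20-10.0.11.26/require;
"""
# server2's file from the same post is the same two policies with in/out swapped.
SERVER2 = re.sub(r"-P (in|out)", lambda m: "-P out" if m[1] == "in" else "-P in", SERVER1)
# The Dec 6 variant: the in policy kept the out policy's outer addresses.
SERVER1_DEC6 = SERVER1.replace("10.0.11.20-10.0.11.26", "10.0.11.26-10.0.11.20")
```

Running check_local on SERVER1_DEC6 reports the in policy with tunnel 10.0.11.26-10.0.11.20 where 10.0.11.20-10.0.11.26 is expected; the Dec 8 pair passes both checks.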
unax n00b
Posted: Mon Dec 13, 2010 1:52 pm
Hm... how does the kernel option "Network device support -> Universal TUN/TAP device driver support" affect how racoon works? Is this option required for IPsec tunnels?
Now I use OpenVPN, and I like it, but I'd like to set up racoon too.
salahx Guru
Posted: Mon Dec 13, 2010 8:11 pm
You don't need tap/tun support for IPsec (you do for OpenVPN, however).
The config files above should establish the tunnel. Remember though: when testing, make sure the applications are bound to the right interface; in particular, most programs bind to the interface the default gateway is on.
So use something like this:
```sh
tcpdump -i eth0 ip proto 50 or 51
ping -I eth1 192.168.2.1
traceroute -s 192.168.1.1 192.168.2.1
```
You should see ESP packets flowing. Then the tricky part is setting up the routing; in my case, it got complicated because in the testbed I was using (2 computers connected via OpenVPN), neither was the default gateway (or even a router, so I had to turn on IP forwarding on both and convert them to routers) and both external connections were on the same subnet.
unax n00b
Posted: Wed Dec 22, 2010 5:44 pm
I decided to continue experimenting and am getting closer to solving this... salahx, my great thanks.
But it's all still very strange.
In general, the main task is setting up tunnels gentoo<===>freebsd.
Currently there is a FreeBSD server, and it has several working tunnels. On this server I created a new tunnel, like the others on it.
The main FreeBSD server is named "Server F"; its IP = xx.xx.xx.xx, localnet = 10.10.1.0/24.
One of my Gentoo servers has IP = yy.yy.yy.yy, localnet = 10.10.5.1/24, name = "Server G".
Server G: net-firewall/ipsec-tools-0.7.3-r1 USE="iconv ipv6 nat pam rc5 readline -hybrid -idea -kerberos -ldap (-selinux)"
In /etc/racoon/racoon.conf:
```
path pre_shared_key "/etc/racoon/psk.txt";
remote xx.xx.xx.xx {
    exchange_mode main;
    my_identifier address yy.yy.yy.yy;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo subnet 10.10.5.0/24 any address 10.10.1.0/24 any
{
    pfs_group 2;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```
```
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 10.10.5.0/24 10.10.1.0/24 any -P out ipsec esp/tunnel/xx.xx.xx.xx-yy.yy.yy.yy/require;
spdadd 10.10.1.0/24 10.10.5.0/24 any -P in ipsec esp/tunnel/yy.yy.yy.yy-xx.xx.xx.xx/require;
```
/etc/conf.d/racoon:
```
RACOON_OPTS=" -l /var/log/racoon.log -v"
RACOON_CONF="/etc/racoon/racoon.conf"
RACOON_PSK_FILE="/etc/racoon/psk.txt"
SETKEY_CONF="/etc/ipsec.conf"
RACOON_RESET_TABLES="true"
```
/etc/racoon/psk.txt exists too.
The firewall has the correct configuration (iptables and ipfw).
1) # /etc/init.d/ipsec start
```
* Starting IPSEC ... ...
ipsec_setup: Starting Openswan IPsec 2.4.15...
```
...and it thinks for a long, long time... Then I press Ctrl+C... It is unclear why it does not start correctly O_o
Moreover, time to try starting racoon.
2) /etc/init.d/racoon start; ps ax shows: /usr/sbin/racoon -f /etc/racoon/racoon.conf -l /var/log/racoon.log -v
I look in the log file on Server F for an attempt to connect... and there is nothing about a tunnel from Server G!
OK, look in the file on server G...
```
2010-12-23 05:49:12: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
2010-12-23 05:49:12: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
2010-12-23 05:49:12: INFO: Reading configuration from "/etc/racoon/racoon.conf"
2010-12-23 05:49:13: ERROR: failed to bind to address 127.0.0.1[500] (Address already in use). <= x_X
2010-12-23 05:49:13: ERROR: failed to bind to address 10.10.5.1[500] (Address already in use).
2010-12-23 05:49:13: ERROR: failed to bind to address yy.yy.yy.yy[500] (Address already in use).
2010-12-23 05:49:13: ERROR: failed to bind to address ::1[500] (Address already in use).
2010-12-23 05:49:13: INFO: fe80::2e0:4cff:fea0:8bbf%eth0[500] used as isakmp port (fd=6)
2010-12-23 05:49:13: INFO: fe80::4e00:10ff:fea1:95b9%eth1[500] used as isakmp port (fd=7)
2010-12-23 06:27:17: INFO: caught signal 15
```
"Address in use": in use for what? O_o What does this mean... And what does the ipsec start problem mean... :(
salahx Guru
Posted: Wed Dec 22, 2010 9:58 pm
"Address in use" means something is already listening on that port. If you're trying to run both Openswan and racoon on the same machine, don't, as they both do the same thing and will conflict with one another.
unax n00b
Posted: Thu Dec 23, 2010 3:37 pm
OK... now I start without ipsec (to avoid any conflict).
Log on Server G:
```
2010-12-24 04:21:26: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
2010-12-24 04:21:26: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
2010-12-24 04:21:26: INFO: Reading configuration from "/etc/racoon/racoon.conf"
2010-12-24 04:21:26: INFO: 127.0.0.1[500] used as isakmp port (fd=6)
2010-12-24 04:21:26: INFO: 127.0.0.1[500] used for NAT-T
2010-12-24 04:21:26: INFO: 10.10.5.1[500] used as isakmp port (fd=7)
2010-12-24 04:21:26: INFO: 10.10.5.1[500] used for NAT-T
2010-12-24 04:21:26: INFO: yy.yy.yy.yy[500] used as isakmp port (fd=8)
2010-12-24 04:21:26: INFO: yy.yy.yy.yy[500] used for NAT-T
2010-12-24 04:21:26: INFO: ::1[500] used as isakmp port (fd=9)
2010-12-24 04:21:26: INFO: fe80::2e0:4cff:fea0:8bbf%eth0[500] used as isakmp port (fd=10)
2010-12-24 04:21:26: INFO: fe80::4e00:10ff:fea1:95b9%eth1[500] used as isakmp port (fd=11)
```
And looking at Server F's logs: nothing again! No logs about an attempt to connect from Server G.
I absolutely don't understand why it was not trying to connect to Server F >_<
salahx Guru
Posted: Fri Dec 24, 2010 1:55 am
racoon won't bring up the tunnel until something actually needs it. So do:
```sh
ping -I eth1 10.10.1.0
```
(where eth1 is the interface connected to your INTERNAL network). You should see the tunnel get established.
unax n00b
Posted: Sat Dec 25, 2010 6:59 pm
Yes, it works! I had just forgotten some rules for the firewall, but tcpdump fixed my problems with iptables :)
P.S.
Maybe this will be helpful to someone... Something about a firewall for client-server (remote office).
This example of iptables rules applies only to traffic between the local networks of the offices.
```sh
IPTABLES=/sbin/iptables       # path to the iptables binary (not in the original snippet)
LOCAL_NET=10.10.5.0/24        # office network
LAN_IP=10.10.5.1              # IP of the office gateway
WAN_IP=yy.yy.yy.yy            # IP of ppp0
REMOTE_LAN=10.0.10.0/24       # remote LAN
IPSEC_SERVER=xx.xx.xx.xx      # server of the main office
IINTERFACE=eth1               # office LAN
OINTERFACE=eth0               # for pppoe
VINTERFACE=ppp0               # pppoe iface
$IPTABLES -A INPUT -i $IINTERFACE -s $REMOTE_LAN -j ACCEPT
$IPTABLES -A INPUT -i lo -s $REMOTE_LAN -j ACCEPT
# IKE, NAT-T, ESP, AH and GRE from the main office's IPsec server
$IPTABLES -A INPUT -p udp -s $IPSEC_SERVER -d $WAN_IP --dport 500 -j ACCEPT
$IPTABLES -A INPUT -p udp -s $IPSEC_SERVER -d $WAN_IP --dport 4500 -j ACCEPT
$IPTABLES -A INPUT -p esp -s $IPSEC_SERVER -d $WAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ah -s $IPSEC_SERVER -d $WAN_IP -j ACCEPT
$IPTABLES -A INPUT -p gre -s $IPSEC_SERVER -d $WAN_IP -j ACCEPT
inet=`cat /etc/firewall/IP_FULL_ACCEESS_LIST | grep -v "#"` # IP list of office LAN hosts with full internet access
$IPTABLES -A FORWARD -i $IINTERFACE -o $VINTERFACE -d $REMOTE_LAN -s $LOCAL_NET -j ACCEPT
$IPTABLES -A FORWARD -i $VINTERFACE -o $IINTERFACE -s $REMOTE_LAN -d $LOCAL_NET -j ACCEPT
$IPTABLES -A FORWARD -i $VINTERFACE -o $IINTERFACE ! --source $REMOTE_LAN --destination $LOCAL_NET --match state --state ESTABLISHED -j ACCEPT
for ip in $inet; do
    $IPTABLES -A FORWARD -i $IINTERFACE -o $VINTERFACE --source $ip ! --destination $REMOTE_LAN --match state --state NEW,ESTABLISHED -j ACCEPT
done
# NAT everything leaving for the internet, but not the traffic bound for the remote LAN (that goes into the tunnel)
$IPTABLES -t nat -A POSTROUTING -s $LOCAL_NET ! -d $REMOTE_LAN -o $VINTERFACE -p ALL -j SNAT --to-source $WAN_IP
```
unax n00b
Posted: Thu Jan 27, 2011 8:31 am
I have a tiny question.
If I specify the interface, the traffic goes into the tunnel:
```sh
ping -I eth1 10.100.1.100
```
where 10.100.1.0/24 is the remote subnet.
How do I configure routing for direct access (just ping 10.100.1.10)?
If I set a new route
```sh
route add -net 10.100.1.0/24 dev eth0
```
there is no access to the remote subnet. Perhaps this can be done with iptables, but I do not know what to write exactly :oops:
unax n00b
Posted: Fri Jan 28, 2011 4:05 am
So... one route solved my problem:
```sh
ip route add <remote lan> via <global ip of router> src <local ip of router>
```
Everything is fine :)