sslug-teknik team mailing list archive
Message #60423
FreeS/WAN help needed...
Hi all,
I'm throwing in the towel now :-)
I have an RH 8.0 / 2.4.20 installation (upgraded from 6.2 / 2.4.14)
with iptables and FreeS/WAN 1.99.
I'm trying to bring up a VPN tunnel between a ServGate 100 (Linux 2.4.19 /
FreeS/WAN 1.96) and the box above. Using a shared secret for a start.
So it looks like this:
PC <-> SG100 <-> RH 8
192.168.1.5 <-> 192.168.1.1 + 80.63.191.1 <-> 80.63.191.20 192.168.10.20
From the inside of the SG100 I get through fine. E.g. from 'PC' I can
ping 192.168.10.20 without problems, use ssh, etc.
The other way (RH8 -> PC) is a different story - zero traffic gets
through.
From RH8 I can ping 80.63.191.1 (i.e. the WAN IF on the SG100).
Can anyone give me a bit of help? I've posted some info below -
if more is needed, just ask.
Thanks in advance for any replies!
Jens-Peter
Info from RH8:
Routing table:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     80.63.191.1     255.255.255.0   UG    0      0        0 ipsec0
80.63.191.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
80.63.191.0     0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         80.63.191.1     0.0.0.0         UG    0      0        0 eth1
ipsec.conf (using the ed-rgk connection for testing):
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.
# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%dnsondemand
        rightrsasigkey=%dnsondemand
# connection description for opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
conn me-to-anyone
        left=%defaultroute
        right=%opportunistic
        keylife=1h
        rekey=no
        # for initiator only OE, uncomment and uncomment this
        # after putting your key in your forward map
        #leftid=@myhostname.example.com
        # uncomment this next line to enable it
        #auto=route
# Connection from E&D to RGK
conn ed-rgk
        type = tunnel
        # Left security gateway, subnet behind it, next hop toward right.
        left=80.63.191.20
        leftsubnet=192.168.10.0/255.255.255.0
        leftnexthop=
        # Right security gateway, subnet behind it, next hop toward left.
        right=80.63.191.1
        rightsubnet=192.168.1.0/255.255.255.0
        rightnexthop=
        #
        #keyexchange = ike
        auth = esp
        authby = secret
        pfs = yes
        keylife = 1h
        keyingtries = 0
        #dpddelay=9
        #dpdtimeout=30
        # authorize this connection at startup and start it
        auto=start
# sample VPN connection
conn sample
        # Left security gateway, subnet behind it, next hop toward right.
        left=10.0.0.1
        leftsubnet=172.16.0.0/24
        leftnexthop=10.22.33.44
        # Right security gateway, subnet behind it, next hop toward left.
        right=10.12.12.1
        rightsubnet=192.168.0.0/24
        rightnexthop=10.101.102.103
        # To authorize this connection, but not actually start it, at startup,
        # uncomment this.
        #auto=add
If I bring the ed-rgk connection down and start it again, I get the
following:
[root@firewall etc]# ipsec auto --up ed-rgk
104 "ed-rgk" #9: STATE_MAIN_I1: initiate
003 "ed-rgk" #9: ignoring Vendor ID payload
106 "ed-rgk" #9: STATE_MAIN_I2: sent MI2, expecting MR2
108 "ed-rgk" #9: STATE_MAIN_I3: sent MI3, expecting MR3
004 "ed-rgk" #9: STATE_MAIN_I4: ISAKMP SA established
112 "ed-rgk" #11: STATE_QUICK_I1: initiate
004 "ed-rgk" #11: STATE_QUICK_I2: sent QI2, IPsec SA established
ipsec verify gives the following:
[root@firewall etc]# ipsec verify
Checking your system to see if IPsec got installed and started correctly
Version check and ipsec on-path [OK]
Checking for KLIPS support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
DNS checks.
Looking for forward key for firewall.ed.dk [FAILED]
Looking for KEY in reverse map: 20.191.63.80.in-addr.arpa [FAILED]
Does the machine have at least one non-private address [OK]
IPTABLES rules:
[root@firewall etc]# cat /usr/local/sbin/iptables.rules
#!/bin/sh
# IP Tables init script
# Internal LAN interface: eth0
# External LAN interface: eth1
OFFICELAN_IF=eth0
OFFICELAN_IP=192.168.10.20
ROUTERLAN_IF=eth1
#ROUTERLAN_IP=192.168.1.101
ROUTERLAN_IP=80.63.191.20
SERVER_IP=192.168.10.10
# IP Tables executable
IPTABLES="/usr/local/sbin/iptables"
# Flush existing policies, chains and tables
/usr/local/sbin/iptables.flush
# While testing: full access from all machines
$IPTABLES -A INPUT -i $ROUTERLAN_IF -s 0.0.0.0/0 -j ACCEPT
# Allow IPSec
#
# IKE negotiations
$IPTABLES -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
$IPTABLES -A OUTPUT -p 50 -j ACCEPT
$IPTABLES -A INPUT -p 50 -j ACCEPT
# AH authentication header
$IPTABLES -A OUTPUT -p 51 -j ACCEPT
$IPTABLES -A INPUT -p 51 -j ACCEPT
# Enable IP forwarding between the interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward
exit 0;
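As an added example (not part of the post or of FreeS/WAN itself), a small Python check that parses a conn block like ed-rgk above and reports whether a given source/destination pair falls inside its leftsubnet/rightsubnet traffic selectors; the conn text and the address pairs are constructed from the values quoted in the post.

```python
"""Check which (src, dst) pairs a FreeS/WAN conn's subnet selectors cover."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed ipsec.conf fragment: same values as the ed-rgk conn in the post.
IPSEC_CONF = """
conn ed-rgk
        type = tunnel
        left=80.63.191.20
        leftsubnet=192.168.10.0/255.255.255.0
        right=80.63.191.1
        rightsubnet=192.168.1.0/255.255.255.0
        authby = secret
        auto=start
"""


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'conn NAME' sections into {name: {key: value}}; tolerates spaces around '='."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conns


def selector_for(conn: Dict[str, str], side: str) -> ipaddress.IPv4Network:
    """Selector for one side: leftsubnet/rightsubnet if set, else the gateway address itself (/32)."""
    subnet = conn.get(f"{side}subnet")
    if subnet:
        return ipaddress.ip_network(subnet, strict=False)   # accepts dotted netmask form
    return ipaddress.ip_network(conn[side] + "/32")


def tunnel_covers(conn: Dict[str, str], src: str, dst: str) -> bool:
    """True if src->dst lies inside the left->right or right->left selector pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    left, right = selector_for(conn, "left"), selector_for(conn, "right")
    return (s in left and d in right) or (s in right and d in left)


def classify(conn: Dict[str, str], pairs: List[Tuple[str, str]]) -> Dict[Tuple[str, str], bool]:
    return {(s, d): tunnel_covers(conn, s, d) for s, d in pairs}
```

Only traffic whose source and destination both fall inside the selectors is carried by the tunnel; a packet the gateway originates from its own WAN address (80.63.191.20 here) is outside leftsubnet and so is not covered by this conn.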