From: Thomas H. <th...@ho...> - 2004-08-26 12:59:09
Hi,

I'm having big problems understanding exactly how I am supposed to configure my gateway to make an IPSec tunnel work. Despite a lot of searching on the net I've failed to find an answer to my questions, so I hope someone can explain this.

My setup is this: I have a Linux gateway/firewall routing traffic for a small network (A), 10.1.0.0/16. It has an external IP 217.x.x.34 and a default gateway (ADSL router) 217.x.x.47. I want to establish an ESP tunnel to our corporate HQ network (B) 10.0.0.0/16, which has a Cisco VPN concentrator at 80.x.x.18.

So basically:

  [Network A]--[Gateway] <--[internet]--> [Cisco]--Network B

My setkey.conf looks like this:

  #!/usr/sbin/setkey -f
  flush;
  spdflush;
  spdadd 10.1.0.0/16 10.0.0.0/16 any -P out ipsec
      esp/tunnel/217.xxx.xxx.34-80.xxx.xxx.18/require;
  spdadd 10.0.0.0/16 10.1.0.0/16 any -P in ipsec
      esp/tunnel/80.xxx.xxx.18-217.xxx.xxx.34/require;

and my racoon.conf like this:

  path pre_shared_key "/etc/racoon/psk.txt";
  path certificate "/etc/racoon/certs";
  log debug;

  remote 80.xxx.xxx.18 {
      exchange_mode main,aggressive;
      proposal {
          encryption_algorithm 3des;
          hash_algorithm md5;
          authentication_method pre_shared_key;
          dh_group 2;
      }
      generate_policy off;
  }

  sainfo address 10.1.0.0/16 any address 10.0.0.0/16 any {
      pfs_group 2;
      encryption_algorithm 3des;
      authentication_algorithm hmac_md5;
      lifetime time 1 hour;
      compression_algorithm deflate;
  }

The IKE negotiation goes well, and the SAs look correct from setkey -D. Also the Cisco admin reports that the SAs look right on the remote side.

Now there are a few things I don't understand, and that I couldn't find documented anywhere. I might have misunderstood something basic, because I haven't been able to find anyone even mentioning similar problems.

1) How should my routing table on the gateway look, so that the gateway itself will use its 10.0.1.1 address to contact network B?

I have tried two options:

  a: Not adding a route to network B at all. In this case the box uses my default route (on the external interface) when I try to ping a host on network B from the box. I can see the unencrypted ICMP packet going out on the external interface.

  b: Adding a route to the gateway's own internal IP (route add -net 10.0.0.0/24 gw 10.1.0.1). This seems to work: when I ping 10.0.8.1 (a host on network B), with tcpdump I can see an ESP packet going out on the external interface, and I can see an ESP packet coming back from the remote Cisco. Also, the admin of network B tells me he can see my ICMP Echo packets on his network (and the response). However, the packet somehow gets lost before it reaches the ping program, because I never see a response.

So my question is: What is the correct route to set up, and why am I not seeing the ICMP Echo response?

2) I try to ping from another host on Network A to 10.0.8.1 on network B. Again, how should my route be set up (and do I need a route at all for this to work?). In either case, I don't see any outgoing ESP (or other packets) from the gateway. First I thought it was a problem with my iptables firewall rules, so I flushed them all and set policy to Accept; however, this doesn't fix the problem.

Any help will be greatly appreciated. I have tried all that I can think of and I don't understand why this isn't working as I expected.

Best regards,
Thomas
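An added illustration (not part of the post above) of how the SPD selectors in the setkey.conf quoted in the post decide whether a packet is tunnelled: the kernel matches a packet's source and destination address against each spdadd entry for the given direction, so a packet the gateway sends from its external address (option a, where the default route is used) does not fall inside the 10.1.0.0/16 selector and leaves in the clear, while one sent from an address inside 10.1.0.0/16 (option b) matches the outbound policy. The endpoint addresses 217.0.0.34 and 80.0.0.18 are constructed placeholders standing in for the masked x.x.x values in the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SpdEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str                 # "in" or "out"
    tunnel: tuple                  # (tunnel source, tunnel destination)

def parse_spdadd(line: str) -> SpdEntry:
    """Parse one 'spdadd SRC DST any -P DIR ipsec esp/tunnel/A-B/require;' line."""
    tok = line.strip().rstrip(";").split()
    if tok[0] != "spdadd":
        raise ValueError("not an spdadd line: " + line)
    src, dst = ipaddress.ip_network(tok[1]), ipaddress.ip_network(tok[2])
    direction = tok[tok.index("-P") + 1]
    _proto, _mode, endpoints, _level = tok[-1].split("/")   # esp/tunnel/A-B/require
    a, b = endpoints.split("-")
    return SpdEntry(src, dst, direction, (a, b))

# Constructed stand-in for the post's setkey.conf (x.x.x octets replaced by 0.0.0).
SPD_TEXT = """
spdadd 10.1.0.0/16 10.0.0.0/16 any -P out ipsec esp/tunnel/217.0.0.34-80.0.0.18/require;
spdadd 10.0.0.0/16 10.1.0.0/16 any -P in ipsec esp/tunnel/80.0.0.18-217.0.0.34/require;
"""
SPD = [parse_spdadd(l) for l in SPD_TEXT.splitlines() if l.strip()]

def lookup(spd, src_ip: str, dst_ip: str, direction: str) -> Optional[SpdEntry]:
    """Return the first SPD entry whose selectors cover the packet, or None
    when no policy applies (the packet is then forwarded unprotected)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in spd:
        if e.direction == direction and s in e.src and d in e.dst:
            return e
    return None

if __name__ == "__main__":
    # Gateway pings 10.0.8.1 from its internal address: matches the outbound policy.
    print(lookup(SPD, "10.1.0.1", "10.0.8.1", "out"))
    # Gateway pings from its external address (default route chosen): no policy hit.
    print(lookup(SPD, "217.0.0.34", "10.0.8.1", "out"))
    # Echo reply from network B to the internal address: matches the inbound policy.
    print(lookup(SPD, "10.0.8.1", "10.1.0.1", "in"))
```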