Thread: [Ipsec-tools-devel] can't access linux after ipsec is up
From: Satavee <sa...@gm...> - 2012-02-25 03:26:50
Hi All,

I've installed ipsec-tools + racoon for a few weeks. Currently IPsec is up and I can send/receive data over the tunnel from both sides.

My problem is, I can't access (ping & ssh) the Linux router after running "setkey start".

----
root@Racoon:/etc# cat ipsec-tools.conf
#!/usr/sbin/setkey -f
# Flush SAD and SPD
flush;
spdflush;
spdadd 192.168.24.0/24 192.168.0.0/16 any -P out ipsec
    esp/tunnel/110.110.110.65-112.112.112.95/unique;
spdadd 192.168.0.0/16 192.168.24.0/24 any -P in ipsec
    esp/tunnel/112.112.112.95-110.110.110.65/unique;
-------
note: router ip = 192.168.24.1/24 and my pc = 192.168.24.2/24 gw 192.168.24.1

root@Racoon:/etc/racoon# racoon -V
@(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)

--
Regards
Satavee
From: Stephen C. <scl...@ea...> - 2012-02-25 19:33:51
On 02/24/2012 10:26 PM, Satavee wrote:
> Hi All,
> I've installed ipsec-tools + racoon for a few weeks. Currently IPsec is up and I
> can send/receive data over the tunnel from both sides.
>
> My problem is, I can't access (ping & ssh) the Linux router after running
> "setkey start".
> [...]
> note: router ip = 192.168.24.1/24 and my pc = 192.168.24.2/24 gw
> 192.168.24.1
> [...]
> ------------------------------------------------------------------------------
> Virtualization & Cloud Management Using Capacity Planning
> Cloud computing makes use of virtualization - but cloud computing
> also focuses on allowing computing to be delivered as a service.
> http://www.accelacomm.com/jaw/sfnl/114/51521223/
>
> _______________________________________________
> Ipsec-tools-devel mailing list
> Ips...@li...
> https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel

/sbin/ip route add 192.168.0.0/16 via 110.110.110.65 dev ethX src 192.168.24.1

--
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)

"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)
From: Satavee <sa...@gm...> - 2012-02-26 06:52:42
Hi Stephen,

I've tried your suggestion but my problem still exists.

>> -------
>> note: router ip = 192.168.24.1/24 and my pc = 192.168.24.2/24 gw
>> 192.168.24.1.

> /sbin/ip route add 192.168.0.0/16 via 110.110.110.65 dev ethX src 192.168.24.1

This static route is related to the right network. ===>>> But my problem is: I cannot ping and ssh from my pc (192.168.24.2) to the Linux router (192.168.24.1)....

Again, I can transfer files between 192.168.24.1 and 192.168.x.x.

Regards,
Satavee

On Feb 26, 2012, at 2:33, Stephen Clark <scl...@ea...> wrote:
> [...]
From: Pierre C. <pie...@fr...> - 2012-02-26 10:44:57
Hi Satavee,

It might be related to the fact that you have overlapping networks on both sides of your VPN tunnel.

What I suspect is that the TCP/ICMP packet reaches your Linux router at 192.168.24.1, but the packet is then processed by the racoon daemon and the packet with destination IP 192.168.24.1 is then pushed into the VPN tunnel. Now I suspect that the packet is bounced between the two VPN tunnel endpoints until the TTL expires, or it will be dropped on the other side of your tunnel as the src IP is in the dst network.

This might be possible to check if there is a way to make a tcpdump inside the encrypted tunnel. I don't know if this is possible; can someone tell me a way to do that?

An easy way to solve your issue might be to use a different network on the 192.168.24.0/24 side which will not be in the 192.168.0.0/16 range.

Regards,
Pierre

On 26/02/12 07:52, Satavee wrote:
> [...]
From: Satavee <sa...@gm...> - 2012-02-26 12:51:28
Hi Pierre,

You're right. It works.

Next question: is there any command to let racoon/ipsec-tools support this overlapping..?

Regards,
Satavee

On Feb 26, 2012, at 17:44, Pierre Christensen <pie...@fr...> wrote:
> [...]
From: Pierre C. <pie...@fr...> - 2012-02-26 15:14:25
Hi Satavee,

The usual way to solve this kind of issue is to use NAT and fake NATted networks. I found a page on the internet explaining the concept:
http://wiki.openwrt.org/doc/howto/vpn.ipsec.overlappingsubnets

Now, how to implement this depends completely on the Unix/Linux distribution you're using.

Hope this will help.

Regards,
Pierre

On Sun Feb 26 13:51:13 2012, Satavee wrote:
> [...]
From: Hooman F. <fa...@se...> - 2012-02-27 07:56:14
Exclude traffic between 192.168.24.2 and 192.168.24.1 from IPsec:

# bypass policies for the router <-> PC pair (trailing ';' needed in a setkey -f file)
spdadd 192.168.24.1/32 192.168.24.2/32 any -P out none;
spdadd 192.168.24.2/32 192.168.24.1/32 any -P in none;

On 2/25/2012 6:56 AM, Satavee wrote:
> [...]
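Pierre's overlapping-selector diagnosis and Hooman's bypass policies, worked through in an added example that is not part of this thread and not ipsec-tools code: a small Python model of the SPD lookups the router performs on its own LAN traffic, before and after the two `none` policies. Assumptions: the model lets the most specific matching selector win (the Linux kernel actually orders policies by priority, which setkey can set with its `priority` keyword, so confirm what is really installed with `setkey -DP` and `ip xfrm policy`); the remote host 192.168.5.7 is made up; and 10.24.0.0/24 is an arbitrary fake prefix standing in for the NETMAP approach on the OpenWrt page Pierre links to.

```python
# Added example (not from the thread or ipsec-tools): a model of the SPD
# lookups behind the "can't reach the router after setkey" symptom.
# Assumptions: most-specific selector wins (real kernels order by policy
# priority; check with `setkey -DP`), 192.168.5.7 is a made-up remote host,
# and 10.24.0.0/24 is an arbitrary fake prefix for the NETMAP illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str  # "in" or "out"
    action: str     # "ipsec" (protect / require) or "none" (bypass)


def policy(src, dst, direction, action):
    return Policy(ipaddress.ip_network(src), ipaddress.ip_network(dst),
                  direction, action)


# The two spdadd lines from Satavee's ipsec-tools.conf.
ORIGINAL_SPD = [
    policy("192.168.24.0/24", "192.168.0.0/16", "out", "ipsec"),
    policy("192.168.0.0/16", "192.168.24.0/24", "in", "ipsec"),
]

# Hooman's fix: router <-> PC traffic bypasses IPsec.
BYPASS = [
    policy("192.168.24.1/32", "192.168.24.2/32", "out", "none"),
    policy("192.168.24.2/32", "192.168.24.1/32", "in", "none"),
]
FIXED_SPD = BYPASS + ORIGINAL_SPD


def lookup(spd, src, dst, direction):
    """Most specific policy matching (src, dst, direction), or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in spd
            if p.direction == direction and s in p.src and d in p.dst]
    if not hits:
        return None
    return max(hits, key=lambda p: p.src.prefixlen + p.dst.prefixlen)


def disposition(spd, src, dst, direction, protected=False):
    """What the kernel does with one packet.

    out: 'tunnel' if an ipsec policy matches, otherwise 'clear'.
    in : an unprotected packet that matches an ipsec (require) policy is
         discarded (RFC 4301 inbound policy check); anything else is accepted.
    """
    p = lookup(spd, src, dst, direction)
    if direction == "out":
        return "tunnel" if p and p.action == "ipsec" else "clear"
    if p and p.action == "ipsec" and not protected:
        return "drop"
    return "accept"


def selectors_overlap(local, remote):
    """True when the local and remote selectors share addresses."""
    return ipaddress.ip_network(local).overlaps(ipaddress.ip_network(remote))


def netmap(addr, real_net, fake_net):
    """1:1 prefix translation (what iptables NETMAP does): keep the host bits."""
    real_net = ipaddress.ip_network(real_net)
    fake_net = ipaddress.ip_network(fake_net)
    if real_net.prefixlen != fake_net.prefixlen:
        raise ValueError("NETMAP needs equal prefix lengths")
    offset = int(ipaddress.ip_address(addr)) - int(real_net.network_address)
    return str(fake_net.network_address + offset)


def walkthrough():
    """Router <-> PC traffic before and after the bypass policies."""
    return {
        # the router's ping/ssh replies to the PC
        "reply_before": disposition(ORIGINAL_SPD, "192.168.24.1", "192.168.24.2", "out"),
        "reply_after": disposition(FIXED_SPD, "192.168.24.1", "192.168.24.2", "out"),
        # the PC's plaintext requests arriving at the router
        "request_before": disposition(ORIGINAL_SPD, "192.168.24.2", "192.168.24.1", "in"),
        "request_after": disposition(FIXED_SPD, "192.168.24.2", "192.168.24.1", "in"),
        # real site-to-site traffic is still tunnelled (made-up remote host)
        "remote_after": disposition(FIXED_SPD, "192.168.24.1", "192.168.5.7", "out"),
    }


if __name__ == "__main__":
    for name, result in walkthrough().items():
        print(f"{name:15s} {result}")
    print("overlap        ", selectors_overlap("192.168.24.0/24", "192.168.0.0/16"))
    print("netmap         ", netmap("192.168.24.2", "192.168.24.0/24", "10.24.0.0/24"))
```

Run as a script, the model makes the failure explicit: because 192.168.24.0/24 sits inside 192.168.0.0/16, the router's replies to the PC select the `out ipsec` policy and go into the tunnel, and the PC's plaintext requests arriving at the router match the `in ipsec` policy and are discarded, which is why ping and ssh die the moment the SPD is loaded. The /32 bypass pair only covers the one PC; a second LAN host such as 192.168.24.3 still selects the tunnel policy and needs its own pair, which is why renumbering the LAN or NETMAPping it to a non-overlapping prefix are the durable answers.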
From: Satavee <sa...@gm...> - 2012-02-27 08:38:40
Hi Hooman,

Yes. It's working fine now! Thank you very much...

Regards,
Satavee

On Feb 27, 2012, at 14:28, Hooman Fazaeli <fa...@se...> wrote:
> Exclude traffic between 192.168.24.2 and 192.168.24.1 from IPsec:
>
> spdadd 192.168.24.1/32 192.168.24.2/32 any -P out none
> spdadd 192.168.24.2/32 192.168.24.1/32 any -P in none
>
> [...]