From: Mario O. <mar...@gm...> - 2005-08-23 11:06:15
Hello List,

I want to connect two networks via VPN with IPsec.
I am reading the ipsec howto: http://www.ipsec-howto.org/x287.html

My setup:

home network ---- Linux-VPN1-Firewall-------\ line break
192.168.1.0/24    pub addr: 84.157.45.20     \ line break

                 --- Linux-VPN2-Firewall --- home network
                     pub addr: 84.160.217.88 192.168.0.0/24


Here is what I get:
-------------------------------------------------------------------
#setkey -f /etc/setkey.conf && racoon -F -f /etc/racoon/racoon.conf
Foreground mode.
2005-08-23 10:56:43: INFO: @(#)ipsec-tools 0.5.2 (http://ipsec-tools.sourceforge.net)
2005-08-23 10:56:43: INFO: @(#)This product linked OpenSSL 0.9.7e 25 Oct 2004 (http://www.openssl.org/)
2005-08-23 10:56:43: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
2005-08-23 10:56:43: INFO: 127.0.0.1[500] used for NAT-T
2005-08-23 10:56:43: INFO: 192.168.0.10[500] used as isakmp port (fd=8)
2005-08-23 10:56:43: INFO: 192.168.0.10[500] used for NAT-T
2005-08-23 10:56:43: INFO: ::1[500] used as isakmp port (fd=9)
2005-08-23 10:56:43: INFO: fe80::20c:29ff:fe5f:3117%eth0[500] used as isakmp port (fd=10)

and then it just sits there. I started a ping into the other network
(ping 192.168.1.254 - connect: Resource temporarily unavailable) and
expected racoon to establish a connection.

Any idea why it won't send my packets through the tunnel? The ping tells
me that my box has no idea where to put that packet.

Here are my configs:

==================== VPN1 ===========================
cat /etc/psk.txt
---
# IPv4 addresses
84.160.217.88 simple psk
5.0.0.1 0xe10bd52b0529b54aac97db63462850f3
# USER_FQDN
ra...@sp... This is a psk for an email address
# FQDN
www.spenneberg.net This is a psk

cat /etc/setkey.conf
---
#!/usr/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;

# Create policies for racoon
spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec
       esp/tunnel/84.157.45.20-84.160.217.88/require;
spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec
       esp/tunnel/84.160.217.88-84.157.45.20/require;

cat /etc/racoon/racoon.conf
---
path pre_shared_key "/etc/psk.txt";
remote 84.160.217.88 {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}
sainfo address 192.168.1.0/24 any address 192.168.0.0/24 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
}
===================== VPN1 END =============================================


==================== VPN2 ===========================
cat /etc/psk.txt
---
# IPv4 addresses
84.157.45.20 simple psk
5.0.0.1 0xe10bd52b0529b54aac97db63462850f3
# USER_FQDN
ra...@sp... This is a psk for an email address
# FQDN
www.spenneberg.net This is a psk

cat /etc/setkey.conf
---
#!/usr/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;

# Create policies for racoon
spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec
       esp/tunnel/84.157.45.20-84.160.217.88/require;
spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec
       esp/tunnel/84.160.217.88-84.157.45.20/require;

cat /etc/racoon/racoon.conf
---
path pre_shared_key "/etc/psk.txt";
remote 84.157.45.20 {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}
sainfo address 192.168.0.0/24 any address 192.168.1.0/24 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
==================== VPN2 END =======================

Any ideas?

Thanks, Mario
From: VANHULLEBUS Y. <va...@fr...> - 2005-08-23 11:38:40
On Tue, Aug 23, 2005 at 01:05:55PM +0200, Mario Ohnewald wrote:
> Hello List,

Hi.

> I want to connect two networks via VPN with IPsec.
> I am reading the ipsec howto: http://www.ipsec-howto.org/x287.html
>
> My setup:
>
> home network ---- Linux-VPN1-Firewall-------\ line break
> 192.168.1.0/24    pub addr: 84.157.45.20     \ line break
>
>                  --- Linux-VPN2-Firewall --- home network
>                      pub addr: 84.160.217.88 192.168.0.0/24
>
>
> Here is what I get:
> -------------------------------------------------------------------
> #setkey -f /etc/setkey.conf && racoon -F -f /etc/racoon/racoon.conf
> Foreground mode.
> 2005-08-23 10:56:43: INFO: @(#)ipsec-tools 0.5.2
> (http://ipsec-tools.sourceforge.net)
> 2005-08-23 10:56:43: INFO: @(#)This product linked OpenSSL 0.9.7e 25 Oct
> 2004 (http://www.openssl.org/)
> 2005-08-23 10:56:43: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
> 2005-08-23 10:56:43: INFO: 127.0.0.1[500] used for NAT-T
> 2005-08-23 10:56:43: INFO: 192.168.0.10[500] used as isakmp port (fd=8)
> 2005-08-23 10:56:43: INFO: 192.168.0.10[500] used for NAT-T
> 2005-08-23 10:56:43: INFO: ::1[500] used as isakmp port (fd=9)
> 2005-08-23 10:56:43: INFO: fe80::20c:29ff:fe5f:3117%eth0[500] used as
> isakmp port (fd=10)

For some reason I don't know, it looks like racoon doesn't bind (can't
bind?) the public address (84.160.217.88). That probably means there is
some networking problem somewhere on the gate!

> and then it just sits there. I started a ping into the other network
> (ping 192.168.1.254 - connect: Resource temporarily unavailable) and
> expected racoon to establish a connection.

Did you try that ping on the gate itself? If that's what you did, you
should try a ping -S 192.168.0.10 192.168.1.254, to force the source
address of the ICMP request, because if you don't do that, the system
will probably use the public address as source, so the packet won't
match the IPSec policy.

[the conf]

I just had a quick look at your conf, but it seems to be ok.

Yvan.
From: Mario O. <mar...@gm...> - 2005-08-23 14:13:31
Hi,

I think I have a few general questions. Writing it down in a mail
sometimes helps yourself to analyse problems, too :P

On Tue, 2005-08-23 at 13:38 +0200, VANHULLEBUS Yvan wrote:
> On Tue, Aug 23, 2005 at 01:05:55PM +0200, Mario Ohnewald wrote:
> > Hello List,
>
> Hi.
>
> > I want to connect two networks via VPN with IPsec.
> > I am reading the ipsec howto: http://www.ipsec-howto.org/x287.html
> >
> > My setup:
> >
> > home network ---- Linux-VPN1-Firewall-------\ line break
> > 192.168.1.0/24    pub addr: 84.157.45.20     \ line break
> >
> >                  --- Linux-VPN2-Firewall --- home network
> >                      pub addr: 84.160.217.88 192.168.0.0/24
> >
> >

I am a little confused... in this example:
http://www.ipsec-howto.org/images/tunnel.png

Should those two computers in the middle not have two interfaces?
How can 192.168.1.0/24 communicate with 192.168.2.0/24?

OK, let's assume those VPN gateways have two interfaces and are behind a
firewall which has a public IP (123.123.123.123). Where in the config do
I tell racoon to connect to the other VPN gateway?

Would I have to change
remote 192.168.2.100 {

to
remote 123.123.123.123

and not change the rest of the config examples?



What is the line:
# IPv4 addresses
192.168.2.100 simple psk
in psk.txt for?
Only the host with the IP 192.168.2.100 is allowed to auth?
Or should it be 123.123.123.123 in my case?



setkey.txt:
# Create policies for racoon
spdadd 172.16.1.0/24 172.16.2.0/24 any -P out ipsec esp/tunnel/192.168.1.100-192.168.2.100/require;
#      ^this net     ^and this net                  will be sent through this tunnel?
#                                                              ^^^^^^^^^^^^^^^^^^^^^^^^^^

Thanks a lot,
Mario
From: Aidas K. <a.k...@gm...> - 2005-08-23 15:03:02
Mario Ohnewald wrote:
> I am a little confused... in this example:
> http://www.ipsec-howto.org/images/tunnel.png
>
> Should those two computers in the middle not have two interfaces?
> How can 192.168.1.0/24 communicate with 192.168.2.0/24?

They definitely have -- you see two lines coming into each of them --
this means two interfaces. [On a side note, it is possible to use just a
single interface; in that case you should employ logical interfaces,
VLANs, or route some subnet through a non-default router -- the box with
that single interface.]

> OK, let's assume those VPN gateways have two interfaces and are behind a
> firewall which has a public IP (123.123.123.123). Where in the config do
> I tell racoon to connect to the other VPN gateway?
>

If they are behind the same firewall and packets from one to another do
not have to cross it, then the address of that firewall doesn't matter --
you don't have to change anything.

If your packets cross firewalls and you operate on private addresses,
then you most likely have to cross two firewalls, let's assume
123.123.123.123 and 34.34.34.34. In this case, you have to change:

1) spdadd lines: you should use
   -- remote tunnel endpoint should be the PUBLIC (34.34.34.34) address
      of the other side;
   -- local tunnel endpoint should be an address from an interface on the
      box running racoon, i.e. 192.168.0.10 or similar.
   [because this is the place which tells the system that some packet has
   to be ipsec-processed, who to contact to negotiate security
   parameters, and to whom to send ipsec-processed traffic.]

2) remote lines: you should use the PUBLIC address of the other side;
   [because these lines specify HOW to negotiate security parameters with
   a particular peer.]

3) I'm not sure about the psk file (never set up a box which uses psk and
   is behind NAT). I don't think you should need to change it, because in
   principle the strings there are IDs and most likely the remote side
   will send an internal address as an ID (and NAT is not capable of
   changing it). But there may be special treatment for IP addresses used
   as IDs, so if debug info says that you have problems with
   authentication, add a line with the public IP there.

> Would I have to change
> remote 192.168.2.100 {
>
> to
> remote 123.123.123.123
>
> and not change the rest of the config examples?
>
>
>
>
> What is the line:
> # IPv4 addresses
> 192.168.2.100 simple psk
> in psk.txt for?
> Only the host with the IP 192.168.2.100 is allowed to auth?
> Or should it be 123.123.123.123 in my case?
>
>
>
> setkey.txt:
> # Create policies for racoon
> spdadd 172.16.1.0/24 172.16.2.0/24 any -P out ipsec esp/tunnel/192.168.1.100-192.168.2.100/require;
> #      ^this net     ^and this net                  will be sent through this tunnel?
> #                                                              ^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>

Assuming that on the left box the interface towards the center has
address 192.168.0.1 and the remote end has public address 34.34.34.34,
the rule should look like this:

spdadd 172.16.1.0/24 172.16.2.0/24 any -P out ipsec esp/tunnel/192.168.0.1-34.34.34.34/require;

--
Aidas Kasparas
IT administrator
GM Consult Group, UAB
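Added example, not code from the thread or from ipsec-tools: a small Python checker that applies the endpoint rule Aidas gives above (local tunnel endpoint = an address the racoon box holds, remote endpoint = the peer's public address, in/out policies mirrored) and Yvan's earlier point that a packet only receives IPsec treatment when it falls inside a policy's selectors. The spdadd lines are Mario's VPN2 setkey.conf as first posted and as corrected later in the thread; the set of addresses the VPN2 box holds (taken from the racoon startup log) and the probe packets are constructed.

```python
# Added example (not from the thread or ipsec-tools): sanity-check setkey SPD
# policies and see whether a given packet would be covered by one of them.
import ipaddress
import re

SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
                    r"esp/tunnel/([\d.]+)-([\d.]+)/(\w+)\s*;")

# VPN2 setkey.conf as first posted: the local tunnel endpoint is the
# firewall's public IP, which the VPN2 box itself does not hold.
SPD_BEFORE = """
spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec esp/tunnel/84.157.45.20-84.160.217.88/require;
spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/84.160.217.88-84.157.45.20/require;
"""
# VPN2 setkey.conf as corrected later: local endpoint is the box's own eth0.
SPD_AFTER = """
spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec esp/tunnel/84.157.60.63-192.168.0.10/require;
spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/192.168.0.10-84.157.60.63/require;
"""

def parse_spd(text):
    """Turn spdadd lines into dicts; traffic selectors become ip_network objects."""
    return [{"src": ipaddress.ip_network(s), "dst": ipaddress.ip_network(d),
             "dir": dirn, "tsrc": ts, "tdst": td, "level": lvl}
            for s, d, dirn, ts, td, lvl in SPD_RE.findall(text)]

def check_spd(pols, local_addrs):
    """Report endpoint and mirroring problems; an empty list means consistent."""
    problems = []
    for p in pols:
        # The local end of the tunnel is the source for 'out', the destination for 'in'.
        local = p["tsrc"] if p["dir"] == "out" else p["tdst"]
        if local not in local_addrs:
            problems.append(f"{p['dir']} policy {p['src']}->{p['dst']}: local tunnel "
                            f"endpoint {local} is not an address of this box")
        mirrored = any(q["dir"] != p["dir"] and q["src"] == p["dst"] and q["dst"] == p["src"]
                       and q["tsrc"] == p["tdst"] and q["tdst"] == p["tsrc"] for q in pols)
        if not mirrored:
            problems.append(f"{p['dir']} policy {p['src']}->{p['dst']} has no mirrored policy")
    return problems

def match_out(pols, src, dst):
    """Return the 'out' policy covering a packet, or None if it would bypass IPsec."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((p for p in pols if p["dir"] == "out" and s in p["src"] and d in p["dst"]), None)

if __name__ == "__main__":
    vpn2_addrs = {"127.0.0.1", "192.168.0.10"}  # constructed from the racoon log's bind lines
    print(check_spd(parse_spd(SPD_BEFORE), vpn2_addrs))   # two endpoint problems
    print(check_spd(parse_spd(SPD_AFTER), vpn2_addrs))    # []
    print(match_out(parse_spd(SPD_AFTER), "192.168.0.10", "192.168.1.254"))     # covered
    print(match_out(parse_spd(SPD_AFTER), "234.234.234.234", "192.168.1.254"))  # None
```

A packet for which match_out returns None is exactly the case Yvan describes: with the public address as source it matches no selector, so racoon is never triggered and nothing is protected.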
From: Mario O. <mar...@gm...> - 2005-08-23 16:51:23
It's getting a lot clearer now! ;)

Here is my setup at the moment. Not simplified as I tried to explain it
before.

------------------------------------------
| eth0 192.168.1.201   -->   VPN1 BOX    |
------------------------------------------
               |
               |
(192.168.1.254) firewall_1 ppp0 (123.123.123.123)
               |
               |
               |internet
               |
               |
(234.234.234.234) ppp0 firewall_2 (192.168.0.1)
               |
               |
-----------------------------------------
|192.168.0.10 - eth0   -->   VPN2 BOX   |
-----------------------------------------


2005-08-23 18:40:48: INFO: ISAKMP-SA established 192.168.1.201[500]-84.160.217.88[500] spi:b09a8f88dde50e7f:ba0a991ed4949a84
2005-08-23 18:40:48: INFO: initiate new phase 2 negotiation: 192.168.1.201[500]<=>84.160.217.88[500]
2005-08-23 18:40:48: INFO: IPsec-SA established: ESP/Tunnel 84.160.217.88[500]->192.168.1.201[500] spi=140777020(0x864163c)
2005-08-23 18:40:48: INFO: IPsec-SA established: ESP/Tunnel 192.168.1.201[500]->84.160.217.88[500] spi=260883458(0xf8cc402)


It almost works. The ping gets from VPN1 eth0 to VPN2 eth0.
But the packet never returns:

vpn2:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:5F:31:17
          inet addr:192.168.0.10  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe5f:3117/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17478 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6324 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4738690 (4.5 MiB)  TX bytes:1119070 (1.0 MiB)
          Interrupt:185 Base address:0x1080

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

vpn2:~# tcpdump -i eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:25:39.582816 IP 192.168.1.201 > 192.168.0.1: icmp 64: echo request seq 153
13:25:39.607842 IP 192.168.1.201 > 192.168.0.1: icmp 64: echo request seq 153
13:25:39.794471 IP 192.168.1.201 > 192.168.0.1: icmp 64: echo request seq 154
13:25:39.794716 IP 192.168.1.201 > 192.168.0.1: icmp 64: echo request seq 154
13:25:39.993432 IP 192.168.1.201 > 192.168.0.1: icmp 64: echo request seq 155
13:25:39.993520 IP 192.168.1.201 > 192.168.0.1: icmp 64: echo request seq 155



Is this a routing problem?

Here is my setkey.txt from VPN2:

#!/usr/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;

# Create policies for racoon
spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec
       esp/tunnel/84.157.60.63-192.168.0.10/require;
spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec
       esp/tunnel/192.168.0.10-84.157.60.63/require;


Thanks, Mario
From: Aidas K. <a.k...@gm...> - 2005-08-23 17:10:53
Try tcpdump'ing esp or all packets. It is possible that tcpdump gets its
hands on the icmp packet when it is already encapsulated into an esp
packet and therefore you filter it out. Also, if NAT is involved, that
packet may be even further encapsulated into a UDP datagram.

From what you sent before, I was surprised that you listen on port 500
(instead of 4500) for nat-t isakmp traffic.

Mario Ohnewald wrote:
> It's getting a lot clearer now! ;)
>
> Here is my setup at the moment. Not simplified as I tried to explain it
> before.
>
> ------------------------------------------
> | eth0 192.168.1.201   -->   VPN1 BOX    |
> ------------------------------------------
>                |
>                |
> (192.168.1.254) firewall_1 ppp0 (123.123.123.123)
>                |
>                |
>                |internet
>                |
>                |
> (234.234.234.234) ppp0 firewall_2 (192.168.0.1)
>                |
>                |
> -----------------------------------------
> |192.168.0.10 - eth0   -->   VPN2 BOX   |
> -----------------------------------------
>
>
> 2005-08-23 18:40:48: INFO: ISAKMP-SA established
> 192.168.1.201[500]-84.160.217.88[500]
> spi:b09a8f88dde50e7f:ba0a991ed4949a84
> 2005-08-23 18:40:48: INFO: initiate new phase 2 negotiation:
> 192.168.1.201[500]<=>84.160.217.88[500]
> 2005-08-23 18:40:48: INFO: IPsec-SA established: ESP/Tunnel
> 84.160.217.88[500]->192.168.1.201[500] spi=140777020(0x864163c)
> 2005-08-23 18:40:48: INFO: IPsec-SA established: ESP/Tunnel
> 192.168.1.201[500]->84.160.217.88[500] spi=260883458(0xf8cc402)
>
>
> It almost works. The ping gets from VPN1 eth0 to VPN2 eth0.
> But the packet never returns:
>
> vpn2:~# ifconfig
> eth0      Link encap:Ethernet  HWaddr 00:0C:29:5F:31:17
>           inet addr:192.168.0.10  Bcast:192.168.0.255
> Mask:255.255.255.0
>           inet6 addr: fe80::20c:29ff:fe5f:3117/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:17478 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:6324 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:4738690 (4.5 MiB)  TX bytes:1119070 (1.0 MiB)
>           Interrupt:185 Base address:0x1080
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>
> vpn2:~# tcpdump -i eth0 icmp
> tcpdump: verbose output suppressed, use -v or -vv for full protocol
> decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 13:25:39.582816 IP 192.168.1.201 > 192.168.0.1: icmp 64: echo request
> seq 153
> 13:25:39.607842 IP 192.168.1.201 > 192.168.0.1: icmp 64: echo request
> seq 153
> 13:25:39.794471 IP 192.168.1.201 > 192.168.0.1: icmp 64: echo request
> seq 154
> 13:25:39.794716 IP 192.168.1.201 > 192.168.0.1: icmp 64: echo request
> seq 154
> 13:25:39.993432 IP 192.168.1.201 > 192.168.0.1: icmp 64: echo request
> seq 155
> 13:25:39.993520 IP 192.168.1.201 > 192.168.0.1: icmp 64: echo request
> seq 155
>
>
>
> Is this a routing problem?
>
> Here is my setkey.txt from VPN2:
>
> #!/usr/sbin/setkey -f
> #
> # Flush SAD and SPD
> flush;
> spdflush;
>
> # Create policies for racoon
> spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec
> esp/tunnel/84.157.60.63-192.168.0.10/require;
> spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec
> esp/tunnel/192.168.0.10-84.157.60.63/require;
>
>
> Thanks, Mario
>
>

--
Aidas Kasparas
IT administrator
GM Consult Group, UAB