From: Juan N. <ju...@gm...> - 2006-11-07 22:11:39
Hi... I received no answer from my previous post. I have now installed 2 new clean boxes in order to test, using only private IP addresses. But this time I'm trying to bring up only 1 VPN, using the secondary IP address of BOX 1, which is now not on a subinterface but on another separate interface (another network card), and it doesn't work. If I use BOX 1's primary address instead, it works.

This is my conf, trying to bring up only 1 VPN:

########################
# Box 1
########################

# dpkg -l | grep ipsec
ii  ipsec-tools    0.5.2-1sarge1    IPsec tools for Linux

# dpkg -l | grep racoon
ii  racoon         0.5.2-1sarge1    IPsec IKE keying daemon

# uname -a
Linux debian 2.6.8-3-686 #1 Thu Sep 7 03:38:22 UTC 2006 i686 GNU/Linux

# cat /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 192.168.0.249
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.250
        dns-nameservers 192.168.0.1

auto eth1
iface eth1 inet static
        address 192.168.0.250
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255

auto eth2
iface eth2 inet static
        address 10.10.0.1
        netmask 255.255.255.0
        network 10.10.0.0
        broadcast 10.10.0.255

auto eth2:1
iface eth2:1 inet static
        address 20.10.0.1
        netmask 255.255.255.0
        network 20.10.0.0
        broadcast 20.10.0.255

# cat /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 20.10.0.1/32 20.20.0.1/32 any -P out ipsec esp/tunnel/192.168.0.250-192.168.0.248/require;
spdadd 20.20.0.1/32 20.10.0.1/32 any -P in ipsec esp/tunnel/192.168.0.248-192.168.0.250/require;

# cat /etc/racoon/psk.txt
192.168.0.248 test12

# cat /etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";

remote 192.168.0.248 {
        exchange_mode main;
        my_identifier address;
        lifetime time 28800 sec;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address 20.10.0.1/32 any address 20.20.0.1/32 any {
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

# ip ro ls
20.20.0.1 via 192.168.0.250 dev eth1  src 20.10.0.1
10.10.0.0/24 dev eth2  proto kernel  scope link  src 10.10.0.1
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.249
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.250
20.10.0.0/24 dev eth2  proto kernel  scope link  src 20.10.0.1
default via 192.168.0.250 dev eth0

########################
# Box 2
########################

# dpkg -l | grep ipsec
ii  ipsec-tools    0.5.2-1sarge1    IPsec tools for Linux

# dpkg -l | grep racoon
ii  racoon         0.5.2-1sarge1    IPsec IKE keying daemon

# uname -a
Linux debian 2.6.8-3-686 #1 Thu Sep 7 03:38:22 UTC 2006 i686 GNU/Linux

# cat /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 192.168.0.248
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 192.168.0.1

auto eth1
iface eth1 inet static
        address 10.20.0.1
        netmask 255.255.255.0
        network 10.20.0.0
        broadcast 10.20.0.255

auto eth1:1
iface eth1:1 inet static
        address 20.20.0.1
        netmask 255.255.255.0
        network 20.20.0.0
        broadcast 20.20.0.255

# cat /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 20.10.0.1/32 20.20.0.1/32 any -P in ipsec esp/tunnel/192.168.0.250-192.168.0.248/require;
spdadd 20.20.0.1/32 20.10.0.1/32 any -P out ipsec esp/tunnel/192.168.0.248-192.168.0.250/require;

# cat /etc/racoon/psk.txt
192.168.0.250 test12

# cat /etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";

remote 192.168.0.250 {
        exchange_mode main;
        my_identifier address;
        lifetime time 28800 sec;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address 20.20.0.1/32 any address 20.10.0.1/32 any {
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

# ip ro ls
20.10.0.1 via 192.168.0.248 dev eth0  src 20.20.0.1
10.20.0.0/24 dev eth1  proto kernel  scope link  src 10.20.0.1
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.248
20.20.0.0/24 dev eth1  proto kernel  scope link  src 20.20.0.1
default via 192.168.0.1 dev eth0

##################

When I start setkey and racoon on both hosts and send a ping from one host to the other, the VPN seems to come up. On BOX 1 I see:

# cat /var/log/daemon.log
Nov 7 19:56:59 debian racoon: INFO: unsupported PF_KEY message REGISTER
Nov 7 19:56:59 debian racoon: INFO: caught signal 15
Nov 7 19:57:00 debian racoon: INFO: racoon shutdown
Nov 7 19:57:00 debian racoon: INFO: @(#)ipsec-tools 0.5.2 (http://ipsec-tools.sourceforge.net)
Nov 7 19:57:00 debian racoon: INFO: @(#)This product linked OpenSSL 0.9.7e 25 Oct 2004 (http://www.openssl.org/)
Nov 7 19:57:01 debian racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
Nov 7 19:57:01 debian racoon: INFO: 127.0.0.1[500] used for NAT-T
Nov 7 19:57:01 debian racoon: INFO: 192.168.0.249[500] used as isakmp port (fd=9)
Nov 7 19:57:01 debian racoon: INFO: 192.168.0.249[500] used for NAT-T
Nov 7 19:57:01 debian racoon: INFO: 192.168.0.250[500] used as isakmp port (fd=10)
Nov 7 19:57:01 debian racoon: INFO: 192.168.0.250[500] used for NAT-T
Nov 7 19:57:01 debian racoon: INFO: 10.10.0.1[500] used as isakmp port (fd=11)
Nov 7 19:57:01 debian racoon: INFO: 10.10.0.1[500] used for NAT-T
Nov 7 19:57:01 debian racoon: INFO: 20.10.0.1[500] used as isakmp port (fd=12)
Nov 7 19:57:01 debian racoon: INFO: 20.10.0.1[500] used for NAT-T
Nov 7 19:57:01 debian racoon: INFO: ::1[500] used as isakmp port (fd=13)
Nov 7 19:57:01 debian racoon: INFO: fe80::250:4ff:fed3:bb9d%eth0[500] used as isakmp port (fd=14)
Nov 7 19:57:01 debian racoon: INFO: fe80::250:4ff:fecf:20b1%eth1[500] used as isakmp port (fd=15)
Nov 7 19:57:01 debian racoon: INFO: fe80::250:daff:feb3:db45%eth2[500] used as isakmp port (fd=16)
Nov 7 19:57:17 debian racoon: INFO: IPsec-SA request for 192.168.0.248 queued due to no phase1 found.
Nov 7 19:57:17 debian racoon: INFO: initiate new phase 1 negotiation: 192.168.0.250[500]<=>192.168.0.248[500]
Nov 7 19:57:17 debian racoon: INFO: begin Identity Protection mode.
Nov 7 19:57:17 debian racoon: INFO: received Vendor ID: DPD
Nov 7 19:57:17 debian racoon: INFO: ISAKMP-SA established 192.168.0.250[500]-192.168.0.248[500] spi:8b5798310685deb9:60872345d290fa0c
Nov 7 19:57:18 debian racoon: INFO: initiate new phase 2 negotiation: 192.168.0.250[0]<=>192.168.0.248[0]
Nov 7 19:57:19 debian racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.0.248->192.168.0.250 spi=99414467(0x5ecf1c3)
Nov 7 19:57:19 debian racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.0.250->192.168.0.248 spi=233314950(0xde81a86)

# setkey -D
192.168.0.250 192.168.0.248
        esp mode=tunnel spi=233314950(0x0de81a86) reqid=0(0x00000000)
        E: 3des-cbc  610ac72e 4ea36fb2 8c6ffd98 ffaadddc cbc4103b bb787425
        A: hmac-md5  2fa9ee36 a2e3d4ab 60533a72 e9dbafe2
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Nov 7 19:57:19 2006   current: Nov 7 19:58:52 2006
        diff: 93(s)     hard: 3600(s)   soft: 2880(s)
        last: Nov 7 19:57:20 2006      hard: 0(s)      soft: 0(s)
        current: 408(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 3    hard: 0 soft: 0
        sadb_seq=1 pid=2339 refcnt=0
192.168.0.248 192.168.0.250
        esp mode=tunnel spi=99414467(0x05ecf1c3) reqid=0(0x00000000)
        E: 3des-cbc  97e71617 fa18958c c0b03bee 3426d1ae 821fb8d2 714e49b2
        A: hmac-md5  0da0e554 1c499d06 c1bd83d9 175a797a
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Nov 7 19:57:19 2006   current: Nov 7 19:58:52 2006
        diff: 93(s)     hard: 3600(s)   soft: 2880(s)
        last: Nov 7 19:57:20 2006      hard: 0(s)      soft: 0(s)
        current: 252(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 3    hard: 0 soft: 0
        sadb_seq=0 pid=2339 refcnt=0

# setkey -DP
20.20.0.1[any] 20.10.0.1[any] any
        in ipsec esp/tunnel/192.168.0.248-192.168.0.250/require
        created: Nov 7 19:56:59 2006  lastused:
        lifetime: 0(s) validtime: 0(s)  spid=808 seq=20 pid=2340 refcnt=1
20.10.0.1[any] 20.20.0.1[any] any
        out ipsec esp/tunnel/192.168.0.250-192.168.0.248/require
        created: Nov 7 19:56:59 2006  lastused: Nov 7 19:57:22 2006
        lifetime: 0(s) validtime: 0(s)  spid=801 seq=19 pid=2340 refcnt=3
20.20.0.1[any] 20.10.0.1[any] any
        fwd ipsec esp/tunnel/192.168.0.248-192.168.0.250/require
        created: Nov 7 19:56:59 2006  lastused:
        lifetime: 0(s) validtime: 0(s)  spid=818 seq=18 pid=2340 refcnt=1
(per-socket policy) in none
        created: Nov 7 19:57:01 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=955 seq=17 pid=2340 refcnt=1
(per-socket policy) in none
        created: Nov 7 19:57:01 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=939 seq=16 pid=2340 refcnt=1
(per-socket policy) in none
        created: Nov 7 19:57:01 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=923 seq=15 pid=2340 refcnt=1
(per-socket policy) in none
        created: Nov 7 19:57:01 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=907 seq=14 pid=2340 refcnt=1
(per-socket policy) in none
        created: Nov 7 19:57:01 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=891 seq=13 pid=2340 refcnt=1
(per-socket policy) in none
        created: Nov 7 19:57:01 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=875 seq=12 pid=2340 refcnt=1
(per-socket policy) in none
        created: Nov 7 19:57:01 2006  lastused: Nov 7 19:57:19 2006  lifetime: 0(s) validtime: 0(s)  spid=859 seq=11 pid=2340 refcnt=1
(per-socket policy) in none
        created: Nov 7 19:57:01 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=843 seq=10 pid=2340 refcnt=1
(per-socket policy) in none
        created: Nov 7 19:57:01 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=827 seq=9 pid=2340 refcnt=1
(per-socket policy) out none
        created: Nov 7 19:57:01 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=964 seq=8 pid=2340 refcnt=1
(per-socket policy) out none
        created: Nov 7 19:57:01 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=948 seq=7 pid=2340 refcnt=1
(per-socket policy) out none
        created: Nov 7 19:57:01 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=932 seq=6 pid=2340 refcnt=1
(per-socket policy) out none
        created: Nov 7 19:57:01 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=916 seq=5 pid=2340 refcnt=1
(per-socket policy) out none
        created: Nov 7 19:57:01 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=900 seq=4 pid=2340 refcnt=1
(per-socket policy) out none
        created: Nov 7 19:57:01 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=884 seq=3 pid=2340 refcnt=1
(per-socket policy) out none
        created: Nov 7 19:57:01 2006  lastused: Nov 7 19:57:19 2006  lifetime: 0(s) validtime: 0(s)  spid=868 seq=2 pid=2340 refcnt=1
(per-socket policy) out none
        created: Nov 7 19:57:01 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=852 seq=1 pid=2340 refcnt=1
(per-socket policy) out none
        created: Nov 7 19:57:01 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=836 seq=0 pid=2340 refcnt=1

And on BOX 2 I see:

# cat /var/log/daemon.log
Nov 7 19:56:00 debian2 racoon: INFO: purged IPsec-SA proto_id=ESP spi=191805744.
Nov 7 19:56:01 debian2 racoon: INFO: purged ISAKMP-SA proto_id=ISAKMP spi=1b0bc08c5f871dc1:e3b18b7da0f3a158.
Nov 7 19:56:02 debian2 racoon: INFO: ISAKMP-SA deleted 192.168.0.248[500]-192.168.0.250[500] spi:1b0bc08c5f871dc1:e3b18b7da0f3a158
Nov 7 19:56:08 debian2 racoon: INFO: unsupported PF_KEY message REGISTER
Nov 7 19:56:08 debian2 racoon: INFO: caught signal 15
Nov 7 19:56:09 debian2 racoon: INFO: racoon shutdown
Nov 7 19:56:09 debian2 racoon: INFO: @(#)ipsec-tools 0.5.2 (http://ipsec-tools.sourceforge.net)
Nov 7 19:56:09 debian2 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e 25 Oct 2004 (http://www.openssl.org/)
Nov 7 19:56:10 debian2 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
Nov 7 19:56:10 debian2 racoon: INFO: 127.0.0.1[500] used for NAT-T
Nov 7 19:56:10 debian2 racoon: INFO: 192.168.0.248[500] used as isakmp port (fd=9)
Nov 7 19:56:10 debian2 racoon: INFO: 192.168.0.248[500] used for NAT-T
Nov 7 19:56:10 debian2 racoon: INFO: 10.20.0.1[500] used as isakmp port (fd=10)
Nov 7 19:56:10 debian2 racoon: INFO: 10.20.0.1[500] used for NAT-T
Nov 7 19:56:10 debian2 racoon: INFO: 20.20.0.1[500] used as isakmp port (fd=11)
Nov 7 19:56:10 debian2 racoon: INFO: 20.20.0.1[500] used for NAT-T
Nov 7 19:56:10 debian2 racoon: INFO: ::1[500] used as isakmp port (fd=12)
Nov 7 19:56:10 debian2 racoon: INFO: fe80::250:4ff:fed3:9f6b%eth0[500] used as isakmp port (fd=13)
Nov 7 19:56:10 debian2 racoon: INFO: fe80::250:4ff:fed3:bbbb%eth1[500] used as isakmp port (fd=14)
Nov 7 19:56:19 debian2 racoon: INFO: respond new phase 1 negotiation: 192.168.0.248[500]<=>192.168.0.250[500]
Nov 7 19:56:19 debian2 racoon: INFO: begin Identity Protection mode.
Nov 7 19:56:19 debian2 racoon: INFO: received Vendor ID: DPD
Nov 7 19:56:19 debian2 racoon: INFO: ISAKMP-SA established 192.168.0.248[500]-192.168.0.250[500] spi:8b5798310685deb9:60872345d290fa0c
Nov 7 19:56:20 debian2 racoon: INFO: respond new phase 2 negotiation: 192.168.0.248[0]<=>192.168.0.250[0]
Nov 7 19:56:20 debian2 racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.0.250->192.168.0.248 spi=233314950(0xde81a86)
Nov 7 19:56:20 debian2 racoon: INFO: IPsec-SA established: ESP/Tunnel 192.168.0.248->192.168.0.250 spi=99414467(0x5ecf1c3)

# setkey -D
192.168.0.250 192.168.0.248
        esp mode=tunnel spi=233314950(0x0de81a86) reqid=0(0x00000000)
        E: 3des-cbc  610ac72e 4ea36fb2 8c6ffd98 ffaadddc cbc4103b bb787425
        A: hmac-md5  2fa9ee36 a2e3d4ab 60533a72 e9dbafe2
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Nov 7 19:56:20 2006   current: Nov 7 19:58:23 2006
        diff: 123(s)    hard: 3600(s)   soft: 2880(s)
        last: Nov 7 19:56:21 2006      hard: 0(s)      soft: 0(s)
        current: 252(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 3    hard: 0 soft: 0
        sadb_seq=1 pid=2407 refcnt=0
192.168.0.248 192.168.0.250
        esp mode=tunnel spi=99414467(0x05ecf1c3) reqid=0(0x00000000)
        E: 3des-cbc  97e71617 fa18958c c0b03bee 3426d1ae 821fb8d2 714e49b2
        A: hmac-md5  0da0e554 1c499d06 c1bd83d9 175a797a
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Nov 7 19:56:20 2006   current: Nov 7 19:58:23 2006
        diff: 123(s)    hard: 3600(s)   soft: 2880(s)
        last: Nov 7 19:56:21 2006      hard: 0(s)      soft: 0(s)
        current: 408(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 3    hard: 0 soft: 0
        sadb_seq=0 pid=2407 refcnt=0

# setkey -DP
20.10.0.1[any] 20.20.0.1[any] any
        in ipsec esp/tunnel/192.168.0.250-192.168.0.248/require
        created: Nov 7 19:56:08 2006  lastused: Nov 7 19:56:23 2006
        lifetime: 0(s) validtime: 0(s)  spid=3040 seq=16 pid=2408 refcnt=2
20.20.0.1[any] 20.10.0.1[any] any
        out ipsec esp/tunnel/192.168.0.248-192.168.0.250/require
        created: Nov 7 19:56:08 2006  lastused: Nov 7 19:56:23 2006
        lifetime: 0(s) validtime: 0(s)  spid=3057 seq=15 pid=2408 refcnt=2
20.10.0.1[any] 20.20.0.1[any] any
        fwd ipsec esp/tunnel/192.168.0.250-192.168.0.248/require
        created: Nov 7 19:56:08 2006  lastused:
        lifetime: 0(s) validtime: 0(s)  spid=3050 seq=14 pid=2408 refcnt=1
(per-socket policy) in none
        created: Nov 7 19:56:10 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=3163 seq=13 pid=2408 refcnt=1
(per-socket policy) in none
        created: Nov 7 19:56:10 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=3147 seq=12 pid=2408 refcnt=1
(per-socket policy) in none
        created: Nov 7 19:56:10 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=3131 seq=11 pid=2408 refcnt=1
(per-socket policy) in none
        created: Nov 7 19:56:10 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=3115 seq=10 pid=2408 refcnt=1
(per-socket policy) in none
        created: Nov 7 19:56:10 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=3099 seq=9 pid=2408 refcnt=1
(per-socket policy) in none
        created: Nov 7 19:56:10 2006  lastused: Nov 7 19:56:20 2006  lifetime: 0(s) validtime: 0(s)  spid=3083 seq=8 pid=2408 refcnt=1
(per-socket policy) in none
        created: Nov 7 19:56:10 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=3067 seq=7 pid=2408 refcnt=1
(per-socket policy) out none
        created: Nov 7 19:56:10 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=3172 seq=6 pid=2408 refcnt=1
(per-socket policy) out none
        created: Nov 7 19:56:10 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=3156 seq=5 pid=2408 refcnt=1
(per-socket policy) out none
        created: Nov 7 19:56:10 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=3140 seq=4 pid=2408 refcnt=1
(per-socket policy) out none
        created: Nov 7 19:56:10 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=3124 seq=3 pid=2408 refcnt=1
(per-socket policy) out none
        created: Nov 7 19:56:10 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=3108 seq=2 pid=2408 refcnt=1
(per-socket policy) out none
        created: Nov 7 19:56:10 2006  lastused: Nov 7 19:56:20 2006  lifetime: 0(s) validtime: 0(s)  spid=3092 seq=1 pid=2408 refcnt=1
(per-socket policy) out none
        created: Nov 7 19:56:10 2006  lastused:  lifetime: 0(s) validtime: 0(s)  spid=3076 seq=0 pid=2408 refcnt=1

Everything seems fine, but I cannot send traffic between 20.10.0.1 and 20.20.0.1... nothing happens. If I set up the same VPN using 192.168.0.249 on BOX 1, everything works fine. 192.168.0.249 is BOX 1's main IP address on eth0. Why doesn't the VPN work when using the IP address 192.168.0.250 from eth1? Any clues? I'm stuck with this, and having to use another host for bringing up both VPNs at the same time makes no sense.

Before anyone asks, there are no firewall rules :)

BOX 1:
# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

BOX 2:
# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Thanks in advance,
Juan
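As an added example (not Juan's code and not part of ipsec-tools), a small Python checker that parses the `ip ro ls` and spdadd lines quoted above for BOX 1 and reports two things worth verifying first in a case like this: whether every out policy has a mirrored in policy, and whether an out policy's tunnel source is the source address the routing table would pick for the peer. It assumes that among equal-length prefixes the first route `ip ro ls` lists is the one in use, and that only key/value pairs follow the prefix in the route output; with two 192.168.0.0/24 routes that tie goes to eth0 (src .249), which is the asymmetry the post describes, so the tool flags it for investigation rather than claiming it as the cause.

```python
import ipaddress
import re

# Constructed sample input, copied from the BOX 1 "ip ro ls" and /etc/ipsec-tools.conf output above.
ROUTES_BOX1 = """\
20.20.0.1 via 192.168.0.250 dev eth1 src 20.10.0.1
10.10.0.0/24 dev eth2 proto kernel scope link src 10.10.0.1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.249
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.250
20.10.0.0/24 dev eth2 proto kernel scope link src 20.10.0.1
default via 192.168.0.250 dev eth0
"""
SPD_BOX1 = """\
spdadd 20.10.0.1/32 20.20.0.1/32 any -P out ipsec esp/tunnel/192.168.0.250-192.168.0.248/require;
spdadd 20.20.0.1/32 20.10.0.1/32 any -P in ipsec esp/tunnel/192.168.0.248-192.168.0.250/require;
"""
SPDADD = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out|fwd)\s+ipsec\s+"
                    r"esp/tunnel/([\d.]+)-([\d.]+)/\w+;")

def parse_routes(text):
    """Parse 'ip ro ls' lines; assumes only key/value pairs follow the prefix (no bare flags)."""
    routes = []
    for f in (l.split() for l in text.splitlines() if l.strip()):
        net = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0], strict=False)
        routes.append({"net": net, **dict(zip(f[1::2], f[2::2]))})
    return routes

def parse_spd(text):
    """Extract (src, dst, dir, tun_src, tun_dst) from spdadd lines in ipsec-tools.conf."""
    return [dict(zip(("src", "dst", "dir", "tun_src", "tun_dst"), m.groups()))
            for m in SPDADD.finditer(text)]

def lookup(routes, dst):
    """Longest-prefix match; on equal prefix length the first listed route is assumed to win."""
    dst, best = ipaddress.ip_address(dst), None
    for r in routes:
        if dst in r["net"] and (best is None or r["net"].prefixlen > best["net"].prefixlen):
            best = r
    return best

def check_policies(routes_text, spd_text):
    """Report out policies lacking a mirrored in policy, or whose tunnel source is not the route's source."""
    routes, pols = parse_routes(routes_text), parse_spd(spd_text)
    ins = {(p["src"], p["dst"], p["tun_src"], p["tun_dst"]) for p in pols if p["dir"] == "in"}
    findings = []
    for p in (p for p in pols if p["dir"] == "out"):
        if (p["dst"], p["src"], p["tun_dst"], p["tun_src"]) not in ins:
            findings.append(f"no mirrored 'in' policy for {p['src']} -> {p['dst']}")
        r = lookup(routes, p["tun_dst"])
        if r is None:
            findings.append(f"no route to tunnel peer {p['tun_dst']}")
        elif r.get("src", p["tun_src"]) != p["tun_src"]:
            findings.append(f"tunnel source {p['tun_src']} differs from route source "
                            f"{r['src']} (dev {r['dev']}) for peer {p['tun_dst']}")
    return findings
```

Running `check_policies(ROUTES_BOX1, SPD_BOX1)` yields one finding for the .250 tunnel source; substituting 192.168.0.249 (the configuration Juan reports as working) yields none.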