Menu
▾
▴
Re: [Ipsec-tools-users] IPSec tunnel VPN issue with ipsec-tools 0.6.6 and linux kernel 2.6.21
|
From: Mick <mic...@gm...> - 2015-05-01 06:17:05
|
I see, you *have* to use 2.6.21 then. :-( The URL you provided is correct, the IPSec keying daemon is supposed to create the forward policy. There was an old bug in racoon where this policy would not be created: https://bugzilla.redhat.com/show_bug.cgi?id=150179 However, ipsec-tools 0.6.6 does not have this bug and should be creating the fwd policy. I can't recall if you tried to add fwd to your setkey policies manually? Can you please try this and check to see if the fwd policy is created? With regards to what is required in the kernel, check that these modules listed here are loaded: http://www.ipsec-howto.org/x304.html Also check that NAT is enabled in the kernel. On Thursday 30 Apr 2015 11:21:47 you wrote: > Hi Mick, > > Reason to use 2.6.21 is that, this SDK only support 2.6.21 and it will be > very big task to upgrade its kernel to latest one 3.2.x > > As I know 2.6.21 is also quite stable for IPSec function using ipsec-tools. > I used ipsec-tools 0.6.6 as it is stable for the ipsec tunnel function as > per > discussion on different forums with 2.6.21 kernel version otherwise I would > have used latest 0.8.2 ipsec-tools version. > > My SDK Linux kernel 2.6.21 netfilter module seems incomplete so I am now > using Ubuntu 12.04 as ipsec-tools server > to find issue and my test shows forwarding policy in Ubuntu and I can ping > LAN PC from router which was not > possible with two router so missing forwarding policy is the issue. > > > How to bring this forwarding policy ? > through kernel patch or is it ipsec-tools compile issue ? > > Like this discussion talks about such forwarding policy and > someone is saying ipsec-tool , racoon suppose to add this forwarding policy > to the kernel. > > http://serverfault.com/questions/635012/why-are-only-3-ip-xfrm-policies-nee > ded-for-a-ipsec-tunnel > > > is that correct ? > > But this ipsec-tools 0.6.6 version already suppose to add forwarding policy > to kernel. > > is that case that racoon try to add but kernel has no support ?? > > or > > ipsec-tools has configured without such option while configuring ?? > > But setting forward policy function must be in ipesc-tools and should not > be configurable. > > Now my task is to bring this forwarding policy anyway either patching or > reconfiguring Linux kernel 2.6.21 > or patching or reconfiguration ipsec-tools 0.6.6. > > what do you think ? > > I read about netfilter types full cone, restricted cone, port restricted > cone.. > will that be any issue ?? > > > Thanks > Jalindar > > On Fri, Apr 24, 2015 at 4:59 AM, Mick <mic...@gm...> wrote: > > Hi Jalindar, > > > > Unless there is some specific reason which you have not shared, I > > recommend that you install more recent kernel and ipsec-tools versions > > and try again. Otherwise, you will wasting a lot of effort to fix > > problems that the later versions do not have. > > > > Specific comments included within your message below. > > > > On Wednesday 22 Apr 2015 08:05:01 JALINDAR wrote: > > > Hi Mick, > > > > > > Yes , I was suspecting regarding setkey policy setting. My check using > > > #setkey -DP find no forwarding policy. > > > But I think forwarding policy should be there,am I right ? > > > > Yes, it should. If it doesn't then you should assume that your system is > > not > > working as intended. > > > > > At Router A : > > > > > > WAN INTERFACE : 192.168.3.11 > > > WAN GATEWAY : 192.168.3.10 > > > > > > LAN N/W ADDRESS : 192.168.1.0/24 > > > LAN GATEWAY : 192.168.1.254 > > > > > > ##without racoon running > > > > Are you sure? Without racoon running there should no policies present, > > unless > > they are some stale ones hanging around? > > > > > # setkey -DP > > > 192.168.8.0/24[any] <http://192.168.8.0/24%5Bany%5D> > > > 192.168.1.0/24[any] > > > > <http://192.168.1.0/24%5Bany%5D> any > > > > > in prio def ipsec > > > esp/tunnel/192.168.2.11-192.168.3.11/require > > > created: Jan 1 00:35:55 2000 lastused: > > > lifetime: 0(s) validtime: 0(s) > > > spid=40 seq=1 pid=1948 > > > refcnt=1 > > > > > > 192.168.1.0/24[any] <http://192.168.1.0/24%5Bany%5D> > > > 192.168.8.0/24[any] > > > > <http://192.168.8.0/24%5Bany%5D> any > > > > > out prio def ipsec > > > esp/tunnel/192.168.3.11-192.168.2.11/require > > > created: Jan 1 00:35:55 2000 lastused: > > > lifetime: 0(s) validtime: 0(s) > > > spid=33 seq=0 pid=1948 > > > refcnt=1 > > > > > > ##with racoon running > > > > > > # setkey -DP > > > 192.168.8.0/24[any] <http://192.168.8.0/24%5Bany%5D> > > > 192.168.1.0/24[any] > > > > <http://192.168.1.0/24%5Bany%5D> any > > > > > in prio def ipsec > > > esp/tunnel/192.168.2.11-192.168.3.11/require > > > created: Jan 1 00:35:55 2000 lastused: > > > lifetime: 0(s) validtime: 0(s) > > > spid=40 seq=1 pid=2522 > > > refcnt=1 > > > > > > 192.168.1.0/24[any] <http://192.168.1.0/24%5Bany%5D> > > > 192.168.8.0/24[any] > > > > <http://192.168.8.0/24%5Bany%5D> any > > > > > out prio def ipsec > > > esp/tunnel/192.168.3.11-192.168.2.11/require > > > created: Jan 1 00:35:55 2000 lastused: > > > lifetime: 0(s) validtime: 0(s) > > > spid=33 seq=2 pid=2522 > > > refcnt=1 > > > > > > (per-socket policy) > > > > > > in none > > > created: Jan 1 00:37:16 2000 lastused: > > > lifetime: 0(s) validtime: 0(s) > > > spid=51 seq=3 pid=2522 > > > refcnt=1 > > > > > > (per-socket policy) > > > > > > out none > > > created: Jan 1 00:37:16 2000 lastused: > > > lifetime: 0(s) validtime: 0(s) > > > spid=60 seq=0 pid=2522 > > > refcnt=1 > > > > You should definitely have a fwd SA present in there. Your system is not > > working as it should. > > > > > For /etc/setkey.conf file below: > > > > > > # cat /etc/setkey.conf > > > > > > #!/sbin/setkey -f > > > > > > #flush SAD and SPD > > > > > > flush; > > > > > > spdflush; > > > > > > > > > > > > #create polices from racoon > > > > > > spdadd 192.168.1.0/24 192.168.8.0/24 any -P out ipsec > > > > > > esp/tunnel/192.168.3.11-192.168.2.11/require; > > > > Put each directive on a single line; i.e. > > > > spdadd 192.168.1.0/24 192.168.8.0/24 any -P out ipsec \ > > esp/tunnel/192.168.3.11-192.168.2.11/require; > > > > (Where "\" indicates a line break to stop my mail client messing up the > > line > > wrapping around. You should have both lines above on a single line in > > the configuration file.) > > > > > spdadd 192.168.8.0/24 192.168.1.0/24 any -P in ipsec > > > > > > esp/tunnel/192.168.2.11-192.168.3.11/require; > > > > > > *I test using adding :* > > > > > > *spdadd 192.168.8.0/24 <http://192.168.8.0/24> 192.168.1.0/24 > > > <http://192.168.1.0/24> any -P fwd ipsec* > > > > > > *esp/tunnel/192.168.2.11-192.168.3.11/require;* > > > > > > output of #setkey -f /etc/setkey.conf with forward policy is > > > > > > The result of line 14: File exists. > > > > > > this line 14 is second line of the forward policy added > > > > > > But some documents like this one: > > > http://www.ipsec-howto.org/x304.html > > > > > > says : > > > > > > *Attention: When using the Linux kernel >= 2.6.10 you also have to > > > define the forward policy if packets need to be fowarded by the box. > > > Just make sure you use the ipsec-tools 0.5 which add this policy > > > automatically or > > > > add > > > > > it yourself if using older tools. If you are running setkey in > > > > Kernel-mode > > > > > (-k) you have to add the fwd-policy manually, too.* > > > > This page was written 10 years ago. To save your time and effort I would > > strongly recommend that you install a recent kernel and a more up to date > > version of ipsec-tools. > > > > I run ipsec-tools-0.8.2 on a 3.18.11 kernel and I do not have such > > problems. > > > > > As I am using ipsec-tools 0.6.6 , I expect no need to include this > > > forward policy in setkey. > > > > Correct. It should be created by your system when you ping the remote > > host and SAs are created, but it isn't being created, which indicates > > that your system is not working as it should. > > > > > but it is missing in #setkey -DP > > > > > > Anything wrong with setkey settings ?? > > > > I can't see anything wrong with your settings. The problem is with your > > kernel and potentially with the version of ipsec-tools. Run the most > > recent > > version your distribution offers. > > > > > My packet scan is going on and I found ping from LAN PC goes to other > > > router(ESP packet) if > > > > > > I add: > > > > > > *#iptables -t NAT -I POSTROUTING --dst 192.168.8.0/24 > > > <http://192.168.8.0/24> -j SNAT --to-source 192.168.1.254* > > > > > > in router with 192.168.1.254 LAN gateway and remote LAN address > > > 192.168.8.0/24 . > > > > > > that make me specious of my net-filter broken or not complete needed > > > for IPSec. > > > > > > is that correct ? > > > > You shouldn't need iptables to forward packets within the router's own > > subnet. > > > > > What is left is to check that: > > > > > > 1. ICMP packets are forwarded from the remote peer to the LAN PCs > > > behind it. > > > > > > >>ICMP packet goes to remote router from LAN PC but remote router do > > > >>not > > > > > > forward it to LAN > > > I can see ESP packet both direction but at LAN PC no ICMP response > > > > received > > > > > to request. > > > > > > How can I fix it ? is it router problem or IPSec or net-filter ? > > > > > > 2. That ICMP packets are received by the PCs in the remote LAN and > > > responded to. These PCs may be have been configured to only respond to > > > ICMP requests from IP addresses in their own local subnet, or not > > > respond to ICMP packets at > > > all. > > > > > > >>ICMP packet is received by remote router but it do not forward it to > > > > LAN > > > > > PC. > > > > > > Thanks > > > Jalindar > > > > > > On Wed, Apr 22, 2015 at 3:08 AM, Mick <mic...@gm...> wrote: > > > > Yes, racoon and IPSec work fine, since you can establish a tunnel > > > > between > > > > > > the > > > > two peers. > > > > > > > > You can check that the ESP tunnel is configured correctly to connect > > > > the > > > > > > two > > > > > > > > LANs by studying the output of: > > > > setkey -DP > > > > > > > > This should show SAs created for in/out/fwd. > > > > > > > > Also check the output of your syslog. > > > > > > > > Then from my previous suggestion you have checked that the kernel is > > > > configured to forward packets, according to sysctl. > > > > > > > > What is left is to check that: > > > > > > > > 1. ICMP packets are forwarded from the remote peer to the LAN PCs > > > > behind > > > > > > it. > > > > > > > > 2. That ICMP packets are received by the PCs in the remote LAN and > > > > responded > > > > to. These PCs may be have been configured to only respond to ICMP > > > > requests from IP addresses in their own local subnet, or not respond > > > > to ICMP packets at > > > > all. > > > > > > > > Have you performed these checks and what have you found out? > > > > > > > > Kernel version 2.6.21 is rather old, like 8 years old! You should > > > > update > > > > > > this > > > > to a more recent kernel regardless, although I suspect that it is not > > > > related > > > > to your problem. > > > > > > > > On Tuesday 21 Apr 2015 12:17:00 you wrote: > > > > > Hi Mick, > > > > > > > > > > Ok that help me to tab the issue but I would like to divide this > > > > issue > > > > > > into > > > > > > > > > three, for fixing it: > > > > > > > > > > 1.* raccon:* As IKE is working all ok and IPSec is set to kernel, > > > > > it > > > > > > > > should > > > > > > > > > not have any issue. > > > > > and anyway its role is to keyexchange and not much into actual > > > > > IPSec > > > > , > > > > > > > which kernel has to do. > > > > > > > > > > 2. *setkey :* SPD setting should be ok > > > > > > > > > > 3. *linux Kernel: *IPSec setting of kernel should not be ok. > > > > > > > > > > from my conclusion , it seems like I have something either missing > > > > > or in error inside Linux kernel. > > > > > As I know IPSec do not need any special routing to work. > > > > > > > > > > Is my conclusion is correct ? > > > > > > > > > > if yes then is there any document which says what detailed kernel > > > > > modules needed for IPSec. > > > > > like in netfilter mangle table needed ?? > > > > > > > > > > I am using linux kernel 2.6.21.x > > > > > > > > > > > > > > > Thanks > > > > > Jalindar > > > > > > > > > > On Fri, Apr 10, 2015 at 3:50 AM, Mick <mic...@gm...> > > > > wrote: > > > > > > On Thursday 09 Apr 2015 10:03:19 you wrote: > > > > > > > Hi Mick, > > > > > > > > > > > > > > I tried your suggestion but result is same. > > > > > > > > > > > > > > If there was setting issue then IPSec would not have worked at > > > > all. > > > > > > > > Not necessarily, it could work partially. You could be > > > > communicating > > > > > > > > with the > > > > > > gateway, but getting no further than that because the router does > > > > not > > > > > > > > forward > > > > > > packets to the subnet behind it. > > > > > > > > > > > > > But it works. IPSec set to kernel. Lan devices can ping other > > > > Lan > > > > > > > > gateway, > > > > > > > > > > > > > like 192.168.8.100 can ping 192.168.1.254 and reverse. But > > > > router > > > > > > > > > or LAN > > > > > > > > > > > > > > PC can not ping to other LAN PC. > > > > > > > > > > > > I understand. You could check that ICMP packets actually leave > > > > > > the router towards the LAN PCs behind it; i.e. that the router > > > > processes > > > > > > and > > > > > > > > > > forwards incoming packets to PCs within its own LAN. You can use > > > > > > tcpdump or wireshark > > > > > > for this. You can also check if the LAN PCs receive these ICMP > > > > > > packets and not respond to them, or if they do not receive them > > > > > > at all. > > > > > > > > > > > > > On Thu, Apr 9, 2015 at 2:03 PM, Mick > > > > > > > <mic...@gm...> > > > > > > > > wrote: > > > > > > > > On Thursday 09 Apr 2015 03:30:40 JALINDAR wrote: > > > > > > > > > Hi All, > > > > > > > > > > > > > > > > > > I am using ipsec-tools 0.6.6 to get IPSec tunnl vpn to > > > > connect > > > > > > two > > > > > > > > > > LAN. > > > > > > > > > > > > > > > LAN A and B. > > > > > > > > > > > > > > > > > > Check the diagram for more details. > > > > > > > > > My setting are as below. > > > > > > > > > *Router A:* > > > > > > > > > > > > > > > > > > # cat /etc/racoon.conf > > > > > > > > > > > > > > > > > > path pre_shared_key "/etc/psk.txt" ; > > > > > > > > > > > > > > > > > > listen { > > > > > > > > > isakmp 1.2.3.4 ; > > > > > > > > > strict_address ; > > > > > > > > > > > > > > > > > > } > > > > > > > > > > > > > > > > > > remote 5.6.7.8 { > > > > > > > > > > > > > > > > > > exchange_mode main,base ; > > > > > > > > > lifetime time 12 hour ; > > > > > > > > > > > > > > > > > > proposal { > > > > > > > > > > > > > > > > > > encryption_algorithm 3des ; > > > > > > > > > hash_algorithm md5 ; > > > > > > > > > authentication_method pre_shared_key ; > > > > > > > > > dh_group 2 ; > > > > > > > > > > > > > > > > > > } > > > > > > > > > > > > > > > > > > } > > > > > > > > > > > > > > > > > > sainfo anonymous { > > > > > > > > > > > > > > > > > > pfs_group 2 ; > > > > > > > > > lifetime time 12 hour; > > > > > > > > > encryption_algorithm 3des ; > > > > > > > > > authentication_algorithm hmac_md5 ; > > > > > > > > > compression_algorithm deflate ; > > > > > > > > > > > > > > > > > > } > > > > > > > > > > > > > > > > > > > > > > > > > > > # cat /etc/setkey.conf > > > > > > > > > > > > > > > > > > #!/sbin/setkey -f > > > > > > > > > #flush SAD and SPD > > > > > > > > > flush; > > > > > > > > > spdflush; > > > > > > > > > > > > > > > > > > #create polices from racoon > > > > > > > > > spdadd 192.168.1.0/24 192.168.8.0/24 any -P out ipsec > > > > > > > > > esp/tunnel/1.2.3.4 -5.6.7.8/require; > > > > > > > > > > > > > > > > I assume this is a typo? It should be: > > > > > > > > esp/tunnel/1.2.3.4-5.6.7.8/require; > > > > > > > > > > > > > > > > > spdadd 192.168.8.0/24 192.168.1.0/24 any -P in ipsec > > > > > > > > > esp/tunnel/5.6.7.8-1.2.3.4 /require; > > > > > > > > > > > > > > > > This should also no have a space before "/require;" > > > > > > > > > > > > > > > > > # cat /etc/psk.txt > > > > > > > > > #IPv4 Address > > > > > > > > > 5.6.7.8 123456789 > > > > > > > > > > > > > > > > > > *Router B:* > > > > > > > > > > > > > > > > > > # cat /etc/racoon.conf path pre_shared_key "/etc/psk.txt" > > > > > > > > > ; > > > > > > > > > > > > > > > > > > listen { > > > > > > > > > isakmp 5.6.7.8 ; > > > > > > > > > > > > > > > > > > strict_address ; > > > > > > > > > } > > > > > > > > > > > > > > > > > > remote 1.2.3.4 { > > > > > > > > > > > > > > > > > > exchange_mode main,base ; > > > > > > > > > > > > > > > > > > lifetime time 12 hour ; > > > > > > > > > > > > > > > > > > proposal { > > > > > > > > > > > > > > > > > > encryption_algorithm 3des ; > > > > > > > > > > > > > > > > > > hash_algorithm md5 ; > > > > > > > > > authentication_method pre_shared_key ; > > > > > > > > > > > > > > > > > > dh_group 2 ; > > > > > > > > > > > > > > > > > > } > > > > > > > > > > > > > > > > > > } > > > > > > > > > > > > > > > > > > sainfo anonymous { > > > > > > > > > > > > > > > > > > pfs_group 2 ; > > > > > > > > > lifetime time 12 hour; > > > > > > > > > > > > > > > > > > encryption_algorithm 3des ; > > > > > > > > > > > > > > > > > > authentication_algorithm hmac_md5 ; > > > > > > > > > compression_algorithm deflate ; > > > > > > > > > > > > > > > > > > } > > > > > > > > > > > > > > > > > > # cat /etc/setkey.conf > > > > > > > > > #!/sbin/setkey -f > > > > > > > > > #flush SAD and SPD > > > > > > > > > > > > > > > > > > flush; > > > > > > > > > spdflush; > > > > > > > > > > > > > > > > > > #create polices from racoon > > > > > > > > > spdadd 192.168.8.0/24 192.168.1.0/24 any -P out ipsec > > > > > > > > > esp/tunnel/5.6.7.8 -1.2.3.4/require; > > > > > > > > > > > > > > > > Same as I commented above. > > > > > > > > > > > > > > > > > spdadd 192.168.1.0/24 192.168.8.0/24 any -P in ipsec > > > > > > > > > esp/tunnel/1.2.3.4-5.6.7.8 /require; > > > > > > > > > > > > > > > > Same as I commented above. > > > > > > > > > > > > > > > > > # cat /etc/psk.txt > > > > > > > > > #IPv4 Address > > > > > > > > > 1.2.3.4 123456789 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Router A Lan > > > > > > > > > > > > > > > > > > Router B Lan > > > > > > > > 192.168.1.0/24 > > > > > > > > > > > > > 192.168.8.0/24 > > > > > > > > > Gateway: > > > > > > > > > 192.168.1.254 > > > > > > > > > Gateway:192.168.8.254 > > > > > > > > > > > > > > > > > > |_|_|_|______*Router A > > > > 1..2.3.4>>>>>internet<<<<<5.6.7.8 > > > > > > > > > > > |Router B* > > > > > > > > > > > > > > > > > > ______|_|_|_| > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > I can ping 192.168.1.254 gateway from 192.168.8.100 and > > > > > > > > similarly > > > > > > > > > > from > > > > > > > > > > > > > > > other side LAN network PC. > > > > > > > > > > > > > > > > > > I can ping 192.168.1.100 from 192.168.8.254 OK and > > > > > > > > > similarly from > > > > > > > > > > > > other > > > > > > > > > > > > > > > side. > > > > > > > > > > > > > > > > > > I can open router management server web page from LAN PC > > > > > > > > > at > > > > > > > > other > > > > > > > > > > LAN > > > > > > > > > > > > > > > network. > > > > > > > > > > > > > > > > > > But I can not ping 192.168.1.100 from 192.168.8.100 and > > > > reverse > > > > > > > > > > > way. only LAN gateways are reachable. > > > > > > > > > > > > > > > > This statement contradicts the previous regarding what you > > > > > > > > can ping and what > > > > > > > > not. I assume that you cannot ping 192.168.8.100 from > > > > > > > > 192.168.1.100? > > > > > > > > > > > > > where as whole LAN should be reachable from other LAN. > > > > > > > > > > > > > > > > > > am I missing some setting ? > > > > > > > > > > > > > > > > Check that Router B has been set up to allow ip forwarding; > > > > e.g. > > > > > > > > > > sysclt -a | grep eth0.forwarding > > > > > > > > > > > > > > > > net.ipv4.conf.eth0.forwarding = 1 > > > > > > > > > > > > > > > > > > > > > > > > also check that the firewall on Router B is similarly allowed > > > > to > > > > > > > > forward > > > > > > > > > > > > > > packets. > > > > > > > > > > > > > > > > If not adjust accordingly. > > > > > > > > > > > > > > > > -- > > > > > > > > Regards, > > > > > > > > Mick > > > > > > > > > > > > -- > > > > > > Regards, > > > > > > Mick > > > > > > > > -- > > > > Regards, > > > > Mick > > > > -- > > Regards, > > Mick -- Regards, Mick |
