Hi all, first of all I want to apologize for the very long email. This is driving me crazy and in 4 days our current VPN will be dead. Started over, reconfigured cisco pix following cisco vpn guide and http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html (differences in no-xauth no-config-mode, lifetime 28800 and esp-md5-hmac). Modified rule in firewall, added $IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.10.0/24 -d\! 192.168.100.0/24 -j MASQUERADE not to nat packets going to 192.168.100.0 (am I right?), started ipsec and connection on the linux box, public ip 162.x.x.90 private network 192.168.10.x this is the result of setkey -DP 192.168.100.0/24[any] 192.168.10.0/24[any] any in ipsec esp/tunnel/182.xxx.xxx.130-162.xxx.xxx.90/unique#16385 created: May 25 14:19:10 2005 lastused: lifetime: 0(s) validtime: 0(s) spid=992 seq=8 pid=14415 refcnt=1 192.168.10.0/24[any] 192.168.100.0/24[any] any out ipsec esp/tunnel/162.xxx.xxx.90-182.xxx.xxx.130/unique#16385 created: May 25 14:19:10 2005 lastused: May 25 15:42:21 2005 lifetime: 0(s) validtime: 0(s) spid=1009 seq=7 pid=14415 refcnt=2 192.168.100.0/24[any] 192.168.10.0/24[any] any -----> 192.168.100.0/24 is the cisco private network, is this correct? fwd ipsec esp/tunnel/182.xxx.xxx.130-162.xxx.xxx.90/unique#16385 created: May 25 14:19:10 2005 lastused: lifetime: 0(s) validtime: 0(s) spid=1002 seq=6 pid=14415 refcnt=1 0.0.0.0/0[any] 0.0.0.0/0[any] any in none created: May 25 14:18:40 2005 lastused: lifetime: 0(s) validtime: 0(s) spid=979 seq=5 pid=14415 refcnt=1 0.0.0.0/0[any] 0.0.0.0/0[any] any in none created: May 25 14:18:40 2005 lastused: May 25 15:18:31 2005 lifetime: 0(s) validtime: 0(s) spid=963 seq=4 pid=14415 refcnt=1 0.0.0.0/0[any] 0.0.0.0/0[any] any in none created: May 25 14:18:40 2005 lastused: lifetime: 0(s) validtime: 0(s) spid=947 seq=3 pid=14415 refcnt=1 0.0.0.0/0[any] 0.0.0.0/0[any] any out none created: May 25 14:18:40 2005 lastused: lifetime: 0(s) validtime: 0(s) spid=988 seq=2 pid=14415 refcnt=1 0.0.0.0/0[any] 0.0.0.0/0[any] any out none created: May 25 14:18:40 2005 lastused: May 25 15:18:33 2005 lifetime: 0(s) validtime: 0(s) spid=972 seq=1 pid=14415 refcnt=1 0.0.0.0/0[any] 0.0.0.0/0[any] any out none created: May 25 14:18:40 2005 lastused: lifetime: 0(s) validtime: 0(s) spid=956 seq=0 pid=14415 refcnt=1 if I issue the route command I get 192.168.100.0 * 255.255.255.0 U 0 0 0 eth0 192.168.100.0 ip-pub. 255.255.255.0 UG 0 0 0 eth0 192.168.10.0 * 255.255.255.0 U 0 0 0 eth1 where eth1 is 192.168.10.3 and eth0 is ip-pub. = 162.xxx.xxx.90. ipsec auto status: "milan" esp.f02a7d60@xxxxxxxxxxxxxxx esp.f8d6586b@xxxxxxxxxxxxxx tun.0@xxxxxxxxxxxxxxx tun.0@xxxxxxxxxxxxxx It looks to me that the vpn is estabilished, but still cannot ping from one end to the other.... ping 192.168.100.26 -l 192.168.10.3 or even ping from another linuxbox that's actually natted behind this machine (and can see the web). Any suggestion on where to look for troubleshooting will be very appreciated, have a nice day. Simone On Tue, 2005-05-24 at 17:07, Peter Farrow wrote: > Hi there, > > the "RESTRICT..." is one of my own iptables rules, which is called from > the INPUT and FORWARD chains which provides a nice convenient point to > add it all in in one go. > > You should see routes like this if your tunnels are up > > 192.168.12.0 ch-rtr.farrows. 255.255.255.0 UG 0 0 0 > ipsec0 > > issue the route command and see what you get > > Don't worry about having long conversations about this: its tricky if > you have not done it before and I will help as long as it takes > > Pete > > > Simone wrote: > > > Here again, I don't think I understand what > > "RESTRICT_EXTERNAL_CONNECTIONS" means. I think I enabled the firewall > > to accept anything that comes from the external pix IP, the pix > > gateway IP and the cisco internal lan, so to be sure it is not dropped > > (not really a iptables guru so I could be wrong). Some strange > > behaviour include tha fact I can ping from linux to cisco on the > > public IP but not vice versa, while from another site I can ping the > > public linux box ip (so it looks like it is not dropped by the > > firewall config). > > I am sorry if this is going far too long. Something that's not clear > > to me is if a device called ipsec0 or whatever I call the connection, > > should show up somewhere and if a route should be provided to reach > > the cisco internal network from the linux internal network. Anything > > could help to figure this out? Firewall rules? > > > > Thanks, have a nice day > > > > Peter Farrow wrote: > > > >> If your seeing the communication like this its not being dumped or > >> dropped by your firewall, you could add an accept rule for all > >> protocols from the far end Ips at each site, just for debugging > >> purposes and to rule out the firewall itself.. > >> > >> This is almost there now, make sure that you have lines like this in > >> your firewall: > >> > >> $IPTABLES -A RESTRICT_EXTERNAL_CONNECTIONS -m state --state > >> ESTABLISHED,RELATED -j ACCEPT > >> $IPTABLES -A RESTRICT_EXTERNAL_CONNECTIONS -m state --state NEW > >> --in-interface ! $EXT_IFACE -j ACCEPT > >> > >> $IPTABLES -A INPUT -j RESTRICT_EXTERNAL_CONNECTIONS > >> $IPTABLES -A FORWARD -j RESTRICT_EXTERNAL_CONNECTIONS > >> > >> Notice I accept all new interfaces on anything that's not the > >> external network card, this automatically includes lo, internet > >> ethernet and all ipsec interfaces you will of course need to change > >> these to suit your firewall config.... > >> > >> Becareful (dont use it unmodified) using a rule like this if you have > >> more than one external [untrusted] interface.... > >> > >> > >> P. > >> > >> > >> simone wrote: > >> > >>> Hi there. Installed openswan, and followed the instructions :) . It > >>> looks like tunnel is estabilished now: > >>> > >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: initiating Main > >>> Mode > >>> May 24 14:19:33 fbctestvpn pluto[7063]: | no IKE algorithms for this > >>> connection ---> is this bad.... > >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: transition from > >>> state STATE_MAIN_I1 to state STATE_MAIN_I2 > >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received Vendor ID > >>> payload [XAUTH] > >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received Vendor ID > >>> payload [Dead Peer Detection] > >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received Vendor ID > >>> payload [Cisco-Unity] > >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: ignoring unknown > >>> Vendor ID payload [xxxxxxxxxxxxxxxxxxxxxxx] > >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: I did not send a > >>> certificate because I do not have one. > >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: transition from > >>> state STATE_MAIN_I2 to state STATE_MAIN_I3 > >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: Main mode peer > >>> ID is > >>> ID_IPV4_ADDR: 'xxx.xxx.xxx.130' --> this being the external ip of the > >>> cisco pix 525 > >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: transition from > >>> state STATE_MAIN_I3 to state STATE_MAIN_I4 > >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: ISAKMP SA > >>> established > >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: initiating Quick > >>> Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1} > >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: ignoring > >>> informational payload, type IPSEC_INITIAL_CONTACT > >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received and > >>> ignored > >>> informational message > >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: ignoring > >>> informational payload, type IPSEC_RESPONDER_LIFETIME > >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: transition from > >>> state STATE_QUICK_I1 to state STATE_QUICK_I2 > >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: sent QI2, IPsec SA > >>> established {ESP=>0x6xxx23f <0x07xxxx7} > >>> > >>> 000 "milan": > >>> 192.168.10.0/24===xxx.xxx.xxx.90---xxx.xxx.xxx.65...xxx.xxx.xxx.129---xxx.xxx.xxx.130===192.168.100.0/24; > >>> unrouted; eroute owner: #0 > >>> > >>> 192.168.10.3 internal linux box ip (and default gateway for the natted > >>> workstations) > >>> 192.168.100.2 internal cisco pix ip (and default gateway for the natted > >>> workstations) > >>> > >>> conn milan left=xxx.xxx.xxx.90 > >>> public ip linux box leftnexthop=xxx.xxx.xxx.65 > >>> default gateway linux leftsubnet=192.168.10.0/24 > >>> right=xxx.xxx.xxx.130 public ip cisco > >>> rightsubnet=192.168.100.0/24 network behind cisco > >>> rightnexthop=xxx.xxx.xxx.129 default gateway cisco > >>> authby=secret > >>> pfs=no auto=add > >>> esp=3des-md5-96 > >>> The firewall on the linuxbox is natting the 192.168.10.x network and > >>> accepting anything coming from 192.168.100.x, I added udp port 500 to > >>> INPUT and OUTPUT chains in iptables, but still cannot ping (even from > >>> other workstations) or reach a web page on the other network. Anything > >>> else I am missing or should be looking for? > >>> > >>> > >>>> Remember you will need to allow the ipsec interface in your firewall > >>>> > >>> > >>> How do I do this? > >>> Thanks for all your help, really appreciate this. > >>> Simone > >>> > >>> > >>> > >>> > >>> On Tue, 2005-05-24 at 01:35, Peter Farrow wrote: > >>> > >>> > >>>> Hi there, yes it was with a Nortel contivity on a few occassions and > >>>> the other times with a Cisco pix. interstingly enough the Cisco VPNs > >>>> often required updates to the IOS to make them 3Des compliant, > >>>> As its late here in the UK (past midnight GMT+1) here is a very quick > >>>> and dirty freeswan guide. > >>>> > >>>> Needless to say the things that cause the biggest headache for most > >>>> users is the use of RSA keys and opportunistic encryption. Since this > >>>> is NOT what 99.9% of the masses need or want then there is a quick and > >>>> simple and just as secure alternative setup, but its not that well > >>>> documented. Opportunistic encryption came in versions 2 and above of > >>>> freeswan by default, this has the effect of clobbering the network > >>>> default route and replacing it down the ipsec interface (what you want > >>>> if you want to encrypt everything, but not really any great use in the > >>>> real world). Most people want to do site <-> site vpns and these are > >>>> best achieved without opportunistic encryption and by the use of > >>>> preshared keys. > >>>> > >>>> 1)Make sure you get a version of freeswan suitable for your kernel, if > >>>> you can't find one go to somewhere like rpms.pbone.net and find a > >>>> kernel for which there is a freeswan version. Many people try and > >>>> hunt a freeswan version to match their kernel, I do it the otherway > >>>> round, find the latest freeswan compatible kernel you can for your > >>>> architecture, you can always compile it from source but why my life > >>>> harder for yourself. > >>>> 2)get the freeswan module for the kernel you found, and the same > >>>> freeswan-userland version as well. then proceed as follows: after you > >>>> have installed the [from rpm] > >>>> > >>>> > >>>> Typically to kill opportunistic encryption add these lines to your > >>>> ipsec.conf file: after the config setup section near the top, > >>>> > >>>> conn block > >>>> auto=ignore > >>>> > >>>> conn private > >>>> auto=ignore > >>>> > >>>> conn private-or-clear > >>>> auto=ignore > >>>> > >>>> conn clear-or-private > >>>> auto=ignore > >>>> > >>>> conn clear > >>>> auto=ignore > >>>> > >>>> conn packetdefault > >>>> auto=ignore > >>>> > >>>> Doing this stops all the crap you get when ipsec starts and then kicks > >>>> you off the system about 60 seconds later if you're connected remotely > >>>> as this kills the opportunistic setup feature. Do the same at the > >>>> other end as well. > >>>> Then start the service. > >>>> > >>>> Then add a section for each tunnel you want to set up. if you have > >>>> multiple subnets at each site which can't be encapsulated in a single > >>>> subnet declaration, you will need to add a new tunnel defintion for > >>>> each. Here is an example : > >>>> > >>>> conn site1-site2 #this is the connection name > >>>> [tunnel] identifier > >>>> left=21.21.100.10 #This is the ip address of the > >>>> first linux box > >>>> leftnexthop=21.21.100.9 #This is usually set to the > >>>> defualt gateway for the first linux box > >>>> leftsubnet=10.11.2.0/24 #This is the LAN subnet behind > >>>> the first linux box > >>>> right=21.21.100.178 #This is the IP address of the > >>>> second linux box at the other end of the tunnel > >>>> rightsubnet=10.11.4.0/24 #This is the LAN subnet behind > >>>> the second linux box > >>>> rightnexthop=21.21.100.177 #This is the IP address of the > >>>> default gateway setting of the other linux box > >>>> authby=secret #We are going to use a > >>>> "password" or secret to encrypt/auth the link > >>>> pfs=no #Turn off perfect forward > >>>> security, this makes it faster and easier but less secure > >>>> auto=add #Authorise but don't start > >>>> esp=3des-md5-96 #encapsulating security payload > >>>> setting, encryption used for auth and data > >>>> > >>>> > >>>> Now cut and paste this and add it to the ipsec.conf file on the second > >>>> machine completely as is, unmodified. > >>>> > >>>> Then in you /etc/ipsec.secrets file on each machine you will need to > >>>> add a password [secret] for each each of the tunnels you have > >>>> specified, in the above example we would have: > >>>> > >>>> 21.21.100.10 21.21.100.178 : PSK "a-passwordin-here-with-the-quotes" > >>>> > >>>> Add this to the very top of the ipsec secrets file, one entry for each > >>>> pair of machines in this format > >>>> > >>>> leftmachineip rightmachineip : PSK "password" > >>>> > >>>> Then do a service ipsec restart on each machine, bring the link up > >>>> with this command, it only needs to be invoked from either one of the > >>>> ends > >>>> > >>>> ipsec auto --up site1-site2 > >>>> > >>>> You should get output like this if you did it right: > >>>> ipsec auto --up site1-site2 > >>>> 104 "site1-site2" #2086: STATE_MAIN_I1: initiate > >>>> 106 "site1-site2" #2086: STATE_MAIN_I2: sent MI2, expecting MR2 > >>>> 108 "site1-site2" #2086: STATE_MAIN_I3: sent MI3, expecting MR3 > >>>> 004 "site1-site2" #2086: STATE_MAIN_I4: ISAKMP SA established > >>>> 112 "site1-site2" #2087: STATE_QUICK_I1: initiate > >>>> 004 "site1-site2" #2087: STATE_QUICK_I2: sent QI2, IPsec SA > >>>> established > >>>> > >>>> Remember you will need to allow the ipsec interface in your firewall > >>>> and you will need to add lines like this: > >>>> > >>>> # Accept udp connections to port 500 for ipsec > >>>> $IPTABLES -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT > >>>> $IPTABLES -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT > >>>> > >>>> This is just about the quickest way to set up a VPN tunnel with > >>>> Freeswan, it takes minutes. If you want to make if more secure, you > >>>> can tune the config once you get it running this way! > >>>> > >>>> Remember the only machines that can't see the full extent of the other > >>>> LAN network are the linux boxes creating the tunnel. So the left > >>>> linux box will not be able to ping stuff on 10.11.4.0/24 network and > >>>> the right linux box will not be able to ping stuff on 10.11.2.0/24 > >>>> network - don't forget this.... its commonly mistaken by some to mean > >>>> the tunnel isn't working, to truly test it end to end you need hosts > >>>> on the LANs at each end to ping each other. > >>>> > >>>> If you want to make it work through NATing gateways you will need to > >>>> port forward the udp 500 setting above on your firewall. > >>>> > >>>> Enjoy! > >>>> > >>>> Pete > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> Kennedy Clark wrote: > >>>> > >>>> > >>>>> Any chance of getting a quick HOW-TO posted to the group for that? > >>>>> ;-) Sounds interesting. > >>>>> > >>>>> I saw your post about using it with Cisco & Nortel equipment -- I > >>>>> work > >>>>> with both a lot at my current customer. What types of equipment have > >>>>> you used it with from both vendors (e.g., Cisco: IOS, PIX, VPN3K; > >>>>> Nortel = Contivity)? > >>>>> > >>>>> Thanks!! > >>>>> Kennedy > >>>>> > >>>>> > >>>> > >>>> ______________________________________________________________________ > >>>> _______________________________________________ > >>>> CentOS mailing list > >>>> CentOS@xxxxxxxxxx > >>>> http://lists.centos.org/mailman/listinfo/centos > >>>> > >>> > >>> > >>> > >>> > >>> -- > >>> Email.it, the professional e-mail, gratis per te: http://www.email.it/f > >>> > >>> Sponsor: > >>> Bisogno di liquidità ? Non devi spiegare per cosa. Fino a 4.000 â?¬ a > >>> casa tua > >>> Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=2291&d=24-5 > >>> _______________________________________________ > >>> CentOS mailing list > >>> CentOS@xxxxxxxxxx > >>> http://lists.centos.org/mailman/listinfo/centos > >>> > >>> > >> ------------------------------------------------------------------------ > >> > >> _______________________________________________ > >> CentOS mailing list > >> CentOS@xxxxxxxxxx > >> http://lists.centos.org/mailman/listinfo/centos > >> > >> > > _______________________________________________ > > CentOS mailing list > > CentOS@xxxxxxxxxx > > http://lists.centos.org/mailman/listinfo/centos > > _______________________________________________ > CentOS mailing list > CentOS@xxxxxxxxxx > http://lists.centos.org/mailman/listinfo/centos -- Email.it, the professional e-mail, gratis per te: http://www.email.it/f Sponsor: Vuoi ricevere gratuitamente, ogni giorno, un trucco per imparare a smanettare con il tuo PC? * Iscriviti ad Untruccoalgiorno, è GRATIS, è per tutti! Clicca qui Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=3413&d=25-5