Hi all, first of all I want to apologize for the very long email. This
is driving me crazy and in 4 days our current VPN will be dead.
Started over, reconfigured cisco pix following cisco vpn guide and
http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html
(differences in no-xauth no-config-mode, lifetime 28800 and
esp-md5-hmac). Modified rule in firewall, added
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.10.0/24 -d\!
192.168.100.0/24 -j MASQUERADE
not to nat packets going to 192.168.100.0 (am I right?), started ipsec
and connection on the linux box, public ip 162.x.x.90 private network
192.168.10.x this is the result of setkey -DP
192.168.100.0/24[any] 192.168.10.0/24[any] any
in ipsec
esp/tunnel/182.xxx.xxx.130-162.xxx.xxx.90/unique#16385
created: May 25 14:19:10 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=992 seq=8 pid=14415
refcnt=1
192.168.10.0/24[any] 192.168.100.0/24[any] any
out ipsec
esp/tunnel/162.xxx.xxx.90-182.xxx.xxx.130/unique#16385
created: May 25 14:19:10 2005 lastused: May 25 15:42:21 2005
lifetime: 0(s) validtime: 0(s)
spid=1009 seq=7 pid=14415
refcnt=2
192.168.100.0/24[any] 192.168.10.0/24[any] any -----> 192.168.100.0/24
is the cisco private network, is this correct?
fwd ipsec
esp/tunnel/182.xxx.xxx.130-162.xxx.xxx.90/unique#16385
created: May 25 14:19:10 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1002 seq=6 pid=14415
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: May 25 14:18:40 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=979 seq=5 pid=14415
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: May 25 14:18:40 2005 lastused: May 25 15:18:31 2005
lifetime: 0(s) validtime: 0(s)
spid=963 seq=4 pid=14415
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
in none
created: May 25 14:18:40 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=947 seq=3 pid=14415
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: May 25 14:18:40 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=988 seq=2 pid=14415
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: May 25 14:18:40 2005 lastused: May 25 15:18:33 2005
lifetime: 0(s) validtime: 0(s)
spid=972 seq=1 pid=14415
refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
out none
created: May 25 14:18:40 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=956 seq=0 pid=14415
refcnt=1
if I issue the route command I get
192.168.100.0 * 255.255.255.0 U 0 0 0 eth0
192.168.100.0 ip-pub. 255.255.255.0 UG 0 0 0 eth0
192.168.10.0 * 255.255.255.0 U 0 0 0
eth1
where eth1 is 192.168.10.3 and eth0 is ip-pub. = 162.xxx.xxx.90.
ipsec auto status:
"milan" esp.f02a7d60@xxxxxxxxxxxxxxx esp.f8d6586b@xxxxxxxxxxxxxx
tun.0@xxxxxxxxxxxxxxx tun.0@xxxxxxxxxxxxxx
It looks to me that the vpn is estabilished, but still cannot ping from
one end to the other....
ping 192.168.100.26 -l 192.168.10.3 or even ping from another linuxbox
that's actually natted behind this machine (and can see the web).
Any suggestion on where to look for troubleshooting will be very
appreciated, have a nice day.
Simone
On Tue, 2005-05-24 at 17:07, Peter Farrow wrote:
> Hi there,
>
> the "RESTRICT..." is one of my own iptables rules, which is called from
> the INPUT and FORWARD chains which provides a nice convenient point to
> add it all in in one go.
>
> You should see routes like this if your tunnels are up
>
> 192.168.12.0 ch-rtr.farrows. 255.255.255.0 UG 0 0 0
> ipsec0
>
> issue the route command and see what you get
>
> Don't worry about having long conversations about this: its tricky if
> you have not done it before and I will help as long as it takes
>
> Pete
>
>
> Simone wrote:
>
> > Here again, I don't think I understand what
> > "RESTRICT_EXTERNAL_CONNECTIONS" means. I think I enabled the firewall
> > to accept anything that comes from the external pix IP, the pix
> > gateway IP and the cisco internal lan, so to be sure it is not dropped
> > (not really a iptables guru so I could be wrong). Some strange
> > behaviour include tha fact I can ping from linux to cisco on the
> > public IP but not vice versa, while from another site I can ping the
> > public linux box ip (so it looks like it is not dropped by the
> > firewall config).
> > I am sorry if this is going far too long. Something that's not clear
> > to me is if a device called ipsec0 or whatever I call the connection,
> > should show up somewhere and if a route should be provided to reach
> > the cisco internal network from the linux internal network. Anything
> > could help to figure this out? Firewall rules?
> >
> > Thanks, have a nice day
> >
> > Peter Farrow wrote:
> >
> >> If your seeing the communication like this its not being dumped or
> >> dropped by your firewall, you could add an accept rule for all
> >> protocols from the far end Ips at each site, just for debugging
> >> purposes and to rule out the firewall itself..
> >>
> >> This is almost there now, make sure that you have lines like this in
> >> your firewall:
> >>
> >> $IPTABLES -A RESTRICT_EXTERNAL_CONNECTIONS -m state --state
> >> ESTABLISHED,RELATED -j ACCEPT
> >> $IPTABLES -A RESTRICT_EXTERNAL_CONNECTIONS -m state --state NEW
> >> --in-interface ! $EXT_IFACE -j ACCEPT
> >>
> >> $IPTABLES -A INPUT -j RESTRICT_EXTERNAL_CONNECTIONS
> >> $IPTABLES -A FORWARD -j RESTRICT_EXTERNAL_CONNECTIONS
> >>
> >> Notice I accept all new interfaces on anything that's not the
> >> external network card, this automatically includes lo, internet
> >> ethernet and all ipsec interfaces you will of course need to change
> >> these to suit your firewall config....
> >>
> >> Becareful (dont use it unmodified) using a rule like this if you have
> >> more than one external [untrusted] interface....
> >>
> >>
> >> P.
> >>
> >>
> >> simone wrote:
> >>
> >>> Hi there. Installed openswan, and followed the instructions :) . It
> >>> looks like tunnel is estabilished now:
> >>>
> >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: initiating Main
> >>> Mode
> >>> May 24 14:19:33 fbctestvpn pluto[7063]: | no IKE algorithms for this
> >>> connection ---> is this bad....
> >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: transition from
> >>> state STATE_MAIN_I1 to state STATE_MAIN_I2
> >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received Vendor ID
> >>> payload [XAUTH]
> >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received Vendor ID
> >>> payload [Dead Peer Detection]
> >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received Vendor ID
> >>> payload [Cisco-Unity]
> >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: ignoring unknown
> >>> Vendor ID payload [xxxxxxxxxxxxxxxxxxxxxxx]
> >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: I did not send a
> >>> certificate because I do not have one.
> >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: transition from
> >>> state STATE_MAIN_I2 to state STATE_MAIN_I3
> >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: Main mode peer
> >>> ID is
> >>> ID_IPV4_ADDR: 'xxx.xxx.xxx.130' --> this being the external ip of the
> >>> cisco pix 525
> >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: transition from
> >>> state STATE_MAIN_I3 to state STATE_MAIN_I4
> >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: ISAKMP SA
> >>> established
> >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: initiating Quick
> >>> Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
> >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: ignoring
> >>> informational payload, type IPSEC_INITIAL_CONTACT
> >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received and
> >>> ignored
> >>> informational message
> >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: ignoring
> >>> informational payload, type IPSEC_RESPONDER_LIFETIME
> >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: transition from
> >>> state STATE_QUICK_I1 to state STATE_QUICK_I2
> >>> May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: sent QI2, IPsec SA
> >>> established {ESP=>0x6xxx23f <0x07xxxx7}
> >>>
> >>> 000 "milan":
> >>> 192.168.10.0/24===xxx.xxx.xxx.90---xxx.xxx.xxx.65...xxx.xxx.xxx.129---xxx.xxx.xxx.130===192.168.100.0/24;
> >>> unrouted; eroute owner: #0
> >>>
> >>> 192.168.10.3 internal linux box ip (and default gateway for the natted
> >>> workstations)
> >>> 192.168.100.2 internal cisco pix ip (and default gateway for the natted
> >>> workstations)
> >>>
> >>> conn milan left=xxx.xxx.xxx.90
> >>> public ip linux box leftnexthop=xxx.xxx.xxx.65
> >>> default gateway linux leftsubnet=192.168.10.0/24
> >>> right=xxx.xxx.xxx.130 public ip cisco
> >>> rightsubnet=192.168.100.0/24 network behind cisco
> >>> rightnexthop=xxx.xxx.xxx.129 default gateway cisco
> >>> authby=secret
> >>> pfs=no auto=add
> >>> esp=3des-md5-96
> >>> The firewall on the linuxbox is natting the 192.168.10.x network and
> >>> accepting anything coming from 192.168.100.x, I added udp port 500 to
> >>> INPUT and OUTPUT chains in iptables, but still cannot ping (even from
> >>> other workstations) or reach a web page on the other network. Anything
> >>> else I am missing or should be looking for?
> >>>
> >>>
> >>>> Remember you will need to allow the ipsec interface in your firewall
> >>>>
> >>>
> >>> How do I do this?
> >>> Thanks for all your help, really appreciate this.
> >>> Simone
> >>>
> >>>
> >>>
> >>>
> >>> On Tue, 2005-05-24 at 01:35, Peter Farrow wrote:
> >>>
> >>>
> >>>> Hi there, yes it was with a Nortel contivity on a few occassions and
> >>>> the other times with a Cisco pix. interstingly enough the Cisco VPNs
> >>>> often required updates to the IOS to make them 3Des compliant,
> >>>> As its late here in the UK (past midnight GMT+1) here is a very quick
> >>>> and dirty freeswan guide.
> >>>>
> >>>> Needless to say the things that cause the biggest headache for most
> >>>> users is the use of RSA keys and opportunistic encryption. Since this
> >>>> is NOT what 99.9% of the masses need or want then there is a quick and
> >>>> simple and just as secure alternative setup, but its not that well
> >>>> documented. Opportunistic encryption came in versions 2 and above of
> >>>> freeswan by default, this has the effect of clobbering the network
> >>>> default route and replacing it down the ipsec interface (what you want
> >>>> if you want to encrypt everything, but not really any great use in the
> >>>> real world). Most people want to do site <-> site vpns and these are
> >>>> best achieved without opportunistic encryption and by the use of
> >>>> preshared keys.
> >>>>
> >>>> 1)Make sure you get a version of freeswan suitable for your kernel, if
> >>>> you can't find one go to somewhere like rpms.pbone.net and find a
> >>>> kernel for which there is a freeswan version. Many people try and
> >>>> hunt a freeswan version to match their kernel, I do it the otherway
> >>>> round, find the latest freeswan compatible kernel you can for your
> >>>> architecture, you can always compile it from source but why my life
> >>>> harder for yourself.
> >>>> 2)get the freeswan module for the kernel you found, and the same
> >>>> freeswan-userland version as well. then proceed as follows: after you
> >>>> have installed the [from rpm]
> >>>>
> >>>>
> >>>> Typically to kill opportunistic encryption add these lines to your
> >>>> ipsec.conf file: after the config setup section near the top,
> >>>>
> >>>> conn block
> >>>> auto=ignore
> >>>>
> >>>> conn private
> >>>> auto=ignore
> >>>>
> >>>> conn private-or-clear
> >>>> auto=ignore
> >>>>
> >>>> conn clear-or-private
> >>>> auto=ignore
> >>>>
> >>>> conn clear
> >>>> auto=ignore
> >>>>
> >>>> conn packetdefault
> >>>> auto=ignore
> >>>>
> >>>> Doing this stops all the crap you get when ipsec starts and then kicks
> >>>> you off the system about 60 seconds later if you're connected remotely
> >>>> as this kills the opportunistic setup feature. Do the same at the
> >>>> other end as well.
> >>>> Then start the service.
> >>>>
> >>>> Then add a section for each tunnel you want to set up. if you have
> >>>> multiple subnets at each site which can't be encapsulated in a single
> >>>> subnet declaration, you will need to add a new tunnel defintion for
> >>>> each. Here is an example :
> >>>>
> >>>> conn site1-site2 #this is the connection name
> >>>> [tunnel] identifier
> >>>> left=21.21.100.10 #This is the ip address of the
> >>>> first linux box
> >>>> leftnexthop=21.21.100.9 #This is usually set to the
> >>>> defualt gateway for the first linux box
> >>>> leftsubnet=10.11.2.0/24 #This is the LAN subnet behind
> >>>> the first linux box
> >>>> right=21.21.100.178 #This is the IP address of the
> >>>> second linux box at the other end of the tunnel
> >>>> rightsubnet=10.11.4.0/24 #This is the LAN subnet behind
> >>>> the second linux box
> >>>> rightnexthop=21.21.100.177 #This is the IP address of the
> >>>> default gateway setting of the other linux box
> >>>> authby=secret #We are going to use a
> >>>> "password" or secret to encrypt/auth the link
> >>>> pfs=no #Turn off perfect forward
> >>>> security, this makes it faster and easier but less secure
> >>>> auto=add #Authorise but don't start
> >>>> esp=3des-md5-96 #encapsulating security payload
> >>>> setting, encryption used for auth and data
> >>>>
> >>>>
> >>>> Now cut and paste this and add it to the ipsec.conf file on the second
> >>>> machine completely as is, unmodified.
> >>>>
> >>>> Then in you /etc/ipsec.secrets file on each machine you will need to
> >>>> add a password [secret] for each each of the tunnels you have
> >>>> specified, in the above example we would have:
> >>>>
> >>>> 21.21.100.10 21.21.100.178 : PSK "a-passwordin-here-with-the-quotes"
> >>>>
> >>>> Add this to the very top of the ipsec secrets file, one entry for each
> >>>> pair of machines in this format
> >>>>
> >>>> leftmachineip rightmachineip : PSK "password"
> >>>>
> >>>> Then do a service ipsec restart on each machine, bring the link up
> >>>> with this command, it only needs to be invoked from either one of the
> >>>> ends
> >>>>
> >>>> ipsec auto --up site1-site2
> >>>>
> >>>> You should get output like this if you did it right:
> >>>> ipsec auto --up site1-site2
> >>>> 104 "site1-site2" #2086: STATE_MAIN_I1: initiate
> >>>> 106 "site1-site2" #2086: STATE_MAIN_I2: sent MI2, expecting MR2
> >>>> 108 "site1-site2" #2086: STATE_MAIN_I3: sent MI3, expecting MR3
> >>>> 004 "site1-site2" #2086: STATE_MAIN_I4: ISAKMP SA established
> >>>> 112 "site1-site2" #2087: STATE_QUICK_I1: initiate
> >>>> 004 "site1-site2" #2087: STATE_QUICK_I2: sent QI2, IPsec SA
> >>>> established
> >>>>
> >>>> Remember you will need to allow the ipsec interface in your firewall
> >>>> and you will need to add lines like this:
> >>>>
> >>>> # Accept udp connections to port 500 for ipsec
> >>>> $IPTABLES -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
> >>>> $IPTABLES -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
> >>>>
> >>>> This is just about the quickest way to set up a VPN tunnel with
> >>>> Freeswan, it takes minutes. If you want to make if more secure, you
> >>>> can tune the config once you get it running this way!
> >>>>
> >>>> Remember the only machines that can't see the full extent of the other
> >>>> LAN network are the linux boxes creating the tunnel. So the left
> >>>> linux box will not be able to ping stuff on 10.11.4.0/24 network and
> >>>> the right linux box will not be able to ping stuff on 10.11.2.0/24
> >>>> network - don't forget this.... its commonly mistaken by some to mean
> >>>> the tunnel isn't working, to truly test it end to end you need hosts
> >>>> on the LANs at each end to ping each other.
> >>>>
> >>>> If you want to make it work through NATing gateways you will need to
> >>>> port forward the udp 500 setting above on your firewall.
> >>>>
> >>>> Enjoy!
> >>>>
> >>>> Pete
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> Kennedy Clark wrote:
> >>>>
> >>>>
> >>>>> Any chance of getting a quick HOW-TO posted to the group for that?
> >>>>> ;-) Sounds interesting.
> >>>>>
> >>>>> I saw your post about using it with Cisco & Nortel equipment -- I
> >>>>> work
> >>>>> with both a lot at my current customer. What types of equipment have
> >>>>> you used it with from both vendors (e.g., Cisco: IOS, PIX, VPN3K;
> >>>>> Nortel = Contivity)?
> >>>>>
> >>>>> Thanks!!
> >>>>> Kennedy
> >>>>>
> >>>>>
> >>>>
> >>>> ______________________________________________________________________
> >>>> _______________________________________________
> >>>> CentOS mailing list
> >>>> CentOS@xxxxxxxxxx
> >>>> http://lists.centos.org/mailman/listinfo/centos
> >>>>
> >>>
> >>>
> >>>
> >>>
> >>> --
> >>> Email.it, the professional e-mail, gratis per te: http://www.email.it/f
> >>>
> >>> Sponsor:
> >>> Bisogno di liquidità ? Non devi spiegare per cosa. Fino a 4.000 � a
> >>> casa tua
> >>> Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=2291&d=24-5
> >>> _______________________________________________
> >>> CentOS mailing list
> >>> CentOS@xxxxxxxxxx
> >>> http://lists.centos.org/mailman/listinfo/centos
> >>>
> >>>
> >> ------------------------------------------------------------------------
> >>
> >> _______________________________________________
> >> CentOS mailing list
> >> CentOS@xxxxxxxxxx
> >> http://lists.centos.org/mailman/listinfo/centos
> >>
> >>
> > _______________________________________________
> > CentOS mailing list
> > CentOS@xxxxxxxxxx
> > http://lists.centos.org/mailman/listinfo/centos
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
--
Email.it, the professional e-mail, gratis per te: http://www.email.it/f
Sponsor:
Vuoi ricevere gratuitamente, ogni giorno, un trucco per imparare a smanettare con il tuo PC?
* Iscriviti ad Untruccoalgiorno, è GRATIS, è per tutti! Clicca qui
Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=3413&d=25-5
