VPN from a redhat 9 using free s/wan problem

[administrator <administrator@xxxxxxxxxxxxxxxxxxxx>]

hello i am trying to establish this vpn between a redhat 9 linux server 
that serves NAT for computers on a LAN

to a

Cisco 2600

a complete diagram is provided to show network topology at 
http://213.131.75.130/vpn.jpg
users on network 10.0.0.0 need to user services on servers 
192.168.0.1,200.... , and 172.....
so we need to establish a tunnel from the linux server here using 
freeswan to the cisco
on our linux server a static route for these ips to route traffic for 
the remote servers thru the tunnel

i hope i am clear on this

i have tried to put what i could here

please check my configs , concept and correct me .
administrator@xxxxxxxxxxxxxxxxxxxx


[root@apogee root]# uname -a
Linux apogee.integrated-group.com 2.4.20-20.9 #1 Mon Aug 18 11:45:58 EDT 
2003 i686 i686 i386 GNU/Linux

[root@apogee root]# rpm -qa | grep freeswan
freeswan-module-2.04_2.4.20_20.9-0
freeswan-userland-2.04_2.4.20_20.9-0


[root@apogee root]# service ipsec start
ipsec_setup: Starting FreeS/WAN IPsec 2.04...
ipsec_setup: Using /lib/modules/2.4.20-20.9/kernel/net/ipsec/ipsec.o
[root@apogee root]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                         [OK]
Linux FreeS/WAN 2.04
Checking for KLIPS support in kernel                                    [OK]
Checking for RSA private key (/etc/ipsec.secrets)                       [OK]
Checking that pluto is running                                          [OK]
Two or more interfaces found, checking IP forwarding                    [OK]
Checking NAT and MASQUERADEing

Opportunistic Encryption DNS checks:
Looking for TXT in forward map: apogee.integrated-group.com             
[MISSING]
Does the machine have at least one non-private address?                 [OK]
Looking for TXT in reverse map: 130.75.132.213.in-addr.arpa.        
[MISSING]


Dec  8 07:07:59 apogee ipsec_setup: Starting FreeS/WAN IPsec 2.04...
Dec  8 07:07:59 apogee ipsec_setup: Starting FreeS/WAN IPsec 2.04...
Dec  8 07:08:02 apogee ipsec_setup: Using 
/lib/modules/2.4.20-20.9/kernel/net/ipsec/ipsec.o
Dec  8 07:08:02 apogee ipsec_setup: Using 
/lib/modules/2.4.20-20.9/kernel/net/ipsec/ipsec.o
Dec  8 07:08:02 apogee kernel: klips_info:ipsec_init: KLIPS startup, 
FreeS/WAN IPSec version: 2.04
Dec  8 07:08:02 apogee kernel: klips_info:ipsec_init: KLIPS startup, 
FreeS/WAN IPSec version: 2.04
Dec  8 07:08:02 apogee kernel: divert: not allocating divert_blk for 
non-ethernet device ipsec0
Dec  8 07:08:02 apogee kernel: divert: not allocating divert_blk for 
non-ethernet device ipsec1
Dec  8 07:08:02 apogee kernel: divert: not allocating divert_blk for 
non-ethernet device ipsec2
Dec  8 07:08:02 apogee kernel: divert: not allocating divert_blk for 
non-ethernet device ipsec3
Dec  8 07:08:02 apogee ipsec_setup: KLIPS debug `none'
Dec  8 07:08:02 apogee ipsec_setup: KLIPS debug `none'
Dec  8 07:08:02 apogee /etc/hotplug/net.agent: invoke ifup ipsec0
Dec  8 07:08:02 apogee /etc/hotplug/net.agent: invoke ifup ipsec0
Dec  8 07:08:02 apogee /etc/hotplug/net.agent: invoke ifup ipsec3
Dec  8 07:08:02 apogee /etc/hotplug/net.agent: invoke ifup ipsec3
Dec  8 07:08:02 apogee /etc/hotplug/net.agent: invoke ifup ipsec2
Dec  8 07:08:02 apogee /etc/hotplug/net.agent: invoke ifup ipsec2
Dec  8 07:08:02 apogee /etc/hotplug/net.agent: invoke ifup ipsec1
Dec  8 07:08:02 apogee /etc/hotplug/net.agent: invoke ifup ipsec1
Dec  8 07:08:03 apogee kernel:
Dec  8 07:08:03 apogee kernel:
Dec  8 07:08:03 apogee ipsec_setup: KLIPS ipsec0 on eth0 
213.132.75.130/255.255.255.0 broadcast 213.132.75.255
Dec  8 07:08:03 apogee ipsec_setup: KLIPS ipsec0 on eth0 
213.132.75.130/255.255.255.0 broadcast 213.132.75.255
Dec  8 07:08:04 apogee ipsec__plutorun: Starting Pluto subsystem...
Dec  8 07:08:04 apogee ipsec_setup: ...FreeS/WAN IPsec started
Dec  8 07:08:04 apogee ipsec_setup: ...FreeS/WAN IPsec started
Dec  8 07:08:04 apogee pluto[3763]: Starting Pluto (FreeS/WAN Version 
2.04 PLUTO_USES_KEYRR)
Dec  8 07:08:04 apogee pluto[3763]: Using KLIPS IPsec interface code
Dec  8 07:08:04 apogee pluto[3763]: added connection description 
"packetdefault"
Dec  8 07:08:04 apogee ipsec__plutorun: ipsec_auto: fatal error in 
"cisco": (/etc/ipsec.conf, line 50) duplicated
parameter "keyingtries"
Dec  8 07:08:04 apogee ipsec__plutorun: ipsec_auto: fatal error in 
"cisco": (/etc/ipsec.conf, line 50) duplicated
parameter "keyingtries"
Dec  8 07:08:04 apogee ipsec__plutorun: ...could not add conn "cisco"
Dec  8 07:08:04 apogee ipsec__plutorun: ...could not add conn "cisco"
Dec  8 07:08:04 apogee pluto[3763]: added connection description "block"
Dec  8 07:08:04 apogee pluto[3763]: added connection description 
"clear-or-private"
Dec  8 07:08:04 apogee pluto[3763]: added connection description "clear"
Dec  8 07:08:04 apogee pluto[3763]: added connection description 
"private-or-clear"
Dec  8 07:08:05 apogee pluto[3763]: added connection description "private"
Dec  8 07:08:05 apogee pluto[3763]: listening for IKE messages
Dec  8 07:08:05 apogee pluto[3763]: adding interface ipsec0/eth0 
213.132.75.130
Dec  8 07:08:15 apogee pluto[3763]: loading secrets from 
"/etc/ipsec.secrets"
Dec  8 07:08:15 apogee pluto[3763]: loading group 
"/etc/ipsec.d/policies/private"
Dec  8 07:08:15 apogee pluto[3763]: loading group 
"/etc/ipsec.d/policies/private-or-clear"
Dec  8 07:08:15 apogee pluto[3763]: loading group 
"/etc/ipsec.d/policies/clear"
Dec  8 07:08:15 apogee pluto[3763]: loading group 
"/etc/ipsec.d/policies/clear-or-private"
Dec  8 07:08:15 apogee pluto[3763]: loading group 
"/etc/ipsec.d/policies/block"
Dec  8 07:08:15 apogee ipsec__plutorun: 021 no connection named "cisco"
Dec  8 07:08:15 apogee ipsec__plutorun: 021 no connection named "cisco"
Dec  8 07:08:15 apogee ipsec__plutorun: ...could not route conn "cisco"
Dec  8 07:08:15 apogee ipsec__plutorun: ...could not route conn "cisco"
Dec  8 07:08:16 apogee ipsec__plutorun: 021 no connection named "cisco"
Dec  8 07:08:16 apogee ipsec__plutorun: 021 no connection named "cisco"
Dec  8 07:08:16 apogee ipsec__plutorun: ...could not start conn "cisco"
Dec  8 07:08:16 apogee ipsec__plutorun: ...could not start conn "cisco"
Dec  8 07:08:36 apogee pluto[3763]: can not use our IP 
(213.132.75.130:TXT) as identity: no TXT RR found for us
Dec  8 07:08:55 apogee xinetd[2146]: START: pop3 pid=3979 
from=213.132.75.130
Dec  8 07:08:56 apogee pluto[3763]: can not use our hostname 
(@apogee.integrated-group.com:TXT) as identity: no TXT RR
found for us
Dec  8 07:07:59 apogee ipsec_setup: Starting FreeS/WAN IPsec 2.04...
Dec  8 07:07:59 apogee ipsec_setup: Starting FreeS/WAN IPsec 2.04...
Dec  8 07:08:02 apogee ipsec_setup: Using 
/lib/modules/2.4.20-20.9/kernel/net/ipsec/ipsec.o
Dec  8 07:08:02 apogee ipsec_setup: Using 
/lib/modules/2.4.20-20.9/kernel/net/ipsec/ipsec.o
Dec  8 07:08:02 apogee kernel: klips_info:ipsec_init: KLIPS startup, 
FreeS/WAN IPSec version: 2.04
Dec  8 07:08:02 apogee kernel: klips_info:ipsec_init: KLIPS startup, 
FreeS/WAN IPSec version: 2.04
Dec  8 07:08:02 apogee kernel: divert: not allocating divert_blk for 
non-ethernet device ipsec0
Dec  8 07:08:02 apogee kernel: divert: not allocating divert_blk for 
non-ethernet device ipsec1
Dec  8 07:08:02 apogee kernel: divert: not allocating divert_blk for 
non-ethernet device ipsec2
Dec  8 07:08:02 apogee kernel: divert: not allocating divert_blk for 
non-ethernet device ipsec3
Dec  8 07:08:02 apogee ipsec_setup: KLIPS debug `none'
Dec  8 07:08:02 apogee ipsec_setup: KLIPS debug `none'
Dec  8 07:08:02 apogee /etc/hotplug/net.agent: invoke ifup ipsec0
Dec  8 07:08:02 apogee /etc/hotplug/net.agent: invoke ifup ipsec0
Dec  8 07:08:02 apogee /etc/hotplug/net.agent: invoke ifup ipsec3
Dec  8 07:08:02 apogee /etc/hotplug/net.agent: invoke ifup ipsec3
Dec  8 07:08:02 apogee /etc/hotplug/net.agent: invoke ifup ipsec2
Dec  8 07:08:02 apogee /etc/hotplug/net.agent: invoke ifup ipsec2
Dec  8 07:08:02 apogee /etc/hotplug/net.agent: invoke ifup ipsec1
Dec  8 07:08:02 apogee /etc/hotplug/net.agent: invoke ifup ipsec1
Dec  8 07:08:03 apogee kernel:
Dec  8 07:08:03 apogee kernel:
Dec  8 07:08:03 apogee ipsec_setup: KLIPS ipsec0 on eth0 
213.132.75.130/255.255.255.0 broadcast 213.132.75.255
Dec  8 07:08:03 apogee ipsec_setup: KLIPS ipsec0 on eth0 
213.132.75.130/255.255.255.0 broadcast 213.132.75.255
Dec  8 07:08:04 apogee ipsec__plutorun: Starting Pluto subsystem...
Dec  8 07:08:04 apogee ipsec_setup: ...FreeS/WAN IPsec started
Dec  8 07:08:04 apogee ipsec_setup: ...FreeS/WAN IPsec started
Dec  8 07:08:04 apogee pluto[3763]: Starting Pluto (FreeS/WAN Version 
2.04 PLUTO_USES_KEYRR)
Dec  8 07:08:04 apogee pluto[3763]: Using KLIPS IPsec interface code
Dec  8 07:08:04 apogee pluto[3763]: added connection description 
"packetdefault"
Dec  8 07:08:04 apogee ipsec__plutorun: ipsec_auto: fatal error in 
"cisco": (/etc/ipsec.conf, line 50) duplicated
parameter "keyingtries"
Dec  8 07:08:04 apogee ipsec__plutorun: ipsec_auto: fatal error in 
"cisco": (/etc/ipsec.conf, line 50) duplicated
parameter "keyingtries"
Dec  8 07:08:04 apogee ipsec__plutorun: ...could not add conn "cisco"
Dec  8 07:08:04 apogee ipsec__plutorun: ...could not add conn "cisco"
Dec  8 07:08:04 apogee pluto[3763]: added connection description "block"
Dec  8 07:08:04 apogee pluto[3763]: added connection description 
"clear-or-private"
Dec  8 07:08:04 apogee pluto[3763]: added connection description "clear"
Dec  8 07:08:04 apogee pluto[3763]: added connection description 
"private-or-clear"
Dec  8 07:08:05 apogee pluto[3763]: added connection description "private"
Dec  8 07:08:05 apogee pluto[3763]: listening for IKE messages
Dec  8 07:08:05 apogee pluto[3763]: adding interface ipsec0/eth0 
213.132.75.130
Dec  8 07:08:15 apogee pluto[3763]: loading secrets from 
"/etc/ipsec.secrets"
Dec  8 07:08:15 apogee pluto[3763]: loading group 
"/etc/ipsec.d/policies/private"
Dec  8 07:08:15 apogee pluto[3763]: loading group 
"/etc/ipsec.d/policies/private-or-clear"
Dec  8 07:08:15 apogee pluto[3763]: loading group 
"/etc/ipsec.d/policies/clear"
Dec  8 07:08:15 apogee pluto[3763]: loading group 
"/etc/ipsec.d/policies/clear-or-private"
Dec  8 07:08:15 apogee pluto[3763]: loading group 
"/etc/ipsec.d/policies/block"
Dec  8 07:08:15 apogee ipsec__plutorun: 021 no connection named "cisco"
Dec  8 07:08:15 apogee ipsec__plutorun: 021 no connection named "cisco"
Dec  8 07:08:15 apogee ipsec__plutorun: ...could not route conn "cisco"
Dec  8 07:08:15 apogee ipsec__plutorun: ...could not route conn "cisco"
Dec  8 07:08:16 apogee ipsec__plutorun: 021 no connection named "cisco"
Dec  8 07:08:16 apogee ipsec__plutorun: 021 no connection named "cisco"
Dec  8 07:08:16 apogee ipsec__plutorun: ...could not start conn "cisco"
Dec  8 07:08:16 apogee ipsec__plutorun: ...could not start conn "cisco"
Dec  8 07:08:36 apogee pluto[3763]: can not use our IP 
(213.132.75.130:TXT) as identity: no TXT RR found for us
Dec  8 07:08:55 apogee xinetd[2146]: START: pop3 pid=3979 
from=213.132.75.130
Dec  8 07:08:56 apogee pluto[3763]: can not use our hostname 
(@apogee.integrated-group.com:TXT) as identity: no TXT RR
found for us




[root@apogee root]# ipsec barf


gave  nothing at all


[root@apogee root]# cat /etc/ipsec.conf
config setup
       # THIS SETTING MUST BE CORRECT or almost nothing will work;
       # %defaultroute is okay for most simple cases.
       interfaces=%defaultroute
       # Debug-logging controls:  "none" for (almost) none, "all" for lots.
       klipsdebug=none
       plutodebug=none
       # Use auto= parameters in conn descriptions to control startup 
actions.
       # Close down old connection when new one using same ID shows up.
       uniqueids=yes


conn cisco
       type=tunnel
       keyingtries=0
       authby=secret
       # Left security gateway, subnet behind it, next hop toward right.
       left=10.0.0.16
       leftnexthop=213.132.75.130
       leftsubnet=10.0.0.0/24
       # Right security gateway, subnet behind it, next hop toward left.
       right=213.132.64.249
       # rightnexthop=213.132.64.249
       rightsubnet=62.241.134.0/28
       keylife=8h
       auto=start
   # How persistent to be in (re)keying negotiations (0 means very).
       keyingtries=0
       esp=3des-md5-96
       # key lifetime (before automatic rekeying)
       keylife=8h



[root@apogee root]# pico /etc/ipsec.secrets

: RSA   {
       # RSA 2192 bits   apogee.integrated-group.com   Sat Dec  6 
00:38:26 2003
       # for signatures only, UNSAFE FOR ENCRYPTION
       
#pubkey=0sAQPgaOVjp4CndkvaBLxh/ScD973FKHbHmI0/BWPiJcm2y/c/RTYPRzp9ZBdrxN16P1KEXGX64Uu28i6LPGk7nbqr1QC9VfSwMLTfLaNtW$
       Modulus:
0xe068e563a780a7764bda04bc61fd2703f7bdc52876c7988d3f0563e225c9b6cbf73f45360f473a7d64176bc4dd7a3f52845c65fa$
       PublicExponent: 0x03
       # everything after this point is secret
       PrivateExponent:
0x2566d0e5f1401be90ca4561f65aa312b53f4f631692144178a80e5fb064c4921fe8a8b89028bdf14e603e74b7a3f0a8d$
       Prime1:
0xf433e0c7fb6f398ff53afdee6cbfce883e5e7c7c9e1470093f686d14ee104675bfb0b10debdc0ec7c50c29ea1ae31a687264c9052$
       Prime2:
0xeb403bd5c6e5025292faf60929d6a4fb65aefb219b8515ac4503319865b3764b4ba7c2b7d61c5d544dae095ae4dd5c30f40975749$
       Exponent1:
0xa2cd4085524a265ff8d1fe9ef32a89b0299452fdbeb84ab0d4f048b89eb5844e7fcb20b3f292b4852e081bf16742119af6eddb$
       Exponent2:
0x9cd57d392f4356e1b751f95b7139c35243c9fcc11258b91d8357766599224edcdd1a81cfe412e8e2de74063c989392cb4d5ba3$
       Coefficient:
0xe5328ceec18b1a34ad7101fa303dd5fa5b505ea704b1c1981095eeb2ff5bcd539933b83afb39843e37041f8be23196efb5d8$
       }
# do not change the indenting of that "}"
213.132.75.130 213.132.64.249: PSK "preshared-key"






--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list