Re: VPN from a redhat 9 using free s/wan problem

[crucificator <crucificator@xxxxxxx>]

administrator wrote:

> thanks i did remove the duplication and now i get this .
>
> and why when i run freeswan all my connection drops i.e: internet goes 
> down , its like it takes over eth0 , here is my ipsec.conf
>
> please  view http://213.131.75.130/vpn.jpg  < network layout
>
>
> cat /etc/ipsec.conf
>
> config setup
>       # THIS SETTING MUST BE CORRECT or almost nothing will work;
>       # %defaultroute is okay for most simple cases.
>       interfaces=%defaultroute
>       # Debug-logging controls:  "none" for (almost) none, "all" for 
> lots.
>       klipsdebug=none
>       plutodebug=none
>       # Use auto= parameters in conn descriptions to control startup 
> actions.
>       # Close down old connection when new one using same ID shows up.
>
>
> conn cisco
>       type=tunnel
>       authby=secret
>       # Left security gateway, subnet behind it, next hop toward right.
>       left=10.0.0.16
>       leftnexthop=213.132.75.130
>       leftsubnet=10.0.0.0/24
>       # Right security gateway, subnet behind it, next hop toward left.
>       #right=213.131.64.250
>       rightnexthop=213.132.64.250
>       rightsubnet=62.241.134.0/28
>       pfs=no
>       keyexchange=ike
>       auto=start
>       # How persistent to be in (re)keying negotiations (0 means very).
>       esp=3des-md5-96
>       # key lifetime (before automatic rekeying)
>       pfs=no
>       keyexchange=ike
>
> #cat /etc/ipsec.sercrets
> 213.132.71.130 213.131.64.250: PSK "preshared-key"
>
>
>
> [root@apogee root]#
> #tail -f /var/log/messages
>
> Dec  9 14:02:19 apogee ipsec_setup: Starting FreeS/WAN IPsec 2.04...
> Dec  9 14:02:19 apogee ipsec_setup: Starting FreeS/WAN IPsec 2.04...
> Dec  9 14:02:19 apogee ipsec_setup: Using 
> /lib/modules/2.4.20-20.9/kernel/net/ipsec/ipsec.o
> Dec  9 14:02:19 apogee ipsec_setup: Using 
> /lib/modules/2.4.20-20.9/kernel/net/ipsec/ipsec.o
> Dec  9 14:02:19 apogee kernel: klips_info:ipsec_init: KLIPS startup, 
> FreeS/WAN IPSec version: 2.04
> Dec  9 14:02:19 apogee kernel: klips_info:ipsec_init: KLIPS startup, 
> FreeS/WAN IPSec version: 2.04
> Dec  9 14:02:19 apogee kernel: divert: not allocating divert_blk for 
> non-ethernet device ipsec0
> Dec  9 14:02:19 apogee kernel: divert: not allocating divert_blk for 
> non-ethernet device ipsec1
> Dec  9 14:02:19 apogee kernel: divert: not allocating divert_blk for 
> non-ethernet device ipsec2
> Dec  9 14:02:19 apogee kernel: divert: not allocating divert_blk for 
> non-ethernet device ipsec3
> Dec  9 14:02:19 apogee /etc/hotplug/net.agent: invoke ifup ipsec3
> Dec  9 14:02:19 apogee /etc/hotplug/net.agent: invoke ifup ipsec3
> Dec  9 14:02:19 apogee ipsec_setup: KLIPS debug `none'
> Dec  9 14:02:19 apogee ipsec_setup: KLIPS debug `none'
> Dec  9 14:02:19 apogee kernel:
> Dec  9 14:02:19 apogee kernel:
> Dec  9 14:02:20 apogee /etc/hotplug/net.agent: invoke ifup ipsec2
> Dec  9 14:02:20 apogee /etc/hotplug/net.agent: invoke ifup ipsec2
> Dec  9 14:02:20 apogee /etc/hotplug/net.agent: invoke ifup ipsec0
> Dec  9 14:02:20 apogee /etc/hotplug/net.agent: invoke ifup ipsec0
> Dec  9 14:02:20 apogee /etc/hotplug/net.agent: invoke ifup ipsec1
> Dec  9 14:02:20 apogee /etc/hotplug/net.agent: invoke ifup ipsec1
> Dec  9 14:02:20 apogee ipsec_setup: KLIPS ipsec0 on eth0 
> 213.132.75.130/255.255.255.0 broadcast 213.132.75.255
> Dec  9 14:02:20 apogee ipsec_setup: KLIPS ipsec0 on eth0 
> 213.132.75.130/255.255.255.0 broadcast 213.132.75.255
> Dec  9 14:02:20 apogee ipsec__plutorun: Starting Pluto subsystem...
> Dec  9 14:02:20 apogee pluto[14106]: Starting Pluto (FreeS/WAN Version 
> 2.04 PLUTO_USES_KEYRR)
> Dec  9 14:02:20 apogee pluto[14106]: Using KLIPS IPsec interface code
> Dec  9 14:02:20 apogee ipsec_setup: ...FreeS/WAN IPsec started
> Dec  9 14:02:20 apogee ipsec_setup: ...FreeS/WAN IPsec started
> Dec  9 14:02:20 apogee pluto[14106]: added connection description 
> "packetdefault"
> Dec  9 14:02:20 apogee pluto[14106]: added connection description "block"
> Dec  9 14:02:20 apogee pluto[14106]: added connection description 
> "clear-or-private"
> Dec  9 14:02:20 apogee pluto[14106]: added connection description "clear"
> Dec  9 14:02:21 apogee pluto[14106]: added connection description 
> "private-or-clear"
> Dec  9 14:02:21 apogee pluto[14106]: added connection description 
> "private"
> Dec  9 14:02:21 apogee pluto[14106]: listening for IKE messages
> Dec  9 14:02:21 apogee pluto[14106]: adding interface ipsec0/eth0 
> 213.132.75.130
> Dec  9 14:02:21 apogee pluto[14106]: loading secrets from 
> "/etc/ipsec.secrets"
> Dec  9 14:02:21 apogee pluto[14106]: loading group 
> "/etc/ipsec.d/policies/private"
> Dec  9 14:02:21 apogee pluto[14106]: loading group 
> "/etc/ipsec.d/policies/private-or-clear"
> Dec  9 14:02:21 apogee pluto[14106]: loading group 
> "/etc/ipsec.d/policies/clear"
> Dec  9 14:02:21 apogee pluto[14106]: loading group 
> "/etc/ipsec.d/policies/clear-or-private"
> Dec  9 14:02:21 apogee pluto[14106]: loading group 
> "/etc/ipsec.d/policies/block"
> Dec  9 14:02:21 apogee ipsec__plutorun: 021 no connection named "cisco"
> Dec  9 14:02:21 apogee ipsec__plutorun: 021 no connection named "cisco"
> Dec  9 14:02:21 apogee ipsec__plutorun: ...could not route conn "cisco"
> Dec  9 14:02:21 apogee ipsec__plutorun: ...could not route conn "cisco"
> Dec  9 14:02:21 apogee ipsec__plutorun: 021 no connection named "cisco"
> Dec  9 14:02:21 apogee ipsec__plutorun: 021 no connection named "cisco"
> Dec  9 14:02:21 apogee ipsec__plutorun: ...could not start conn "cisco"
> Dec  9 14:02:21 apogee ipsec__plutorun: ...could not start conn "cisco"
> Dec  9 14:02:43 apogee pluto[14106]: can not use our IP 
> (213.132.75.130:TXT) as identity: we don't know our own RSA key
> Dec  9 14:03:03 apogee pluto[14106]: can not use our hostname 
> (@apogee.integrated-group.com:TXT) as identity: we don't know our own 
> RSA key
> Dec  9 14:03:21 apogee pluto[14106]: shutting down
> Dec  9 14:03:21 apogee pluto[14106]: forgetting secrets
> Dec  9 14:03:21 apogee pluto[14106]: "private": deleting connection
> Dec  9 14:03:21 apogee pluto[14106]: "private-or-clear#0.0.0.0/0": 
> deleting connection
> Dec  9 14:03:21 apogee pluto[14106]: "private-or-clear": deleting 
> connection
> Dec  9 14:03:21 apogee pluto[14106]: "clear": deleting connection
> Dec  9 14:03:21 apogee pluto[14106]: "clear-or-private": deleting 
> connection
> Dec  9 14:03:21 apogee pluto[14106]: "block": deleting connection
> Dec  9 14:03:21 apogee pluto[14106]: "packetdefault": deleting connection
> Dec  9 14:03:21 apogee ipsec_setup: Stopping FreeS/WAN IPsec...
> Dec  9 14:03:21 apogee ipsec_setup: Stopping FreeS/WAN IPsec...
> Dec  9 14:03:21 apogee pluto[14106]: shutting down interface 
> ipsec0/eth0 213.132.75.130
> Dec  9 14:03:23 apogee pluto[14106]: ADNS process terminated by signal 13
> Dec  9 14:03:24 apogee kernel: IPSEC EVENT: KLIPS device ipsec0 shut 
> down.
> Dec  9 14:03:24 apogee kernel: IPSEC EVENT: KLIPS device ipsec0 shut 
> down.
> Dec  9 14:03:24 apogee kernel:
> Dec  9 14:03:24 apogee kernel:
> Dec  9 14:03:24 apogee kernel: divert: no divert_blk to free, ipsec0 
> not ethernet
> Dec  9 14:03:24 apogee kernel: divert: no divert_blk to free, ipsec1 
> not ethernet
> Dec  9 14:03:24 apogee kernel: divert: no divert_blk to free, ipsec2 
> not ethernet
> Dec  9 14:03:24 apogee kernel: divert: no divert_blk to free, ipsec3 
> not ethernet
> Dec  9 14:03:24 apogee kernel:
> Dec  9 14:03:24 apogee kernel:
> Dec  9 14:03:24 apogee kernel: klips_info:pfkey_cleanup: shutting down 
> PF_KEY domain sockets.
> Dec  9 14:03:24 apogee kernel: klips_info:pfkey_cleanup: shutting down 
> PF_KEY domain sockets.
> Dec  9 14:03:24 apogee kernel: klips_info:cleanup_module: ipsec module 
> unloaded.
> Dec  9 14:03:24 apogee kernel: klips_info:cleanup_module: ipsec module 
> unloaded.
> Dec  9 14:03:24 apogee ipsec_setup: ...FreeS/WAN IPsec stopped
> Dec  9 14:03:24 apogee ipsec_setup: ...FreeS/WAN IPsec stopped
> Dec  9 14:03:24 apogee /etc/hotplug/net.agent: NET unregister event 
> not supported
> Dec  9 14:03:24 apogee /etc/hotplug/net.agent: NET unregister event 
> not supported
> Dec  9 14:03:24 apogee last message repeated 3 times
>
>
> [root@apogee root]# route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    
> Use Iface
> 10.0.0.0        *               255.255.255.0   U     0      0        
> 0 eth1
> 213.132.75.0    *               255.255.255.0   U     0      0        
> 0 eth0
> 213.132.75.0    *               255.255.255.0   U     0      0        
> 0 ipsec0
> 169.254.0.0     *               255.255.0.0     U     0      0        
> 0 eth1
> 127.0.0.0       *               255.0.0.0       U     0      0        
> 0 lo
> default         213.132.75.129           128.0.0.0       UG    0      
> 0        0 ipsec0
> 128.0.0.0       213.132.75.129          128.0.0.0       UG    0      
> 0        0 ipsec0
> default         cisco           213.132.75.129        UG    0      
> 0        0 eth0
> [root@apogee root]# route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    
> Use Iface
> 10.0.0.0        *               255.255.255.0   U     0      0        
> 0 eth1
> 213.132.75.0    *               255.255.255.0   U     0      0        
> 0 eth0
> 169.254.0.0     *               255.255.0.0     U     0      0        
> 0 eth1
> 127.0.0.0       *               255.0.0.0       U     0      0        
> 0 lo
> default         213.132.75.129           0.0.0.0         UG    0      
> 0        0 eth0
>
> root@apogee root]# cat /etc/ipsec.d/policies/
> block             clear             clear-or-private  
> private           private-or-clear
>
> [root@apogee root]# cat /etc/ipsec.d/policies/*
> # This file defines the set of CIDRs (network/mask-length) to which
> # communication should never be allowed.
> #
> # See /usr/local/share/doc/freeswan/policygroups.html for details.
> #
> # $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
> #
>
>
>
> # This file defines the set of CIDRs (network/mask-length) to which
> # communication should always be in the clear.
> #
> # See /usr/local/share/doc/freeswan/policygroups.html for details.
> #
> # $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
> #
>
>
> # This file defines the set of CIDRs (network/mask-length) to which
> # we will communicate in the clear, or, if the other side initiates 
> IPSEC,
> # using encryption.  This behaviour is also called "Opportunistic 
> Responder".
> #
> # See /usr/local/share/doc/freeswan/policygroups.html for details.
> #
>
>
>
> # $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
> #
> # This file defines the set of CIDRs (network/mask-length) to which
> # communication should always be private (i.e. encrypted).
> # See /usr/local/share/doc/freeswan/policygroups.html for details.
> #
>
>
> # $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
> #
> #62.241.134.0/28                # 2600 router
> # This file defines the set of CIDRs (network/mask-length) to which
> # communication should be private, if possible, but in the clear 
> otherwise.
> #
>
>
> # If the target has a TXT (later IPSECKEY) record that specifies
> # authentication material, we will require private (i.e. encrypted)
> # communications.  If no such record is found, communications will be
> # in the clear.
> #
> # See /usr/local/share/doc/freeswan/policygroups.html for details.
> #
> # $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
> #
>
> 0.0.0.0/0
>
> ^ is this whats causing all traffic passing thru to die , because it 
> puts all traffic going to 0.0.0.0/0 in ipsec0
>
>
>
>
> #cat /etc/ipsec.sercrets >misspelling ???
> 213.132.71.130 213.131.64.250: PSK "preshared-key"
>
>
>
>
>
>
> \




--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list