Security Basics mailing list archives
Re: Linux FreeS/WAN road warrior problem
From: "Dana Epp" <dana () vulscan com>
Date: Mon, 23 Jun 2003 09:52:16 -0700
Hey Andrej, I believe the problem you are having may be that when the tunnels are up the traffic is getting routed through the tunnel rather than through the normal outside paths. One way that works extremely well for net to net IPSec VPN is to set up 4 tunnels. 1) Net A to Net B 2) Net A to Host B 3) Host A to Net B 4) Host A to Host B This way, you can do complete network diagnostics including pinging on the actual VPN gateways where FreeSwan resides on both ends, to both ends, as well as to the networks. One thing that I have never been able to figure out is how to connect to a service/port on the VPN gateway if I got a tunnel up to it. I can easily hit it THROUGH the tunnel, but I can not seem to route particular ports to be outside the encrypted tunnel to the same location. Perhaps this is a limitation of how FreeSwan acts. Its doing what its intended to do. Route particular networks THROUGH the encrypted tunnel. You just can't be selective and pick which are encrypted, and which are not. (Atleast, I haven't found a way yet) If you want to hit Host B (linux2) I would bet if you set up a tunnel host to host you will have no difficulties. One thing I am not sure of from your description is if linux2 is a single road warrior client, or if it has a net hanging off of it. If it is a road warrior client, you obviously won't need NET A to Net B or Host A to Net B. :) In other words you would need only two tunnels: 1) Net A to Host B 2) Host A to Host B With the tunnel up can you hit things on the network, but not the gateway itself? Also, not sure if you have done so, but check out the latest docs on road warrior configurations over at: http://www.freeswan.org/freeswan_snaps/CURRENT-SNAP/doc/config.html#config.rw Good luck. --- Regards, Dana M. Epp ----- Original Message ----- From: "Andrej" <andrej () rikom si> To: <security-basics () securityfocus com> Sent: Saturday, June 21, 2003 5:08 AM Subject: Linux FreeS/WAN road warrior problem
Hello I have set up a network that can be found on http://www.sk-branik.si/ipsec.txt. I have succesfully compiled and installed freeswan 2.0 on router and linux2. Before running freeswan I have checked that all hosts can ping each other - I can ping from linux2 to router (both interfaces) and linux1, etc. Now to my problem, when I start ipsec on linux2 with "ipsec auto --up road" the tunnel is established, but I can't ping linux1. Here's the output of tcpdump on an notebook that was connected to the same HUB that linux2 and router(eth1) : 12:35:04.348781 192.168.200.2 > 192.168.15.100: ESP(spi=0x948a6234,seq=0x1d) 12:35:05.359466 192.168.200.2 > 192.168.15.100: ESP(spi=0x948a6234,seq=0x1e) 12:35:06.359355 192.168.200.2 > 192.168.15.100: ESP(spi=0x948a6234,seq=0x1f) 12:35:07.359278 192.168.200.2 > 192.168.15.100: ESP(spi=0x948a6234,seq=0x20) 12:35:08.359258 192.168.200.2 > 192.168.15.100: ESP(spi=0x948a6234,seq=0x21) On linux2 my ipsec.conf looks like this : ... conn road left=192.168.200.2 leftnexthop=%defaultroute leftid=@linux.wlan leftrsasigkey=<key> right=192.168.15.100 rightsubnet=192.168.15.0/24 rightid=@gw.wlan rightrsasigkey=<key> auto=add On router my ipsec.conf looks like this : ... conn road left=192.168.15.100 leftid=@gw.wlan leftsubnet=192.168.15.0/24 leftrsasigkey=<key> rightnexthop=%defaultroute right=%any rightid=@linux.wlan rightrsasigkey=<key> auto=add Basicly I'm trying to establish a secure tunnel from linux2 to the LAN behind router (192.168.15.0/24). What am I doing wrong? P.S.: The linux2 and router machine both run RH 7.3 with kernel 2.4.20 and fresswan compiled as modules (make oldmod ; make minstall). Many thanks for your help and have a nice day, Andrej. --------------------------------------------------------------------------
-
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm --------------------------------------------------------------------------
--
--------------------------------------------------------------------------- Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm ----------------------------------------------------------------------------
Current thread:
- Linux FreeS/WAN road warrior problem Andrej (Jun 23)
- Re: Linux FreeS/WAN road warrior problem Dana Epp (Jun 24)
- Re: Linux FreeS/WAN road warrior problem Andrej (Jun 24)
- Re: Linux FreeS/WAN road warrior problem Dana Epp (Jun 24)