Security Basics mailing list archives

Re: Linux FreeS/WAN road warrior problem


From: "Dana Epp" <dana () vulscan com>
Date: Mon, 23 Jun 2003 09:52:16 -0700

Hey Andrej,

I believe the problem you are having may be that when the tunnels are up the
traffic is getting routed through the tunnel rather than through the normal
outside paths.

One way that works extremely well for net to net IPSec VPN is to set up 4
tunnels.

1) Net A to Net B
2) Net A to Host B
3) Host A to Net B
4) Host A to Host B

This way, you can do complete network diagnostics including pinging on the
actual VPN gateways where FreeSwan resides on both ends, to both ends, as
well as to the networks.

One thing that I have never been able to figure out is how to connect to a
service/port on the VPN gateway if I got a tunnel up to it. I can easily hit
it THROUGH the tunnel, but I can not seem to route particular ports to be
outside the encrypted tunnel to the same location. Perhaps this is a
limitation of how FreeSwan acts. It's doing what it's intended to do: route
particular networks THROUGH the encrypted tunnel. You just can't be
selective and pick which are encrypted, and which are not. (At least, I
haven't found a way yet.)

If you want to hit Host B (linux2) I would bet if you set up a tunnel host
to host you will have no difficulties.

One thing I am not sure of from your description is if linux2 is a single
road warrior client, or if it has a net hanging off of it. If it is a road
warrior client, you obviously won't need NET A to Net B or Host A to Net B.
:) In other words you would need only two tunnels:

1) Net A to Host B
2) Host A to Host B

With the tunnel up can you hit things on the network, but not the gateway
itself?

Also, not sure if you have done so, but check out the latest docs on road
warrior configurations over at:

http://www.freeswan.org/freeswan_snaps/CURRENT-SNAP/doc/config.html#config.rw

Good luck.

---
Regards,
Dana M. Epp
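The two-tunnel road warrior layout described above, written out as an added example (not configuration from either post) using the addresses and ids from Andrej's message; the two halves are separate ipsec.conf files, and the key values are placeholders.

```ini
# Added example, not configuration from either post: the two-tunnel
# road warrior layout (Net A to Host B, Host A to Host B) as FreeS/WAN
# 2.0 conns. Net A = 192.168.15.0/24, Host A = router 192.168.15.100,
# Host B = linux2 at 192.168.200.2. <key> stands for each host's RSA key.

# ---- router (gateway 192.168.15.100) ----

# Tunnel 1: LAN behind the router (Net A) <-> road warrior (Host B)
conn road-net
    leftsubnet=192.168.15.0/24
    also=road-common

# Tunnel 2: the gateway itself (Host A) <-> road warrior (Host B);
# no leftsubnet, so the gateway's own address is the tunnel endpoint
conn road-host
    also=road-common

# Shared parameters. FreeS/WAN requires an also= target to come after
# the sections that reference it, so it is placed last.
conn road-common
    left=192.168.15.100
    leftid=@gw.wlan
    leftrsasigkey=<key>
    right=%any
    rightid=@linux.wlan
    rightrsasigkey=<key>
    auto=add

# ---- linux2 (road warrior, 192.168.200.2) ----

# Tunnel 1: road warrior <-> LAN behind the router
conn road-net
    rightsubnet=192.168.15.0/24
    also=road-common

# Tunnel 2: road warrior <-> the gateway host itself
conn road-host
    also=road-common

conn road-common
    left=192.168.200.2
    leftnexthop=%defaultroute
    leftid=@linux.wlan
    leftrsasigkey=<key>
    right=192.168.15.100
    rightid=@gw.wlan
    rightrsasigkey=<key>
    auto=add
```

The road warrior initiates both with "ipsec auto --up road-net" and "ipsec auto --up road-host"; with only road-net up, the LAN is reachable through the tunnel but the gateway's own address is not, which is the case the second tunnel covers.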


----- Original Message ----- 
From: "Andrej" <andrej () rikom si>
To: <security-basics () securityfocus com>
Sent: Saturday, June 21, 2003 5:08 AM
Subject: Linux FreeS/WAN road warrior problem


Hello

I have set up a network that can be found on
http://www.sk-branik.si/ipsec.txt. I have successfully
compiled and installed freeswan 2.0 on router and linux2. Before running
freeswan I have checked that all hosts can ping each other - I can ping
from linux2 to router (both interfaces) and linux1, etc. Now to my
problem: when I start ipsec on linux2 with "ipsec auto --up road" the
tunnel is established, but I can't ping linux1. Here's the output of
tcpdump on a notebook that was connected to the same HUB as linux2 and
router (eth1):

12:35:04.348781 192.168.200.2 > 192.168.15.100: ESP(spi=0x948a6234,seq=0x1d)
12:35:05.359466 192.168.200.2 > 192.168.15.100: ESP(spi=0x948a6234,seq=0x1e)
12:35:06.359355 192.168.200.2 > 192.168.15.100: ESP(spi=0x948a6234,seq=0x1f)
12:35:07.359278 192.168.200.2 > 192.168.15.100: ESP(spi=0x948a6234,seq=0x20)
12:35:08.359258 192.168.200.2 > 192.168.15.100: ESP(spi=0x948a6234,seq=0x21)


On linux2 my ipsec.conf looks like this :

...
conn road
        left=192.168.200.2
        leftnexthop=%defaultroute
        leftid=@linux.wlan
        leftrsasigkey=<key>
        right=192.168.15.100
        rightsubnet=192.168.15.0/24
        rightid=@gw.wlan
        rightrsasigkey=<key>
        auto=add


On router my ipsec.conf looks like this :

...
conn road
    left=192.168.15.100
    leftid=@gw.wlan
    leftsubnet=192.168.15.0/24
    leftrsasigkey=<key>
    rightnexthop=%defaultroute
    right=%any
    rightid=@linux.wlan
    rightrsasigkey=<key>
    auto=add

Basically I'm trying to establish a secure tunnel from linux2 to the LAN
behind router (192.168.15.0/24). What am I doing wrong?

P.S.: The linux2 and router machines both run RH 7.3 with kernel 2.4.20 and
freeswan compiled as modules (make oldmod ; make minstall).

Many thanks for your help and have a nice day,

        Andrej.

