Firewall Wizards mailing list archives
VPN help !! please
From: Bill Asher <basher () schultz-design com>
Date: Thu, 19 Jul 2001 08:10:39 -0500
My network:

    ba-fw01 PPP 199.217.219.121 199.217.219.126

    Home LAN -- Firewall(ba-fw01) -- modem -->internet<-- Router -- Firewall(fw02) -- Office LAN
    10.2.2.X -- 10.2.2.1 -- modem -->internet<-- 10.0.0.1 -- 10.0.0.x

I'm having a few issues getting my VPN tunnel made. Below are my config files; I used jixen.tripod.com RoadWarrior as an example.

I am a bit confused on the left and right aspects for each location. I have read that the configs should be identical, while other examples show the left and right information swapping for each firewall.

I have also added:

    ipchains -A forward -i $GREEN_DEV -d $GREEN_NETADDRESS/$GREEN_NETMASK -j ACCEPT

to each firewall's rc.firewall.up config.

Also, what exactly should be in my ipsec.secrets config file??

Any suggestions, show me where I'm going wrong!!

Thanks,
Bill

######### Configs ####################

# Road - Work VPN
# Road /etc/ipsec.conf config file - 7/16/01

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search

conn %default
        keyingtries=1

conn road-work
        left=%defaultroute
        leftsubnet=
        leftnexthop=
        right=199.217.219.126
        rightsubnet=10.0.0.0/8
        rightnexthop=199.217.219.121
        auto=start
        authby=rsasig
        leftid=@ba-fw01.basher.com
        rightid=@fw02.schultz-design.com
        leftrsasigkey=0x0A
        rightrsasigkey=0x0B

# Road - Work VPN
# Work /etc/ipsec.conf config file - 7/16/01

config setup
        interfaces="ipsec0=eth2"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search

conn %default
        keyingtries=1

conn road-work
        left=0.0.0.0
        leftsubnet=
        leftnexthop=
        right=199.217.219.126
        rightsubnet=10.0.0.0/8
        rightnexthop=199.217.219.121
        auto=add
        authby=rsasig
        leftid=@ba-fw01.basher.com
        rightid=@fw02.schultz-design.com
        leftrsasigkey=0x0A
        rightrsasigkey=0x0B

Error Messages:

root@ba-fw01~# ipsec setup --restart
ipsec_setup: Stopping FreeS/WAN IPSEC...
ipsec_setup: Starting FreeS/WAN IPSEC 1.8...
ipsec_setup: WARNING: ipsec0 has route filtering turned on, KLIPS may not work
ipsec_setup:  (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = `1', should be 0)
ipsec_setup: WARNING: ppp0 has route filtering turned on, KLIPS may not work
ipsec_setup:  (/proc/sys/net/ipv4/conf/ppp0/rp_filter = `1', should be 0)
ipsec_setup: 102 "road-work" #1: STATE_MAIN_I1: initiate
ipsec_setup: 104 "road-work" #1: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2
ipsec_setup: 106 "road-work" #1: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3
ipsec_setup: 003 "road-work" #1: SIG did not decrypt into good ECB: no leading 00. Bad key?
ipsec_setup: 217 "road-work" #1: STATE_MAIN_I3: INVALID_KEY_INFORMATION
ipsec_setup: 010 "road-work" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
ipsec_setup: 003 "road-work" #1: SIG did not decrypt into good ECB: no leading 00. Bad key?
ipsec_setup: 217 "road-work" #1: STATE_MAIN_I3: INVALID_KEY_INFORMATION
ipsec_setup: 010 "road-work" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
ipsec_setup: 003 "road-work" #1: SIG did not decrypt into good ECB: no leading 00. Bad key?
ipsec_setup: 217 "road-work" #1: STATE_MAIN_I3: INVALID_KEY_INFORMATION
ipsec_setup: 031 "road-work" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message

root@ba-fw01~# ipsec auto --up road-work
102 "road-work" #2: STATE_MAIN_I1: initiate
104 "road-work" #2: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2
106 "road-work" #2: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3
003 "road-work" #2: SIG did not decrypt into good ECB: no leading 00. Bad key?
217 "road-work" #2: STATE_MAIN_I3: INVALID_KEY_INFORMATION
010 "road-work" #2: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "road-work" #2: SIG did not decrypt into good ECB: no leading 00. Bad key?
217 "road-work" #2: STATE_MAIN_I3: INVALID_KEY_INFORMATION

root@ba-fw01~# cat /proc/net/ipsec_tncfg
ipsec0 -> ppp0 mtu=16260 -> 1524
ipsec1 -> NULL mtu=0 -> 0
ipsec2 -> NULL mtu=0 -> 0
ipsec3 -> NULL mtu=0 -> 0

root@fw02~# cat /proc/net/ipsec_tncfg
ipsec0 -> eth2 mtu=16260 -> 1500
ipsec1 -> NULL mtu=0 -> 0
ipsec2 -> NULL mtu=0 -> 0
ipsec3 -> NULL mtu=0 -> 0

B. Asher
IT Manager
SCHULTZ DESIGN
(636)936-2900
www.schultz-design.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
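An added example, not part of Bill's post and not FreeS/WAN's own code: a small Python checker that parses two peers' ipsec.conf files plus one ipsec.secrets file and reports the inconsistencies behind the two questions in the post. It assumes the FreeS/WAN 1.x file layout (indented key=value lines under "config setup" / "conn NAME", host public keys published as 0s-prefixed base64 by ipsec showhostkey, and ipsec.secrets holding the host's own private key in a ": RSA { ... }" block as written by ipsec rsasigkey). In FreeS/WAN, left and right are fixed labels rather than "this host" and "the peer": the same conn block is meant to be installed on both ends and Pluto works out which side it is, so only left/right themselves may legitimately differ for a road warrior (%defaultroute on the mobile end, 0.0.0.0 or %any on the office end), while subnets, nexthops, ids and rsasigkeys must read identically. Pluto's "SIG did not decrypt into good ECB ... Bad key?" is the symptom of a peer's published rsasigkey not matching the private key in that peer's ipsec.secrets, which is the last thing the checker tests. All function names are mine; the sample configs reuse the addresses and ids from the post with the post's 0x0A/0x0B placeholders, and the ipsec.secrets excerpt is constructed filler, not a real key.

```python
"""Cross-check two peers' FreeS/WAN ipsec.conf files and one ipsec.secrets.

Added example (not code from the post). Assumes FreeS/WAN 1.x file layout;
all sample values below are constructed."""
import re

# FreeS/WAN treats 'left' and 'right' as fixed labels, not 'me'/'them': the
# same conn block is installed on both ends, so these must match on both
# peers. 'left'/'right' themselves may differ for a road warrior.
SHARED_KEYS = ("leftsubnet", "rightsubnet", "leftnexthop", "rightnexthop",
               "leftid", "rightid", "leftrsasigkey", "rightrsasigkey", "authby")


def parse_ipsec_conf(text):
    """Parse ipsec.conf into {'conn NAME': {key: value}, 'config setup': {...}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header in column 0
            current = " ".join(line.split())
            sections[current] = {}
        elif current is not None:                 # indented key=value
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def looks_like_rsa_pubkey(value):
    """'ipsec showhostkey' prints '0sAQ...' (base64); hex like 0x0A is not a key."""
    return value.startswith("0s") and len(value) > 64


def check_conn_pair(conf_a, conf_b, conn):
    """Findings for one conn as it appears in two peers' parsed ipsec.conf."""
    a, b = conf_a.get(f"conn {conn}"), conf_b.get(f"conn {conn}")
    if a is None or b is None:
        return [f"conn {conn}: block missing on one peer"]
    findings = []
    for key in SHARED_KEYS:
        if a.get(key, "") != b.get(key, ""):
            findings.append(f"{key}: peers disagree ({a.get(key)!r} vs {b.get(key)!r})")
    for key in ("leftsubnet", "leftnexthop", "rightsubnet", "rightnexthop"):
        if a.get(key) == "" or b.get(key) == "":
            findings.append(f"{key}: present but empty")
    if a.get("authby") == "rsasig":
        for key in ("leftrsasigkey", "rightrsasigkey"):
            val = a.get(key, "")
            if not looks_like_rsa_pubkey(val):
                findings.append(f"{key}: {val!r} is not a FreeS/WAN public key (expected 0s...)")
        if a.get("leftrsasigkey") and a.get("leftrsasigkey") == a.get("rightrsasigkey"):
            findings.append("leftrsasigkey equals rightrsasigkey; each host needs its own key")
    return findings


def check_secrets(secrets_text, published_pubkey):
    """ipsec.secrets holds this host's own private key; its '#pubkey=' line is
    what the OTHER peer must carry as this host's rsasigkey. A mismatch is what
    makes Pluto on the peer log 'SIG did not decrypt ... Bad key?'."""
    block = re.search(r":\s*RSA\s*\{(.*?)\}", secrets_text, re.S)
    if not block:
        return ["ipsec.secrets: no ': RSA { ... }' block"]
    body, findings = block.group(1), []
    for field in ("Modulus", "PublicExponent", "PrivateExponent"):
        if not re.search(rf"^\s*{field}:\s*0x[0-9a-fA-F]+", body, re.M):
            findings.append(f"ipsec.secrets: missing {field}")
    m = re.search(r"#\s*pubkey=(\S+)", body)
    if m and m.group(1) != published_pubkey:
        findings.append("ipsec.secrets: #pubkey differs from this host's rsasigkey in ipsec.conf")
    return findings


def audit(conf_a_text, conf_b_text, conn, secrets_text, own_side):
    """own_side is 'left' or 'right': the label conf_a's host plays in the conn."""
    a, b = parse_ipsec_conf(conf_a_text), parse_ipsec_conf(conf_b_text)
    findings = check_conn_pair(a, b, conn)
    published = a.get(f"conn {conn}", {}).get(f"{own_side}rsasigkey", "")
    return findings + check_secrets(secrets_text, published)


# Constructed samples shaped like the post's files (addresses/ids from the
# post; 0x0A/0x0B are the post's placeholders, not keys).
ROAD_CONF = """\
config setup
    interfaces=%defaultroute
conn road-work
    left=%defaultroute
    leftsubnet=
    leftnexthop=
    right=199.217.219.126
    rightsubnet=10.0.0.0/8
    rightnexthop=199.217.219.121
    auto=start
    authby=rsasig
    leftid=@ba-fw01.basher.com
    rightid=@fw02.schultz-design.com
    leftrsasigkey=0x0A
    rightrsasigkey=0x0B
"""
WORK_CONF = (ROAD_CONF.replace("interfaces=%defaultroute", 'interfaces="ipsec0=eth2"')
             .replace("left=%defaultroute", "left=0.0.0.0").replace("auto=start", "auto=add"))

FAKE_PUBKEY = "0sAQ" + "A" * 80      # placeholder, not a real key
ROAD_SECRETS = f"""\
: RSA {{
    #pubkey={FAKE_PUBKEY}
    Modulus: 0x{'ab' * 32}
    PublicExponent: 0x03
    # everything after this point is secret
    PrivateExponent: 0x{'cd' * 32}
    }}
"""

if __name__ == "__main__":
    for finding in audit(ROAD_CONF, WORK_CONF, "road-work", ROAD_SECRETS, "left"):
        print("-", finding)
```

Run against the post-shaped samples it reports the empty leftsubnet/leftnexthop lines, that 0x0A and 0x0B are not FreeS/WAN public keys, and that the road host's ipsec.secrets publishes a different key than the one its ipsec.conf claims for it; a pair of files that agree on every shared parameter and carry real 0s-prefixed keys produces only the empty-subnet notes. The rp_filter warnings in the post are a separate item: FreeS/WAN wants /proc/sys/net/ipv4/conf/<iface>/rp_filter set to 0 on the interfaces it uses, which the output it prints already tells you.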