Re: Linux FreeS/WAN road warrior problem

From: Andrej (andrej_at_rikom.si)
Date: 06/24/03

Date: Tue, 24 Jun 2003 11:21:26 +0200 (CEST)
To: <security-basics@securityfocus.com>


    On Mon, 23 Jun 2003, Dana Epp wrote:

    > Hey Andrej,

    Hello Dana. First of all thanks for your help.

    > If you want to hit Host B (linux2) I would bet if you set up a tunnel host
    > to host you will have no difficulties.

    I would like to hit the whole subnet behind router that is connected to
    the eth0 (192.168.15.0/24).

    > One thing I am not sure of from your description is if linux2 is a single
    > road warrior client, or if it has a net hanging off of it. If it is a road
    > warrior client, you obviously won't need NET A to Net B or Host A to Net B.
    > :) In other words you would need only two tunnels:

    Yes, linux2 is only a single linux client without a subnet behind it.

    > 1) Net A to Host B

    This is what I'm trying to do - linux2 to net 192.168.15.0/24.

    > 2) Host A to Host B

    If I wanted to ping the router through the tunnel, I would have to set
    this up too, right? Well, I followed the manual from
    http://www.freeswan.org/freeswan_snaps/CURRENT-SNAP/doc/config.html#config.rw
    and there is only the road warrior (without subnet behind it) to subnet
    described, so I tried to test this configuration first. If it would be
    working I would set up the host to host tunnel too (linux2 <-> router).

    > With the tunnel up can you hit things on the network, but not the gateway
    > itself?

    No, I can't hit anything that is on the 192.168.15.0/24 network. If the
    tunnel is down I can hit anything that I want on this subnet.

    > Also, not sure if you have done so, but check out the latest docs on road
    > warrior configurations over at:
    >
    > http://www.freeswan.org/freeswan_snaps/CURRENT-SNAP/doc/config.html#config.rw

    Yes, I have read that a couple of times, but it just won't work.

    What else can I try?

    Greetings from Slovenia,

            Andrej.

    > ----- Original Message -----
    > From: "Andrej" <andrej@rikom.si>
    > To: <security-basics@securityfocus.com>
    > Sent: Saturday, June 21, 2003 5:08 AM
    > Subject: Linux FreeS/WAN road warrior problem
    >
    >
    > > Hello
    > >
    > > I have set up a network that can be found on
    > > http://www.sk-branik.si/ipsec.txt. I have successfully
    > > compiled and installed freeswan 2.0 on router and linux2. Before running
    > > freeswan I have checked that all hosts can ping each other - I can ping
    > > from linux2 to router (both interfaces) and linux1, etc. Now to my
    > > problem, when I start ipsec on linux2 with "ipsec auto --up road" the
    > > tunnel is established, but I can't ping linux1. Here's the output of
    > > tcpdump on a notebook that was connected to the same HUB as linux2 and
    > > router (eth1):
    > >
    > > 12:35:04.348781 192.168.200.2 > 192.168.15.100:
    > > ESP(spi=0x948a6234,seq=0x1d)
    > > 12:35:05.359466 192.168.200.2 > 192.168.15.100:
    > > ESP(spi=0x948a6234,seq=0x1e)
    > > 12:35:06.359355 192.168.200.2 > 192.168.15.100:
    > > ESP(spi=0x948a6234,seq=0x1f)
    > > 12:35:07.359278 192.168.200.2 > 192.168.15.100:
    > > ESP(spi=0x948a6234,seq=0x20)
    > > 12:35:08.359258 192.168.200.2 > 192.168.15.100:
    > > ESP(spi=0x948a6234,seq=0x21)
    > >
    > >
    > > On linux2 my ipsec.conf looks like this :
    > >
    > > ...
    > > conn road
    > > left=192.168.200.2
    > > leftnexthop=%defaultroute
    > > leftid=@linux.wlan
    > > leftrsasigkey=<key>
    > > right=192.168.15.100
    > > rightsubnet=192.168.15.0/24
    > > rightid=@gw.wlan
    > > rightrsasigkey=<key>
    > > auto=add
    > >
    > >
    > > On router my ipsec.conf looks like this :
    > >
    > > ...
    > > conn road
    > > left=192.168.15.100
    > > leftid=@gw.wlan
    > > leftsubnet=192.168.15.0/24
    > > leftrsasigkey=<key>
    > > rightnexthop=%defaultroute
    > > right=%any
    > > rightid=@linux.wlan
    > > rightrsasigkey=<key>
    > > auto=add
    > >
    > > Basically I'm trying to establish a secure tunnel from linux2 to the LAN
    > > behind router (192.168.15.0/24). What am I doing wrong?
    > >
    > > P.S.: The linux2 and router machine both run RH 7.3 with kernel 2.4.20 and
    > > freeswan compiled as modules (make oldmod ; make minstall).
    > >
    > > Many thanks for your help and have a nice day,
    > >
    > > Andrej.
    > >
    > >
    > > ---------------------------------------------------------------------------
    > > Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
    > > The Gartner Group just put Neoteris in the top of its Magic Quadrant,
    > > while InStat has confirmed Neoteris as the leader in marketshare.
    > >
    > > Find out why, and see how you can get plug-n-play secure remote access in
    > > about an hour, with no client, server changes, or ongoing maintenance.
    > >
    > > Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
    > > ----------------------------------------------------------------------------
    > >
    >
    >

    Kind regards,

            Andrej.

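The symptom in this thread is a tunnel that comes up while every ESP packet leaves linux2 and nothing comes back, with both ends' conn blocks posted. As an added example (an editor's illustration, not part of the thread and not FreeS/WAN tooling), the Python below parses the posted tcpdump output to flag one-way ESP flows and compares the two conn blocks so that a left/right mirroring mistake (address, id or subnet) shows up as a list of mismatches. The mirroring rule it applies (left* on one host must equal right* on the other, with %any matching anything) is the FreeS/WAN convention; the tcpdump line format is taken from the post; the mistyped gateway subnet is a constructed counter-example.

```python
import re

# Matches tcpdump's one-line ESP summary, e.g.
#   12:35:04.348781 192.168.200.2 > 192.168.15.100: ESP(spi=0x948a6234,seq=0x1d)
ESP_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)\s+([\d.]+)\s+>\s+([\d.]+):\s*"
                    r"ESP\(spi=(0x[0-9a-fA-F]+),seq=(0x[0-9a-fA-F]+)\)$")


def parse_esp(lines):
    """Return (src, dst, spi, seq) per ESP packet; lines wrapped before 'ESP(' are re-joined."""
    joined = []
    for s in (l.strip() for l in lines):
        if s.startswith("ESP(") and joined:
            joined[-1] += " " + s          # the mail client wrapped the line, as in the post
        elif s:
            joined.append(s)
    pkts = []
    for line in joined:
        m = ESP_RE.match(line)
        if m:
            _, src, dst, spi, seq = m.groups()
            pkts.append((src, dst, int(spi, 16), int(seq, 16)))
    return pkts


def one_way_flows(pkts):
    """(src, dst, count) for every direction that carries ESP with no ESP coming back.

    A tunnel that is 'up' but only ever sends ESP means the peer never answered
    inside the SA: it did not decrypt/forward, or the reply is not routed back
    into the tunnel. tcpdump alone cannot say which.
    """
    counts = {}
    for src, dst, _, _ in pkts:
        counts[(src, dst)] = counts.get((src, dst), 0) + 1
    return sorted((s, d, n) for (s, d), n in counts.items() if (d, s) not in counts)


def parse_conn(text):
    """Parse the key=value lines of a single ipsec.conf 'conn' block into a dict."""
    conf = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and "=" in line and not line.startswith(("#", "conn ")):
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


# left* on one host must equal right* on the other. nexthop and rsasigkey are
# deliberately not compared: nexthop is resolved locally, keys are elided in the post.
MIRRORED_SUFFIXES = ("", "id", "subnet")


def mirror_mismatches(host_a, host_b):
    """Compare A.left* with B.right* and A.right* with B.left*; %any matches anything."""
    problems = []
    for side_a, side_b in (("left", "right"), ("right", "left")):
        for suffix in MIRRORED_SUFFIXES:
            ka, kb = side_a + suffix, side_b + suffix
            va, vb = host_a.get(ka), host_b.get(kb)
            if va is None and vb is None:
                continue
            if va is None or vb is None:
                problems.append(f"{ka}={va} vs {kb}={vb}: set on one host only")
            elif "%any" not in (va, vb) and va != vb:
                problems.append(f"{ka}={va} vs {kb}={vb}")
    return problems


# Sample input constructed from the thread: two of the posted tcpdump lines
# (mail-wrapped as posted) and both conn blocks (rsasigkey lines left out).
TCPDUMP_LINES = """
12:35:04.348781 192.168.200.2 > 192.168.15.100:
ESP(spi=0x948a6234,seq=0x1d)
12:35:05.359466 192.168.200.2 > 192.168.15.100:
ESP(spi=0x948a6234,seq=0x1e)
""".splitlines()

LINUX2_CONN = parse_conn("""
conn road
left=192.168.200.2
leftnexthop=%defaultroute
leftid=@linux.wlan
right=192.168.15.100
rightsubnet=192.168.15.0/24
rightid=@gw.wlan
""")

ROUTER_CONN = parse_conn("""
conn road
left=192.168.15.100
leftid=@gw.wlan
leftsubnet=192.168.15.0/24
rightnexthop=%defaultroute
right=%any
rightid=@linux.wlan
""")

# Constructed counter-example: the gateway's subnet mistyped.
ROUTER_CONN_TYPO = dict(ROUTER_CONN, leftsubnet="192.168.51.0/24")

if __name__ == "__main__":
    for src, dst, n in one_way_flows(parse_esp(TCPDUMP_LINES)):
        print(f"one-way ESP: {n} packets {src} -> {dst}, none back")
    print("posted configs:", mirror_mismatches(LINUX2_CONN, ROUTER_CONN) or "consistent")
    print("typo'd gateway:", mirror_mismatches(LINUX2_CONN, ROUTER_CONN_TYPO))
```

On the two posted conn blocks the mirror check returns no mismatches, so it does not by itself explain the thread's problem; what it establishes is that the endpoints, ids and the 192.168.15.0/24 subnet agree on both ends, and the one-way ESP report confirms that linux2 is encrypting and sending but that no encrypted reply ever comes back, which is where a tcpdump on the gateway's eth0 and a look at its routing and forwarding would pick up the investigation.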

