Re: Freeswan IPsec routing problem... ;^(
From: Bryan Packer (bryanp_at_visi.com)
Date: 06/14/03
- Next message: Allen Kistler: "Re: ssh2"
- Previous message: Icky The Poo: "/proc/net/tcp and /proc/net/udp"
- In reply to: Nicola Pedrozzi: "Re: Freeswan IPsec routing problem... ;^("
- Next in thread: nikita: "Re: Freeswan IPsec routing problem... ;^("
- Reply: nikita: "Re: Freeswan IPsec routing problem... ;^("
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 14 Jun 2003 14:25:00 -0500
Nicola Pedrozzi wrote:
> Hello again,
> I forgot to mention that my ADSL connection is based on Dinamyc IPs,
> thought it stays the same during my testing sessions.
> Is maybe because of this that the Zyxel IP and its gateway IP are
> the same? May be a problem?
a) Dynamic IP is fine, but whenever the IP actually does change, you will have
to change the addresses in both sides config files and restart.
b) You need a right nexthop in your config. FreeS/wan doesn't like not having
one. I don't believe that the ADSL box can be it's own gateway. By definition
the default gateway is the place that a machine directs all packets it doesn't
know how to route. Routing it to itself wouldn't do much good would it? Do a
route or netstat -rn from that box and look for default or 0.0.0.0 in the
destination column. It to will change when your address changes.
c) Check /var/log/secure for any error messages when you start or stop ipsec.
d) Keep in mind that you have to test from an address *behind* your firewall, to
an address *behind* the other firewall. The tunnel won't route packets that
originate from the firewall itself or aimed at the inside address of the
opposite firewall. (Replies from the inside of the other firewall leave with a
source address of the *outside* address of that machine, and won't come back
through the tunnel.)
e) Make sure *both* sides are not NAT'ing outbound packets. Make sure the rule
that SNAT's the packets explicitly states *only* -o $INET_IF. Packets traversing
the tunnel leave via ipsec0 and will not be NAT'd then. (Which by the way I
can't see any reason you mention ipsec1 on a simple point to point tunnel. Both
sides should use ipsec0.)
f) Check your firewall rules. If you reference interfaces using -o and -i
options (which is good policy), did you allow for packets that come and go on
interface ipsec0? Even though it may physically leave on eth0 or eth1,
*logically* it leaves/arrives on ipsec0. Your rules may be blocking the packets.
In the beginning you may want to just allow everything coming and going on the
ipsec0 interface (watch the sequence of the rules) until it works. Then tighten
slowly until happy.
g) Use tcpdump -i (outside_if,inside_if, or ipsec0) to watch packets on both
sides to see how far the packets get. The "host' option can help restrict the
output, but can also hide things if your logic is faulty. Do packets leave on
ipsec0 or eth0? Does the source address NAT? Destination? Do the packets make it
to the far side but the replies don't return? Do the replies leave via ipsec0
interface or eth0? Do they come in ipsec0 but not leave the inside interface?
Also try using:
iptables -I INPUT/FORWARD/and OUTPUT -j LOG to log all packets, then look
through your logs for clues.
h) FreeS/Wan has a very good mailing list with lots of smart people. Search
their archives or Google first though. Often times the answer is there already.
i) Below is my config file for a very similar setup. Left is my home on a
dynamic cable connection, right is T1 with static address.
Best 'o luck,
bryan
--
Some people just don't know how to drive...I call these
people "Everybody But Me".
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces=%defaultroute
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes
# defaults for subsequent connection descriptions
conn %default
# How persistent to be in (re)keying negotiations (0 means very).
keyingtries=4
# RSA authentication with keys from DNS.
#authby=rsasig
#leftrsasigkey=%dns
#rightrsasigkey=%dns
# Work VPN connection
conn me-work
# Left security gateway, subnet behind it, next hop toward right.
left=123.456.789.188
leftsubnet=192.168.9.0/24
leftnexthop=123.456.789.1
# Right security gateway, subnet behind it, next hop toward left.
right=111.222.333.50
rightsubnet=192.168.0.0/24
rightnexthop=111.222.333.49
authby=rsasig
leftid=@my.dns.name.com
rightid=@work.dnsname.com
leftrsasigkey=<snip>
rightrsasigkey=<snip>
# To authorize this connection, but not actually start it, at startup,
# uncomment this.
auto=start
- Next message: Allen Kistler: "Re: ssh2"
- Previous message: Icky The Poo: "/proc/net/tcp and /proc/net/udp"
- In reply to: Nicola Pedrozzi: "Re: Freeswan IPsec routing problem... ;^("
- Next in thread: nikita: "Re: Freeswan IPsec routing problem... ;^("
- Reply: nikita: "Re: Freeswan IPsec routing problem... ;^("
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
