
Re: vpn problem..




R.M. Evers wrote:
| hello,
|
| i'm having some problems implementing a vpn configuration, and i'm
| hoping you guys could help me out here. we are hosting a debian sarge
| server for one of our customers, and they need to communicate with this
| server over the internet securely. to accomplish this, i want to create
| a vpn between the debian server and their network. for my test setup,
| this is what i did:
|
| on the left side of the vpn (debian sarge server):
|
| - compiled a 2.4.27-8 kernel with the backported KAME IPSec stack and
|   crypto modules
| - installed freeswan and ipsec-tools
| - this server has two NICs:
|     * eth0 is connected to the internet, and has an external IP, let's
|       say 1.2.3.4.
|     * eth1 is _not_ connected, but i assigned an internal IP to it:
|       172.27.27.1.
| - set up iptables to accept the ESP packets and IKE messages (udp/500)
|   from the right side (9.8.7.6).
| - configured freeswan for the vpn:
|     --
|     conn foo-bar
|       left=1.2.3.4
|       leftsubnet=172.27.27.0/24
|       leftnexthop=1.2.3.1
|       right=9.8.7.6
|       rightsubnet=192.168.1.0/24
|       authby=secret
|       auto=start
|     --
|
| on the right side i set up a simple test network behind a netscreen
| appliance (9.8.7.6) and configured the vpn.
|
| now, i can start the vpn and it works when i try to connect from right
| to left (let's say, from 192.168.1.33 to 172.27.27.1). tcpdump shows me
| esp packets, and everything works fine.


Does tcpdump show out-going and returning packets?

|
| now here's the problem: i cannot connect from left to right (i.e., from
| the debian server to a machine inside the right network). when i follow
| the tcpdump when i nmap a machine in the right network (192.168.1.33), i
| can see packets going from 1.2.3.4 to 192.168.1.33. so it's not
| travelling the vpn and i don't have a clue why. i'm kind of a n00b at
| this stuff, so i was amazed i actually got this far. but does anyone
| know what i have to do to have a fully functional bidirectional vpn? or
| is my setup just, well, plain stupid?? :-) it must be noted that in the
| future it is likely that more parties will have to connect to this
| server via an extra vpn.
|

Depending on the answer above, if you are not seeing returning packets,
run netstat -rn on the left server and confirm that the routing table
shows the left-side subnet and that it is being routed through the
correct interface.

hth

Dave
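The routing-table check suggested in the reply, combined with a comparison of the observed packet against the tunnel's traffic selectors, as an added example (this is not code from the thread or from FreeS/WAN). The conn block is the one quoted in the post; the netstat -rn output is constructed to look like a plausible table on the left server and is an assumption. The script shows what a practitioner would look at: a packet sourced from the gateway's public address 1.2.3.4 falls outside leftsubnet 172.27.27.0/24, so the subnet-to-subnet policy does not select it, while the same packet sourced from 172.27.27.1 does. That this is the actual cause of the one-way behaviour is an inference from the post's own addresses, not something the thread settles.

```python
import ipaddress

# Constructed input: the 'conn' block quoted in the post (placeholder addresses).
IPSEC_CONF = """
conn foo-bar
  left=1.2.3.4
  leftsubnet=172.27.27.0/24
  leftnexthop=1.2.3.1
  right=9.8.7.6
  rightsubnet=192.168.1.0/24
  authby=secret
  auto=start
"""

# Constructed input (assumption, not from the post): what `netstat -rn` might
# print on the left server, eth0 public, eth1 carrying 172.27.27.0/24.
NETSTAT_RN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.27.27.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
1.2.3.0         0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         1.2.3.1         0.0.0.0         UG        0 0          0 eth0
"""


def parse_conn(text):
    """Parse a minimal ipsec.conf 'conn' block (key=value lines) into a dict."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def tunnel_selects(conf, src, dst):
    """True if a src->dst packet lies inside the leftsubnet<->rightsubnet selectors.

    Tunnel-mode policies match on the inner addresses, so traffic the gateway
    sends from its own public address is not covered unless that address is
    itself inside leftsubnet.
    """
    left = ipaddress.ip_network(conf["leftsubnet"])
    right = ipaddress.ip_network(conf["rightsubnet"])
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in left and d in right) or (s in right and d in left)


def parse_routes(text):
    """Turn `netstat -rn` output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines()[2:]:  # skip the two header lines
        fields = line.split()
        if len(fields) < 8:
            continue
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[-1]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes


def route_for(routes, dst):
    """Longest-prefix match: the route the kernel would pick for dst, or None."""
    d = ipaddress.ip_address(dst)
    matches = [r for r in routes if d in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)


def diagnose(conf_text, netstat_text, src, dst):
    """Combine both checks for one observed src->dst packet."""
    conf = parse_conn(conf_text)
    r = route_for(parse_routes(netstat_text), dst)
    return {
        "selected_by_tunnel": tunnel_selects(conf, src, dst),
        "route": None if r is None else (str(r[0]), r[1], r[2]),
    }


if __name__ == "__main__":
    # The packet the post saw in the clear, then the same target sourced from eth1.
    for src in ("1.2.3.4", "172.27.27.1"):
        print(src, "->", "192.168.1.33", diagnose(IPSEC_CONF, NETSTAT_RN, src, "192.168.1.33"))
```

Reading the two results side by side is the point: both packets leave via the default route on eth0, but only the one sourced from 172.27.27.1 is inside the tunnel's selectors, which is consistent with tcpdump showing plain 1.2.3.4 -> 192.168.1.33 packets when nmap is run from the server itself.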


