Re: vpn problem..
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
R.M. Evers wrote:
| hello,
|
| i'm having some problems implementing a vpn configuration, and i'm
| hoping you guys could help me out here. we are hosting a debian sarge
| server for one of our customers, and they need to communicate with this
| server over the internet securely. to accomplish this, i want to create
| a vpn between the debian server and their network. for my test setup,
| this is what i did:
|
| on the left side of the vpn (debian sarge server):
|
| - compiled a 2.4.27-8 kernel with the backported KAME IPSec stack and
| crypto modules
| - installed freeswan and ipsec-tools
| - this server has two NIC's:
| * eth0 is connected to the internet, and has an external IP, let's
| say 1.2.3.4.
| * eth1 is _not_ connected, but i assigned an internal IP to it:
| 172.27.27.1.
| - setup iptables to accept the esp packets and IKE messages (udp/500)
| from the right side (9.8.7.6).
| - configured freeswan for the vpn:
| --
| conn foo-bar
| left=1.2.3.4
| leftsubnet=172.27.27.0/24
| leftnexthop=1.2.3.1
| right=9.8.7.6
| rightsubnet=192.168.1.0/24
| authby=secret
| auto=start
| --
|
| on the right side i set up a simple test network behind a netscreen
| appliance (9.8.7.6) and configured the vpn.
|
| now, i can start the vpn and it works when i try to connect from right
| to left (let's say, from 192.168.1.33 to 172.27.27.1). tcpdump shows me
| esp packets, and everything works fine.
Does tcpdump show out-going and returning packets?
|
| now here's the problem: i cannot connect from left to right (i.e., from
| the debian server to a machine inside the right network). when i follow
| the tcpdump when i nmap a machine in the right network (192.168.1.33), i
| can see packets going from 1.2.3.4 to 192.168.1.33. so it's not
| travelling the vpn and i don't have a clue why. i'm kind of a n00b at
| this stuff, so i was amazed i actually got this far. but does anyone
| know what i have to do to have a fully functional bidirectional vpn? or
| is my setup just, well, plain stupid?? :-) it must be noted that in the
| future it is likely that more parties will have to connect to this
| server via an extra vpn.
|
Depending on the answer above, if you are not seeing returning packets,
check netstat -rn on the left server and check the routing table shows
the left-side subnet and that they are being routed through the correct
interface.
hth
Dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCOZG162r58u1gKlkRAtHXAKCfGONtb+rQAK0KXbQ2xLhXPeIK2ACgqdu+
PlI5flPuNf1vKDAj2RKid4c=
=XVAF
-----END PGP SIGNATURE-----
Reply to: