
Re: vpn problem..




R.M. Evers said:
> i'm having some problems implementing a vpn configuration, and i'm
> hoping you guys could help me out here. we are hosting a debian sarge
> server for one of our customers, and they need to communicate with this
> server over the internet securely. to accomplish this, i want to create
> a vpn between the debian server and their network. for my test setup,
> this is what i did:
> 
> on the left side of the vpn (debian sarge server):
> 
> - compiled a 2.4.27-8 kernel with the backported KAME IPSec stack and
>   crypto modules
> - installed freeswan and ipsec-tools
> - this server has two NICs:
>     * eth0 is connected to the internet, and has an external IP, let's
>       say 1.2.3.4.
>     * eth1 is _not_ connected, but i assigned an internal IP to it:
>       172.27.27.1.
> - set up iptables to accept the esp packets and IKE messages (udp/500)
>   from the right side (9.8.7.6).
> - configured freeswan for the vpn:
>     --
>     conn foo-bar
>       left=1.2.3.4
>       leftsubnet=172.27.27.0/24
>       leftnexthop=1.2.3.1
>       right=9.8.7.6
>       rightsubnet=192.168.1.0/24
>       authby=secret
>       auto=start
>     --
> 
> on the right side i set up a simple test network behind a netscreen
> appliance (9.8.7.6) and configured the vpn.

I'm not really familiar with netscreens, but they should work just fine
with freeswan.

> now, i can start the vpn and it works when i try to connect from right
> to left (let's say, from 192.168.1.33 to 172.27.27.1). tcpdump shows me
> esp packets, and everything works fine.

So the tunnel is up? You can ping from one side to the other? Have a
look at the output of 'ipsec look'. Look at the logs on the left side
server. Is the tunnel really up? You should see entries in
/var/log/auth.log. Look at logs on the netscreen as well.

> now here's the problem: i cannot connect from left to right (i.e., from
> the debian server to a machine inside the right network). when i follow
> the tcpdump when i nmap a machine in the right network (192.168.1.33), i
> can see packets going from 1.2.3.4 to 192.168.1.33. so it's not
> travelling the vpn and i don't have a clue why. 

Are you trying *from* the vpn server? Try connecting from a machine
that is *behind* the left server. Your config says send packets from
172.27.27.0/24 over the tunnel. When you ping from the debian server,
it's using the 1.2.3.4 interface, so it's not going through the tunnel. You
can tell ping to use the other interface by using 'ping -I eth1
192.168.1.x', or connect a box to the eth1 iface and try connecting from
there.

For freeswan configs, it's pretty normal to use the classic 4 tunnel
approach to cover all connections.

# net-to-net: 172.27.27.0/24 <-> 192.168.1.0/24
conn rnet-lnet
   left=1.2.3.4
   leftsubnet=172.27.27.0/24
   leftnexthop=1.2.3.1
   right=9.8.7.6
   rightsubnet=192.168.1.0/24
   authby=secret
   auto=start
# right net <-> the left server itself (traffic sourced from 1.2.3.4)
conn rnet-lserver
   left=1.2.3.4
   leftnexthop=1.2.3.1
   right=9.8.7.6
   rightsubnet=192.168.1.0/24
   authby=secret
   auto=start
# left net <-> the right gateway itself
conn lnet-rserver
   left=1.2.3.4
   leftsubnet=172.27.27.0/24
   leftnexthop=1.2.3.1
   right=9.8.7.6
   authby=secret
   auto=start
# gateway <-> gateway (host-to-host)
conn rserver-lserver
   left=1.2.3.4
   leftnexthop=1.2.3.1
   right=9.8.7.6
   authby=secret
   auto=start

> i'm kind of a n00b at
> this stuff, so i was amazed i actually got this far. but does anyone
> know what i have to do to have a fully functional bidirectional vpn? or
> is my setup just, well, plain stupid?? :-) it must be noted that in the
> future it is likely that more parties will have to connect to this
> server via an extra vpn.

Setting up multiple tunnels with [free|openswan] is no biggie once you
get it working. I've got a single server with 45-50 tunnels running and
it doesn't break a sweat. With multiple tunnels I suggest looking at
using certificates or RSA keys for the connections. Easier than setting
up individual secrets and really necessary for connecting endpoints with
dynamic IPs.

-- 

/phil
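The selector mismatch described in the reply above (a packet sourced from 1.2.3.4 is not inside leftsubnet=172.27.27.0/24, so it never enters the single net-to-net conn and leaves in the clear), as an added example that is not part of this thread and is not FreeS/WAN code: a small Python model that parses conn blocks, works out each conn's traffic selectors, and shows which of the classic four conns would carry a given packet. The function names, the /32 host-selector convention, and the packet pairs checked are assumptions for illustration.

```python
# Added example, not from the original mail: a toy model of how an IPsec
# policy picks a tunnel by source/destination selector, using the thread's
# addresses. It does not drive FreeS/WAN and parses only the keys shown here.
import ipaddress
# The poster's single net-to-net conn, as quoted in the mail.
SINGLE_CONN = """\
conn foo-bar
  left=1.2.3.4
  leftsubnet=172.27.27.0/24
  leftnexthop=1.2.3.1
  right=9.8.7.6
  rightsubnet=192.168.1.0/24
  authby=secret
  auto=start
"""

def parse_conns(text):
    """Parse 'conn NAME' blocks with indented key=value lines into a dict."""
    conns, current = {}, None
    for line in text.splitlines():
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current and "=" in line:
            key, _, value = line.strip().partition("=")
            conns[current][key.strip()] = value.strip()
    return conns

def selectors(conn):
    """Traffic selectors: the *subnet if given, else the endpoint host itself."""
    left = conn.get("leftsubnet", conn["left"] + "/32")
    right = conn.get("rightsubnet", conn["right"] + "/32")
    return ipaddress.ip_network(left), ipaddress.ip_network(right)

def tunnel_for(conns, src, dst):
    """First conn whose selectors cover src -> dst; None means it leaves in the clear."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, conn in conns.items():
        left, right = selectors(conn)
        if src in left and dst in right:
            return name
    return None

def classic_four(conn):
    """Classic four conns (net-net, net-host, host-net, host-host) from one net-to-net conn."""
    variants = (("rnet-lnet", ()), ("rnet-lserver", ("leftsubnet",)),
                ("lnet-rserver", ("rightsubnet",)),
                ("rserver-lserver", ("leftsubnet", "rightsubnet")))
    return {name: {k: v for k, v in conn.items() if k not in drop}
            for name, drop in variants}
```

Run tunnel_for over the single conn and over classic_four(...) to see the 1.2.3.4 -> 192.168.1.33 case go from None to rnet-lserver; a real SPD lookup also orders overlapping policies, which this model ignores.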




