Re: vpn problem..

To: debian-firewall@lists.debian.org
Subject: Re: vpn problem..
From: "R.M. Evers" <debian@abs-ict.com>
Date: Thu, 17 Mar 2005 16:59:10 +0100
Message-id: <[🔎] 1111075151.1773.19.camel@ws2.abs-ict.com>
In-reply-to: <[🔎] 423993CD.1070202@cox.net>
References: <[🔎] 1111054417.9691.4.camel@ws2.abs-ict.com> <[🔎] 423993CD.1070202@cox.net>

phil, thanks for your help.

> So the tunnel is up? You can ping from one side to the other? Have a
> look at the output of 'ipsec look'. Look at the logs on the left side
> server. Is the tunnel really up? You should see entries in
> /var/log/auth.log . Look at logs on the netscreen as well.

yes, the tunnel is up. auth.log shows "IPsec SA established" and the
netscreen logs show the same. i can only use the vpn from right to left
though (behind netscreen -> eth1 ip from debian server). tcpdump clearly
shows ESP packets when i do this.

'ipsec look' looks like this:

  cat: /proc/net/ipsec_spigrp: No such file or directory
  cat: /proc/net/ipsec_eroute: No such file or directory
  grep: /proc/net/ipsec_tncfg: No such file or directory
  sort: open failed: /proc/net/ipsec_spi: No such file or directory
  Destination  Gateway  Genmask        Flags  MSS  Window  irtt  Iface
  0.0.0.0      1.2.3.1  0.0.0.0        UG       0  0          0  eth0
  192.168.1.0  1.2.3.1  255.255.255.0  UG       0  0          0  eth0
  1.2.3.0      0.0.0.0  255.255.255.0  U        0  0          0  eth0

i believe the errors are because of the fact that i'm using the native
linux ipsec stack instead of the kernel-patch-freeswan modules.

>  Are you trying *from* the vpn server? Try connecting from a machine
> that is *behind* the left server.

yes, i'm trying *from* the debian server. there is *no* network behind
the debian server. i'm only trying to accomplish a vpn from the right
network to the debian server so they can connect to each other using
internal IP's. that's why i gave the eth1 NIC an internal IP to fake an
internal network. eth1 is not connected in any way, so maybe that's the
problem..

> your config says send packets from
> 172.27.27.0/24 over the tunnel. When you ping from the debian server,
> it's using the 1.2.3.4 interface, so it's not going thru the tunnel. You
> can tell ping to use the other interface by using 'ping -I eth1
> 192.168.1.x, or connect a box to the eth1 iface and try connecting from
> there.

ok, when i ping from eth1, i get a "bad interface address 'eth1'" error,
probably because eth1 is not connected..

> For freeswan configs, it's pretty normal to use the classic 4 tunnel
> approach to cover all connections.

thanks, didn't know this approach. but i don't think it will help in
this case, since there is no 'real' left subnet :-)

> Setting up multiple tunnels with [free|openswan] is no biggie once you
> get it working. I've got a single server with 45-50 tunnels running and
> it doesn't break a sweat. With multiple tunnels I suggest looking at
> using certificates or RSA keys for the connections. Easier than setting
> up individual secrets and really necessary for connecting endpoints with
> dynamic ip's.
> - --
> 
> /phil

thanks for the tips! if you can think of anything that might help, or
maybe a configuration that better suits my needs, please let me know.

regards,
-rodi.

Reply to:

Follow-Ups:
- Re: vpn problem..
  - From: Phil Dyer <phil.dyer@cox.net>
- Re: vpn problem..
  - From: Phil Dyer <phil.dyer@cox.net>

References:
- vpn problem..
  - From: "R.M. Evers" <debian@abs-ict.com>
- Re: vpn problem..
  - From: Phil Dyer <phil.dyer@cox.net>

Prev by Date: Re: vpn problem..
Next by Date: Re: vpn problem..
Previous by thread: Re: vpn problem..
Next by thread: Re: vpn problem..
Index(es):
- Date
- Thread