Re: vpn problem..

phil, thanks for your help.

> So the tunnel is up? You can ping from one side to the other? Have a
> look at the output of 'ipsec look'. Look at the logs on the left side
> server. Is the tunnel really up? You should see entries in
> /var/log/auth.log . Look at logs on the netscreen as well.

yes, the tunnel is up. auth.log shows "IPsec SA established" and the
netscreen logs show the same. i can only use the vpn from right to left
though (behind netscreen -> eth1 ip from debian server). tcpdump clearly
shows ESP packets when i do this.

'ipsec look' looks like this:

  cat: /proc/net/ipsec_spigrp: No such file or directory
  cat: /proc/net/ipsec_eroute: No such file or directory
  grep: /proc/net/ipsec_tncfg: No such file or directory
  sort: open failed: /proc/net/ipsec_spi: No such file or directory
  Destination  Gateway  Genmask  Flags  MSS  Window  irtt  Iface
                                 UG     0    0       0     eth0
                                 UG     0    0       0     eth0
                                 U      0    0       0     eth0

i believe the errors are because of the fact that i'm using the native
linux ipsec stack instead of the kernel-patch-freeswan modules.

>  Are you trying *from* the vpn server? Try connecting from a machine
> that is *behind* the left server.

yes, i'm trying *from* the debian server. there is *no* network behind
the debian server. i'm only trying to accomplish a vpn from the right
network to the debian server so they can connect to each other using
internal IP's. that's why i gave the eth1 NIC an internal IP to fake an
internal network. eth1 is not connected in any way, so maybe that's the

> your config says send packets from
> over the tunnel. When you ping from the debian server,
> it's using the interface, so it's not going thru the tunnel. You
> can tell ping to use the other interface by using 'ping -I eth1
> 192.168.1.x', or connect a box to the eth1 iface and try connecting from
> there.

ok, when i ping from eth1, i get a "bad interface address 'eth1'" error,
probably because eth1 is not connected..

> For freeswan configs, it's pretty normal to use the classic 4 tunnel
> approach to cover all connections.

thanks, didn't know this approach. but i don't think it will help in
this case, since there is no 'real' left subnet :-)

> Setting up multiple tunnels with [free|openswan] is no biggie once you
> get it working. I've got a single server with 45-50 tunnels running and
> it doesn't break a sweat. With multiple tunnels I suggest looking at
> using certificates or RSA keys for the connections. Easier than setting
> up individual secrets and really necessary for connecting endpoints with
> dynamic ip's.

thanks for the tips! if you can think of anything that might help, or
maybe a configuration that better suits my needs, please let me know.
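As an added illustration (not from the thread) of the source-interface point phil makes above: a POSIX sh check that takes the 'src' address the kernel picks for a destination, as shown by 'ip route get', and tests whether it lies inside the conn's leftsubnet selector. If it does not, the packets never match the IPsec policy and leave eth0 in the clear, which is exactly what a ping issued on the gateway itself does when eth0 is the only connected interface. The subnet, addresses and route lines below are constructed placeholders.

```shell
# Dotted quad -> 32-bit integer.
ip4_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET/BITS -> exit 0 if ADDR lies within NET/BITS.
in_subnet() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# route_src LINE -> the 'src' address in the first line of 'ip route get' output.
route_src() {
  echo "$1" | sed -n 's/.* src \([0-9.]*\).*/\1/p'
}

# tunnel_selector_check LEFTSUBNET LINE -> 0 if LINE's src matches LEFTSUBNET,
# 1 if the traffic would bypass the tunnel policy, 2 if no src could be parsed.
tunnel_selector_check() {
  src=$(route_src "$2")
  [ -n "$src" ] || { echo "no src address in route output"; return 2; }
  if in_subnet "$src" "$1"; then
    echo "src $src is inside $1: packets match the tunnel policy"
    return 0
  fi
  echo "src $src is outside $1: packets bypass the tunnel (ping -I, or source from $1)"
  return 1
}

# Constructed sample output of 'ip route get 192.168.1.10' on the gateway.
# Addresses are placeholders, not values from the thread.
ROUTE_VIA_ETH0="192.168.1.10 via 203.0.113.1 dev eth0 src 203.0.113.5"
ROUTE_VIA_ETH1="192.168.1.10 dev eth1 src 192.168.1.254"
LEFTSUBNET="192.168.1.0/24"

# Report only; the non-zero return is the diagnosis, not a script failure.
tunnel_selector_check "$LEFTSUBNET" "$ROUTE_VIA_ETH0" || true
tunnel_selector_check "$LEFTSUBNET" "$ROUTE_VIA_ETH1" || true
# Live use: tunnel_selector_check 192.168.1.0/24 "$(ip route get 192.168.1.10 | head -n 1)"
```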
