Re: vpn problem..
phil, thanks for your help.
> So the tunnel is up? You can ping from one side to the other? Have a
> look at the output of 'ipsec look'. Look at the logs on the left side
> server. Is the tunnel really up? You should see entries in
> /var/log/auth.log . Look at logs on the netscreen as well.
yes, the tunnel is up. auth.log shows "IPsec SA established" and the
netscreen logs show the same. i can only use the vpn from right to left
though (behind netscreen -> eth1 ip from debian server). tcpdump clearly
shows ESP packets when i do this.
'ipsec look' looks like this:
cat: /proc/net/ipsec_spigrp: No such file or directory
cat: /proc/net/ipsec_eroute: No such file or directory
grep: /proc/net/ipsec_tncfg: No such file or directory
sort: open failed: /proc/net/ipsec_spi: No such file or directory
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 1.2.3.1 0.0.0.0 UG 0 0 0 eth0
192.168.1.0 1.2.3.1 255.255.255.0 UG 0 0 0 eth0
1.2.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
i believe the errors are because of the fact that i'm using the native
linux ipsec stack instead of the kernel-patch-freeswan modules.
> Are you trying *from* the vpn server? Try connecting from a machine
> that is *behind* the left server.
yes, i'm trying *from* the debian server. there is *no* network behind
the debian server. i'm only trying to accomplish a vpn from the right
network to the debian server so they can connect to each other using
internal IP's. that's why i gave the eth1 NIC an internal IP to fake an
internal network. eth1 is not connected in any way, so maybe that's the
problem..
> your config says send packets from
> 172.27.27.0/24 over the tunnel. When you ping from the debian server,
> it's using the 1.2.3.4 interface, so it's not going thru the tunnel. You
> can tell ping to use the other interface by using 'ping -I eth1
> 192.168.1.x, or connect a box to the eth1 iface and try connecting from
> there.
ok, when i ping from eth1, i get a "bad interface address 'eth1'" error,
probably because eth1 is not connected..
> For freeswan configs, it's pretty normal to use the classic 4 tunnel
> approach to cover all connections.
thanks, didn't know this approach. but i don't think it will help in
this case, since there is no 'real' left subnet :-)
> Setting up multiple tunnels with [free|openswan] is no biggie once you
> get it working. I've got a single server with 45-50 tunnels running and
> it doesn't break a sweat. With multiple tunnels I suggest looking at
> using certificates or RSA keys for the connections. Easier than setting
> up individual secrets and really necessary for connecting endpoints with
> dynamic ip's.
> - --
>
> /phil
thanks for the tips! if you can think of anything that might help, or
maybe a configuration that better suits my needs, please let me know.
regards,
-rodi.
Reply to: