Re: vpn problem..
--- Phil Dyer <firstname.lastname@example.org> wrote:
> R.M. Evers said:
> > i'm having some problems implementing a vpn configuration, and i'm
> > hoping you guys could help me out here. we are hosting a debian
> > server for one of our customers, and they need to communicate with
> > server over the internet securely. to accomplish this, i want to
> > a vpn between the debian server and their network. for my test
> > this is what i did:
> > on the left side of the vpn (debian sarge server):
> > - compiled a 2.4.27-8 kernel with the backported KAME IPSec stack
> > crypto modules
> > - installed freeswan and ipsec-tools
> > - this server has two NIC's:
> > * eth0 is connected to the internet, and has an external IP,
> > say 18.104.22.168.
> > * eth1 is _not_ connected, but i assigned an internal IP to it:
> > 172.27.27.1.
> > - setup iptables to accept the esp packets and IKE messages
> > from the right side (22.214.171.124).
> > - configured freeswan for the vpn:
> > --
> > conn foo-bar
> > left=126.96.36.199
> > leftsubnet=172.27.27.0/24
> > leftnexthop=188.8.131.52
> > right=184.108.40.206
> > rightsubnet=192.168.1.0/24
> > authby=secret
> > auto=start
> > --
> > on the right side i set up a simple test network behind a netscreen
> > appliance (220.127.116.11) and configured the vpn.
> I'm not really familiar with netscreens, but they should work just
> with freeswan.
> > now, i can start the vpn and it works when i try to connect from
> > to left (let's say, from 192.168.1.33 to 172.27.27.1). tcpdump shows
> > esp packets, and everything works fine.
> So the tunnel is up? You can ping from one side to the other? Have a
> look at the output of 'ipsec look'. Look at the logs on the left side
> server. Is the tunnel really up? You should see entries in
> /var/log/auth.log . Look at logs on the netscreen as well.
> > now here's the problem: i cannot connect from left to right (i.e.,
> > the debian server to a machine inside the right network). when i
> > the tcpdump when i nmap a machine in the right network
> > (192.168.1.33), i
> > can see packets going from 18.104.22.168 to 192.168.1.33. so it's not
> > travelling the vpn and i don't have a clue why.
> Are you trying *from* the vpn server? Try connecting from a machine
> that is *behind* the left server. your config says send packets from
> 172.27.27.0/24 over the tunnel. When you ping from the debian server,
> it's using the 22.214.171.124 interface, so it's not going thru the tunnel.
> can tell ping to use the other interface by using 'ping -I eth1
> 192.168.1.x, or connect a box to the eth1 iface and try connecting
> For freeswan configs, it's pretty normal to use the classic 4 tunnel
> approach to cover all connections.
> conn rnet-lnet
Yes, this works.
> conn rnet-lserver
route add 126.96.36.199 192.168.1.X
This route will use the rnet-lnet VPN to access the 1.2 address of
the (any) router on that net, should be added on the 188.8.131.52 host. From
there the pkts will be sent *directly* to the correct computer.
> conn lnet-rserver
route add 184.108.40.206 gw 172.27.27.X
Use this on the rserver server.
> conn rserver-lserver
No more routes needed.
> > i'm kind of a n00b at
> > this stuff, so i was amazed i actually got this far. but does anyone
> > know what i have to do to have a fully functional bidirectional vpn?
> > is my setup just, well, plain stupid?? :-) it must be noted that in
> > future it is likely that more parties will have to connect to this
> > server via an extra vpn.
> Setting up multiple tunnels with [free|openswan] is no biggie once you
> get it working. I've got a single server with 45-50 tunnels running
> it doesn't break a sweat. With multiple tunnels I suggest looking at
> using certificates or RSA keys for the connections. Easier than
> up individual secrets and really necessary for connecting endpoints
> dynamic ip's.
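The "classic 4 tunnel approach" Phil mentions, and the reason a packet sourced from the Debian server itself never enters the single subnet-to-subnet conn, can be checked with a small model of the IPsec policy selectors. This is an added example, not code from the thread or from freeswan: it reuses only the addresses in the quoted conn block, assumes the server's external address is the quoted `left=` value (126.96.36.199), and simplifies the kernel's policy lookup to "most specific matching pair of selectors" (freeswan itself installs one eroute per conn and the narrowest one wins, which this approximates).

```python
"""Model of IPsec policy (SPD) selector matching for the tunnels in this thread.

Constructed example using the conn parameters quoted on the list. A conn with
no leftsubnet/rightsubnet covers only the gateway host itself (a /32), so
traffic originating on the gateway needs its own conn to be protected.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

LEFT = "126.96.36.199"          # left=  (Debian server, external address; assumed)
LEFT_NEXTHOP = "188.8.131.52"   # leftnexthop=
LEFT_SUBNET = "172.27.27.0/24"  # leftsubnet= (eth1 side)
RIGHT = "184.108.40.206"        # right= (the netscreen)
RIGHT_SUBNET = "192.168.1.0/24" # rightsubnet=


@dataclass(frozen=True)
class Conn:
    name: str
    left: str
    right: str
    leftsubnet: Optional[str] = None   # None -> the left host itself
    rightsubnet: Optional[str] = None  # None -> the right host itself

    def selectors(self):
        """Traffic selectors as networks; a missing subnet means the gateway /32."""
        lsel = ip_network(self.leftsubnet or f"{self.left}/32")
        rsel = ip_network(self.rightsubnet or f"{self.right}/32")
        return lsel, rsel


def matching_conn(conns: Iterable[Conn], src: str, dst: str) -> Optional[str]:
    """Name of the most specific conn whose selectors cover src->dst in either
    direction, or None when the packet would leave in the clear."""
    s, d = ip_address(src), ip_address(dst)
    best, best_len = None, -1
    for c in conns:
        lsel, rsel = c.selectors()
        if (s in lsel and d in rsel) or (s in rsel and d in lsel):
            specificity = lsel.prefixlen + rsel.prefixlen
            if specificity > best_len:
                best, best_len = c.name, specificity
    return best


# The poster's single conn: subnet-to-subnet only.
SINGLE = [Conn("foo-bar", LEFT, RIGHT, LEFT_SUBNET, RIGHT_SUBNET)]

# The four-tunnel layout Phil names: net<->net, net<->gateway both ways,
# and gateway<->gateway, so every origin/destination pair has a policy.
FOUR = [
    Conn("rnet-lnet", LEFT, RIGHT, LEFT_SUBNET, RIGHT_SUBNET),
    Conn("rnet-lserver", LEFT, RIGHT, None, RIGHT_SUBNET),
    Conn("lnet-rserver", LEFT, RIGHT, LEFT_SUBNET, None),
    Conn("rserver-lserver", LEFT, RIGHT, None, None),
]


def ipsec_conf(conns: Iterable[Conn]) -> str:
    """Render the conns as an ipsec.conf fragment in freeswan syntax, with the
    shared parameters in a %default section (assumed layout, not the poster's file)."""
    lines = [
        "conn %default",
        f"\tleft={LEFT}",
        f"\tleftnexthop={LEFT_NEXTHOP}",
        f"\tright={RIGHT}",
        "\tauthby=secret",
        "\tauto=start",
        "",
    ]
    for c in conns:
        lines.append(f"conn {c.name}")
        if c.leftsubnet:
            lines.append(f"\tleftsubnet={c.leftsubnet}")
        if c.rightsubnet:
            lines.append(f"\trightsubnet={c.rightsubnet}")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    # Right-to-left works with one conn; the server's own traffic does not.
    print(matching_conn(SINGLE, "192.168.1.33", "172.27.27.1"))    # foo-bar
    print(matching_conn(SINGLE, LEFT, "192.168.1.33"))             # None
    print(matching_conn(FOUR, LEFT, "192.168.1.33"))               # rnet-lserver
    print(ipsec_conf(FOUR))
```

Running it with the single conn reproduces the symptom in the thread: a packet from 172.27.27.1 (or from 192.168.1.33 towards it) matches `foo-bar`, but a packet the server sends from its external address to 192.168.1.33 matches nothing and goes out unencrypted, exactly what the poster saw in tcpdump. With the four conns loaded, that same packet is covered by `rnet-lserver`, and `ping -I eth1` works with the single conn only because it moves the source address into leftsubnet.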