
Re: vpn problem..



--- Phil Dyer <phil.dyer@cox.net> wrote:

> 
> R.M. Evers said:
> > i'm having some problems implementing a vpn configuration, and i'm
> > hoping you guys could help me out here. we are hosting a debian sarge
> > server for one of our customers, and they need to communicate with this
> > server over the internet securely. to accomplish this, i want to create
> > a vpn between the debian server and their network. for my test setup,
> > this is what i did:
> > 
> > on the left side of the vpn (debian sarge server):
> > 
> > - compiled a 2.4.27-8 kernel with the backported KAME IPSec stack and
> >   crypto modules
> > - installed freeswan and ipsec-tools
> > - this server has two NIC's:
> >     * eth0 is connected to the internet, and has an external IP, let's
> >       say 1.2.3.4.
> >     * eth1 is _not_ connected, but i assigned an internal IP to it:
> >       172.27.27.1.
> > - setup iptables to accept the esp packets and IKE messages (udp/500)
> >   from the right side (9.8.7.6).
> > - configured freeswan for the vpn:
> >     --
> >     conn foo-bar
> >       left=1.2.3.4
> >       leftsubnet=172.27.27.0/24
> >       leftnexthop=1.2.3.1
> >       right=9.8.7.6
> >       rightsubnet=192.168.1.0/24
> >       authby=secret
> >       auto=start
> >     --
> > 
> > on the right side i set up a simple test network behind a netscreen
> > appliance (9.8.7.6) and configured the vpn.
> 
> I'm not really familiar with netscreens, but they should work just fine
> with freeswan.
> 
> > now, i can start the vpn and it works when i try to connect from right
> > to left (let's say, from 192.168.1.33 to 172.27.27.1). tcpdump shows me
> > esp packets, and everything works fine.
> 
> So the tunnel is up? You can ping from one side to the other? Have a
> look at the output of 'ipsec look'. Look at the logs on the left side
> server. Is the tunnel really up? You should see entries in
> /var/log/auth.log . Look at logs on the netscreen as well.
> 
> > now here's the problem: i cannot connect from left to right (i.e., from
> > the debian server to a machine inside the right network). when i follow
> > the tcpdump when i nmap a machine in the right network (192.168.1.33), i
> > can see packets going from 1.2.3.4 to 192.168.1.33. so it's not
> > travelling the vpn and i don't have a clue why.
> 
> Are you trying *from* the vpn server? Try connecting from a machine
> that is *behind* the left server. Your config says send packets from
> 172.27.27.0/24 over the tunnel. When you ping from the debian server,
> it's using the 1.2.3.4 interface, so it's not going thru the tunnel. You
> can tell ping to use the other interface by using 'ping -I eth1
> 192.168.1.x', or connect a box to the eth1 iface and try connecting from
> there.
> 
> For freeswan configs, it's pretty normal to use the classic 4 tunnel
> approach to cover all connections.
> 
> conn rnet-lnet
>    left=1.2.3.4
>    leftsubnet=172.27.27.0/24
>    leftnexthop=1.2.3.1
>    right=9.8.7.6
>    rightsubnet=192.168.1.0/24
>    authby=secret
>    auto=start
Yes, this works.

> conn rnet-lserver
>    left=1.2.3.4
>    leftnexthop=1.2.3.1
>    right=9.8.7.6
>    rightsubnet=192.168.1.0/24
>    authby=secret
>    auto=start
Instead...
route add 9.8.7.6 gw 192.168.1.X
This route will use the rnet-lnet VPN to access the 1.2 address of
the (any) router on that net, should be added on the 1.2.3.4 host.  From
there the pkts will be sent *directly* to the correct computer.

> conn lnet-rserver
>    leftsubnet=172.27.27.0/24
>    leftnexthop=1.2.3.1
>    right=9.8.7.6
>    authby=secret
>    auto=start
route add 1.2.3.4 gw 172.27.27.X
Use this on the rserver server.

> conn rserver-lserver
>    left=1.2.3.4
>    leftnexthop=1.2.3.1
>    right=9.8.7.6
>    authby=secret
>    auto=start
No more routes needed.

> 
> > i'm kind of a n00b at
> > this stuff, so i was amazed i actually got this far. but does anyone
> > know what i have to do to have a fully functional bidirectional vpn? or
> > is my setup just, well, plain stupid?? :-) it must be noted that in the
> > future it is likely that more parties will have to connect to this
> > server via an extra vpn.
> 
> Setting up multiple tunnels with [free|openswan] is no biggie once you
> get it working. I've got a single server with 45-50 tunnels running and
> it doesn't break a sweat. With multiple tunnels I suggest looking at
> using certificates or RSA keys for the connections. Easier than setting
> up individual secrets and really necessary for connecting endpoints with
> dynamic ip's.
> 
> - --
> 
> /phil
> 
> 

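As an added example (not code from the thread), the Python script below models the traffic selectors of the four conns quoted in Phil's reply and reports which conn, if any, covers a given source/destination pair. It shows why the server's own traffic, sourced from 1.2.3.4, never matched the single rnet-lnet conn while a host on 172.27.27.0/24 did. The left=1.2.3.4 line on lnet-rserver is assumed, since the quoted conn omits it, and keywords that do not affect selectors are left out.

```python
import ipaddress

# Constructed ipsec.conf fragment reduced to the four conns quoted above
# (left= on lnet-rserver is assumed; the quoted conn omits it).
IPSEC_CONF = """
conn rnet-lnet
   left=1.2.3.4
   leftsubnet=172.27.27.0/24
   right=9.8.7.6
   rightsubnet=192.168.1.0/24
conn rnet-lserver
   left=1.2.3.4
   right=9.8.7.6
   rightsubnet=192.168.1.0/24
conn lnet-rserver
   left=1.2.3.4
   leftsubnet=172.27.27.0/24
   right=9.8.7.6
conn rserver-lserver
   left=1.2.3.4
   right=9.8.7.6
"""

def parse_conns(text):
    """Return {conn name: {keyword: value}} for each 'conn' section."""
    conns, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("conn "):
            cur = conns.setdefault(line.split(None, 1)[1], {})
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return conns

def selectors(conn):
    """Left/right traffic selectors; a missing *subnet means the endpoint host itself (/32)."""
    left = ipaddress.ip_network(conn.get("leftsubnet", conn["left"] + "/32"))
    right = ipaddress.ip_network(conn.get("rightsubnet", conn["right"] + "/32"))
    return left, right

def matching_conns(conns, src, dst):
    """Names of conns whose selectors cover an outbound src -> dst packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return sorted(n for n, c in conns.items()
                  if src in selectors(c)[0] and dst in selectors(c)[1])

if __name__ == "__main__":
    conns = parse_conns(IPSEC_CONF)
    print(matching_conns(conns, "1.2.3.4", "192.168.1.33"))      # server itself as source
    print(matching_conns(conns, "172.27.27.1", "192.168.1.33"))  # host behind eth1 as source
```

Drop the three extra conns from IPSEC_CONF and the first lookup returns an empty list, which is exactly the poster's symptom: cleartext packets from 1.2.3.4 with no tunnel to carry them.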