[Please Help Me] FreeS/WAN Question (I have had a nervous breakdown..)
Hello List:
I'm trying to get FreeS/WAN working, so far without success.
I have already been trying for 5 days!!!!!! and I have surveyed many, many websites about FreeS/WAN.....
but my FreeS/WAN is still NOT working NOW ........
My questions are:
1. Does FreeS/WAN need iptables or ipchains to forward IPsec packets???
2. I don't have any FQDN on my FreeS/WAN server!!!! Does that matter???
3. I patched my 2.4.18 kernel for the IPsec option!!!! However, do I still need other kernel options (like: Networking options ---> <*> IP: tunneling)?
4. I "THINK" my ipsec.conf is correct, so that IPsec has connected between the Left FreeS/WAN and Right FreeS/WAN servers.
My VPN Environment :
++++ HomeVPN Server ++++++++++++++++++++            ++++ School VPN Server +++++++++++++++++
+ 192.168.10.254 ---- 61.220.72.227    +............+ 61.228.14.226 ---- 192.168.8.66    +
+++++++++++++++++++++++++++++++++++++++++            +++++++++++++++++++++++++++++++++++++++++
        |                                                    |
++++ ClientA +++++++                                 ++++ ClientB +++++++
+ 192.168.10.222  +                                 + 192.168.8.200   +
++++++++++++++++++++                                 ++++++++++++++++++++
========================================
Home VPN Server :
eth0 => Public IP : 61.220.72.227
eth1 => Private IP : 192.168.10.254
School VPN Server :
ppp0 => Public IP : 61.228.14.226
eth1 => Private IP : 192.168.8.99
ClientA : 192.168.10.222
ClientB : 192.168.8.200
My ISP gateway is 61.220.72.254 on the LEFT
My school gateway is 61.231.216.254 on the RIGHT
=========================================
#####My /etc/ipsec.conf#######
# Parameter lines inside a section must be indented; a line that starts
# in column 1 begins a new section.
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig

conn axahome-vpn2
        leftid=@navigation.idv.tw
        leftrsasigkey=0sAQN9shuGWaYnFj.............==
        left=61.220.72.227
        leftsubnet=192.168.10.0/24
        leftnexthop=61.220.72.254
        rightid=@vpn2.hinet.dail
        rightrsasigkey=0sAQNzY2gAwdeDde...........==
        right=61.228.14.226
        rightsubnet=192.168.8.0/24
        rightnexthop=61.231.216.254
        auto=start
======================================
When I type "ipsec whack --status" on Home-VPN-Server and School-VPN-Server, the result is as follows:
#####Home-VPN-Server######
axanet:/etc# ipsec whack --status
000 interface ipsec0/eth0 61.220.72.227
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1
000
000 "axahome-vpn2": 192.168.10.0/24===61.220.72.227[@navigation.idv.tw]---61.220.72.254...61.231.216.254---61.228.14.226[@vpn2.hinet.dail]===192.168.8.0/24
000 "axahome-vpn2": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "axahome-vpn2": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0; erouted
000 "axahome-vpn2": newest ISAKMP SA: #4; newest IPsec SA: #2; eroute owner: #2
000 "axahome-vpn2": ESP algorithms wanted: 3/000-1/000, 3/000-2/000,
000 "axahome-vpn2": ESP algorithms loaded: 3/168-1/128, 3/168-2/160,
000
000 #3: "axahome-vpn2" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 273s
000 #2: "axahome-vpn2" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 22369s; newest IPSEC; eroute owner
000 #2: "axahome-vpn2" esp.49654542@61.228.14.226 esp.b4eec260@61.220.72.227 tun.1002@61.228.14.226 tun.1001@61.220.72.227
000 #4: "axahome-vpn2" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2165s; newest ISAKMP
#####School-VPN-Server#####
vpn2:~# ipsec whack --status
000 interface ipsec0/ppp0 61.228.14.226
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1
000
000 "axahome-vpn2": 192.168.8.0/24===61.228.14.226[@vpn2.hinet.dail]---61.231.216.254...61.220.72.254---61.220.72.227[@navigation.idv.tw]===192.168.10.0/24
000 "axahome-vpn2": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "axahome-vpn2": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: ppp0; erouted
000 "axahome-vpn2": newest ISAKMP SA: #6; newest IPsec SA: #4; eroute owner: #4
000 "axahome-vpn2": ESP algorithms wanted: 3/000-1/000, 3/000-2/000,
000 "axahome-vpn2": ESP algorithms loaded: 3/168-1/128, 3/168-2/160,
000
000 #5: "axahome-vpn2" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 56s
000 #4: "axahome-vpn2" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 22424s; newest IPSEC; eroute owner
000 #4: "axahome-vpn2" esp.b4eec260@61.220.72.227 esp.49654542@61.228.14.226 tun.1004@61.220.72.227 tun.1003@61.228.14.226
000 #6: "axahome-vpn2" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2584s; newest ISAKMP
000 #2: "axahome-vpn2" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 21866s
000 #2: "axahome-vpn2" esp.13a32d99@61.220.72.227 esp.49654541@61.228.14.226 tun.1002@61.220.72.227 tun.1001@61.228.14.226
===========================================================================
When I type "ipsec look" on Home-VPN-Server and School-VPN-Server, the result is as follows:
######Home-VPN-Server######
axanet:/etc# ipsec look
axanet Wed Aug 14 01:47:27 CST 2002
192.168.10.0/24 -> 192.168.8.0/24 => tun0x1002@61.228.14.226 esp0x49654542@61.228.14.226 (0)
ipsec0->eth0 mtu=16260(1500)->1500
esp0x49654542@61.228.14.226 ESP_3DES_HMAC_MD5: dir=out src=61.220.72.227 iv_bits=64bits iv=0xefb5347086538fc6 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(15,0,0)
esp0xb4eec260@61.220.72.227 ESP_3DES_HMAC_MD5: dir=in src=61.228.14.226 iv_bits=64bits iv=0xc7afbffa387d075d ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(15,0,0)
tun0x1001@61.220.72.227 IPIP: dir=in src=61.228.14.226 policy=192.168.8.0/24->192.168.10.0/24 flags=0x8<> life(c,s,h)=addtime(15,0,0)
tun0x1002@61.228.14.226 IPIP: dir=out src=61.220.72.227 life(c,s,h)=addtime(15,0,0)
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         61.220.72.254   0.0.0.0         UG     40 0      0    eth0
192.168.8.0     61.220.72.254   255.255.255.0   UG     40 0      0    ipsec0
61.220.72.0     0.0.0.0         255.255.255.0   U      40 0      0    eth0
61.220.72.0     0.0.0.0         255.255.255.0   U      40 0      0    ipsec0
#####School-VPN-Server#####
vpn2:/# ipsec look
vpn2 Wed Aug 14 01:50:11 CST 2002
192.168.8.0/24 -> 192.168.10.0/24 => tun0x1004@61.220.72.227 esp0xb4eec260@61.220.72.227 (0)
ipsec0->ppp0 mtu=16260(1492)->1492
esp0x13a32d99@61.220.72.227 ESP_3DES_HMAC_MD5: dir=out src=61.228.14.226 iv_bits=64bits iv=0x0e71780ff5cba10a ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(15114,0,0)
esp0x49654541@61.228.14.226 ESP_3DES_HMAC_MD5: dir=in src=61.220.72.227 iv_bits=64bits iv=0x536166d476f7744c ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(15114,0,0)
esp0x49654542@61.228.14.226 ESP_3DES_HMAC_MD5: dir=in src=61.220.72.227 iv_bits=64bits iv=0xf8a89acee79c0767 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(15369,0,0)
esp0xb4eec260@61.220.72.227 ESP_3DES_HMAC_MD5: dir=out src=61.228.14.226 iv_bits=64bits iv=0xe2aae253f39ac516 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(15369,0,0)
tun0x1001@61.228.14.226 IPIP: dir=in src=61.220.72.227 policy=192.168.10.0/24->192.168.8.0/24 flags=0x8<> life(c,s,h)=addtime(15114,0,0)
tun0x1002@61.220.72.227 IPIP: dir=out src=61.228.14.226 life(c,s,h)=addtime(15114,0,0)
tun0x1003@61.228.14.226 IPIP: dir=in src=61.220.72.227 policy=192.168.10.0/24->192.168.8.0/24 flags=0x8<> life(c,s,h)=addtime(15369,0,0)
tun0x1004@61.220.72.227 IPIP: dir=out src=61.228.14.226 life(c,s,h)=addtime(15369,0,0)
Destination     Gateway         Genmask           Flags MSS Window irtt Iface
0.0.0.0         61.231.216.254  0.0.0.0           UG     40 0      0    ppp0
192.168.10.0    61.231.216.254  255.255.255.0     UG     40 0      0    ipsec0
61.231.216.254  0.0.0.0         255.255.255.255   UH     40 0      0    ipsec0
61.231.216.254  0.0.0.0         255.255.255.255   UH     40 0      0    ppp0
Everything is smooth! No errors show up when I type "ipsec whack --status" and "ipsec look".
BUT!!!!!! BUT when I use SSH to connect from 192.168.10.222 to 192.168.8.200!!!!! IT IS NOT WORKING!!!!!
I don't know why?! because no error or warning shows up!!!! and no ERROR is recorded in /var/log/syslog or /var/log/auth,
so I CANNOT debug it......
Anyone got ideas as to the nature/solution of this problem? y_y
Oooo my God!!!! Please, please help me.....
--
Trust & Unique ...
Axacheng's PGP Public Key http://www.navigation.idv.tw/pgpkey
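Added example, not from the post or from FreeS/WAN itself: a small Python cross-check of the two `ipsec look` dumps quoted above. It parses constructed excerpts of that output and verifies that each gateway's eroute uses an outbound SPI the peer holds inbound, and that the remote subnet is routed out ipsec0 rather than the raw interface; it also lists SAs that no eroute references (the school side still carries the pair from its earlier negotiation). For the data in the post it reports no problem, which moves the debugging to IP forwarding, firewall/NAT rules on the gateways and the clients' default routes rather than the SAs.

```python
import re
# Constructed excerpts of the two `ipsec look` dumps quoted above: eroute, ESP SAs, remote-subnet route.
HOME_LOOK = """\
192.168.10.0/24 -> 192.168.8.0/24 => tun0x1002@61.228.14.226 esp0x49654542@61.228.14.226 (0)
esp0x49654542@61.228.14.226 ESP_3DES_HMAC_MD5: dir=out src=61.220.72.227
esp0xb4eec260@61.220.72.227 ESP_3DES_HMAC_MD5: dir=in src=61.228.14.226
192.168.8.0 61.220.72.254 255.255.255.0 UG 40 0 0 ipsec0
"""
SCHOOL_LOOK = """\
192.168.8.0/24 -> 192.168.10.0/24 => tun0x1004@61.220.72.227 esp0xb4eec260@61.220.72.227 (0)
esp0x13a32d99@61.220.72.227 ESP_3DES_HMAC_MD5: dir=out src=61.228.14.226
esp0x49654541@61.228.14.226 ESP_3DES_HMAC_MD5: dir=in src=61.220.72.227
esp0x49654542@61.228.14.226 ESP_3DES_HMAC_MD5: dir=in src=61.220.72.227
esp0xb4eec260@61.220.72.227 ESP_3DES_HMAC_MD5: dir=out src=61.228.14.226
192.168.10.0 61.231.216.254 255.255.255.0 UG 40 0 0 ipsec0
"""
EROUTE = re.compile(r"^(\S+) -> (\S+) => tun0x\w+@\S+ (esp0x[0-9a-f]+@\S+) ")
SA = re.compile(r"^(esp0x[0-9a-f]+@\S+) \S+: dir=(in|out) ")
ROUTE = re.compile(r"^(\d+(?:\.\d+){3}) \S+ \S+ \S+ \d+ \d+ \d+ (\S+)$")

def parse_look(text):
    eroutes, sas, routes = {}, {}, {}  # (src, dst) -> outbound SA; SA -> dir; network -> iface
    for line in text.splitlines():
        if m := EROUTE.match(line):
            eroutes[(m[1], m[2])] = m[3]
        elif m := SA.match(line):
            sas[m[1]] = m[2]
        elif m := ROUTE.match(line):
            routes[m[1]] = m[2]
    return eroutes, sas, routes

def check_side(local, local_net, peer, peer_net):
    """One direction: the eroute's outbound SA must be inbound on the peer, and the peer subnet must go via ipsec0."""
    eroutes, sas, routes = local
    sa, problems = eroutes.get((local_net, peer_net)), []
    if sa is None:
        problems.append(f"no eroute {local_net}->{peer_net}")
    elif sas.get(sa) != "out" or peer[1].get(sa) != "in":
        problems.append(f"SPI mismatch on {sa} (need dir=out here, dir=in on peer)")
    if routes.get(peer_net.split("/")[0]) != "ipsec0":
        problems.append(f"{peer_net} is not routed via ipsec0")
    return problems, sa

def check_tunnel(a_look, a_net, b_look, b_net):
    a, b = parse_look(a_look), parse_look(b_look)
    pa, sa_a = check_side(a, a_net, b, b_net)
    pb, sa_b = check_side(b, b_net, a, a_net)
    stale = sorted(s for s in {**a[1], **b[1]} if s not in (sa_a, sa_b))  # SAs no eroute uses (old rekeys)
    return pa + pb, stale
```

Run it against fresh `ipsec look` output from both gateways after any change; the route check is the one that usually fails when the remote subnet has been pointed at eth0/ppp0 by hand.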