Re: FreeS/WAN on PPPOE
On Wednesday, 26 February 2003 19:49, Curtis Vaughan wrote:
> Our DSL connection is through a PPPoE connection, unfortunately. Although
> setting up multiple VPNs has generally been no problem, this time for
> this office it has been a pain. The only reason we can think of now is
> because this is the first time we've dealt with a PPPoE connection. Has
> anyone experienced similar problems? If so, were you able to overcome
> it? Or, perhaps this isn't the problem at all.
Hi,
we connect several branch offices to our main office using freeswan. That
causes no problems at all. But maybe your PPPoE lines are not comparable to
ours in Germany. We have PPPoE on ADSL lines (768 - 1500 Kbit/s down, 128 - 192
Kbit/s up) with dynamic IP addresses. Our main office has a 2 Mbit leased line
with permanent IP addresses. We run freeswan on woody and on potato. On
woody we are using the woody package (freeswan 1.96); on potato we got
freeswan directly from freeswan.org and compiled it ourselves (I think it's
1.92).
Before going to IPsec: PPPoE has smaller usable packet sizes. Are you able to get
big packets (without VPN) over your PPPoE line at all?
Now IPsec: maybe you should set up your PPPoE "ipsec.conf" with
%defaultroute - if you don't already have it like that.
Have a look at some parts of our ipsec.conf:
(left = branch office / right = main office)
Part of ipsec.conf on a PPPoE gateway:
-----------------------------------------------
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
# defaults for subsequent connection descriptions
conn %default
        keyingtries=0
        disablearrivalcheck=no
        compress=yes
        authby=rsasig
        auto=start
conn vh.n-lz.n
        leftsubnet=192.168.193.0/24
        rightsubnet=193.158.106.0/24
        also=vh.gw-lz.gw
conn vh.gw-lz.n
        rightsubnet=193.158.106.0/24
        also=vh.gw-lz.gw
conn vh.n-lz.gw
        leftsubnet=192.168.193.0/24
        also=vh.gw-lz.gw
# "also" section:
conn vh.gw-lz.gw
        left=%defaultroute
        leftid=@baum-vh-fw1.baum.de
        right=193.158.106.2
        rightid=@vpngw-lz.baum.de
        rightnexthop=193.158.106.1
        leftrsasigkey=0x0103bae5...
        rightrsasigkey=0x0103ad9...
--------
Part of ipsec.conf on the central gateway:
------------------------------------------------
# basic configuration
config setup
        interfaces="ipsec0=eth0"
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
# defaults for subsequent connection descriptions
conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=1
        compress=yes
        right=193.158.106.2
        rightid=@vpngw-lz.baum.de
        rightnexthop=193.158.106.1
        authby=rsasig
        rightrsasigkey=0x0103a.....
        auto=add
#
# Baum-vh-fw1
#
conn vh.n-lz.n
        leftsubnet=192.168.193.0/24
        rightsubnet=193.158.106.0/24
        also=vh.gw-lz.gw
conn vh.gw-lz.n
        rightsubnet=193.158.106.0/24
        also=vh.gw-lz.gw
conn vh.n-lz.gw
        leftsubnet=192.168.193.0/24
        also=vh.gw-lz.gw
# "also" section for vh:
conn vh.gw-lz.gw
        left=%any
        leftid=@baum-vh-fw1.baum.de
        leftrsasigkey=0x0103...
-------
I hope this will help you. If not, you'll at least need to post your
ipsec.conf parts with the general section (cut your keys out) for the
problematic connection.
Maybe you could show the output of "ipsec barf" from both sites after trying
to get a connection. (That's about >>100K per site...)
You could also have a look at freeswan.org. They have two sites with archives
of their mailing lists. (Maybe that would be the best way to get your
freeswan problem solved.)
Willi
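An added example, not part of Willi's post and not FreeS/WAN's own code: a small resolver for the "conn %default" and "also=" inheritance used in both ipsec.conf fragments above. It expands the vh.n-lz.n tunnel on each end into its effective parameter set and then cross-checks that the branch and central gateways describe the tunnel with the same left/right naming, which is the usual way such a pair of configs goes wrong. The two embedded configs are constructed from the fragments with the RSA keys replaced by placeholders; the precedence order (explicit setting over also= section over %default) is how this example models it.

```python
# Added example (not FreeS/WAN code, not from the post): resolve the
# "conn %default" and "also=" inheritance in two ipsec.conf fragments and
# cross-check that both ends of the tunnel describe it the same way.
# Assumption: precedence is modelled as explicit setting > also= > %default.
# Both configs are constructed from the post's fragments; keys are placeholders.

BRANCH_CONF = """\
config setup
    interfaces=%defaultroute
conn %default
    keyingtries=0
    compress=yes
    authby=rsasig
    auto=start
conn vh.n-lz.n
    leftsubnet=192.168.193.0/24
    rightsubnet=193.158.106.0/24
    also=vh.gw-lz.gw
conn vh.gw-lz.gw
    left=%defaultroute
    leftid=@baum-vh-fw1.baum.de
    right=193.158.106.2
    rightid=@vpngw-lz.baum.de
    rightnexthop=193.158.106.1
    leftrsasigkey=0xPLACEHOLDER_LEFT_KEY
    rightrsasigkey=0xPLACEHOLDER_RIGHT_KEY
"""

CENTRAL_CONF = """\
config setup
    interfaces="ipsec0=eth0"
conn %default
    keyingtries=1
    compress=yes
    right=193.158.106.2
    rightid=@vpngw-lz.baum.de
    rightnexthop=193.158.106.1
    authby=rsasig
    rightrsasigkey=0xPLACEHOLDER_RIGHT_KEY
    auto=add
conn vh.n-lz.n
    leftsubnet=192.168.193.0/24
    rightsubnet=193.158.106.0/24
    also=vh.gw-lz.gw
conn vh.gw-lz.gw
    left=%any
    leftid=@baum-vh-fw1.baum.de
    leftrsasigkey=0xPLACEHOLDER_LEFT_KEY
"""


def parse_sections(text):
    """Return {(kind, name): {param: value}}.  A line starting in column one
    opens a section ("config setup", "conn NAME"); an indented line is a
    parameter of the current section, which is what ipsec.conf(5) requires."""
    sections = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":
            kind, name = raw.split(None, 1)
            current = sections.setdefault((kind, name.strip()), {})
        else:
            if current is None:
                raise ValueError("parameter line before any section: " + raw)
            key, sep, value = raw.strip().partition("=")
            if not sep:
                raise ValueError("malformed parameter line: " + raw)
            current[key.strip()] = value.strip()
    return sections


def resolve_conn(sections, name, _seen=()):
    """Effective parameters of conn NAME: start from 'conn %default', layer the
    also= section on top (recursively, with a cycle guard), then the conn's own
    explicit settings.  The 'also' key itself is consumed, not kept."""
    if name in _seen:
        raise ValueError("also= cycle at " + name)
    own = sections[("conn", name)]
    params = dict(sections.get(("conn", "%default"), {}))
    if "also" in own:
        params.update(resolve_conn(sections, own["also"], _seen + (name,)))
    params.update((k, v) for k, v in own.items() if k != "also")
    return params


# Parameters both ends must agree on verbatim: FreeS/WAN does not swap
# left/right for you, so the same names must mean the same hosts on both ends.
# 'left' itself legitimately differs (%defaultroute on the dynamic-IP branch,
# %any on the central gateway), so it is deliberately not in this list.
SHARED_KEYS = ("leftid", "rightid", "leftsubnet", "rightsubnet", "authby")


def mismatches(end_a, end_b):
    """List (key, value_a, value_b) for every shared parameter that differs."""
    return [(k, end_a.get(k), end_b.get(k)) for k in SHARED_KEYS
            if end_a.get(k) != end_b.get(k)]


if __name__ == "__main__":
    branch = resolve_conn(parse_sections(BRANCH_CONF), "vh.n-lz.n")
    central = resolve_conn(parse_sections(CENTRAL_CONF), "vh.n-lz.n")
    for k in sorted(set(branch) | set(central)):
        print(f"{k:16} branch={branch.get(k)!s:32} central={central.get(k)}")
    print("mismatches:", mismatches(branch, central))
```

Running it prints the fully expanded tunnel on each side; the only differences are the expected ones (left, keyingtries, auto), and the shared-parameter check comes back empty. Changing a subnet on one end makes it show up immediately, which is quicker than reading "ipsec barf" output from both sites.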