[Help] Please help me with a FreeS/WAN question... Thanks
Hello list:
I have tried to implement FreeS/WAN to protect my network, but I ran into some problems.
My network diagram is as follows:
▲Diagram:
## INTERNET ##===== eth1[Home] eth0===============eth0[MIS]eth1===========[Windows2000 road-warrior Clients]
204.204.10.2 192.168.3.33 192.168.3.254 192.168.10.254 (Dynamic IP:192.168.10.X) eg:192.168.10.223
▲Description:
[Home]
OS : Debian Woody
FreeS/WAN : 1.96v
Authentication : X.509
eth0 : 192.168.3.33
eth1 : 204.204.10.2 (Public IP)
[MIS]
OS : Debian Woody
FreeS/WAN : 1.96v
Authentication : X.509
eth0 : 192.168.3.254
eth1 : 192.168.10.254
[Windows2000 road-warrior Clients]
All clients run Windows 2000 SP3 and use dynamic IPs. My testing machine's IP is 192.168.10.223.
▲Configuration
‧All Windows 2000 clients' default gateway is 192.168.10.254
‧All Windows 2000 clients have already established an IPsec tunnel to [MIS]
‧There is already an IPsec tunnel between [MIS] and [Home]
########################################
### [MIS] /etc/ipsec.conf is as follows: ###
########################################
config setup
    interfaces="ipsec0=eth0 ipsec1=eth1"
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

#---- LAN ----#
conn roadwarrior
    also=roadwarrior-net

conn roadwarrior-net
    right=%any
    left=192.168.10.235
    leftcert=vpn@lanmu.ezplay.tv.pem
    auto=start
    pfs=yes

#---- MIS TO HOME ----#
conn home
    also=home-mis

conn home-mis
    left=192.168.3.254
    leftcert=vpn@lanmu.ezplay.tv.pem
    right=192.168.3.33
    rightcert=vpn@bala.ezplay.tv.pem
    auto=start
#########################################
### [Home] /etc/ipsec.conf is as follows: ###
#########################################
config setup
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    keyingtries=0
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

#---- HOME TO MIS ----#
conn home
    also=home-mis

conn home-mis
    left=192.168.3.254
    leftcert=vpn@lanmu.ezplay.tv.pem
    right=192.168.3.33
    rightcert=vpn@bala.ezplay.tv.pem
    auto=start
‧No iptables rules filter packets in [Home] or [MIS]!
Just MASQ rules in [MIS], as follows:
###BEGIN--- iptables MASQUERADE rules ###
iptables -t nat -A POSTROUTING -s 192.168.10.0/255.255.248.0 -j MASQUERADE
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s 192.168.10.0/255.255.248.0 -j ACCEPT
iptables -A OUTPUT -d 192.168.10.0/255.255.248.0 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.10.0/255.255.248.0 -j ACCEPT
iptables -A INPUT -s 192.168.3.33 -j ACCEPT
iptables -A OUTPUT -s 192.168.3.33 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.3.33 -j ACCEPT
###END--- iptables MASQUERADE rules ###
▲My Steps:
1. In the [Windows2000 Client], start IPsec. I am very sure Windows 2000 IPsec is working correctly ;)
2. In [MIS], run /etc/init.d/ipsec restart. Then the Windows 2000 client's ping to 192.168.3.254 is OK, but there is no response at all from 192.168.3.33!
Negotiating IP Security
Reply from 192.168.3.254: bytes=32 time=3ms TTL=64
Reply from 192.168.3.254: bytes=32 time=3ms TTL=64
3. In [HOME], run /etc/init.d/ipsec restart to establish the IPsec tunnel between [MIS] and [HOME]. Then
the Windows client's pings to 192.168.3.254 and 192.168.3.33 are both OK!
Negotiating IP Security
Reply from 192.168.3.254: bytes=32 time=3ms TTL=64
Reply from 192.168.3.254: bytes=32 time=3ms TTL=64
Reply from 192.168.3.33: bytes=32 time=3ms TTL=64
Reply from 192.168.3.33: bytes=32 time=3ms TTL=64
4. Using tcpdump to sniff packets on the 192.168.3.254 and 192.168.3.33 interfaces, I do see ESP packets!
5. Using tcpdump to sniff packets on the Windows 2000 client (192.168.10.223), I CAN NOT see any ESP packets!
All packets transferred to [Home] are CLEAR packets -___-
6. Now I restart IPsec again in Windows 2000.
7. However, when I use the ping command to ping 192.168.10.254, I get ESP packets in response!
Unfortunately, I CAN NOT ping 192.168.3.254 [MIS] or 192.168.3.33 [HOME] now... It's very strange... @_____@
▲My Question:
1. How do I let the Windows 2000 clients use the IPsec tunnel to connect to [HOME]?
2. Do I need any patch? A FreeS/WAN patch, or an iptables patch? I am using the official Debian Woody .deb to install FreeS/WAN;
I did not recompile FreeS/WAN from source!
3. Does anyone know where to find a useful document/HOWTO that matches my diagram/environment?
I have already read http://jixen.tripod.com/ and http://www.thing.dyndns.org/debian/wifivpn.htm
4. If you have any questions about my question, please feel free to let me know. I will explain for you... :-)
Very many thanks...
--
Trust & Unique ...
axacheng <axanet@ms32.hinet.net>
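Added example, not from the post or from FreeS/WAN: a Python check that parses FreeS/WAN-style ipsec.conf conn sections, merges %default and also=, and reports which conn's traffic selectors (left/leftsubnet, right/rightsubnet) would cover a given source-to-destination flow. It is run against the [MIS] conns from the post, constructed inline and re-indented; the precedence rule it uses for also= (the including conn's own values win) and the treatment of %any as "any single host" are simplifications.

```python
import ipaddress

# Constructed sample: the relevant [MIS] conns from the post, re-indented (FreeS/WAN
# requires parameter lines to be indented under their "conn" header).
MIS_IPSEC_CONF = """\
conn %default
    authby=rsasig
conn roadwarrior
    also=roadwarrior-net
conn roadwarrior-net
    right=%any
    left=192.168.10.235
conn home-mis
    left=192.168.3.254
    right=192.168.3.33
"""

def parse_ipsec_conf(text):
    """Return {conn: {param: value}} with %default and also= merged in."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():  # unindented: "conn NAME" header
            kind, _, name = line.partition(" ")
            cur = sections.setdefault(name.strip(), {}) if kind == "conn" else None
        elif cur is not None and line.strip():
            key, _, val = line.strip().partition("=")
            cur[key.strip()] = val.strip()
    default, resolved = sections.pop("%default", {}), {}
    for name, params in sections.items():
        merged = dict(default)
        for alias in params.get("also", "").split():  # also= pulls that section in
            merged.update(sections.get(alias, {}))
        merged.update({k: v for k, v in params.items() if k != "also"})
        resolved[name] = merged  # simplification: the including conn's own values win
    return resolved

def selector(params, side):
    """Traffic selector of one side: its subnet if set, else the host, else any."""
    if params.get(side + "subnet"):
        return ipaddress.ip_network(params[side + "subnet"], strict=False)
    host = params.get(side, "")
    if host and not host.startswith("%"):  # %any/%defaultroute: not a fixed host
        return ipaddress.ip_network(host + "/32")
    return ipaddress.ip_network("0.0.0.0/0")

def conns_covering(conf, src, dst):
    """Names of conns whose selectors, in either orientation, cover src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return sorted(n for n, p in conf.items()
                  if (s in selector(p, "left") and d in selector(p, "right"))
                  or (s in selector(p, "right") and d in selector(p, "left")))
```

With the posted selectors the check finds no conn covering 192.168.10.223 -> 192.168.3.33 on [MIS], which is consistent with the clear-text packets observed in step 5; a conn whose selectors do cover the flow (for example one with a leftsubnet) is what makes the check report a match.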