IPSec: net-to-net config not working

Post by Jare » Fri, 05 Aug 2005 14:56:13



Hi all!

I have a problem with IPSec (kernel 2.6.12, ipsec-tools 5.2).
I'm trying to set up the simplest possible ipsec net-to-net
configuration, and it doesn't want to work.
If I ping from one ipsec host to another ipsec host, it works; I can see
that the tunnel has been established, but with the net-to-net configuration
the ipsec hosts don't even try to establish a tunnel.
The configuration is the simplest one from ipsec-tools.org,
with sainfo anonymous.

best regards
Jarek

 
 
 

IPSec: net-to-net config not working

Post by lassebo » Fri, 05 Aug 2005 16:37:46


hi,

couldn't you give a bit more info?  configs - IPs - the scenario...?

I wonder if you are trying to do something impossible, e.g. pinging from
ipsec-gateway to ipsec-gateway via a tunnel - that won't work AFAIK.

greetings

lasseboo

 
 
 

IPSec: net-to-net config not working

Post by Jare » Fri, 05 Aug 2005 17:38:39



> hi,

> couldn't you give a bit more info?  configs - IPs - the scenario...?

> I wonder if you are trying to do something impossible, e.g. pinging from
> ipsec-gateway to ipsec-gateway via a tunnel - that won't work AFAIK.

Why? It works for me (it requires separate spdadds, which are not included
in this config).

This is my configuration (the part for net-to-net configuration only):

   NET1:192.168.20.0/24
             |
[192.168.20.1:ipsecgateway:192.168.10.2]
             |
[192.168.10.1:ipsecgateway:192.168.1.1]
             |
   NET2:192.168.1.0/24

setkey:
=========================================================
flush;
spdflush;
spdadd 192.168.20.0/24 192.168.1.0/24 any -P out ipsec
         esp/tunnel/192.168.10.2-192.168.10.1/require;
spdadd 192.168.1.0/24 192.168.20.0/24 any -P in ipsec
         esp/tunnel/192.168.10.1-192.168.10.2/require;
spdadd 192.168.20.0/24 192.168.1.0/24 any -P fwd ipsec
         esp/tunnel/192.168.10.2-192.168.10.1/require;
=========================================================
racoon:
=========================================================
path certificate "/var/ssl/certs";
listen {
         isakmp 192.168.10.2;

}

remote 192.168.10.1 {
         exchange_mode main;
         certificate_type x509 "VPN2.cert" "VPN2.pem";
         verify_cert on;
         my_identifier asn1dn;
         peers_identifier asn1dn;
         proposal {
                 encryption_algorithm 3des;
                 hash_algorithm sha1;
                 authentication_method rsasig;
                 dh_group modp1024;
         }
}

sainfo anonymous {
         pfs_group modp768;
         encryption_algorithm 3des;
         authentication_algorithm hmac_md5;
         compression_algorithm deflate;
}

=======================================================
The second side has the opposite IP addresses.
All the settings regarding authorization are OK. But a ping from any
machine in NET1 to NET2, or the opposite, doesn't start the IPSec tunnel (the
ipsec gateways are the default gateways for the machines in those networks).
There is nothing in the logs (even with -v -ddd).
Do I need some additional route settings on the ipsec gateway?

Jarek.
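
An added example, written by the editor and not part of Jarek's post or of ipsec-tools: a generator and a linter for the three SPD entries a Linux 2.6 net-to-net gateway needs. The point it encodes is the orientation of the third entry. On Linux the "fwd" policy is evaluated on packets the gateway receives and is about to forward, which for a site-to-site gateway is the traffic that has just come out of the tunnel from the remote side, so the fwd entry has to be a copy of the "in" entry, not of the "out" entry (this is the convention the ipsec-tools net-to-net example uses). A fwd entry written in the out direction, as in the config above, asks the kernel to require that plaintext packets arriving from the local LAN already came through the tunnel; such packets are dropped silently at the forwarding policy check, before the output policy lookup that would make the kernel request an SA from racoon. That reading of the config above is the editor's diagnosis, not something the thread confirms. The addresses in the usage are the thread's; the assumption of one ESP tunnel per direction and IPv4 endpoints is the editor's.

```shell
#!/bin/sh
# Added example (editor's, not from the thread or ipsec-tools): generate and
# lint the three SPD entries a Linux 2.6 net-to-net gateway needs.
# Assumed: one ESP tunnel per direction, "esp/tunnel/A-B/level" specs,
# IPv4 endpoints (no "-" inside an address), POSIX sh + awk.

# spd_gen LOCAL_NET REMOTE_NET LOCAL_GW REMOTE_GW
# Emit a setkey policy file for one gateway. The "fwd" entry is a copy of the
# "in" entry: on Linux the fwd policy is applied to packets the box receives
# and will forward, i.e. traffic that just came out of the tunnel. A fwd
# entry written in the "out" direction instead demands that plain packets
# arriving from the local LAN already came out of the tunnel; those packets
# are dropped before any SA is requested and racoon never hears about them.
spd_gen() {
    cat <<EOF
flush;
spdflush;
spdadd $1 $2 any -P out ipsec esp/tunnel/$3-$4/require;
spdadd $2 $1 any -P in ipsec esp/tunnel/$4-$3/require;
spdadd $2 $1 any -P fwd ipsec esp/tunnel/$4-$3/require;
EOF
}

# spd_lint FILE
# Exit 0 if every "out" entry has a mirror-image "in" entry and every "fwd"
# entry is a copy of an "in" entry; otherwise print the problem and exit 1.
# Continuation lines are joined before parsing, as setkey itself allows.
spd_lint() {
    grep -v '^[[:space:]]*#' "$1" | tr '\n' ' ' | tr ';' '\n' | awk '
    # mirror(src, dst, spec): the key the opposite direction must carry
    function mirror(src, dst, spec,    p, e) {
        split(spec, p, "/"); split(p[3], e, "-")
        return dst " " src " " p[1] "/" p[2] "/" e[2] "-" e[1] "/" p[4]
    }
    $1 == "spdadd" {
        dir = ""
        for (i = 1; i <= NF; i++) if ($i == "-P") dir = $(i + 1)
        key = $2 " " $3 " " $NF          # src dst esp/tunnel/A-B/level
        if (dir == "out") out[key] = 1
        if (dir == "in")  inb[key] = 1
        if (dir == "fwd") { fwd[key] = 1; nfwd++ }
    }
    END {
        bad = 0
        for (k in out) {
            split(k, f, " ")
            if (!(mirror(f[1], f[2], f[3]) in inb)) {
                print "out entry has no mirror-image in entry: " k; bad = 1
            }
        }
        for (k in fwd) if (!(k in inb)) {
            print "fwd entry is not a copy of an in entry (wrong direction?): " k
            bad = 1
        }
        if (nfwd == 0) { print "no fwd entry: forwarded traffic is not covered"; bad = 1 }
        exit bad
    }'
}
```

On the gateway at 192.168.10.2, `spd_gen 192.168.20.0/24 192.168.1.0/24 192.168.10.2 192.168.10.1 > /etc/ipsec.conf`; on the other gateway the same call with the two networks and the two gateway addresses swapped. Run `spd_lint /etc/ipsec.conf` before `setkey -f /etc/ipsec.conf` loads it; fed the SPD from the post above, the linter reports the fwd entry as not matching any in entry.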

 
 
 

IPSec: net-to-net config not working

Post by Mous » Sat, 13 Aug 2005 21:30:11


Nothing in the logs is bad - it means Racoon hasn't seen even the first
incoming packet. Try checking whether packets are flowing at all via
Ethereal, and see where the "buck stops".

On the other hand, it looks like IPsec is dead, much to my
disappointment. For example, I cannot set up an IPsec pipe between a Win XP
and a Linux machine (both NAT-ted) despite hours of effort - while
SSH works straight out of the box (and is easier to configure). I used to
think that SSL/TLS VPNs were a stupid idea. Now I've learned...




IPSec: net-to-net config not working

Post by M Dase » Tue, 30 Aug 2005 16:33:26




Hello Jarek,
did you solve your problem already?

As you can ping from gateway to gateway and you set up tunnel mode,
everything looks fine ...

Just a stupid question: did you enable IP forwarding in the kernel? I
mean, does the whole setup work if you switch off IPsec entirely (just to
verify)?

-- Martin
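
An added example from the editor, not from any of the posters, turning the two suggestions above (Mous: find where the packet stops; Martin: is forwarding on) into a first-pass check script for the gateway. The reasoning it encodes: racoon only starts IKE when the kernel sends it an ACQUIRE, and the kernel only does that for a packet that survives routing and reaches the output policy lookup. If ip_forward is 0 the LAN packet is dropped earlier; if nothing at all for the peer shows up on the WAN interface while a LAN host pings, the packet died on this box (forwarding, routing or policy) rather than in IKE. Assumed, and not from the thread: ipsec-tools' setkey, iproute2's ip and tcpdump are installed, the interface names are passed in, and the proc file is a parameter so the forwarding check can be exercised without root.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): first-pass checks on a Linux
# 2.6 ipsec-tools gateway when a cross-tunnel ping produces no racoon output
# at all. Assumes setkey, ip and tcpdump are installed; interface names and
# the proc file are parameters so the non-root checks can be tested.

# forwarding_enabled [PROC_FILE]
# True when the kernel forwards between interfaces. Without it a packet from
# the LAN is dropped on the way through and never reaches the output policy
# lookup, so the kernel never sends the ACQUIRE that makes racoon start IKE.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# capture_filter PEER_GW
# BPF filter for the WAN side: the IKE exchange (udp/500) and the ESP that
# should follow it. Nothing matching while a LAN host pings across means the
# packet never got as far as IKE; IKE without ESP means IKE itself fails.
capture_filter() {
    printf 'host %s and (udp port 500 or esp)' "$1"
}

# ipsec_diag WAN_IF LAN_IF PEER_GW REMOTE_NET   (run as root on the gateway)
ipsec_diag() {
    echo "== ip_forward"
    if forwarding_enabled; then echo "enabled"
    else echo "DISABLED: sysctl -w net.ipv4.ip_forward=1"; fi

    echo "== route for the remote net (a route must exist; the tunnel policy"
    echo "   is applied after routing, so 'unreachable' here means no ACQUIRE)"
    ip route get "${4%/*}" || true

    echo "== SPD (expect one out, one in and one fwd entry for the two nets)"
    setkey -DP
    echo "== SAD (stays empty until IKE has completed)"
    setkey -D

    echo "== capturing 20 packets on $1 for peer $3; ping from a $2 host now"
    tcpdump -ni "$1" -c 20 "$(capture_filter "$3")"
}
```

On the gateway from the thread: `ipsec_diag eth1 eth0 192.168.10.1 192.168.1.0/24` with eth1 being the 192.168.10.2 interface; run racoon in the foreground alongside (`racoon -F -ddd -f /etc/racoon/racoon.conf`) so its first ACQUIRE, if it ever arrives, is visible next to the capture.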

 
 
 
