Help setting up IPSec, host-to-host encrypted, but can't go farther out.

Post by Walter Franci » Sat, 06 Oct 2001 15:49:56



I'm setting up FreeSwan over my wireless connection because WEP is so
insecure.  I'm missing how to do a pretty simple connection between just
my laptop and workstation, but using the workstation as a gateway out
onto the net.  So the secure channel is only needed between the laptop
and workstation to replace the WEP encryption in the wireless card.

Here are some changed relevant parts of my ipsec.conf:

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces="ipsec0=eth1"
....
conn dargon
        # Left security gateway, subnet behind it, next hop toward right.
        left=192.168.1.6
        leftnexthop=
        # Right security gateway, subnet behind it, next hop toward left.
        right=192.168.1.9
        rightnexthop=
        # To authorize this connection, but not actually start it, at startup,
        # uncomment this.
        auto=add

The wireless card in the workstation on this end is eth1, IP is
192.168.1.6.  The other wireless node (my laptop, dargon) is
192.168.1.9.  I have the same setup on it, with left and right
information reversed, etc.  The interfaces setting on that box is eth0,
the interface of the wireless card.

I installed FreeSwan from source (kernel patching, etc.), rebooted,
ipsec0 shows, etc.; it seems to be installed okay.  I put KEY entries in
my DNS from the ipsec showhostkey output on each machine.  Starting ipsec
auto --up psi from the laptop creates a nice secure channel between it
and the workstation, but I can't get out from there.  I've tried all
sorts of silliness with routes on the laptop and workstation, but
connections other than to the workstation go nowhere.

Do I have to add some hops in the config file even though the next hop
is *not* an encrypted one, or have I missed something?

--
Walter Francis
http://theblackmoor.net                  Powered by Red Hat Linux 7.0

 
 
 


Post by Dean Thompso » Sat, 06 Oct 2001 16:21:15


Hi!,

> I'm setting up FreeSwan over my wireless connection because WEP is so
> insecure.  I'm missing how to do a pretty simple connection between just
> my laptop and workstation, but using the workstation as a gateway out
> onto the net.  So the secure channel is only needed between the laptop
> and workstation to replace the WEP encryption in the wireless card.

> Here are some changed relevant parts of my ipsec.conf:

> # basic configuration
> config setup
>         # THIS SETTING MUST BE CORRECT or almost nothing will work;
>         # %defaultroute is okay for most simple cases.
>         interfaces="ipsec0=eth1"
> ....
> conn dargon
>         # Left security gateway, subnet behind it, next hop toward right.
>         left=192.168.1.6
>         leftnexthop=
>         # Right security gateway, subnet behind it, next hop toward left.
>         right=192.168.1.9
>         rightnexthop=
>         # To authorize this connection, but not actually start it, at startup,
>         # uncomment this.
>         auto=add

> The wireless card in the workstation on this end is eth1, IP is
> 192.168.1.6.  The other wireless node (my laptop, dargon) is
> 192.168.1.9.  I have the same setup on it, with left and right
> information reversed, etc.  The interfaces setting on that box is eth0,
> the interface of the wireless card.

> I installed FreeSwan from source (kernel patching, etc.), rebooted,
> ipsec0 shows, etc.; it seems to be installed okay.  I put KEY entries in
> my DNS from the ipsec showhostkey output on each machine.  Starting ipsec
> auto --up psi from the laptop creates a nice secure channel between it
> and the workstation, but I can't get out from there.  I've tried all
> sorts of silliness with routes on the laptop and workstation, but
> connections other than to the workstation go nowhere.

> Do I have to add some hops in the config file even though the next hop
> is *not* an encrypted one, or have I missed something?

Have you taken a look at some of the scenarios which exist on the web page:
                        http://jixen.tripod.com/

See ya

Dean Thompson

--
+____________________________+____________________________________________+

| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+

 
 
 


Post by Walter Franci » Sat, 06 Oct 2001 18:05:50



> Have you taken a look at some of the scenarios which exist on the web page:
>                         http://jixen.tripod.com/

Yes, I did, but it doesn't seem to cover (at least as far as I understand it) my
scenario, which can't be that rare!  Perhaps a crude ASCII drawing will
help explain my need.

192.168.1.9=======192.168.1.6--------192.168.0.5---internet
 ________        _____________        ________     __________
|        |      |             |      |        |   |          |
| laptop |======| workstation |------| server |---| internet |
|________|      |_____________|      |________|   |__________|

==== is an IPSEC secured connection while ----- is an unencrypted
connection.

Tinkering with the subnet settings, I was able to flip-flop the subnet I
was able to hit, either 192.168.1.0 or 192.168.0.0.  Right now
(without IPSEC) my routes are going through 192.168.1.6 on eth0 as the
default gateway, and that gateway forwards packets to the server, which
forwards them on, etc.  But I can't figure out how to set up IPSEC
so that the workstation passes packets on to the server (or through it
to the internet) when it receives them from the laptop, like a normal
packet.

Is it simply a route I need to add on the workstation, or something in
IPSEC?

To condense the problem: using IPSEC I can connect to the workstation
with one configuration, or I can connect to the server with the other,
but with neither configuration can I get past the server onto the
internet.  It's all rather confusing.

--
Walter Francis
http://theblackmoor.net                  Powered by Red Hat Linux 7.0

 
 
 


Post by Dean Thompso » Sat, 06 Oct 2001 22:14:08


Hi!,


> 192.168.1.9=======192.168.1.6--------192.168.0.5---internet
>  ________        _____________        ________     __________
> |        |      |             |      |        |   |          |
> | laptop |======| workstation |------| server |---| internet |
> |________|      |_____________|      |________|   |__________|

> ==== is an IPSEC secured connection while ----- is an unencrypted
> connection.

> Tinkering with the subnet settings I was able to flip-flop the subnet I
> was able to hit, either 192.168.1.0 or 192.168.0.0.  Like right now
> (without IPSEC) my routes are going through 192.168.1.6 on eth0 as a
> default gateway, and that gw forwards packets to the server which
> forwards them on, etc, etc..  but I can't figure out how to set up IPSEC
> to pass off the packets to the workstation when it receives them from
> the laptop to go on to the server, or through it to the internet, etc,
> like a normal packet.

> Is it simply a route I need to add on the workstation, or something in
> IPSEC?

Okay, I presume you have IP forwarding enabled on all the machines which are
forwarding packets.  In this case, that would be the workstation and the server
machine.  Additionally, in some cases there would also be a need to MASQ the
packets, which I presume is handled by the server which connects to the
workstation.

It does sound like a routing problem.  If you issue a traceroute you should
see how far the packet goes before it gets stuck.  The first thing would be to
ensure that the default gateway for the laptop points to the workstation
(ipsec should take care of this one), that a default route exists on the
workstation to point all traffic to the server, and that the server points to the
internet.  It is also important to make sure that there are route entries for
the way back.  You might have your packets flowing one way in your network but
not back again.

Is it possible to see the routing tables of the workstation and server, and
possibly any IP masq'ing/forwarding chains that you have in place to MASQ the
traffic?

See Ya

Dean Thompson

--
+____________________________+____________________________________________+

| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+
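Dean's checklist above (forwarding on at each hop, default routes pointing toward the server, and a route for the way back) can be walked through on paper. What follows is an added example, not code from any post in this thread: a small Python model of the three hosts' routing tables, constructed from Walter's diagram, with a longest-prefix lookup and a hop-by-hop trace that reports where a packet stops. The workstation's address on the 192.168.0.0 segment (192.168.0.6) and the server's upstream gateway (203.0.113.1) are assumed placeholders, and the IPsec link is modelled as an ordinary hop between laptop and workstation.

```python
import ipaddress
from copy import deepcopy

# RFC 1918 space; all three LAN segments in the thread live here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


# Constructed routing tables, one per host in the diagram, as
# (destination, gateway, interface); gateway None means directly connected.
# 192.168.0.6 (workstation's second address) and 203.0.113.1 (the server's
# upstream gateway) are assumed placeholders, not values from the thread.
ROUTES = {
    "laptop": [
        ("192.168.1.0/24", None, "eth0"),
        ("0.0.0.0/0", "192.168.1.6", "eth0"),
    ],
    "workstation": [
        ("192.168.1.0/24", None, "eth1"),
        ("192.168.0.0/24", None, "eth0"),
        ("0.0.0.0/0", "192.168.0.5", "eth0"),
    ],
    "server": [
        ("192.168.0.0/24", None, "eth0"),
        ("0.0.0.0/0", "203.0.113.1", "ppp0"),
        # Deliberately missing: the route back to 192.168.1.0/24 via the workstation.
    ],
}

# Which host owns which address (from the diagram plus the assumed 192.168.0.6).
ADDRESSES = {
    "192.168.1.9": "laptop",
    "192.168.1.6": "workstation",
    "192.168.0.6": "workstation",
    "192.168.0.5": "server",
}

# Constructed state of /proc/sys/net/ipv4/ip_forward on each host.
FORWARDING = {"laptop": False, "workstation": True, "server": True}


def lookup(routes, host, dst):
    """Longest-prefix match on one host's table; returns (gateway, iface) or None."""
    best = None
    for net, gw, iface in routes[host]:
        network = ipaddress.ip_network(net)
        if ipaddress.ip_address(dst) in network:
            if best is None or network.prefixlen > best[0].prefixlen:
                best = (network, gw, iface)
    return None if best is None else (best[1], best[2])


def trace(routes, src_host, dst, forwarding=FORWARDING, entered=False, max_hops=8):
    """Follow a packet hop by hop, as traceroute would; returns (path, verdict).
    entered=True means the packet arrived at src_host from outside (a reply),
    so that host must be forwarding rather than originating."""
    path = [src_host]
    host = src_host
    for _ in range(max_hops):
        if ADDRESSES.get(dst) == host:
            return path, "delivered"
        if (host != src_host or entered) and not forwarding[host]:
            return path, "dropped: ip_forward off"
        route = lookup(routes, host, dst)
        if route is None:
            return path, "no route"
        gw, _iface = route
        if gw is None:
            # Directly connected segment: hand the packet to the owner of dst.
            owner = ADDRESSES.get(dst)
            if owner is None:
                return path, "no route"
            host = owner
        elif gw in ADDRESSES:
            host = ADDRESSES[gw]
        else:
            # Next hop is the upstream provider. A LAN destination sent this
            # way is the "flows one way but not back" failure described above.
            path.append("internet")
            return path, ("misrouted upstream" if is_rfc1918(dst) else "forwarded upstream")
        path.append(host)
    return path, "loop"


def round_trip(routes, src_host, src_ip, dst_ip, forwarding=FORWARDING):
    """Send a packet out and check whether the reply can find its way back.
    Returns (outbound verdict, reply verdict)."""
    out_path, out = trace(routes, src_host, dst_ip, forwarding)
    if out != "forwarded upstream":
        return out, "no reply: outbound failed"
    entry = out_path[-2]  # the host that handed the packet to the internet
    _, back = trace(routes, entry, src_ip, forwarding, entered=True)
    return out, back


def with_return_route(routes):
    """Copy of the tables with the server's missing route back to the laptop's segment."""
    fixed = deepcopy(routes)
    fixed["server"].append(("192.168.1.0/24", "192.168.0.6", "eth0"))
    return fixed


if __name__ == "__main__":
    print(round_trip(ROUTES, "laptop", "192.168.1.9", "198.51.100.7"))
    print(round_trip(with_return_route(ROUTES), "laptop", "192.168.1.9", "198.51.100.7"))
```

Run as-is, it first shows the round trip with the server lacking a route to 192.168.1.0/24 (the outbound packet reaches the internet, but the reply follows the server's default route upstream instead of coming back), then the same round trip once that route is added. A traceroute on the live network shows the same thing from the outside; the model just makes the missing return route and a disabled ip_forward visible without sending packets.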

 
 
 


Post by Steve Cowle » Sat, 06 Oct 2001 22:58:58




> > Have you taken a look at some of the scenarios which exist on the web page:
> >                         http://jixen.tripod.com/

> Yes, I did, but it doesn't seem to cover (at least that I understand) my
> scenario, which can't be that rare!  Perhaps a crude ascii drawing will
> help explain my need..

> 192.168.1.9=======192.168.1.6--------192.168.0.5---internet
>  ________        _____________        ________     __________
> |        |      |             |      |        |   |          |
> | laptop |======| workstation |------| server |---| internet |
> |________|      |_____________|      |________|   |__________|

> ==== is an IPSEC secured connection while ----- is an unencrypted
> connection.

> Tinkering with the subnet settings I was able to flip-flop the subnet I
> was able to hit, either 192.168.1.0 or 192.168.0.0.  Like right now
> (without IPSEC) my routes are going through 192.168.1.6 on eth0 as a
> default gateway, and that gw forwards packets to the server which
> forwards them on, etc, etc..  but I can't figure out how to set up IPSEC
> to pass off the packets to the workstation when it receives them from
> the laptop to go on to the server, or through it to the internet, etc,
> like a normal packet.

> Is it simply a route I need to add on the workstation, or something in
> IPSEC?

Personally, I have not yet tried to establish an ipsec tunnel across a
wireless link, so I cannot answer your question directly. But the freeswan
list server has many posts that address the problems (and successes) in
setting up an ipsec tunnel across a wireless link, so maybe one of the
freeswan list server posts will help point out a solution to your problem. I
searched for "wireless". In fact, I would be interested in how you resolve
this problem.

FWIW: For my ipsec based roadwarriors (non wireless), I have to modify the
ipsec _updown script to deal with special routing/firewall issues.

Steve Cowles

 
 
 


Post by Henry_Bart » Sun, 14 Oct 2001 13:43:01



> [...] Perhaps a crude ascii drawing will
> help explain my need..
> 192.168.1.9=======192.168.1.6--------192.168.0.5---internet
>  ________        _____________        ________     __________
> |        |      |             |      |        |   |          |
> | laptop |======| workstation |------| server |---| internet |
> |________|      |_____________|      |________|   |__________|
> ==== is an IPSEC secured connection while ----- is an unencrypted
> connection.

    Did you have this working before you tried the IPsec connection?
    The reason I ask is that I have a similar setting (except that
    I have other hosts on the 192.168.0 segment.) My 'server' is
    running 2.2.17 with ipchains and masquerading. I never could
    get it to route packets to the 192.168.1 segment. I could get
    any other host on that segment to do that (including a Solaris
    host) but between the masquerading and ipchains, I could not
    figure out what would be the right routing. (I did not work too
    hard to resolve this, since I ran a 'junkbuster' proxy on
    'workstation' to allow me to surf the web and I would just telnet
    to 'workstation' for anything I wanted to do from a telnet
    session.)

    I'm *real* interested in your solution, since I'm about to try
    the same thing (IPsec over the Wireless LAN) for exactly the
    same reasons you stated.

> Tinkering with the subnet settings I was able to flip-flop the subnet I
> was able to hit, either 192.168.1.0 or 192.168.0.0.  Like right now
> (without IPSEC) my routes are going through 192.168.1.6 on eth0 as a
> default gateway, and that gw forwards packets to the server which
> forwards them on, etc, etc..  but I can't figure out how to set up IPSEC
> to pass off the packets to the workstation when it receives them from
> the laptop to go on to the server, or through it to the internet, etc,
> like a normal packet.
> Is it simply a route I need to add on the workstation, or something in
> IPSEC?

    I haven't looked into IPsec yet. Does it give you another
    'network device' that you configure as if it was an ethernet
    port? If so, I would think that from the laptop, you would set
    the network configured on the IPsec device as your default
    route. Then AFAIK, all other hosts on the 192.168.0 segment
    have to route through the 'workstation' as a gateway to the 192.168.1
    segment. (I don't recall the exact route statements, but can
    dig them up if necessary.)

    Please someone confirm that what I've described is right (I
    don't want to mislead anyone.) If wrong, please point out what
    *should* be done.

    thanks,
    hank

--
Hank Barta                            White Oak Software Inc.

                Beautiful Sunny Winfield, Illinois

 
 
 


Post by buck » Mon, 15 Oct 2001 14:18:03





>> [...] Perhaps a crude ascii drawing will
>> help explain my need..

>> 192.168.1.9=======192.168.1.6--------192.168.0.5---internet
>>  ________        _____________        ________     __________
>> |        |      |             |      |        |   |          |
>> | laptop |======| workstation |------| server |---| internet |
>> |________|      |_____________|      |________|   |__________|

>> ==== is an IPSEC secured connection while ----- is an unencrypted
>> connection.

>    Did you have this working before you tried the IPsec connection?
>    The reason I ask is that I have a similar setting (except that
>    I have other hosts on the 192.168.0 segment.) My 'server' is
>    running 2.2.17 with ipchains and masquerading. I never could
>    get it to route packets to the 192.168.1 segment. I could get
>    any other host on that segment to do that (including a Solaris
>    host) but between the masquerading and ipchains, I could not
>    figure out what would be the right routing. (I did not work too
>    hard to resolve this, since I ran a 'junkbuster' proxy on
>    'workstation' to allow me to surf the web and I would just telnet
>    to 'workstation' for anything I wanted to do from a telnet
>    session.)

Maybe a look at a solution I just found will help.  Then again, maybe
not...  But I do have a working FreeS/WAN VPN that sees the
192.168.223.0/24 and 192.168.1.0/24 subnets on each side.

Frankly, I'm not sure if enabling an ipchains output rule fixed it or
setting [left|right]firewall=yes did it, but who cares as long as it
works!

Warning:  This is a pair of 'ipsec barf's which are pretty long,
largely because my ipchains rules are, well, MANY.  Be prepared to
print condensed or spend a while reading...  Please don't ask
questions; I don't know any more than you do.  Maybe I'm just more
persistent.  (NOT!  I _had_ to make this work for my customer.)

http://andthatsjazz.org/swan.html

mirrored at  http://www.chsoft.com/swan.html

buck

 
 
 


Post by Dmitr » Thu, 25 Oct 2001 00:48:41


I have a similar setup:

(laptop) 192.168.0.2 ==== (linux + iptables MASQ + IPSEC) 192.168.0.1 : dynamic ppp ----------- internet

ipsec.conf is similar to yours. When pinging the internet from the laptop, tcpdump
shows that packets leave ppp BUT THEY HAVE SOURCE ADDRESS 192.168.0.2! So
masquerading is bypassed with IPSEC enabled. I tried to put
rightsubnet=0.0.0.0/0, that is the internet, but couldn't even initiate the ipsec
connection at all. Please let me know if you get an answer.

Dmitri


> > Have you taken a look at some of the scenarios which exist on the web page:
> >                         http://jixen.tripod.com/

> Yes, I did, but it doesn't seem to cover (at least that I understand) my
> scenario, which can't be that rare!  Perhaps a crude ascii drawing will
> help explain my need..

> 192.168.1.9=======192.168.1.6--------192.168.0.5---internet
>  ________        _____________        ________     __________
> |        |      |             |      |        |   |          |
> | laptop |======| workstation |------| server |---| internet |
> |________|      |_____________|      |________|   |__________|

> ==== is an IPSEC secured connection while ----- is an unencrypted
> connection.

> Tinkering with the subnet settings I was able to flip-flop the subnet I
> was able to hit, either 192.168.1.0 or 192.168.0.0.  Like right now
> (without IPSEC) my routes are going through 192.168.1.6 on eth0 as a
> default gateway, and that gw forwards packets to the server which
> forwards them on, etc, etc..  but I can't figure out how to set up IPSEC
> to pass off the packets to the workstation when it receives them from
> the laptop to go on to the server, or through it to the internet, etc,
> like a normal packet.

> Is it simply a route I need to add on the workstation, or something in
> IPSEC?

> To condense the problem, using IPSEC I can connect to the workstation
> with one configuration, or I can connect to the server with the other,
> but neither configuration can I get past the server onto the
> internet.  It's all rather confusing.

> --
> Walter Francis
> http://theblackmoor.net                  Powered by Red Hat Linux 7.0
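The symptom Dmitri describes, packets on the ppp link still carrying the laptop's 192.168.0.2 source address, is something a capture can be checked for mechanically rather than by eye. The following is an added example, not from any post in this thread: a Python filter over constructed lines in the style of `tcpdump -n` output (made up here; 203.0.113.45 stands in for the dynamic PPP address and 198.51.100.x for internet hosts) that reports every packet leaving the external interface with an unmasqueraded RFC 1918 source address.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 space: any packet with a source here that leaves the external
# link should have been masqueraded first, so seeing one is the defect.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


# Constructed sample in the style of `tcpdump -n -i ppp0`; these lines are
# made up for this example. 203.0.113.45 plays the dynamic PPP address.
SAMPLE = """\
12:00:01.000001 IP 192.168.0.2 > 198.51.100.7: ICMP echo request, id 1, seq 1, length 64
12:00:01.000002 IP 203.0.113.45 > 198.51.100.7: ICMP echo request, id 2, seq 1, length 64
12:00:01.000003 IP 198.51.100.7 > 203.0.113.45: ICMP echo reply, id 2, seq 1, length 64
12:00:01.000004 IP 192.168.0.2.1025 > 198.51.100.9.80: Flags [S], seq 1, win 5840, length 0
12:00:01.000005 not an IP line at all
"""

# timestamp, the literal "IP", then "src > dst:" with optional .port suffixes
LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+):")


def strip_port(token):
    """tcpdump prints TCP/UDP endpoints as a.b.c.d.port; drop the port if present."""
    parts = token.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else token


def find_leaks(text):
    """Return (src, dst) pairs for packets that left the external interface
    bound for a non-RFC 1918 host while still carrying an RFC 1918 source."""
    leaks = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst = strip_port(m.group(1)), strip_port(m.group(2))
        if is_rfc1918(src) and not is_rfc1918(dst):
            leaks.append((src, dst))
    return leaks


def leaks_by_source(text):
    """Count leaked packets per internal source address."""
    return Counter(src for src, _ in find_leaks(text))


if __name__ == "__main__":
    for src, dst in find_leaks(SAMPLE):
        print(f"unmasqueraded: {src} -> {dst}")
    print(dict(leaks_by_source(SAMPLE)))
```

The RFC 1918 test is written out explicitly rather than using `ipaddress.ip_address(...).is_private`, because Python also classes the documentation ranges used for the sample (198.51.100.0/24, 203.0.113.0/24) as private, which would hide the very distinction the check is about. On a real capture, feed the output of `tcpdump -n -i ppp0` into `find_leaks`; a non-empty result means traffic is reaching the external interface without passing through the masquerading rules.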

 
 
 
