dashnu l33t
Joined: 21 Jul 2004 Posts: 703 Location: Casco Maine
dtmf Tux's lil' helper
Joined: 18 Jan 2005 Posts: 124
Posted: Thu Nov 03, 2005 8:06 pm
How would I go about downgrading or getting the patches? The patches sound like the best option; any help would be great.
dashnu l33t
Joined: 21 Jul 2004 Posts: 703 Location: Casco Maine
Posted: Thu Nov 03, 2005 9:01 pm
If you are not sure how to patch, just do this for now:
Code:
emerge =sys-apps/gawk-3.1.3-r2
_________________ write quit bang
dtmf Tux's lil' helper
Joined: 18 Jan 2005 Posts: 124
Posted: Fri Nov 04, 2005 12:54 am
That worked; now I have a new problem. Not sure how to fix it.
Code:
Nov 3 18:48:42 superserver pluto[30018]: packet from 10.69.69.98:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]
Nov 3 18:48:42 superserver pluto[30018]: packet from 10.69.69.98:500: initial Main Mode message received on 10.69.69.254:500 but no connection has been authorized
Nov 3 18:48:45 superserver pluto[30018]: packet from 10.69.69.98:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]
Nov 3 18:48:45 superserver pluto[30018]: packet from 10.69.69.98:500: initial Main Mode message received on 10.69.69.254:500 but no connection has been authorized
Nov 3 18:48:48 superserver pluto[30018]: packet from 10.69.69.98:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]
Nov 3 18:48:48 superserver pluto[30018]: packet from 10.69.69.98:500: initial Main Mode message received on 10.69.69.254:500 but no connection has been authorized
Nov 3 18:48:51 superserver pluto[30018]: packet from 10.69.69.98:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]
Nov 3 18:48:51 superserver pluto[30018]: packet from 10.69.69.98:500: initial Main Mode message received on 10.69.69.254:500 but no connection has been authorized
Nov 3 18:48:54 superserver pluto[30018]: packet from 10.69.69.98:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]
Nov 3 18:48:54 superserver pluto[30018]: packet from 10.69.69.98:500: initial Main Mode message received on 10.69.69.254:500 but no connection has been authorized
Nov 3 18:48:57 superserver pluto[30018]: packet from 10.69.69.98:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]
Nov 3 18:48:57 superserver pluto[30018]: packet from 10.69.69.98:500: initial Main Mode message received on 10.69.69.254:500 but no connection has been authorized
Nov 3 18:49:00 superserver pluto[30018]: packet from 10.69.69.98:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]
Nov 3 18:49:00 superserver pluto[30018]: packet from 10.69.69.98:500: initial Main Mode message received on 10.69.69.254:500 but no connection has been authorized
Nov 3 18:49:03 superserver pluto[30018]: packet from 10.69.69.98:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]
Nov 3 18:49:03 superserver pluto[30018]: packet from 10.69.69.98:500: initial Main Mode message received on 10.69.69.254:500 but no connection has been authorized
Nov 3 18:49:06 superserver pluto[30018]: packet from 10.69.69.98:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]
Nov 3 18:49:06 superserver pluto[30018]: packet from 10.69.69.98:500: initial Main Mode message received on 10.69.69.254:500 but no connection has been authorized
Nov 3 18:49:09 superserver pluto[30018]: packet from 10.69.69.98:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]
Nov 3 18:49:09 superserver pluto[30018]: packet from 10.69.69.98:500: initial Main Mode message received on 10.69.69.254:500 but no connection has been authorized
Nov 3 18:49:12 superserver pluto[30018]: packet from 10.69.69.98:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]
Nov 3 18:49:12 superserver pluto[30018]: packet from 10.69.69.98:500: initial Main Mode message received on 10.69.69.254:500 but no connection has been authorized
dashnu l33t
Joined: 21 Jul 2004 Posts: 703 Location: Casco Maine
Posted: Tue Nov 08, 2005 3:45 pm
Post your ipsec.conf.
_________________ write quit bang
dtmf Tux's lil' helper
Joined: 18 Jan 2005 Posts: 124
Posted: Wed Nov 09, 2005 1:22 am
Code:
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/openswan-2.2.0/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    overridemtu=1410
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
conn %default
    keyingtries=3
    compress=yes
    disablearrivalcheck=no
    authby=secret
    type=tunnel
    keyexchange=ike
    ikelifetime=240m
    keylife=60m
conn roadwarrior-net
    leftsubnet=192.168.1.0/24
    also=roadwarrior
conn roadwarrior-all
    leftsubnet=0.0.0.0/0
    also=roadwarrior
conn roadwarrior-l2tp
    leftprotoport=17/0
    rightprotoport=17/1701
    also=roadwarrior
conn roadwarrior-l2tp-updatedwin
    leftprotoport=17/1701
    rightprotoport=17/1701
    also=roadwarrior
conn roadwarrior
    pfs=no
    left=%defaultroute
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
Henning Rogge Apprentice
Joined: 20 Sep 2002 Posts: 178
Posted: Wed Nov 09, 2005 12:00 pm
Can I use this documentation without a fixed IP?
dashnu l33t
Joined: 21 Jul 2004 Posts: 703 Location: Casco Maine
Posted: Wed Nov 09, 2005 1:57 pm
Try to take out the following:
Code:
conn roadwarrior-all
    leftsubnet=0.0.0.0/0
    also=roadwarrior
conn roadwarrior-l2tp
    leftprotoport=17/0
    rightprotoport=17/1701
    also=roadwarrior
And in your ipsec.secrets, what are you using for an IP? Your internal or external? Do you have %any?
@ Henning
I assume you have DHCP from your ISP? If so this may work; however, you would need to change the secrets file each time your IP changed. Worth a try anyway.
_________________ write quit bang
dtmf Tux's lil' helper
Joined: 18 Jan 2005 Posts: 124
Posted: Wed Nov 09, 2005 4:35 pm
For the ipsec.secrets file I have
Code:
0.0.0.0 %any: PSK "mysercet"
After I have made the changes it's still giving me the same error in the messages log. Also, when I restart ipsec I get the following:
Code:
* Stopping IPSEC ... ...
ipsec_setup: Stopping Openswan IPsec... [ ok ]
* Starting IPSEC ... ...
ipsec_setup: Starting Openswan IPsec U2.3.1/K2.6.13-gentoo-r5...
ipsec_setup: WARNING: overridemtu= is ignored when using the NETKEY stack [ ok ]
dashnu l33t
Joined: 21 Jul 2004 Posts: 703 Location: Casco Maine
Posted: Wed Nov 09, 2005 5:07 pm
Try your external IP instead of 0.0.0.0.
_________________ write quit bang
dtmf Tux's lil' helper
Joined: 18 Jan 2005 Posts: 124
Posted: Wed Nov 09, 2005 5:23 pm
I tried it with my internal IP address, then tried to connect from inside my network. Still have the same problem.
dashnu l33t
Joined: 21 Jul 2004 Posts: 703 Location: Casco Maine
Posted: Wed Nov 09, 2005 5:28 pm
You can not do that. The virtual_private line says not to allow that. This is needed. You need to test externally.
Code:
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
That says allow those IP ranges except 192.168.1.0/24.
What is your internal net?
_________________ write quit bang
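The rule dashnu describes here can be checked mechanically. The following Python is an added example written for this thread, not code from Openswan or from anyone in the discussion: it parses a virtual_private value (only the %v4: entries; %v6: entries are assumed absent and skipped), reports whether the private address a road warrior presents is permitted, and flags a server LAN that sits inside an allowed range without a "!" carve-out. It generalizes beyond the single line quoted above, for instance to a line that allows 10.0.0.0/8 without excluding a local 10.0.0.0/24.

```python
import ipaddress

# Test inputs copied from the virtual_private lines quoted in this thread.
VP_WITH_EXCLUSION = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24"
VP_WITHOUT_EXCLUSION = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16"


def parse_virtual_private(line):
    """Split an Openswan virtual_private value into (allowed, excluded) IPv4 networks.

    Entries are comma separated; "%v4:" introduces an IPv4 network and a "!"
    right after the selector marks a carve-out.  Only %v4: entries are handled
    (a simplifying assumption of this example); anything else is skipped.
    """
    allowed, excluded = [], []
    for item in line.split(","):
        item = item.strip()
        if not item.startswith("%v4:"):
            continue
        spec = item[len("%v4:"):]
        if spec.startswith("!"):
            excluded.append(ipaddress.ip_network(spec[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(spec, strict=False))
    return allowed, excluded


def client_permitted(line, client_ip):
    """True if a road warrior presenting client_ip as its private address is allowed.

    A "!" entry wins over any allow entry that also covers the address.
    """
    allowed, excluded = parse_virtual_private(line)
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in excluded):
        return False
    return any(ip in net for net in allowed)


def lan_not_excluded(line, server_lan):
    """True when the gateway's own LAN lies inside an allowed range with no "!" carve-out.

    That is the situation dashnu warns about: a road warrior could then present
    an address that collides with hosts on the LAN behind the VPN gateway.
    """
    allowed, excluded = parse_virtual_private(line)
    lan = ipaddress.ip_network(server_lan, strict=False)
    covered = any(lan.subnet_of(net) for net in allowed)
    carved_out = any(lan.subnet_of(net) for net in excluded)
    return covered and not carved_out


if __name__ == "__main__":
    for vp in (VP_WITH_EXCLUSION, VP_WITHOUT_EXCLUSION):
        print(vp)
        print("  client 10.69.69.98 permitted:", client_permitted(vp, "10.69.69.98"))
        print("  client 192.168.1.50 permitted:", client_permitted(vp, "192.168.1.50"))
        print("  LAN 192.168.1.0/24 not excluded:", lan_not_excluded(vp, "192.168.1.0/24"))
```

Run it as a script to see both lines evaluated; a client testing from 192.168.1.x against the first line is refused, which is exactly why the test has to come from outside.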
dtmf Tux's lil' helper
Joined: 18 Jan 2005 Posts: 124
Posted: Wed Nov 09, 2005 6:02 pm
Oh ok. I will have to test then when I am on an internet connection outside of my network. I will let you know how that goes when I do that.
Henning Rogge Apprentice
Joined: 20 Sep 2002 Posts: 178
Posted: Mon Nov 14, 2005 10:56 am
dashnu wrote:
    I assume you have dhcp from your isp? If so this may work however you would need to change the secrets file each time your ip changed.. worth a try anyways.
Not good...
Hmm, I'm using dyndns. Can I place an address like mydns.dyndns.org into my secrets file?
Overpeer Apprentice
Joined: 17 Mar 2004 Posts: 200 Location: Valencia
Posted: Wed Dec 07, 2005 9:36 am
Hi!!
I'm trying to configure a VPN with this great HOWTO.
I have:
|MyWinClient@192.168.15.102|---192.168.15.X/24 ---|Router|---81.202.x.x---|Internet|---80.33.x.x---|Router|---192.168.1.x/24---|GentooBox@192.168.1.88|---10.0.0.0/24(SecureNetwork)
I can connect to the VPN on the Gentoo box from 192.168.1.9 and access the secure net 10.0.0.0 without problems, but... I can't connect from MyWinClient with the same configuration.
I modified the registry value for NAT-T, and set NAT-T in my ipsec.conf. I mapped the ports 500, 4500 and 1701 to my Gentoo box.
Code:
Aug 26 16:41:27 localhost pluto[6722]: packet from 81.202.x.x:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 26 16:41:27 localhost pluto[6722]: packet from 81.202.x.x:500: ignoring Vendor ID payload [FRAGMENTATION]
Aug 26 16:41:27 localhost pluto[6722]: packet from 81.202.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Aug 26 16:41:27 localhost pluto[6722]: packet from 81.202.x.x:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Aug 26 16:41:27 localhost pluto[6722]: "Usuario-VPN"[3] 81.202.x.x #3: responding to Main Mode from unknown peer 81.202.x.x
Aug 26 16:41:27 localhost pluto[6722]: "Usuario-VPN"[3] 81.202.x.x #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 26 16:41:27 localhost pluto[6722]: "Usuario-VPN"[3] 81.202.x.x #3: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 26 16:41:28 localhost pluto[6722]: "Usuario-VPN"[3] 81.202.x.x #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Aug 26 16:41:28 localhost pluto[6722]: "Usuario-VPN"[3] 81.202.x.x #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 26 16:41:28 localhost pluto[6722]: "Usuario-VPN"[3] 81.202.x.x #3: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 26 16:41:29 localhost pluto[6722]: "Usuario-VPN"[3] 81.202.x.x #3: Main mode peer ID is ID_FQDN: '@catarroj-y69axu'
Aug 26 16:41:29 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: deleting connection "Usuario-VPN" instance with peer 81.202.x.x {isakmp=#0/ipsec=#0}
Aug 26 16:41:29 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: I did not send a certificate because I do not have one.
Aug 26 16:41:29 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 26 16:41:29 localhost pluto[6722]: | NAT-T: new mapping 81.202.x.x:500/4500)
Aug 26 16:41:29 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug 26 16:41:29 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: cannot respond to IPsec SA request because no connection is known for 80.33.x.x/32===192.168.1.88:17/1701...81.202.x.x[@catarroj-y69axu]:17/1701
Aug 26 16:41:29 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: sending encrypted notification INVALID_ID_INFORMATION to 81.202.x.x:4500
Aug 26 16:41:30 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x2dbbdb18 (perhaps this is a duplicated packet)
Aug 26 16:41:30 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: sending encrypted notification INVALID_MESSAGE_ID to 81.202.x.x:4500
Aug 26 16:41:32 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x2dbbdb18 (perhaps this is a duplicated packet)
Aug 26 16:41:32 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: sending encrypted notification INVALID_MESSAGE_ID to 81.202.x.x:4500
Aug 26 16:41:36 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x2dbbdb18 (perhaps this is a duplicated packet)
Aug 26 16:41:36 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: sending encrypted notification INVALID_MESSAGE_ID to 81.202.2.36:4500
Aug 26 16:41:45 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x2dbbdb18 (perhaps this is a duplicated packet)
Aug 26 16:41:45 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: sending encrypted notification INVALID_MESSAGE_ID to 81.202.x.x:4500
Aug 26 16:42:01 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x2dbbdb18 (perhaps this is a duplicated packet)
Aug 26 16:42:01 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: sending encrypted notification INVALID_MESSAGE_ID to 81.202.x.x:4500
Aug 26 16:42:33 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: received Delete SA payload: deleting ISAKMP State #3
Aug 26 16:42:33 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x: deleting connection "Usuario-VPN" instance with peer 81.202.x.x {isakmp=#0/ipsec=#0}
Aug 26 16:42:33 localhost pluto[6722]: packet from 81.202.x.x:4500: received and ignored informational message
My ipsec.conf:
Code:
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    nat_traversal=yes
    virtual_private=%v4:182.0.20.0/24,%v4:192.168.1.0/24,%v4:0.0.0.0/0
conn %default
    keyingtries=3
    compress=yes
    disablearrivalcheck=no
    authby=secret
    type=tunnel
    ikelifetime=240m
    keylife=60m
conn Usuario-VPN
    pfs=no
    left=%defaultroute
    leftprotoport=17/1701
    rightprotoport=17/1701
    rightid=0.0.0.0
    #leftid=
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
include /etc/ipsec.d/examples/no_oe.conf
My ipsec.secrets:
Code:
192.168.1.88 %any: PSK "secret1"
192.168.1.88 : PSK "secret2"
%any %any: PSK "secret1"
And my versions:
Code:
sys-apps/gawk-3.1.3-r2
net-misc/openswan-2.4.4
net-dialup/l2tpd-0.70_pre20031121
net-firewall/ipsec-tools-0.6.2-r1
I know that the problem is in the ipsec.conf because I didn't study this file well. Is there some good explanation of ipsec.conf? ... or ... some main help?? I'm going crazy with this topic.
Regards.
dashnu l33t
Joined: 21 Jul 2004 Posts: 703 Location: Casco Maine
Posted: Mon Dec 12, 2005 5:02 pm
Change your virtual_private line: add your internal subnet with a "!". Mine is 192.168.1.0/24, so I have
Code:
%v4:!192.168.1.0/24
at the end of the line.
Also, in your ipsec.secrets, test with a single entry first. It should also be the external IP of the VPN server. So use the first line in your ipsec.secrets and change that to your external IP.
_________________ write quit bang
Overpeer Apprentice
Joined: 17 Mar 2004 Posts: 200 Location: Valencia
Posted: Mon Dec 26, 2005 1:47 pm
Thanks, I'll try now.
khuongdp n00b
Joined: 09 Nov 2003 Posts: 73
Posted: Fri Mar 10, 2006 9:37 pm
I followed the tutorial and got it working in some way. My network is like this:
client(192.168.0.4)<-->(192.168.0.1)Router(x.x.x.x)<-->Internet<-->(x.x.x.x)Router(192.168.0.1)<-->(192.168.0.2)Firewall/dhcp(192.168.10.1)
<----->(192.168.10.2)Client1
<----->(192.168.10.3)Client2
<----->(192.168.10.4)Client3
Both the client and the server are behind NAT.
I can connect to the VPN and ping/ssh to my firewall/dhcp machine. But when I try to ping/ssh Client1-3 I get a timeout. I am fine pinging/sshing Client1-3 through my Firewall/dhcp machine.
I think it's something wrong with my iptables rules:
Code:
# vpn
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -m udp -p udp --dport 500 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 4500 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -m tcp -p tcp --dport 4500 -j ACCEPT
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 4500 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -m udp -p udp --dport 4500 -j ACCEPT
iptables -A FORWARD -i ppp+ -j ACCEPT
iptables -A FORWARD -o ppp+ -j ACCEPT
iptables -A OUTPUT -o ppp+ -j ACCEPT
# ---------------------------------------------------------------------------------
# ESP encryption and authentication
# Allow ESP Traffic from/to Gateway
iptables -A INPUT -i $WAN_MIC -p esp -j ACCEPT
iptables -A OUTPUT -o $WAN_MIC -p esp -j ACCEPT
# Tag Incoming IPSec Traffic. 'mark' sticks after processing.
iptables -t mangle -A PREROUTING -i $WAN_MIC -p esp -j MARK --set-mark 1
# Forward Authenticated Traffic to LAN.
iptables -A FORWARD -i $WAN_MIC -m mark --mark 1 -d $PERSONAL_LAN_IP_NET -j ACCEPT
# SRC nat everything apart from esp traffic.
iptables -t nat -A POSTROUTING -o $WAN_MIC -p ! esp -j SNAT --to-source $WAN_IP
dashnu l33t
Joined: 21 Jul 2004 Posts: 703 Location: Casco Maine
Posted: Fri Apr 07, 2006 6:46 pm
My chains. (I use a DROP-all firewall and create special rules for my VPN users.)
INPUT extif
Code:
$IPT -A external-vpn-traffic -i $EXTIF -m mark --mark 1 -j ACCEPT
$IPT -A external-vpn-traffic -d $EXTIP -p udp -m udp --dport 4500 -j ACCEPT
$IPT -A external-vpn-traffic -d $EXTIP -p udp -m udp --dport 500 -j ACCEPT
$IPT -A external-vpn-traffic -p esp -j ACCEPT
OUTPUT
Code:
$IPT -A allow-l2tp-traffic-out -s $EXTIP -p udp -m udp --sport 1701 -j ACCEPT
$IPT -A allow-vpn-traffic-out -s $EXTIP -p udp -m udp --dport 500 -j ACCEPT
$IPT -A allow-esp-traffic-out -p esp -j ACCEPT
A PPP rule.
Code:
$IPT -A allow-www-traffic-out -o $VPN -p tcp --dport http -j ACCEPT
PREROUTING
Code:
$IPT -t mangle -A PREROUTING -i $EXTIF -p esp -j MARK --set-mark 1
Sorry I did not get back to you sooner. This post seemed to vanish from my "your posts" list.
_________________ write quit bang
johnny_martins00 Apprentice
Joined: 01 Jun 2006 Posts: 293
Posted: Thu Jun 08, 2006 8:59 am
Does anyone know how to set up a VPN using this protocol, L2TP/IPsec, but with 2 machines running Linux, Gentoo of course?
Thanks
dashnu l33t
Joined: 21 Jul 2004 Posts: 703 Location: Casco Maine
Posted: Thu Jun 08, 2006 12:44 pm
Be more specific: run ipsec on one machine and l2tpd on another?? No idea what you mean.
_________________ write quit bang
johnny_martins00 Apprentice
Joined: 01 Jun 2006 Posts: 293
Posted: Thu Jun 08, 2006 1:29 pm
Using the protocol IPsec/L2TP on 2 Unix machines. Usually the server machine is Unix and the client side Windows, but I was wondering if it's possible to apply the protocol on 2 Unix machines??
Thanks
dashnu l33t
Joined: 21 Jul 2004 Posts: 703 Location: Casco Maine
Posted: Thu Jun 08, 2006 1:35 pm
I think it is possible to do that, but why? Just use a straight IPsec conn using RSA keys. Tons of documents on the web for that.
_________________ write quit bang
Lex_Brugman n00b
Joined: 28 Mar 2004 Posts: 43 Location: Netherlands
Posted: Wed Jul 12, 2006 1:21 pm
I've got a Gentoo box directly connected to the internet running Shorewall as router. My internal network is in the 10.0.0.0 range and my Gentoo box has 10.0.0.1 as its internal IP; the external IP will be referred to as 123.123.123.123 and the client as 321.321.321.321.
But if I try to connect with a WinXP client after following this guide, /var/log/messages reports the following:
Code:
Jul 5 23:47:12 server pluto[28628]: packet from 321.321.321.321:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jul 5 23:47:12 server pluto[28628]: packet from 321.321.321.321:500: ignoring Vendor ID payload [FRAGMENTATION]
Jul 5 23:47:12 server pluto[28628]: packet from 321.321.321.321:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jul 5 23:47:12 server pluto[28628]: packet from 321.321.321.321:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: responding to Main Mode from unknown peer 321.321.321.321
Jul 5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Jul 5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: Main mode peer ID is ID_IPV4_ADDR: '321.321.321.321'
Jul 5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: I did not send a certificate because I do not have one.
Jul 5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jul 5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #2: responding to Quick Mode {msgid:b3182fba}
Jul 5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jul 5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jul 5 23:47:12 server Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:11:d8:42:7b:3c:00:0e:a6:c4:77:e6:08:00 SRC=321.321.321.321 DST=123.123.123.123 LEN=127 TOS=0x00 PREC=0x00 TTL=128 ID=24651 PROTO=UDP SPT=1701 DPT=1701 LEN=107
Jul 5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jul 5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0xfcc245c6 <0x6d27ab20 xfrm=3DES_0-HMAC_MD5 NATD=321.321.321.321:500 DPD=none}
Jul 5 23:47:13 server Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:11:d8:42:7b:3c:00:0e:a6:c4:77:e6:08:00 SRC=321.321.321.321 DST=123.123.123.123 LEN=127 TOS=0x00 PREC=0x00 TTL=128 ID=24657 PROTO=UDP SPT=1701 DPT=1701 LEN=107
Jul 5 23:47:15 server Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:11:d8:42:7b:3c:00:0e:a6:c4:77:e6:08:00 SRC=321.321.321.321 DST=123.123.123.123 LEN=127 TOS=0x00 PREC=0x00 TTL=128 ID=24659 PROTO=UDP SPT=1701 DPT=1701 LEN=107
Jul 5 23:47:19 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: received Delete SA(0xfcc245c6) payload: deleting IPSEC State #2
Jul 5 23:47:19 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: received and ignored informational message
Jul 5 23:47:19 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: received Delete SA payload: deleting ISAKMP State #1
Jul 5 23:47:19 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321: deleting connection "roadwarrior-l2tp" instance with peer 321.321.321.321 {isakmp=#0/ipsec=#0}
Jul 5 23:47:19 server pluto[28628]: packet from 321.321.321.321:500: received and ignored informational message
It looks like Shorewall blocks the L2TP traffic, while Shorewall should not block anything from the VPN interface?
These are all the relevant configs:
/etc/shorewall/interfaces:
Code:
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth0        detect      dhcp
vpn     ppp+        detect      dhcp
net     eth1        detect      dhcp,routefilter,logmartians,norfc1918,tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/zones:
Code:
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
loc     ipv4
vpn     ipsec
net     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
/etc/shorewall/tunnels:
Code:
#TYPE       ZONE    GATEWAY     GATEWAY
#                               ZONE
ipsecnat    net     0.0.0.0/0   vpn
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/policy:
Code:
#SOURCE DEST    POLICY  LOG     LIMIT:BURST
#                       LEVEL
#Source net
net     all     DROP    info
#Source loc:
loc     net     ACCEPT
loc     vpn     ACCEPT
loc     fw      ACCEPT
#Source vpn:
vpn     loc     ACCEPT
vpn     net     ACCEPT
vpn     fw      ACCEPT
#Source fw:
fw      net     ACCEPT
fw      vpn     ACCEPT
fw      loc     ACCEPT
#
# THE FOLLOWING POLICY MUST BE LAST
#
all     all     REJECT  info
#LAST LINE -- DO NOT REMOVE
/etc/ipsec/ipsec.conf:
Code:
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    overridemtu=1410
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
conn %default
    keyingtries=3
    compress=yes
    disablearrivalcheck=no
    authby=secret
    type=tunnel
    keyexchange=ike
    ikelifetime=240m
    keylife=60m
conn roadwarrior-net
    leftsubnet=10.0.0.0/24
    also=roadwarrior
conn roadwarrior-all
    leftsubnet=0.0.0.0/0
    also=roadwarrior
conn roadwarrior-l2tp
    leftprotoport=17/0
    rightprotoport=17/1701
    also=roadwarrior
conn roadwarrior-l2tp-updatedwin
    leftprotoport=17/1701
    rightprotoport=17/1701
    also=roadwarrior
conn roadwarrior
    pfs=no
    left=%defaultroute
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
/etc/ipsec/ipsec.secrets:
Code:
123.123.123.123 %any: PSK "abcdabcdabcdabcdabcdabcdabcdabcdabcd"
/etc/ppp/options.l2tpd:
Code:
ipcp-accept-local
ipcp-accept-remote
ms-dns 10.0.0.1
ms-wins 10.0.0.1
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
lock
debug
proxyarp
connect-delay 5000
silent
/etc/ppp/chap-secrets:
Code:
# Secrets for authentication using CHAP
# client    server  secret      IP addresses
lex         *       "password"  10.0.0.0/24
*           lex     "password"  10.0.0.0/24
/etc/l2tpd/l2tpd.conf:
Code:
[global]
port = 1701
[lns default]
ip range = 10.0.0.200-10.0.0.254
local ip = 10.0.0.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes
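The log excerpts posted in this thread share a small set of lines that tell you which stage failed: Main Mode refused outright, Phase 1 up but no conn for the Phase 2 selectors, or IPsec fully up with the host firewall rejecting the UDP 1701 carried inside it. The following Python is an added example written for this thread, not part of Openswan, Shorewall or anyone's post: it classifies pluto and Shorewall syslog lines by a few fixed signatures and reduces an excerpt to a single diagnosis. The embedded samples are trimmed copies of the three logs posted above (the wrapped Shorewall line re-joined); the signature list and the event names are this example's own.

```python
import re

# Trimmed copies of the three logs posted in this thread.
LOG_NO_CONN = """\
Nov 3 18:48:42 superserver pluto[30018]: packet from 10.69.69.98:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]
Nov 3 18:48:42 superserver pluto[30018]: packet from 10.69.69.98:500: initial Main Mode message received on 10.69.69.254:500 but no connection has been authorized
"""

LOG_PHASE2_MISMATCH = """\
Aug 26 16:41:29 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Aug 26 16:41:29 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: cannot respond to IPsec SA request because no connection is known for 80.33.x.x/32===192.168.1.88:17/1701...81.202.x.x[@catarroj-y69axu]:17/1701
Aug 26 16:41:29 localhost pluto[6722]: "Usuario-VPN"[4] 81.202.x.x #3: sending encrypted notification INVALID_ID_INFORMATION to 81.202.x.x:4500
"""

LOG_L2TP_BLOCKED = """\
Jul 5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Jul 5 23:47:12 server Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:11:d8:42:7b:3c:00:0e:a6:c4:77:e6:08:00 SRC=321.321.321.321 DST=123.123.123.123 LEN=127 TOS=0x00 PREC=0x00 TTL=128 ID=24651 PROTO=UDP SPT=1701 DPT=1701 LEN=107
Jul 5 23:47:12 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0xfcc245c6 <0x6d27ab20 xfrm=3DES_0-HMAC_MD5 NATD=321.321.321.321:500 DPD=none}
Jul 5 23:47:19 server pluto[28628]: "roadwarrior-l2tp"[1] 321.321.321.321 #1: received Delete SA(0xfcc245c6) payload: deleting IPSEC State #2
"""

# Signatures tried in order; the first match names the event.  Event names are this example's own.
SIGNATURES = [
    ("phase1_refused", re.compile(r"but no connection has been authorized")),
    ("phase1_up", re.compile(r"ISAKMP SA established")),
    ("phase2_no_conn", re.compile(r"cannot respond to IPsec SA request because no connection is known")),
    ("phase2_up", re.compile(r"IPsec SA established")),
    ("l2tp_rejected", re.compile(r"REJECT:.*PROTO=UDP .*DPT=1701")),
    ("peer_deleted", re.compile(r"received Delete SA")),
]


def classify_line(line):
    """Return the event name for one syslog line, or None for lines that are noise here."""
    for name, rx in SIGNATURES:
        if rx.search(line):
            return name
    return None


def triage(log_text):
    """Reduce a log excerpt to the ordered events seen and one diagnosis string."""
    events = [e for e in (classify_line(l) for l in log_text.splitlines()) if e]
    if "phase1_refused" in events:
        # No conn accepted the peer at all: look at right=%any, auto=add and ipsec.secrets.
        diagnosis = "phase1_refused"
    elif "phase2_no_conn" in events:
        # IKE authenticated, but no conn carries the protoport/subnet selectors the peer asked for.
        diagnosis = "phase2_selector_mismatch"
    elif "phase2_up" in events and "l2tp_rejected" in events:
        # IPsec is up; the host firewall rejects the decrypted UDP 1701 that rides inside it.
        diagnosis = "l2tp_blocked_by_firewall"
    elif "phase2_up" in events:
        diagnosis = "ipsec_up"
    elif "phase1_up" in events:
        diagnosis = "phase1_only"
    else:
        diagnosis = "no_negotiation"
    return {"events": events, "diagnosis": diagnosis}


if __name__ == "__main__":
    for name, text in (("dtmf", LOG_NO_CONN), ("Overpeer", LOG_PHASE2_MISMATCH), ("Lex", LOG_L2TP_BLOCKED)):
        print(name, triage(text))
```

The Shorewall REJECT sits between "ISAKMP SA established" and "IPsec SA established" in the real log, so a plain "did IPsec come up?" check would pass; matching on the rejected UDP 1701 alongside the established SA is what separates a firewall problem from an IPsec one.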
dashnu l33t
Joined: 21 Jul 2004 Posts: 703 Location: Casco Maine
Posted: Thu Jul 20, 2006 9:14 pm
I do not use Shorewall, but it looks to me as if you are blocking 1701/udp, which is l2tpd.
Also, in your virtual_private line you want to exclude your network.
local ip = 10.0.0.1 in l2tpd.conf should be changed to an unused IP address that your l2tpd can claim.
You could trim down your ipsec.conf also.
Code:
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
# This file: /usr/share/doc/openswan-2.4.4/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    overridemtu=1410
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.0.0/24
conn %default
    keyingtries=3
    compress=no
    disablearrivalcheck=no
    keyexchange=ike
    ikelifetime=240m
    keylife=60m
conn roadwarrior-osx-xp
    leftprotoport=17/1701
    rightprotoport=17/%any
    rekey=no
    also=roadwarrior
conn roadwarrior
    authby=secret
    pfs=no
    type=tunnel
    left=%defaultroute
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
This will work for Windows and OS X.
I am working on a howto on my site, but it is coming along slower than I would like.
_________________ write quit bang
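To see what a trimmed configuration like this actually loads, here is an added Python example written for this thread, not taken from Openswan or from dashnu: it parses an ipsec.conf in the format shown above, resolves conn %default and also= into each conn's effective parameters (own keys over also= keys over %default, the precedence ipsec.conf(5) describes), and lists which loaded conns would accept a Quick Mode request for UDP 1701 on each side. SAMPLE_CONF is a copy of the configuration in the post above with the indentation ipsec.conf requires. Treating 17/0 and 17/%any as "any port", treating a conn with no protoport as 0/0, and not following include lines are simplifying assumptions of the example.

```python
# Copy of the trimmed ipsec.conf posted above, with indentation restored.
SAMPLE_CONF = """\
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.0.0/24
conn %default
    keyingtries=3
    compress=no
    keyexchange=ike
    ikelifetime=240m
    keylife=60m
conn roadwarrior-osx-xp
    leftprotoport=17/1701
    rightprotoport=17/%any
    rekey=no
    also=roadwarrior
conn roadwarrior
    authby=secret
    pfs=no
    type=tunnel
    left=%defaultroute
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
"""


def parse_ipsec_conf(text):
    """Return {section: {key: value}} for 'config setup' (as "setup") and every conn.

    Comments, the version line and include lines are skipped; included files are
    not read (an assumption of this example).
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and (line.startswith("conn ") or line.startswith("config ")):
            current = line.split(None, 1)[1].strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        sections[current][key] = value
    return sections


def effective_conn(sections, name, _seen=()):
    """Merge %default, then each also= section, then the conn's own keys (own keys win)."""
    if name in _seen:
        raise ValueError("also= loop at " + name)
    own = dict(sections[name])
    merged = dict(sections.get("%default", {})) if name != "%default" else {}
    for inc in filter(None, (s.strip() for s in own.pop("also", "").split(","))):
        merged.update(effective_conn(sections, inc, _seen + (name,)))
    merged.update(own)
    return merged


def _protoport(spec):
    """'17/1701' -> (17, 1701); '17/%any' or '17/0' -> (17, None) for any port; absent -> (0, None)."""
    if not spec:
        return 0, None
    proto, port = spec.split("/", 1)
    return int(proto), (None if port in ("%any", "0") else int(port))


def _selector_ok(spec, want):
    proto, port = _protoport(spec)
    return proto == want[0] and (port is None or port == want[1])


def conns_matching(sections, left, right):
    """Names of loaded conns (auto=add/route/start) whose protoport selectors accept a
    Quick Mode request for the given (proto, port) on each side.  A conn with no
    protoport counts as 0/0 and therefore never matches an L2TP (17/1701) request."""
    hits = []
    for name in sections:
        if name in ("setup", "%default"):
            continue
        eff = effective_conn(sections, name)
        if eff.get("auto", "ignore") not in ("add", "route", "start"):
            continue
        if _selector_ok(eff.get("leftprotoport"), left) and _selector_ok(eff.get("rightprotoport"), right):
            hits.append(name)
    return hits


if __name__ == "__main__":
    cfg = parse_ipsec_conf(SAMPLE_CONF)
    print("effective roadwarrior-osx-xp:", effective_conn(cfg, "roadwarrior-osx-xp"))
    print("conns for 17/1701 <-> 17/1701:", conns_matching(cfg, (17, 1701), (17, 1701)))
    print("conns for 17/1701 <-> 17/60000:", conns_matching(cfg, (17, 1701), (17, 60000)))
```

Feeding it the longer configurations earlier in the thread is the quickest way to see which of the four roadwarrior-* conns a given client's selectors would land on, and whether any conn covers them at all.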