Gentoo Forums :: Networking & Security
Set the configuration of interfaces for IPSec-tunnels
unax (n00b; Joined: 04 May 2010; Posts: 20; Location: Russia, Novokuznetsk (Siberia))
Posted: Fri Dec 03, 2010 3:36 am    Post subject: Set the configuration of interfaces for IPSec-tunnels

Hello, comrades! I have a tiny question.
Suppose I create a tunnel between two addresses, 100.111.222.1 and 100.111.222.2, using net-firewall/ipsec-tools-0.7.3-r1 (USE="iconv ipv6 nat pam readline -hybrid -idea -kerberos -ldap -rc5 (-selinux)").
On the first server the configuration is like this (in /etc/racoon/racoon.conf):
Code:
path pre_shared_key "/etc/racoon/psk.txt"
remote 100.111.222.2[500]
{
    exchange_mode aggressive,main;
    doi ipsec_doi;
    situation identity_only;
    my_identifier address;
    initial_contact on;
    proposal_check obey;
    proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 5;
            }
}

sainfo anonymous
{
    pfs_group 2;
    lifetime time 12 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}


in /etc/racoon/ipsec.conf:
Code:
spdadd 100.111.222.2/32 100.111.222.1/32 ipencap -P in ipsec
esp/tunnel/100.111.222.2-100.111.222.1/require;
spdadd 100.111.222.1/32 100.111.222.2/32 ipencap -P out ipsec
esp/tunnel/100.111.222.1-100.111.222.2/require;

and in /etc/racoon/psk.txt:
Code:
# entries are keyed by the peer's identifier, i.e. the other end's address (the posted line used the local address)
100.111.222.2 keykeykeykeykeykey

Similarly on the second server of the tunnel..
And finally, how do I create virtual interfaces in /etc/conf.d/net?? I need to set the local addresses of the tunnel and the names of the virtual interfaces. This is needed for iptables and routing settings.

In FreeBSD this is simple: in /etc/rc.conf you declare the interfaces. For example:
Code:
gifconfig_gif3="100.111.222.1 100.111.222.2"
ifconfig_gif3="inet 10.10.1.1 10.10.2.1 netmask 255.255.255.255"

How can I declare virtual interfaces and set their configuration for the tunnel?
Waiting for your advice.

salahx (Guru; Joined: 12 Mar 2005; Posts: 438)
Posted: Fri Dec 03, 2010 8:00 pm

Unlike FreeBSD, Linux does not use a separate interface for IPsec; rather, the IPsec policies define what gets tunneled and how.

unax (n00b)
Posted: Sun Dec 05, 2010 4:38 pm

salahx wrote:
Unlike FreeBSD, Linux does not use a separate interface for IPsec; rather, the IPsec policies define what gets tunneled and how.

hmm.. then I can declare the IP addresses and names of interfaces in the configuration files of racoon.. but I still don't know how it's done...
Can anybody share their experience? What should I write? :oops:

salahx (Guru)
Posted: Sun Dec 05, 2010 8:07 pm

Well, I'm not exactly sure how you've got your network configured, but given that you are using tunnel mode it sounds like you are probably trying to connect 2 networks at different sites.

So using the IPs you gave, 100.111.222.1 and 100.111.222.2, let's presume 100.111.222.1 has a 192.168.1.0/24 behind it, and 100.111.222.2 has a 192.168.2.0/24 behind it.

So, for the router on 100.111.222.1, the ipsec.conf would be as follows
Code:

#!/usr/sbin/setkey

spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
    esp/tunnel/100.111.222.1-100.111.222.2/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/100.111.222.1-100.111.222.2/require;
#spdadd 192.168.2.0/24 192.168.1.0/24 any -P fwd ipsec
#   esp/tunnel/100.111.222.1-100.111.222.2/require;


For the other router, the rules are similar, except the source and destination rules are reversed (under Linux, the "fwd" rule is implied by the "in" rule, so I commented it out).

And that's it. Any traffic from 192.168.1.0/24 going to 192.168.2.0/24 will be transparently tunneled from 100.111.222.1 to 100.111.222.2 and appear on the other side as though it came from 192.168.1.0/24.

So that means on the 100.111.222.2 interface, packets will be appearing from 192.168.1.0/24. You'll need to set up IP forwarding and set up a route from 192.168.1.0/24 to 192.168.2.0/24 via whatever interface 100.111.222.2 is on. Note that this means you'll legitimately be getting private IPs on an interface with a public IP. Make sure you're not blocking all 192.168.0.0/16 packets on the 100.111.222.2 interface via iptables (you can use iptables to let the ones in the tunnel through while blocking non-tunneled ones).

unax (n00b)
Posted: Mon Dec 06, 2010 10:33 am

salahx wrote:
*

Thanks for everything! I did as you advised..
But today I tried to create the tunnel between 2 servers in my home LAN, and I have a problem :cry:
I think the configuration on the test servers is working now, but I don't understand why the tunnel is not created. The servers don't even have a firewall! (iptables uses the ACCEPT default policy.) I hope someone can help me understand the error... :roll:
Configurations:
test server 1:
Code:
config_eth0=( "10.0.11.26 netmask 255.255.255.0" )
config_eth1=( "192.168.1.1 netmask 255.255.255.0" )

eth1 and eth0 are real interfaces and they work.
/etc/racoon/racoon.conf
Code:
path include "/etc/racoon";
log debug;
path pre_shared_key "/etc/racoon/psk.txt";
padding
{
    maximum_length 20;
    randomize off;
    strict_check off;
    exclusive_tail off;
}
listen
{
    isakmp 10.0.11.26 [500];
}
timer
{
    counter 5;
    interval 20 sec;
    persend 1;
    phase1 30 sec;
    phase2 15 sec;
}
remote 10.0.11.20[500]
{
    my_identifier address 10.0.11.26;
    exchange_mode aggressive,main;
    initial_contact off;
    doi ipsec_doi;
    lifetime time 24 hour;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo anonymous
{
    pfs_group 2;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    lifetime time 3600 sec;
}

and here is /etc/racoon/ipsec.conf
Code:
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/10.0.11.26-10.0.11.20/require;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P fwd ipsec esp/tunnel/10.0.11.26-10.0.11.20/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in  ipsec esp/tunnel/10.0.11.20-10.0.11.26/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P fwd ipsec esp/tunnel/10.0.11.20-10.0.11.26/require;

/etc/racoon/psk.txt consists of one line: 10.0.11.20 gentoothebest
More.. server 2 has this configuration:
net..
Code:
config_eth0=( "10.0.11.20 netmask 255.255.255.0" )
vlans_eth0="1"
vconfig_eth0=( "set_name_type VLAN_PLUS_VID_NO_PAD" )
vconfig_vlan1=( "set_flag 1" "set_egress_map 2 6" )

For the test I use a virtual interface; it can be pinged from localhost.
The file /etc/racoon/racoon.conf is the same as on test server 1, differing only in the IP addresses.
/etc/racoon/ipsec.conf
Code:
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/10.0.11.20-10.0.11.26/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P fwd ipsec esp/tunnel/10.0.11.20-10.0.11.26/require;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P in  ipsec esp/tunnel/10.0.11.26-10.0.11.20/require;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P fwd ipsec esp/tunnel/10.0.11.26-10.0.11.20/require;


and finally, 10.0.11.26 gentoothebest in /etc/racoon/psk.txt.
So... test_server1# /etc/init.d/racoon start
test_server2# /etc/init.d/racoon start
and see..
# setkey -DP
Code:
(per-socket policy)
        Policy:[Invalid direciton]
        created: Dec  6 15:08:39 2010  lastused:                     
        lifetime: 0(s) validtime: 0(s)
        spid=716 seq=1 pid=24704
        refcnt=1
(per-socket policy)
        Policy:[Invalid direciton]
        created: Dec  6 15:08:39 2010  lastused:                     
        lifetime: 0(s) validtime: 0(s)
        spid=707 seq=2 pid=24704
        refcnt=1
192.168.2.0/24[any] 192.168.1.0/24[any] any
        fwd prio def ipsec
        esp/tunnel/10.0.11.20-10.0.11.26/require
        created: Dec  6 15:08:39 2010  lastused:                     
        lifetime: 0(s) validtime: 0(s)
        spid=698 seq=3 pid=24704
        refcnt=1
192.168.2.0/24[any] 192.168.1.0/24[any] any
        in prio def ipsec
        esp/tunnel/10.0.11.20-10.0.11.26/require
        created: Dec  6 15:08:39 2010  lastused:                     
        lifetime: 0(s) validtime: 0(s)
        spid=688 seq=4 pid=24704
        refcnt=1
192.168.1.0/24[any] 192.168.2.0/24[any] any
        fwd prio def ipsec
        esp/tunnel/10.0.11.26-10.0.11.20/require
        created: Dec  6 15:08:39 2010  lastused:                     
        lifetime: 0(s) validtime: 0(s)
        spid=682 seq=5 pid=24704
        refcnt=1
192.168.1.0/24[any] 192.168.2.0/24[any] any
        out prio def ipsec
        esp/tunnel/10.0.11.26-10.0.11.20/require
        created: Dec  6 15:08:39 2010  lastused:                     
        lifetime: 0(s) validtime: 0(s)
        spid=673 seq=0 pid=24704
        refcnt=1

Nothing :cry:
And the most incomprehensible thing to me...
# tcpdump -i eth0 port 500 or host 10.0.11.20 (on either server)
NOTHING!! O_o No attempt to connect, but the network is without restrictions!
See the logs...
Code:
2010-12-06 15:08:39: INFO: 10.0.11.26[500] used as isakmp port (fd=6)
2010-12-06 15:08:39: DEBUG: pk_recv: retry[0] recv()
2010-12-06 15:08:39: DEBUG: get pfkey X_SPDDUMP message
2010-12-06 15:08:39: DEBUG: pk_recv: retry[0] recv()
2010-12-06 15:08:39: DEBUG: get pfkey X_SPDDUMP message
2010-12-06 15:08:39: DEBUG: sub:0xbfe81c5c: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in
2010-12-06 15:08:39: DEBUG: db :0x97b8d00: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=fwd
2010-12-06 15:08:39: DEBUG: pk_recv: retry[0] recv()
2010-12-06 15:08:39: DEBUG: get pfkey X_SPDDUMP message
2010-12-06 15:08:39: DEBUG: sub:0xbfe81c5c: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=fwd
2010-12-06 15:08:39: DEBUG: db :0x97b8d00: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=fwd
2010-12-06 15:08:39: DEBUG: sub:0xbfe81c5c: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=fwd
2010-12-06 15:08:39: DEBUG: db :0x97b8f48: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in
2010-12-06 15:08:39: DEBUG: pk_recv: retry[0] recv()
2010-12-06 15:08:39: DEBUG: get pfkey X_SPDDUMP message
2010-12-06 15:08:39: DEBUG: sub:0xbfe81c5c: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
2010-12-06 15:08:39: DEBUG: db :0x97b8d00: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=fwd
2010-12-06 15:08:39: DEBUG: sub:0xbfe81c5c: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
2010-12-06 15:08:39: DEBUG: db :0x97b8f48: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in
2010-12-06 15:08:39: DEBUG: sub:0xbfe81c5c: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
2010-12-06 15:08:39: DEBUG: db :0x97b9190: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=fwd

No errors, no warnings... 8O
Tunnels still down.. What's happening...

salahx (Guru)
Posted: Mon Dec 06, 2010 4:55 pm

Ok, if server1 has an external IP of 10.0.11.26 and an internal IP of 192.168.1.1 (with a 192.168.1.0/24 behind it) and server2 has an external IP of 10.0.11.20 and an internal IP of 192.168.2.1 (with a 192.168.2.0/24 behind it), then it should go something like this:

for server1 /etc/ipsec.conf:
Code:

#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
     esp/tunnel/10.0.11.26-10.0.11.20/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
     esp/tunnel/10.0.11.26-10.0.11.20/require;


for server2 /etc/ipsec.conf:
Code:

flush;
spdflush;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec
     esp/tunnel/10.0.11.20-10.0.11.26/require;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P in ipsec
     esp/tunnel/10.0.11.20-10.0.11.26/require;


Now, from server1, ping 192.168.2.1. You should see it go over the tunnel. Note, however, that with this setup any traffic going directly from 10.0.11.26 to 10.0.11.20 (or vice versa) does NOT go over the tunnel, only stuff from 192.168.1.0/24 to 192.168.2.0/24 (or vice versa). So "ping 10.0.11.20" from 10.0.11.26 does NOT go over the IPsec tunnel with these rules, but if you want it to, adding a rule to do that is simple.

unax (n00b)
Posted: Tue Dec 07, 2010 2:45 am

salahx wrote:

Now, from server1, ping 192.168.2.1 . You should see it go over the tunnel.

The whole problem is that the tunnel is not created :( I have already written many variants of different configurations... and still don't see my error..
I got the impression that the server does not try to establish a connection at all...

salahx (Guru)
Posted: Tue Dec 07, 2010 7:44 am

Maybe something is wrong with /etc/racoon/racoon.conf. There's a lot of extraneous stuff in there.

I suspect this ought to work (unfortunately, while experimenting with this I killed the other machine and have no physical access to it right now).

For 10.0.11.26:
Code:

path pre_shared_key "/etc/racoon/psk.txt";
path script "/etc/racoon/scripts";

remote 10.0.11.20 {
        exchange_mode main;
        my_identifier address 10.0.11.26;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 14;
        }
}

sainfo subnet 192.168.1.0/24 any address 192.168.2.0/24 any {
        pfs_group 2;
        encryption_algorithm aes, 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

sainfo address 10.0.11.20 any address 10.0.11.26 any {
        pfs_group 2;
        encryption_algorithm aes, 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}


For 10.0.11.20:
Code:

path pre_shared_key "/etc/racoon/psk.txt";
path script "/etc/racoon/scripts";

remote 10.0.11.26 {
        exchange_mode main;
        my_identifier address 10.0.11.20;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 14;
        }
}

sainfo subnet 192.168.2.0/24 any address 192.168.1.0/24 any {
        pfs_group 2;
        encryption_algorithm aes, 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

sainfo address 10.0.11.26 any address 10.0.11.20 any {
        pfs_group 2;
        encryption_algorithm aes, 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}


You probably don't need both sainfo statements, but I'm not sure which one is correct; having both won't do any harm.

salahx (Guru)
Posted: Wed Dec 08, 2010 7:38 am

Ok, after some tests, this ought to do it. I've tested between 2 machines and packets flow through the tunnel.

For 10.0.11.26 racoon.conf:
Code:

path pre_shared_key "/etc/racoon/psk.txt";
path script "/etc/racoon/scripts";

remote 10.0.11.20 {
        exchange_mode main;
        my_identifier address 10.0.11.26;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 14;
        }
}

sainfo subnet 192.168.1.0/24 any address 192.168.2.0/24 any {
        pfs_group 2;
        encryption_algorithm aes, 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

For 10.0.11.26 ipsec.conf:
Code:

#!/usr/sbin/setkey -f

flush;
spdflush;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
     esp/tunnel/10.0.11.26-10.0.11.20/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
     esp/tunnel/10.0.11.20-10.0.11.26/require;

For 10.0.11.20 racoon.conf:
Code:

path pre_shared_key "/etc/racoon/psk.txt";
path script "/etc/racoon/scripts";

remote 10.0.11.26 {
        exchange_mode main;
        my_identifier address 10.0.11.20;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 14;
        }
}

sainfo subnet 192.168.2.0/24 any address 192.168.1.0/24 any {
        pfs_group 2;
        encryption_algorithm aes, 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

For 10.0.11.20 ipsec.conf:
Code:

#!/usr/sbin/setkey -f

flush;
spdflush;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec
     esp/tunnel/10.0.11.20-10.0.11.26/require;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P in ipsec
     esp/tunnel/10.0.11.26-10.0.11.20/require;

Now, on 10.0.11.26:
Code:
ping -I eth1 192.168.2.1

This will cause the tunnel to be established, and encrypted packets will start flying over the link (you may not get a reply from the ping; that's OK, we don't have routes set up yet).
You can see it with:
Code:
tcpdump -i eth0 ip proto 50

You'll need to create the required routes:
On 10.0.11.26:
Code:
ip route add 192.168.2.0/24 via 10.0.11.20

On 10.0.11.20:
Code:
ip route add 192.168.1.0/24 via 10.0.11.26

One other thing: on my machine, to get this to work, I had to disable reverse path filtering on the interface the packets were being tunneled over (in your case, that'll be eth0).

So you may need something like this on each machine:
Code:
echo -n 2 >/proc/sys/net/ipv4/conf/eth0/rp_filter
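
The SPD file is where a setup like the one above most often goes wrong, and the mistake is easy to make when copying the file from the other gateway: in `esp/tunnel/src-dst/require` the endpoints must be local-remote for the `-P out` policy and remote-local for the `-P in` policy, and nothing in `setkey -DP` or the racoon log complains when they are swapped; racoon simply never sees a matching acquire, which is the "no IKE packets at all" symptom reported earlier in this thread. The following script is an added example written for this page, not code from the thread or from ipsec-tools: it generates a direction-correct setkey file for one gateway and checks an existing file for reversed endpoints. The function names `spd_file` and `spd_check`, and the use of the lab addresses from the posts above in the demo, are assumptions; it runs anywhere because it only writes and parses text.

```shell
#!/bin/sh
# Added example for this page (not from the thread or from ipsec-tools):
# generate a setkey SPD file for one IPsec gateway and check an existing
# file for tunnel endpoints written in the wrong order.
# Function names and the lab addresses used in the demo are assumptions.

# spd_file LOCAL_GW REMOTE_GW LOCAL_NET REMOTE_NET
# Prints a "setkey -f" file. The out policy tunnels local->remote, the in
# policy remote->local; setkey on Linux derives the fwd policy from "in",
# so it is not written explicitly.
spd_file() {
    lgw=$1; rgw=$2; lnet=$3; rnet=$4
    printf '%s\n' '#!/usr/sbin/setkey -f' 'flush;' 'spdflush;'
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$lnet" "$rnet" "$lgw" "$rgw"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$rnet" "$lnet" "$rgw" "$lgw"
}

# spd_check LOCAL_GW FILE
# Returns 0 when every spdadd statement in FILE names LOCAL_GW as the
# tunnel source for "out" and as the tunnel destination for "in"/"fwd";
# otherwise prints each offending statement and returns 1.
spd_check() {
    lgw=$1; file=$2; rc=0
    # Drop comments, join continuation lines, one ';'-terminated statement per line.
    stmts=$(sed 's/#.*//' "$file" | tr '\n' ' ' | tr ';' '\n')
    while read -r stmt; do
        case $stmt in
            *spdadd*) ;;
            *) continue ;;
        esac
        dir=$(printf '%s\n' "$stmt" | sed -n 's/.*-P *\([a-z]*\).*/\1/p')
        ep=$(printf '%s\n' "$stmt" | sed -n 's|.*/tunnel/\([^/ ]*\).*|\1|p')
        [ -n "$ep" ] || continue          # transport-mode policy: nothing to check
        src=${ep%-*}; dst=${ep#*-}
        case "$dir:$src:$dst" in
            "out:$lgw:"*)   ;;   # out: we must be the tunnel source
            "in:"*":$lgw")  ;;   # in:  we must be the tunnel destination
            "fwd:"*":$lgw") ;;   # fwd: same as in
            *) echo "wrong endpoints for -P $dir: $stmt"; rc=1 ;;
        esac
    done <<EOF
$stmts
EOF
    return $rc
}

# Demo with the lab addresses from this thread: server1 is 10.0.11.26 with
# 192.168.1.0/24 behind it, server2 is 10.0.11.20 with 192.168.2.0/24.
demo() {
    f=$(mktemp)
    spd_file 10.0.11.26 10.0.11.20 192.168.1.0/24 192.168.2.0/24 > "$f"
    cat "$f"
    if spd_check 10.0.11.26 "$f"; then echo "server1 SPD: endpoints OK"; fi
    rm -f "$f"
}
demo
```

To check a real file, run `spd_check <this gateway's public address> /etc/ipsec.conf` on each gateway before loading it with `setkey -f`; a file that passes on one gateway must fail on the other, since the two sides are mirror images.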

unax (n00b)
Posted: Mon Dec 13, 2010 1:52 pm

hm... how does the kernel option "Network device support -> Universal TUN/TAP device driver support" affect how racoon works? Is this option required for IPsec tunnels?
Now I use OpenVPN, I like it :) but I'm setting up racoon too

salahx (Guru)
Posted: Mon Dec 13, 2010 8:11 pm

You don't need tap/tun support for IPsec (you do for openvpn, however).

The config files above should establish the tunnel. Remember though, make sure when testing that the applications are bound to the right interface; in particular, most programs bind to the interface which has the default gateway.
So use something like this:
Code:

tcpdump -i eth0 ip proto 50 or 51
ping -I eth1 192.168.2.1
traceroute -s 192.168.1.1 192.168.2.1

You should see ESP packets flowing. Then the tricky part is setting up the routing; in my case it got complicated because in the testbed I was using (2 computers connected via openvpn), neither was the default gateway (or even a router, so I had to turn on IP forwarding on both and convert them to routers) and both external connections were on the same subnet.

unax (n00b)
Posted: Wed Dec 22, 2010 5:44 pm

I decided to continue experimenting, getting closer to solving it... salahx, my great thanks.
But everything is still very strange.
In general, the main task is setting up tunnels gentoo<===>freebsd.
At the moment there is a server with FreeBSD, and it has several working tunnels.. on that server I created a new tunnel, like the others on this server.
The main FreeBSD server is named "Server F" and its IP = xx.xx.xx.xx, localnet = 10.10.1.0/24
One of my Gentoo servers has IP = yy.yy.yy.yy, localnet = 10.10.5.1/24, name = "Server G"
Server G: net-firewall/ipsec-tools-0.7.3-r1 USE="iconv ipv6 nat pam rc5 readline -hybrid -idea -kerberos -ldap (-selinux)"
in /etc/racoon/racoon.conf
Code:
path pre_shared_key "/etc/racoon/psk.txt";
remote xx.xx.xx.xx {
        exchange_mode main;
        my_identifier address yy.yy.yy.yy;

proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
        }
}
sainfo subnet 10.10.5.0/24 any address 10.10.1.0/24 any
{
    pfs_group 2;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}


Code:
#!/usr/sbin/setkey -f
flush;
spdflush;
# on Server G (yy.yy.yy.yy) the tunnel endpoints are local-remote for out and remote-local for in;
# the posted lines had them swapped
spdadd 10.10.5.0/24 10.10.1.0/24 any -P out ipsec esp/tunnel/yy.yy.yy.yy-xx.xx.xx.xx/require;
spdadd 10.10.1.0/24 10.10.5.0/24 any -P in ipsec esp/tunnel/xx.xx.xx.xx-yy.yy.yy.yy/require;


/etc/conf.d/racoon
Code:
RACOON_OPTS=" -l /var/log/racoon.log -v"
RACOON_CONF="/etc/racoon/racoon.conf"
RACOON_PSK_FILE="/etc/racoon/psk.txt"
SETKEY_CONF="/etc/ipsec.conf"
RACOON_RESET_TABLES="true"


/etc/racoon/psk.txt exists too..

The firewall has a correct configuration (iptables and ipfw)
1) # /etc/init.d/ipsec start
Code:
 * Starting IPSEC ... ...
ipsec_setup: Starting Openswan IPsec 2.4.15... 

and it thinks for a long, long time... Then I press Ctrl+C... It is unclear why it does not start correctly О_о
More.. time to try starting racoon
2) /etc/init.d/racoon start; ps ax says: /usr/sbin/racoon -f /etc/racoon/racoon.conf -l /var/log/racoon.log -v
Look in the log file on Server F, looking for an attempt to connect.. And nothing about a tunnel from Server G!
OK, look at the log file on Server G...
Code:
2010-12-23 05:49:12: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
2010-12-23 05:49:12: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
2010-12-23 05:49:12: INFO: Reading configuration from "/etc/racoon/racoon.conf"
2010-12-23 05:49:13: ERROR: failed to bind to address 127.0.0.1[500] (Address already in use).  <= x_X
2010-12-23 05:49:13: ERROR: failed to bind to address 10.10.5.1[500] (Address already in use).
2010-12-23 05:49:13: ERROR: failed to bind to address yy.yy.yy.yy[500] (Address already in use).   
2010-12-23 05:49:13: ERROR: failed to bind to address ::1[500] (Address already in use).
2010-12-23 05:49:13: INFO: fe80::2e0:4cff:fea0:8bbf%eth0[500] used as isakmp port (fd=6)
2010-12-23 05:49:13: INFO: fe80::4e00:10ff:fea1:95b9%eth1[500] used as isakmp port (fd=7)
2010-12-23 06:27:17: INFO: caught signal 15


"Address in use" in use for what O_o What does this mean... And what does the ipsec start problem mean... :(

salahx (Guru)
Posted: Wed Dec 22, 2010 9:58 pm

"Address in use" means something is already listening on that port. If you're trying to run both Openswan and racoon on the same machine, don't, as they both do the same thing and will conflict with one another.

unax (n00b)
Posted: Thu Dec 23, 2010 3:37 pm

Ok.. now I start without ipsec (to avoid any conflict)
log on Server G:
Code:
2010-12-24 04:21:26: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
2010-12-24 04:21:26: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
2010-12-24 04:21:26: INFO: Reading configuration from "/etc/racoon/racoon.conf"
2010-12-24 04:21:26: INFO: 127.0.0.1[500] used as isakmp port (fd=6)
2010-12-24 04:21:26: INFO: 127.0.0.1[500] used for NAT-T
2010-12-24 04:21:26: INFO: 10.10.5.1[500] used as isakmp port (fd=7)
2010-12-24 04:21:26: INFO: 10.10.5.1[500] used for NAT-T
2010-12-24 04:21:26: INFO: yy.yy.yy.yy[500] used as isakmp port (fd=8)
2010-12-24 04:21:26: INFO: yy.yy.yy.yy[500] used for NAT-T
2010-12-24 04:21:26: INFO: ::1[500] used as isakmp port (fd=9)
2010-12-24 04:21:26: INFO: fe80::2e0:4cff:fea0:8bbf%eth0[500] used as isakmp port (fd=10)
2010-12-24 04:21:26: INFO: fe80::4e00:10ff:fea1:95b9%eth1[500] used as isakmp port (fd=11)

and looking at the Server F logs: nothing again! No logs about an attempt to connect from Server G
I absolutely don't understand why it does not try to connect to Server F >_<

salahx (Guru)
Posted: Fri Dec 24, 2010 1:55 am

racoon won't bring up the tunnel until something actually needs it. So do:
Code:
ping -I eth1 10.10.1.0

(where eth1 is the interface connected to your INTERNAL network). You should see the tunnel get established.

unax (n00b)
Posted: Sat Dec 25, 2010 6:59 pm

:D Yes, it works! I had just forgotten some rules for the firewall, but tcpdump fixed my problems with iptables)
p.s.
Maybe it will be helpful to someone.. Something about a firewall for client-server (remote office)
This example of iptables rules applies only to the work of the offices' local networks
Code:
IPTABLES=/sbin/iptables   # the posted snippet used $IPTABLES without setting it
LOCAL_NET=10.10.5.0/24    # office network
LAN_IP=10.10.5.1          # ip of office gateway
WAN_IP=yy.yy.yy.yy        # ip of ppp0
REMOTE_LAN=10.0.10.0/24   # remote lan
IPSEC_SERVER=xx.xx.xx.xx  # server of main office
IINTERFACE=eth1           # office LAN
OINTERFACE=eth0           # for pppoe
VINTERFACE=ppp0           # pppoe iface

  $IPTABLES -A INPUT -i $IINTERFACE -s $REMOTE_LAN -j ACCEPT
  $IPTABLES -A INPUT -i lo -s $REMOTE_LAN -j ACCEPT

  $IPTABLES -A INPUT -p udp -s $IPSEC_SERVER -d $WAN_IP --dport 500 -j ACCEPT
  $IPTABLES -A INPUT -p udp -s $IPSEC_SERVER -d $WAN_IP --dport 4500 -j ACCEPT
  $IPTABLES -A INPUT -p esp -s $IPSEC_SERVER -d $WAN_IP -j ACCEPT
  $IPTABLES -A INPUT -p ah  -s $IPSEC_SERVER -d $WAN_IP -j ACCEPT
  $IPTABLES -A INPUT -p gre -s $IPSEC_SERVER -d $WAN_IP -j ACCEPT

  # ip list of office LAN hosts with full internet access, one per line, '#' lines ignored
  inet=`grep -v "#" /etc/firewall/IP_FULL_ACCEESS_LIST`

  $IPTABLES -A FORWARD -i $IINTERFACE  -o $VINTERFACE -d $REMOTE_LAN -s $LOCAL_NET -j ACCEPT
  $IPTABLES -A FORWARD -i $VINTERFACE  -o $IINTERFACE -s $REMOTE_LAN -d $LOCAL_NET -j ACCEPT

  $IPTABLES -A FORWARD -i $VINTERFACE -o $IINTERFACE ! --source $REMOTE_LAN --destination $LOCAL_NET --match state --state ESTABLISHED -j ACCEPT
  for ip in $inet      # POSIX for/do/done instead of the bash-only { } loop body
  do
    $IPTABLES -A FORWARD -i $IINTERFACE  -o $VINTERFACE --source $ip ! --destination $REMOTE_LAN --match state --state NEW,ESTABLISHED -j ACCEPT
  done

  $IPTABLES -t nat -A POSTROUTING -s $LOCAL_NET ! -d $REMOTE_LAN -o $VINTERFACE -p ALL -j SNAT --to-source $WAN_IP
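
The ruleset in the post above forwards anything that arrives on the uplink with a source address in REMOTE_LAN, whether or not it came out of the ESP tunnel, which is the spoofing problem salahx pointed at earlier in the thread ("use iptables to let the ones in the tunnel through while blocking non-tunneled ones"). Linux exposes the SPD decision to netfilter through the iptables `policy` match, so the rules can insist that private-subnet packets were decapsulated from an SA with the known peer, and that office-to-remote traffic is about to enter one (and therefore must not be SNATed). The following is an added example written for this page, not the poster's script and not from ipsec-tools: a POSIX sh function that emits such a ruleset. By default it runs iptables through `echo`, so the rules can be reviewed without touching a live firewall; the variable names, the ppp0/eth1 interface names and the xx.xx.xx.xx/yy.yy.yy.yy placeholders follow the thread and are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from ipsec-tools): iptables rules for
# a site-to-site IPsec gateway that trust the remote LAN's addresses only when
# the packet was decapsulated from an ESP SA with the known peer.
# IPTABLES defaults to a dry run; set IPTABLES=/sbin/iptables to apply.
# Addresses and interface names are placeholders taken from this thread.

IPTABLES=${IPTABLES:-"echo iptables"}
LAN_IF=${LAN_IF:-eth1}               # office LAN
WAN_IF=${WAN_IF:-ppp0}               # pppoe uplink
LOCAL_NET=${LOCAL_NET:-10.10.5.0/24}
LAN_IP=${LAN_IP:-10.10.5.1}
WAN_IP=${WAN_IP:-yy.yy.yy.yy}
REMOTE_LAN=${REMOTE_LAN:-10.10.1.0/24}
PEER=${PEER:-xx.xx.xx.xx}            # main office gateway

# ipsec_fw_rules: print (or apply) the rules, in the order they must be added.
ipsec_fw_rules() {
    # "this packet was just decapsulated from a tunnel-mode ESP SA with $PEER"
    pol_in="-m policy --dir in --pol ipsec --proto esp --mode tunnel --tunnel-src $PEER"
    # "this packet will be encapsulated into a tunnel-mode ESP SA to $PEER"
    pol_out="-m policy --dir out --pol ipsec --proto esp --mode tunnel --tunnel-dst $PEER"

    # 1. IKE (500), NAT-T (4500) and ESP itself, from the peer only.
    $IPTABLES -A INPUT -i "$WAN_IF" -p udp -s "$PEER" -d "$WAN_IP" --dport 500 -j ACCEPT
    $IPTABLES -A INPUT -i "$WAN_IF" -p udp -s "$PEER" -d "$WAN_IP" --dport 4500 -j ACCEPT
    $IPTABLES -A INPUT -i "$WAN_IF" -p esp -s "$PEER" -d "$WAN_IP" -j ACCEPT

    # 2. Remote-LAN packets are accepted only after decapsulation from the peer's SA.
    #    The inner packet is seen a second time on $WAN_IF, with the private source.
    $IPTABLES -A INPUT -i "$WAN_IF" -s "$REMOTE_LAN" -d "$LAN_IP" $pol_in -j ACCEPT
    $IPTABLES -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -s "$REMOTE_LAN" -d "$LOCAL_NET" $pol_in -j ACCEPT

    # 3. Anything else on the uplink claiming a remote-LAN source is spoofed.
    $IPTABLES -A INPUT -i "$WAN_IF" -s "$REMOTE_LAN" -j DROP
    $IPTABLES -A FORWARD -i "$WAN_IF" -s "$REMOTE_LAN" -j DROP

    # 4. Office-to-remote-LAN traffic is forwarded only if an SPD entry will tunnel it.
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LOCAL_NET" -d "$REMOTE_LAN" $pol_out -j ACCEPT

    # 5. Tunnelled traffic keeps its private source; everything else is SNATed.
    $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -s "$LOCAL_NET" $pol_out -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -s "$LOCAL_NET" -j SNAT --to-source "$WAN_IP"
}

ipsec_fw_rules
```

Rule 2 must precede rule 3, since both match the same source range and only the `policy` match tells them apart; rule 5's ACCEPT in the nat table stops SNAT for tunnelled packets, which would otherwise rewrite the private source the remote SPD expects.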

unax (n00b)
Posted: Thu Jan 27, 2011 8:31 am

:)
I have a tiny question..
If I specify the interface, the traffic goes into the tunnel.
Quote:
ping -I eth1 10.100.1.100

where 10.100.1.0/24 is the remote subnet.
How do I configure routing for direct access... (just ping 10.100.1.10)
If I set a new route
Quote:
route add -net 10.100.1.0/24 dev eth0

there is no access to the remote subnet.. Perhaps this can be done with iptables, but I do not know what to write exactly :oops:

unax (n00b)
Posted: Fri Jan 28, 2011 4:05 am

so.. One route solved my problem :roll:
# ip route add <remote lan> via <global ip of router> src <local ip of router>
(the "-net" keyword belongs to the old route command, not to ip route, and has been dropped here)
everything is fine :)