FreeS/WAN setup problems

Kenneth E. Lussier ken.lussier at zuken.com
Wed Feb 26 11:21:33 EST 2003


On Wed, 2003-02-26 at 09:08, Cole Tuininga wrote:
> 
> Ok - here's the situation.  I'm looking doing some work from home, so I
> want to VPN my home network with my lab network at work.  Here's the
> setup:
> 
> Both networks are basically the same in setup.  They look like:
> 
> linux workstations <--> linux masqing box <--> internet

Can you get from one gateway to another? IOW, can the internal interface
on one side ping the internal interface on the other? What about
traceroutes from the gateway as well as from the internal machines?

> On the home network, I use an internal class C network: 192.168.2.0/24
> and at work we use 192.168.1.0/24.
> 
> My ipsec.conf on each side looks like the following:
> 
> config setup
>     interfaces="ipsec0=eth1"
>     klipsdebug=none
>     plutodebug=none
>     plutoload=%search
>     plutostart=%search
>     uniqueids=yes
> 
> conn %default
>     keyingtries=0
>     disablearrivalcheck=yes
>     authby=rsasig
> 
> conn panam-cole
>     left = 63.127.199.26
>     leftsubnet = 192.168.2.0/24
>     leftnexthop = 63.127.199.25
>     leftrsasigkey = 0sAQNkta3 [snipped for brevity]
>     right = 209.187.117.100
>     rightsubnet = 192.168.1.0/24
>     rightnexthop = 209.187.117.65
>     rightrsasigkey=0sAQPBb4 [snipped for brevity]
>     auto = start

It's not essential, but you might want to add a gateway-to-gateway conn
section:

conn workgateway-homegateway
    left = 63.127.199.26
    leftnexthop = 63.127.199.25
    leftrsasigkey = 0sAQNkta3 [snipped for brevity]
    right = 209.187.117.100
    rightnexthop = 209.187.117.65
    rightrsasigkey=0sAQPBb4 [snipped for brevity]
    auto = start


> One thing I should mention is that the kernel patches I'm using are for
> freeswan 1.96 and freeswan itself is 1.99.  Before anybody jumps on me
> TOO much about that, I'll say this.  It was working.  8)

That shouldn't really be a big deal. However, for the sake of
continuity, you might want to grab the latest kernel patches.

> Both machines that are VPNs are also NATing for their internal
> networks.  I'm making sure that it is not NATing for the private
> networks by adding a -d ! 192.168.0.0/16 into the nat rule.  I'm using
> kernel 2.4.18 with iptables.

Are the routing tables set up to send 192.168.1/2.0/24 traffic out 
ipsec0?
 
> Like I said before, it's rather peculiar because it *was* working.  I
> had to finish assembling the box here at Pan Am so I took it down.  When
> it came back up, the logs claim that the ipsec connection is active, and
> if I turn on klipsdebug to all I can see that "something is happening",
> but my pings and ssh's don't make it through.

Are they not making it out, or are they not making it back? 

> Any thoughts on what could be wrong?  Or even what to do as a next
> diagnostic step?

Thoughts on what could be wrong:

Any one of a million things ;-)

Diagnostic steps:

traceroute to see where the packets are actually going/coming from.
Routing is a common problem with ipsec where the traffic comes in the
ipsec tunnel, but the return traffic ends up going out the default
gateway via the internet. 

C-Ya,
Kenny

-- 
----------------------------------------------------------------------------
"Tact is just *not* saying true stuff" -- Cordelia Chase

Kenneth E. Lussier
Sr. Systems Administrator
Zuken, USA
PGP KeyID CB254DD0 
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xCB254DD0
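Kenny's routing question above (does 192.168.1.0/24 traffic actually leave via ipsec0, or fall through to the default gateway?) can be checked mechanically. The script below is an added example, not code from the thread: it parses `route -n` style output and replays the kernel's longest-prefix lookup for a host on the far subnet. Both routing tables are constructed for illustration, not captured from Cole's gateways.

```python
"""Replay the kernel's routing decision for traffic bound for the far
side of a FreeS/WAN (KLIPS) tunnel, from `route -n` formatted text."""
import ipaddress

# Constructed `route -n` output for the home gateway (63.127.199.26) with
# the tunnel up: KLIPS added a route for the work subnet out ipsec0.
GOOD_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     63.127.199.25   255.255.255.0   UG    0      0        0 ipsec0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
63.127.199.24   0.0.0.0         255.255.255.248 U     0      0        0 eth1
63.127.199.24   0.0.0.0         255.255.255.248 U     0      0        0 ipsec0
0.0.0.0         63.127.199.25   0.0.0.0         UG    0      0        0 eth1
"""

# Constructed table for the same box after a restart that lost the
# 192.168.1.0/24 route: far-subnet traffic now matches only the default.
BAD_TABLE = "\n".join(
    line for line in GOOD_TABLE.splitlines() if not line.startswith("192.168.1.0")
) + "\n"


def parse_route_table(text):
    """Return [(network, gateway, iface)] from `route -n` output."""
    routes = []
    for line in text.splitlines()[2:]:          # skip the two header lines
        if not line.strip():
            continue
        dst, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        routes.append((ipaddress.IPv4Network((dst, mask)), gw, iface))
    return routes


def lookup(routes, dst_ip):
    """Longest-prefix match, as the kernel does; first entry wins a tie."""
    ip = ipaddress.IPv4Address(dst_ip)
    best = None
    for net, gw, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def check_tunnel_route(text, peer_subnet, tunnel_iface="ipsec0"):
    """Probe the first host of peer_subnet; return (ok, iface_chosen)."""
    probe = next(ipaddress.IPv4Network(peer_subnet).hosts())
    _net, _gw, iface = lookup(parse_route_table(text), str(probe))
    return iface == tunnel_iface, iface
```

Run it against the output of `route -n` on each gateway; a result of `(False, 'eth1')` is exactly the "return traffic goes out the default gateway" failure Kenny describes.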





More information about the gnhlug-discuss mailing list