Nothing in the logs is bad - means Racoon hasn't seen even the first
incoming packet. Try checking if packets are flowing at all via
Ethereal, and see where the "buck stops".
On the other hand, it looks like IPsec is dead, much to my
disappointment. For example, I cannot set an IPsec pipe between a Win XP
and a Linux machine (both are NAT-ted) despite hours of effort - while
SSH works straight out-of-box (and is easier to configure). I used to
think that SSL/TLS VPNs were a stupid idea. Now I learned...
Jarek wrote:
> lasseboo wrote:
>
>> hi,
>>
>> couldn't you give a bit more info? configs - ips - the scenario...?
>>
>> I wonder if you're trying to do something impossible, e.g. pinging from
>> ipsec-gateway to ipsec-gateway via a tunnel - that won't work AFAIK.
>
>
> Why ? It works for me (requires separate spdadd-s, not described in
> this config).
>
> This is my configuration (the part for net-to-net configuration only):
>
> NET1:192.168.20.0/24
> |
> [192.168.20.1:ipsecgateway:192.168.10.2]
> |
> [192.168.10.1:ipsecgateway:192.168.1.1]
> |
> NET2:192.168.1.0/24
>
> setkey:
> =========================================================
> flush;
> spdflush;
> spdadd 192.168.20.0/24 192.168.1.0/24 any -P out ipsec
> esp/tunnel/192.168.10.2-192.168.10.1/require;
> spdadd 192.168.1.0/24 192.168.20.0/24 any -P in ipsec
> esp/tunnel/192.168.10.1-192.168.10.2/require;
> spdadd 192.168.20.0/24 192.168.1.0/24 any -P fwd ipsec
> esp/tunnel/192.168.10.2-192.168.10.1/require;
> =========================================================
> racoon:
> =========================================================
> path certificate "/var/ssl/certs";
> listen {
>     isakmp 192.168.10.2;
> }
> remote 192.168.10.1 {
>     exchange_mode main;
>     certificate_type x509 "VPN2.cert" "VPN2.pem";
>     verify_cert on;
>     my_identifier asn1dn;
>     peers_identifier asn1dn;
>     proposal {
>         encryption_algorithm 3des;
>         hash_algorithm sha1;
>         authentication_method rsasig;
>         dh_group modp1024;
>     }
> }
> sainfo anonymous {
>     pfs_group modp768;
>     encryption_algorithm 3des;
>     authentication_algorithm hmac_md5;
>     compression_algorithm deflate;
> }
> =========================================================
> Second side has opposite ip addresses.
> All the settings regarding authorization are OK. But ping from any
> machine in NET1 to NET2 or the opposite doesn't start the IPSec tunnel (the ipsec
> gateways are the default gateways for the machines in those networks).
> There is nothing in the logs (even with -v -ddd).
> Do I need some additional route settings on the ipsec gateway?
>
> Jarek.
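Because the thread turns on whether the gateway's SPD entries actually trigger the tunnel, here is an added consistency check for setkey spdadd policies of the form quoted above. This is example code written for this page, not code from ipsec-tools, racoon or any poster, and its function and field names are its own. It parses the single-rule `spdadd SRC DST UPPER -P DIR ipsec RULE` form, checks that every out policy has an in twin with swapped selectors and swapped tunnel endpoints, and checks the fwd entries: on Linux the fwd direction is evaluated on packets the gateway forwards, against the IPsec processing those packets have already received, so a fwd entry normally carries the same selectors as the in entry rather than the out entry (the convention the Linux IPsec-HOWTO net-to-net examples follow). Jarek's quoted setkey script is embedded as the sample input; the checker reports that its fwd entry copies the out policy and produces the fwd line it would expect instead.

```python
"""Consistency check for setkey(8) SPD policies on a Linux net-to-net IPsec gateway.
Added example for this thread; not code from ipsec-tools, racoon or any poster."""
from __future__ import annotations

import re
from dataclasses import dataclass, replace

# Sample input: Jarek's quoted setkey script, copied from the thread.
SAMPLE_SPD = """
flush;
spdflush;
spdadd 192.168.20.0/24 192.168.1.0/24 any -P out ipsec
esp/tunnel/192.168.10.2-192.168.10.1/require;
spdadd 192.168.1.0/24 192.168.20.0/24 any -P in ipsec
esp/tunnel/192.168.10.1-192.168.10.2/require;
spdadd 192.168.20.0/24 192.168.1.0/24 any -P fwd ipsec
esp/tunnel/192.168.10.2-192.168.10.1/require;
"""

# protocol/mode/[outer-src-outer-dst]/level, e.g. esp/tunnel/A-B/require or esp/transport//require
_RULE = re.compile(
    r"^(esp|ah|ipcomp)/(tunnel|transport)/(?:([^-/]+)-([^/]+))?/(require|use|default|unique)$")


@dataclass(frozen=True)
class SpdEntry:  # name chosen for this example
    src: str        # selector: inner source range
    dst: str        # selector: inner destination range
    upper: str      # upper-layer protocol selector ("any", "icmp", ...)
    direction: str  # out, in or fwd
    proto: str      # esp, ah or ipcomp
    mode: str       # tunnel or transport
    tun_src: str    # outer tunnel source ("" in transport mode)
    tun_dst: str    # outer tunnel destination ("" in transport mode)
    level: str      # require, use, default or unique

    def mirrored(self, direction: str) -> SpdEntry:
        """The same policy as seen from the opposite traffic direction."""
        return replace(self, src=self.dst, dst=self.src, tun_src=self.tun_dst,
                       tun_dst=self.tun_src, direction=direction)

    def flow(self) -> tuple:
        """Every field except the direction keyword, for comparisons."""
        return (self.src, self.dst, self.upper, self.proto, self.mode,
                self.tun_src, self.tun_dst, self.level)


def parse_spd(script: str) -> list[SpdEntry]:
    """Parse the spdadd statements of a setkey script; other statements are skipped.
    Only the single-rule form without a priority specification is handled."""
    entries = []
    for statement in script.split(";"):
        tok = statement.split()
        if not tok or tok[0] != "spdadd":
            continue
        if len(tok) != 8 or tok[4] != "-P" or tok[6] != "ipsec":
            raise ValueError(f"unsupported spdadd form: {' '.join(tok)}")
        m = _RULE.match(tok[7])
        if m is None:
            raise ValueError(f"unsupported policy rule: {tok[7]}")
        proto, mode, tun_src, tun_dst, level = m.groups()
        entries.append(SpdEntry(tok[1], tok[2], tok[3], tok[5], proto, mode,
                                tun_src or "", tun_dst or "", level))
    return entries


def to_setkey(e: SpdEntry) -> str:
    """Render an entry back into a one-line spdadd statement."""
    endpoints = f"{e.tun_src}-{e.tun_dst}" if e.mode == "tunnel" else ""
    return (f"spdadd {e.src} {e.dst} {e.upper} -P {e.direction} ipsec "
            f"{e.proto}/{e.mode}/{endpoints}/{e.level};")


def check_spd(entries: list[SpdEntry]) -> list[str]:
    """Return human-readable findings; an empty list means the SPD is consistent."""
    findings = []
    flows = {d: {e.flow() for e in entries if e.direction == d} for d in ("out", "in", "fwd")}
    for e in entries:
        if e.direction == "out" and e.mirrored("in").flow() not in flows["in"]:
            findings.append(f"out policy {e.src}->{e.dst} has no matching in policy")
        elif e.direction == "in":
            if e.mirrored("out").flow() not in flows["out"]:
                findings.append(f"in policy {e.src}->{e.dst} has no matching out policy")
            # Linux checks fwd policies on packets it forwards after decapsulation,
            # so a tunnel-mode in policy needs a fwd twin with the same selectors.
            if e.mode == "tunnel" and e.flow() not in flows["fwd"]:
                findings.append(f"in policy {e.src}->{e.dst} has no fwd policy for forwarded traffic")
        elif e.direction == "fwd" and e.flow() not in flows["in"]:
            hint = ""
            if e.flow() in flows["out"]:
                hint = (" (it copies the out policy; cleartext packets from the inner network"
                        " cannot satisfy a required tunnel at the forward check)")
            findings.append(f"fwd policy {e.src}->{e.dst} matches no in policy{hint}")
    return findings


def suggested_fwd_policies(entries: list[SpdEntry]) -> list[str]:
    """setkey lines for the fwd policies that tunnel-mode in policies still lack."""
    have = {e.flow() for e in entries if e.direction == "fwd"}
    return [to_setkey(replace(e, direction="fwd")) for e in entries
            if e.direction == "in" and e.mode == "tunnel" and e.flow() not in have]


if __name__ == "__main__":
    parsed = parse_spd(SAMPLE_SPD)
    for finding in check_spd(parsed):
        print("finding:", finding)
    for line in suggested_fwd_policies(parsed):
        print("expected:", line)
```

Run as a script it prints the findings for the sample; to check a different gateway, pass the text of its setkey script to `parse_spd` (the dump format of `setkey -DP` is not the spdadd syntax and is not parsed here). The check only covers the policy side: if the SPD is consistent and a ping still produces nothing in racoon's log, the packet-level check suggested at the top of the thread, confirming that the ICMP packet reaches the gateway and that ISAKMP traffic leaves it, is the next step. As a separate caveat on the quoted racoon proposal, 3des, hmac_md5 and a modp768 PFS group reflect the time of the post; a current deployment would use AES, an HMAC from the SHA-2 family and a 2048-bit or larger Diffie-Hellman group.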