I'm trying to set up IPsec communication between clients on my wireless LAN
and a Zyxel Prestige 312 (now known as a Zywall10). My access point doesn't do
IPSec, so I'm trying to terminate the IPSec vpn at the firewall, to pass
unencrypted traffic to either the internet or to my wired LAN.
My intention is to prevent unauthorized wireless clients from getting
access to my LAN (wired or wireless) or to my WAN connection. Wireless LAN
clients would need access to hosts on the wired LAN, as well as access to
the internet. No traffic originating on the WAN needs inbound access
to the wireless LAN. Non-IPSec traffic to and from the access point
(172.16.1.2) will be permitted by the firewall rules.
---------------------------------------------------------------------------
{internet}-----[cable modem]--+
                              | DHCP-assigned IP
                              |
                         [zyxel 312]
                 172.25.1.1 | 172.16.1.1
                 ("real" IP)| (alias IP)
                            |
                            |
                            |
                         [ hub ]
                          |   |
                          |   +------[WLAN AP]- - - - -{wireless LAN}
                          |        172.16.1.2           172.16.1.0/24
                          |
                     {wired LAN}
                     172.25.1.0/24
---------------------------------------------------------------------------
Environment:
Zyxel Prestige 312
------------------
ZyNOS F/W Version: V3.52(WA.4)
wired lan (gateway address): 172.25.1.1/24
wireless lan, as an "IP Alias": 172.16.1.1/24
----------------------------------
Firewall rules, Packet Direction: Lan to Lan/Zywall
Rule  Src             Dest            Proto/port   Policy
1     0.0.0.0         172.16.1.2      any/any      forward
2     172.16.1.2      0.0.0.0         any/any      forward
3     172.16.1.3-255  0.0.0.0         50,51,IKE    forward
4     0.0.0.0         172.16.1.3-255  50,51,IKE    forward
5     172.16.1.0/24   0.0.0.0         any/any      drop
----------------------------------
Zyxel VPN configuration:
Index #= 1 Name= wlan
Active= Yes Keep Alive= Yes Nat Traversal= No
Local ID type= IP Content=
My IP Addr= 0.0.0.0
Peer ID type= IP Content= 172.16.1.101
Secure Gateway Address= 172.16.1.101
Protocol= 0
Local: Addr Type= SINGLE
IP Addr Start= 172.16.1.1 End/Subnet Mask= N/A
Port Start= 0 End= N/A
Remote: Addr Type= RANGE
IP Addr Start= 172.16.1.100 End/Subnet Mask= 172.16.1.255
Port Start= 0 End= N/A
Enable Replay Detection= No
Key Management= IKE
Phase 1
Negotiation Mode= Main
PSK= my-secret-key-goes-right-here
Encryption Algorithm= 3DES
Authentication Algorithm= MD5
SA Life Time (Seconds)= 28800
Key Group= DH2
Phase 2
Active Protocol= ESP
Encryption Algorithm= 3DES
Authentication Algorithm= MD5
SA Life Time (Seconds)= 28800
Encapsulation= Tunnel
Perfect Forward Secrecy (PFS)= None
Wireless client:
----------------
Linux: RH9, 2.4.24
Kernel compiled with Crypto options
Freeswan 2.04
no iptables/pf/ipchains rules
eth0:1 (ipsec0): 172.16.1.100/24
/etc/ipsec.conf:
config setup
    interfaces="ipsec0=eth0:1"
    klipsdebug=none
    plutodebug=all

conn %default
    keyingtries=8

conn wlan
    left=172.16.1.101
    right=172.16.1.1
    rightsubnet=0.0.0.0/0
    pfs=no
    auto=start
    authby=secret
    auth=esp
    esp=3des-md5-96
When I attempt to start ipsec on the wireless client, I get the following
messages:
ipsec_setup: Starting FreeS/WAN IPsec 2.04...
ipsec_setup: Using /lib/modules/2.4.24/kernel/ipsec.o
kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 2.04
/etc/hotplug/net.agent: invoke ifup ipsec0
/etc/hotplug/net.agent: invoke ifup ipsec1
/etc/hotplug/net.agent: invoke ifup ipsec2
ipsec_setup: KLIPS debug `none'
kernel:
/etc/hotplug/net.agent: invoke ifup ipsec3
ipsec_setup: KLIPS ipsec0 on eth0:1 172.16.1.101/255.255.255.0 broadcast 172.16.255.255
ipsec_setup: ...FreeS/WAN IPsec started
ipsec__plutorun: 104 "wlan" #1: STATE_MAIN_I1: initiate
ipsec__plutorun: ...could not start conn "wlan"
If I sniff traffic, I see ISAKMP "Identity Protection", "Quick Mode",
and "Informational" messages being exchanged between the client
(172.16.1.101) and the 172.16.1.1 IP of the router (ipsec-gw); however,
the SA is never formed. I suspect that the problem is actually with
the router configuration--it's not clear to me what values I should be
entering for each field, particularly since the router will be the end
point of a VPN on its own LAN.
Ethereal packet trace:
No.  Source        Destination   Protocol  Info
16   172.16.1.101  ipsec-gw      ISAKMP    Identity Protection (Main Mode)
17   ipsec-gw      172.16.1.101  ISAKMP    Identity Protection (Main Mode)
18   172.16.1.101  ipsec-gw      ISAKMP    Identity Protection (Main Mode)
19   ipsec-gw      172.16.1.101  ISAKMP    Identity Protection (Main Mode)
20   172.16.1.101  ipsec-gw      ISAKMP    Identity Protection (Main Mode)
21   ipsec-gw      172.16.1.101  ISAKMP    Identity Protection (Main Mode)
22   172.16.1.101  ipsec-gw      ISAKMP    Quick Mode
23   ipsec-gw      172.16.1.101  ISAKMP    Informational
24   ipsec-gw      172.16.1.101  ISAKMP    Informational
25   172.16.1.101  ipsec-gw      ISAKMP    Informational
26   172.16.1.101  ipsec-gw      ISAKMP    Quick Mode
The router logs show:
Source IP     |Destination IP |Note
172.16.1.101  |172.16.1.1     |IKE Recv Main Mode request from [172.16.1.101]
172.16.1.101  |172.16.1.1     |IKE Recv:[SA]
172.16.1.1    |172.16.1.101   |IKE Send:[SA][VID]
172.16.1.101  |172.16.1.1     |IKE Recv:[KE][NONCE]
172.16.1.1    |172.16.1.101   |IKE Send:[KE][NONCE]
172.16.1.101  |172.16.1.1     |IKE Recv:[ID][HASH]
172.16.1.101  |172.16.1.1     |IKE Build Phase 1 ID
172.16.1.1    |172.16.1.101   |IKE Send:[ID][HASH][NOTFY:INIT_CONT
172.16.1.101  |172.16.1.1     |IKE Recv:[HASH][SA][NONCE][ID][ID]
172.16.1.101  |172.16.1.1     |IKE Start Phase 2: Quick Mode
172.16.1.101  |172.16.1.1     |IKE !! Verifying Remote ID failed:
172.16.1.101  |172.16.1.1     |IKE Recv ID: SUBNET, [172.16.1.101]-[255.255.255.255]
172.16.1.101  |172.16.1.1     |IKE vs. My Remote [172.16.1.100]-[172.16.1.255]
172.16.1.1    |172.16.1.101   |IKE Send:[HASH][NOTFY:ERR_ID_INFO]
172.16.1.1    |172.16.1.101   |IKE Send:[HASH][DEL]
I'd be happy to send more information--including the barf output--either to
the newsgroup or directly. I'd really appreciate any suggestions.
***************************************************
**** E-mail replies preferred. I will summarize. **
***************************************************
Thanks,
Mark
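The router log above ends with the Phase 2 "Verifying Remote ID failed" pair: the peer's Quick Mode ID arrives as SUBNET 172.16.1.101/255.255.255.255 while the Zywall's configured Remote is the RANGE 172.16.1.100-172.16.1.255. The following script is an added example, not part of the original post or of any Zyxel or FreeS/WAN code: it parses those two log "Note" fields and reports whether the received ID matches the configured remote exactly or merely falls inside it. Whether the gateway insists on an exact type-and-range match or accepts containment is an assumption; the checker reports both so the log can be read either way.

```python
import ipaddress
import re

# Constructed sample input: the two "Note" fields quoted from the Zywall log.
RECV_ID_LINE = "IKE Recv ID: SUBNET, [172.16.1.101]-[255.255.255.255]"
MY_REMOTE_LINE = "IKE vs. My Remote [172.16.1.100]-[172.16.1.255]"

RECV_RE = re.compile(r"Recv ID: (\w+), \[([\d.]+)\]-\[([\d.]+)\]")
REMOTE_RE = re.compile(r"My Remote \[([\d.]+)\]-\[([\d.]+)\]")


def parse_recv_id(line):
    """Return (id_type, first_ip, last_ip) from a 'Recv ID' log line."""
    m = RECV_RE.search(line)
    if not m:
        raise ValueError("not a Recv ID line: %r" % line)
    id_type, a, b = m.groups()
    if id_type == "SUBNET":
        # addr/mask form; a 255.255.255.255 mask encodes a single host
        net = ipaddress.ip_network("%s/%s" % (a, b), strict=False)
        return id_type, net[0], net[-1]
    if id_type == "RANGE":
        return id_type, ipaddress.ip_address(a), ipaddress.ip_address(b)
    if id_type == "SINGLE":
        return id_type, ipaddress.ip_address(a), ipaddress.ip_address(a)
    raise ValueError("unknown ID type %r" % id_type)


def parse_my_remote(line):
    """Return (first_ip, last_ip) of the gateway's configured Remote range."""
    m = REMOTE_RE.search(line)
    if not m:
        raise ValueError("not a My Remote line: %r" % line)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def check_remote_id(recv_line, remote_line):
    """Compare the peer's Phase 2 ID against the configured remote selector."""
    id_type, lo, hi = parse_recv_id(recv_line)
    cfg_lo, cfg_hi = parse_my_remote(remote_line)
    return {
        "id_type": id_type,
        "peer": "%s-%s" % (lo, hi),
        "configured": "%s-%s" % (cfg_lo, cfg_hi),
        "exact_match": lo == cfg_lo and hi == cfg_hi,
        "within_range": cfg_lo <= lo and hi <= cfg_hi,
    }


if __name__ == "__main__":
    print(check_remote_id(RECV_ID_LINE, MY_REMOTE_LINE))
```

For the quoted log the result is a single-host ID that lies inside the configured range but is not an exact match, which is the condition the Zywall reported as a failure.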