IPSec: net-to-net config not working

Discussion in 'Linux Networking' started by Jarek, Aug 4, 2005.

  1. Jarek (Guest)

    Hi all!

    I have a problem with IPSec (kernel 2.6.12, ipsec-tools 5.2).
    I'm trying to set up the simplest possible ipsec net-to-net
    configuration, and it doesn't want to work.
    If I'm pinging from one ipsec host to another ipsec host, it works, I can see
    that the tunnel has been established, but with the net-to-net configuration
    the ipsec hosts don't even try to establish the tunnel.
    The configuration is the simplest one from ipsec-tools.org,
    with sainfo anonymous.


    best regards
    Jarek
     
    Jarek, Aug 4, 2005
    #1

  2. lasseboo (Guest)

    hi,

    couldn't you give a bit more info? configs - ips - the scenario...?

    I wonder if you're trying to do something impossible, e.g. pinging from
    ipsec-gateway to ipsec-gateway via a tunnel - that won't work AFAIK.

    greetings


    lasseboo
     
    lasseboo, Aug 4, 2005
    #2

  3. Jarek (Guest)

    Why? It works for me (requires separate spdadd entries, not described in this
    config).

    This is my configuration (the part for net-to-net configuration only):

    NET1:192.168.20.0/24
    |
    [192.168.20.1:ipsecgateway:192.168.10.2]
    |
    [192.168.10.1:ipsecgateway:192.168.1.1]
    |
    NET2:192.168.1.0/24

    setkey:
    =========================================================
    flush;
    spdflush;
    spdadd 192.168.20.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/192.168.10.2-192.168.10.1/require;
    spdadd 192.168.1.0/24 192.168.20.0/24 any -P in ipsec esp/tunnel/192.168.10.1-192.168.10.2/require;
    spdadd 192.168.20.0/24 192.168.1.0/24 any -P fwd ipsec esp/tunnel/192.168.10.2-192.168.10.1/require;
    =========================================================
    racoon:
    =========================================================
    path certificate "/var/ssl/certs";
    listen {
        isakmp 192.168.10.2;
    }
    remote 192.168.10.1 {
        exchange_mode main;
        certificate_type x509 "VPN2.cert" "VPN2.pem";
        verify_cert on;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method rsasig;
            dh_group modp1024;
        }
    }
    sainfo anonymous {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
    }
    =========================================================
    Second side has opposite ip addresses.
    All the settings regarding authorization are OK. But a ping from any
    machine in NET1 to NET2 or the opposite doesn't start the IPSec tunnel (the ipsec
    gateways are the default gateways for the machines in those networks).
    There is nothing in the logs (even with -v -ddd).
    Do I need some additional route settings in the ipsec gateway?

    Jarek.
     
    Jarek, Aug 4, 2005
    #3
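One way to sanity-check an SPD like the one in the post above before chasing racoon logs is to verify that the three policy directions agree with each other. The checker below is an added example, not code from the thread or from ipsec-tools; it assumes the Linux xfrm semantics of the three directions: "out" governs packets leaving the gateway, "in" governs decapsulated packets delivered to the gateway itself, and "fwd" governs decapsulated packets the gateway forwards into the local net, so a fwd entry carries the same selector and tunnel endpoints as the in entry. A fwd entry that instead copies the out selector matches the clear-text packets arriving from the local net, and at level "require" those packets are discarded at the forwarding check before the out policy is consulted, so no acquire reaches racoon and the logs stay empty. The sample SPD text is copied from the post; the names Policy, parse_spd, spdadd_line and check_net_to_net are the example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches one setkey "spdadd" statement (whitespace already collapsed, ';' removed).
# Assumption: policies use the esp/tunnel/<src-gw>-<dst-gw>/<level> form seen in
# the post; transport-mode or AH entries are simply ignored by this checker.
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+\S+\s+-P\s+(?P<dir>in|out|fwd)\s+ipsec\s+"
    r"esp/tunnel/(?P<tsrc>[^-\s]+)-(?P<tdst>[^/\s]+)/(?P<level>\w+)"
)


@dataclass(frozen=True)
class Policy:
    src: str        # selector source network
    dst: str        # selector destination network
    direction: str  # out | in | fwd
    tsrc: str       # tunnel source gateway
    tdst: str       # tunnel destination gateway
    level: str      # require | use | default


def parse_spd(text: str) -> list[Policy]:
    """Parse spdadd statements from setkey configuration text.

    setkey statements end at ';' and may span lines, so the text is joined
    before splitting on ';'. flush/spdflush and unrecognised entries are skipped.
    """
    policies = []
    for stmt in re.sub(r"\s+", " ", text).split(";"):
        m = SPDADD_RE.search(stmt)
        if m:
            policies.append(Policy(m["src"], m["dst"], m["dir"], m["tsrc"], m["tdst"], m["level"]))
    return policies


def spdadd_line(p: Policy) -> str:
    """Render a Policy back into setkey syntax (used in the suggestions)."""
    return (f"spdadd {p.src} {p.dst} any -P {p.direction} ipsec "
            f"esp/tunnel/{p.tsrc}-{p.tdst}/{p.level};")


def check_net_to_net(policies: list[Policy]) -> list[str]:
    """Return a list of findings; an empty list means the SPD is consistent.

    For every 'out' entry (A -> B through gwA-gwB) a Linux gateway needs:
      in  B -> A through gwB-gwA   (decapsulated traffic delivered locally)
      fwd B -> A through gwB-gwA   (decapsulated traffic forwarded into A)
    """
    findings = []
    by_dir = {d: [p for p in policies if p.direction == d] for d in ("out", "in", "fwd")}
    for out in by_dir["out"]:
        want_in = Policy(out.dst, out.src, "in", out.tdst, out.tsrc, out.level)
        want_fwd = Policy(out.dst, out.src, "fwd", out.tdst, out.tsrc, out.level)
        if want_in not in by_dir["in"]:
            findings.append(f"missing 'in' policy for {out.src}->{out.dst}; "
                            f"expected: {spdadd_line(want_in)}")
        if want_fwd in by_dir["fwd"]:
            continue
        mirrors_out = [f for f in by_dir["fwd"] if (f.src, f.dst) == (out.src, out.dst)]
        same_selector = [f for f in by_dir["fwd"] if (f.src, f.dst) == (want_fwd.src, want_fwd.dst)]
        if mirrors_out:
            findings.append(f"'fwd' policy {out.src}->{out.dst} mirrors the 'out' entry; "
                            f"on Linux it must mirror 'in': {spdadd_line(want_fwd)}")
        elif same_selector:
            findings.append(f"'fwd' policy for {want_fwd.src}->{want_fwd.dst} has wrong tunnel "
                            f"endpoints or level; expected: {spdadd_line(want_fwd)}")
        else:
            findings.append(f"missing 'fwd' policy; expected: {spdadd_line(want_fwd)}")
    return findings


# Constructed sample: the SPD from the post above, as loaded on gateway 192.168.10.2.
POSTED_SPD = """
flush;
spdflush;
spdadd 192.168.20.0/24 192.168.1.0/24 any -P out ipsec
esp/tunnel/192.168.10.2-192.168.10.1/require;
spdadd 192.168.1.0/24 192.168.20.0/24 any -P in ipsec
esp/tunnel/192.168.10.1-192.168.10.2/require;
spdadd 192.168.20.0/24 192.168.1.0/24 any -P fwd ipsec
esp/tunnel/192.168.10.2-192.168.10.1/require;
"""

# Constructed variant in which the 'fwd' entry mirrors the 'in' entry.
CORRECTED_SPD = POSTED_SPD.replace(
    "spdadd 192.168.20.0/24 192.168.1.0/24 any -P fwd ipsec\nesp/tunnel/192.168.10.2-192.168.10.1/require;",
    "spdadd 192.168.1.0/24 192.168.20.0/24 any -P fwd ipsec\nesp/tunnel/192.168.10.1-192.168.10.2/require;",
)

if __name__ == "__main__":
    for label, spd in (("posted", POSTED_SPD), ("corrected", CORRECTED_SPD)):
        findings = check_net_to_net(parse_spd(spd))
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it on the SPD text of each gateway (the second gateway's entries have the addresses swapped) and fix whatever it reports before looking further; the checker deliberately reports only structural mismatches between directions and says nothing about whether the tunnel endpoints are reachable or whether IP forwarding is enabled.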
  4. Mouse (Guest)

    Nothing in the logs is bad - means Racoon hasn't seen even the first
    incoming packet. Try checking if packets are flowing at all via
    Ethereal, and see where the "buck stops".

    On the other hand, it looks like IPsec is dead, much to my
    disappointment. For example, I cannot set up an IPsec pipe between a Win XP
    and a Linux machine (both are NAT-ted) despite hours of effort - while
    SSH works straight out of the box (and is easier to configure). I used to
    think that SSL/TLS VPNs were a stupid idea. Now I learned...
     
    Mouse, Aug 12, 2005
    #4
  5. M Daser (Guest)

    Hello Jarek,
    did you solve your problem already?

    As you can ping from gateway to gateway and you set up tunnel mode
    everything looks fine ...

    Just a stupid question: did you enable IP forwarding in the kernel? I
    mean, does the whole setup work if you switch off IPsec altogether (just to
    verify)?

    -- Martin
     
    M Daser, Aug 29, 2005
    #5
