Package: iptables
Version: 1.2.11-10
Severity: normal
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages iptables depends on:
ii libc6 2.3.2.ds1-21 GNU C Library: Shared libraries an
-- no debconf information
In cases where one VPN is shared among two SPDs, depending on the order
in which the connections are established, one link will fail.
The problem can be seen in a situation such as the following:

                         Internet Link
1.2.3.0/24 -> Debian_1 <---------------> Debian_2 ----> 4.5.6.0/24
                 |        tunnel VPN         |    |
                 V                           |    |------> 7.0.0.0/8
            Dynamic PPP                      V
                                         Static IP
In this schematic, the 1.2.3.0/24 network needs to access networks
4.5.6.0/24 and 7.0.0.0/8, which are behind the Debian_2 box. Debian_2
accesses all networks through one network card (eth0). All connections
from 1.2.3.0/24 to 4.5.6.0/24 and 7.0.0.0/8 are MASQUERADEd by the
Debian_2 box.
Since Debian_1 connects to Internet via a PPP link, the SPDs are
configured with the script "/etc/ppp/ip-up.d/ipsec" and racoon with
"racoon.conf" as shown at the end of the file.
Now if I ask from 1.2.3.0/24 for an IP in 7.0.0.0, the VPN comes alive
and it works fine. I can then initiate a connection to 4.5.6.0/24 and
I'll get an answer.
If on the other hand I initiate the VPN with a call for a 4.5.6.0/24
address and *afterwards* for a 7.0.0.0/8, then the 7.0.0.0/8 net does
not reply. Basically the Debian_2 box seems not to apply the "-j
MASQUERADE" option on the packets it receives through the VPN.
Changing the order of the SPDs in the /etc/ppp/ip-up.d/ipsec file
simply moves the problem to the other network.
/etc/ppp/ip-up.d/ipsec:
--------------------------------------------
#!/bin/sh
# Run by pppd once the PPP link is up; PPP_LOCAL holds the address
# assigned to the local end of the link.
/etc/init.d/racoon restart
/usr/sbin/setkey -c <<EOF
flush;
spdflush;
# 1.2.3.0/24 <-> 4.5.6.0/24, tunnelled between the PPP address and 10.0.0.1
spdadd 1.2.3.0/24 4.5.6.0/24 any
    -P out ipsec esp/tunnel/${PPP_LOCAL}-10.0.0.1/require;
spdadd 4.5.6.0/24 1.2.3.0/24 any
    -P in ipsec esp/tunnel/10.0.0.1-${PPP_LOCAL}/require;
# 1.2.3.0/24 <-> 7.0.0.0/8, using the same tunnel endpoints
spdadd 1.2.3.0/24 7.0.0.0/8 any
    -P out ipsec esp/tunnel/${PPP_LOCAL}-10.0.0.1/require;
spdadd 7.0.0.0/8 1.2.3.0/24 any
    -P in ipsec esp/tunnel/10.0.0.1-${PPP_LOCAL}/require;
EOF
--------------------------------------------
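As an added illustration (not part of the bug report, and not code from the iptables or racoon packages), the following Python script parses setkey spdadd statements such as the ones above and lists the policies that share the same direction, protocol and tunnel endpoints, which is exactly the "one VPN shared among two SPDs" condition the report describes. It assumes ${PPP_LOCAL} has already been expanded by the shell; 198.51.100.7 is a constructed placeholder for the dynamic PPP address. The script only identifies the sharing condition; it does not explain why MASQUERADE is not applied.

```python
"""Find setkey SPD entries that will be carried by the same IPsec tunnel.

Added example; the spdadd statements are taken from the bug report, the
PPP address is a constructed placeholder."""
import re
from collections import defaultdict

# Constructed sample input: the four spdadd statements from the report,
# with ${PPP_LOCAL} already expanded.  198.51.100.7 is an assumed
# placeholder for the dynamic PPP address, not a value from the report.
SAMPLE_SPD = """
flush;
spdflush;
spdadd 1.2.3.0/24 4.5.6.0/24 any
    -P out ipsec esp/tunnel/198.51.100.7-10.0.0.1/require;
spdadd 4.5.6.0/24 1.2.3.0/24 any
    -P in ipsec esp/tunnel/10.0.0.1-198.51.100.7/require;
spdadd 1.2.3.0/24 7.0.0.0/8 any
    -P out ipsec esp/tunnel/198.51.100.7-10.0.0.1/require;
spdadd 7.0.0.0/8 1.2.3.0/24 any
    -P in ipsec esp/tunnel/10.0.0.1-198.51.100.7/require;
"""

# One spdadd statement after whitespace normalisation:
#   spdadd SRC DST PROTO -P DIR ipsec PROTOCOL/MODE/[TUN_SRC-TUN_DST]/LEVEL;
# Transport-mode policies have an empty endpoint field (esp/transport//require).
SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+"
    r"-P\s+(?P<dir>in|out|fwd)\s+ipsec\s+"
    r"(?P<sa>esp|ah|ipcomp)/(?P<mode>tunnel|transport)/"
    r"(?:(?P<tun_src>[^-/\s]+)-(?P<tun_dst>[^/\s]+))?/(?P<level>\w+)\s*;$"
)


def parse_spd(text):
    """Return a list of dicts, one per spdadd statement.

    setkey statements end in ';' and may span lines; flush/spdflush and
    '#' comment lines are ignored.  A malformed spdadd statement raises."""
    # Drop comment lines before splitting on ';' so a comment cannot
    # swallow the terminator of the statement that follows it.
    body = "\n".join(line for line in text.splitlines()
                     if not line.lstrip().startswith("#"))
    policies = []
    for stmt in body.split(";"):
        stmt = " ".join(stmt.split())  # collapse continuation lines
        if not stmt.startswith("spdadd"):
            continue
        m = SPDADD_RE.match(stmt + ";")
        if m is None:
            raise ValueError("unparsed spdadd statement: " + stmt)
        policies.append(m.groupdict())
    return policies


def shared_sas(policies):
    """Group tunnel-mode policies by direction, protocol and endpoints.

    Policies that agree on all four are candidates to be satisfied by one
    SA, the situation the report describes.  Only groups holding two or
    more policies are returned, keyed by (dir, sa, tun_src, tun_dst)."""
    groups = defaultdict(list)
    for p in policies:
        if p["mode"] != "tunnel":
            continue
        key = (p["dir"], p["sa"], p["tun_src"], p["tun_dst"])
        groups[key].append((p["src"], p["dst"]))
    return {k: v for k, v in groups.items() if len(v) > 1}


def main():
    for key, selectors in shared_sas(parse_spd(SAMPLE_SPD)).items():
        direction, sa, tun_src, tun_dst = key
        print("%s %s tunnel %s -> %s is shared by %d policies:"
              % (direction, sa, tun_src, tun_dst, len(selectors)))
        for src, dst in selectors:
            print("    %s -> %s" % (src, dst))


if __name__ == "__main__":
    main()
```

Run against a real box, the same functions can be fed the output of `setkey -DP` after it has been trimmed to its spdadd-like form, or the heredoc body of the ip-up script with the PPP address substituted.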
racoon.conf (Debian_1):
--------------------------------------------
path pre_shared_key "/etc/racoon/psk.txt";

remote 10.0.0.1 {
    exchange_mode aggressive,main;
    my_identifier user_fqdn "[EMAIL PROTECTED]";
    peers_identifier user_fqdn "[EMAIL PROTECTED]";
    verify_identifier on;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

sainfo anonymous {
    pfs_group modp768;
    encryption_algorithm rijndael, 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    lifetime time 180 min;
}
--------------------------------------------
On Debian_2 the only difference is the "generate_policy on" option, and
the "remote" is also "anonymous".