R.M. Evers said:
> i'm having some problems implementing a vpn configuration, and i'm
> hoping you guys could help me out here. we are hosting a debian sarge
> server for one of our customers, and they need to communicate with this
> server over the internet securely. to accomplish this, i want to create
> a vpn between the debian server and their network. for my test setup,
> this is what i did:
>
> on the left side of the vpn (debian sarge server):
>
> - compiled a 2.4.27-8 kernel with the backported KAME IPSec stack and
>   crypto modules
> - installed freeswan and ipsec-tools
> - this server has two NICs:
>   * eth0 is connected to the internet, and has an external IP, let's
>     say 1.2.3.4.
>   * eth1 is _not_ connected, but i assigned an internal IP to it:
>     172.27.27.1.
> - set up iptables to accept the esp packets and IKE messages (udp/500)
>   from the right side (9.8.7.6).
> - configured freeswan for the vpn:
> --
> conn foo-bar
>     left=1.2.3.4
>     leftsubnet=172.27.27.0/24
>     leftnexthop=1.2.3.1
>     right=9.8.7.6
>     rightsubnet=192.168.1.0/24
>     authby=secret
>     auto=start
> --
>
> on the right side i set up a simple test network behind a netscreen
> appliance (9.8.7.6) and configured the vpn.

I'm not really familiar with netscreens, but they should work just fine
with freeswan.

> now, i can start the vpn and it works when i try to connect from right
> to left (let's say, from 192.168.1.33 to 172.27.27.1). tcpdump shows me
> esp packets, and everything works fine.

So the tunnel is up? You can ping from one side to the other? Have a look
at the output of 'ipsec look'. Look at the logs on the left side server.
Is the tunnel really up? You should see entries in /var/log/auth.log.
Look at logs on the netscreen as well.

> now here's the problem: i cannot connect from left to right (i.e., from
> the debian server to a machine inside the right network). when i follow
> the tcpdump when i nmap a machine in the right network (192.168.1.33), i
> can see packets going from 1.2.3.4 to 192.168.1.33. so it's not
> travelling the vpn and i don't have a clue why.

Are you trying *from* the vpn server? Try connecting from a machine that
is *behind* the left server. Your config says send packets from
172.27.27.0/24 over the tunnel. When you ping from the debian server, it's
using the 1.2.3.4 interface, so it's not going thru the tunnel. You can
tell ping to use the other interface with 'ping -I eth1 192.168.1.x', or
connect a box to the eth1 iface and try connecting from there.

For freeswan configs, it's pretty normal to use the classic 4 tunnel
approach to cover all connections.

    conn rnet-lnet
        left=1.2.3.4
        leftsubnet=172.27.27.0/24
        leftnexthop=1.2.3.1
        right=9.8.7.6
        rightsubnet=192.168.1.0/24
        authby=secret
        auto=start

    conn rnet-lserver
        left=1.2.3.4
        leftnexthop=1.2.3.1
        right=9.8.7.6
        rightsubnet=192.168.1.0/24
        authby=secret
        auto=start

    conn lnet-rserver
        # freeswan needs the left endpoint here too (it was missing above)
        left=1.2.3.4
        leftsubnet=172.27.27.0/24
        leftnexthop=1.2.3.1
        right=9.8.7.6
        authby=secret
        auto=start

    conn rserver-lserver
        left=1.2.3.4
        leftnexthop=1.2.3.1
        right=9.8.7.6
        authby=secret
        auto=start

> i'm kind of a n00b at
> this stuff, so i was amazed i actually got this far. but does anyone
> know what i have to do to have a fully functional bidirectional vpn? or
> is my setup just, well, plain stupid?? :-) it must be noted that in the
> future it is likely that more parties will have to connect to this
> server via an extra vpn.

Setting up multiple tunnels with [free|openswan] is no biggie once you
get it working. I've got a single server with 45-50 tunnels running and it
doesn't break a sweat. With multiple tunnels I suggest looking at using
certificates or RSA keys for the connections. Easier than setting up
individual secrets and really necessary for connecting endpoints with
dynamic IPs.

-- 
/phil
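As an added illustration of why the single conn drops host-originated traffic and the four-tunnel layout does not (example code written for this thread, not from the mail or from freeswan): each conn's leftsubnet/rightsubnet act as traffic selectors, and a packet is only tunnelled when its source and destination fall inside a conn's selectors. The config strings are constructed from the thread's addresses, with left= added to lnet-rserver since a selector needs the endpoint.

```python
import ipaddress

# Constructed ipsec.conf fragments modelled on the thread (not the mail's text verbatim):
# the poster's single conn, and the four-tunnel layout with left= added to lnet-rserver.
SINGLE_CONF = """conn foo-bar
    left=1.2.3.4
    leftsubnet=172.27.27.0/24
    right=9.8.7.6
    rightsubnet=192.168.1.0/24
"""
FOUR_TUNNEL_CONF = """conn rnet-lnet
    left=1.2.3.4
    leftsubnet=172.27.27.0/24
    right=9.8.7.6
    rightsubnet=192.168.1.0/24
conn rnet-lserver
    left=1.2.3.4
    right=9.8.7.6
    rightsubnet=192.168.1.0/24
conn lnet-rserver
    left=1.2.3.4
    leftsubnet=172.27.27.0/24
    right=9.8.7.6
conn rserver-lserver
    left=1.2.3.4
    right=9.8.7.6
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from an ipsec.conf-style fragment."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def selector(conn, side):
    """Selector for one side: its subnet if set, else the endpoint host itself (/32)."""
    return ipaddress.ip_network(conn.get(side + "subnet", conn[side] + "/32"), strict=False)

def matching_conn(conns, src, dst):
    """Name of the first conn whose left->right selectors cover src->dst, else None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((n for n, c in conns.items()
                 if src in selector(c, "left") and dst in selector(c, "right")), None)
```

With the single conn, a packet from 1.2.3.4 to 192.168.1.33 matches nothing and leaves eth0 in the clear, exactly what the poster saw in tcpdump; with the four conns it matches rnet-lserver.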

