--- Phil Dyer <[EMAIL PROTECTED]> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> R.M. Evers said:
> > i'm having some problems implementing a vpn configuration, and i'm
> > hoping you guys could help me out here. we are hosting a debian sarge
> > server for one of our customers, and they need to communicate with this
> > server over the internet securely. to accomplish this, i want to create
> > a vpn between the debian server and their network. for my test setup,
> > this is what i did:
> >
> > on the left side of the vpn (debian sarge server):
> >
> > - compiled a 2.4.27-8 kernel with the backported KAME IPSec stack and
> >   crypto modules
> > - installed freeswan and ipsec-tools
> > - this server has two NICs:
> >   * eth0 is connected to the internet, and has an external IP, let's
> >     say 1.2.3.4.
> >   * eth1 is _not_ connected, but i assigned an internal IP to it:
> >     172.27.27.1.
> > - set up iptables to accept the esp packets and IKE messages (udp/500)
> >   from the right side (9.8.7.6).
> > - configured freeswan for the vpn:
> > --
> > conn foo-bar
> >   left=1.2.3.4
> >   leftsubnet=172.27.27.0/24
> >   leftnexthop=1.2.3.1
> >   right=9.8.7.6
> >   rightsubnet=192.168.1.0/24
> >   authby=secret
> >   auto=start
> > --
> >
> > on the right side i set up a simple test network behind a netscreen
> > appliance (9.8.7.6) and configured the vpn.
>
> I'm not really familiar with netscreens, but they should work just fine
> with freeswan.
>
> > now, i can start the vpn and it works when i try to connect from right
> > to left (let's say, from 192.168.1.33 to 172.27.27.1). tcpdump shows me
> > esp packets, and everything works fine.
>
> So the tunnel is up? You can ping from one side to the other? Have a
> look at the output of 'ipsec look'. Look at the logs on the left side
> server. Is the tunnel really up? You should see entries in
> /var/log/auth.log. Look at logs on the netscreen as well.
>
> > now here's the problem: i cannot connect from left to right (i.e., from
> > the debian server to a machine inside the right network). when i follow
> > the tcpdump when i nmap a machine in the right network (192.168.1.33), i
> > can see packets going from 1.2.3.4 to 192.168.1.33. so it's not
> > travelling the vpn and i don't have a clue why.
>
> Are you trying *from* the vpn server? Try connecting from a machine
> that is *behind* the left server. Your config says send packets from
> 172.27.27.0/24 over the tunnel. When you ping from the debian server,
> it's using the 1.2.3.4 interface, so it's not going thru the tunnel. You
> can tell ping to use the other interface by using 'ping -I eth1
> 192.168.1.x', or connect a box to the eth1 iface and try connecting from
> there.
>
> For freeswan configs, it's pretty normal to use the classic 4 tunnel
> approach to cover all connections.
>
> conn rnet-lnet
>   left=1.2.3.4
>   leftsubnet=172.27.27.0/24
>   leftnexthop=1.2.3.1
>   right=9.8.7.6
>   rightsubnet=192.168.1.0/24
>   authby=secret
>   auto=start

Yes, this works.
> conn rnet-lserver
>   left=1.2.3.4
>   leftnexthop=1.2.3.1
>   right=9.8.7.6
>   rightsubnet=192.168.1.0/24
>   authby=secret
>   auto=start

Instead...

route add 9.8.7.6 192.168.1.X

This route will use the rnet-lnet VPN to access the 1.2 address of the (any)
router on that net, should be added on the 1.2.3.4 host. From there the pkts
will be sent *directly* to the correct computer.

> conn lnet-rserver
>   left=1.2.3.4
>   leftsubnet=172.27.27.0/24
>   leftnexthop=1.2.3.1
>   right=9.8.7.6
>   authby=secret
>   auto=start

route add 1.2.3.4 gw 172.27.27.X

Use this on the rserver server.

> conn rserver-lserver
>   left=1.2.3.4
>   leftnexthop=1.2.3.1
>   right=9.8.7.6
>   authby=secret
>   auto=start

No more routes needed.

> > i'm kind of a n00b at
> > this stuff, so i was amazed i actually got this far. but does anyone
> > know what i have to do to have a fully functional bidirectional vpn? or
> > is my setup just, well, plain stupid?? :-) it must be noted that in the
> > future it is likely that more parties will have to connect to this
> > server via an extra vpn.
>
> Setting up multiple tunnels with [free|openswan] is no biggie once you
> get it working. I've got a single server with 45-50 tunnels running and
> it doesn't break a sweat. With multiple tunnels I suggest looking at
> using certificates or RSA keys for the connections. Easier than setting
> up individual secrets and really necessary for connecting endpoints with
> dynamic ip's.
>
> - --
>
> /phil
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact
> [EMAIL PROTECTED]
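The reason the server's own traffic bypassed the tunnel is a traffic-selector mismatch: a conn only protects packets whose source lies in leftsubnet and whose destination lies in rightsubnet. The following added example (written for this thread, not code from the thread or from FreeS/WAN) models that rule over the single conn from the question and over the four-tunnel set, so you can see which conn, if any, covers a given packet; it assumes, as FreeS/WAN does, that a missing leftsubnet/rightsubnet means the gateway's own address as a /32, and the lnet-rserver fragment is given the same left= as the other conns.

```python
import ipaddress
import re

# Constructed ipsec.conf fragments (not the thread's exact text): the
# single conn from the question, then the "classic 4 tunnel" set.
ONE_CONN = """
conn foo-bar
  left=1.2.3.4
  leftsubnet=172.27.27.0/24
  right=9.8.7.6
  rightsubnet=192.168.1.0/24
"""

FOUR_CONNS = ONE_CONN + """
conn rnet-lserver
  left=1.2.3.4
  right=9.8.7.6
  rightsubnet=192.168.1.0/24

conn lnet-rserver
  left=1.2.3.4
  leftsubnet=172.27.27.0/24
  right=9.8.7.6

conn rserver-lserver
  left=1.2.3.4
  right=9.8.7.6
"""

def parse_conns(text):
    """Return {conn name: {key: value}} for each conn section in the text."""
    conns, cur = {}, None
    for line in text.splitlines():
        line = line.split('#', 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = re.match(r'conn\s+(\S+)$', line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and '=' in line:
            key, val = line.strip().split('=', 1)
            cur[key.strip()] = val.strip()
    return conns

def selectors(conn):
    """Selector pair of a conn; an omitted *subnet means the gateway's /32."""
    left = ipaddress.ip_network(conn.get('leftsubnet', conn['left'] + '/32'))
    right = ipaddress.ip_network(conn.get('rightsubnet', conn['right'] + '/32'))
    return left, right

def matching_conns(conns, src, dst):
    """Conns that protect an outbound src->dst packet leaving the left gateway.
    An empty list means the packet leaves eth0 in the clear, which is exactly
    what tcpdump showed for 1.2.3.4 -> 192.168.1.33 with only foo-bar defined."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return sorted(name for name, c in conns.items()
                  if s in selectors(c)[0] and d in selectors(c)[1])
```

Checking a few source/destination pairs against the parsed conns is a quick way to confirm that every host-to-host and host-to-net combination you expect to be encrypted actually has a conn covering it.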

