Hmm...must be the day for VPN questions :)
> I'm trying to get two different subnets (behind two different IP
> Masq'ing LRP boxes) to talk over IPSec. I am using a Sentinel 1.3
> client on one side {"right" machine}, and am using its diagnostics to
> try to make the connection on the IPSec gateway {"left"}. I have turned
> off my packet filter on the "right" machine, and am using
>
> ipchains -I input -j ACCEPT -p udp -s [right/32] -d [left/32] 500
>
> on the IPSec GW machine ("left"). I am getting the following error in
> auth.log on "left":
>
> [DATE] Pluto[1840]: packet from from [remote gw]:64484: initial Main
> Mode message recieved on [IPSec gw]:500 but no connection has been
> authorized
>
> After googling, I have found that Pluto insists on matching up the
> source & dest port #, which the IPMasq'ing is mangling on the "right"
> machine. Any ideas?
It sounds like you have an LRP box running as a VPN gateway on one end
(public IP on the box running FreeS/WAN), with a masquerading IPSec
connection on the other end (LRP box masquerading packets between your SSH
Sentinel client and the internet). The VPN gateway end is probably OK, as
long as your kernel includes the IPSec patches required for FreeS/WAN to
work (FreeS/WAN will be very vocal about this if you don't have the right
kernel loaded, and will generally refuse to do anything remotely resembling
establishing a connection, so it's pretty easy to tell if your kernel is OK
or not).
You *CAN* run an IPSec link behind a masqueraded connection, but you need to
set a few things up for it to work correctly, including:
- Make sure you're *NOT* running a kernel that supports KLIPS (the FreeS/WAN
kernel IPSec code...the Dachstein CD has this enabled by default, and it
conflicts with the ip_masq_ipsec module, below)
- Load the ip_masq_ipsec module
- port-forward UDP port 500 traffic.
I think this is all you need to set up, but I could be missing something.
Take a look at the VPN-Masquerade-HOWTO for Linux. There are also several
folks on-list who have set up masqueraded VPN connections through their LRP
firewalls who can probably help if you run into a specific problem.
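The three steps above (no KLIPS in the kernel, ip_masq_ipsec loaded, UDP 500 forwarded) as one shell script for the masquerading "right" box. This is an added example and not part of the original message or of the LEAF/Dachstein distribution. It assumes an ipchains-era (2.2) kernel, that the presence of KLIPS can be detected through /proc/net/ipsec_version, the ipmasqadm portfw syntax shown in the comments, and that the two arguments are the masquerading box's public address and the internal address of the SSH Sentinel client. With DRY_RUN=1 (the default) it only prints the commands it would run, so it can be checked before being applied.

```sh
#!/bin/sh
# Added example (not from the original post): prepare an ipchains-era LRP
# box to masquerade an IPSec client sitting behind it, following the three
# steps in the reply. Assumptions: /proc/net/ipsec_version exists only when
# the KLIPS kernel code is present; ipmasqadm accepts
# "portfw -a -P udp -L <external> 500 -R <internal> 500".
# DRY_RUN=1 (the default) prints each command instead of executing it.

DRY_RUN=${DRY_RUN:-1}

# Run a command, or just print it when in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 1: refuse to continue if KLIPS is in this kernel, because it
# conflicts with the ip_masq_ipsec module loaded below.
klips_absent() {
    if [ -e /proc/net/ipsec_version ]; then
        echo "KLIPS is present in this kernel; use a non-VPN-gateway kernel on the masquerading end" >&2
        return 1
    fi
    return 0
}

# Steps 2 and 3.  Usage: masq_ipsec_setup <masq box public IP> <internal IPSec client IP>
masq_ipsec_setup() {
    ext_ip=$1
    client_ip=$2
    klips_absent || return 1
    # Step 2: IPSec-aware masquerading (ESP carries no port numbers, so
    # plain masquerading cannot track it on its own).
    run modprobe ip_masq_ipsec
    # Step 3: hand inbound IKE (UDP 500) to the client behind the box.
    run ipmasqadm portfw -a -P udp -L "$ext_ip" 500 -R "$client_ip" 500
    # Let IKE through the input chain if a packet filter is active; this
    # mirrors the ACCEPT rule the poster already uses on the gateway end.
    run ipchains -I input -j ACCEPT -p udp -d "$ext_ip" 500
}
```

Run it once with the default DRY_RUN=1 to see the three commands with the addresses filled in, then with DRY_RUN=0 as root on the masquerading box. The /proc/net/ipsec_version check is only a convenience; the reply's real advice is to boot the non-gateway kernel on this end.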
NOTE: Due to current limitations in how FreeS/WAN is implemented, you
CANNOT use the same kernel to run both a VPN gateway *AND* masquerade IPSec
traffic. This means you'll need to replace the kernel at one end of your
VPN network. If you're using the standard Dachstein floppy distribution,
you'll have to replace the kernel at the VPN gateway end (the floppy version
includes a kernel setup for IPSec masquerading). If you're using the CD-ROM
version of Dachstein, you'll have to replace the kernel at the SSH Sentinel
end (the CD contains a VPN Gateway kernel, and will not properly masquerade
IPSec packets).
Good Luck!
Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user