Thanks Charles - fortunately the non-IPSec router is not Dachstein.  I
am really impressed by your work on Dachstein, and was especially glad
to see the inclusion and improvements to the multiple disk option.
        - Jon

Charles Steinkuehler wrote:
> 
> Hmm...must be the day for VPN questions :)
> 
> > I'm trying to get two different subnets (behind two different IP
> > Masq'ing LRP boxes) to talk over IPSec.  I am using a Sentinel 1.3
> > client on one side {"right" machine}, and am using its diagnostics to
> > try to make the connection on the IPSec gateway {"left"}.  I have turned
> > off my packet filter on the "right" machine, and am using
> >
> > ipchains -I input -j ACCEPT -p udp -s [right/32] -d [left/32] 500
> >
> > on the IPSec GW machine ("left").  I am getting the following error in
> > auth.log on "left":
> >
> > [DATE] Pluto[1840]:  packet from [remote gw]:64484: initial Main
> > Mode message received on [IPSec gw]:500 but no connection has been
> > authorized
> >
> > After googling, I have found that Pluto insists on matching up the
> > source & dest port #, which the IPMasq'ing is mangling on the "right"
> > machine.  Any ideas?
> 
> It sounds like you have an LRP box running as a VPN gateway on one end
> (public IP on the box running FreeS/WAN), with a masquerading IPSec
> connection on the other end (LRP box masquerading packets between your SSH
> Sentinel client and the internet).  The VPN gateway end is probably OK, as
> long as your kernel includes the IPSec patches required for FreeS/WAN to
> work (FreeS/WAN will be very vocal about this if you don't have the right
> kernel loaded, and will generally refuse to do anything remotely resembling
> establishing a connection, so it's pretty easy to tell if your kernel is OK
> or not).
> 
> You *CAN* run an IPSec link behind a masqueraded connection, but you need to
> set a few things up for it to work correctly, including:
> 
> - Make sure you're *NOT* running a kernel that supports KLIPS (the FreeS/WAN
> kernel IPSec code...the Dachstein CD has this enabled by default, and it
> conflicts with the ip_masq_ipsec module, below)
> - Load the ip_masq_ipsec module
> - port-forward UDP port 500 traffic.
> 
> I think this is all you need to set up, but I could be missing something.
> Take a look at the VPN-Masquerade-HOWTO for linux.  There are also several
> folks on-list who have set up masqueraded VPN connections through their LRP
> firewalls who can probably help if you run into a specific problem.
> 
> NOTE:  Due to a current limitation with how FreeS/WAN is implemented, you
> CANNOT use the same kernel to run both a VPN gateway *AND* masquerade IPSec
> traffic.  This means you'll need to replace the kernel at one end of your
> VPN network.  If you're using the standard Dachstein floppy distribution,
> you'll have to replace the kernel at the VPN gateway end (the floppy version
> includes a kernel setup for IPSec masquerading).  If you're using the CD-ROM
> version of Dachstein, you'll have to replace the kernel at the SSH Sentinel
> end (the CD contains a VPN Gateway kernel, and will not properly masquerade
> IPSec packets).
> 
> Good Luck!
> 
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
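An added diagnostic, not part of the thread above and not FreeS/WAN or LEAF code: it parses the Pluto "no connection has been authorized" line quoted in the question and uses the source port to tell the two cases apart. IKEv1 Main Mode goes from UDP 500 to UDP 500, so a source port like 64484 in that message means something on the path (IP masquerading without ip_masq_ipsec) rewrote it, which is why Pluto cannot match the peer; a source port of 500 means the peer is simply not configured. The log lines and addresses (RFC 5737 documentation ranges) are constructed for the example, and the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

IKE_PORT = 500  # IKEv1/ISAKMP uses UDP 500 as both source and destination port

# Matches the FreeS/WAN Pluto rejection quoted in the thread. The syslog
# timestamp and hostname in front of "Pluto[...]" are ignored.
PLUTO_NO_CONN = re.compile(
    r"Pluto\[(?P<pid>\d+)\]:\s+packet from (?:from )?(?P<src>[\d.]+):(?P<sport>\d+): "
    r"initial Main Mode message rec(?:ei|ie)ved on (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"but no connection has been authorized"
)


@dataclass(frozen=True)
class IkeRejection:
    pid: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    @property
    def likely_masqueraded(self) -> bool:
        # A peer that is not behind NAT sends IKE from UDP 500. Any other
        # source port means a masquerading box on the path rewrote it.
        return self.src_port != IKE_PORT


def parse_pluto_line(line: str) -> Optional[IkeRejection]:
    """Return the parsed rejection, or None if the line is something else."""
    m = PLUTO_NO_CONN.search(line)
    if m is None:
        return None
    return IkeRejection(int(m["pid"]), m["src"], int(m["sport"]),
                        m["dst"], int(m["dport"]))


def scan_auth_log(lines: Iterable[str]) -> List[IkeRejection]:
    """Collect every Pluto 'no connection authorized' event from an auth.log."""
    return [rej for rej in map(parse_pluto_line, lines) if rej is not None]


def diagnose(rej: IkeRejection) -> str:
    """One-line explanation of why Pluto refused this peer."""
    if rej.likely_masqueraded:
        return (f"{rej.src_ip}:{rej.src_port} -> {rej.dst_ip}:{rej.dst_port}: "
                "IKE arrived from a non-500 source port, so the peer is behind "
                "IP masquerading. On the masquerading box load ip_masq_ipsec "
                "and port-forward UDP 500 to the IPSec client (and do not run "
                "a KLIPS kernel there).")
    return (f"{rej.src_ip}:{rej.src_port} -> {rej.dst_ip}:{rej.dst_port}: "
            "source port is 500, so masquerading is not the problem; no conn "
            "in ipsec.conf matches this peer, add or enable one.")


# Constructed sample auth.log excerpt (documentation addresses, not real hosts).
SAMPLE_AUTH_LOG = [
    "Jan 12 10:31:07 left Pluto[1840]: packet from 203.0.113.7:64484: initial "
    "Main Mode message received on 198.51.100.2:500 but no connection has been "
    "authorized",
    "Jan 12 10:31:09 left sshd[2201]: Accepted publickey for admin from "
    "192.0.2.10 port 41022 ssh2",
    "Jan 12 10:32:44 left Pluto[1840]: packet from 192.0.2.77:500: initial "
    "Main Mode message received on 198.51.100.2:500 but no connection has been "
    "authorized",
]

if __name__ == "__main__":
    for rejection in scan_auth_log(SAMPLE_AUTH_LOG):
        print(diagnose(rejection))
```

Run it against the real /var/log/auth.log on the gateway ("left" in the thread) with scan_auth_log(open("/var/log/auth.log")); the first case in the sample output is the situation described in the question, the second is an ordinary unconfigured peer.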

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user