Thank you Charles.

After making the RSA right, I restarted the ipsec service on both 
sides and then I tried to ping a machine on 192.168.1.x from the 192.168.9.x subnet, but the 
ping times out and there is nothing in auth.log or syslog suggesting a reason.

Could you please suggest what I should look at now? I am including 
the log messages and the config files.

BTW, both ends have dynamic IPs, but they have not changed for a long time.
The left, leftnexthop, right and rightnexthop values are extracted from the
file /var/state/dhcp/dhclient.leases


Here is the auth.log after restarting the ipsec service:

####   on 192.168.1.x  ############
Apr 23 12:07:17 router Pluto[18965]: Starting Pluto (FreeS/WAN Version 1.91)
Apr 23 12:07:18 router Pluto[18965]: added connection description "Binh"
Apr 23 12:07:18 router Pluto[18965]: listening for IKE messages
Apr 23 12:07:18 router Pluto[18965]: adding interface ipsec0/eth0 24.76.93.9
Apr 23 12:07:18 router Pluto[18965]: loading secrets from "/etc/ipsec.secrets"
Apr 23 12:07:19 router Pluto[18965]: "Binh" #1: initiating Main Mode
Apr 23 12:07:19 router Pluto[18965]: some IKE message we sent has been rejected with 
ECONNREFUSED (kernel supplied no details)
                                     ^^^ probably because I started this before the 
other end 
Apr 23 12:07:58 router Pluto[18965]: "Binh" #2: responding to Main Mode
Apr 23 12:07:59 router Pluto[18965]: "Binh" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA 
established
Apr 23 12:07:59 router Pluto[18965]: "Binh" #3: responding to Quick Mode
Apr 23 12:07:59 router Pluto[18965]: "Binh" #3: STATE_QUICK_R2: IPsec SA established
Apr 23 12:08:29 router Pluto[18965]: "Binh" #1: STATE_MAIN_I4: ISAKMP SA established
Apr 23 12:08:29 router Pluto[18965]: "Binh" #4: initiating Quick Mode 
RSASIG+ENCRYPT+TUNNEL+PFS
Apr 23 12:08:29 router Pluto[18965]: "Binh" #4: STATE_QUICK_I2: sent QI2, IPsec SA 
established

# On 192.168.9.x
Apr 23 12:07:58 router Pluto[11171]: Starting Pluto (FreeS/WAN Version 1.91)
Apr 23 12:07:58 router Pluto[11171]: added connection description "CuHoi"
Apr 23 12:07:58 router Pluto[11171]: listening for IKE messages
Apr 23 12:07:58 router Pluto[11171]: adding interface ipsec0/eth0 24.83.28.213
Apr 23 12:07:58 router Pluto[11171]: loading secrets from "/etc/ipsec.secrets"
Apr 23 12:07:58 router Pluto[11171]: "CuHoi" #1: initiating Main Mode
Apr 23 12:07:59 router Pluto[11171]: "CuHoi" #1: STATE_MAIN_I4: ISAKMP SA established
Apr 23 12:07:59 router Pluto[11171]: "CuHoi" #2: initiating Quick Mode 
RSASIG+ENCRYPT+TUNNEL+PFS
Apr 23 12:07:59 router Pluto[11171]: "CuHoi" #2: STATE_QUICK_I2: sent QI2, IPsec SA 
established
Apr 23 12:08:29 router Pluto[11171]: "CuHoi" #3: responding to Main Mode
Apr 23 12:08:29 router Pluto[11171]: "CuHoi" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA 
established
Apr 23 12:08:29 router Pluto[11171]: "CuHoi" #4: responding to Quick Mode
Apr 23 12:08:30 router Pluto[11171]: "CuHoi" #4: STATE_QUICK_R2: IPsec SA established

I also tried ipsec look on both sides and saw the following:
##########  On 192.168.1.x   side 
router Tue Apr 23 12:41:00 PDT 2002
192.168.1.0/24     -> 192.168.9.0/24     => [EMAIL PROTECTED] 
[EMAIL PROTECTED]  (0)
ipsec0->eth0 mtu=16260(1500)->1500
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=out src=24.76.93.9 iv_bits=64bits 
iv=0xc6c1541a7d8b3da7 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=add(14,0,0)
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=in  src=24.83.28.213 iv_bits=64bits 
iv=0xe22a68599253e1dc ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=add(14,0,0)
[EMAIL PROTECTED] IPIP: dir=in  src=24.83.28.213 life(c,s,h)=add(14,0,0)
[EMAIL PROTECTED] IPIP: dir=out src=24.76.93.9 life(c,s,h)=add(14,0,0)
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         24.76.92.1      0.0.0.0         UG        0 0          0 eth0
192.168.9.0     24.76.92.1      255.255.255.0   UG        0 0          0 ipsec0
24.76.92.0      0.0.0.0         255.255.252.0   U         0 0          0 eth0
24.76.92.0      0.0.0.0         255.255.252.0   U         0 0          0 ipsec0

### On 192.168.9.x side
router Tue Apr 23 12:40:24 PDT 2002
192.168.9.0/24     -> 192.168.1.0/24     => [EMAIL PROTECTED] 
[EMAIL PROTECTED]  (0)
ipsec0->eth0 mtu=16260(1500)->1500
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=in  src=24.76.93.9 iv_bits=64bits 
iv=0x5d9e98819d25068d ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=add(106,0,0)
[EMAIL PROTECTED] ESP_3DES_HMAC_MD5: dir=out src=24.83.28.213 iv_bits=64bits 
iv=0x603513885b325daf ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=add(106,0,0)
[EMAIL PROTECTED] IPIP: dir=in  src=24.76.93.9 life(c,s,h)=add(106,0,0)
[EMAIL PROTECTED] IPIP: dir=out src=24.83.28.213 life(c,s,h)=add(106,0,0)
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         24.83.28.1      0.0.0.0         UG        0 0          0 eth0
192.168.1.0     24.83.28.1      255.255.255.0   UG        0 0          0 ipsec0
24.83.28.0      0.0.0.0         255.255.252.0   U         0 0          0 eth0
24.83.28.0      0.0.0.0         255.255.252.0   U         0 0          0 ipsec0


The ipsec.conf files look like this:

# On 192.168.1.x side
# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

conn %default
        # one RSA key and one subnet
        # protected
        #
        type=tunnel
        auto=start
        leftid=24.76.93.9
        left=24.76.93.9
        leftnexthop=24.76.92.1
        leftsubnet=192.168.1.0/24
        #leftfirewall=yes
        keyexchange=ike
        authby=rsasig
        leftrsasigkey=0sAQNWUt...
        # key lifetime (before automatic rekeying)
        keylife=8h
        # how persistent to be in (re)keying negotiations (0 means very)
        keyingtries=0

# For each tunnel, include its config
# Note that the configs should reside in the /etc/ipsec
# subdirectory

include ipsec/Binh.conf

#### ipsec/Binh.conf
conn Binh
        rightid=24.83.28.213
        right=24.83.28.213
        rightnexthop=24.83.28.1
        rightsubnet=192.168.9.0/24
        rightrsasigkey=0sAQNg/2...

and on 192.168.9.x  (the config setup is the same)
conn %default
        # one RSA key and one subnet
        # protected
        #
        type=tunnel
        auto=start
        leftid=24.83.28.213
        left=24.83.28.213
        leftnexthop=24.83.28.1
        leftsubnet=192.168.9.0/24
        #leftfirewall=yes
        keyexchange=ike
        authby=rsasig
        leftrsasigkey=0sAQNg/2...
        # key lifetime (before automatic rekeying)
        keylife=8h
        # how persistent to be in (re)keying negotiations (0 means very)
        keyingtries=0
# For each tunnel, include its config
# Note that the configs should reside in the /etc/ipsec
# subdirectory

include ipsec/CuHoi.conf

### ipsec/CuHoi.conf
conn CuHoi
        #[EMAIL PROTECTED]
        rightid=24.76.93.9
        right=24.76.93.9
        rightnexthop=24.76.92.1
        rightsubnet=192.168.1.0/24
        rightrsasigkey=0sAQNWUt...
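
An added diagnostic script (not from this thread or the FreeS/WAN project) that applies the same two checks the post walks through, Phase 1 and Phase 2 establishment in the Pluto log and a route for the far subnet via ipsec0, to constructed sample lines modelled on the output quoted above; the SA state strings and route columns are the FreeS/WAN 1.91 formats as they appear in the post.

```python
import re

# Constructed sample input modelled on the auth.log and "ipsec look" output in the post.
AUTH_LOG = """\
Apr 23 12:07:58 router Pluto[18965]: "Binh" #2: responding to Main Mode
Apr 23 12:07:59 router Pluto[18965]: "Binh" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established
Apr 23 12:07:59 router Pluto[18965]: "Binh" #3: responding to Quick Mode
Apr 23 12:07:59 router Pluto[18965]: "Binh" #3: STATE_QUICK_R2: IPsec SA established
"""

ROUTES = """\
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         24.76.92.1      0.0.0.0         UG        0 0          0 eth0
192.168.9.0     24.76.92.1      255.255.255.0   UG        0 0          0 ipsec0
24.76.92.0      0.0.0.0         255.255.252.0   U         0 0          0 eth0
"""

# Pluto prefixes per-connection messages with the conn name and a state number.
PLUTO_RE = re.compile(r'Pluto\[\d+\]: "(?P<conn>[^"]+)" #\d+: (?P<msg>.*)$')


def sa_status(log):
    """Return {conn: {"isakmp": bool, "ipsec": bool}} from Pluto log lines."""
    status = {}
    for line in log.splitlines():
        m = PLUTO_RE.search(line)
        if not m:
            continue  # e.g. "listening for IKE messages" has no conn name
        st = status.setdefault(m.group("conn"), {"isakmp": False, "ipsec": False})
        if "ISAKMP SA established" in m.group("msg"):
            st["isakmp"] = True  # Phase 1 (Main Mode) done
        elif "IPsec SA established" in m.group("msg"):
            st["ipsec"] = True   # Phase 2 (Quick Mode) done
    return status


def subnet_via_ipsec(routes, subnet, mask):
    """True if the remote subnet has a route whose interface is ipsec0."""
    for line in routes.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) >= 8 and f[0] == subnet and f[2] == mask and f[7].startswith("ipsec"):
            return True
    return False


def tunnel_checks(log, routes, conn, subnet, mask):
    """Combine both checks; whichever item is False says where to look next."""
    st = sa_status(log).get(conn, {"isakmp": False, "ipsec": False})
    return {"isakmp": st["isakmp"], "ipsec": st["ipsec"],
            "route": subnet_via_ipsec(routes, subnet, mask)}


if __name__ == "__main__":
    print(tunnel_checks(AUTH_LOG, ROUTES, "Binh", "192.168.9.0", "255.255.255.0"))
```

When all three items are True, as they are for the posted output, the IKE negotiation and KLIPS routing are not the problem and the next things to check are packet forwarding and the firewall rules on each gateway.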
---------- Original Message ----------------------------------
From: "Charles Steinkuehler" <[EMAIL PROTECTED]>
Date:  Tue, 23 Apr 2002 10:18:17 -0500

>> Thank you very much, Charles, I will modify the RSA key in the config when I
>> get home.
>>
>> In the network.conf I have
>>
>> EXTERN_PROTO0="50 0/0"
>> EXTERN_PROTO1="51 0/0"
>>
>> and
>>
>> EXTERN_UDP_PORTS="0/0_500"
>>
>> on both sides
>>
>> so I think I do not have to set firewall=yes, right?
>
>You are correct.  With the above entries in network.conf, you do not need
>FreeS/WAN to generate firewall holes for the IPSec packets.  An additional
>side benefit of using network.conf to create the firewall rules is you can
>modify your firewall rules while running (ie edit network.conf and run "net
>ipfilter reload") without bringing down any VPN tunnels.  If you use the
>FreeS/WAN [left|right]firewall=yes to do this, you have to shut down IPSec,
>reload your firewall rules, then re-start ipsec.
>
>Charles Steinkuehler
>http://lrp.steinkuehler.net
>http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
>
>
>_______________________________________________
>Leaf-user mailing list
>[EMAIL PROTECTED]
>https://lists.sourceforge.net/lists/listinfo/leaf-user
>
