Jim
I have a number of IPsec boxes running on Bering 1.0 and 1.2. I must admit the complexity of your ASCII art puzzled me at first.
Basically I understood the following:
You have 2 Bering boxes in network 10.0.0.0/24 serving as IPsec gateways for the networks 192.168.0.0/24 and 192.168.1.0/24.
There are a few things in your setup which are noticeable; comments inline....
At 22:46 04.06.2004, Jim Walters wrote:
... Configuration Data (tried to do it like the support page said):
# uname -a
Linux fw_left 2.4.24 #18 Sat Apr 24 10:07:53 CEST 2004 i586 unknown

# ip addr show
2: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 08:00:06:25:bc:d2 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.4/24 brd 10.0.0.255 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:a0:c9:39:13:c2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
5: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 08:00:06:25:bc:d2 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.4/24 brd 10.0.0.255 scope global ipsec0
6: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
7: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
8: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip

# ip route show
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.4
10.0.0.0/24 dev ipsec0 proto kernel scope link src 10.0.0.4
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
default via 10.0.0.1 dev eth0
Obviously, ipsec is started, but your tunnel is not up, therefore no route to the remote subnet...
Lots removed ...
Configuration Files:
Here are some of my configuration files. I deleted the standard Shorewall comments, but left the default items in place so that the syntax of the files is complete.
<contents of interfaces>
#
# Shorewall 1.4 -- Interfaces File
#
# /etc/shorewall/interfaces
#
##############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect
vpn     ipsec0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

<contents of policy>
#
# Shorewall 1.4 -- Policy File
#
# /etc/shorewall/policy
#
###############################################################################
#SOURCE   DEST   POLICY   LOG     LIMIT:BURST
#                         LEVEL
loc       net    ACCEPT
net       all    DROP     ULOG
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw       net    ACCEPT
loc       vpn    ACCEPT
vpn       loc    ACCEPT
#
# THE FOLLOWING POLICY MUST BE LAST
#
all       all    REJECT   ULOG
#LAST LINE -- DO NOT REMOVE

<contents of tunnels>
#
# Shorewall 1.4 - /etc/shorewall/tunnels
#
# TYPE    ZONE   GATEWAY    GATEWAY
#                           ZONE
ipsec     net    10.0.0.3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

<contents of zones>
#
# Shorewall 1.4 /etc/shorewall/zones
#
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local networks
vpn     VPN       Remote Subnet
#dmz    DMZ       Demilitarized zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
<contents of rules>
#
# Shorewall version 1.4 - Rules File
#
# /etc/shorewall/rules
#
######################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER
# PORT PORT(S) DEST LIMIT
# Accept DNS connections from the firewall to the network
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
# Accept SSH connections from the local network for administration
#
ACCEPT loc fw tcp 22
# Allow Ping To And From Firewall
#
ACCEPT loc fw icmp 8
ACCEPT net fw icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw net icmp 8
#
# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80
#
# jwalters 20040604
# added rules to allow IPSec VPN
No need for these, /etc/shorewall/tunnels should take care of that.
# ACCEPT net fw tcp 50
# ACCEPT net fw udp 50
# ACCEPT net fw tcp 51
# ACCEPT net fw udp 51
# ACCEPT fw net tcp 50
# ACCEPT fw net udp 50
# ACCEPT fw net tcp 51
# ACCEPT fw net udp 51
# ACCEPT net fw udp 500
# ACCEPT fw net udp 500
#
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
<contents of ipsec.conf>
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces=%defaultroute
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes
# defaults for subsequent connection descriptions
conn vpn_jim
    # How persistent to be in (re)keying negotiations (0 means very).
    keyingtries=0
    # RSA authentication with keys from DNS.
    authby=secret
    left=10.0.0.4
    leftsubnet=192.168.1.0/24
    right=10.0.0.3
    rightsubnet=192.168.0.0/24
    auto=add
One of the gateways should have auto=start.
<contents of ipsec.secrets>
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
#: RSA {
#     -- Create your own RSA key with "ipsec rsasigkey"
# }
# do not change the indenting of that "}"
10.0.0.4 %any : PSK "jwalters"
I never got %any to work.
I guess you should do an ipsec barf and post the output.
Oh, by the way, the network runs without IPSEC started?
cheers Erich
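A small diagnostic that pulls Erich's three points together (no auto=start on either side, no route to the remote subnet via ipsec0, and the redundant ESP/AH/500 rules that the tunnels entry already covers) plus the %any wildcard in ipsec.secrets. This is an added example written for this post, not code from the thread or from the LEAF/Bering project; the config, route and rule strings are constructed copies of fw_left's files and the PSK value is a placeholder.

```python
import re

# Constructed samples modelled on fw_left's files (not read from a live box).
IPSEC_CONF = """conn vpn_jim
    keyingtries=0
    authby=secret
    left=10.0.0.4
    leftsubnet=192.168.1.0/24
    right=10.0.0.3
    rightsubnet=192.168.0.0/24
    auto=add
"""
IPSEC_SECRETS = '10.0.0.4 %any : PSK "placeholder-psk"\n'
IP_ROUTE = """10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.4
10.0.0.0/24 dev ipsec0 proto kernel scope link src 10.0.0.4
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
default via 10.0.0.1 dev eth0
"""
SHOREWALL_RULES = "ACCEPT net fw tcp 50\nACCEPT net fw udp 500\nACCEPT loc fw tcp 22\n"

def parse_conns(text):
    """Return {conn_name: {key: value}} from a FreeS/WAN ipsec.conf fragment."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif cur and "=" in line:
            key, val = line.split("=", 1)
            conns[cur][key.strip()] = val.strip()
    return conns

def remote_route_up(route_text, subnet):
    """True when the remote subnet is routed via an ipsecN device (KLIPS adds it once the SA is up)."""
    for line in route_text.splitlines():
        f = line.split()
        if f and f[0] == subnet and "dev" in f:
            return f[f.index("dev") + 1].startswith("ipsec")
    return False

def check(conf, secrets, routes, rules):
    findings = []
    for name, c in parse_conns(conf).items():
        if c.get("auto") != "start":
            findings.append(f"{name}: auto={c.get('auto')}; unless the peer has auto=start nobody initiates")
        if not remote_route_up(routes, c.get("rightsubnet", "")):
            findings.append(f"{name}: no route to {c.get('rightsubnet')} via ipsec0, tunnel is not up")
        if c.get("authby") == "secret" and re.search(r"^\S+\s+%any\s*:\s*PSK", secrets, re.M):
            findings.append(f"{name}: PSK keyed to %any; name the peer {c.get('right')} explicitly")
    for line in rules.splitlines():
        f = line.split()
        if len(f) >= 5 and f[3] in ("tcp", "udp") and f[4] in ("50", "51", "500"):
            note = "" if f[4] == "500" else " (ESP/AH are IP protocols, not ports)"
            findings.append(f"rules: '{line}' is redundant with the tunnels entry{note}")
    return findings
```

Run `check(IPSEC_CONF, IPSEC_SECRETS, IP_ROUTE, SHOREWALL_RULES)` and every finding maps back to one comment in the thread; rerun it after the tunnel comes up and the route finding disappears.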