Timothy J. Massey wrote:

Hello!

I'm trying to set up a VPN between a Windows 2000 notebook and a Bering 1.2 LEAF firewall, running SuperFreeS/WAN 1.99.6.2.

On this firewall, I have two tunnels set up. One is a tunnel between two LEAF firewalls bridging two subnets, and works great. The other is a tunnel designed for road warrior usage. I'm using the Windows 2000 VPN tool (http://vpn.ebootis.de/) on the 2000 notebook to try to connect to my LEAF firewall.

If I connect the notebook directly to the Internet with a real-world IP, it works great. If, however, I put it behind a router (in this case, a Linksys BEFSR41) it does not work. I've made sure that IPsec passthru is turned on in the Linksys, and it is. I can browse the Internet from behind the router, but not connect to the VPN.

Here are the relevant parts of my firewall's ipsec.conf:

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    keyingtries=3

conn RoadWarrior
    authby=secret
    left=<FirewallExternalIP>
    leftsubnet=<InternalNetwork>/22
    leftnexthop=<FirewallExternalGateway>
    leftfirewall=yes
    right=%any
    keylife=30m
    auto=add

Also, here is the Windows computer's ipsec.conf:

conn AmherstOfficeToRoadWarrior
    left=<FirewallExternalIP>
    leftsubnet=<InternalNetwork>/255.255.252.0
    right=%any
    presharedkey=<SharedKey>
    network=lan
    rekey=1800S/30000K
    auto=start
    pfs=yes


Like I said, the VPN works when not behind the router, so I know that the IPs and shared secret are correct.


Here are the errors I get on the LEAF firewall. I'm typing these by hand, so I'm only including what look to be the interesting parts. If you need more, let me know.

"RoadWarrior"[1] <Linksys IP> #3 responding to Main Mode from unknown peer <Linksys External IP>
"RoadWarrior"[1] <Linksys IP> #3 Main mode peer ID is ID_IPV4_ADDR: <Internal IP of notebook behind Linksys>
"RoadWarrior"[1] <Linksys IP> #3 No suitable connection for peer '<Internal IP of notebook behind Linksys>'
"RoadWarrior"[1] <Linksys IP> #3 sending notification INVALID_ID_INFORMATION to <Linksys External IP>:500


These lines repeat several times.

As you can see, the LEAF firewall sees the packets as coming from the Linksys IP address (because of NAT), but the packets themselves say that the endpoint has the IP address of an internal-to-the-Linksys IP. Obviously, this is not correct.

What do I need to do to make this work? I was told that the IP passthru was supposed to be transparent and just plug-in-and-go. I've *never* found anything related to IPsec plug-in-and-go: why should this be any different? :)

Any suggestions would be *greatly* appreciated! Thank you!

Your problem may have nothing to do with IP addresses. Based on the limited information above, I'd start checking your configuration files on both ends, looking to make sure the peer names match. The linux IPSec implementation is *VERY* picky about how connection names are matched.


The "No suitable connection for peer <whatever>" error typically means IPSec can't find a valid tunnel description in your configuration file that matches what the client's trying to set up, i.e. your connection descriptions on each end don't match. Note that the peer ID defaults to the IP address, which can be a bad thing (especially for road-warrior clients), so I usually assign actual names to the machines in question. Depending on how you're authenticating, this can also allow you to specify unique connection descriptions for different road-warrior clients, despite the fact that you don't know their IP in advance (if you use certs or rsa keys, but not pre-shared-secrets).

An example of setting the peer name on the linux side:

[EMAIL PROTECTED]
[EMAIL PROTECTED]

Note the "@" symbol, which prevents ipsec from trying to resolve the domain name and use the IP address as the peer name instead. For details, see the IPSec man pages:

<quote>
leftid
how the left participant should be identified for authentication; defaults to left. Can be an IP address (in any ipsec_ttoaddr(3) syntax) or a fully-qualified domain name preceded by @ (which is used as a literal string and not resolved).
</quote>


You have to have a connection description with matching [left|right]id's, and matching tunnel specifications (ie: subnet-host, host-host, or subnet-subnet, with identical IPs) to avoid the "No suitable connection" error.

--
Charles Steinkuehler
[EMAIL PROTECTED]
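To make the advice above concrete, here is what the firewall side of the RoadWarrior connection looks like once the participants are identified by literal names instead of IP addresses. This is an added example, not the poster's or the replier's configuration; the names fw.example.com and laptop.example.com and the file paths are assumptions, and the angle-bracket placeholders are the same ones the original post uses. The secret in ipsec.secrets is indexed by the same two IDs, since with authby=secret pluto looks the key up by identity:

```conf
# /etc/ipsec.conf on the LEAF firewall (added example, assumed names)
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    keyingtries=3

conn RoadWarrior
    authby=secret
    left=<FirewallExternalIP>
    # leading "@" makes this a literal ID_FQDN string; it is never resolved
    leftid=@fw.example.com
    leftsubnet=<InternalNetwork>/22
    leftnexthop=<FirewallExternalGateway>
    leftfirewall=yes
    # right stays %any (address unknown in advance); the ID is now what must match
    right=%any
    rightid=@laptop.example.com
    keylife=30m
    auto=add

# /etc/ipsec.secrets on the LEAF firewall: same IDs select the pre-shared key
@fw.example.com @laptop.example.com : PSK "<SharedKey>"
```

The match only succeeds if the client actually sends @laptop.example.com as its Main Mode identity. The log lines in the original post show the notebook sending ID_IPV4_ADDR with its private address, which is exactly what no connection description matches once the packet arrives from the Linksys address; whether the Windows 2000 side can be made to present a name instead depends on the authentication method, as the reply above notes for certificates and RSA keys versus pre-shared secrets. After editing the files, rereading them with `ipsec auto --rereadsecrets` and `ipsec auto --replace RoadWarrior` avoids a full restart of the other, working tunnel.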


leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
