Use this one; I made a single change here.
Note: I am using Linux:/# as the Linux command prompt below.
IPsec with FreeS/WAN as the server and SSH Sentinel 1.31 as the Windows client
Here is a working config for a road warrior:
1.) I used PSK (or pre-shared secret)
2.) SuSE Linux 8.0 Pro
This is my lab IPsec setup:
Windows 2000 Pro
IP address 192.168.0.50 (a private address); I have SSH Sentinel loaded on
my Win2K
Linux box (SuSE), FreeS/WAN 1.96 compiled, two NICs
IP address 192.168.0.45 255.255.255.0 eth0
IP address 10.1.1.1 255.255.255.0 eth1 (10.1.1.0/255.255.255.0)
Windows 98SE computer sitting on the eth1 segment
IP address 10.1.1.2 255.255.255.0
Gateway 10.1.1.1
I had to set up routing on my Linux box; I used this (note you can't have
ipchains running at the same time as iptables, you can only run one or the other):
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -j ACCEPT
-------------------------------------------------------
Firewall on my eth0, my so-called WAN interface... this also works:
iptables -I INPUT -i eth0 -p tcp --sport 1024: --dport 1723 -j ACCEPT   # PPTP control channel
iptables -I INPUT -i eth0 -p udp --sport 67 --dport 68 -j ACCEPT        # DHCP replies
iptables -I INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT      # IKE (ISAKMP)
iptables -I INPUT -i eth0 -p udp --dport 5050 -j ACCEPT
iptables -I INPUT -i eth0 -p esp -j ACCEPT                              # IPsec ESP
iptables -I INPUT -i eth0 -p ah -j ACCEPT                               # IPsec AH
iptables -I INPUT -i eth0 -p 47 -j ACCEPT                               # GRE (PPTP data)
iptables -P INPUT DROP                                                  # default policy: drop everything else
----------------------------------------------------------------------------
I was now able to ping from 10.1.1.2 to 192.168.0.50 when I brought up the
tunnel.
----------------------------------------------------------------------------
Here is my IPsec config (/etc/ipsec.conf; the parameters under each section
must be indented):
config setup
    # "%defaultroute" works here; "ipsec0=eth0" or "ipsec0=ppp0" also work
    interfaces="%defaultroute"
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes
conn %default
    keyingtries=1
    authby=secret
conn tunnel-one
    type=tunnel
    # my eth0 interface; "%defaultroute" also works
    left=192.168.0.45
    leftnexthop=
    # this is my eth1 segment
    leftsubnet=10.1.1.0/255.255.255.0
    # this is my Windows 2000 Pro box, with SSH Sentinel
    right=%any
    keyexchange=ike
    ikelifetime=240m
    pfs=yes
    keylife=1h
    #rightsubnet=/255.255.255.0
    rightnexthop=
    compress=no
    auto=add
------------------------------------------
Here is my ipsec.secrets config (/etc/ipsec.secrets; keep it readable by root
only, mode 600, since it holds the shared secret):
192.168.0.45 %any: PSK "junk"
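As an added check that is not part of the original post, here is a small Python audit of the two files above: it parses a FreeS/WAN-style ipsec.conf and ipsec.secrets, confirms that every authby=secret conn has a PSK indexed by its left and right IDs, flags a short secret, and points out that right=%any with a PSK means every road warrior must share that one secret. The sample files are constructed to mirror the setup in this post.

```python
import re
# Constructed samples mirroring the post's setup (not the original files).
SAMPLE_CONF = """conn %default
    keyingtries=1
    authby=secret
conn tunnel-one
    left=192.168.0.45
    leftsubnet=10.1.1.0/255.255.255.0
    right=%any
    auto=add
"""
SAMPLE_SECRETS = '192.168.0.45 %any: PSK "junk"\n'

def parse_conf(text):
    """Parse FreeS/WAN-style ipsec.conf: unindented section headers, indented key=value lines."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():       # 'config setup' or 'conn <name>'
            cur = line.strip()
            sections[cur] = {}
        elif cur is not None:
            key, _, val = line.strip().partition('=')
            sections[cur][key.strip()] = val.strip()
    default = sections.get('conn %default', {})   # %default params apply to every conn
    return {n: ({**default, **p} if n.startswith('conn ') else p) for n, p in sections.items()}

def parse_secrets(text):
    """Return [(index_ids, psk)] for lines of the form:  id id: PSK "secret"."""
    pat = re.compile(r'^\s*([^:#]+):\s*PSK\s+"([^"]*)"')
    return [(m.group(1).split(), m.group(2)) for m in map(pat.match, text.splitlines()) if m]

def audit(conf_text, secrets_text, min_psk_len=20):
    """Findings per PSK-authenticated conn: missing entry, short PSK, shared %any secret."""
    findings, secrets = [], parse_secrets(secrets_text)
    for name, p in parse_conf(conf_text).items():
        if not name.startswith('conn ') or name == 'conn %default' or p.get('authby') != 'secret':
            continue
        left, right = p.get('left'), p.get('right')
        psks = [s for ids, s in secrets if left in ids and right in ids]
        if not psks:
            findings.append(f"{name}: no PSK entry indexed by {left} and {right} in ipsec.secrets")
        elif len(psks[0]) < min_psk_len:
            findings.append(f"{name}: PSK is only {len(psks[0])} chars; use a long random secret")
        if right == '%any':
            findings.append(f"{name}: right=%any with authby=secret means all road warriors share one PSK")
    return findings
```

Run audit() on the real /etc/ipsec.conf and /etc/ipsec.secrets contents; on the sample above it reports the 4-character secret and the shared-PSK road warrior setup.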
-------------------------------------------
Here is a map of my network:

Win2K Pro (road warrior, right)        Linux (IPsec gateway)                         Win98SE
192.168.0.50 -------------------->     192.168.0.45  eth0 (left)
                                       10.1.1.1      eth1 (10.1.1.0, leftsubnet) ----> 10.1.1.2
                                                                                       gateway 10.1.1.1
192.168.0.50 could be a DHCP or a private address; I just use that address
in my lab.
I used an Ethernet crossover cable between my W2K Pro and my Linux box.
Remember that you must use the same pre-shared key "junk" when you configure
SSH Sentinel. There is a section at the SSH Sentinel site that shows you how
to configure SSH Sentinel for a pre-shared key.
-------------------------------------------------------------
Installing FreeS/WAN
I would complete these steps from X Windows; you will need to run make config
(command line only) or make xconfig (a GUI way of selecting the kernel options).
1.) Install the kernel source code first (2.4.18)
2.) Install FreeS/WAN from the SuSE CD
3.) cd /usr/src/ [enter]
4.) cd kernel-modules [enter]
5.) cd zz_freeswan [enter]
6.) make menugo [enter] The screen should start scrolling with kernel info
7.) Then cd into this directory, cd /usr/src/linux, and run make xconfig.
    You should see the Linux Kernel Configuration screen.
8.) Click under Networking options
9.) Scroll to the bottom; you should see the IPsec section right after
    Network testing. If you don't, you will need to step back to option 5
    and repeat 5, 6, 7.
10.) I use the default options (IPsec section) checked; I would not change
    anything here
11.) Once everything looks good in the kernel config, click your way
    back using the Main Menu button.
12.) Click the Save and Exit button
13.) Then a box will appear with kernel build instructions; click OK
14.) The menu box will disappear and drop you to the command line.
15.) Now do a make dep [enter] (should take a few mins)
16.) Now do a make clean [enter] (should take a few seconds)
17.) Now do a make bzImage [enter] (this could take a while)
18.) Now do a make modules [enter] (this will take a long time; I have an 800
    MHz machine with 512 MB of RAM and it takes me about 1 hour)
19.) Now do a make modules_install (a few seconds)
20.) Now copy the bzImage file, which is in the directory
    /usr/src/arch/i386/boot, to /boot
Linux:/# cd /
Linux:/# cp /usr/src/arch/i386/boot/bzImage /boot/bzImage [enter] (note the
letter I is capital and the rest is lowercase)
21.) Please verify the bzImage image by the date of when you compiled the
new kernel.
(my kernel is about 980,000 kb, about a meg in size)
Linux:/# ls -la /boot [enter]
22.) You will need to enter the directory /etc
Linux:/# cd /        (root)
Linux:/# cd /etc
23.) From the # type in
Linux:/# pico lilo.conf [enter]
You will need to add another section at the bottom of this config:
image = /boot/bzImage
    label = IPSEC
    initrd = /boot/initrd.suse
Then save your changes by doing a [alt][x] and say yes.
24.) Then you need to run one more command, lilo [enter]
Linux:/# lilo [enter]
Then reboot and select IPSEC as your kernel option.
----------------------------------------------------------------------------
Starting IPsec:
Linux:/# cd /                (change to root)
Linux:/# cd /usr/lib/ipsec
Linux:/# ./setup start       (to start IPsec)
Linux:/# ./setup restart     (to restart the service)
Linux:/# ./setup stop        (to stop IPsec)
____________________________________________________________________________
Note: make sure that from the # you type in ifconfig [enter]
Linux:/# ifconfig
You should see an interface called ipsec0 (tunnel) and it should have the IP
address of either the eth0 (in my case) or the ppp0 (DSL) interface. Every
case will differ.
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list