Re: Merging 2 ADSL lines
Sajith wrote:
> Hi, it's Sajith. Is it possible to merge 2 ADSL lines?

Yep, I do this for my company with 2 ADSL lines in load balancing; it is working like a charm.

pf.conf (a part of it):

    # load balance outgoing tcp traffic from internal network.
    pass in on $int_if route-to \
        { ($ext_if0 $ext_gw), ($ext_if1 $ext_gw) } round-robin \
        proto tcp from LAN to any flags S/SA modulate state

    # load balance outgoing udp and icmp traffic from internal network
    pass in on $int_if route-to \
        { ($ext_if0 $ext_gw), ($ext_if1 $ext_gw) } round-robin \
        proto { udp, icmp } from LAN to any keep state

    # general pass out rules for external interfaces
    pass out on $ext_if0 proto tcp from any to any flags S/SA modulate state
    pass out on $ext_if0 proto { udp, icmp } from any to any keep state
    pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
    pass out on $ext_if1 proto { udp, icmp } from any to any keep state

    # route packets sourced from $ext_if1's address back out via $ext_if1,
    # and the same for $ext_if0
    pass out on $ext_if0 route-to ($ext_if1 $ext_gw) from $ext_if1 to any
    pass out on $ext_if1 route-to ($ext_if0 $ext_gw) from $ext_if0 to any

and ppp.conf:

    default:
     set log Phase Chat IPCP CCP tun command
     set redial 15 0
     set reconnect 15 1
     disable acfcomp protocomp
     deny acfcomp
     set mtu max 1492
     set mru max 1492
     set speed sync
     enable lqr
     set lqrperiod 5
     set dial
     set login
     set timeout 0
     enable mssfixup
     disable ipv6cp

    pppoe-0:
     set device !/usr/sbin/pppoe -i re0
     set authname xx
     set authkey xxx
     add! default HISADDR

    pppoe-1:
     set device !/usr/sbin/pppoe -i re1
     set authname
     set authkey
     add! default HISADDR

Hope it helps,
jc

-- 
Jean-Christophe ROIRON
Conseil Général Haute-Loire
Service Informatique
Responsable Technique
Tel : 04-71-07-42-24
Mail : [EMAIL PROTECTED]
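The two "pass out ... route-to" rules at the end of that pf.conf fragment are what keep a packet the firewall itself sends from one uplink's address from leaving through the other uplink's default route (the same return-path problem that breaks IPsec later in this thread). As an added check that is not part of the original mail, the following Python script reads a pf.conf fragment (constructed here from the rules above; the macro definitions at the top are assumed, not from the page), extracts the uplinks named in the route-to ... round-robin pool, and reports any ordered uplink pair that lacks the matching reply-path rule, or a rule that routes one uplink's traffic via the other:

```python
"""Lint a pf.conf fragment for multi-uplink reply-path rules.

When outbound flows are spread over two uplinks with 'route-to {...} round-robin',
a packet the firewall sends from the second uplink's address would follow the
default route out of the first uplink unless a rule of the form

    pass out on $ext_if0 route-to ($ext_if1 $gw1) from $ext_if1 to any

pins it back to its own link. This checker extracts the uplink pool and verifies
that every ordered pair of uplinks has such a rule.
"""
import re
from itertools import permutations

# Constructed sample: macro lines are assumed; the rules follow the posted pf.conf.
SAMPLE_PF_CONF = r"""
int_if  = "re2"
ext_if0 = "tun0"
ext_if1 = "tun1"
# load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to \
    { ($ext_if0 $ext_gw), ($ext_if1 $ext_gw) } round-robin \
    proto tcp from LAN to any flags S/SA modulate state
pass out on $ext_if0 route-to ($ext_if1 $ext_gw) from $ext_if1 to any
pass out on $ext_if1 route-to ($ext_if0 $ext_gw) from $ext_if0 to any
"""

POOL_RE = re.compile(r"route-to\s*\{([^}]*)\}\s*round-robin")
MEMBER_RE = re.compile(r"\(\s*(\$?\w+)\s+\$?[\w.]+\s*\)")
REPLY_RE = re.compile(
    r"^pass\s+out\s+on\s+(\$?\w+)\s+route-to\s*\(\s*(\$?\w+)\s+\$?[\w.]+\s*\)\s+from\s+(\$?\w+)"
)


def logical_lines(text):
    """Join backslash-continued lines, drop comments and blank lines."""
    joined = re.sub(r"\\\n\s*", " ", text)
    out = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(line)
    return out


def uplinks(lines):
    """Interfaces named in any 'route-to { ... } round-robin' pool."""
    found = set()
    for line in lines:
        for pool in POOL_RE.findall(line):
            found.update(MEMBER_RE.findall(pool))
    return found


def reply_path_rules(lines):
    """Set of (on_if, route_to_if, from_if) for 'pass out on X route-to (Y gw) from Z'."""
    rules = set()
    for line in lines:
        m = REPLY_RE.match(line)
        if m:
            rules.add(m.groups())
    return rules


def check_reply_paths(text):
    """Return sorted findings; an empty list means every uplink pair is covered."""
    lines = logical_lines(text)
    rules = reply_path_rules(lines)
    findings = []
    # A reply-path rule must send traffic sourced from Y back out via Y.
    for on_if, via_if, from_if in rules:
        if via_if != from_if:
            findings.append(
                f"rule on {on_if} routes {from_if}-sourced traffic via {via_if}, not back to {from_if}"
            )
    # Every ordered pair (a, b) of pool members needs: pass out on a route-to (b gw) from b.
    for on_if, other in permutations(sorted(uplinks(lines)), 2):
        if (on_if, other, other) not in rules:
            findings.append(
                f"missing: pass out on {on_if} route-to ({other} <gw>) from {other} to any"
            )
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_reply_paths(SAMPLE_PF_CONF) or ["reply paths OK"]:
        print(finding)
```

The check is deliberately syntactic: it does not load the rules into pf, so it can be run against a config file before `pfctl -nf`. It only understands the `{ (if gw), (if gw) } round-robin` pool form used in the mail, not `random` or `source-hash` pools.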
ipsec vpn netgear DG834 : openbsd 4.2 (SOLVED !)
So by the way, the problem was linked with pf.conf. In fact there is something I did not put in my last mail: I am using TWO ADSL PPPoE links on the same PC. I'm doing load balancing for the web access; it's working like a charm.

So there are TWO tun interfaces: tun0 linked with rl0 and rl1 linked with tun1... but ONLY ONE enc0, and here is the problem: I try to connect my VPN through the tun1 interface, but enc0 is linked with tun0! (Bad luck, bad choice, but then I learned something new. :-))

So thanks to the tcpdump output (thanks Christoph Leser) I see that the inbound traffic came in on tun1 but the outbound traffic went through tun0!!! And that's enough to blow away the whole process. So I just changed my ipsec pf settings to listen on tun0 and then the VPN came up!

So thanks to everyone out there for your help.

PS: is it possible to start another enc interface on the other tun interface? Like enc1, I mean?

thanks
jc
ipsec vpn netgear DG834 : openbsd 4.2 (new thread)
New thread, after some new tests... and still the same. Shit!

Here is the LAN/WAN network:

    192.168.0/24 (lan) -- Netgear DG834 (adsl + NAT + ipsec + static IP A)
                                |
                             ---WEB---
                                |
    OpenBSD 4.2 (ipsec.conf + isakmpd.policy + static IP B + NAT) -- 10.7.22.0/24 (lan)

Here are the configs.

Netgear:
    local lan:   192.168.0.0/24
    remote lan:  10.7.22.0/24
    IKE:         direction: initiator respond, mode: main,
                 Diffie-Hellman: Group 2 (1024), local id: WAN IP, remote id: IP
    Params:      crypto algo: 3DES, auth algo: SHA-1,
                 pre shared key: 123456789, SA life time: 36000

OpenBSD:

ipsec.conf:
    ike passive esp tunnel from IP_A to IP_B \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des psk 123456789
    ike dynamic esp tunnel from 192.168.0.0/24 to 10.7.22.0/24 peer IP_A \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des psk 123456789

I have tried passive/dynamic for ike esp... it's the same.

isakmpd.policy:
    KeyNote-Version: 2
    Authorizer: POLICY

pf.conf:
    pass in on $ext_if1 proto udp from $IP_A to $IP_B port {500,4500}
    pass out on $ext_if1 proto udp from $IP_B to $IP_A port {500,4500}
    pass in on $IP_B proto esp from $IP_A to $IP_B
    pass out on $IP_B proto esp from $IP_B to $IP_A
    pass in on enc0 proto ipencap from $IP_A to $IP_B keep state (if-bound)
    pass out on enc0 proto ipencap from $IP_B to $IP_A keep state (if-bound)
    pass in on enc0 from 192.168.0.0/24 to 10.7.22.0/24 keep state (if-bound)
    pass out on enc0 from 10.7.22.0/24 to 192.168.0.0/24 keep state (if-bound)

I have a rule for nat on $IP_B. enc0 is up and running. I start my VPN with:

    isakmpd -dv -D 8=99

And finally here is the trouble. I get this on the isakmpd console:

    151330.400513 Negt 30 message_negotiate_sa: transform 0 proto 1 proposal 0 ok
    151330.400933 Negt 20 ike_phase_1_validate_prop: success
    151330.401046 Negt 30 message_negotiate_sa: proposal 0 succeeded
    151357.435134 Default transport_send_messages: giving up on exchange peer-IP_A, no response from peer IP_A:500

And this on the DG834:

    Fri, 2007-11-23 14:13:30 - [idle] initiating Main Mode
    Fri, 2007-11-23 14:13:40 - [idle] STATE_MAIN_I1: retransmission; will wait 20s for response
    Fri, 2007-11-23 14:14:00 - [idle] STATE_MAIN_I1: retransmission; will wait 40s for response
    Fri, 2007-11-23 14:14:40 - [idle] max number of retransmissions reached STATE_MAIN_I1. No acceptable response to our first IKE message

And finally (as wanted by those who try to help me... thanks), echo p on /var/run/isakmpd.fifo and tcpdump -r /var/run/isakmpd.pcap -vvn:

    tcpdump: WARNING: snaplen raised from 96 to 65536
    11:40:31.600710 IP_A.500 > IP_B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: cb79617a4b409a8f-> msgid: len: 100
        payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 40 proposal: 0 proto: ISAKMP spisz: 0 xforms: 1
                payload: TRANSFORM len: 32 transform: 0 ID: ISAKMP
                    attribute LIFE_TYPE = SECONDS
                    attribute LIFE_DURATION = 3600
                    attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                    attribute HASH_ALGORITHM = SHA
                    attribute AUTHENTICATION_METHOD = PRE_SHARED
                    attribute GROUP_DESCRIPTION = MODP_1024
        payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 128)
    11:40:31.601712 IP_B.500 > IP_A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
        cookie: cb79617a4b409a8f->76316a628a99ce2b msgid: len: 180
        payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
            payload: PROPOSAL len: 40 proposal: 0 proto: ISAKMP spisz: 0 xforms: 1
                payload: TRANSFORM len: 32 transform: 0 ID: ISAKMP
                    attribute LIFE_TYPE = SECONDS
                    attribute LIFE_DURATION = 3600
                    attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                    attribute HASH_ALGORITHM = SHA
                    attribute AUTHENTICATION_METHOD = PRE_SHARED
                    attribute GROUP_DESCRIPTION = MODP_1024
        payload: VENDOR len: 20 (supports OpenBSD-4.0)
        payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
        payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
        payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
        payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 208)

And then nothing.

It is not related to my ISP; I have tried with 2 different ones, it is the same. For me it is around pf.conf, but I can't find where.

jc
ipsec vpn openbsd 4.2 / netgear DG834
OK, here I go. I have read the misc list upside down and right to left, but I can't find a solution to my problem.

Here is the LAN/WAN network:

    192.168.0/24 (lan) -- Netgear DG834 (adsl + NAT + ipsec + static IP A)
                                |
                             ---WEB---
                                |
    OpenBSD 4.2 (ipsec.conf + isakmpd.policy + static IP B + NAT) -- 10.7.22.0/24 (lan)

Very simple: LAN-to-LAN VPN between 2 gateways (DG834 and OpenBSD).

Here are the configs.

Netgear:
    local lan:   192.168.0.0/24
    remote lan:  10.7.22.0/24
    IKE:         direction: initiator respond, mode: main,
                 Diffie-Hellman: Group 2 (1024), local id: WAN IP, remote id: IP
    Params:      crypto algo: 3DES, auth algo: SHA-1,
                 pre shared key: 123456789, SA life time: 36000, PFS active

OpenBSD:

ipsec.conf:
    ike dynamic esp tunnel from IP_B to IP_A \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des group modp1024 \
        psk 123456789
    ike dynamic esp tunnel from 10.7.22.0/24 to 192.168.0.0/24 peer IP_A \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des group modp1024 \
        psk 123456789

I have tried passive/dynamic for ike esp... it's the same.

isakmpd.policy:
    KeyNote-Version: 2
    Authorizer: POLICY

pf.conf:
    pass in quick on $ext_if1 proto udp from $IP_A to $IP_B port {500,4500}
    pass out quick on $ext_if1 proto udp from $IP_B to $IP_A port {500,4500}
    pass in quick on $IP_B proto esp from $IP_A to $IP_B
    pass out quick on $IP_B proto esp from $IP_B to $IP_A
    pass in quick on enc0 proto ipencap from $IP_A to $IP_B keep state (if-bound)
    pass out quick on enc0 proto ipencap from $IP_B to $IP_A keep state (if-bound)
    pass in quick on enc0 from 192.168.0.0/24 to 10.7.22.0/24 keep state (if-bound)
    pass out quick on enc0 from 10.7.22.0/24 to 192.168.0.0/24 keep state (if-bound)

I have a rule for nat on $IP_B. enc0 is up and running. I start my VPN with:

    isakmpd -dv -D 8=99

And finally here is the trouble. I get this on the isakmpd console:

    151330.400513 Negt 30 message_negotiate_sa: transform 0 proto 1 proposal 0 ok
    151330.400933 Negt 20 ike_phase_1_validate_prop: success
    151330.401046 Negt 30 message_negotiate_sa: proposal 0 succeeded
    151357.435134 Default transport_send_messages: giving up on exchange peer-IP_A, no response from peer IP_A:500

And this on the DG834:

    Fri, 2007-11-23 14:13:30 - [idle] initiating Main Mode
    Fri, 2007-11-23 14:13:40 - [idle] STATE_MAIN_I1: retransmission; will wait 20s for response
    Fri, 2007-11-23 14:14:00 - [idle] STATE_MAIN_I1: retransmission; will wait 40s for response
    Fri, 2007-11-23 14:14:40 - [idle] max number of retransmissions reached STATE_MAIN_I1. No acceptable response to our first IKE message

And then I get this sequence again and again. I can't find where the trouble is. I have tried with tcpdump, with echo p on /var/run/isakmpd.fifo and tcpdump -r /var/run/isakmpd.pcap -vvn, but I find nothing relevant...

HELP would be welcome! I can give the tcpdump output, but this mail is long enough for the moment.

JC
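Reading the isakmpd log, the DG834 log and the capture from the "new thread" post together: the OpenBSD side accepted proposal 0 and sent main-mode message 2, while the Netgear kept retransmitting STATE_MAIN_I1, so each side reports the other as silent. The following Python script is an added example, not from the original thread. It parses tcpdump -vvn output of the kind quoted in that post (the sample lines below are constructed from it, abridged, with IP_A/IP_B kept as placeholders), reports the last main-mode step actually seen on the wire with a hint for each stall point, and cross-checks the two log lines quoted above. The stall it detects here is the one the later "SOLVED" mail explains: the reply left on a different link than the request arrived on.

```python
"""Classify where an IKEv1 main-mode exchange stalls, from tcpdump -vvn output.

Reads the capture isakmpd writes after 'echo p > /var/run/isakmpd.fifo', groups
ID_PROT messages by direction, and reports the last main-mode step (MM1..MM6)
that this side saw on the wire.
"""
import re
from collections import Counter

# Constructed sample, abridged from the capture quoted in the thread
# (IP_A is the Netgear, IP_B the OpenBSD box; both are placeholders).
SAMPLE_CAPTURE = """\
11:40:31.600710 IP_A.500 > IP_B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: cb79617a4b409a8f-> msgid: len: 100 payload: SA len: 52 DOI: 1(IPSEC) payload: VENDOR len: 20 (supports DPD v1.0)
11:40:31.601712 IP_B.500 > IP_A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT cookie: cb79617a4b409a8f->76316a628a99ce2b msgid: len: 180 payload: SA len: 52 DOI: 1(IPSEC) payload: VENDOR len: 20 (supports OpenBSD-4.0) payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
"""

# Constructed sample log lines, one from each side, as quoted in the thread.
SAMPLE_ISAKMPD_LOG = ("151357.435134 Default transport_send_messages: giving up on exchange "
                      "peer-IP_A, no response from peer IP_A:500")
SAMPLE_PEER_LOG = "Fri, 2007-11-23 14:13:40 - [idle] STATE_MAIN_I1: retransmission; will wait 20s for response"

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):"
    r".*?isakmp v1\.0 exchange (?P<exch>\S+) cookie: (?P<icookie>[0-9a-f]{16})"
)
PAYLOAD_RE = re.compile(r"payload:\s+([A-Z_]+)")


def parse_capture(text):
    """One dict per ISAKMP message: endpoints, exchange type, initiator cookie, payload types."""
    msgs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            msgs.append({**m.groupdict(), "payloads": PAYLOAD_RE.findall(line)})
    return msgs


def main_mode_steps(msgs):
    """Count main-mode steps per role. Returns (initiator_ip, Counter like {'I:SA': 1, 'R:SA': 1})."""
    id_prot = [m for m in msgs if m["exch"] == "ID_PROT"]
    if not id_prot:
        return None, Counter()
    initiator = id_prot[0]["src"]          # the first ID_PROT message comes from the initiator
    steps = Counter()
    for m in id_prot:
        role = "I" if m["src"] == initiator else "R"
        if "SA" in m["payloads"]:
            steps[f"{role}:SA"] += 1       # MM1 / MM2: SA proposal and choice
        elif "KE" in m["payloads"]:
            steps[f"{role}:KE"] += 1       # MM3 / MM4: DH key exchange and nonces
        else:
            steps[f"{role}:ID"] += 1       # MM5 / MM6: encrypted ID + HASH
    return initiator, steps


def diagnose(text):
    """Return {'initiator', 'stage', 'hint', 'mm1_retransmits'} for a capture taken on the responder."""
    initiator, s = main_mode_steps(parse_capture(text))
    if initiator is None:
        return {"initiator": None, "stage": "no main-mode traffic", "mm1_retransmits": 0,
                "hint": "nothing reached isakmpd: check inbound udp/500 (and 4500) on the interface the peer uses"}
    if s["I:SA"] and not s["R:SA"]:
        stage, hint = "MM1 received, MM2 never sent", "isakmpd did not answer: proposal or peer mismatch in ipsec.conf"
    elif s["R:SA"] and not s["I:KE"]:
        stage = "MM2 sent, MM3 never received"
        hint = ("our reply never reached the initiator: it must leave on the link the request came in on; "
                "check the return path and the pass out rule for udp/500 on that interface")
    elif s["I:KE"] and not s["R:KE"]:
        stage, hint = "MM3 received, MM4 never sent", "local failure after KE: look for isakmpd errors in the log"
    elif s["R:KE"] and not s["I:ID"]:
        stage, hint = "MM4 sent, MM5 never received", "same return-path problem, or the peer rejected our KE"
    else:
        stage, hint = "phase 1 reached ID/HASH", "proposal and DH agreed: check PSK and identities"
    return {"initiator": initiator, "stage": stage, "hint": hint,
            "mm1_retransmits": max(s["I:SA"] - 1, 0)}


def both_sides_waiting(isakmpd_log, peer_log):
    """True when each side reports the other as silent: the classic sign of an asymmetric path."""
    return "no response from peer" in isakmpd_log and "STATE_MAIN_I1: retransmission" in peer_log


if __name__ == "__main__":
    result = diagnose(SAMPLE_CAPTURE)
    print(f"initiator {result['initiator']}: {result['stage']} -> {result['hint']}")
    print("both sides waiting on each other:", both_sides_waiting(SAMPLE_ISAKMPD_LOG, SAMPLE_PEER_LOG))
```

Run it on a real capture with `tcpdump -r /var/run/isakmpd.pcap -vvn > ike.txt` and `diagnose(open("ike.txt").read())`. Because the pcap is written by isakmpd itself, it shows what the daemon sent, not what the wire carried; when the stage is "MM2 sent, MM3 never received", the next step is a tcpdump on each uplink interface to see which one the reply actually left on.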