Re: Merging 2 ADSL lines

2007-12-27 Thread jcr

Sajith wrote:
> Hi, it's Sajith.
>
> Is it possible to merge 2 ADSL lines?


Yep, I do this for my company with 2 ADSL lines in load balancing;
it is working like a charm:

pf.conf (a part of it):

#  load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to \
   { ($ext_if0 $ext_gw), ($ext_if1 $ext_gw) } round-robin \
   proto tcp from LAN to any flags S/SA modulate state

#  load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to \
   { ($ext_if0 $ext_gw), ($ext_if1 $ext_gw) } round-robin \
   proto { udp, icmp } from LAN to any keep state


#  general pass out rules for external interfaces
pass out on $ext_if0 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if0 proto { udp, icmp } from any to any keep state
pass out on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out on $ext_if1 proto { udp, icmp } from any to any keep state


#  route packets sourced from $ext_if1's address out $ext_if1 to $ext_gw,
#  and the same for $ext_if0, so replies leave on the link they arrived on
pass out on $ext_if0 route-to ($ext_if1 $ext_gw) from $ext_if1 to any
pass out on $ext_if1 route-to ($ext_if0 $ext_gw) from $ext_if0 to any



and ppp.conf

default:
set log Phase Chat IPCP CCP tun command
set redial 15 0
set reconnect 15 1
disable acfcomp protocomp
deny acfcomp
set mtu max 1492
set mru max 1492
set speed sync
enable lqr
set lqrperiod 5
set dial
set login
set timeout 0
enable mssfixup
disable ipv6cp
pppoe-0:
set device !/usr/sbin/pppoe -i re0
set authname xx
set authkey xxx
add! default HISADDR
pppoe-1:
set device !/usr/sbin/pppoe -i re1
set authname 
set authkey 
add! default HISADDR



Hope it helps,
jc


--
*  ~ Jean-christophe ROIRON ~   *
*  Conseil Général Haute-Loire  *
*  Service Informatique         *
*  Responsable Technique        *
*  Tel : 04-71-07-42-24         *
*  Mail : [EMAIL PROTECTED]     *



ipsec vpn netgear DG834 : openbsd 4.2 (SOLVED !)

2007-11-28 Thread jcr

So, by the way, the problem was linked with pf.conf.

In fact there is something I did not put in my last mail: I'm using
TWO ADSL PPPoE links on the same PC. I'm doing load balancing for the web
access.


It's working like a charm.

So there are TWO tun interfaces: tun0 linked with rl0 and rl1 linked with tun1...

But ONLY ONE enc0... and here is the problem: I try to connect my VPN
through the tun1 interface.


But enc0 is linked with tun0! (Bad luck... bad choice... but then I
learned something new. :-) )


So thanks to the tcpdump output (thanks Christoph Leser) I saw that
the inbound traffic came in on tun1
but the outbound traffic went through tun0!!! And that's enough to blow away
the whole process.



So I just changed my ipsec & pf settings to listen on tun0 and then the
VPN came up!



So thanks everyone out there for your help.

PS: is it possible to start another enc interface on the other tun
interface? Like enc1, I mean?


thanks

jc
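The symptom this post describes (the peer's IKE packets arriving on tun1 while the gateway's replies leave on tun0) can be spotted from captures before touching any configuration. The script below is an added example, not code from the thread or from OpenBSD. It assumes tcpdump output captured on each tun interface separately and prefixed with that interface's name (for instance `tcpdump -nli tun1 udp port 500 or esp | sed 's/^/tun1 /'` run once per link and merged), groups the packets into flows, and flags every flow whose inbound and outbound directions were seen on different interfaces. The sample capture is constructed; 203.0.113.10 stands in for IP_A and 198.51.100.20 for IP_B.

```python
"""Flag IKE/ESP flows whose two directions use different interfaces (added example)."""
import re
from collections import defaultdict

LOCAL_IP = "198.51.100.20"  # constructed stand-in for the OpenBSD gateway, IP_B

# Constructed capture in the assumed "<iface> <tcpdump -n line>" format, mirroring the
# post: the peer (IP_A) reaches us on tun1, our replies go out on tun0; a plain TCP
# connection on tun1 is symmetric and must not be flagged.
SAMPLE_CAPTURE = """\
tun1 11:40:31.600710 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
tun0 11:40:31.601712 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: phase 1 R ident
tun1 11:40:41.600004 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
tun0 11:40:41.601001 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: phase 1 R ident
tun1 11:41:02.120000 IP 192.0.2.7.51234 > 198.51.100.20.80: Flags [S], seq 1, win 65535, length 0
tun1 11:41:02.120900 IP 198.51.100.20.80 > 192.0.2.7.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
"""

# "<iface> <time> IP <src>[.<port>] > <dst>[.<port>]: <rest>"; ESP lines carry no ports.
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<time>\S+)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$"
)


def classify(rest):
    """Label the flow by the protocol tcpdump printed after the addresses."""
    if rest.startswith("isakmp"):
        return "isakmp"
    if rest.startswith("ESP"):
        return "esp"
    return "other"


def parse_capture(text):
    """Turn tagged tcpdump lines into dicts; non-matching lines (banners, warnings) are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = m.groupdict()
        p["sport"] = p["sport"] or ""
        p["dport"] = p["dport"] or ""
        p["proto"] = classify(p["rest"])
        packets.append(p)
    return packets


def flow_key(p):
    """Direction-independent key: protocol plus both endpoints in sorted order."""
    ends = sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])])
    return (p["proto"], ends[0], ends[1])


def find_asymmetric_paths(text, local_ip):
    """Return {flow_key: (inbound_ifaces, outbound_ifaces)} for flows whose directions differ."""
    seen = defaultdict(lambda: {"in": set(), "out": set()})
    for p in parse_capture(text):
        direction = "out" if p["src"] == local_ip else "in"
        seen[flow_key(p)][direction].add(p["iface"])
    return {
        key: (sorted(d["in"]), sorted(d["out"]))
        for key, d in seen.items()
        if d["in"] and d["out"] and d["in"] != d["out"]
    }


if __name__ == "__main__":
    for key, (inbound, outbound) in find_asymmetric_paths(SAMPLE_CAPTURE, LOCAL_IP).items():
        proto, a, b = key
        print(f"{proto} {a[0]}:{a[1]} <-> {b[0]}:{b[1]}: in on {inbound}, out on {outbound}")
```

A flagged isakmp or esp flow is exactly the situation the post ends up fixing: the IPsec and pf settings have to refer to the interface the replies really leave on, or the source address has to be pinned to one link, which is what the route-to rules in the load-balancing post do for the interface addresses.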



ipsec vpn netgear DG834 : openbsd 4.2 (new thread)

2007-11-27 Thread jcr

New thread, after some new tests...

And still the same... shit!

Here is the LAN/WAN network:


192.168.0.0/24 (lan) -- Netgear DG834 (adsl + NAT + ipsec + fixed IP A)
                               |
                            ---WEB---
                               |
                         OpenBSD 4.2 (ipsec.conf + isakmpd.policy + fixed IP B + NAT) -- 10.7.22.0/24 (lan)



Here are the configs:

Netgear:

local lan : 192.168.0.0/24
remote lan : 10.7.22.0/24
IKE :
direction : initiator & respond
mode : main
Diffie-Hellman : Group 2 (1024)
local id : IP wan
remote id : IP

Params
Crypto algo : 3DES
Auth algo : SHA-1
pre shared key : 123456789
SA life time : 36000


OpenBSD:
ipsec.conf

ike passive esp tunnel from IP_A to IP_B \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des psk 123456789

ike dynamic esp tunnel from 192.168.0.0/24 to 10.7.22.0/24 peer IP_A \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des psk 123456789

I have tried passive & dynamic for ike esp... it's the same.

isakmpd.policy

KeyNote-Version: 2
Authorizer: POLICY

pf.conf

pass in on $ext_if1 proto udp from $IP_A to $IP_B port {500,4500}
pass out on $ext_if1 proto udp from $IP_B to $IP_A port {500,4500}

pass in  on $IP_B proto esp from $IP_A to $IP_B
pass out on $IP_B proto esp from $IP_B to $IP_A

pass in on enc0 proto ipencap from $IP_A to $IP_B keep state (if-bound)
pass out on enc0 proto ipencap from $IP_B to $IP_A keep state (if-bound)

pass in on enc0 from 192.168.0.0/24 to 10.7.22.0/24 keep state (if-bound)
pass out on enc0 from 10.7.22.0/24 to 192.168.0.0/24 keep state (if-bound)

I have a rule for NAT on $IP_B.


enc0 is up and running.

I start my VPN with

isakmpd -dv -D 8=99


And finally, here is the trouble; I got this on the isakmpd console:

151330.400513 Negt 30 message_negotiate_sa: transform 0 proto 1 proposal 0 ok
151330.400933 Negt 20 ike_phase_1_validate_prop: success
151330.401046 Negt 30 message_negotiate_sa: proposal 0 succeeded
151357.435134 Default transport_send_messages: giving up on exchange peer-IP_A, no response from peer IP_A:500


And this on the DG834:

Fri, 2007-11-23 14:13:30 - [idle] initiating Main Mode
Fri, 2007-11-23 14:13:40 - [idle] STATE_MAIN_I1: retransmission; will wait 20s for response
Fri, 2007-11-23 14:14:00 - [idle] STATE_MAIN_I1: retransmission; will wait 40s for response
Fri, 2007-11-23 14:14:40 - [idle] max number of retransmissions reached STATE_MAIN_I1.  No acceptable response to our first IKE message



And finally (as wanted by those who try to help me... thanks):

echo p on > /var/run/isakmpd.fif and tcpdump -r /var/run/isakmpd.pcap -vvn



tcpdump: WARNING: snaplen raised from 96 to 65536
11:40:31.600710 IP_A.500 > IP_B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
   cookie: cb79617a4b409a8f-> msgid:  len: 100
   payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
   payload: PROPOSAL len: 40 proposal: 0 proto: ISAKMP spisz: 0 xforms: 1
   payload: TRANSFORM len: 32
   transform: 0 ID: ISAKMP
   attribute LIFE_TYPE = SECONDS
   attribute LIFE_DURATION = 3600
   attribute ENCRYPTION_ALGORITHM = 3DES_CBC
   attribute HASH_ALGORITHM = SHA
   attribute AUTHENTICATION_METHOD = PRE_SHARED
   attribute GROUP_DESCRIPTION = MODP_1024
   payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 128)
11:40:31.601712 IP_B.500 > IP_A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
   cookie: cb79617a4b409a8f->76316a628a99ce2b msgid:  len: 180
   payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
   payload: PROPOSAL len: 40 proposal: 0 proto: ISAKMP spisz: 0 xforms: 1
   payload: TRANSFORM len: 32
   transform: 0 ID: ISAKMP
   attribute LIFE_TYPE = SECONDS
   attribute LIFE_DURATION = 3600
   attribute ENCRYPTION_ALGORITHM = 3DES_CBC
   attribute HASH_ALGORITHM = SHA
   attribute AUTHENTICATION_METHOD = PRE_SHARED
   attribute GROUP_DESCRIPTION = MODP_1024
   payload: VENDOR len: 20 (supports OpenBSD-4.0)
   payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
   payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
   payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
   payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 208)



And then nothing.

It is not related to my ISP; I have tried with 2 different ones... it is the same.


For me it is around pf.conf... but I can't find where.

jc
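Both troubleshooting posts (this one and the original of 2007-11-23 below) show the same picture: isakmpd reports that proposal 0 succeeded and then gives up waiting, the DG834 reports that it never got an acceptable answer to its first message, and the capture holds two ISAKMP messages per attempt. The script below is an added example, not code from the thread or from isakmpd. It parses the `tcpdump -r /var/run/isakmpd.pcap -vvn` rendering used above, works out which Main Mode message (MM1 to MM6) each packet is from its direction, cookies and cleartext payloads, and reports how far each exchange got together with the usual meaning of a stall at that step, seen from the responder. The trace is constructed after the thread's output: 203.0.113.10 stands in for IP_A and 198.51.100.20 for IP_B, the cookie values are the ones printed in the post, the responder cookie is assumed to print as zeros in MM1 (or be absent), and the payload lines are abbreviated. The diagnosis strings are general IKEv1 troubleshooting rules, not something the thread states.

```python
"""Infer how far an IKEv1 Main Mode exchange got from tcpdump -vvn output (added example)."""
import re

# Constructed trace modelled on the thread's output; 203.0.113.10 = IP_A, 198.51.100.20 = IP_B.
SAMPLE_TRACE = """\
tcpdump: WARNING: snaplen raised from 96 to 65536
11:40:31.600710 203.0.113.10.500 > 198.51.100.20.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
\tcookie: cb79617a4b409a8f->0000000000000000 msgid: 00000000 len: 100
\tpayload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
\tpayload: PROPOSAL len: 40 proposal: 0 proto: ISAKMP spisz: 0 xforms: 1
\tpayload: VENDOR len: 20 (supports DPD v1.0)
11:40:31.601712 198.51.100.20.500 > 203.0.113.10.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
\tcookie: cb79617a4b409a8f->76316a628a99ce2b msgid: 00000000 len: 180
\tpayload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
\tpayload: PROPOSAL len: 40 proposal: 0 proto: ISAKMP spisz: 0 xforms: 1
\tpayload: VENDOR len: 20 (supports NAT-T, RFC 3947)
11:40:41.603001 203.0.113.10.500 > 198.51.100.20.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
\tcookie: cb79617a4b409a8f->0000000000000000 msgid: 00000000 len: 100
\tpayload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
11:40:41.603902 198.51.100.20.500 > 203.0.113.10.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
\tcookie: cb79617a4b409a8f->76316a628a99ce2b msgid: 00000000 len: 180
\tpayload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
"""

HEADER_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):.*isakmp v1\.0 exchange (?P<exch>\S+)"
)
# The responder cookie may be printed as zeros or be absent in the first message (assumption).
COOKIE_RE = re.compile(r"cookie:\s*(?P<icookie>[0-9a-f]{16})->(?P<rcookie>[0-9a-f]{16})?")
PAYLOAD_RE = re.compile(r"payload:\s*(?P<name>[A-Z_]+)")

# What a Main Mode exchange that stops after message N usually means, seen from the responder.
DIAGNOSIS = {
    1: "only MM1 from the initiator: the responder never replied (proposal/policy rejected "
       "or isakmpd not listening on that address; check the isakmpd log)",
    2: "MM2 was sent but MM3 never came back: the initiator did not receive the reply; check "
       "the path the reply takes out of the responder (egress interface/route, NAT, udp/500 out)",
    3: "MM3 received but MM4 never sent: the responder failed in the key exchange (isakmpd log)",
    4: "MM4 was sent but MM5 never came back: initiator did not receive MM4 (same reply-path checks)",
    5: "MM5 received but MM6 never sent: authentication failed on the responder (PSK or ID mismatch)",
    6: "Main Mode completed; if the tunnel is still down, look at Quick Mode next",
}


def parse_isakmp(text):
    """Collect one dict per ISAKMP message: header fields, cookies, cleartext payload names."""
    messages = []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            messages.append({**h.groupdict(), "icookie": None, "rcookie": None, "payloads": []})
            continue
        if not messages:
            continue  # banner or warning before the first packet
        c = COOKIE_RE.search(line)
        if c:
            messages[-1]["icookie"] = c.group("icookie")
            messages[-1]["rcookie"] = c.group("rcookie")
            continue
        p = PAYLOAD_RE.search(line)
        if p:
            messages[-1]["payloads"].append(p.group("name"))
    return messages


def main_mode_number(msg, initiator):
    """Map a Main Mode message to its position 1..6 from direction, cookies and cleartext payloads."""
    from_initiator = msg["src"] == initiator
    rcookie_unset = not msg["rcookie"] or msg["rcookie"].strip("0") == ""
    if "SA" in msg["payloads"]:
        return 1 if rcookie_unset else 2
    if "KE" in msg["payloads"]:
        return 3 if from_initiator else 4
    return 5 if from_initiator else 6  # MM5/MM6 are encrypted: no cleartext payloads


def analyse_exchange(text):
    """Per initiator cookie: peers, message count, highest Main Mode message reached, diagnosis."""
    report = {}
    for m in parse_isakmp(text):
        if m["exch"] != "ID_PROT" or m["icookie"] is None:
            continue
        ex = report.setdefault(m["icookie"], {
            "initiator": m["src"], "responder": m["dst"], "messages": 0, "highest": 0,
        })
        ex["messages"] += 1
        ex["highest"] = max(ex["highest"], main_mode_number(m, ex["initiator"]))
    for ex in report.values():
        # Every message beyond one per step reached is a retransmission of an earlier step.
        ex["retransmissions"] = ex["messages"] - ex["highest"]
        ex["diagnosis"] = DIAGNOSIS[ex["highest"]]
    return report


if __name__ == "__main__":
    for cookie, ex in analyse_exchange(SAMPLE_TRACE).items():
        print(f"{cookie}: {ex['initiator']} -> {ex['responder']}, {ex['messages']} messages "
              f"({ex['retransmissions']} retransmitted), reached MM{ex['highest']}")
        print("  " + ex["diagnosis"])
```

For this trace the result is "reached MM2": the responder answered, so the proposal and policy are fine, and the thing to inspect is where the reply went, which is what the "(SOLVED !)" post eventually found.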



ipsec vpn openbsd 4.2 / netgear DG834

2007-11-23 Thread jcr

Ok, here I go.

I have read the misc list upside down and right to left, but I can't
find a solution to my problem.


Here is the LAN/WAN network:


192.168.0.0/24 (lan) -- Netgear DG834 (adsl + NAT + ipsec + fixed IP A)
                               |
                            ---WEB---
                               |
                         OpenBSD 4.2 (ipsec.conf + isakmpd.policy + fixed IP B + NAT) -- 10.7.22.0/24 (lan)


Very simple: LAN-to-LAN VPN between 2 GWs (DG834 & OBSD).


Here are the configs:

Netgear:

local lan : 192.168.0.0/24
remote lan : 10.7.22.0/24
IKE :
direction : initiator & respond
mode : main
Diffie-Hellman : Group 2 (1024)
local id : IP wan
remote id : IP

Params
Crypto algo : 3DES
Auth algo : SHA-1
pre shared key : 123456789
SA life time : 36000
PFS : active


OpenBSD:
ipsec.conf

ike dynamic esp tunnel from IP_B to IP_A \
  main auth hmac-sha1 enc 3des group modp1024 \
  quick auth hmac-sha1 enc 3des group modp1024 \
  psk 123456789
ike dynamic esp tunnel from 10.7.22.0/24 to 192.168.0.0/24 peer IP_A \
  main auth hmac-sha1 enc 3des group modp1024 \
  quick auth hmac-sha1 enc 3des group modp1024 \
  psk 123456789

I have tried passive & dynamic for ike esp... it's the same.

isakmpd.policy

KeyNote-Version: 2
Authorizer: POLICY

pf.conf

pass in quick on $ext_if1 proto udp from $IP_A to $IP_B port {500,4500}
pass out quick on $ext_if1 proto udp from $IP_B to $IP_A port {500,4500}

pass in quick on $IP_B proto esp from $IP_A to $IP_B
pass out quick on $IP_B proto esp from $IP_B to $IP_A

pass in quick on enc0 proto ipencap from $IP_A to $IP_B keep state (if-bound)
pass out quick on enc0 proto ipencap from $IP_B to $IP_A keep state (if-bound)

pass in quick on enc0 from 192.168.0.0/24 to 10.7.22.0/24 keep state (if-bound)
pass out quick on enc0 from 10.7.22.0/24 to 192.168.0.0/24 keep state (if-bound)



I have a rule for NAT on $IP_B.


enc0 is up and running.

I start my VPN with

isakmpd -dv -D 8=99


And finally, here is the trouble; I got this on the isakmpd console:

151330.400513 Negt 30 message_negotiate_sa: transform 0 proto 1 proposal 0 ok
151330.400933 Negt 20 ike_phase_1_validate_prop: success
151330.401046 Negt 30 message_negotiate_sa: proposal 0 succeeded
151357.435134 Default transport_send_messages: giving up on exchange peer-IP_A, no response from peer IP_A:500


And this on the DG834:

Fri, 2007-11-23 14:13:30 - [idle] initiating Main Mode
Fri, 2007-11-23 14:13:40 - [idle] STATE_MAIN_I1: retransmission; will wait 20s for response
Fri, 2007-11-23 14:14:00 - [idle] STATE_MAIN_I1: retransmission; will wait 40s for response
Fri, 2007-11-23 14:14:40 - [idle] max number of retransmissions reached STATE_MAIN_I1.  No acceptable response to our first IKE message



And then I have this sequence over and over.


I can't find where the trouble is.

I have tried with tcpdump, with: echo p on > /var/run/isakmpd.fif
and tcpdump -r /var/run/isakmpd.pcap -vvn


But I find nothing relevant...


HELP would be welcome!

I can give the tcpdump output... but this mail is long enough for the
moment.


JC


