Re: IPSec tunnel problem
Alexey Vatchenko wrote:
> It's because of:
>
>     ike passive esp from 192.168.0.0/24 to any local egress dstid [EMAIL PROTECTED] psk xxx

Yes, it's because of that. But I'm convinced that you don't need that at all.

From what I understand, you just need to give access from some remote network(s) to your office net. Please correct me if you are trying to achieve something else.

Again (see last post):

Home gateway:

    ike dynamic esp from HOME_NET to 192.168.0.0/24 peer OFFICE_EXTERNAL_IP psk xxx

Office gateway:

    ike passive esp from HOME_NET to 192.168.0.0/24 psk xxx

(If you have more than one external network, you can put any instead of HOME_NET or repeat the stanza for each network.)

krgds /markus
Re: IPSec tunnel problem
On 01.03-00:39, Alexey Vatchenko wrote:
> [ ... ]
>
> No, I don't use the same network address for two networks.

Then you need to alter your settings to specify the actual networks that you're using. For example, you could define the remote network to be 192.168.123.123/32 and then route everything for 192.168.0.0/16 through the tunnel. If you define a home network (like 192.168.123.0/24) then you'll need the bypass rule to avoid routing that through the tunnel.

The fact that the tunnel end point moves is irrelevant, but you will need to define a local network alias within the home network (i.e. 192.168.123.123 or something) so that the system knows to route that traffic through the tunnel. For routing you only need to define a route to the office gw system (e.g. 192.168.111.111) for the entire 192.168/16 space.

Note, if your networks don't overlap (i.e. 192.168.123/24 and 192.168.111/24) then you won't need the bypass rule.
Re: IPSec tunnel problem
Markus Wernig wrote:
>> It's because of:
>>
>>     ike passive esp from 192.168.0.0/24 to any local egress dstid [EMAIL PROTECTED] psk xxx
>
> Yes, it's because of that. But I'm convinced that you don't need that at all.
>
> From what I understand, you just need to give access from some remote network(s) to your office net. Please correct me if you are trying to achieve something else.

No, I'm trying to connect HOME_GATEWAY to the office network. I don't want to connect the home network to the office network.

> Again (see last post):
>
> Home gateway:
>
>     ike dynamic esp from HOME_NET to 192.168.0.0/24 peer OFFICE_EXTERNAL_IP psk xxx
>
> Office gateway:
>
>     ike passive esp from HOME_NET to 192.168.0.0/24 psk xxx
>
> (If you have more than one external network, you can put any instead of HOME_NET or repeat the stanza for each network.)

Are you sure that the rule for the office gateway is correct? I think you mean from 192.168.0.0/24 to HOME_NET. And if I put any instead of network addresses I will get the same issue: all outgoing traffic will flow through my home gateway.

--
Alexey Vatchenko
http://www.bsdua.org
Re: IPSec tunnel problem (solved)
Office gateway:

    # cat /etc/ipsec.conf
    ike passive esp from 192.168.0.0/24 to any local egress dstid [EMAIL PROTECTED] psk xxx

Home gateway:

    # cat /etc/ipsec.conf
    ike dynamic esp from egress to 192.168.0.0/24 peer OFFICE_GATEWAY srcid [EMAIL PROTECTED] psk xxx

So, if on the home gateway I specify from any to 192.168.0.0/24, the office gateway creates the flow:

    flow esp in from 0.0.0.0/0 to 192.168.0.0/24 ...

But if I use from egress to 192.168.0.0/24 then all works as expected:

    flow esp in from HOME_GATEWAY to 192.168.0.0/24 ...

So, by making changes in the home gateway configuration I can influence how traffic goes in the office network! I think it's not desired behavior.

Anyway, thanks to all for the help!

--
Alexey Vatchenko
http://www.bsdua.org
Re: IPSec tunnel problem
Hi

From my point of view the problem is that you use the same network range 192.168.0/24 in your home and office. Off the top of my head I'd say that this should not work. The routing entries look a bit scary, actually.

If I had the same setup, I'd try one of the following:
- change the home network to something other than 192.168.0/24
- nat all traffic from the home network on the office gateway to its own internal address

And I'd start out with the simplest of configurations and build from that:

Home gateway:

    ike dynamic esp from HOME_NET to 192.168.0.0/24 peer OFFICE_EXTERNAL_IP psk xxx

Office gateway:

    ike passive esp from HOME_NET to 192.168.0.0/24 psk xxx

krgds /markus

Alexey Vatchenko wrote:
>>     flow esp from 192.168.0.0/24 to 192.168.0.0/24 type bypass
>
> Coming to the office this morning I found out that all the office's outgoing traffic goes through my home gateway. It looks like IPSec created a default route for hosts in the local network.
Re: IPSec tunnel problem
Hi! Thanks for the reply!

Markus Wernig wrote:
> From my point of view the problem is that you use the same network range 192.168.0/24 in your home and office. Off the top of my head I'd say that this should not work. The routing entries look a bit scary, actually.
>
> If I had the same setup, I'd try one of the following:
> - change the home network to something other than 192.168.0/24

No, I don't use the same network address for two networks. Actually, the problem is here (take a look at flow esp out):

    office-gw$ sudo ipsecctl -s all
    FLOWS:
    flow esp in from 0.0.0.0/0 to 192.168.0.0/24 peer HOME_GATEWAY srcid OFFICE_GATEWAY/32 dstid [EMAIL PROTECTED] type use
    flow esp out from 192.168.0.0/24 to 0.0.0.0/0 peer HOME_GATEWAY srcid OFFICE_GATEWAY/32 dstid [EMAIL PROTECTED] type require
    flow esp in from 192.168.0.0/24 to 192.168.0.0/24 type bypass
    flow esp out from 192.168.0.0/24 to 192.168.0.0/24 type bypass

    SAD:
    esp tunnel from HOME_GATEWAY to OFFICE_GATEWAY spi 0x5d3e6f12 auth hmac-sha2-256 enc aes
    esp tunnel from OFFICE_GATEWAY to HOME_GATEWAY spi 0x7072ca39 auth hmac-sha2-256 enc aes

It's because of:

    ike passive esp from 192.168.0.0/24 to any local egress dstid [EMAIL PROTECTED] psk xxx

To any! But what should I use if I don't know the peer's address? How should the ike rule be specified to create a flow with the peer's address instead of 0.0.0.0/0?

--
Alexey Vatchenko
http://www.bsdua.org
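The two misconfigurations in this thread (the catch-all flow that `to any` produces, which turns the peer into the LAN's default route, and a tunnel flow that also swallows LAN-to-LAN traffic unless a bypass flow exists) can both be spotted in the FLOWS section of `ipsecctl -s all`. The following audit script is an added example, not code from the thread or from OpenBSD; the sample output is constructed from the lines posted above (HOME_GATEWAY / OFFICE_GATEWAY kept as placeholders), and the office LAN is assumed to be 192.168.0.0/24.

```python
import ipaddress
import re

# Constructed sample: the FLOWS section of `ipsecctl -s all` as posted in the
# thread, with the HOME_GATEWAY / OFFICE_GATEWAY placeholders kept as in the mail.
SAMPLE_FLOWS = """\
FLOWS:
flow esp in from 0.0.0.0/0 to 192.168.0.0/24 peer HOME_GATEWAY srcid OFFICE_GATEWAY/32 type use
flow esp out from 192.168.0.0/24 to 0.0.0.0/0 peer HOME_GATEWAY srcid OFFICE_GATEWAY/32 type require
flow esp in from 192.168.0.0/24 to 192.168.0.0/24 type bypass
flow esp out from 192.168.0.0/24 to 192.168.0.0/24 type bypass
"""

FLOW_RE = re.compile(
    r"^flow esp (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: peer (?P<peer>\S+))?.*? type (?P<type>\S+)$")


def _net(s):
    return ipaddress.ip_network(s, strict=False)


def parse_flows(text):
    """One dict per 'flow esp ...' line of ipsecctl output; other lines are skipped."""
    matches = (FLOW_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def audit_flows(text, local_net):
    """Return (problem, direction) pairs for flows that misroute LAN traffic."""
    local = _net(local_net)
    flows = parse_flows(text)
    findings = []
    for f in flows:
        if f["type"] == "bypass":
            continue
        src, dst = _net(f["src"]), _net(f["dst"])
        # The far end of a flow is dst for 'out' and src for 'in'. A /0 there is
        # the 'to any' case: every packet leaving (or entering) the LAN is forced
        # through the peer, which is why all office traffic went via the home gw.
        remote = dst if f["dir"] == "out" else src
        if remote.prefixlen == 0:
            findings.append(("catch-all", f["dir"]))
        # A tunnel flow that also matches LAN-to-LAN traffic needs a bypass flow
        # in the same direction, or hosts cannot reach their own gateway.
        if local.subnet_of(src) and local.subnet_of(dst):
            covered = any(b["type"] == "bypass" and b["dir"] == f["dir"]
                          and local.subnet_of(_net(b["src"]))
                          and local.subnet_of(_net(b["dst"])) for b in flows)
            if not covered:
                findings.append(("missing-bypass", f["dir"]))
    return findings


if __name__ == "__main__":
    for problem, direction in audit_flows(SAMPLE_FLOWS, "192.168.0.0/24"):
        print(f"{problem}: {direction} flow")
```

Run against live output with `ipsecctl -s flow | python3 audit.py` after replacing SAMPLE_FLOWS with `sys.stdin.read()`; an empty result means no flow hijacks the LAN's default route and LAN-local traffic stays out of the tunnel.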
Re: IPSec tunnel problem
Hi!

Jeff Quast wrote:
> You need to declare a bypass flow on the side of the network where the router, presumably on 192.168.0.0/24, requires communication to the local network segment also on 192.168.0.0/24. It is probably trying to send this across the tunneled wire, which won't reach its destination.
>
> Create a bypass for flows from 192.168 to 192.168, like so:
>
>     flow esp from 192.168.0.0/24 to 192.168.0.0/24 type bypass

Coming to the office this morning I found out that all the office's outgoing traffic goes through my home gateway. It looks like IPSec created a default route for hosts in the local network.

From `netstat -rn`:

    Encap:
    Source          Port  Destination     Port  Proto  SA(Address/Proto/Type/Direction)
    default         0     192.168.0/24    0     0      77.109.17.213/esp/use/in
    192.168.0/24    0     default         0     0      77.109.17.213/esp/require/out
    192.168.0/24    0     192.168.0/24    0     0      none/esp/bypass/in
    192.168.0/24    0     192.168.0/24    0     0      none/esp/bypass/out

Config file of the office's gateway:

    flow esp from 192.168.0.0/24 to 192.168.0.0/24 type bypass
    ike passive esp from 192.168.0.0/24 to any dstid [EMAIL PROTECTED] psk xxx

As I understand, the problem is in the ``any'' keyword in the second line. But what should it be if the peer's IP is dynamic?

--
Alexey Vatchenko
http://www.bsdua.org
Re: IPSec tunnel problem
Jeff Quast wrote:
> You need to declare a bypass flow on the side of the network where the router, presumably on 192.168.0.0/24, requires communication to the local network segment also on 192.168.0.0/24. It is probably trying to send this across the tunneled wire, which won't reach its destination.
>
> Create a bypass for flows from 192.168 to 192.168, like so:
>
>     flow esp from 192.168.0.0/24 to 192.168.0.0/24 type bypass

That's it! Thanks.

--
Alexey Vatchenko
http://www.bsdua.org
Re: IPSec tunnel problem
Hi

What does the ipsec.conf entry on the Office gateway for the Home gateway look like? IP range of the Home network? Are you trying to use the Home gateway as a relay to get into the Office net from other locations than the Home network? Do you have any NAT rules involved?

ipsecctl -s all on the Office and Home gateways before and after the connection is established could shed some light.

/m

Alexey Vatchenko wrote:
> The problem is when the home gateway establishes an IPSec tunnel with the office gateway, computers from the office network cannot connect to the office gateway (but they still can get Internet through the gateway).
>
> Here is what I do:
>
> Office network: 192.168.0.0/24
>
> ipsec.conf:
>
>     ike passive esp from 192.168.0.0/24 to any local egress dstid [EMAIL PROTECTED] psk xxx
>
> Home ipsec.conf:
>
>     ike dynamic esp from any to 192.168.0.0/24 peer OFFICE_EXTERNAL_IP srcid [EMAIL PROTECTED] psk xxx
>
> So, please, shed some light on what I do wrong.
Re: IPSec tunnel problem
On Sat, Feb 23, 2008 at 05:47:18PM +0200, Alexey Vatchenko wrote:
> Hi guys!
>
> I'm trying to configure an IPSec tunnel between a home gateway and an office gateway. The home gateway has a dynamic IP, the office gateway has a static IP.
>
> The problem is when the home gateway establishes an IPSec tunnel with the office gateway, computers from the office network cannot connect to the office gateway (but they still can get Internet through the gateway).
>
> Here is what I do:
>
> Office network: 192.168.0.0/24
>
> ipsec.conf:
>
>     ike passive esp from 192.168.0.0/24 to any local egress dstid [EMAIL PROTECTED] psk xxx
>
> Home ipsec.conf:
>
>     ike dynamic esp from any to 192.168.0.0/24 peer OFFICE_EXTERNAL_IP srcid [EMAIL PROTECTED] psk xxx
>
> So, please, shed some light on what I do wrong.

You need to declare a bypass flow on the side of the network where the router, presumably on 192.168.0.0/24, requires communication to the local network segment also on 192.168.0.0/24. It is probably trying to send this across the tunneled wire, which won't reach its destination.

Create a bypass for flows from 192.168 to 192.168, like so:

    flow esp from 192.168.0.0/24 to 192.168.0.0/24 type bypass
IPSec tunnel problem
Hi guys!

I'm trying to configure an IPSec tunnel between a home gateway and an office gateway. The home gateway has a dynamic IP, the office gateway has a static IP.

The problem is when the home gateway establishes an IPSec tunnel with the office gateway, computers from the office network cannot connect to the office gateway (but they still can get Internet through the gateway).

Here is what I do:

Office network: 192.168.0.0/24

ipsec.conf:

    ike passive esp from 192.168.0.0/24 to any local egress dstid [EMAIL PROTECTED] psk xxx

Home ipsec.conf:

    ike dynamic esp from any to 192.168.0.0/24 peer OFFICE_EXTERNAL_IP srcid [EMAIL PROTECTED] psk xxx

So, please, shed some light on what I do wrong.

--
Alexey Vatchenko
http://www.bsdua.org