Hello! I have been building up a Freeswan VPN access point for over a week now and have several questions/problems. Perhaps you can help.

First of all, I am able to ping some internal computers (like Developer), some not (FILE01), and I am able to ping the internal gateway of the VPN server (192.168.0.7).

    Roadwarrior (XP-Notebook)
    (LAN 192.168.0.12, external IP changing)
              |
            ISDN
              |
              V
           Internet
              |
             DSL
              |
              V
    FIREWALL01 with Freeswan and SuSEfirewall2
    (external IP changing but reachable via dyndns, LAN 192.168.0.7)
              |
              v
    LAN (192.168.0.0/24)
              |
              \_______
              v       v
    Developer               FILE01
    192.168.0.11 (XP)       192.168.0.3 (Linux, Samba)

The roadwarrior connects to Freeswan using the Marcus Mueller tool ipsec.exe.

My problems and questions:

1. How can I pass the internal IP address of the roadwarrior (in this case 192.168.0.12) through to the intranet? I think many functions are based on a network IP, like the network shares (/temp) of the Developer computer. I thought the VPN connection connects the roadwarrior virtually to the intranet in such a way that the roadwarrior seems to be a part of the intranet???

2. The second question points in the same direction. I cannot access my private folders on Samba. How is that possible? Direct access from the intranet works :-(

3. I cannot ssh from the roadwarrior to the gateway through the VPN. When I disable the XP firewall, an ssh connection works. That is strange, because I thought the VPN tunnels the output and input ports through the internet.

Most of the documentation and howtos I found end at the point where you can ping the intranet.
And that's exactly the point where my problems start :-(( I would be very happy if you could give me some help :-))

Best regards
Jens

Here are my settings:

============= Freeswan ipsec.conf: ==============

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        leftupdown=/usr/_updown.x509

conn roadwarrior-net
        leftcert=ipcopCert.pem
        left=%defaultroute
        right=%any
        leftsubnet=192.168.0.0/24
        auto=add
        pfs=yes

============= Roadwarrior ipsec.conf: ===============

conn roadwarrior-net
        left=%any
        right=edvspp.dnsalias.net
        rightsubnet=192.168.0.0/24
        rightca="C=de,L=ac,O=snackpointplus,CN=ca"
        network=auto
        auto=start
        pfs=yes

============== My iptables (okok, still learning :-) ==========================

EXTIF=ppp0
INTIF=eth0

iptables -F            # flush all chains
iptables -t nat -F

# === Policy === #
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# === PING / ICMP === #
iptables -A INPUT -i $EXTIF -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -i $EXTIF -p icmp -j ACCEPT
iptables -A INPUT -i $INTIF -p icmp -j ACCEPT
iptables -A OUTPUT -o $INTIF -p icmp -j ACCEPT
iptables -A INPUT -i $EXTIF -p icmp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i $INTIF -p icmp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $INTIF -p icmp -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-reply -j ACCEPT

# === SSH === #
# - general - #
iptables -A INPUT -p TCP --dport 22 -j ACCEPT
iptables -A FORWARD -i $INTIF -o ipsec0 -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i ipsec0 -o $INTIF -p tcp --dport 22 -j ACCEPT
# - internal - #
iptables -A INPUT -s 192.168.0.0/24 -p TCP --dport 22 -j ACCEPT
iptables -A INPUT -i $INTIF -p tcp --dport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $INTIF -p tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
# - external - #
iptables -A INPUT -i $EXTIF -p TCP --dport 22 -j ACCEPT
iptables -A OUTPUT -o $EXTIF -p tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $EXTIF -p tcp --dport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
# - ipsec - #
iptables -A INPUT -i ipsec0 -p tcp --dport 22 -j ACCEPT

# === HTTP SQUID === #
iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-port 3128   # = IMPORTANT = #
iptables -A INPUT -i $INTIF -p tcp --dport 3128 -j ACCEPT                              # = IMPORTANT! = #
iptables -A INPUT -i $EXTIF -m state --state ESTABLISHED -j ACCEPT

# === VPN === #
iptables -A INPUT -i $EXTIF -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A INPUT -i $EXTIF -p 50 -j ACCEPT
iptables -A INPUT -i ipsec0 -j ACCEPT
iptables -A OUTPUT -o ipsec0 -j ACCEPT

# === established === #
iptables -A INPUT -i $INTIF -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i ipsec0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
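Added example (not from Jens's mail, the FreeS/WAN project or SuSEfirewall2): a small Python model of the FORWARD chain exactly as posted (EXTIF=ppp0, INTIF=eth0, policy DROP), evaluated against constructed packets that a roadwarrior on ipsec0 would send toward the LAN and that a LAN host would send back. It matches only the criteria those four FORWARD rules use (interfaces, protocol, ICMP type, TCP destination port) and keeps no connection state, because the posted FORWARD rules use none. Running it shows what the chain, as written, lets through between ipsec0 and eth0: ICMP echo and TCP towards port 22, and nothing else, so an SMB session to FILE01 on 139/445, or a reply packet whose destination is an ephemeral port, falls through to the DROP policy. The hostnames, the port values and the "ssh reply" sample are constructed for the illustration.

```python
"""Toy evaluator for the FORWARD chain of the iptables script in the mail.

Added example, not code from the original post. It models only the match
criteria the posted FORWARD rules actually use (in/out interface, protocol,
ICMP type, TCP destination port) plus the chain's DROP policy.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_if: str                      # interface the packet arrives on
    out_if: str                     # interface it would leave on
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None     # TCP/UDP destination port
    icmp_type: Optional[str] = None # e.g. "echo-request"


@dataclass(frozen=True)
class Rule:
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        # A criterion left as None in the rule matches anything (like an
        # omitted -i/-o/-p/--dport/--icmp-type option in iptables).
        return all(want is None or want == got for want, got in (
            (self.in_if, p.in_if), (self.out_if, p.out_if),
            (self.proto, p.proto), (self.dport, p.dport),
            (self.icmp_type, p.icmp_type)))


# FORWARD rules transcribed in order from the posted script (EXTIF=ppp0, INTIF=eth0).
FORWARD_RULES = [
    Rule("ACCEPT", proto="icmp", icmp_type="echo-request"),
    Rule("ACCEPT", proto="icmp", icmp_type="echo-reply"),
    Rule("ACCEPT", in_if="eth0", out_if="ipsec0", proto="tcp", dport=22),
    Rule("ACCEPT", in_if="ipsec0", out_if="eth0", proto="tcp", dport=22),
]
FORWARD_POLICY = "DROP"


def forward_verdict(p: Packet, rules=FORWARD_RULES, policy=FORWARD_POLICY) -> str:
    """First matching rule wins, as in a netfilter chain; otherwise the policy."""
    for rule in rules:
        if rule.matches(p):
            return rule.target
    return policy


# Constructed sample traffic: roadwarrior packets arrive on ipsec0 and are
# routed out on eth0; LAN replies arrive on eth0 and leave on ipsec0.
SAMPLES = {
    "ping FILE01":            Packet("ipsec0", "eth0", "icmp", icmp_type="echo-request"),
    "ssh Developer":          Packet("ipsec0", "eth0", "tcp", dport=22),
    "smb FILE01 (139)":       Packet("ipsec0", "eth0", "tcp", dport=139),
    "smb FILE01 (445)":       Packet("ipsec0", "eth0", "tcp", dport=445),
    "ssh reply from Developer": Packet("eth0", "ipsec0", "tcp", dport=53122),  # ephemeral port (constructed)
}


def report() -> dict:
    """Verdict of the posted FORWARD chain for every sample flow."""
    return {name: forward_verdict(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:26s} -> {verdict}")
```

The useful check to carry over to a real box is the same one the script performs by hand: for each flow the roadwarrior needs, walk the FORWARD chain in both directions (request and reply) and confirm a rule, or a stateful RELATED,ESTABLISHED rule, accepts it before the policy applies.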