From: Marco on 25 Nov 2006 06:44

Hi all,

I have 3 Linux boxes that I want to connect by an IPsec VPN: I mean fw1 connects with fw2 and fw1 connects with fw3. Here is the ipsec.conf of fw1:

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=all
    plutodebug=all
    # "control parsing"
    nat_traversal=yes

conn fw1fw2
    left=217.57.85.18
    leftsubnet=217.57.85.16/255.255.255.248
    leftrsasigkey=0sAQP0UhWiH...
    leftnexthop=217.57.85.17
    right=88.51.97.34
    rightsubnet=88.51.97.32/255.255.255.248
    rightrsasigkey=0sAQNxXhUNwUKfNH....
    rightnexthop=88.51.97.33
    # correct in many situations
    auto=add

conn fw1fw3
    left=217.57.85.18
    leftsubnet=217.57.85.16/255.255.255.248
    leftrsasigkey=0sAQP0UhWiHm...
    leftnexthop=217.57.85.17
    right=88.46.243.74
    rightsubnet=88.46.243.72/255.255.255.248
    rightrsasigkey=0sAQNZwcN5mfKB6lctl...
    rightnexthop=88.46.243.73
    # correct in many situations
    auto=add
    # authorizes but doesn't start

include /etc/ipsec.d/*.conf

The included file is no_oe.conf.

So if I start the first connection I get:

[root@fw1 ~]# ipsec auto --verbose --up fw1fw2
002 "fw1fw2" #1: initiating Main Mode
104 "fw1fw2" #1: STATE_MAIN_I1: initiate
003 "fw1fw2" #1: received Vendor ID payload [Openswan (this version) 2.4.5 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "fw1fw2" #1: received Vendor ID payload [Dead Peer Detection]
002 "fw1fw2" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "fw1fw2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
002 "fw1fw2" #1: I did not send a certificate because I do not have one.
002 "fw1fw2" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "fw1fw2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "fw1fw2" #1: Main mode peer ID is ID_IPV4_ADDR: '88.51.97.34'
002 "fw1fw2" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "fw1fw2" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
002 "fw1fw2" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
117 "fw1fw2" #2: STATE_QUICK_I1: initiate
002 "fw1fw2" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "fw1fw2" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x84f7df29 <0x2052a452 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}

It seems ok, but if I try to ping from 192.168.1.1 to 192.168.2.250 I get:

[root@192.168.1.1 ~]# ping 192.168.2.250
PING 192.168.2.250 (192.168.2.250) 56(84) bytes of data.
From 82.186.69.157 icmp_seq=1 Packet filtered
From 82.186.69.157 icmp_seq=2 Packet filtered
From 82.186.69.157 icmp_seq=3 Packet filtered

and also:

[root@192.168.1.1 ~]# telnet 192.168.2.250 5900
Trying 192.168.2.250...
telnet: connect to address 192.168.2.250: No route to host

Why? Do you have any suggestion?

Here is the status:

[root@fw1 ~]# ipsec auto --verbose --status
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 217.57.85.18
000 interface eth1/eth1 192.168.1.254
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "fw1fw2": 217.57.85.16/29===217.57.85.18---217.57.85.17...88.51.97.33---88.51.97.34===88.51.97.32/29; erouted; eroute owner: #2
000 "fw1fw2": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "fw1fw2": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "fw1fw2": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 29,29; interface: eth0;
000 "fw1fw2": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "fw1fw2": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "fw1fw3": 217.57.85.16/29===217.57.85.18---217.57.85.17...88.46.243.73---88.46.243.74===88.46.243.72/29; unrouted; eroute owner: #0
000 "fw1fw3": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "fw1fw3": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "fw1fw3": policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 29,29; interface: eth0;
000 "fw1fw3": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #2: "fw1fw2":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27376s; newest IPSEC; eroute owner
000 #2: "fw1fw2" esp.84f7df29@88.51.97.34 esp.2052a452@217.57.85.18 tun.0@88.51.97.34 tun.0@217.57.85.18
000 #1: "fw1fw2":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2180s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
From: Jeroen Geilman on 25 Nov 2006 15:11

Marco wrote:
> Hi all, I have 3 Linux boxes that I want to connect by an IPsec VPN: I
> mean fw1 connects with fw2 and fw1 connects with fw3. Here is ipsec.conf
> [root@192.168.1.1 ~]# telnet 192.168.2.250 5900
> Trying 192.168.2.250...
> telnet: connect to address 192.168.2.250: No route to host
>
> Why? Do you have any suggestion?

Yes: run route -n and enlighten yourself with your routing table.

The above means exactly nothing without knowing what your network looks like.

--
All your bits are belong to us.
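Alongside checking the routing table, a useful sanity check in a case like this one is to compare the traffic you are testing against the tunnel's own selectors: Openswan only eroutes packets whose source is inside leftsubnet and whose destination is inside rightsubnet, and anything else takes the ordinary route in the clear. The script below is an added example (not from this thread or from Openswan); it parses the connection summary lines in the format that "ipsec auto --status" printed above (the two lines are constructed copies of those in the thread) and reports whether a given source/destination pair would be covered by an erouted connection.

```python
import ipaddress
import re

# Constructed sample: connection summary lines as printed by
# "ipsec auto --status" (Openswan 2.4.x), copied from the thread above.
STATUS_LINES = """\
000 "fw1fw2": 217.57.85.16/29===217.57.85.18---217.57.85.17...88.51.97.33---88.51.97.34===88.51.97.32/29; erouted; eroute owner: #2
000 "fw1fw3": 217.57.85.16/29===217.57.85.18---217.57.85.17...88.46.243.73---88.46.243.74===88.46.243.72/29; unrouted; eroute owner: #0
"""

# leftsubnet===left---leftnexthop...rightnexthop---right===rightsubnet; state;
CONN_RE = re.compile(
    r'^000 "(?P<name>[^"]+)": (?P<lsub>[\d./]+)===(?P<left>[\d.]+)---[\d.]+'
    r'\.\.\.[\d.]+---(?P<right>[\d.]+)===(?P<rsub>[\d./]+); (?P<state>\w+);'
)


def parse_status(text):
    """Return {conn_name: (leftsubnet, rightsubnet, is_erouted)} from status output."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns[m["name"]] = (
                ipaddress.ip_network(m["lsub"]),
                ipaddress.ip_network(m["rsub"]),
                m["state"] == "erouted",
            )
    return conns


def covering_conn(conns, src, dst):
    """Name of the connection whose selectors cover src -> dst, or None.
    None means the packet never enters a tunnel and follows the plain
    routing table, which is what 'route -n' will then show you."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, (lsub, rsub, _erouted) in conns.items():
        if s in lsub and d in rsub:
            return name
    return None


if __name__ == "__main__":
    conns = parse_status(STATUS_LINES)
    for src, dst in (("192.168.1.1", "192.168.2.250"), ("217.57.85.19", "88.51.97.35")):
        name = covering_conn(conns, src, dst)
        state = "erouted" if name and conns[name][2] else "unrouted"
        print(f"{src} -> {dst}: {name + ' (' + state + ')' if name else 'NOT covered by any tunnel'}")
```

A pair that is not covered, like the 192.168.x addresses Marco is pinging between, is handled by the normal routing table and any filtering on that path, regardless of whether the IPsec SA came up.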