LinuxQuestions.org
2.6 IPSEC Tunnel mode gateway

02-18-2004, 01:24 PM   #1
mhiggins


I am having trouble getting traffic through an ipsec gateway in tunnel
mode. I have a client on a private net connecting to a 2.6 gateway
running iptables and ipsec. What I would like to happen is all traffic
from the client is encrypted and sent down the tunnel to the gateway
where it is decrypted then sent off to the Internet then back. This is
being done on a wired net now for testing but the ultimate goal is to
replace WEP with ipsec for my wireless clients. I am able to pass
traffic through the gateway when the security policy is disabled. I
can also establish a tunnel and pass traffic between the gateway and
the client but no further.

** Note: the iptables script is overly simple, to avoid confusion, but
it works for now.

I am using the KAME tools in userland, here are the configs.


The gateway is 10.0.0.1
The client is 10.0.0.99

########################
#
#Client Configuration
#
########################
linux-2.6.2
#############
ipsec.conf
#############
#!/usr/local/sbin/setkey -f
flush;
spdflush;

spdadd 10.0.0.99/32 0.0.0.0/0 any -P out ipsec
esp/tunnel/10.0.0.99-10.0.0.1/require;

# Inbound policy: the tunnel runs from the gateway (10.0.0.1) to this
# client (10.0.0.99). The posted line read 10.0.0.1-10.0.0.1, which names
# the gateway as both tunnel endpoints and cannot match the gateway's
# outbound entry; corrected here so the two SPDs mirror each other.
spdadd 0.0.0.0/0 10.0.0.99/32 any -P in ipsec
esp/tunnel/10.0.0.1-10.0.0.99/require;


###########
racoon.conf
############
path pre_shared_key "/etc/racoon/psk.txt";
listen {
isakmp 10.0.0.99;
}


# "anonymous" accepts any peer address; with pre-shared keys the entry in
# psk.txt is looked up by the peer's IP, so both hosts need matching keys.
remote anonymous {
exchange_mode main;
# Phase 1 proposal. 3DES, MD5 and DH group 2 were the common choice in 2004;
# where both peers support it, prefer aes and a SHA-2 hash_algorithm. The
# proposal must be identical on the gateway or phase 1 will fail.
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo anonymous {
#lifetime time 2 min;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}

########################
#
#Gateway Configuration
#
########################
linux-2.6.0
###########
ipsec.conf
###########
#!/usr/local/sbin/setkey -f
flush;
spdflush;
spdadd 10.0.0.99/32 0.0.0.0/0 any -P in ipsec
esp/tunnel/10.0.0.99-10.0.0.1/require;

spdadd 0.0.0.0/0 10.0.0.99/32 any -P out ipsec
esp/tunnel/10.0.0.1-10.0.0.99/require;

############
racoon.conf
############
path pre_shared_key "/etc/racoon/psk.txt";
listen {
isakmp 10.0.0.1;
}


# Same phase 1 proposal as the client; the two must match exactly.
remote anonymous {
exchange_mode main;
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo anonymous {
#lifetime time 2 min;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}

##################
ip tables script
##################
#!/bin/sh
# EXT is assumed to be the Internet-facing interface; the posted script
# defined it but never used it, so MASQUERADE applied on every interface.
EXT="eth0"
LAN="10.0.0.0/24"


#Set up tables
/usr/sbin/iptables -F FORWARD
/usr/sbin/iptables -F INPUT
/usr/sbin/iptables -F OUTPUT

#allow all
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -P FORWARD ACCEPT

#NAT On: masquerade only non-LAN traffic leaving via the external interface.
#Decrypted tunnel traffic from 10.0.0.99 is forwarded and NATed here; the
#replies are de-NATed and then hit the "out" SPD entry for 10.0.0.99/32,
#which sends them back down the tunnel. "! -d" is the current negation
#syntax (the older "-d !" form is rejected by modern iptables).
/usr/sbin/iptables -t nat -F POSTROUTING
/usr/sbin/iptables -t nat -A POSTROUTING -o $EXT ! -d $LAN -j MASQUERADE
/usr/sbin/iptables -A FORWARD -s $LAN -j ACCEPT
/usr/sbin/iptables -A FORWARD -d $LAN -j ACCEPT
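The two SPD scripts above have to be exact mirrors of each other: the gateway's "in" entry for 10.0.0.99 -> 0.0.0.0/0 must name the same tunnel endpoints as the client's "out" entry, and every entry on one host must claim the same address as that host's own tunnel end. The posted client config has an inbound entry with 10.0.0.1 at both ends of the tunnel, which breaks exactly that. The script below is an added example, not code from the original post or from ipsec-tools; it parses setkey `spdadd` statements in the form used here and reports such mismatches. The sample configs are constructed from the post (the client one with its original typo) and embedded so it runs offline.

```python
"""Cross-check a client's and a gateway's setkey SPD entries.

Added example, not from the original post. It parses two-line ``spdadd``
statements of the form used in the post and checks that (a) each host's
policies agree on which address is the local tunnel endpoint and (b) every
policy on one side has a matching entry on the other side for the same flow
with only the direction flipped.
"""
import re
from dataclasses import dataclass, replace

# One spdadd statement; \s+ also spans the line break between "ipsec" and "esp/".
SPD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+(?P<dir>in|out)"
    r"\s+ipsec\s+(?:esp|ah)/tunnel/(?P<tsrc>[\d.]+)-(?P<tdst>[\d.]+)"
    r"/(?P<level>\w+)\s*;"
)


@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    proto: str
    direction: str
    tunnel_src: str
    tunnel_dst: str
    level: str

    def peer_view(self):
        """The same flow as the other tunnel endpoint must describe it."""
        return replace(self, direction="in" if self.direction == "out" else "out")

    def local_endpoint(self):
        """Outbound packets are encapsulated from our address, inbound ones to it."""
        return self.tunnel_src if self.direction == "out" else self.tunnel_dst


def parse_spd(text):
    """Return the Policy objects found in a setkey -f script (comments ignored)."""
    no_comments = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    return [
        Policy(m["src"], m["dst"], m["proto"], m["dir"], m["tsrc"], m["tdst"], m["level"])
        for m in SPD_RE.finditer(no_comments)
    ]


def local_endpoints(policies):
    """Set of addresses a host's policies claim as its own tunnel endpoint."""
    return {p.local_endpoint() for p in policies}


def check_spds(client_text, gateway_text):
    """Return a list of problems; an empty list means the two SPDs agree."""
    client, gateway = parse_spd(client_text), parse_spd(gateway_text)
    problems = []
    for name, pols in (("client", client), ("gateway", gateway)):
        ends = local_endpoints(pols)
        if len(ends) > 1:
            problems.append(f"{name}: policies disagree on the local tunnel endpoint: {sorted(ends)}")
        for p in pols:
            if p.tunnel_src == p.tunnel_dst:
                problems.append(f"{name}: {p.direction} {p.src}->{p.dst} has both tunnel ends = {p.tunnel_src}")
    for name, pols, other in (("client", client, set(gateway)), ("gateway", gateway, set(client))):
        for p in pols:
            if p.peer_view() not in other:
                problems.append(f"{name}: {p.direction} {p.src}->{p.dst} via "
                                f"{p.tunnel_src}-{p.tunnel_dst} has no matching entry on the other side")
    return problems


# Sample input constructed from the post (client config with its original typo).
CLIENT_SPD = """#!/usr/local/sbin/setkey -f
flush;
spdflush;
spdadd 10.0.0.99/32 0.0.0.0/0 any -P out ipsec
esp/tunnel/10.0.0.99-10.0.0.1/require;
spdadd 0.0.0.0/0 10.0.0.99/32 any -P in ipsec
esp/tunnel/10.0.0.1-10.0.0.1/require;
"""
CLIENT_SPD_FIXED = CLIENT_SPD.replace("10.0.0.1-10.0.0.1", "10.0.0.1-10.0.0.99")
GATEWAY_SPD = """#!/usr/local/sbin/setkey -f
flush;
spdflush;
spdadd 10.0.0.99/32 0.0.0.0/0 any -P in ipsec
esp/tunnel/10.0.0.99-10.0.0.1/require;
spdadd 0.0.0.0/0 10.0.0.99/32 any -P out ipsec
esp/tunnel/10.0.0.1-10.0.0.99/require;
"""

if __name__ == "__main__":
    for label, cfg in (("as posted", CLIENT_SPD), ("fixed", CLIENT_SPD_FIXED)):
        print(label, check_spds(cfg, GATEWAY_SPD) or ["ok"])
```

Run against the posted client config it reports four problems (the client's policies name two different local endpoints, the inbound entry has identical tunnel ends, and each side's inbound/outbound pair for 0.0.0.0/0 -> 10.0.0.99/32 has no counterpart); with the inbound endpoint corrected to 10.0.0.1-10.0.0.99 it reports none. The same check is worth running whenever an SPD is edited by hand, since the kernel silently drops packets whose policy finds no matching SA.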
 
02-28-2004, 01:50 PM   #2
mhiggins (Original Poster)
Problem solved! Upgrade! I installed 2.6.3 and got the CVS version of ipsec-tools and BLAMO, it works. Still working out how to talk with other clients on the same subnet! With the above config all traffic is encrypted and sent down the tunnel to the gateway. When I figure it out I will post a reply, unless someone beats me to it.

-Matt