Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I want to turn NAT on eth0 of both Srvr1 and Srvr2.
So all traffic from the 10.10.10.x/24 network is going to get nated to 192.168.1.1 and sent over the network and all traffic from 11.11.11.x/24 is going to get nat'ed to 192.168.1.2
I want the traffic to get NAT'ed and then to go through the IPSec tunnel
On Srvr1 I set up the following SPDs:
192.168.1.2[any] 192.168.1.1[any] any
in ipsec
esp/tunnel/192.168.1.2-192.168.1.1/require
created: Aug 23 17:29:49 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1568 seq=2 pid=20042
refcnt=1
192.168.1.1[any] 192.168.1.2[any] any
out ipsec
esp/tunnel/192.168.1.1-192.168.1.2/require
created: Aug 23 17:29:49 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1561 seq=1 pid=20042
refcnt=1
192.168.1.2[any] 192.168.1.1[any] any
fwd ipsec
esp/tunnel/192.168.1.2-192.168.1.1/require
created: Aug 23 17:29:49 2005 lastused:
lifetime: 0(s) validtime: 0(s)
spid=1578 seq=0 pid=20042
refcnt=1
So I then try a simple ping from Srvr1:
ping -I eth0 192.168.1.2
I can see IPSec trying to set up the tunnel, but no ISAKMP packets are sent over the network. Why is this? Is it because the 192.168.1.2 is in the Remote Accessible Network list? i.e. it can't send the ISAKMP packet as it needs to set up the IPSec tunnel to do this (ala chicken and the egg style!!!)
Is there any way to force packets through the SPDs and out?
Thanks in advance for your responses,
Paul McDaid.
----------------------
IKE Traffic
To avoid problems with IKE packets hit some SPD rule and require to encrypt it with not yet established SA (that this packet perhaps is trying to establish), locally originated packets with UDP source port 500 are not processed with SPD. The same way packets with UDP destination port 500 that are to be delivered locally are not processed in incoming policy check.
---------------------
This seems to be the problem that I'm experiencing. Does anyone know of any patches to the IPSec code that will skip over the SPD for ISAKMP packets (port 500)?
When you set up IPSEC you will have a separate interface name for the tunnel.
You will need to set up static routes to say where to find each remote from each source so that packets are routed down the tunnel correctly.
This means you don't need to NAT down the ipsec tunnel interface.
Hi Peter,
The FreeBSD/KAME approach is to use SPD and not static routes to force the traffic down the tunnel. This means that the SPD overrides the routes.
I can use a simpler example where I set the local and remote Accessible networks equal to the endpoint ddresses:
Hi Peter,
The FreeBSD/KAME approach is to use SPD and not static routes to force the traffic down the tunnel. This means that the SPD overrides the routes.
I can use a simpler example where I set the local and remote Accessible networks equal to the endpoint addresses:
On Server 1:
Local Endpoint Address = 192.168.1.1
Remote Endpoint Address = 192.168.1.2
Local Accessible Network = 192.168.1.1/255.255.255.255
Remote Accessible Network = 192.168.1.2/255.255.255.255
Server 2 has the settings swapped.
So if I ping from Server1 to Server2. Server1 tries to set up an IPSec tunnel by trying to send it's first ISAKMP packet. However the ISAKMP packet never gets out as it matches the local/remote accessible network (192.168.1.1/192.168.1.2) so the tunnel never gets established.
This is a common routing problem with VPNs when they have the same subnet at each end..
The long term solution is to change subnet numbers at one site..
A short term solution is to add a second virtual ip number to the pcs receiving the vpn traffic. eg 192.168.3.x at one site & 192.168.4.x at the other..
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.