Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Hi, I am trying to configure a VPN but it doesn't want to work.
This is the scheme:
Code:
10.10.1.90 <--> externalIP1 <--> MY external IP
My /etc/ipsec.conf, which I load with setkey -f:
Code:
cat /etc/ipsec.conf
flush;
spdflush;
spdadd MY_EXTERNAL_IP 10.10.1.0/24 any -P out ipsec esp/tunnel/MY_EXTERNAL_IP-EXTERNAL_IP1/require;
spdadd 10.10.1.0/24 MY_EXTERNAL_IP any -P in ipsec esp/tunnel/EXTERNAL_IP1-MY_EXTERNAL_IP/require;
My racoon.conf:
Code:
path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
log debug;
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
listen
{
isakmp MY_EXTERNAL_IP [500];
}
timer
{
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.
phase1 30 sec;
phase2 15 sec;
}
remote EXTERNAL_IP1
{
exchange_mode main, aggressive;
doi ipsec_doi;
my_identifier address;
nonce_size 16;
lifetime time 8 hour; # sec,min,hour
initial_contact on;
proposal_check obey; # obey, strict or claim
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 2 ;
lifetime time 28800 sec;
}
}
sainfo anonymous
{
pfs_group 2;
lifetime time 3600 sec;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate ;
}
And results:
Code:
$ setkey -D
No SAD entries.
$ setkey -DP
10.10.1.0/24[any] MY_EXTERNAL_IP/24[any] any
in ipsec
esp/tunnel/EXTERNAL_IP1-MY_EXTERNAL_IP/require
created: Jun 18 11:25:26 2010 lastused: Jun 18 11:25:26 2010
lifetime: 0(s) validtime: 0(s)
spid=16415 seq=1 pid=70379
refcnt=1
MY_EXTERNAL_IP/24[any] 10.10.1.0/24[any] any
out ipsec
esp/tunnel/MY_EXTERNAL_IP-EXTERNAL_IP1/require
created: Jun 18 11:25:26 2010 lastused: Jun 18 11:25:26 2010
lifetime: 0(s) validtime: 0(s)
spid=16414 seq=0 pid=70379
refcnt=1
Pings don't show anything; all packets are lost.
And part of racoon.log:
Code:
2010-06-18 11:45:00: DEBUG: pk_recv: retry[0] recv()
2010-06-18 11:45:00: DEBUG: get pfkey ACQUIRE message
2010-06-18 11:45:00: DEBUG: suitable outbound SP found: MY_EXTERNAL_IP/32[0] 10.10.1.0/24[0] proto=any dir=out.
2010-06-18 11:45:00: DEBUG: sub:0x7fffffffe450: 10.10.1.0/24[0] MY_EXTERNAL_IP/32[0] proto=any dir=in
2010-06-18 11:45:00: DEBUG: db :0x5a8610: 10.10.1.0/24[0] MY_EXTERNAL_IP/32[0] proto=any dir=in
2010-06-18 11:45:00: DEBUG: suitable inbound SP found: 10.10.1.0/24[0] 78.133.158.218/32[0] proto=any dir=in.
2010-06-18 11:45:00: DEBUG: new acquire MY_EXTERNAL_IP/32[0] 10.10.1.0/24[0] proto=any dir=out
2010-06-18 11:45:00: DEBUG: anonymous configuration selected for EXTERNAL_IP1.
2010-06-18 11:45:00: DEBUG: getsainfo params: loc='MY_EXTERNAL_IP', rmt='10.10.1.0/24', peer='NULL', id=0
2010-06-18 11:45:00: DEBUG: getsainfo pass #2
2010-06-18 11:45:00: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
2010-06-18 11:45:00: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
2010-06-18 11:45:00: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2010-06-18 11:45:00: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-md5)
2010-06-18 11:45:00: DEBUG: in post_acquire
2010-06-18 11:45:00: DEBUG: anonymous configuration selected for EXTERNAL_IP1.
2010-06-18 11:45:00: INFO: IPsec-SA request for EXTERNAL_IP1 queued due to no phase1 found.
2010-06-18 11:45:00: ERROR: unknown AF: 0
2010-06-18 11:45:00: DEBUG: ===
2010-06-18 11:45:00: INFO: initiate new phase 1 negotiation: MY_EXTERNAL_IP[500]<=>95.130.250.98[500]
2010-06-18 11:45:00: INFO: begin Identity Protection mode.
2010-06-18 11:45:00: DEBUG: new cookie:
1057cf78f6df7c03
2010-06-18 11:45:00: DEBUG: add payload of len 48, next type 13
2010-06-18 11:45:00: DEBUG: add payload of len 16, next type 0
2010-06-18 11:45:00: DEBUG: 100 bytes from MY_EXTERNAL_IP[500] to EXTERNAL_IP1[500]
2010-06-18 11:45:00: DEBUG: sockname MY_EXTERNAL_IP[500]
2010-06-18 11:45:00: DEBUG: send packet from MY_EXTERNAL_IP[500]
2010-06-18 11:45:00: DEBUG: send packet to EXTERNAL_IP1[500]
2010-06-18 11:45:00: DEBUG: 1 times of 100 bytes message will be sent to EXTERNAL_IP1[500]
2010-06-18 11:45:00: DEBUG:
1057cf78 f6df7c03 00000000 00000000 01100200 00000000 00000064 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
80010005 80030001 80020001 80040002 00000014 afcad713 68a1f1c9 6b8696fc
77570100
2010-06-18 11:45:00: DEBUG: resend phase1 packet 1057cf78f6df7c03:0000000000000000
2010-06-18 11:45:12: DEBUG: pk_recv: retry[0] recv()
2010-06-18 11:45:12: DEBUG: get pfkey ACQUIRE message
2010-06-18 11:45:12: DEBUG: Zombie ph2 found, expiring it
2010-06-18 11:45:12: INFO: phase2 sa expired MY_EXTERNAL_IP-EXTERNAL_IP1
2010-06-18 11:45:12: DEBUG: suitable outbound SP found: MY_EXTERNAL_IP/32[0] 10.10.1.0/24[0] proto=any dir=out.
2010-06-18 11:45:12: DEBUG: sub:0x7fffffffe450: 10.10.1.0/24[0] MY_EXTERNAL_IP/32[0] proto=any dir=in
2010-06-18 11:45:12: DEBUG: db :0x5a8610: 10.10.1.0/24[0] MY_EXTERNAL_IP/32[0] proto=any dir=in
2010-06-18 11:45:12: DEBUG: suitable inbound SP found: 10.10.1.0/24[0] 78.133.158.218/32[0] proto=any dir=in.
2010-06-18 11:45:12: DEBUG: new acquire MY_EXTERNAL_IP/32[0] 10.10.1.0/24[0] proto=any dir=out
2010-06-18 11:45:12: DEBUG: anonymous configuration selected for EXTERNAL_IP1.
2010-06-18 11:45:12: DEBUG: getsainfo params: loc='MY_EXTERNAL_IP', rmt='10.10.1.0/24', peer='NULL', id=0
2010-06-18 11:45:12: DEBUG: getsainfo pass #2
2010-06-18 11:45:12: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
2010-06-18 11:45:12: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
2010-06-18 11:45:12: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2010-06-18 11:45:12: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-md5)
2010-06-18 11:45:12: DEBUG: in post_acquire
2010-06-18 11:45:12: DEBUG: anonymous configuration selected for EXTERNAL_IP1.
2010-06-18 11:45:12: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
2010-06-18 11:45:13: INFO: phase2 sa deleted MY_EXTERNAL_IP-EXTERNAL_IP1
2010-06-18 11:45:13: DEBUG: an undead schedule has been deleted.
2010-06-18 11:45:20: DEBUG: 100 bytes from MY_EXTERNAL_IP[500] to EXTERNAL_IP1[500]
2010-06-18 11:45:20: DEBUG: sockname MY_EXTERNAL_IP[500]
2010-06-18 11:45:20: DEBUG: send packet from MY_EXTERNAL_IP[500]
2010-06-18 11:45:20: DEBUG: send packet to EXTERNAL_IP1[500]
2010-06-18 11:45:20: DEBUG: 1 times of 100 bytes message will be sent to EXTERNAL_IP1[500]
2010-06-18 11:45:20: DEBUG:
1057cf78 f6df7c03 00000000 00000000 01100200 00000000 00000064 0d000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
80010005 80030001 80020001 80040002 00000014 afcad713 68a1f1c9 6b8696fc
77570100
What am I doing wrong, and how can I fix it?
I use FreeBSD 6.3.
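A triage script for the kind of racoon debug log shown above, as an added example and not code from the original post: it counts the IKE milestones (phase 1 initiated, packets sent and received, resends, SAs established) and states where the negotiation stalled. The sample log is a constructed excerpt modelled on the posted one; the "received" and "established" message strings are assumed from racoon's usual wording, not taken from the post.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the racoon debug log posted above.
SAMPLE_LOG = """\
2010-06-18 11:45:00: ERROR: unknown AF: 0
2010-06-18 11:45:00: INFO: initiate new phase 1 negotiation: MY_EXTERNAL_IP[500]<=>EXTERNAL_IP1[500]
2010-06-18 11:45:00: DEBUG: 1 times of 100 bytes message will be sent to EXTERNAL_IP1[500]
2010-06-18 11:45:00: DEBUG:
1057cf78 f6df7c03 00000000 00000000 01100200 00000000 00000064 0d000034
2010-06-18 11:45:00: DEBUG: resend phase1 packet 1057cf78f6df7c03:0000000000000000
2010-06-18 11:45:20: DEBUG: 1 times of 100 bytes message will be sent to EXTERNAL_IP1[500]
"""

LINE_RE = re.compile(r"^(\S+ \S+): ([A-Z]+): (.*)$")

# (substring of a racoon message, milestone it counts). "received"/"established"
# are assumed from racoon's usual wording; the others appear verbatim in the post.
MARKERS = [
    ("initiate new phase 1 negotiation", "phase1_initiated"),
    ("bytes message will be sent to", "ike_sent"),
    ("bytes message received", "ike_received"),
    ("resend phase1 packet", "phase1_resent"),
    ("ISAKMP-SA established", "phase1_established"),
    ("IPsec-SA established", "phase2_established"),
]

def triage(log_text):
    """Count IKE milestones in a racoon log and report where it got stuck."""
    stats, errors = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # hex dumps and wrapped lines carry no timestamp prefix
        level, msg = m.group(2), m.group(3)
        if level == "ERROR":
            errors.append(msg)
        for needle, key in MARKERS:
            if needle in msg:
                stats[key] += 1
    if stats["phase2_established"]:
        verdict = "tunnel up"
    elif stats["phase1_established"]:
        verdict = "phase 1 up, phase 2 failed: check sainfo/proposal and SPD selectors"
    elif stats["phase1_initiated"] and not stats["ike_received"]:
        verdict = "no IKE reply from peer: UDP/500 never reaches a responder"
    else:
        verdict = "phase 1 exchanged but not completed: compare proposals and PSK"
    return {"stats": dict(stats), "errors": errors, "verdict": verdict}
```

Run `triage(open("/var/log/racoon.log").read())` against a real log; a non-empty `ike_received` count with no `phase1_established` points at a proposal or PSK mismatch rather than reachability.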
I've been trying to get this to work for a few weeks (including on pfSense/BSD), and the thing that worked for me (in VMs) is this. For this, assume that network 1 has IP range 192.168.1.x, and network 2 has IP range 192.168.2.x, and the two networks talk to each other through the "Internet", which is on range 192.168.0.x (that is, on a testbench LAN connection):
When openswan installs, say no to opportunistic encryption and do not generate a public key. Then (the SAME on both VPN endpoints, do NOT switch left and right), create these files:
/etc/ipsec.conf (the lines inside each section are indented with a tab; the indentation is important):
config setup
	charonstart=yes # this line probably not required for IKEv1
	plutostart=yes
conn MyVPN
	left=192.168.0.5 # "public" IP of network 1's router
	leftsubnet=192.168.1.0/24
	right=192.168.0.6 # "public" IP of network 2's router
	rightsubnet=192.168.2.0/24
	auto=start
	authby=secret # manpage says that this is the default, but the behavior of openswan says otherwise
Then run "service ipsec restart" on both boxes. Once this is done, run "ipsec setup --status" to see status. If you are having problems, "ipsec barf" will give loads of information about it.
Please be aware that this configuration is a testbench configuration only, you really need to research x509 certificates and the cipher suites to set it up in a secure manner -- but it is much easier to change one setting at a time once you have something basic working.
If you are using virtual servers, be aware that entropy will be a problem (especially if running on a 2.6 kernel) -- I think that timer_entropyd is the best solution (unless you can get USB or serial passthrough to work and fit a hardware TRNG). Does anyone know how good the entropy from timer_entropyd is?