IPsec on Debian Probable Routing Issue in Config File
Hello Fellow Linux Users,
I was hoping someone could help me with a possible routing issue. I have a linux network setup like this: This network Does Work _____________B-------C A------B_____10.0.63.X_______C-------D 10.0.62.X____________________10.0.64.X current route setup example on host C: Destination-- Gateway -- Genmask-- Flags Metric-- Ref Use Iface localnet * 255.255.255.0 U 0 0 0 eth0 10.0.63.0 * 255.255.255.0 U 0 0 0 eth0 10.0.62.0 10.0.63.249 255.255.255.0 UG 0 0 0 eth0 default 10.0.64.1 0.0.0.0 UG 0 0 0 eth0 Its 4 Debian machines on a single switch that is able to communicate via routing and a couple of virtual network interfaces. I have got ipsec and openvpn to work all in basic client to client configurations or client to server. I cannot for the life of me get them to work in network to network configuration. My latest effort consists of ipsec-tools.conf on Host C __________________________________________________________ #!/usr/sbin/setkey -f # # SPD for gateway A (172.16.72.1) # #Security Policy Database Information spdadd 10.0.64.0/24 10.0.62.0/24 any -P out ipsec esp/tunnel/10.0.63.250-10.0.63.249/require ah/tunnel/10.0.63.250-10.0.63.249/require; spdadd 10.0.62.0/24 10.0.64.0/24 any -P in ipsec esp/tunnel/10.0.63.249-10.0.63.250/require ah/tunnel/10.0.63.249-10.0.63.250/require; #Now Create the Kyes to be Used # AH SAD entries with 160 bit keys add 10.0.63.249 10.0.63.250 ah 0x200 -A hmac-sha1 0x46915c30ed7e2465b42861b6ab19f2772813020c; add 10.0.63.250 10.0.63.249 ah 0x300 -A hmac-sha1 0xc4dac594f8228e0b94a54758f7fbf2fdf4e37f3e; # ESP SAD entries with 192 bit keys add 10.0.63.249 10.0.63.250 esp 0x201 -E rijndael-cbc 0xa3993b3dfc41ef0a1aa8d168a8bf2c27e48249ac17b61e09; add 10.0.63.250 10.0.63.249 esp 0x301 -E rijndael-cbc 0x8f6498928ba354bd45cfad147f54c67b3b742896b3bafc02; ________________________________________________________ I have also tried to use: spdadd 10.0.64.0/24 10.0.62.0/24 any -P fwd ipsec instead of out because of my current routing rules. I am pretty confused on this issue. I really believe its my routing thats killing me here. On Host B I have the exact configuration but is mirrored. If someone has any ideas I am all ears!! By the way the main tutorials I have been using are: http://linuxgazette.net/126/pfeiffer.html http://www.ipsec-howto.org/x304.html Thanks, Dan |
IPsec on Debian Probable Routing Issue in Config File
Hello again folks,
I just wanted to post the other ipsec-tools.conf that I have been using. #!/usr/sbin/setkey -f # Flush the SAD and SPD flush; spdflush; # ESP SAs doing encryption using 192 bit long keys (168 + 24 parity) # and authentication using 128 bit long keys #These are the nodes to be protected "internal LAN Routers" add 10.0.64.250 10.0.62.249 esp 0x201 -m tunnel -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831 -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6; #These are the nodes to be protected "internal LAN Routers" add 10.0.62.249 10.0.64.250 esp 0x301 -m tunnel -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b; # Security policies #Packets using these source and destination addresses shall be protected spdadd 10.0.64.0/24 10.0.62.0/24 any -P out ipsec esp/tunnel/10.0.63.250-10.0.63.249/require; #ah/tunnel/10.0.63.250-10.0.63.249/require; spdadd 10.0.62.0/24 10.0.64.0/24 any -P in ipsec esp/tunnel/10.0.63.249-10.0.63.250/require; #ah/tunnel/10.0.63.249-10.0.63.250/require; ~ |
All times are GMT -5. The time now is 06:12 PM. |