2.6 IPSEC Tunnel mode gateway
I am having trouble getting traffic through an IPsec gateway in tunnel
mode. I have a client on a private net connecting to a 2.6 gateway
running iptables and IPsec. What I would like to happen is that all traffic
from the client is encrypted and sent down the tunnel to the gateway,
where it is decrypted and then sent off to the Internet, with the replies
taking the same path back. This is being done on a wired net for now, for
testing, but the ultimate goal is to replace WEP with IPsec for my wireless
clients. I am able to pass traffic through the gateway when the security
policy is disabled. I can also establish a tunnel and pass traffic between
the gateway and the client, but no further.
** Note: the iptables script is deliberately kept very simple to avoid
confusion, but it works for now.
I am using the KAME tools (setkey and racoon) in userland; here are the configs.
The gateway is 10.0.0.1
The client is 10.0.0.99
########################
#
#Client Configuration
#
########################
linux-2.6.2
#############
ipsec.conf
#############
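#!/usr/local/sbin/setkey -f
# Client SPD: everything 10.0.0.99 sends must go through an ESP tunnel to the
# gateway 10.0.0.1, and everything addressed to 10.0.0.99 must have arrived
# through the reverse tunnel. "require" means matching cleartext is dropped
# rather than passed.
flush;
spdflush;
# Outbound: any traffic from this host, to anywhere, is encapsulated
# 10.0.0.99 -> 10.0.0.1 (mirrors the gateway's "in" policy).
# NOTE(review): "any" also covers racoon's own UDP/500 IKE packets to the
# gateway; racoon normally exempts its ISAKMP socket with a bypass policy,
# which is consistent with the tunnel coming up, but if IKE ever fails to
# start this is the first place to look.
spdadd 10.0.0.99/32 0.0.0.0/0 any -P out ipsec
	esp/tunnel/10.0.0.99-10.0.0.1/require;
# Inbound: any traffic to this host must have come through the tunnel
# 10.0.0.1 -> 10.0.0.99. The original wrote the tunnel endpoints as
# 10.0.0.1-10.0.0.1, which does not match the gateway's "out" policy
# (esp/tunnel/10.0.0.1-10.0.0.99); whether or not it is the cause of the
# forwarding problem, the endpoints must agree on both sides.
spdadd 0.0.0.0/0 10.0.0.99/32 any -P in ipsec
	esp/tunnel/10.0.0.1-10.0.0.99/require;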
###########
racoon.conf
############
# Client-side racoon (IKEv1) configuration.
# Pre-shared keys live in this file, keyed by peer address. Keep it readable
# by root only; racoon will refuse a key file that other users can read.
path pre_shared_key "/etc/racoon/psk.txt";
# Bind the ISAKMP (UDP/500) listener to this host's LAN address only.
listen {
isakmp 10.0.0.99;
}
# "anonymous": negotiate with any peer address. In main mode with a PSK the
# peer is identified by its IP address, so psk.txt needs an entry for the
# gateway's address (10.0.0.1 here).
remote anonymous {
exchange_mode main;
# Phase 1 proposal. NOTE(review): 3DES / MD5 / DH group 2 (1024-bit MODP)
# are the weak end of what IKEv1 offers. If the kernel and racoon build on
# both ends support AES, a SHA-family hash and a larger DH group (not shown
# here), prefer those before this replaces WEP on the wireless side.
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 2;
}
}
# Phase 2 (IPsec SA) parameters offered for any selector.
sainfo anonymous {
#lifetime time 2 min;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
# IPComp (deflate) is proposed for phase 2 as well. NOTE(review): the setkey
# policies only require esp, not ipcomp -- confirm compression is intended.
compression_algorithm deflate;
}
########################
#
#Gateway Configuration
#
########################
linux-2.6.0
###########
ipsec.conf
###########
#!/usr/local/sbin/setkey -f
# Gateway SPD for the single client 10.0.0.99. Both policies are "require":
# cleartext matching either selector is dropped, not passed.
flush;
spdflush;
# Outbound (replies and anything else destined for the client): encapsulate
# 10.0.0.1 -> 10.0.0.99. This must mirror the client's "in" policy.
spdadd 0.0.0.0/0 10.0.0.99/32 any -P out ipsec esp/tunnel/10.0.0.1-10.0.0.99/require;
# Inbound (anything the client sends, to anywhere): must have arrived through
# the tunnel 10.0.0.99 -> 10.0.0.1. This must mirror the client's "out" policy.
# NOTE(review): only 10.0.0.99 is covered; other hosts on 10.0.0.0/24 are not
# subject to any policy here and reach the gateway in the clear.
spdadd 10.0.0.99/32 0.0.0.0/0 any -P in ipsec esp/tunnel/10.0.0.99-10.0.0.1/require;
############
racoon.conf
############
# Gateway-side racoon (IKEv1) configuration.
# Pre-shared keys live in this file, keyed by peer address. Keep it readable
# by root only; racoon will refuse a key file that other users can read.
path pre_shared_key "/etc/racoon/psk.txt";
# Bind the ISAKMP (UDP/500) listener to the gateway's LAN address only.
listen {
isakmp 10.0.0.1;
}
# "anonymous": accept a negotiation from any peer address that presents a
# matching PSK. In main mode with a PSK the peer is identified by its IP
# address, so psk.txt needs one entry per client (10.0.0.99 here); every
# wireless client added later needs its own entry and its own SPD policies.
remote anonymous {
exchange_mode main;
# Phase 1 proposal. NOTE(review): 3DES / MD5 / DH group 2 (1024-bit MODP)
# are the weak end of what IKEv1 offers. If the kernel and racoon build on
# both ends support AES, a SHA-family hash and a larger DH group (not shown
# here), prefer those before this replaces WEP on the wireless side.
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 2;
}
}
# Phase 2 (IPsec SA) parameters accepted for any selector; must be
# compatible with what the client's sainfo offers (it is identical here).
sainfo anonymous {
#lifetime time 2 min;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
# IPComp (deflate) is proposed for phase 2 as well. NOTE(review): the setkey
# policies only require esp, not ipcomp -- confirm compression is intended.
compression_algorithm deflate;
}
##################
ip tables script
##################
#!/bin/sh
# Minimal gateway firewall/NAT setup, kept deliberately simple for testing.
# End state: every filter chain is accept-all, anything leaving for a
# non-LAN destination is masqueraded, and anything to or from the LAN is
# forwarded.
IPT=/usr/sbin/iptables
EXT="eth0"            # NOTE(review): assigned but never referenced below
LAN="10.0.0.0/24"

# Empty the filter chains (same order as before), then set accept-all policies.
for chain in FORWARD INPUT OUTPUT; do
  "$IPT" -F "$chain"
done
for chain in OUTPUT INPUT FORWARD; do
  "$IPT" -P "$chain" ACCEPT
done

# NAT: rewrite the source of anything headed for an address outside the LAN.
"$IPT" -t nat -F POSTROUTING
"$IPT" -t nat -A POSTROUTING -d ! "$LAN" -j MASQUERADE

# Forward LAN traffic in both directions.
# NOTE(review): these rules match on the 10.0.0.0/24 address only, not on
# whether the packet arrived through the ESP tunnel. The setkey "require"
# policy on the gateway protects 10.0.0.99 specifically; any other host on
# the same segment is forwarded (and masqueraded) in the clear, and INPUT is
# accept-all. Worth tightening before this replaces WEP on the wireless side.
"$IPT" -A FORWARD -s "$LAN" -j ACCEPT
"$IPT" -A FORWARD -d "$LAN" -j ACCEPT