Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Here is my situation.
I have 2 IPCOP 2.1.9 working (both with a simple config with a green and a red interface) and I (try to) set up an IPSec VPN between the two local networks. So far, the VPN is shown green (open) on both IPCOP admin pages.
One green network is 192.168.3.0/24 and the one on the other end is 192.168.4.0/24.
For the moment, my problem is I can't ping or access web servers (or any other server) from one network to the other.
Something I think is strange is I don't see any route for the opposite network in the "Routing Table Entries".
I don't really understand what the problem can be.
Can someone highlight to me what I did wrong (or forgot to do)?
I'm not familiar with IPCOP, and only got my 'feet wet' in regards to IPSec, so I hope I can contribute with some valid information.
I believe it is normal for you not to see any routes in the routing table. When you create an IPSec Security Association (IPSec SA for short, and how it is usually referred to in docs), you define, among other settings, the IP addresses of each endpoint, and which networks they connect, or route to.
When your local router receives an IP packet, it checks whether security applies or not, based on several criteria, one being destination address. If security measures apply, then the packet will be processed according to the SA it matched and forwarded to the other endpoint, also defined by the SA. No routing needed.
As you might have guessed, this is a very simplified and superficial description of the process.
Before the IPSec SA is established, the isakmp SA needs to be established, so:
- isakmp SA is established - this is usually called phase one;
- IPSec SA is established - this is called phase two;
- IP traffic flows through the tunnel.
There is a group of settings that govern phase one and another to govern phase two. In each endpoint, they must concur for the SAs to be established.
Perhaps you should re-visit the configuration interface of each endpoint and review anything that has 'IKE', 'isakmp' and 'IPSec' on it.
My thought was to disable the IPsec configuration and to make a new, different one, as a test.
But for now, I can't access the remote IPCOP, so I will have to move there.
The strange thing is that the IPsec connection is shown green (status open).
I tried this first. But for an unknown reason, I couldn't select the option of preshared key in the setup (it was impossible to select it on one of the IPCOPs, don't know why), so I used a certificate setup.
Certificates can be signed by a trusted CA or self-signed (the latter being the do-it-yourself flavour). Some applications won't accept a self-signed certificate, or at least will prompt for acceptance when presented with one. I don't know how IPCOP or IPSec deal with self-signed certificates, and that is why I suggested preshared keys.
Preshared keys should work, so you might want to investigate why the option isn't available in the first place.
In this situation, certificates were issued by the IPCOP.
But anyway, I deleted the VPN configuration on both sides and rebooted both IPCOPs.
Then I made a simple preshared key configuration.
Again the IPSec tunnel shows up green and open, but no traffic is possible through it.
Attached is the IPSec log.
To my understanding, the VPN configuration is OK (as it shows "open") and the problem is somewhere else, but I can't figure out where.
IPSec tunnel is established only when there is traffic, unlike OpenVPN for instance, where you have a local interface, a remote interface, routing and the works.
I suspect that the green you mention only means ready to process packets.
Again: I'm not familiar with IPCOP, but there are a couple of things to check for:
- Traffic whose destination is on the other side of the IPSec tunnel is not to be NAT'ed (in Cisco IOS you have to specify this; don't know about IPCOP);
- You must have firewall rules that'll allow traffic between subnets that are behind each IPSec endpoint, if you're running a firewall (which you must be, since you're using IPCOP);
Are you using fixed IP addresses in both endpoints?
Rules of the IPCOP firewall (as it is "out of the box") are as follows:
Interfaces GREEN and IPSEC are open. Default deny action is reject.
Interface RED is closed. Default deny action is drop.
I looked at the firewall log.
I can see ICMP traffic from a remote machine (pinging my computer) coming in on the Wan-1 interface, and the applied rule is IPSEC-RED ACCEPT.
In fact, I can see traffic coming in from the remote network. But anyway, traffic does not go through.
I think there is a special IPCOP firewall rule to create for the traffic going through.
Does anybody have an idea of what rule I should create?
Thank you,
---------- Post added 05-20-15 at 08:22 PM ----------
Quote:
Originally Posted by bonowax
Are you using fixed IP addresses in both endpoints?
Sorry, yes, they are fixed addresses.
For the NAT... I have to check but don't really know how...
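One way to check the NAT point raised above (that traffic bound for the other side of the tunnel must not be masqueraded) on a Linux box: walk the POSTROUTING chain in order and see which rule VPN-bound traffic hits first. This is an added example, not IPCOP's own code or ruleset; the `iptables-save` tables below and the interface name `eth1` are constructed for the example, using the two subnets from the thread.

```python
import ipaddress
import shlex

# Constructed sample NAT table: everything leaving the WAN interface is
# masqueraded, with no exemption for the IPsec peer network. After SNAT the
# packet no longer carries a 192.168.3.x source and so misses the IPsec policy.
NAT_TABLE_BAD = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.3.0/24 -o eth1 -j MASQUERADE
COMMIT
"""

# Same table with an exemption placed BEFORE the MASQUERADE rule, so traffic
# to the remote green network keeps its source address.
NAT_TABLE_GOOD = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.3.0/24 -d 192.168.4.0/24 -j ACCEPT
-A POSTROUTING -s 192.168.3.0/24 -o eth1 -j MASQUERADE
COMMIT
"""

def parse_postrouting(table):
    """Return POSTROUTING rules, in chain order, as dicts of matchers + target.
    Only -s/-d/-o/-j are interpreted; -m match extensions and '!' negation
    are outside the scope of this example."""
    rules = []
    for line in table.splitlines():
        if not line.startswith("-A POSTROUTING"):
            continue
        toks = shlex.split(line)[2:]          # drop "-A POSTROUTING"
        rule = {}
        for flag, val in zip(toks[0::2], toks[1::2]):
            if flag in ("-s", "-d"):
                rule[flag] = ipaddress.ip_network(val, strict=False)
            elif flag == "-o":
                rule["-o"] = val
            elif flag == "-j":
                rule["target"] = val
        rules.append(rule)
    return rules

def first_match(rules, src, dst, out_if):
    """First-match-wins evaluation, like netfilter; chain policy is ACCEPT."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if "-s" in r and src not in r["-s"]:
            continue
        if "-d" in r and dst not in r["-d"]:
            continue
        if "-o" in r and r["-o"] != out_if:
            continue
        return r.get("target", "ACCEPT")
    return "ACCEPT"

def vpn_traffic_is_masqueraded(table, src, dst, out_if="eth1"):
    """True if a src->dst packet leaving out_if would be source-NATed."""
    return first_match(parse_postrouting(table), src, dst, out_if) == "MASQUERADE"
```

On a real box, feed it the output of `iptables-save -t nat`; the same first-match logic applies to an exemption written with `-m policy --dir out --pol ipsec -j ACCEPT`, which this parser does not interpret.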