ipsec problem
Hello!
I am in trouble with a VPN connection not working as suspected. I want to connect two PCs with each other: PC A, standing in our DMZ, and PC B, standing in a partner net. As I cannot use the IP/netmask, because the IP/netmask is already in use at our partner's net, I need to use another IP. So my PC A has IP (1) on eth3, and I also configured IP (2) at eth3:0 so I can use that IP in the ipsec.conf. PC A is not connected to the Internet directly, so I need to use a gateway in between.
What to do now?
Try to sniff traffic via interface ipsecX. Check iptables rules.
Please post here the output of:
ipsec eroute
answer
So here are the results:
I would like to ping:
As I have two NICs, one real and one virtual, I think that is where the problem is. I have eth3 with IP A and eth3:0 with IP B, and IP B should be used for the ping, but I get a destination unreachable for IP A. So this seems to be the problem.
If you want to use ipsec in tunnel mode (aka KLIPS), then you need to build the ipsec module for your kernel. NETKEY does not support tunnel mode, transport only.
Sure?
Well, I am not sure if I really need tunnel mode, do I?
NETKEY does work in tunnel mode
NETKEY does work in tunnel mode.
I am not sure if it did two or three years ago, but it does now. I am updating this to let people know. I came to this thread after a Google search and it threw me for a loop. That is why I am updating the thread with new information. I currently have an Openswan server running ipsec with NETKEY that is running in tunnel mode.

Linux Openswan U2.6.33/K2.6.35.4-rscloud (netkey)
See `ipsec --copyright' for copyright information.

Another thing to note is that you will not see updates to routes in the routing table when your ipsec connection is set up.

ipsec eroute
/usr/libexec/ipsec/eroute: NETKEY does not support eroute table.

You cannot use ipsec eroute to view the routes with NETKEY; you have to use ipsec auto --status. Below I describe how to view the routing info. To check to see if your connection is running successfully, you can run these commands if you're using NETKEY.

ip xfrm state
src x.x.x.x dst x.x.x.x
	proto esp spi 0x6b45f2b6 reqid 16385 mode tunnel
	replay-window 32 flag af-unspec
	auth hmac(md5) 0x43c54d2252491f17f8da43b95ea060a0
	enc cbc(des3_ede) 0x5f0b577eaeadac2db339d7902fb51653a31458c99c3aed37
src x.x.x.x dst x.x.x.x
	proto esp spi 0x05e766f0 reqid 16385 mode tunnel
	replay-window 32 flag af-unspec
	auth hmac(md5) 0x53d089046efd4b925467f906a0c4f76d
	enc cbc(des3_ede) 0x8fd871f284ae53d10c0d46c0cb6d997f150c7cae7d2c9de3

ipsec auto --status
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64} trans={0,2,3072} attrs={0,2,2048}
000
000 "net-to-net": 172.x.x.0/24===x.x.x.x<x.x.x.x>[+S=C]...x.x.x.x<x.x.x.x>[+S=C]===10.x.x.0/24; erouted; eroute owner: #2
000 "net-to-net": myip=unset; hisip=unset;
000 "net-to-net": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "net-to-net": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth0;
000 "net-to-net": newest ISAKMP SA: #3; newest IPsec SA: #2;
000 "net-to-net": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "net-to-net": ESP algorithms wanted: 3DES(3)_000-MD5(1)_000; flags=-strict
000 "net-to-net": ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
000 "net-to-net": ESP algorithm newest: 3DES_000-HMAC_MD5; pfsgroup=<N/A>
000
000 #3: "net-to-net":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2176s; newest ISAKMP; lastdpd=10s(seq in:0 out:0); idle; import:admin initiate
000 #2: "net-to-net":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 24979s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "net-to-net" esp.5e766f0@x.x.x.x esp.6b45f2b6@x.x.x.x tun.0@x.x.x.x tun.0@x.x.x.x ref=0 refhim=4294901761
000 #1: "net-to-net":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 531s; lastdpd=3s(seq in:0 out:0); idle; import:admin initiate

This part defines the routing between the two different subnets on each side:
000 "net-to-net": 172.x.x.0/24===x.x.x.x<x.x.x.x>[+S=C]...x.x.x.x<x.x.x.x>[+S=C]===10.x.x.0/24; erouted; eroute owner: #2
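As an added example (not part of the thread or of Openswan), a small Python check that parses `ip xfrm state` output of the shape quoted above and confirms that tunnel-mode ESP SAs exist in both directions between the two gateways, while flagging the 3DES/MD5 algorithms the post shows as legacy. The gateway addresses, key material and the LEGACY_ALGS list are constructed assumptions, not values from the post.

```python
import re

# Constructed sample modelled on the `ip xfrm state` output quoted above;
# addresses and key material are placeholders, not values from the post.
SAMPLE_XFRM_STATE = """\
src 198.51.100.1 dst 203.0.113.1
	proto esp spi 0x6b45f2b6 reqid 16385 mode tunnel
	replay-window 32 flag af-unspec
	auth hmac(md5) 0x00000000000000000000000000000000
	enc cbc(des3_ede) 0x000000000000000000000000000000000000000000000000
src 203.0.113.1 dst 198.51.100.1
	proto esp spi 0x05e766f0 reqid 16385 mode tunnel
	replay-window 32 flag af-unspec
	auth hmac(md5) 0x00000000000000000000000000000000
	enc cbc(des3_ede) 0x000000000000000000000000000000000000000000000000
"""

# Algorithms a present-day audit would flag even though the SA "works" (assumed list).
LEGACY_ALGS = {"hmac(md5)", "cbc(des3_ede)", "cbc(des)"}

def parse_xfrm_state(text):
    """Split NETKEY `ip xfrm state` output into one dict per SA."""
    sas, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^src (\S+) dst (\S+)", line)
        if m:                                   # a new SA starts here
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
            continue
        if cur is None:
            continue
        for key in ("proto", "spi", "reqid", "mode", "replay-window"):
            m = re.search(rf"\b{key} (\S+)", line)
            if m:
                cur[key] = m.group(1)
        m = re.match(r"^\s*(auth|enc) (\S+) 0x[0-9a-fA-F]+", line)
        if m:
            cur[m.group(1)] = m.group(2)        # keep algorithm name, drop the key
    return sas

def check_tunnel(sas, left, right):
    """Return (ok, findings): ok means tunnel-mode ESP SAs exist both ways."""
    findings = []
    dirs = {(s["src"], s["dst"]) for s in sas
            if s.get("mode") == "tunnel" and s.get("proto") == "esp"}
    for a, b in ((left, right), (right, left)):
        if (a, b) not in dirs:
            findings.append(f"missing tunnel-mode ESP SA {a} -> {b}")
    for s in sas:
        for alg in (s.get("auth"), s.get("enc")):
            if alg in LEGACY_ALGS:
                findings.append(f"legacy algorithm {alg} on SPI {s.get('spi')}")
    return (not any(f.startswith("missing") for f in findings), findings)
```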