LinuxQuestions.org


saavik 12-08-2008 04:26 AM

ipsec problem
 
Hello!

I am in trouble with a VPN connection not working as suspected.

I want to connect two PCs with each other.

PC A => Standing in our DMZ
PC B => Standing in a partner net

As I cannot use the IP/netmask, because the IP/netmask is already in use at our partner's net, I need to use another IP.

So my PC A has IP (1) on eth3 and I also configured IP (2) on eth3:0 so I can use that IP in the ipsec.conf.

PC A is not connected to the Internet directly, so I need to use a gateway in between.

version 2.0

# basic configuration
config setup
    plutodebug=all
    nat_traversal=yes

conn which-does-not-work
    authby=secret
    leftid=PC-A-IP(2)
    left=PC-A-IP(2)
    leftnexthop=GATEWAY
    rightid=PARTNER-PC
    right=PARTNER-PC
    rightsubnet=PARTNER-NET
    ike=3des-md5-modp1024
    esp=aes128-sha1
    pfs=no
    auto=add

include /etc/ipsec.d/examples/no_oe.conf

Now the VPN connection comes up perfectly, but I am not able to ping PC B, which I could before the VPN was running.

What to do now?

vnick 12-08-2008 03:09 PM

Try to sniff traffic via interface ipsecX. Check iptables rules.
Please post here your

ipsec eroute
ipsec verify

or

ipsec barf


saavik 12-09-2008 02:11 AM

answer
 
So here are the results:

# ipsec eroute
/usr/lib64/ipsec/eroute: NETKEY does not support eroute table.

# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.4/K2.6.16.60-0.33-smp (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]
Opportunistic Encryption Support [DISABLED]

Now the VPN is up, but I have the feeling that my pings do not enter the VPN tunnel.

I would like to ping :

ping -I 192.181.X.X 149.XX.XX.XX

But I cannot see anything passing my gateway.

As I have 2 NICs, one real and one virtual, I think there is the problem.

I have eth3 with IP A and eth3:0 with IP B, and IP B should be used for the ping, but I get a destination unreachable for IP A. So this seems to be the problem.

vnick 12-09-2008 11:54 AM

If you want to use ipsec in tunnel mode (aka KLIPS), then you need to make the ipsec module for your kernel. NETKEY does not support tunnel mode, transport only.

saavik 12-10-2008 01:42 AM

sure?
 
Well, I am not sure if I really need tunnel mode, do I?

Nemus 03-08-2012 03:29 PM

NETKEY does work in tunnel mode

NETKEY does work in tunnel mode.
I am not sure if it did two or three years ago, but it does now.

I am updating this to let people know.

I came to this thread after a Google search and it threw me for a loop.

That is why I am updating the thread with new information.

I currently have an Openswan server running ipsec with NETKEY that is running in tunnel mode.

Linux Openswan U2.6.33/K2.6.35.4-rscloud (netkey)
See `ipsec --copyright' for copyright information.

Another thing to note is that you will not see updates to routes in the routing table when your ipsec connection is set up.

ipsec eroute
/usr/libexec/ipsec/eroute: NETKEY does not support eroute table.

You cannot use ipsec eroute to view the routes with NETKEY; you have to use

ipsec auto --status

Below I describe how to view the routing info.

To check to see if your check is running successfully, you can run these commands if you're using NETKEY.

ip xfrm state
src x.x.x.x dst x.x.x.x
proto esp spi 0x6b45f2b6 reqid 16385 mode tunnel
replay-window 32 flag af-unspec
auth hmac(md5) 0x43c54d2252491f17f8da43b95ea060a0
enc cbc(des3_ede) 0x5f0b577eaeadac2db339d7902fb51653a31458c99c3aed37
src x.x.x.x dst x.x.x.x
proto esp spi 0x05e766f0 reqid 16385 mode tunnel
replay-window 32 flag af-unspec
auth hmac(md5) 0x53d089046efd4b925467f906a0c4f76d
enc cbc(des3_ede) 0x8fd871f284ae53d10c0d46c0cb6d997f150c7cae7d2c9de3

ipsec auto --status

000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64} trans={0,2,3072} attrs={0,2,2048}
000
000 "net-to-net": 172.x.x.0/24===x.x.x.x<x.x.x.x>[+S=C]...x.x.x.x<x.x.x.x>[+S=C]===10.x.x.0/24; erouted; eroute owner: #2
000 "net-to-net": myip=unset; hisip=unset;
000 "net-to-net": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "net-to-net": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth0;
000 "net-to-net": newest ISAKMP SA: #3; newest IPsec SA: #2;
000 "net-to-net": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "net-to-net": ESP algorithms wanted: 3DES(3)_000-MD5(1)_000; flags=-strict
000 "net-to-net": ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
000 "net-to-net": ESP algorithm newest: 3DES_000-HMAC_MD5; pfsgroup=<N/A>
000
000 #3: "net-to-net":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2176s; newest ISAKMP; lastdpd=10s(seq in:0 out:0); idle; import:admin initiate
000 #2: "net-to-net":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 24979s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "net-to-net" esp.5e766f0@x.x.x.x esp.6b45f2b6@x.x.x.x tun.0@x.x.x.x tun.0@x.x.x.x ref=0 refhim=4294901761
000 #1: "net-to-net":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 531s; lastdpd=3s(seq in:0 out:0); idle; import:admin initiate

This part defines the routing between the two different subnets on each side.
000 "net-to-net": 172.x.x.0/24===x.x.x.x<x.x.x.x>[+S=C]...x.x.x.x<x.x.x.x>[+S=C]===10.x.x.0/24; erouted; eroute owner: #2
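An added audit helper, not code from this thread or from Openswan, that serves both the ipsec.conf posted at the top of the thread and the `ip xfrm state` / `ipsec auto --status` checks described just above: it parses a conn section and the kernel SA list, confirms each SA is installed in tunnel mode (the question the thread turns on), and flags the legacy 3DES/MD5/MODP1024 choices that both the config and the xfrm sample show. The sample inputs are constructed from the thread with placeholder names, RFC 5737 addresses and shortened keys; the `auth-trunc` handling assumes the newer `ip xfrm state` output format.

```python
"""Added audit helper (not Openswan's code): parse an Openswan-style ipsec.conf and
`ip xfrm state` output, check that SAs are in tunnel mode, and flag legacy algorithms."""
import re

# Constructed ipsec.conf modelled on the thread's config (upper-case values are placeholders).
SAMPLE_CONF = """\
version 2.0
config setup
    nat_traversal=yes

conn which-does-not-work
    authby=secret
    left=PC-A-IP
    right=PARTNER-PC
    rightsubnet=PARTNER-NET
    ike=3des-md5-modp1024
    esp=aes128-sha1
    pfs=no
"""

# Constructed `ip xfrm state` output modelled on the thread's sample (RFC 5737 addresses, short keys).
SAMPLE_XFRM = """\
src 192.0.2.1 dst 198.51.100.1
\tproto esp spi 0x6b45f2b6 reqid 16385 mode tunnel
\tauth hmac(md5) 0x43c54d22
\tenc cbc(des3_ede) 0x5f0b577e
src 198.51.100.1 dst 192.0.2.1
\tproto esp spi 0x05e766f0 reqid 16385 mode tunnel
\tauth hmac(md5) 0x53d08904
\tenc cbc(des3_ede) 0x8fd871f2
"""

# Algorithm tokens treated as legacy, in both ipsec.conf and kernel spelling.
LEGACY = {"3des", "des3_ede", "md5", "modp1024"}


def parse_conf(text):
    """Parse ipsec.conf into {section: {key: value}}; 'config setup' -> 'setup',
    'conn NAME' -> NAME. Top-level 'version'/'include' lines are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()                # drop comments
        if not line.strip():
            continue
        if not raw[:1].isspace():                            # unindented: header/directive
            parts = line.split()
            current = parts[1] if parts[0] in ("config", "conn") and len(parts) > 1 else None
            if current is not None:
                sections.setdefault(current, {})
        elif current is not None and "=" in line:            # indented: key=value
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections


def parse_xfrm_state(text):
    """Parse `ip xfrm state` output into a list of SA dicts (src, dst, spi, mode, auth, enc)."""
    sas = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("src "):
            src, dst = re.match(r"src (\S+) dst (\S+)", line).groups()
            sas.append({"src": src, "dst": dst})
        elif sas and line.startswith("proto "):
            m = re.match(r"proto (\S+) spi (\S+) reqid (\S+) mode (\S+)", line)
            sas[-1].update(proto=m.group(1), spi=m.group(2), reqid=m.group(3), mode=m.group(4))
        elif sas and line.startswith(("auth ", "auth-trunc ", "enc ")):
            field, algo = line.split()[:2]                   # e.g. "auth-trunc hmac(sha1) 0x.. 96"
            sas[-1][field.split("-")[0]] = algo              # newer kernels print auth-trunc
    return sas


def legacy_in(spec):
    """Sorted legacy tokens in a spec such as '3des-md5-modp1024' or 'cbc(des3_ede)'."""
    return sorted(t for t in re.split(r"[^a-z0-9_]+", spec.lower()) if t in LEGACY)


def audit_conf(sections):
    """One finding per legacy ike=/esp= spec and per pfs=no, for every conn section."""
    findings = []
    for name, params in sections.items():
        if name == "setup":
            continue
        for key in ("ike", "esp"):
            bad = legacy_in(params.get(key, ""))
            if bad:
                findings.append(f"{name}: {key}={params[key]} uses legacy {', '.join(bad)}")
        if params.get("pfs", "yes").lower() == "no":          # Openswan defaults pfs to yes
            findings.append(f"{name}: pfs=no disables perfect forward secrecy for IPsec SAs")
    return findings


def audit_xfrm(sas):
    """One finding per SA that is not in tunnel mode, plus one per legacy auth/enc algorithm."""
    findings = []
    for sa in sas:
        label = f"{sa['src']}->{sa['dst']} spi {sa.get('spi', '?')}"
        if sa.get("mode") != "tunnel":
            findings.append(f"{label}: mode {sa.get('mode')} (not tunnel)")
        for field in ("auth", "enc"):
            bad = legacy_in(sa.get(field, ""))
            if bad:
                findings.append(f"{label}: {field} {sa[field]} uses legacy {', '.join(bad)}")
    return findings


if __name__ == "__main__":
    for finding in audit_conf(parse_conf(SAMPLE_CONF)) + audit_xfrm(parse_xfrm_state(SAMPLE_XFRM)):
        print("-", finding)
```

On a live host the two samples would be replaced by `open("/etc/ipsec.conf").read()` and the output of `ip xfrm state`; an SA reported as `mode transport` where the conn expects a subnet-to-subnet tunnel is the first thing to check before looking at iptables, and the legacy findings are the reason to move the `ike=`/`esp=` lines off 3DES/MD5/MODP1024.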

