LinuxQuestions.org
10-24-2014, 01:08 AM   #1
cyberdeath (LQ Newbie, registered Mar 2007, distribution: OpenSuSE & Gentoo)

Troubleshooting INET Routing - Linux IPsec (Racoon) HQ to Cisco Router Remote Site


I have two devices. I have a Cisco 29xx series router with datak9 and securityk9 enabled. I also have a Linux machine acting as a server at the main location running shorewall.

I am trying to configure the remote location (with the Cisco router) to connect to the Linux server in order to communicate across the two LAN segments. I also would like to have all internet traffic routed from the remote location through the main location and through a firewall.

I modified /etc/iproute2/rt_tables and added a separate line with: 1002 IPsec and configured an IP route and ip rules for this new table so that the IPsec traffic should use it.

Code:
#Configure IP Rules for Remote
ip rule add from 192.168.5.0/24 table 1002

#Configure IP Routes for Remote
ip route add default via 192.168.3.1 dev eth0 table 1002

I am seeing the traffic go from the 192.168.5.0/24 network through the tunnel, out to the HQ router and out to the internet, but when I do a tcpdump -i any, I see duplicate packets with the same sequence number. I can also ping and traceroute, but I cannot get internet traffic working. If I set up the Linux server to NAT the traffic out of its eth1 interface, internet works, but with a lot of latency due to a bunch of RESET packets being sent.

Basic Topology Diagram: VPN_Connection.pdf

racoon.conf:
Code:
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.key";
log notify; # log verbosity and set to 'notify' when debug complete and use debug2 for debug

padding
{
    maximum_length 20;
    randomize   off;
    strict_check off;
    exclusive_tail off;
}

timer
{
    counter 5;
    interval 20 sec;
    persend 1;
    #natt_keep 15 sec;
    phase1      30 sec;
    phase2      15 sec;
}

listen
{
    isakmp      10.195.10.5[500];
    #strict_address;
}

remote 10.44.10.32
{
    exchange_mode       aggressive,main;
    my_identifier address 10.195.10.5;
    peers_identifier address 10.44.10.32;
    nat_traversal off;
    initial_contact on;
    #script "/etc/racoon/phase1-up.sh" phase1_up;
    #script "/etc/racoon/phase1-down.sh" phase1_down;
    # Phase 1
    proposal {
        encryption_algorithm aes256;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

#phase 2

sainfo anonymous
{
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm aes256;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

psk.key:
Code:
10.44.10.32  SecretKeyHere

setkey.conf:
Code:
#!/sbin/setkey -f
flush;
spdflush;

#Exception - HQ Internet IP Range
spdadd 192.168.5.0/24 10.195.10.0/24 any -P in none;
spdadd 10.195.10.0/24 192.168.5.0/24 any -P out none;

#Exception - Remote Internet IP Range
spdadd 192.168.5.0/24 10.44.10.0/24 any -P in none;
spdadd 10.44.10.0/24 192.168.5.0/24 any -P out none;

#Exception - Remote Subnet IP Range
spdadd 192.168.5.0/24 192.168.5.0/24 any -P in none;
spdadd 192.168.5.0/24 192.168.5.0/24 any -P out none;

#Default Route - To HQ
spdadd 192.168.5.0/24 0.0.0.0/0 any -P in ipsec esp/tunnel/10.44.10.32-10.195.10.7/require;
spdadd 0.0.0.0/0 192.168.5.0/24 any -P out ipsec esp/tunnel/10.195.10.7-10.44.10.32/require;

What further troubleshooting steps should I take? Is there anything specific that would cause this type of behavior?
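One consistency check worth running on a racoon/setkey pair like the one above: the local tunnel endpoint named in each ESP tunnel policy (the destination of an `in` policy, the source of an `out` policy) is the address racoon will negotiate the SA from, so it should be one of the addresses bound in racoon's `listen` block. The script below is an added example, not code from the post; it embeds constructed copies of the relevant lines from the configs above and reports every tunnel policy whose local endpoint racoon is not listening on.

```python
import re
from ipaddress import ip_address

# Constructed excerpts of the racoon.conf and setkey.conf shown in the post.
RACOON_CONF = """
listen
{
    isakmp      10.195.10.5[500];
}
"""
SETKEY_CONF = """
spdadd 192.168.5.0/24 0.0.0.0/0 any -P in ipsec esp/tunnel/10.44.10.32-10.195.10.7/require;
spdadd 0.0.0.0/0 192.168.5.0/24 any -P out ipsec esp/tunnel/10.195.10.7-10.44.10.32/require;
"""

# 'isakmp <addr>[<port>];' lines inside racoon's listen block.
LISTEN_RE = re.compile(r"isakmp\s+(\d+\.\d+\.\d+\.\d+)\[\d+\]\s*;")
# 'spdadd <src> <dst> <proto> -P <dir> ipsec esp/tunnel/<tsrc>-<tdst>/...' policies.
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)/"
)


def listen_addresses(racoon_conf):
    """Set of IPv4 addresses racoon binds for ISAKMP."""
    return {ip_address(a) for a in LISTEN_RE.findall(racoon_conf)}


def tunnel_policies(setkey_conf):
    """List of (direction, tunnel_src, tunnel_dst) for every ESP tunnel policy."""
    return [(d, ip_address(s), ip_address(t))
            for _, _, d, s, t in SPD_RE.findall(setkey_conf)]


def local_endpoint_mismatches(racoon_conf, setkey_conf):
    """Tunnel policies whose local endpoint is not a racoon listen address.

    For an 'out' policy the local endpoint is the tunnel source; for an 'in'
    policy it is the tunnel destination. Returns [(direction, local_ip), ...].
    """
    listening = listen_addresses(racoon_conf)
    bad = []
    for direction, src, dst in tunnel_policies(setkey_conf):
        local = src if direction == "out" else dst
        if local not in listening:
            bad.append((direction, str(local)))
    return bad


if __name__ == "__main__":
    for direction, local in local_endpoint_mismatches(RACOON_CONF, SETKEY_CONF):
        print(f"{direction} policy uses local endpoint {local}, not in listen block")
```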