I have two devices. I have a Cisco 29xx series router with datak9 and securityk9 enabled. I also have a Linux machine acting as a server at the main location running shorewall.
I am trying to configure the remote location (with the Cisco router) to connect to the Linux server in order to communicate across the two LAN segments. I also would like to have all internet traffic routed from the remote location through the main location and through a firewall.
I modified /etc/iproute2/rt_tables and added a separate line with: 1002 IPsec and configured an IP route and IP rules for this new table so that the IPsec traffic should use it.
Code:
#Configure IP Rules for Remote (table 1002 is the "IPsec" entry added to /etc/iproute2/rt_tables)
ip rule add from 192.168.5.0/24 table 1002
#Configure IP Routes for Remote (default route for the remote LAN's traffic in table 1002)
ip route add default via 192.168.3.1 dev eth0 table 1002
I am seeing the traffic go from the 192.168.5.0/24 network through the tunnel, out to the HQ router and out to the internet, but when I do a tcpdump -i any, I see duplicate packets with the same sequence number. I can also ping and traceroute, but I cannot get internet traffic working. If I set up the Linux server to NAT the traffic out of its eth1 interface, internet works, but with a lot of latency due to a bunch of RESET packets being sent.
Basic Topology Diagram:
VPN_Connection.pdf
racoon.conf:
Code:
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.key";
log notify; # log verbosity; set to 'notify' when debugging is complete, use debug2 for debugging
padding
{
    maximum_length 20;
    randomize off;
    strict_check off;
    exclusive_tail off;
}
timer
{
    counter 5;
    interval 20 sec;
    persend 1;
    #natt_keep 15 sec;
    phase1 30 sec;
    phase2 15 sec;
}
listen
{
    isakmp 10.195.10.5[500];
    #strict_address;
}
remote 10.44.10.32
{
    exchange_mode aggressive,main;
    my_identifier address 10.195.10.5;
    peers_identifier address 10.44.10.32;
    nat_traversal off;
    initial_contact on;
    #script "/etc/racoon/phase1-up.sh" phase1_up;
    #script "/etc/racoon/phase1-down.sh" phase1_down;
    # Phase 1
    proposal {
        encryption_algorithm aes256;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
#phase 2
sainfo anonymous
{
    pfs_group 2;
    lifetime time 3600 sec;
    encryption_algorithm aes256;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
psk.key:
Code:
10.44.10.32 SecretKeyHere
setkey.conf:
Code:
#!/sbin/setkey -f
flush;
spdflush;
#Exception - HQ Internet IP Range
spdadd 192.168.5.0/24 10.195.10.0/24 any -P in none;
spdadd 10.195.10.0/24 192.168.5.0/24 any -P out none;
#Exception - Remote Internet IP Range
spdadd 192.168.5.0/24 10.44.10.0/24 any -P in none;
spdadd 10.44.10.0/24 192.168.5.0/24 any -P out none;
#Exception - Remote Subnet IP Range
spdadd 192.168.5.0/24 192.168.5.0/24 any -P in none;
spdadd 192.168.5.0/24 192.168.5.0/24 any -P out none;
#Default Route - To HQ
spdadd 192.168.5.0/24 0.0.0.0/0 any -P in ipsec esp/tunnel/10.44.10.32-10.195.10.7/require;
spdadd 0.0.0.0/0 192.168.5.0/24 any -P out ipsec esp/tunnel/10.195.10.7-10.44.10.32/require;
What further troubleshooting steps should I take? Is there anything specific that would cause this type of behavior?
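One troubleshooting step worth doing before touching the policy routing is to cross-check the three files against each other, because racoon can only negotiate an SA whose local tunnel endpoint is an address it listens on, every in policy in the SPD needs an out mirror, and each remote needs a psk.key line. In the configs posted above, the SPD tunnel policies name 10.195.10.7 as the HQ gateway while racoon listens on 10.195.10.5; whether that is a problem depends on whether 10.195.10.7 is a second address on the same server, which the post does not say. The script below is an added example, not code from the original post: it uses simple regular expressions rather than racoon's full grammar, and the embedded sample text is copied from the posted racoon.conf, setkey.conf and psk.key, trimmed to the relevant lines, with the secret left as the placeholder the post already uses.

```python
"""Cross-check racoon.conf, setkey.conf and psk.key for mismatched endpoints.

Added example (not from the original post). Sample text is copied from the
configs in the post, trimmed to the relevant lines; the PSK is the
placeholder from the post.
"""
import re

RACOON_CONF = """\
listen
{
    isakmp 10.195.10.5[500];
}
remote 10.44.10.32
{
    exchange_mode aggressive,main;
}
"""

PSK_KEY = "10.44.10.32 SecretKeyHere\n"

SETKEY_CONF = """\
spdadd 192.168.5.0/24 10.195.10.0/24 any -P in none;
spdadd 10.195.10.0/24 192.168.5.0/24 any -P out none;
spdadd 192.168.5.0/24 10.44.10.0/24 any -P in none;
spdadd 10.44.10.0/24 192.168.5.0/24 any -P out none;
spdadd 192.168.5.0/24 192.168.5.0/24 any -P in none;
spdadd 192.168.5.0/24 192.168.5.0/24 any -P out none;
spdadd 192.168.5.0/24 0.0.0.0/0 any -P in ipsec esp/tunnel/10.44.10.32-10.195.10.7/require;
spdadd 0.0.0.0/0 192.168.5.0/24 any -P out ipsec esp/tunnel/10.195.10.7-10.44.10.32/require;
"""

SPD_RE = re.compile(r"^spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\s+(.+?);$")
TUNNEL_RE = re.compile(r"/tunnel/([\d.]+)-([\d.]+)/")


def parse_racoon(text):
    """Return (listen addresses, remote peer addresses) found in racoon.conf."""
    listen = set(re.findall(r"^\s*isakmp\s+([\d.]+)", text, re.M))
    remotes = set(re.findall(r"^\s*remote\s+([\d.]+)", text, re.M))
    return listen, remotes


def parse_psk(text):
    """Return the set of peer identifiers that have a pre-shared key line."""
    return {line.split()[0] for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def parse_spd(text):
    """Yield one dict per spdadd line; tunnel policies also carry local/peer gateways."""
    for line in text.splitlines():
        m = SPD_RE.match(line.strip())
        if not m:
            continue
        src, dst, _proto, direction, policy = m.groups()
        entry = {"src": src, "dst": dst, "dir": direction, "policy": policy}
        t = TUNNEL_RE.search(policy)
        if t:
            # setkey writes tunnel endpoints as <outer src>-<outer dst>, so the
            # local gateway is the first address for 'out' and the second for 'in'.
            a, b = t.groups()
            entry["local"], entry["peer"] = (a, b) if direction == "out" else (b, a)
        yield entry


def check(racoon_text, setkey_text, psk_text):
    """Return a list of findings; an empty list means the three files agree."""
    listen, remotes = parse_racoon(racoon_text)
    keyed = parse_psk(psk_text)
    entries = list(parse_spd(setkey_text))
    findings = []
    for e in entries:
        if "local" not in e:
            continue  # 'none' (bypass) policies carry no tunnel endpoints
        if e["local"] not in listen:
            findings.append(f"{e['dir']} {e['src']}->{e['dst']}: local endpoint "
                            f"{e['local']} is not a racoon listen address {sorted(listen)}")
        if e["peer"] not in remotes:
            findings.append(f"{e['dir']} {e['src']}->{e['dst']}: peer {e['peer']} "
                            f"has no 'remote' block in racoon.conf")
    for peer in sorted(remotes - keyed):
        findings.append(f"remote {peer} has no entry in psk.key")
    # Every in policy should be mirrored by an out policy with src/dst swapped.
    seen = {(e["src"], e["dst"], e["dir"]) for e in entries}
    for src, dst, d in sorted(seen):
        if d == "fwd":
            continue
        mirror = (dst, src, "out" if d == "in" else "in")
        if mirror not in seen:
            findings.append(f"{d} {src}->{dst} has no matching {mirror[2]} policy")
    return findings


if __name__ == "__main__":
    for finding in check(RACOON_CONF, SETKEY_CONF, PSK_KEY):
        print("MISMATCH:", finding)
```

Run against the posted text it reports the two tunnel policies whose local endpoint 10.195.10.7 is not a listen address; with 10.195.10.7 replaced by 10.195.10.5 in the SPD it reports nothing. To use it on the real files, read racoon.conf, setkey.conf and psk.key from disk in place of the embedded strings; the output only tells you the files disagree, not which of the two addresses is the right one for this server.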