LQ Newbie
Registered: Mar 2006
Posts: 2
IPSEC Error using PPPoE
Hi,
Trying to open a VPN IPSEC tunnel (using built-in FreesWan) between 2 standard SLES-9 SP3 Servers, using ADSL, via the internet. On each server, eth0 is the Private LAN, eth1 is the "Public/External" I/f.
If we use an external NAT/Router box at both ends, between the server and the ADSL line, we can open the tunnels between eth1-eth1, eth0-eth0, eth1-eth0 and eth0-eth1. In these cases, the exchange of packets includes:
- a few short packets at the start
- then the certs are exchanged
- then the client sends a packet of 444 bytes (approx) to the server
- the server responds with a 356-byte (approx) packet
- the client sends a 50-byte (approx) packet
- the tunnel is complete.
If we change the config at, say, the Client end, to use an ADSL PPPoE modem, and change the IPSEC files, and a few YaST parameters, the above sequence proceeds normally, but the client does not respond with the final 50-byte packet. Then, the server re-sends the 356-byte packet, and both servers re-send..., and re-try... etc. The tunnel is never completed.
At the point when the client should send the packet, the log file shows "RTNETLINK Answers: Network is unreachable". However, this message also appears at the start of the log file, just after the client has validated the local cert, but before it has exchanged anything with the server. The PLUTO "route-client" command is failing with that message, and status=2. The PLUTO parameters are identical to the setup with NAT/Routers at both ends (apart from the local IPs/Masks), yet the error does not arise with the NAT/routers.
We've tried many minor tweaks to the IPSEC files, and tried enabling and disabling the firewall on the Server (SuSEFirewall2), (the firewall runs on dsl0 on the client, and cannot be disabled), etc, etc... "Default-Gateway" in YaST is blank - we tried other values also. Perhaps we missed the "important" combination; or maybe we've missed out on some basic "Routing" matters.
ANY pointers, hints, suggestions, are MOST welcome!
- Mike
---------- Setup (with a few zzz's inserted!)
192.168.3.x/24 LAN
I
I
192.168.3.8 (eth0)
SuSE "Server"
192.168.2.4 (eth1)
I
I
192.168.2.3
NAT/Router/ADSL-Modem
83.zzz.zzz.19 (Static, from ISP)
X
?
? (Gateway 159.zzz.zzz.21)
?
X
86.zzz.zzz.98 (Static IP, from ISP)
ADSL-Modem (only)
I
I
86.zzz.zzz.98 (eth1; same IP as above)
SuSE "Client"
192.168.4.3 (eth0)
I
I
192.168.4.0/24 LAN
---------- IPSEC at Server end (LEFT = Local, RIGHT = Remote)
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    interfaces="ipsec0=eth1"
    klipsdebug=all
    plutodebug=all
    nat_traversal=no #???
    strictcrlpolicy=no
conn %default
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    authby=rsasig
    auto=add
    esp=aes,3des
    keyingtries=3
    pfs=yes
conn block
    auto=ignore
conn clear
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn packetdefault
    auto=ignore
conn Host2Client
    left=192.168.2.4
    leftsubnet=192.168.2.0/24
    leftnexthop=192.168.2.3
    #leftfirewall=no #tried yes, no, and commented
    leftcert=/etc/ipsec.d/certs/cert_01.pem
    leftid=host@zzz.com
    leftrsasigkey=%cert
    right=86.zzz.zzz.98
    rightsubnet=86.zzz.zzz.98/31 #and tried /32, and commented
    #rightfirewall=no #tried yes, no, and commented
    rightnexthop=159.zzz.zzz.21 #tried with/without comments
    rightid=client@zzz.com
    rightrsasigkey=%cert
    type=tunnel
---------- IPSEC at Client end (LEFT = Local, RIGHT = Remote)
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    interfaces="ipsec0=ppp0" #tried these 2
    #interfaces=%defaultroute
    klipsdebug=all
    plutodebug=all
    nat_traversal=no #"yes" does not work with NAT/routers at both ends
    strictcrlpolicy=no
conn %default
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    authby=rsasig
    auto=start
    esp=aes,3des
    keyingtries=3
    pfs=yes
conn block
    auto=ignore
conn clear
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn packetdefault
    auto=ignore
conn Client2Host
    left=86.zzz.zzz.98 #Static IP from the ISP
    leftsubnet=86.zzz.zzz.98/31 #and /32, and with this line commented
    leftnexthop=159.zzz.zzz.21 #ISP Gateway, tried commented also
    #leftfirewall=no #Tried yes, no, and commented
    leftcert=/etc/ipsec.d/certs/cert_01.pem
    leftid=client@zzz.com
    leftrsasigkey=%cert
    right=83.zzz.zzz.19 #Static IP from ISP
    rightsubnet=192.168.2.0/24 #and as a comment
    rightnexthop=192.168.2.3 #internal IP of NAT/Router
    #rightfirewall=no #tried Yes, No, and Comment
    rightid=host@zzz.com
    rightrsasigkey=%cert
    auto=start
    type=tunnel
---------- Extract from the LOG file at the client end
Aug 30 15:17:21 Serverzzz pluto[12240]: | executing route-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='Client2Host' PLUTO_NEXT_HOP='159.zzz.zzz.21' PLUTO_INTERFACE='eth1' PLUTO_ME='86.zzz.zzz.98' PLUTO_MY_ID='client@zzz.com' PLUTO_MY_CLIENT='86.zzz.zzz.98/31' PLUTO_MY_CLIENT_NET='86.zzz.zzz.98' PLUTO_MY_CLIENT_MASK='255.255.255.254' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='83.70.178.19' PLUTO_PEER_ID='host@zzz.com' PLUTO_PEER_CLIENT='192.168.2.0/24' PLUTO_PEER_CLIENT_NET='192.168.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' ipsec _updown ipfwadm
Aug 30 15:17:21 Serverzzz pluto[12240]: "Client2Host": route-client output: RTNETLINK answers: Network is unreachable
[end]
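The logged route-client failure is the kernel refusing the route that `ipsec _updown` adds for the peer's client subnet (PLUTO_PEER_CLIENT via PLUTO_NEXT_HOP on PLUTO_INTERFACE). The script below is an added illustration, not code from the poster or from FreeS/WAN: it parses a log line in the same format as the one above, then applies the simplified kernel rule that a gateway is only usable when an on-link (directly connected) route on that same device covers it, otherwise `ip route add` gets ENETUNREACH ("Network is unreachable"). The routing tables and addresses are constructed stand-ins (RFC 5737 documentation ranges in place of the 86.zzz/83.zzz/159.zzz values), so the three scenarios show the mechanism rather than the poster's actual tables.

```python
"""Predict whether pluto's route-client step (the `ip route add ... via GW dev IF`
issued by `ipsec _updown`) will answer "RTNETLINK answers: Network is unreachable".

Added illustration, not code from the poster or from FreeS/WAN.  All addresses
are constructed RFC 5737 stand-ins, and the kernel rule is simplified.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network                 # destination prefix
    dev: str                                      # outgoing interface
    via: Optional[ipaddress.IPv4Address] = None   # None = directly connected (on-link)


def parse_pluto_env(line: str) -> dict:
    """Pull the PLUTO_*='value' assignments out of an 'executing route-client' log line."""
    return dict(re.findall(r"(PLUTO_[A-Z_]+)='([^']*)'", line))


def gateway_reachable(gw, dev, table) -> bool:
    """Simplified kernel rule: the gateway must be covered by an on-link route on the
    same device; otherwise adding a route through it fails with ENETUNREACH."""
    return any(r.via is None and r.dev == dev and gw in r.prefix for r in table)


def route_client(env: dict, table) -> str:
    """Predict the outcome of the route _updown adds for the peer's client subnet."""
    dest = ipaddress.ip_network(env["PLUTO_PEER_CLIENT"], strict=False)
    dev = env["PLUTO_INTERFACE"]
    gw = ipaddress.ip_address(env["PLUTO_NEXT_HOP"])
    if not gateway_reachable(gw, dev, table):
        return (f"RTNETLINK answers: Network is unreachable "
                f"(gateway {gw} is not on-link for {dev})")
    return f"ok: {dest} via {gw} dev {dev}"


# Constructed log line in the format pluto writes, with stand-in addresses.
LOG_LINE = (
    "Aug 30 15:17:21 client pluto[12240]: | executing route-client: 2>&1 "
    "PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='Client2Host' "
    "PLUTO_NEXT_HOP='198.51.100.21' PLUTO_INTERFACE='eth1' PLUTO_ME='203.0.113.98' "
    "PLUTO_MY_CLIENT='203.0.113.98/31' PLUTO_PEER='192.0.2.19' "
    "PLUTO_PEER_CLIENT='192.168.2.0/24' PLUTO_PEER_CA='' ipsec _updown ipfwadm"
)


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)


def addr(s: str) -> ipaddress.IPv4Address:
    return ipaddress.ip_address(s)


# Constructed table for the NAT/router layout: eth1 sits in 192.168.2.0/24,
# so the router 192.168.2.3 is on-link for eth1.
TABLE_ROUTER = [
    Route(net("192.168.4.0/24"), "eth0"),
    Route(net("192.168.2.0/24"), "eth1"),
    Route(net("0.0.0.0/0"), "eth1", addr("192.168.2.3")),
]

# Constructed table for the PPPoE layout: IP lives on ppp0, a point-to-point link
# whose only on-link address is the PPP peer; eth1 carries no IPv4 route at all.
TABLE_PPPOE = [
    Route(net("192.168.4.0/24"), "eth0"),
    Route(net("198.51.100.21/32"), "ppp0"),
    Route(net("0.0.0.0/0"), "ppp0", addr("198.51.100.21")),
]


def scenario_router() -> str:
    """Router in front of eth1; next hop is the router's LAN address."""
    env = dict(parse_pluto_env(LOG_LINE), PLUTO_NEXT_HOP="192.168.2.3")
    return route_client(env, TABLE_ROUTER)


def scenario_pppoe_eth1() -> str:
    """PPPoE, but the route is bound to eth1 (as PLUTO_INTERFACE shows in the log)."""
    return route_client(parse_pluto_env(LOG_LINE), TABLE_PPPOE)


def scenario_pppoe_ppp0() -> str:
    """PPPoE with the route bound to ppp0 and the next hop equal to the PPP peer."""
    env = dict(parse_pluto_env(LOG_LINE), PLUTO_INTERFACE="ppp0")
    return route_client(env, TABLE_PPPOE)


if __name__ == "__main__":
    for scenario in (scenario_router, scenario_pppoe_eth1, scenario_pppoe_ppp0):
        print(f"{scenario.__name__:20s} {scenario()}")
```

The point of the three scenarios is the check a practitioner would run on the real box: `ip route show` on the PPPoE client, then confirm that the interface pluto is actually using (PLUTO_INTERFACE in the log) has an on-link route covering the configured nexthop. On a PPP link the peer address is the only on-link address, so a next hop that is not the PPP peer, or a route bound to an interface with no IP route, produces exactly the logged answer.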