Betr.: [CentOS] VPN
Peter Farrow
peter at farrows.org
Tue May 24 13:19:50 UTC 2005
This might be useful too:
http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html
simone wrote:
>Hi there. Installed openswan, and followed the instructions :) . It
>looks like tunnel is estabilished now:
>
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: initiating Main Mode
>May 24 14:19:33 fbctestvpn pluto[7063]: | no IKE algorithms for this
>connection ---> is this bad....
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: transition from
>state STATE_MAIN_I1 to state STATE_MAIN_I2
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received Vendor ID
>payload [XAUTH]
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received Vendor ID
>payload [Dead Peer Detection]
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received Vendor ID
>payload [Cisco-Unity]
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: ignoring unknown
>Vendor ID payload [xxxxxxxxxxxxxxxxxxxxxxx]
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: I did not send a
>certificate because I do not have one.
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: transition from
>state STATE_MAIN_I2 to state STATE_MAIN_I3
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: Main mode peer ID is
>ID_IPV4_ADDR: 'xxx.xxx.xxx.130' --> this being the external ip of the
>cisco pix 525
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: transition from
>state STATE_MAIN_I3 to state STATE_MAIN_I4
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: ISAKMP SA
>established
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: initiating Quick
>Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: ignoring
>informational payload, type IPSEC_INITIAL_CONTACT
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received and ignored
>informational message
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: ignoring
>informational payload, type IPSEC_RESPONDER_LIFETIME
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: transition from
>state STATE_QUICK_I1 to state STATE_QUICK_I2
>May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: sent QI2, IPsec SA
>established {ESP=>0x6xxx23f <0x07xxxx7}
>
>000 "milan":
>192.168.10.0/24===xxx.xxx.xxx.90---xxx.xxx.xxx.65...xxx.xxx.xxx.129---xxx.xxx.xxx.130===192.168.100.0/24; unrouted; eroute owner: #0
>
>192.168.10.3 internal linux box ip (and default gateway for the natted
>workstations)
>192.168.100.2 internal cisco pix ip (and default gateway for the natted
>workstations)
>
>conn milan
> left=xxx.xxx.xxx.90 public ip linux box
> leftnexthop=xxx.xxx.xxx.65 default gateway linux
> leftsubnet=192.168.10.0/24
> right=xxx.xxx.xxx.130 public ip cisco
> rightsubnet=192.168.100.0/24 network behind cisco
> rightnexthop=xxx.xxx.xxx.129 default gateway cisco
> authby=secret
> pfs=no
> auto=add
> esp=3des-md5-96
>
>The firewall on the linuxbox is natting the 192.168.10.x network and
>accepting anything coming from 192.168.100.x, I added udp port 500 to
>INPUT and OUTPUT chains in iptables, but still cannot ping (even from
>other workstations) or reach a web page on the other network. Anything
>else I am missing or should be looking for?
>
>
>
>>Remember you will need to allow the ipsec interface in your firewall
>>
>>
>How do I do this?
>
>Thanks for all your help, really appreciate this.
>
>Simone
>
>
>
>
>On Tue, 2005-05-24 at 01:35, Peter Farrow wrote:
>
>
>>Hi there, yes it was with a Nortel contivity on a few occassions and
>>the other times with a Cisco pix. interstingly enough the Cisco VPNs
>>often required updates to the IOS to make them 3Des compliant,
>>
>>As its late here in the UK (past midnight GMT+1) here is a very quick
>>and dirty freeswan guide.
>>
>>Needless to say the things that cause the biggest headache for most
>>users is the use of RSA keys and opportunistic encryption. Since this
>>is NOT what 99.9% of the masses need or want then there is a quick and
>>simple and just as secure alternative setup, but its not that well
>>documented. Opportunistic encryption came in versions 2 and above of
>>freeswan by default, this has the effect of clobbering the network
>>default route and replacing it down the ipsec interface (what you want
>>if you want to encrypt everything, but not really any great use in the
>>real world). Most people want to do site <-> site vpns and these are
>>best achieved without opportunistic encryption and by the use of
>>preshared keys.
>>
>>1)Make sure you get a version of freeswan suitable for your kernel, if
>>you can't find one go to somewhere like rpms.pbone.net and find a
>>kernel for which there is a freeswan version. Many people try and
>>hunt a freeswan version to match their kernel, I do it the otherway
>>round, find the latest freeswan compatible kernel you can for your
>>architecture, you can always compile it from source but why my life
>>harder for yourself.
>>2)get the freeswan module for the kernel you found, and the same
>>freeswan-userland version as well. then proceed as follows: after you
>>have installed the [from rpm]
>>
>>
>>Typically to kill opportunistic encryption add these lines to your
>>ipsec.conf file: after the config setup section near the top,
>>
>>conn block
>> auto=ignore
>>
>>conn private
>> auto=ignore
>>
>>conn private-or-clear
>> auto=ignore
>>
>>conn clear-or-private
>> auto=ignore
>>
>>conn clear
>> auto=ignore
>>
>>conn packetdefault
>> auto=ignore
>>
>>Doing this stops all the crap you get when ipsec starts and then kicks
>>you off the system about 60 seconds later if you're connected remotely
>>as this kills the opportunistic setup feature. Do the same at the
>>other end as well.
>>Then start the service.
>>
>>Then add a section for each tunnel you want to set up. if you have
>>multiple subnets at each site which can't be encapsulated in a single
>>subnet declaration, you will need to add a new tunnel defintion for
>>each. Here is an example :
>>
>>conn site1-site2 #this is the connection name
>>[tunnel] identifier
>> left=21.21.100.10 #This is the ip address of the
>>first linux box
>> leftnexthop=21.21.100.9 #This is usually set to the
>>defualt gateway for the first linux box
>> leftsubnet=10.11.2.0/24 #This is the LAN subnet behind
>>the first linux box
>> right=21.21.100.178 #This is the IP address of the
>>second linux box at the other end of the tunnel
>> rightsubnet=10.11.4.0/24 #This is the LAN subnet behind
>>the second linux box
>> rightnexthop=21.21.100.177 #This is the IP address of the
>>default gateway setting of the other linux box
>> authby=secret #We are going to use a
>>"password" or secret to encrypt/auth the link
>> pfs=no #Turn off perfect forward
>>security, this makes it faster and easier but less secure
>> auto=add #Authorise but don't start
>> esp=3des-md5-96 #encapsulating security payload
>>setting, encryption used for auth and data
>>
>>
>>Now cut and paste this and add it to the ipsec.conf file on the second
>>machine completely as is, unmodified.
>>
>>Then in you /etc/ipsec.secrets file on each machine you will need to
>>add a password [secret] for each each of the tunnels you have
>>specified, in the above example we would have:
>>
>>21.21.100.10 21.21.100.178 : PSK "a-passwordin-here-with-the-quotes"
>>
>>Add this to the very top of the ipsec secrets file, one entry for each
>>pair of machines in this format
>>
>>leftmachineip rightmachineip : PSK "password"
>>
>>Then do a service ipsec restart on each machine, bring the link up
>>with this command, it only needs to be invoked from either one of the
>>ends
>>
>>ipsec auto --up site1-site2
>>
>>You should get output like this if you did it right:
>>ipsec auto --up site1-site2
>>104 "site1-site2" #2086: STATE_MAIN_I1: initiate
>>106 "site1-site2" #2086: STATE_MAIN_I2: sent MI2, expecting MR2
>>108 "site1-site2" #2086: STATE_MAIN_I3: sent MI3, expecting MR3
>>004 "site1-site2" #2086: STATE_MAIN_I4: ISAKMP SA established
>>112 "site1-site2" #2087: STATE_QUICK_I1: initiate
>>004 "site1-site2" #2087: STATE_QUICK_I2: sent QI2, IPsec SA
>>established
>>
>>Remember you will need to allow the ipsec interface in your firewall
>>and you will need to add lines like this:
>>
>># Accept udp connections to port 500 for ipsec
>>$IPTABLES -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
>>$IPTABLES -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
>>
>>This is just about the quickest way to set up a VPN tunnel with
>>Freeswan, it takes minutes. If you want to make if more secure, you
>>can tune the config once you get it running this way!
>>
>>Remember the only machines that can't see the full extent of the other
>>LAN network are the linux boxes creating the tunnel. So the left
>>linux box will not be able to ping stuff on 10.11.4.0/24 network and
>>the right linux box will not be able to ping stuff on 10.11.2.0/24
>>network - don't forget this.... its commonly mistaken by some to mean
>>the tunnel isn't working, to truly test it end to end you need hosts
>>on the LANs at each end to ping each other.
>>
>>If you want to make it work through NATing gateways you will need to
>>port forward the udp 500 setting above on your firewall.
>>
>>Enjoy!
>>
>>Pete
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>Kennedy Clark wrote:
>>
>>
>>>Any chance of getting a quick HOW-TO posted to the group for that?
>>>;-) Sounds interesting.
>>>
>>>I saw your post about using it with Cisco & Nortel equipment -- I work
>>>with both a lot at my current customer. What types of equipment have
>>>you used it with from both vendors (e.g., Cisco: IOS, PIX, VPN3K;
>>>Nortel = Contivity)?
>>>
>>>Thanks!!
>>>Kennedy
>>>
>>>
>>>
>>______________________________________________________________________
>>_______________________________________________
>>CentOS mailing list
>>CentOS at centos.org
>>http://lists.centos.org/mailman/listinfo/centos
>>
>>
>
>
>
> --
> Email.it, the professional e-mail, gratis per te: http://www.email.it/f
>
> Sponsor:
> Bisogno di liquidità? Non devi spiegare per cosa. Fino a 4.000 EUR a casa tua
> Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=2291&d=24-5
>_______________________________________________
>CentOS mailing list
>CentOS at centos.org
>http://lists.centos.org/mailman/listinfo/centos
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos/attachments/20050524/3528b5fd/attachment.html>
More information about the CentOS
mailing list