Betr.: [CentOS] VPN
simone
simone72 at email.it
Tue May 24 13:10:13 UTC 2005
Hi there. Installed openswan, and followed the instructions :) . It
looks like tunnel is estabilished now:
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: initiating Main Mode
May 24 14:19:33 fbctestvpn pluto[7063]: | no IKE algorithms for this
connection ---> is this bad....
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: transition from
state STATE_MAIN_I1 to state STATE_MAIN_I2
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received Vendor ID
payload [XAUTH]
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received Vendor ID
payload [Dead Peer Detection]
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received Vendor ID
payload [Cisco-Unity]
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: ignoring unknown
Vendor ID payload [xxxxxxxxxxxxxxxxxxxxxxx]
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: I did not send a
certificate because I do not have one.
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: transition from
state STATE_MAIN_I2 to state STATE_MAIN_I3
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: Main mode peer ID is
ID_IPV4_ADDR: 'xxx.xxx.xxx.130' --> this being the external ip of the
cisco pix 525
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: transition from
state STATE_MAIN_I3 to state STATE_MAIN_I4
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: ISAKMP SA
established
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: initiating Quick
Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: ignoring
informational payload, type IPSEC_INITIAL_CONTACT
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received and ignored
informational message
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: ignoring
informational payload, type IPSEC_RESPONDER_LIFETIME
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: transition from
state STATE_QUICK_I1 to state STATE_QUICK_I2
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: sent QI2, IPsec SA
established {ESP=>0x6xxx23f <0x07xxxx7}
000 "milan":
192.168.10.0/24===xxx.xxx.xxx.90---xxx.xxx.xxx.65...xxx.xxx.xxx.129---xxx.xxx.xxx.130===192.168.100.0/24; unrouted; eroute owner: #0
192.168.10.3 internal linux box ip (and default gateway for the natted
workstations)
192.168.100.2 internal cisco pix ip (and default gateway for the natted
workstations)
conn milan
left=xxx.xxx.xxx.90 public ip linux box
leftnexthop=xxx.xxx.xxx.65 default gateway linux
leftsubnet=192.168.10.0/24
right=xxx.xxx.xxx.130 public ip cisco
rightsubnet=192.168.100.0/24 network behind cisco
rightnexthop=xxx.xxx.xxx.129 default gateway cisco
authby=secret
pfs=no
auto=add
esp=3des-md5-96
The firewall on the linuxbox is natting the 192.168.10.x network and
accepting anything coming from 192.168.100.x, I added udp port 500 to
INPUT and OUTPUT chains in iptables, but still cannot ping (even from
other workstations) or reach a web page on the other network. Anything
else I am missing or should be looking for?
>Remember you will need to allow the ipsec interface in your firewall
How do I do this?
Thanks for all your help, really appreciate this.
Simone
On Tue, 2005-05-24 at 01:35, Peter Farrow wrote:
> Hi there, yes it was with a Nortel contivity on a few occassions and
> the other times with a Cisco pix. interstingly enough the Cisco VPNs
> often required updates to the IOS to make them 3Des compliant,
>
> As its late here in the UK (past midnight GMT+1) here is a very quick
> and dirty freeswan guide.
>
> Needless to say the things that cause the biggest headache for most
> users is the use of RSA keys and opportunistic encryption. Since this
> is NOT what 99.9% of the masses need or want then there is a quick and
> simple and just as secure alternative setup, but its not that well
> documented. Opportunistic encryption came in versions 2 and above of
> freeswan by default, this has the effect of clobbering the network
> default route and replacing it down the ipsec interface (what you want
> if you want to encrypt everything, but not really any great use in the
> real world). Most people want to do site <-> site vpns and these are
> best achieved without opportunistic encryption and by the use of
> preshared keys.
>
> 1)Make sure you get a version of freeswan suitable for your kernel, if
> you can't find one go to somewhere like rpms.pbone.net and find a
> kernel for which there is a freeswan version. Many people try and
> hunt a freeswan version to match their kernel, I do it the otherway
> round, find the latest freeswan compatible kernel you can for your
> architecture, you can always compile it from source but why my life
> harder for yourself.
> 2)get the freeswan module for the kernel you found, and the same
> freeswan-userland version as well. then proceed as follows: after you
> have installed the [from rpm]
>
>
> Typically to kill opportunistic encryption add these lines to your
> ipsec.conf file: after the config setup section near the top,
>
> conn block
> auto=ignore
>
> conn private
> auto=ignore
>
> conn private-or-clear
> auto=ignore
>
> conn clear-or-private
> auto=ignore
>
> conn clear
> auto=ignore
>
> conn packetdefault
> auto=ignore
>
> Doing this stops all the crap you get when ipsec starts and then kicks
> you off the system about 60 seconds later if you're connected remotely
> as this kills the opportunistic setup feature. Do the same at the
> other end as well.
> Then start the service.
>
> Then add a section for each tunnel you want to set up. if you have
> multiple subnets at each site which can't be encapsulated in a single
> subnet declaration, you will need to add a new tunnel defintion for
> each. Here is an example :
>
> conn site1-site2 #this is the connection name
> [tunnel] identifier
> left=21.21.100.10 #This is the ip address of the
> first linux box
> leftnexthop=21.21.100.9 #This is usually set to the
> defualt gateway for the first linux box
> leftsubnet=10.11.2.0/24 #This is the LAN subnet behind
> the first linux box
> right=21.21.100.178 #This is the IP address of the
> second linux box at the other end of the tunnel
> rightsubnet=10.11.4.0/24 #This is the LAN subnet behind
> the second linux box
> rightnexthop=21.21.100.177 #This is the IP address of the
> default gateway setting of the other linux box
> authby=secret #We are going to use a
> "password" or secret to encrypt/auth the link
> pfs=no #Turn off perfect forward
> security, this makes it faster and easier but less secure
> auto=add #Authorise but don't start
> esp=3des-md5-96 #encapsulating security payload
> setting, encryption used for auth and data
>
>
> Now cut and paste this and add it to the ipsec.conf file on the second
> machine completely as is, unmodified.
>
> Then in you /etc/ipsec.secrets file on each machine you will need to
> add a password [secret] for each each of the tunnels you have
> specified, in the above example we would have:
>
> 21.21.100.10 21.21.100.178 : PSK "a-passwordin-here-with-the-quotes"
>
> Add this to the very top of the ipsec secrets file, one entry for each
> pair of machines in this format
>
> leftmachineip rightmachineip : PSK "password"
>
> Then do a service ipsec restart on each machine, bring the link up
> with this command, it only needs to be invoked from either one of the
> ends
>
> ipsec auto --up site1-site2
>
> You should get output like this if you did it right:
> ipsec auto --up site1-site2
> 104 "site1-site2" #2086: STATE_MAIN_I1: initiate
> 106 "site1-site2" #2086: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "site1-site2" #2086: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "site1-site2" #2086: STATE_MAIN_I4: ISAKMP SA established
> 112 "site1-site2" #2087: STATE_QUICK_I1: initiate
> 004 "site1-site2" #2087: STATE_QUICK_I2: sent QI2, IPsec SA
> established
>
> Remember you will need to allow the ipsec interface in your firewall
> and you will need to add lines like this:
>
> # Accept udp connections to port 500 for ipsec
> $IPTABLES -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
> $IPTABLES -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
>
> This is just about the quickest way to set up a VPN tunnel with
> Freeswan, it takes minutes. If you want to make if more secure, you
> can tune the config once you get it running this way!
>
> Remember the only machines that can't see the full extent of the other
> LAN network are the linux boxes creating the tunnel. So the left
> linux box will not be able to ping stuff on 10.11.4.0/24 network and
> the right linux box will not be able to ping stuff on 10.11.2.0/24
> network - don't forget this.... its commonly mistaken by some to mean
> the tunnel isn't working, to truly test it end to end you need hosts
> on the LANs at each end to ping each other.
>
> If you want to make it work through NATing gateways you will need to
> port forward the udp 500 setting above on your firewall.
>
> Enjoy!
>
> Pete
>
>
>
>
>
>
>
>
>
>
>
>
> Kennedy Clark wrote:
> > Any chance of getting a quick HOW-TO posted to the group for that?
> > ;-) Sounds interesting.
> >
> > I saw your post about using it with Cisco & Nortel equipment -- I work
> > with both a lot at my current customer. What types of equipment have
> > you used it with from both vendors (e.g., Cisco: IOS, PIX, VPN3K;
> > Nortel = Contivity)?
> >
> > Thanks!!
> > Kennedy
> >
>
>
> ______________________________________________________________________
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
--
Email.it, the professional e-mail, gratis per te: http://www.email.it/f
Sponsor:
Bisogno di liquidità? Non devi spiegare per cosa. Fino a 4.000 € a casa tua
Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=2291&d=24-5
More information about the CentOS
mailing list