Re: [CentOS] VPN

Tue May 24 13:10:13 UTC 2005
simone <simone72 at email.it>

Hi there. Installed openswan, and followed the instructions :) . It
looks like the tunnel is established now:

May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: initiating Main Mode
May 24 14:19:33 fbctestvpn pluto[7063]: | no IKE algorithms for this connection ---> is this bad....
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received Vendor ID payload [XAUTH]
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received Vendor ID payload [Dead Peer Detection]
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received Vendor ID payload [Cisco-Unity]
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: ignoring unknown Vendor ID payload [xxxxxxxxxxxxxxxxxxxxxxx]
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: I did not send a certificate because I do not have one.
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.130' --> this being the external IP of the Cisco PIX 525
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: ISAKMP SA established
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received and ignored informational message
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: sent QI2, IPsec SA established {ESP=>0x6xxx23f <0x07xxxx7}

000 "milan":
192.168.10.0/24===xxx.xxx.xxx.90---xxx.xxx.xxx.65...xxx.xxx.xxx.129---xxx.xxx.xxx.130===192.168.100.0/24; unrouted; eroute owner: #0

192.168.10.3 internal linux box ip (and default gateway for the natted
workstations)
192.168.100.2 internal cisco pix ip (and default gateway for the natted
workstations)

conn milan
        left=xxx.xxx.xxx.90             # public ip linux box
        leftnexthop=xxx.xxx.xxx.65      # default gateway linux
        leftsubnet=192.168.10.0/24
        right=xxx.xxx.xxx.130           # public ip cisco
        rightsubnet=192.168.100.0/24    # network behind cisco
        rightnexthop=xxx.xxx.xxx.129    # default gateway cisco
        authby=secret
        pfs=no
        auto=add
        esp=3des-md5-96

The firewall on the linux box is NATting the 192.168.10.x network and
accepting anything coming from 192.168.100.x. I added udp port 500 to the
INPUT and OUTPUT chains in iptables, but still cannot ping (even from
other workstations) or reach a web page on the other network. Anything
else I am missing or should be looking for?

>Remember you will need to allow the ipsec interface in your firewall
How do I do this? 

Thanks for all your help, really appreciate this. 

Simone
On Tue, 2005-05-24 at 01:35, Peter Farrow wrote:
> Hi there, yes it was with a Nortel Contivity on a few occasions and
> the other times with a Cisco PIX. Interestingly enough the Cisco VPNs
> often required updates to the IOS to make them 3DES compliant.
> 
> As it's late here in the UK (past midnight GMT+1) here is a very quick
> and dirty freeswan guide.
> 
> Needless to say the things that cause the biggest headache for most
> users are the use of RSA keys and opportunistic encryption.  Since this
> is NOT what 99.9% of the masses need or want, there is a quick and
> simple and just as secure alternative setup, but it's not that well
> documented.  Opportunistic encryption came in versions 2 and above of
> freeswan by default; this has the effect of clobbering the network
> default route and replacing it down the ipsec interface (what you want
> if you want to encrypt everything, but not really any great use in the
> real world).  Most people want to do site <-> site VPNs and these are
> best achieved without opportunistic encryption and by the use of
> preshared keys.
> 
> 1) Make sure you get a version of freeswan suitable for your kernel; if
> you can't find one go to somewhere like rpms.pbone.net and find a
> kernel for which there is a freeswan version.  Many people try and
> hunt a freeswan version to match their kernel; I do it the other way
> round: find the latest freeswan compatible kernel you can for your
> architecture. You can always compile it from source, but why make life
> harder for yourself.
> 2) Get the freeswan module for the kernel you found, and the same
> freeswan-userland version as well. Then proceed as follows: after you
> have installed the [from rpm]
> 
> 
> Typically to kill opportunistic encryption add these lines to your
> ipsec.conf file: after the config setup section near the top,
> 
> conn block
>     auto=ignore
> 
> conn private
>     auto=ignore
> 
> conn private-or-clear
>     auto=ignore
> 
> conn clear-or-private
>     auto=ignore
> 
> conn clear
>     auto=ignore
> 
> conn packetdefault
>     auto=ignore
> 
> Doing this stops all the crap you get when ipsec starts and then kicks
> you off the system about 60 seconds later if you're connected remotely
> as this kills the opportunistic setup feature.   Do the same at the
> other end as well.
> Then start the service.
> 
> Then add a section for each tunnel you want to set up.  If you have
> multiple subnets at each site which can't be encapsulated in a single
> subnet declaration, you will need to add a new tunnel definition for
> each.  Here is an example:
> 
> conn site1-site2                       # this is the connection name [tunnel] identifier
>         left=21.21.100.10              # This is the ip address of the first linux box
>         leftnexthop=21.21.100.9        # This is usually set to the default gateway for the first linux box
>         leftsubnet=10.11.2.0/24        # This is the LAN subnet behind the first linux box
>         right=21.21.100.178            # This is the IP address of the second linux box at the other end of the tunnel
>         rightsubnet=10.11.4.0/24       # This is the LAN subnet behind the second linux box
>         rightnexthop=21.21.100.177     # This is the IP address of the default gateway setting of the other linux box
>         authby=secret                  # We are going to use a "password" or secret to encrypt/auth the link
>         pfs=no                         # Turn off perfect forward security, this makes it faster and easier but less secure
>         auto=add                       # Authorise but don't start
>         esp=3des-md5-96                # encapsulating security payload setting, encryption used for auth and data
> 
> 
> Now cut and paste this and add it to the ipsec.conf file on the second
> machine completely as is, unmodified.
> 
> Then in your /etc/ipsec.secrets file on each machine you will need to
> add a password [secret] for each of the tunnels you have
> specified; in the above example we would have:
> 
> 21.21.100.10 21.21.100.178 : PSK "a-passwordin-here-with-the-quotes"
> 
> Add this to the very top of the ipsec secrets file, one entry for each
> pair of machines in this format
> 
> leftmachineip   rightmachineip : PSK "password"
> 
> Then do a service ipsec restart on each machine and bring the link up
> with this command; it only needs to be invoked from one of the
> ends:
> 
> ipsec auto --up site1-site2
> 
> You should get output like this if you did it right:
> 
> ipsec auto --up site1-site2
> 104 "site1-site2" #2086: STATE_MAIN_I1: initiate
> 106 "site1-site2" #2086: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "site1-site2" #2086: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "site1-site2" #2086: STATE_MAIN_I4: ISAKMP SA established
> 112 "site1-site2" #2087: STATE_QUICK_I1: initiate
> 004 "site1-site2" #2087: STATE_QUICK_I2: sent QI2, IPsec SA established
> 
> Remember you will need to allow the ipsec interface in your firewall
> and you will need to add lines like this:
> 
> # Accept udp connections to port 500 for ipsec
> $IPTABLES -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
> $IPTABLES -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
> 
> This is just about the quickest way to set up a VPN tunnel with
> Freeswan; it takes minutes.  If you want to make it more secure, you
> can tune the config once you get it running this way!
> 
> Remember the only machines that can't see the full extent of the other
> LAN network are the linux boxes creating the tunnel.  So the left
> linux box will not be able to ping stuff on the 10.11.4.0/24 network and
> the right linux box will not be able to ping stuff on the 10.11.2.0/24
> network - don't forget this.... it's commonly mistaken by some to mean
> the tunnel isn't working; to truly test it end to end you need hosts
> on the LANs at each end to ping each other.
> 
> If you want to make it work through NATing gateways you will need to
> port forward the udp 500 setting above on your firewall.
> 
> Enjoy!
> 
> Pete
> 
> Kennedy Clark wrote:
> > Any chance of getting a quick HOW-TO posted to the group for that? 
> > ;-)  Sounds interesting.
> > 
> > I saw your post about using it with Cisco & Nortel equipment -- I work
> > with both a lot at my current customer.  What types of equipment have
> > you used it with from both vendors (e.g., Cisco: IOS, PIX, VPN3K;
> > Nortel = Contivity)?
> > 
> > Thanks!!
> > Kennedy
> >   
> 
> 
> ______________________________________________________________________
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
