This might be useful too: http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html simone wrote: >Hi there. Installed openswan, and followed the instructions :) . It >looks like tunnel is estabilished now: > >May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: initiating Main Mode >May 24 14:19:33 fbctestvpn pluto[7063]: | no IKE algorithms for this >connection ---> is this bad.... >May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: transition from >state STATE_MAIN_I1 to state STATE_MAIN_I2 >May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received Vendor ID >payload [XAUTH] >May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received Vendor ID >payload [Dead Peer Detection] >May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received Vendor ID >payload [Cisco-Unity] >May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: ignoring unknown >Vendor ID payload [xxxxxxxxxxxxxxxxxxxxxxx] >May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: I did not send a >certificate because I do not have one. >May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: transition from >state STATE_MAIN_I2 to state STATE_MAIN_I3 >May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: Main mode peer ID is >ID_IPV4_ADDR: 'xxx.xxx.xxx.130' --> this being the external ip of the >cisco pix 525 >May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: transition from >state STATE_MAIN_I3 to state STATE_MAIN_I4 >May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: ISAKMP SA >established >May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: initiating Quick >Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1} >May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: ignoring >informational payload, type IPSEC_INITIAL_CONTACT >May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received and ignored >informational message >May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: ignoring >informational payload, type IPSEC_RESPONDER_LIFETIME >May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: transition from >state STATE_QUICK_I1 to state STATE_QUICK_I2 >May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: sent QI2, IPsec SA >established {ESP=>0x6xxx23f <0x07xxxx7} > >000 "milan": >192.168.10.0/24===xxx.xxx.xxx.90---xxx.xxx.xxx.65...xxx.xxx.xxx.129---xxx.xxx.xxx.130===192.168.100.0/24; unrouted; eroute owner: #0 > >192.168.10.3 internal linux box ip (and default gateway for the natted >workstations) >192.168.100.2 internal cisco pix ip (and default gateway for the natted >workstations) > >conn milan > left=xxx.xxx.xxx.90 public ip linux box > leftnexthop=xxx.xxx.xxx.65 default gateway linux > leftsubnet=192.168.10.0/24 > right=xxx.xxx.xxx.130 public ip cisco > rightsubnet=192.168.100.0/24 network behind cisco > rightnexthop=xxx.xxx.xxx.129 default gateway cisco > authby=secret > pfs=no > auto=add > esp=3des-md5-96 > >The firewall on the linuxbox is natting the 192.168.10.x network and >accepting anything coming from 192.168.100.x, I added udp port 500 to >INPUT and OUTPUT chains in iptables, but still cannot ping (even from >other workstations) or reach a web page on the other network. Anything >else I am missing or should be looking for? > > > >>Remember you will need to allow the ipsec interface in your firewall >> >> >How do I do this? > >Thanks for all your help, really appreciate this. > >Simone > > > > >On Tue, 2005-05-24 at 01:35, Peter Farrow wrote: > > >>Hi there, yes it was with a Nortel contivity on a few occassions and >>the other times with a Cisco pix. interstingly enough the Cisco VPNs >>often required updates to the IOS to make them 3Des compliant, >> >>As its late here in the UK (past midnight GMT+1) here is a very quick >>and dirty freeswan guide. >> >>Needless to say the things that cause the biggest headache for most >>users is the use of RSA keys and opportunistic encryption. Since this >>is NOT what 99.9% of the masses need or want then there is a quick and >>simple and just as secure alternative setup, but its not that well >>documented. Opportunistic encryption came in versions 2 and above of >>freeswan by default, this has the effect of clobbering the network >>default route and replacing it down the ipsec interface (what you want >>if you want to encrypt everything, but not really any great use in the >>real world). Most people want to do site <-> site vpns and these are >>best achieved without opportunistic encryption and by the use of >>preshared keys. >> >>1)Make sure you get a version of freeswan suitable for your kernel, if >>you can't find one go to somewhere like rpms.pbone.net and find a >>kernel for which there is a freeswan version. Many people try and >>hunt a freeswan version to match their kernel, I do it the otherway >>round, find the latest freeswan compatible kernel you can for your >>architecture, you can always compile it from source but why my life >>harder for yourself. >>2)get the freeswan module for the kernel you found, and the same >>freeswan-userland version as well. then proceed as follows: after you >>have installed the [from rpm] >> >> >>Typically to kill opportunistic encryption add these lines to your >>ipsec.conf file: after the config setup section near the top, >> >>conn block >> auto=ignore >> >>conn private >> auto=ignore >> >>conn private-or-clear >> auto=ignore >> >>conn clear-or-private >> auto=ignore >> >>conn clear >> auto=ignore >> >>conn packetdefault >> auto=ignore >> >>Doing this stops all the crap you get when ipsec starts and then kicks >>you off the system about 60 seconds later if you're connected remotely >>as this kills the opportunistic setup feature. Do the same at the >>other end as well. >>Then start the service. >> >>Then add a section for each tunnel you want to set up. if you have >>multiple subnets at each site which can't be encapsulated in a single >>subnet declaration, you will need to add a new tunnel defintion for >>each. Here is an example : >> >>conn site1-site2 #this is the connection name >>[tunnel] identifier >> left=21.21.100.10 #This is the ip address of the >>first linux box >> leftnexthop=21.21.100.9 #This is usually set to the >>defualt gateway for the first linux box >> leftsubnet=10.11.2.0/24 #This is the LAN subnet behind >>the first linux box >> right=21.21.100.178 #This is the IP address of the >>second linux box at the other end of the tunnel >> rightsubnet=10.11.4.0/24 #This is the LAN subnet behind >>the second linux box >> rightnexthop=21.21.100.177 #This is the IP address of the >>default gateway setting of the other linux box >> authby=secret #We are going to use a >>"password" or secret to encrypt/auth the link >> pfs=no #Turn off perfect forward >>security, this makes it faster and easier but less secure >> auto=add #Authorise but don't start >> esp=3des-md5-96 #encapsulating security payload >>setting, encryption used for auth and data >> >> >>Now cut and paste this and add it to the ipsec.conf file on the second >>machine completely as is, unmodified. >> >>Then in you /etc/ipsec.secrets file on each machine you will need to >>add a password [secret] for each each of the tunnels you have >>specified, in the above example we would have: >> >>21.21.100.10 21.21.100.178 : PSK "a-passwordin-here-with-the-quotes" >> >>Add this to the very top of the ipsec secrets file, one entry for each >>pair of machines in this format >> >>leftmachineip rightmachineip : PSK "password" >> >>Then do a service ipsec restart on each machine, bring the link up >>with this command, it only needs to be invoked from either one of the >>ends >> >>ipsec auto --up site1-site2 >> >>You should get output like this if you did it right: >>ipsec auto --up site1-site2 >>104 "site1-site2" #2086: STATE_MAIN_I1: initiate >>106 "site1-site2" #2086: STATE_MAIN_I2: sent MI2, expecting MR2 >>108 "site1-site2" #2086: STATE_MAIN_I3: sent MI3, expecting MR3 >>004 "site1-site2" #2086: STATE_MAIN_I4: ISAKMP SA established >>112 "site1-site2" #2087: STATE_QUICK_I1: initiate >>004 "site1-site2" #2087: STATE_QUICK_I2: sent QI2, IPsec SA >>established >> >>Remember you will need to allow the ipsec interface in your firewall >>and you will need to add lines like this: >> >># Accept udp connections to port 500 for ipsec >>$IPTABLES -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT >>$IPTABLES -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT >> >>This is just about the quickest way to set up a VPN tunnel with >>Freeswan, it takes minutes. If you want to make if more secure, you >>can tune the config once you get it running this way! >> >>Remember the only machines that can't see the full extent of the other >>LAN network are the linux boxes creating the tunnel. So the left >>linux box will not be able to ping stuff on 10.11.4.0/24 network and >>the right linux box will not be able to ping stuff on 10.11.2.0/24 >>network - don't forget this.... its commonly mistaken by some to mean >>the tunnel isn't working, to truly test it end to end you need hosts >>on the LANs at each end to ping each other. >> >>If you want to make it work through NATing gateways you will need to >>port forward the udp 500 setting above on your firewall. >> >>Enjoy! >> >>Pete >> >> >> >> >> >> >> >> >> >> >> >> >>Kennedy Clark wrote: >> >> >>>Any chance of getting a quick HOW-TO posted to the group for that? >>>;-) Sounds interesting. >>> >>>I saw your post about using it with Cisco & Nortel equipment -- I work >>>with both a lot at my current customer. What types of equipment have >>>you used it with from both vendors (e.g., Cisco: IOS, PIX, VPN3K; >>>Nortel = Contivity)? >>> >>>Thanks!! >>>Kennedy >>> >>> >>> >>______________________________________________________________________ >>_______________________________________________ >>CentOS mailing list >>CentOS at centos.org >>http://lists.centos.org/mailman/listinfo/centos >> >> > > > > -- > Email.it, the professional e-mail, gratis per te: http://www.email.it/f > > Sponsor: > Bisogno di liquidità? Non devi spiegare per cosa. Fino a 4.000 EUR a casa tua > Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=2291&d=24-5 >_______________________________________________ >CentOS mailing list >CentOS at centos.org >http://lists.centos.org/mailman/listinfo/centos > > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.centos.org/pipermail/centos/attachments/20050524/3528b5fd/attachment-0005.html>