Mailinglist Archive: opensuse-security (300 mails)
Re: [suse-security] IP Tunnel in only one direction possible
- From: Thomas Kerkau <Thomas.Kerkau@xxxxxxxxxxxxxxx>
- Date: Wed, 23 Apr 2003 14:44:22 +0200
- Message-id: <3EA68AA6.4AF407E9@xxxxxxxxxxxxxxx>
Hi Peter,
see comments below....
telest@xxxxxxx wrote:
>
> Thomas:
> I tested several configurations within ipsec.conf: (basically I do the same
> as on GW1)
>
> interfaces=%defaultroute
> interfaces="ipsec0=ppp0"
I think only the first two will work and should be equal (if ppp0 is the
default interface).
> interfaces="ipsec0=eth0 ipsec1=%defaultroute"
> interfaces="ipsec0=eth0 ipsec1=ppp0"
>
> # basic configuration
>
> config setup
> # THIS SETTING MUST BE CORRECT or almost nothing will work;
> # %defaultroute is okay for most simple cases.
> interfaces="ipsec0=eth0 ipsec1=ppp0"
interfaces = %defaultroute
> klipsdebug=none
> plutodebug=none
> plutoload=%search
> plutostart=%search
> uniqueids=yes
> overridemtu=1412
>
> conn %default
> keyingtries=0
> disablearrivalcheck=no
> authby=rsasig
>
> conn MUCWIL
> left=tsfwwillich.dyndns.org
Older versions had problems resolving names... as far as I remember.
> leftsubnet=192.168.100.0/24
> leftrsasigkey=%cert
> leftcert=gw.wil.cert.pem
> leftid="/C=DE/ST=GER/O=Teleconnect und Service
> GmbH/OU=TSD/CN=GATEWAY VPN WILLICH/Email=info@xxxxxxxxxxxxxxxxxxxxxx"
If you use leftcert, don't use leftid and leftrsasigkey; these two are
complementary... Don't you get error messages in /var/log/messages on "ipsec
setup start"?
>
> # Right security gateway, subnet behind it, next hop toward left.
> right=tsfwmuenchen.dyndns.org
> rightsubnet=192.168.101.0/24
> rightnexthop=217.5.98.100
> rightcert=gw.muc.cert.pem
> rightid="/C=DE/ST=GER/O=Teleconnect und Service
> GmbH/OU=TSD/CN=GATEWAY VPN WILLICH/Email=info@xxxxxxxxxxxxxxxxxxxxxx"
> rightrsasigkey=%cert
> auto=start
After all I'm a little confused here. I thought your setup was:
NET1               GW1     GW2     NET2
192.168.100.0/24   fixIP   DynIP   192.168.101.0/24
for GW1 we have:
interfaces=%defaultroute
or
interfaces="ipsec0=ethX"
conn MUCWIL
    left=fixIP-GW1
    leftcert=GW1.pem
    leftnexthop=IP-FOR-DEFAULTROUTE-GW1
    leftsubnet=192.168.100.0/24
    rightcert=GW2.pem
    right=%any
    rightnexthop=
    rightsubnet=192.168.101.0/24
    auto=start
and for GW2:
interfaces=%defaultroute
conn MUCWIL
    left=fixIP-GW1
    leftcert=GW1.pem
    leftnexthop=IP-FOR-DEFAULTROUTE-GW1
    leftsubnet=192.168.100.0/24
    rightcert=GW2.pem
    right=%defaultroute
    rightnexthop=
    rightsubnet=192.168.101.0/24
    auto=start
Take this and try "ipsec setup restart" and look in /var/log/messages
for Pluto messages while ipsec reads the configuration (tail -f
/var/log/messages | grep Pluto).
>
> Ray:
> How can I verify that forwarding is enabled?
cat /proc/sys/net/ipv4/ip_forward
should give 1 or 0 (1 means on). The switch is set in the network setup
in yast2 or by echo "1" > /proc/sys/net/ipv4/ip_forward
Greetings, Thomas
>
> Also, make sure forwarding is turned on for that interface.
>
> On Wed, 2003-04-23 at 13:02, Thomas Kerkau wrote:
> > Hi Peter,
> >
> >
> > > |NET2 pings NET1: GW2(eth0) logs an icmp request ?
> > > on eth0:
> > > 9 7.631138 192.168.101.239 192.168.100.205 ICMP Echo (ping) request
> >
> > the packet is entering GW2.
> >
> > >
> > > 192.168.101.0/24 is net2 internal
> > > 192.168.100.0/24 is net1 internal
> > >
> > > on ipsec0:
> > > 3 1.694921 217.235.199.35 192.168.100.205 ICMP
> > > Echo (ping) request
> >
> > the packet is leaving ipsec0
> >
> > >
> > > on eth1:
> > > nothing--
> > >
> > > on ppp0
> > > nothing--
> >
> > but not forwarded to ppp0/eth1. Just checked this on a 7.3, you will see
> > ESP packets on both. Hopefully this was not changed. Is ipsec0 bound to
> > eth1/ppp0 (interfaces directive in ipsec.conf)?
> >
> > > Yes I forgot to paste it into the reply. :)
> > > but basically ipsec0 looks different on both machines
> > >
> > > GW2:|> 10:21:04.305584 192.168.101.239 > 192.168.100.1: icmp: echo
> > > GW1:|> 08:51:05.057368 unknown ip 0
> >
> > Are you sure that these entries are correlated? Do you see ESP packets
> > on the external interface of GW1?
> >
> > My feeling at this point is that GW2 doesn't send any packet to GW1.
> > Check if "ipsec eroute" and "ipsec auto --status" show the correct
> > connections, and check "route".
> >
> > Greetings, Thomas
> >
> >
>
--
www.ArcStyler.com - the Architectural IDE for MDA:J2EE/.NET/EAI
-> CyberOne Award
-> Winner Crossroads A-List Award USA
-> IBM Solution Excellence Award winner for Hot Java Solution
-> European Information Society Technologies Prize Winner
-> Made with ArcStyler: http://www.io-software.com/customers
-> OMG Press, John Wiley 2002 www.ConvergentArchitecture.com
----- < iO > ---------------------------------------------------------
Interactive Objects Software GmbH
mailto:Thomas.Kerkau@xxxxxxxxxxxxxxx
http://www.io-software.com
Basler Strasse 65, D-79100 Freiburg, Germany
Tel: [+49]-761-40073-0, Fax: [+49]-761-40073-73
----------------------------------------------------------------------