On Wednesday, 8. August 2001 18:55, you wrote:
Christoph Egger wrote:
On Wednesday, 8. August 2001 15:21, you wrote:
Christoph Egger wrote:
Hi!
I wanna set up a VPN using FreeS/WAN through two Gateways (both are SuSE Linux 7.2 machines, btw).
[snip]
I got the tunnel. But I can send NOTHING over it. When I enable debugging with "ipsec klipsdebug --set rcv" then I get the message that I don't use IPSEC packets. As far as I understand the documentation, FreeS/WAN should generate IPSEC packets by automatically encapsulating any kind of packets. Enabling debugging with "ipsec klipsdebug --set tunnel-xmit" says, "... no eroute". I know what that means by reading the docs :), but I don't know how to set an appropriate eroute... :-(
Hello, I think you must use different subnets (192.168.1.0 and 192.168.2.0) for your private networks or use another netmask like 255.255.255.128 so you have two subnets (0-127 and 128-255)
The route should be set by _updown for you!
_updown: command not found. /etc/init.d/ipsec {start|stop|status|restart|reload}
Why is it necessary to use different subnets? Does that cause a routing problem? I don't think so, because usually a gateway/router probes all available connections to create an internal routing table...
It's a general routing problem. If a host, let's say 192.168.2.1, wants to talk to 192.168.2.100 and its netmask is 255.255.255.0, it knows that the host should be in its subnet, so it starts an ARP request for 192.168.2.100 and normally the host will reply with its Ethernet address. If the destination is in another subnet, the host will send the packet to its router (destination Ethernet address is the router's, destination Internet address is the right destination), which will take further actions like searching for a route (dynamically if you use routed or gated). So if you want to connect two subnets into one big one you need a bridge, not a router. There is also bridge support in the Linux kernel, but I don't know if freeswan can be used together with a bridge. And if it is possible you should change the _updown script for that.
TNX. I have reconfigured my network. Now it looks like this scheme:
Subnet 10.0.1.0 ---------------10.0.1.10 Gateway 62.180.107.61 ^ | tunnel | v 62.180.107.60 Gateway Subnet 192.168.2.91 ------- 192.168.2.0
I have routed running for searching the routes dynamically. But I still can't do anything: no pings, no telnet, no ssh...
I have enabled debugging with "ipsec klipsdebug --set tunnel". When I try to ping, then I get the debug-message:
"klips_debug:ipsec_tunnel_start_xmit: no eroute!: dropping"
When I try to ssh, then I get the debug-message:
"klips_debug:ipsec_tunnel_start_xmit: skb_cow failed to allocate buffer, dropping."
-- CU, Christoph
Christoph Egger wrote:
On Wednesday, 8. August 2001 18:55, you wrote:
Christoph Egger wrote:
On Wednesday, 8. August 2001 15:21, you wrote:
Christoph Egger wrote:
Hi!
I wanna set up a VPN using FreeS/WAN through two Gateways (both are SuSE Linux 7.2 machines, btw).
[snip]
I got the tunnel. But I can send NOTHING over it. When I enable debugging with "ipsec klipsdebug --set rcv" then I get the message that I don't use IPSEC packets. As far as I understand the documentation, FreeS/WAN should generate IPSEC packets by automatically encapsulating any kind of packets. Enabling debugging with "ipsec klipsdebug --set tunnel-xmit" says, "... no eroute". I know what that means by reading the docs :), but I don't know how to set an appropriate eroute... :-(
Hello, I think you must use different subnets (192.168.1.0 and 192.168.2.0) for your private networks or use another netmask like 255.255.255.128 so you have two subnets (0-127 and 128-255)
The route should be set by _updown for you!
_updown: command not found.
If you use freeswan from SuSE 7.2 I don't know where _updown is located. I have built freeswan from scratch so _updown is in /usr/local/lib/ipsec, but /usr/local is not conformant for programs which come with the distribution, so maybe it is in /usr/lib/ipsec or /opt/ipsec .... try "locate _updown" ...
/etc/init.d/ipsec {start|stop|status|restart|reload}
Why is it necessary to use different subnets? Does that cause a routing problem? I don't think so, because usually a gateway/router probes all available connections to create an internal routing table...
It's a general routing problem. If a host, let's say 192.168.2.1, wants to talk to 192.168.2.100 and its netmask is 255.255.255.0, it knows that the host should be in its subnet, so it starts an ARP request for 192.168.2.100 and normally the host will reply with its Ethernet address. If the destination is in another subnet, the host will send the packet to its router (destination Ethernet address is the router's, destination Internet address is the right destination), which will take further actions like searching for a route (dynamically if you use routed or gated). So if you want to connect two subnets into one big one you need a bridge, not a router. There is also bridge support in the Linux kernel, but I don't know if freeswan can be used together with a bridge. And if it is possible you should change the _updown script for that.
TNX. I have reconfigured my network. Now it looks like this scheme:
Subnet 10.0.1.0 ---------------10.0.1.10 Gateway 62.180.107.61 ^ | tunnel | v 62.180.107.60 Gateway Subnet 192.168.2.91 ------- 192.168.2.0
I have routed running for searching the routes dynamically. But I still can't do anything: no pings, no telnet, no ssh...
I have enabled debugging with "ipsec klipsdebug --set tunnel". When I try to ping, then I get the debug-message:
"klips_debug:ipsec_tunnel_start_xmit: no eroute!: dropping"
When I try to ssh, then I get the debug-message:
"klips_debug:ipsec_tunnel_start_xmit: skb_cow failed to allocate buffer, dropping."
routed should not help, you should need bridging support .... But I think the easiest way is using two different subnets.
Bye, Thomas
-- CU, Christoph
On Thursday, 9. August 2001 14:05, you wrote:
Christoph Egger wrote:
On Wednesday, 8. August 2001 18:55, you wrote:
Christoph Egger wrote:
On Wednesday, 8. August 2001 15:21, you wrote:
Christoph Egger wrote:
Hi!
I wanna set up a VPN using FreeS/WAN through two Gateways (both are SuSE Linux 7.2 machines, btw).
[snip]
I got the tunnel. But I can send NOTHING over it. When I enable debugging with "ipsec klipsdebug --set rcv" then I get the message that I don't use IPSEC packets. As far as I understand the documentation, FreeS/WAN should generate IPSEC packets by automatically encapsulating any kind of packets. Enabling debugging with "ipsec klipsdebug --set tunnel-xmit" says, "... no eroute". I know what that means by reading the docs :), but I don't know how to set an appropriate eroute... :-(
Hello, I think you must use different subnets (192.168.1.0 and 192.168.2.0) for your private networks or use another netmask like 255.255.255.128 so you have two subnets (0-127 and 128-255)
The route should be set by _updown for you!
_updown: command not found.
If you use freeswan from SuSE 7.2 I don't know where _updown is located. I have built freeswan from scratch so _updown is in /usr/local/lib/ipsec, but /usr/local is not conformant for programs which come with the distribution, so maybe it is in /usr/lib/ipsec or /opt/ipsec .... try "locate _updown" ...
I found it is in /usr/lib/ipsec. Calling it gives me the error "unknown interface version `'"
Why is it necessary to use different subnets? Does that cause a routing problem? I don't think so, because usually a gateway/router probes all available connections to create an internal routing table...
It's a general routing problem. If a host, let's say 192.168.2.1, wants to talk to 192.168.2.100 and its netmask is 255.255.255.0, it knows that the host should be in its subnet, so it starts an ARP request for 192.168.2.100 and normally the host will reply with its Ethernet address. If the destination is in another subnet, the host will send the packet to its router (destination Ethernet address is the router's, destination Internet address is the right destination), which will take further actions like searching for a route (dynamically if you use routed or gated). So if you want to connect two subnets into one big one you need a bridge, not a router. There is also bridge support in the Linux kernel, but I don't know if freeswan can be used together with a bridge. And if it is possible you should change the _updown script for that.
TNX. I have reconfigured my network. Now it looks like this scheme:
Subnet 10.0.1.0 ---------------10.0.1.10 Gateway 62.180.107.61 ^
tunnel
v 62.180.107.60 Gateway Subnet 192.168.2.91 ------- 192.168.2.0
I have routed running for searching the routes dynamically. But I still can't do anything: no pings, no telnet, no ssh...
I have enabled debugging with "ipsec klipsdebug --set tunnel". When I try to ping, then I get the debug-message:
"klips_debug:ipsec_tunnel_start_xmit: no eroute!: dropping"
When I try to ssh, then I get the debug-message:
"klips_debug:ipsec_tunnel_start_xmit: skb_cow failed to allocate buffer, dropping."
routed should not help, you should need bridging support .... But I think the easiest way is using two different subnets.
Are 10.0.1.0/16 and 192.168.2.0/24 not different enough?
-- CU, Christoph
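The on-link decision and the subnet layouts discussed in this thread, as an added example that is not part of any message: a host chooses between ARP and its gateway from its own address and netmask alone, and the two protected subnets of a tunnel can be normalised and tested for overlap. The function names are hypothetical, 192.168.2.200 is a constructed address, and the "same /24 on both sides" layout is an assumption drawn from the addresses used in the replies.

```python
import ipaddress


def delivery(src_ip, netmask, dst_ip):
    """Return 'arp' if the sender treats dst_ip as on-link, else 'gateway'.

    The host decides this from its own address and netmask only.
    """
    iface = ipaddress.ip_interface(f"{src_ip}/{netmask}")
    return "arp" if ipaddress.ip_address(dst_ip) in iface.network else "gateway"


def check_tunnel_subnets(left, right):
    """Normalise the two protected subnets and report whether they overlap."""
    l_net = ipaddress.ip_network(left, strict=False)   # host bits are masked off
    r_net = ipaddress.ip_network(right, strict=False)
    return {"left": str(l_net), "right": str(r_net),
            "overlap": l_net.overlaps(r_net)}


if __name__ == "__main__":
    # Same /24 on both sides (assumed layout): the remote host is ARPed for
    # locally, so the packet never reaches the gateway or the tunnel.
    print(delivery("192.168.2.1", "255.255.255.0", "192.168.2.100"))

    # /25 split (0-127 and 128-255): .100 is still in the same half as .1,
    # while .200 (constructed) is in the other half and goes to the gateway.
    print(delivery("192.168.2.1", "255.255.255.128", "192.168.2.100"))
    print(delivery("192.168.2.1", "255.255.255.128", "192.168.2.200"))

    # Layouts mentioned in the thread, checked for overlap.
    for left, right in [("192.168.2.0/24", "192.168.2.0/24"),
                        ("192.168.1.0/24", "192.168.2.0/24"),
                        ("10.0.1.0/16", "192.168.2.0/24")]:
        print(check_tunnel_subnets(left, right))
```

Note that 10.0.1.0/16 has host bits set and normalises to 10.0.0.0/16.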
participants (2)
- Christoph Egger
- Thomas Nowak