Hi,
I need to build a VPN connection to a Win NT based partner network. If I'm right this could be done with CIPE and FreeS/WAN. Which package is recommended? How do I have to configure firewall.rc.config?
My system:
Kernel 2.2.18, ipchains 1.3.9-217, SuSEfirewall 4.3-3
Thanks in advance
Thom
-------------------------------------------------------------------
bye bye (c) by Thom | Thorsten Marquardt | EMail: THOM@kaupp.chemie.uni-oldenburg.de | Member of the pzt project. | http://kaupp.chemie.uni-oldenburg.de/pzt
-------------------------------------------------------------------
I've done some research into various VPN solutions for Linux, here's my take:
CIPE is great for one machine to one machine connections, especially if they are not gateways (i.e. encrypted connection from host A to host B). CIPE also works reasonably well on gateway servers but you will need to add various routes and make sure your firewalling doesn't block anything (can be tricky depending on exact configuration). I would not use CIPE for more than 3 or so machines as key management/etc becomes a real hassle.
SSH solutions (PPPD, etc) are about the same as above.
IPSec is the "Real" solution IMNHO, other advantages are that IPSec clients on say Windows can be used as well. It's more work but in the long run it will pay off. FreeSwan is not the best IPSec product from a management point of view however.
Kurt Seifried, seifried@securityportal.com
Securityportal - your focal point for security on the 'net
Kurt Seifried wrote: [...]
IPSec is the "Real" solution IMNHO, other advantages are that IPSec clients on say Windows can be used as well. It's more work but in the long run it will pay off. FreeSwan is not the best IPSec product from a management point of view however.
Are there further ipsec solutions?
Do you have any hints concerning the firewall setup? /etc/rc.d/ipsec reports:
ipsec_setup: WARNING: ipsec0 has route filtering turned on, KLIPS may not work the same for eth0
What about section 22 in /etc/rc.config.d/firewall.rc.config? Do I have to set FW_SERVICES_EXTERNAL_IP, FW_SERVICES_DMZ_IP, FW_SERVICES_INTERNAL_IP, FW_SERVICES_TRUSTED_IP and FW_FORWARD_IP?
Thanks
Thom
Hello Thorsten,
Do you have any hints concerning the firewall-setup? /etc/rc.d/ipsec reports:
ipsec_setup: WARNING: ipsec0 has route filtering turned on, KLIPS may not work
the same for eth0
the next line in the log tells you the solution:
(/proc/sys/net/ipv4/conf/ipsec0/rp_filter = `1', should be 0)
In /etc/rc.d/ipsec you can find the lines for this message. You can insert
echo "0" > $rpf
to turn route filtering off and it works fine.
Frank
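Frank's fix above writes a 0 into the per-interface rp_filter file. The script below is an added example (not from the thread and not part of FreeS/WAN or the SuSE ipsec init script) that wraps the same write in checks, so the reverse-path filter is relaxed on ipsec0 only and stays on for eth0; the RPF_ROOT variable and the rp_filter_* function names are my own, and RPF_ROOT can be pointed at a constructed directory tree to exercise the functions without root.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeS/WAN: inspect the
# reverse-path filter for the interfaces KLIPS uses and relax it only on
# ipsec0, so the kernel's source-address sanity check stays on elsewhere.
# RPF_ROOT defaults to the kernel's sysctl tree and can be pointed at a
# constructed directory tree for testing without root.

RPF_ROOT=${RPF_ROOT:-/proc/sys/net/ipv4/conf}

# Print the rp_filter value for one interface, or "missing" when the kernel
# has no entry for it (e.g. the interface is not up yet).
rp_filter_value() {
    f="$RPF_ROOT/$1/rp_filter"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo missing
    fi
}

# Return 0 when the interface is safe for KLIPS (rp_filter=0), 1 otherwise.
# conf/all is shown too: kernel versions differ in how it combines with the
# per-interface value, so look at both when the warning persists.
rp_filter_check() {
    iface=$1
    v=$(rp_filter_value "$iface")
    echo "$iface: rp_filter=$v (all=$(rp_filter_value all))"
    [ "$v" = "0" ]
}

# Check several interfaces; return 1 if any of them still filters.
rp_filter_report() {
    rc=0
    for i in "$@"; do
        rp_filter_check "$i" || rc=1
    done
    return $rc
}

# Write 0 to one interface only. "all" and "default" are refused on purpose:
# the thread's fix is per interface, and disabling rp_filter globally would
# remove source-address checking on eth0 as well.
rp_filter_disable() {
    case $1 in
        all|default)
            echo "refusing to disable rp_filter globally ($1)" >&2
            return 2 ;;
    esac
    f="$RPF_ROOT/$1/rp_filter"
    [ -w "$f" ] || { echo "$f is not writable" >&2; return 1; }
    echo 0 > "$f"
}

# Typical use on the gateway, before starting ipsec:
#   rp_filter_report ipsec0 eth0 || rp_filter_disable ipsec0
```

Because the script never touches eth0, nothing has to be restored there when ipsec is stopped; if the filter should be back on ipsec0 afterwards, write 1 to the same file. With rp_filter off on ipsec0 the firewall rules become the only check on where cleartext packets for the remote net are allowed to arrive.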
Frank wrote,
Hello Thorsten,
Do you have any hints concerning the firewall-setup? /etc/rc.d/ipsec reports:
ipsec_setup: WARNING: ipsec0 has route filtering turned on, KLIPS may not work
the same for eth0
the next line in log tells you the solution: (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = `1', should be 0)
In /etc/rc.d/ipsec you can found the lines for this message. You can insert
echo "0" > $rpf
for route filtering turning off and it works fine.
Thanks so far. But I encounter further errors:
ipsec_setup: whack error: ""tt-thom" illegal (non-DNS-name) character in "%any"
ipsec-setup: 030 truncated message from whack: got 378 bytes; expected 2440. Message ignored.
ipsec-setup: 030 truncated message from whack: got 370 bytes; expected 2440. Message ignored.
ipsec_setup: 030 truncated message from whack: got 366 bytes; expected 2440. Message ignored.
And should filtering be turned on while stopping ipsec?
Thom
It seems your FreeS/WAN config is wrong concerning your selection for keying. Could it be you selected left/rightrsasig=%dns for your road warrior config? It shouldn't work; you need to exchange your keys and put them in the ipsec.config. Please read the config.html, there are examples for road warrior configuration.
good luck,
Frank
Hello Frank, on 23-Apr-01 you wrote:
it seems your freeswan config is wrong concerning your selection for keying. Could it be you select left/rightrsasig=%dns for your road warrior config?
No. This is my (crippled) ipsec.conf:
# /etc/ipsec.conf - FreeS/WAN IPSEC configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file.
# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes
# defaults for subsequent connection descriptions
conn %default
    # How persistent to be in (re)keying negotiations (0 means very).
    keyingtries=0
    # Parameters for manual-keying testing (DON'T USE OPERATIONALLY).
    # Note: only one test connection at a time can use these parameters!
    spi=0x200
    esp=3des-md5-96
    espenckey=0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0
    espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf
    # RSA authentication with keys from DNS.
    authby=rsasig
    #leftrsasigkey=%dns
    #rightrsasigkey=%dns
# sample connection
#conn sample
    # Left security gateway, subnet behind it, next hop toward right.
    #left=10.0.0.1
    #leftsubnet=172.16.0.0/24
    #leftnexthop=10.22.33.44
    # Right security gateway, subnet behind it, next hop toward left.
    #right=10.12.12.1
    #rightnexthop=10.101.102.103
    # To authorize this connection, but not actually start it, at startup,
    # uncomment this.
    #auto=add
# Connection from TT to thom's server
conn ttthom
    # leftid=@sec.my-office.de
    leftrsasigkey=0x01038c4517d9b78bbb652d9dfffe6b[...]fc95f6a94f0068347bb9
    # The security gateway
    left=a.b.c.d # official ip
    leftsubnet=a.b.c.0/24
    # rightid=@home.my-office.de
    rightrsasigkey=0x0103cdd2c64ef05c3c09d4a6141a7[...]025ccea73e73e256afb3
    right=%any
    auto=add
    keyingtries=1
It shouldn't work, you need to exchange your keys and put it in the ipsec.config. Please read the config.html, there are examples for road warrior configuration. good luck,
Thank You :)
Kind regards,
Thom
--
Anyone can make mistakes, but only an idiot persists in his error. -- Cicero
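The posted ipsec.conf still carries the manual-keying test keys from the sample file in conn %default, and Frank's concern was keys fetched via %dns. As an added example (not FreeS/WAN tooling; the ipsec_conf_* function names are mine, and it deliberately ignores include= and also= handling), here is a plain-sh lint that flattens a FreeS/WAN-style ipsec.conf and flags those settings plus a road-warrior conn that tries to initiate; it does not attempt to diagnose the whack "%any" error quoted above.

```shell
#!/bin/sh
# Added example, not FreeS/WAN's own tooling: a small lint for a FreeS/WAN
# style ipsec.conf that flags the things raised in this thread:
#   - espenckey/espauthkey (manual-keying test material) left in the file
#   - leftrsasigkey/rightrsasigkey=%dns instead of a pasted public key
#   - a road-warrior conn (right=%any) that tries to initiate (auto=start)
# Exit status 0 means no findings. Usage: ipsec_conf_lint /etc/ipsec.conf

# Flatten the file to one "section key value" triple per line. Section names
# are "conn:NAME" or "config:NAME"; parameters seen before any section get "-".
ipsec_conf_flatten() {
    file=$1
    section=-
    set -f                                   # no globbing while word-splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                     # drop comments
        set -- $line                         # split on whitespace
        [ $# -eq 0 ] && continue             # blank or comment-only line
        case $1 in
            conn)   section="conn:$2";   continue ;;
            config) section="config:$2"; continue ;;
        esac
        echo "$section ${1%%=*} ${1#*=}"
    done < "$file"
    set +f
}

# Per-parameter checks, reading the flattened triples on stdin.
ipsec_conf_line_checks() {
    rc=0
    while read -r section key value; do
        case $key in
            espenckey|espauthkey)
                echo "WARN $section: $key present (manual-keying test material; the sample file says DON'T USE OPERATIONALLY)"
                rc=1 ;;
            leftrsasigkey|rightrsasigkey)
                case $value in
                    %dns)
                        echo "WARN $section: $key=%dns (key looked up in DNS at run time; exchange keys out of band and paste them here)"
                        rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}

# Cross-parameter check: a conn with right=%any has no peer address to
# initiate to, so auto=start is a misconfiguration; the responder wants auto=add.
ipsec_conf_roadwarrior_checks() {
    flat=$1
    rc=0
    for sec in $(printf '%s\n' "$flat" | while read -r s k v; do
                    case "$k $v" in "right %any") echo "$s" ;; esac; done); do
        if printf '%s\n' "$flat" | grep -Fqx "$sec auto start"; then
            echo "WARN $sec: right=%any with auto=start (no fixed peer address to initiate to; use auto=add)"
            rc=1
        fi
    done
    return $rc
}

ipsec_conf_lint() {
    flat=$(ipsec_conf_flatten "$1")
    rc=0
    printf '%s\n' "$flat" | ipsec_conf_line_checks || rc=1
    ipsec_conf_roadwarrior_checks "$flat" || rc=1
    return $rc
}
```

Run against the config above it reports the two manual keys in conn %default; the conn ttthom with pasted rsasigkeys and auto=add passes. Keeping the check in the ipsec start script keeps leftover sample material from reaching a production gateway.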
* Thorsten Marquardt wrote on Mon, Apr 23, 2001 at 13:48 +0000:
ipsec_setup: whack error: ""tt-thom" illegal (non-DNS-name) character in "%any"
try "0.0.0.0" as value/placeholder for roadwarriors. Try it first with shared secrets (more simple config file). Make *sure* routing is ok. Double-check firewalling. Trace with tcpdump on eth0 _and_ ipsec0 and understand(!) what you see. Refer to the online docs for examples. Your first tries should be done with static IPs.
oki,
Steffen
--
This message was generated by machine, so it bears neither signature nor seal.
Are there further ipsec solutions?
Yes, FW-1 for example, but that costs "Real money" as they say.
Do you have any hints concerning the firewall-setup? /etc/rc.d/ipsec reports:
ipsec_setup: WARNING: ipsec0 has route filtering turned on, KLIPS may not work
the same for eth0
Your firewalling may be breaking something (default deny?). You may have some weird kernel option set via proc that is breaking it, etc. Ahh, as far as using a firewall script, you'll probably need to create your own since this is way more complex than what most firewall scripts can handle.
-Kurt
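Since Kurt's advice is to write the rules by hand, the following added example (not from the thread, SuSEfirewall or FreeS/WAN; the function name, interface names and addresses are constructed) generates the ipchains rules a 2.2 KLIPS gateway needs and prints them for review instead of applying them. It assumes ipsec0 rides on the external interface, a default DENY policy on all chains, and ESP only (no AH), matching the esp=3des-md5-96 setup in the thread.

```shell
#!/bin/sh
# Added example, not from the thread, SuSEfirewall or FreeS/WAN: emit the
# ipchains rules for a FreeS/WAN (KLIPS) gateway on a 2.2 kernel. Printed,
# not applied, so they can be read first; pipe into sh to apply.
#
# Usage: ipsec_ipchains_rules EXT_IF INT_IF MY_IP PEER LOCAL_NET REMOTE_NET
#   PEER may be 0.0.0.0/0 for road warriors (any address may start IKE; the
#   peer is then authenticated by Pluto, not by the firewall). REMOTE_NET is
#   the subnet behind the peer (rightsubnet); use 0.0.0.0/0 when there is none.
ipsec_ipchains_rules() {
    if [ $# -ne 6 ]; then
        echo "usage: ipsec_ipchains_rules EXT_IF INT_IF MY_IP PEER LOCAL_NET REMOTE_NET" >&2
        return 2
    fi
    ext=$1 int=$2 me=$3 peer=$4 lnet=$5 rnet=$6

    # Anti-spoofing first: with rp_filter off on ipsec0, nothing else stops
    # cleartext packets on the external interface claiming to come from the
    # remote net; genuine ones only ever appear decrypted on ipsec0. Skipped
    # when the remote "net" is the peer address itself or unknown (road warrior),
    # because the rule would then block the ESP packets too.
    case $rnet in
        0.0.0.0/0|"$peer") ;;
        *) echo "ipchains -I input 1 -i $ext -s $rnet -j DENY -l" ;;
    esac

    # IKE (UDP 500) and ESP (IP protocol 50) between the two gateways.
    echo "ipchains -A input -i $ext -p udp -s $peer 500 -d $me 500 -j ACCEPT"
    echo "ipchains -A output -i $ext -p udp -s $me 500 -d $peer 500 -j ACCEPT"
    echo "ipchains -A input -i $ext -p 50 -s $peer -d $me -j ACCEPT"
    echo "ipchains -A output -i $ext -p 50 -s $me -d $peer -j ACCEPT"

    # Cleartext side: KLIPS hands decrypted packets to the stack on ipsec0 and
    # takes outbound ones from it, so the plaintext subnets are matched there.
    echo "ipchains -A input -i ipsec0 -s $rnet -d $lnet -j ACCEPT"
    echo "ipchains -A output -i ipsec0 -s $lnet -d $rnet -j ACCEPT"

    # Forwarding between the inside interface and the tunnel. In ipchains the
    # forward chain's -i is the interface the packet will leave on.
    echo "ipchains -A forward -i ipsec0 -s $lnet -d $rnet -j ACCEPT"
    echo "ipchains -A forward -i $int -s $rnet -d $lnet -j ACCEPT"
}

# Example with constructed addresses; review the output, then append "| sh".
# Afterwards, as Steffen suggests, tcpdump on eth0 should show only UDP 500
# and ESP to/from the peer, while ipsec0 shows the cleartext subnets.
#   ipsec_ipchains_rules eth0 eth1 192.0.2.1 198.51.100.7 192.0.2.0/24 172.16.0.0/24
```

The rule set is intentionally narrow: it opens nothing on the external interface except IKE and ESP for the configured peer, and all subnet-to-subnet policy lives on ipsec0 and the inside interface, where the addresses have already been authenticated by the tunnel.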
participants (5): Frank Stuehmer, Kurt Seifried, Steffen Dettmer, Thorsten Marquardt, Thorsten Marquardt