Hi Thomas, thanks for your help, you can get a beer from me (if you like).
The problem was the NAT.
I tested your recommendations below and it gives the same result as before. But during my research I looked at the NAT table (I assume I was blind). The system does also NAT for the VPN connection. After switching this off it works fine (without NAT and your configuration suggestions below).
SO AGAIN, thanks to you and Ray, have a nice evening,
Peter
|-----Original Message-----
|From: Thomas Kerkau [mailto:Thomas.Kerkau@io-software.com]
|Sent: Wednesday, 23 April 2003 14:44
|To: telest@gmx.net
|Cc: suse-security@suse.com
|Subject: Re: [suse-security] IP Tunnel in only one direction possible
|
|
|Hi Peter,
|
|see comments below....
|
|telest@gmx.net wrote:
|>
|> Thomas:
|> I tested several configurations within ipsec.conf: (basically I do the same
|> as on GW1)
|>
|> interfaces=%defaultroute
|> interfaces="ipsec0=ppp0"
|
|I think only the first two will work and should be equal (if ppp0 is the
|default interface).
|
|> interfaces="ipsec0=eth0 ipsec1=%defaultroute"
|> interfaces="ipsec0=eth0 ipsec1=ppp0"
|>
|> # basic configuration
|>
|> config setup
|> # THIS SETTING MUST BE CORRECT or almost nothing will work;
|> # %defaultroute is okay for most simple cases.
|> interfaces="ipsec0=eth0 ipsec1=ppp0"
|
|interfaces=%defaultroute
|
|> klipsdebug=none
|> plutodebug=none
|> plutoload=%search
|> plutostart=%search
|> uniqueids=yes
|> overridemtu=1412
|>
|> conn %default
|> keyingtries=0
|> disablearrivalcheck=no
|> authby=rsasig
|>
|> conn MUCWIL
|> left=tsfwwillich.dyndns.org
|
|older versions had problems resolving names....as far as I remember
|
|> leftsubnet=192.168.100.0/24
|
|> leftrsasigkey=%cert
|> leftcert=gw.wil.cert.pem
|> leftid="/C=DE/ST=GER/O=Teleconnect und Service
|> GmbH/OU=TSD/CN=GATEWAY VPN WILLICH/Email=info@teleconnect-service.de"
|
|If you use leftcert don't use leftid and leftrsasigkey, these two are
|complementary...don't you get error messages in /var/log/messages on "ipsec
|setup start"?
|
|>
|> # Right security gateway, subnet behind it, next hop toward left.
|> right=tsfwmuenchen.dyndns.org
|> rightsubnet=192.168.101.0/24
|> rightnexthop=217.5.98.100
|> rightcert=gw.muc.cert.pem
|> rightid="/C=DE/ST=GER/O=Teleconnect und Service
|> GmbH/OU=TSD/CN=GATEWAY VPN WILLICH/Email=info@teleconnect-service.de"
|> rightrsasigkey=%cert
|> auto=start
|
|After all I'm a little confused here.
|I thought your setup was:
|
|NET1              GW1      GW2      NET2
|
|192.168.100.0/24  fixIP    DynIP    192.168.101.0/24
|
|for GW1 we have:
|
| interfaces=%defaultroute
| or
| interfaces="ipsec0=ethX"
|
|conn MUCWIL
| left=fixIP-GW1
| leftcert=GW1.pem
| leftnexthop=IP-FOR-DEFAULTROUTE-GW1
| leftsubnet=192.168.100.0/24
| rightcert=GW2.pem
| right=%any
| rightnexthop=
| rightsubnet=192.168.101.0/24
| auto=start
|
|
|and for GW2:
|
| interfaces=%defaultroute
|
|conn MUCWIL
|
| left=fixIP-GW1
| leftcert=GW1.pem
| leftnexthop=IP-FOR-DEFAULTROUTE-GW1
| leftsubnet=192.168.100.0/24
| rightcert=GW2.pem
| right=%defaultroute
| rightnexthop=
| rightsubnet=192.168.101.0/24
| auto=start
|
|take this and try "ipsec setup restart" and look in /var/log/messages
|for Pluto messages while ipsec reads the configuration (tail -f
|/var/log/messages | grep Pluto).
|
|>
|> Ray:
|
|> How can I verify that forwarding is enabled?
|
|cat /proc/sys/net/ipv4/ip_forward
|should give 1 or 0 (1 means on). The switch is set in the network setup
|at yast2 or by echo "1" > /proc/sys/net/ipv4/ip_forward
|
|
|Greetings, Thomas
|
|
|>
|> Also, make sure forwarding is turned on for that interface.
|>
|> On Wed, 2003-04-23 at 13:02, Thomas Kerkau wrote:
|> > Hi Peter,
|> >
|> >
|> > > NET2 pings NET1: GW2(eth0) logs an icmp request ?
|> > > on eth0:
|> > > 9 7.631138 192.168.101.239 192.168.100.205 ICMP Echo
|> > > (ping) request
|> >
|> > the packet is entering GW2.
|> >
|> > >
|> > > 192.168.101.0/24 is net2 internal
|> > > 192.168.100.0/24 is net1 internal
|> > >
|> > > on ipsec0:
|> > > 3 1.694921 217.235.199.35 192.168.100.205 ICMP
|> > > Echo (ping) request
|> >
|> > the packet is leaving ipsec0
|> >
|> > >
|> > > on eth1:
|> > > nothing--
|> > >
|> > > on ppp0
|> > > nothing--
|> >
|> > but not forwarded to ppp0/eth1. Just checked this on a 7.3, you will see
|> > ESP-packets on both. hopefully this was not changed. Is ipsec0 bound to
|> > eth1/ppp0 (interfaces directive in ipsec.conf)?
|> >
|> > > Yes I forgot to paste in the reply. :)
|> > > but basically ipsec0 looks different on both machines
|> > >
|> > > GW2: 10:21:04.305584 192.168.101.239 > 192.168.100.1: icmp: echo
|> > > GW1: 08:51:05.057368 unknown ip 0
|> >
|> > Are you sure that these entries are correlated? Do you see ESP-packets
|> > on the external interface of GW1?
|> >
|> > My feeling at this point is that GW2 doesn't send any packet to GW1.
|> > Check if "ipsec eroute" and "ipsec auto --status" shows the correct
|> > connections, and check "route".
|> >
|> > Greetings, Thomas
|
|--
|www.ArcStyler.com - the Architectural IDE for MDA:J2EE/.NET/EAI
| -> CyberOne Award
| -> Winner Crossroads A-List Award USA
| -> IBM Solution Excellence Award winner for Hot Java Solution
| -> European Information Society Technologies Prize Winner
| -> Made with ArcStyler: http://www.io-software.com/customers
| -> OMG Press, John Wiley 2002 www.ConvergentArchitecture.com
|
|----- < iO > ---------------------------------------------------------
|Interactive Objects Software GmbH
|mailto:Thomas.Kerkau@io-software.com
|http://www.io-software.com
|Basler Strasse 65, D-79100 Freiburg, Germany
|Tel: [+49]-761-40073-0, Fax: [+49]-761-40073-73
|----------------------------------------------------------------------
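Peter's root cause, a gateway that also applied NAT to the traffic meant for the tunnel, is something worth checking mechanically rather than by staring at the NAT table. The following is an added example, not code from this thread or from FreeS/WAN: it takes constructed `iptables -t nat -S POSTROUTING` output (that the NAT was iptables-based is an assumption; the thread only says "NAT table") and reports whether a packet between the two tunnel subnets from the thread would be masqueraded, contrasting the broken ruleset with one that exempts the subnet pair ahead of the MASQUERADE rule.

```python
import ipaddress

# Constructed `iptables -t nat -S POSTROUTING` output (assuming iptables-based
# NAT; the thread does not say). Broken: all of NET1 masqueraded, tunnel included.
NAT_BROKEN = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.100.0/24 -j MASQUERADE
"""
# Fixed: the tunnel subnet pair is exempted ahead of the MASQUERADE rule.
NAT_FIXED = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.100.0/24 -d 192.168.101.0/24 -j ACCEPT
-A POSTROUTING -s 192.168.100.0/24 -j MASQUERADE
"""
TERMINATING = ("ACCEPT", "MASQUERADE", "SNAT", "DROP", "RETURN")

def parse_postrouting(text):
    """-s / -d / -j of each `-A POSTROUTING` line; other matches are ignored."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] != ["-A", "POSTROUTING"]:
            continue
        rule = {"src": None, "dst": None, "target": None}
        for flag, val in zip(tok[2::2], tok[3::2]):
            if flag in ("-s", "-d"):
                rule["src" if flag == "-s" else "dst"] = ipaddress.ip_network(val, strict=False)
            elif flag == "-j":
                rule["target"] = val
        rules.append(rule)
    return rules

def postrouting_verdict(text, src_ip, dst_ip):
    """First terminating target a src_ip -> dst_ip packet hits; None = no NAT."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in parse_postrouting(text):
        if r["src"] is not None and src not in r["src"]:
            continue
        if r["dst"] is not None and dst not in r["dst"]:
            continue
        if r["target"] in TERMINATING:
            return r["target"]
    return None

def tunnel_is_natted(text, left_subnet, right_subnet):
    """True if leftsubnet -> rightsubnet traffic would be source-NATed (the
    condition that broke Peter's tunnel); probes with the first host of each."""
    left, right = ipaddress.ip_network(left_subnet), ipaddress.ip_network(right_subnet)
    return postrouting_verdict(text, left[1], right[1]) in ("MASQUERADE", "SNAT")
```

Run `tunnel_is_natted(NAT_BROKEN, "192.168.100.0/24", "192.168.101.0/24")` against the broken ruleset and it reports True, against the fixed one False; ordinary Internet-bound traffic from NET1 is still masqueraded in both.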