Re: [suse-security] IPSEC - SuSE 9.1 - Shorewall 2.x
Hey Philipp
From: philipp.rusch@rusch-edv.de To: suse-security@suse.com
Hi all,
I use the same setup in production with SuSE 8.1 / 8.2 and 9.0: IPsec VPN with FreeS/WAN and Shorewall as firewall. The ipsec.conf is modified for this new setup; the main difference is the 2.6.x kernel.
What happens:
- I don't see an interface "ipsec0" or similar anymore when I start up IPsec.
Native IPsec doesn't have a virtual interface anymore, you only get this with KLIPS.
- I get errors in the firewall logs about connection attempts from my road-warriors on port 4500 (???). What's this?
UDP port 4500 is the ESP protocol, I guess that's why your road-warriors are acting strange, too.
Best Regards
Thomas
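The port 4500 entries Philipp sees are the UDP-encapsulated IKE/ESP packets that NAT-Traversal produces, and a 2.6 native-IPsec gateway also needs UDP 500 (IKE) and IP protocol 50 (ESP) to reach it. The following script is an added example, not code from the thread: it parses iptables/Shorewall-style LOG lines (constructed samples below) and counts which IPsec components the firewall is dropping, so a rule gap like this one can be confirmed from the logs before touching the policy.

```python
import re
from collections import Counter

# Constructed Shorewall/iptables LOG lines for illustration; not from the thread.
SAMPLE_LOG = """\
Jun 12 10:01:02 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=72 PROTO=UDP SPT=4500 DPT=4500 LEN=52
Jun 12 10:01:03 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=196 PROTO=UDP SPT=500 DPT=500 LEN=176
Jun 12 10:01:05 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=120 PROTO=ESP SPI=0x1a2b3c4d
Jun 12 10:01:06 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=40123 DPT=22 WINDOW=5840
"""

# iptables LOG output is a run of KEY=VALUE pairs; OUT= may be empty.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields of one LOG line as a dict."""
    return dict(FIELD_RE.findall(line))


def classify(fields):
    """Name the IPsec component a packet belongs to, or None if unrelated.

    The kernel logs ESP/AH by name (PROTO=ESP, PROTO=AH); the numeric
    forms 50/51 are accepted too in case a log source prints them that way.
    """
    proto = fields.get("PROTO")
    dport = fields.get("DPT")
    if proto in ("ESP", "50"):
        return "esp"
    if proto in ("AH", "51"):
        return "ah"
    if proto == "UDP" and dport == "500":
        return "ike"
    if proto == "UDP" and dport == "4500":
        return "ike-nat-t"  # IKE and UDP-encapsulated ESP when NAT-T is in use
    return None


def summarize(log_text):
    """Count dropped/rejected IPsec packets per (component, source address)."""
    counts = Counter()
    for line in log_text.splitlines():
        if "DROP" not in line and "REJECT" not in line:
            continue
        fields = parse_line(line)
        kind = classify(fields)
        if kind is not None:
            counts[(kind, fields.get("SRC"))] += 1
    return counts


if __name__ == "__main__":
    for (kind, src), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{kind:10s} from {src}: {n} dropped")
```

A road-warrior showing up under both "ike" and "ike-nat-t" is behind NAT and needs UDP 500 and 4500 opened; one showing up under "esp" needs IP protocol 50 allowed in addition to IKE.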
Hi Thomas,
first, thanks for your fast reply :-)
next, I get errors when booting about interface "sit0". Has this something to do with the new ipsec / FreeS/WAN 2.04 versions? With SuSE 9.0 this was no problem at all, what's wrong here? I mean, what IS different?
Regards, Philipp
I got one step nearer to my goal: the ISAKMP SA is established, so the key exchange seems to work and encryption is not the reason. But pluto complains that it cannot find a connection for that SA, although everything else is *exactly* like on 9.0 before. I defined my road-warriors like this:

    # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
    version 2.0 # conforms to second version of ipsec.conf specification

    # basic configuration
    config setup
        interfaces=%defaultroute
        klipsdebug=all
        plutodebug=all
        nat_traversal=yes

    # default settings for connections
    conn %default
        leftrsasigkey=%cert
        rightrsasigkey=%cert

    # OE policy groups are disabled by default
    conn block
        auto=ignore
    conn clear
        auto=ignore
    conn private
        auto=ignore
    conn private-or-clear
        auto=ignore
    conn clear-or-private
        auto=ignore
    conn packetdefault
        auto=ignore

    # VPN connection Roadwarrior 1
    conn Road1
        left=%defaultroute
        leftcert=/etc/ipsec.d/gateway-cert.der
        leftsubnet=192.168.2.0/24
        leftnexthop=217.19.x.y
        right=%any
        rightcert=/etc/ipsec.d/certs/username@domain.de-cert.der
        auto=add
        pfs=yes

I also added rightid=.... to my conf, but nothing changed! Any hint appreciated,
Philipp