Thomas: I tested several configurations within ipsec.conf: (basically I do the same as on GW1)
interfaces=%defaultroute
interfaces="ipsec0=ppp0"
interfaces="ipsec0=eth0 ipsec1=%defaultroute"
interfaces="ipsec0=eth0 ipsec1=ppp0"
And the only thing I see is (dropped packets):
ipsec1    Link encap:IPIP Tunnel  HWaddr
          inet addr:217.235.200.173  Mask:255.255.255.255
          UP RUNNING NOARP  MTU:1412  Metric:1
          RX packets:34 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32 errors:0 dropped:32 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:2395 (2.3 Kb)  TX bytes:3440 (3.3 Kb)
I also tested with a wide open firewall without success.... :( Here is my basic configuration:
# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces="ipsec0=eth0 ipsec1=ppp0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes
        overridemtu=1412
conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
conn MUCWIL
        left=tsfwwillich.dyndns.org
        leftsubnet=192.168.100.0/24
        leftrsasigkey=%cert
        leftcert=gw.wil.cert.pem
        leftid="/C=DE/ST=GER/O=Teleconnect und Service GmbH/OU=TSD/CN=GATEWAY VPN WILLICH/Email=info@teleconnect-service.de"
        # Right security gateway, subnet behind it, next hop toward left.
        right=tsfwmuenchen.dyndns.org
        rightsubnet=192.168.101.0/24
        rightnexthop=217.5.98.100
        rightcert=gw.muc.cert.pem
        rightid="/C=DE/ST=GER/O=Teleconnect und Service GmbH/OU=TSD/CN=GATEWAY VPN WILLICH/Email=info@teleconnect-service.de"
        rightrsasigkey=%cert
        auto=start
Ray: How can I verify that forwarding is enabled?
Also, make sure forwarding is turned on for that interface.
On Wed, 2003-04-23 at 13:02, Thomas Kerkau wrote:
Hi Peter,
|NET2 pings NET1: GW2(eth0) logs an icmp request ?
on eth0: 9 7.631138 192.168.101.239 192.168.100.205 ICMP Echo (ping) request
the packet is entering GW2.
192.168.101.0/24 is net2 internal, 192.168.100.0/24 is net1 internal
on ipsec0: 3 1.694921 217.235.199.35 192.168.100.205 ICMP Echo (ping) request
the packet is leaving ipsec0
on eth1: nothing--
on ppp0 nothing--
but not forwarded to ppp0/eth1. Just checked this on a 7.3, you will see ESP packets on both. Hopefully this was not changed. Is ipsec0 bound to eth1/ppp0 (interfaces directive in ipsec.conf)?
Yes, I forgot to paste it in the reply. :) But basically ipsec0 looks different on both machines:
GW2:|> 10:21:04.305584 192.168.101.239 > 192.168.100.1: icmp: echo
GW1:|> 08:51:05.057368 unknown ip 0
Are you sure that these entries are correlated? Do you see ESP packets on the external interface of GW1?
My feeling at this point is that GW2 doesn't send any packet to GW1. Check if "ipsec eroute" and "ipsec auto --status" show the correct connections, and check "route".
Greetings, Thomas
-- www.ArcStyler.com - the Architectural IDE for MDA:J2EE/.NET/EAI -> CyberOne Award -> Winner Crossroads A-List Award USA -> IBM Solution Excellence Award winner for Hot Java Solution -> European Information Society Technologies Prize Winner -> Made with ArcStyler: http://www.io-software.com/customers -> OMG Press, John Wiley 2002 www.ConvergentArchitecture.com
----- < iO > --------------------------------------------------------- Interactive Objects Software GmbH mailto:Thomas.Kerkau@io-software.com http://www.io-software.com Basler Strasse 65, D-79100 Freiburg, Germany Tel: [+49]-761-40073-0, Fax: [+49]-761-40073-73
Hi Peter,
see comments below....
telest@gmx.net wrote:
Thomas: I tested several configurations within ipsec.conf: (basically I do the same as on GW1)
interfaces=%defaultroute
interfaces="ipsec0=ppp0"
I think only these first two will work, and they should be equal (if ppp0 is the default interface).
interfaces="ipsec0=eth0 ipsec1=%defaultroute"
interfaces="ipsec0=eth0 ipsec1=ppp0"
# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces="ipsec0=eth0 ipsec1=ppp0"
interfaces = %defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes
        overridemtu=1412
conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
conn MUCWIL
        left=tsfwwillich.dyndns.org
Older versions had problems resolving names, as far as I remember.
        leftsubnet=192.168.100.0/24
        leftrsasigkey=%cert
        leftcert=gw.wil.cert.pem
        leftid="/C=DE/ST=GER/O=Teleconnect und Service GmbH/OU=TSD/CN=GATEWAY VPN WILLICH/Email=info@teleconnect-service.de"
If you use leftcert, don't use leftid and leftrsasigkey; these two are complementary... Don't you get error messages in /var/log/messages on "ipsec setup start"?
        # Right security gateway, subnet behind it, next hop toward left.
        right=tsfwmuenchen.dyndns.org
        rightsubnet=192.168.101.0/24
        rightnexthop=217.5.98.100
        rightcert=gw.muc.cert.pem
        rightid="/C=DE/ST=GER/O=Teleconnect und Service GmbH/OU=TSD/CN=GATEWAY VPN WILLICH/Email=info@teleconnect-service.de"
        rightrsasigkey=%cert
        auto=start
After all I'm a little confused here. I thought your setup was:
NET1              GW1      GW2      NET2
192.168.100.0/24  fixIP    DynIP    192.168.101.0/24
for GW1 we have:
interfaces=%defaultroute   or   interfaces="ipsec0=ethX"
conn MUCWIL
        left=fixIP-GW1
        leftcert=GW1.pem
        leftnexthop=IP-FOR-DEFAULTROUTE-GW1
        leftsubnet=192.168.100.0/24
        rightcert=GW2.pem
        right=%any
        rightnexthop=
        rightsubnet=192.168.101.0/24
        auto=start
and for GW2:
interfaces=%defaultroute
conn MUCWIL
        left=fixIP-GW1
        leftcert=GW1.pem
        leftnexthop=IP-FOR-DEFAULTROUTE-GW1
        leftsubnet=192.168.100.0/24
        rightcert=GW2.pem
        right=%defaultroute
        rightnexthop=
        rightsubnet=192.168.101.0/24
        auto=start
Take this and try "ipsec setup restart", and look in /var/log/messages for Pluto messages while ipsec reads the configuration (tail -f /var/log/messages | grep Pluto).
Ray:
How can I verify that forwarding is enabled?
cat /proc/sys/net/ipv4/ip_forward should give 1 or 0 (1 means on). The switch is set in the network setup of yast2 or by echo "1" > /proc/sys/net/ipv4/ip_forward
Greetings, Thomas
Also, make sure forwarding is turned on for that interface.
On Wed, 2003-04-23 at 13:02, Thomas Kerkau wrote:
Hi Peter,
|NET2 pings NET1: GW2(eth0) logs an icmp request ?
on eth0: 9 7.631138 192.168.101.239 192.168.100.205 ICMP Echo (ping) request
the packet is entering GW2.
192.168.101.0/24 is net2 internal, 192.168.100.0/24 is net1 internal
on ipsec0: 3 1.694921 217.235.199.35 192.168.100.205 ICMP Echo (ping) request
the packet is leaving ipsec0
on eth1: nothing--
on ppp0 nothing--
but not forwarded to ppp0/eth1. Just checked this on a 7.3, you will see ESP packets on both. Hopefully this was not changed. Is ipsec0 bound to eth1/ppp0 (interfaces directive in ipsec.conf)?
Yes, I forgot to paste it in the reply. :) But basically ipsec0 looks different on both machines:
GW2:|> 10:21:04.305584 192.168.101.239 > 192.168.100.1: icmp: echo
GW1:|> 08:51:05.057368 unknown ip 0
Are you sure that these entries are correlated? Do you see ESP packets on the external interface of GW1?
My feeling at this point is that GW2 doesn't send any packet to GW1. Check if "ipsec eroute" and "ipsec auto --status" show the correct connections, and check "route".
Greetings, Thomas
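The thread's diagnosis boils down to three checks a gateway admin should run before looking at packet captures: ip_forward, the interfaces directive binding each ipsecN to an interface that really exists, and left/right identities that actually differ. The script below is an added example (not code from the thread or from FreeS/WAN) that parses a FreeS/WAN-style ipsec.conf offline and reports those problems; the sample config is a constructed, abbreviated copy of the GW2 config posted above, and the interface list and ip_forward value are passed in as parameters so it runs without a real host.

```python
"""Offline sanity check for a FreeS/WAN-style ipsec.conf (added example)."""

# Constructed sample: abbreviated from the GW2 config in the thread. Note that
# leftid and rightid carry the same DN even though rightcert is the Munich cert.
SAMPLE_CONF = """\
config setup
        interfaces="ipsec0=eth0 ipsec1=ppp0"
        klipsdebug=none
conn %default
        authby=rsasig
conn MUCWIL
        left=tsfwwillich.dyndns.org
        leftcert=gw.wil.cert.pem
        leftid="/C=DE/ST=GER/O=Teleconnect und Service GmbH/CN=GATEWAY VPN WILLICH"
        right=tsfwmuenchen.dyndns.org
        rightcert=gw.muc.cert.pem
        rightid="/C=DE/ST=GER/O=Teleconnect und Service GmbH/CN=GATEWAY VPN WILLICH"
        auto=start
"""


def parse_ipsec_conf(text):
    """Return {section: {key: value}}. Section headers ('config setup', 'conn NAME')
    start in column 0; parameters are indented key=value lines; '#' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():                      # section header
            current = raw.strip()
            sections[current] = {}
        elif current is not None:                     # parameter line
            key, _, value = raw.strip().partition("=")  # first '=' only: DNs contain '='
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def check(sections, present_ifaces, ip_forward):
    """Return warnings for the three problems discussed in the thread."""
    warnings = []
    if ip_forward != 1:
        warnings.append("ip_forward=%s: the gateway will not forward LAN traffic into ipsecN" % ip_forward)
    ifaces = sections.get("config setup", {}).get("interfaces", "")
    if ifaces != "%defaultroute":                     # explicit ipsecN=phys bindings
        for binding in ifaces.split():
            virt, _, phys = binding.partition("=")
            if phys != "%defaultroute" and phys not in present_ifaces:
                warnings.append("%s is bound to %s, which is not present on this host" % (virt, phys))
    for name, conn in sections.items():
        if name.startswith("conn ") and name != "conn %default":
            if conn.get("leftid") and conn.get("leftid") == conn.get("rightid"):
                warnings.append("%s: leftid equals rightid; the two peers cannot be told apart" % name)
    return warnings
```

Run it against the real file with `check(parse_ipsec_conf(open("/etc/ipsec.conf").read()), set_of_interfaces_from_ifconfig, int(open("/proc/sys/net/ipv4/ip_forward").read()))`.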