Mailinglist Archive: opensuse-security (409 mails)

Re: [suse-security] Need help with IPSEC
  • From: Steffen Dettmer <steffen@xxxxxxx>
  • Date: Mon, 12 Aug 2002 10:36:59 +0200
  • Message-id: <20020812103659.D3105@xxxxxxxxx>
* Wolfgang Schulz (Home) wrote on Sun, Aug 11, 2002 at 22:54 +0200:
> > From: Steffen Dettmer [mailto:steffen@xxxxxxx]
> > [at this indent level]
> > > * Wolfgang Schulz:
> > > I'm using SuSE 7.0 (with FreeS/WAN 1.4) on a firewall gateway
> > > and SafeNet/Softremote for a WIN2000 machine and want to
> > > configure a road warrior VPN. The road warrior should connect
> > > to a masqueraded net (10.96.1.64/26) behind the firewall. The
> > > problem which makes me crazy is the following: I can establish
> > > an SA - there is a tunnel between the WIN2000 machine and the
> > > firewall. I can ping from the road warrior PC to the internal
> > > address of the firewall (10.96.1.102) but I can't ping or make
> > > a connection to any other machine in that subnet.
> >
> I can only ping the internal interface of the firewall (10.96.1.102) but no
> other address of this subnet. But also with 10.96.1.102 there is something
> not correct because I can't establish a tcp connection e.g. to port 22
> (where sshd is listening).

Strange, what does tcpdump tell you?

> It is my intention to configure the other VPN connection on the same box but
> it is not done at the moment. I only wanted to emphasize with this statement
> that the firewall rules should be ok.

For testing, it's just more simple to turn it off, just to avoid
self-foot-shootings :)

> With established connection I get (I hope I have the first line correctly in
> my mind because I can't currently establish a connection because I'm at
> home):
> fw:~ # netstat -rn
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags MSS Window irtt Iface
> xxx.xxx.xxx.xxx 213.30.70.233   255.255.255.0   U     0   0      0    ipsec0

xxx is the road warrior IP? Looks good - but the mask is wrong,
isn't it?

Does a ping -I 10.96.1.myip 10.96.1.12 work too? tcpdump ok?

> I searched in a lot of archives today and found a lot of
> questions where the problems sound similar to me,

At least I think there are many problems that sound similar :)

> As I stated in my first email: If I start a ping from an internal machine
> (e.g. 10.96.1.116) I see with tcpdump at the ipsec0 interface that there is
> an ICMP packet sent out and there is also an answer arriving. But this
> answer is not forwarded to the internal interface (eth0).

The internal PING should be forwarded back to internal?! If you
ping from internal to the road warrior, you see it on eth0
(intern), ipsec0 and on eth1 (external, but as proto 50 packet
here)? But no response or what?

> I really don't know anymore what to do!

use tcpdump a little :)

oki,

Steffen

--
This message was generated by machine,
so it bears neither signature nor seal.
