IF you are not stuck to IPSec, you might want to take a look at OpenVPN (www.openvpn.org). I found OpenVPN easier to install than FreeSWAN (an IPSEC VPN) and have setup an OpenVPN solution between my German office and our mainoffice in a matter of hours. Thom van der Boon E-Mail: Thom.van.der.Boon at vdb.nl ==== Thom.H. van der Boon b.v. Havens 563 Jan Evertsenweg 2-4 NL-3115 JA Schiedam Tel.: +31 (0)10 4272727 Fax: +31 (0)10 4736620 E-Mail: info at vdb.nl Home Page: http://www.vdb.nl/>>> simone72 at email.it 23.05.2005 18:18:56 >>>Hi list, I am trying to create a VPN between two different locations. On the first location we have a cisco pix 525 Natting the internal 192.168.100.x network, while on the second location we have a Centos3 box Natting via iptables the internal 192.168.10.x netowrk. My goal is to connect this 2 over the internet via IPsec. I created the IPsec Net2Net via the network configuration graphic tool, and I configured the cisco following the howto http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html . From my understanding, I should have an ipsec0 network device showing up, so that I could route all traffic from 192.168.10.x directed to 192.168.100.x through it. The thing is that when I try to ifup ipsec0 I get the following errors: modprobe: modprobe: Can't locate module ripemd160 modprobe: modprobe: Can't locate module cast128 modprobe: modprobe: Can't locate module lzs modprobe: modprobe: Can't locate module lzjh So, after googling and reading a lot with no success, I would like to ask for advice on this, and successfull story :). I really need to have this VPN running, and I am not tied to this one solution only, linux-to-linux VPN, openVPN or anything else you could suggest would be great. Thanks in advice Simone _______________________________________________ CentOS mailing list CentOS at centos.org http://lists.centos.org/mailman/listinfo/centos -------------- next part -------------- A non-text attachment was scrubbed... Name: Thom van der Boon.vcf Type: text/x-vcard Size: 147 bytes Desc: not available URL: <http://lists.centos.org/pipermail/centos/attachments/20050523/972fcf33/attachment-0004.vcf>
Thom van der Boon wrote:>IF you are not stuck to IPSec, you might want to take a look at OpenVPN (www.openvpn.org). I found OpenVPN easier to install than FreeSWAN (an IPSEC VPN) and have setup an OpenVPN solution between my German office and our mainoffice in a matter of hours. > > >I have to second (resoundingly) Thom on this one. FreeSWAN is perhaps the most painful tool I have ever dealt with on a linux system, and I would avoid it if you could. OpenVPN is much more user friendly, though ultimately my company ended up using hardware appliances here (turned out to be cheaper than paying the sysadmin regularly to keep things up). J
Hi there, yes it was with a Nortel contivity on a few occassions and
the other times with a Cisco pix. interstingly enough the Cisco VPNs
often required updates to the IOS to make them 3Des compliant,
As its late here in the UK (past midnight GMT+1) here is a very quick
and dirty freeswan guide.
Needless to say the things that cause the biggest headache for most
users is the use of RSA keys and opportunistic encryption. Since this
is NOT what 99.9% of the masses need or want then there is a quick and
simple and just as secure alternative setup, but its not that well
documented. Opportunistic encryption came in versions 2 and above of
freeswan by default, this has the effect of clobbering the network
default route and replacing it down the ipsec interface (what you want
if you want to encrypt everything, but not really any great use in the
real world). Most people want to do site <-> site vpns and these are
best achieved without opportunistic encryption and by the use of
preshared keys.
1)Make sure you get a version of freeswan suitable for your kernel, if
you can't find one go to somewhere like rpms.pbone.net and find a kernel
for which there is a freeswan version. Many people try and hunt a
freeswan version to match their kernel, I do it the otherway round,
find the latest freeswan compatible kernel you can for your
architecture, you can always compile it from source but why my life
harder for yourself.
2)get the freeswan module for the kernel you found, and the same
freeswan-userland version as well. then proceed as follows: after you
have installed the [from rpm]
Typically to kill opportunistic encryption add these lines to your
ipsec.conf file: after the config setup section near the top,
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
Doing this stops all the crap you get when ipsec starts and then kicks
you off the system about 60 seconds later if you're connected remotely
as this kills the opportunistic setup feature. Do the same at the
other end as well.
Then start the service.
Then add a section for each tunnel you want to set up. if you have
multiple subnets at each site which can't be encapsulated in a single
subnet declaration, you will need to add a new tunnel defintion for
each. Here is an example :
conn site1-site2 #this is the connection name
[tunnel] identifier
left=21.21.100.10 #This is the ip address of the
first linux box
leftnexthop=21.21.100.9 #This is usually set to the
defualt gateway for the first linux box
leftsubnet=10.11.2.0/24 #This is the LAN subnet behind
the first linux box
right=21.21.100.178 #This is the IP address of the
second linux box at the other end of the tunnel
rightsubnet=10.11.4.0/24 #This is the LAN subnet behind
the second linux box
rightnexthop=21.21.100.177 #This is the IP address of the
default gateway setting of the other linux box
authby=secret #We are going to use a
"password"
or secret to encrypt/auth the link
pfs=no #Turn off perfect forward
security, this makes it faster and easier but less secure
auto=add #Authorise but don't start
esp=3des-md5-96 #encapsulating security payload
setting, encryption used for auth and data
Now cut and paste this and add it to the ipsec.conf file on the second
machine completely as is, unmodified.
Then in you /etc/ipsec.secrets file on each machine you will need to add
a password [secret] for each each of the tunnels you have specified, in
the above example we would have:
21.21.100.10 21.21.100.178 : PSK "a-passwordin-here-with-the-quotes"
Add this to the very top of the ipsec secrets file, one entry for each
pair of machines in this format
leftmachineip rightmachineip : PSK "password"
Then do a service ipsec restart on each machine, bring the link up with
this command, it only needs to be invoked from either one of the ends
ipsec auto --up site1-site2
You should get output like this if you did it right:
ipsec auto --up site1-site2
104 "site1-site2" #2086: STATE_MAIN_I1: initiate
106 "site1-site2" #2086: STATE_MAIN_I2: sent MI2, expecting MR2
108 "site1-site2" #2086: STATE_MAIN_I3: sent MI3, expecting MR3
004 "site1-site2" #2086: STATE_MAIN_I4: ISAKMP SA established
112 "site1-site2" #2087: STATE_QUICK_I1: initiate
004 "site1-site2" #2087: STATE_QUICK_I2: sent QI2, IPsec SA
established
Remember you will need to allow the ipsec interface in your firewall and
you will need to add lines like this:
# Accept udp connections to port 500 for ipsec
$IPTABLES -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
This is just about the quickest way to set up a VPN tunnel with
Freeswan, it takes minutes. If you want to make if more secure, you can
tune the config once you get it running this way!
Remember the only machines that can't see the full extent of the other
LAN network are the linux boxes creating the tunnel. So the left linux
box will not be able to ping stuff on 10.11.4.0/24 network and the right
linux box will not be able to ping stuff on 10.11.2.0/24 network - don't
forget this.... its commonly mistaken by some to mean the tunnel isn't
working, to truly test it end to end you need hosts on the LANs at each
end to ping each other.
If you want to make it work through NATing gateways you will need to
port forward the udp 500 setting above on your firewall.
Enjoy!
Pete
Kennedy Clark wrote:
>Any chance of getting a quick HOW-TO posted to the group for that?
>;-) Sounds interesting.
>
>I saw your post about using it with Cisco & Nortel equipment -- I work
>with both a lot at my current customer. What types of equipment have
>you used it with from both vendors (e.g., Cisco: IOS, PIX, VPN3K;
>Nortel = Contivity)?
>
>Thanks!!
>Kennedy
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.centos.org/pipermail/centos/attachments/20050524/08100c29/attachment-0004.html>
Hi there. Installed openswan, and followed the instructions :) . It
looks like tunnel is estabilished now:
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: initiating Main
Mode
May 24 14:19:33 fbctestvpn pluto[7063]: | no IKE algorithms for this
connection ---> is this bad....
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: transition from
state STATE_MAIN_I1 to state STATE_MAIN_I2
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received Vendor ID
payload [XAUTH]
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received Vendor ID
payload [Dead Peer Detection]
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received Vendor ID
payload [Cisco-Unity]
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: ignoring unknown
Vendor ID payload [xxxxxxxxxxxxxxxxxxxxxxx]
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: I did not send a
certificate because I do not have one.
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: transition from
state STATE_MAIN_I2 to state STATE_MAIN_I3
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: Main mode peer ID
is
ID_IPV4_ADDR: 'xxx.xxx.xxx.130' --> this being the external ip of the
cisco pix 525
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: transition from
state STATE_MAIN_I3 to state STATE_MAIN_I4
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: ISAKMP SA
established
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: initiating Quick
Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: ignoring
informational payload, type IPSEC_INITIAL_CONTACT
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #1: received and
ignored
informational message
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: ignoring
informational payload, type IPSEC_RESPONDER_LIFETIME
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: transition from
state STATE_QUICK_I1 to state STATE_QUICK_I2
May 24 14:19:33 fbctestvpn pluto[7063]: "milan" #2: sent QI2, IPsec SA
established {ESP=>0x6xxx23f <0x07xxxx7}
000 "milan":
192.168.10.0/24===xxx.xxx.xxx.90---xxx.xxx.xxx.65...xxx.xxx.xxx.129---xxx.xxx.xxx.130===192.168.100.0/24;
unrouted; eroute owner: #0
192.168.10.3 internal linux box ip (and default gateway for the natted
workstations)
192.168.100.2 internal cisco pix ip (and default gateway for the natted
workstations)
conn milan
left=xxx.xxx.xxx.90 public ip linux box
leftnexthop=xxx.xxx.xxx.65 default gateway linux
leftsubnet=192.168.10.0/24
right=xxx.xxx.xxx.130 public ip cisco
rightsubnet=192.168.100.0/24 network behind cisco
rightnexthop=xxx.xxx.xxx.129 default gateway cisco
authby=secret
pfs=no
auto=add
esp=3des-md5-96
The firewall on the linuxbox is natting the 192.168.10.x network and
accepting anything coming from 192.168.100.x, I added udp port 500 to
INPUT and OUTPUT chains in iptables, but still cannot ping (even from
other workstations) or reach a web page on the other network. Anything
else I am missing or should be looking for?
>Remember you will need to allow the ipsec interface in your firewall
How do I do this?
Thanks for all your help, really appreciate this.
Simone
On Tue, 2005-05-24 at 01:35, Peter Farrow wrote:> Hi there, yes it was with a Nortel contivity on a few occassions and
> the other times with a Cisco pix. interstingly enough the Cisco VPNs
> often required updates to the IOS to make them 3Des compliant,
>
> As its late here in the UK (past midnight GMT+1) here is a very quick
> and dirty freeswan guide.
>
> Needless to say the things that cause the biggest headache for most
> users is the use of RSA keys and opportunistic encryption. Since this
> is NOT what 99.9% of the masses need or want then there is a quick and
> simple and just as secure alternative setup, but its not that well
> documented. Opportunistic encryption came in versions 2 and above of
> freeswan by default, this has the effect of clobbering the network
> default route and replacing it down the ipsec interface (what you want
> if you want to encrypt everything, but not really any great use in the
> real world). Most people want to do site <-> site vpns and these are
> best achieved without opportunistic encryption and by the use of
> preshared keys.
>
> 1)Make sure you get a version of freeswan suitable for your kernel, if
> you can't find one go to somewhere like rpms.pbone.net and find a
> kernel for which there is a freeswan version. Many people try and
> hunt a freeswan version to match their kernel, I do it the otherway
> round, find the latest freeswan compatible kernel you can for your
> architecture, you can always compile it from source but why my life
> harder for yourself.
> 2)get the freeswan module for the kernel you found, and the same
> freeswan-userland version as well. then proceed as follows: after you
> have installed the [from rpm]
>
>
> Typically to kill opportunistic encryption add these lines to your
> ipsec.conf file: after the config setup section near the top,
>
> conn block
> auto=ignore
>
> conn private
> auto=ignore
>
> conn private-or-clear
> auto=ignore
>
> conn clear-or-private
> auto=ignore
>
> conn clear
> auto=ignore
>
> conn packetdefault
> auto=ignore
>
> Doing this stops all the crap you get when ipsec starts and then kicks
> you off the system about 60 seconds later if you're connected remotely
> as this kills the opportunistic setup feature. Do the same at the
> other end as well.
> Then start the service.
>
> Then add a section for each tunnel you want to set up. if you have
> multiple subnets at each site which can't be encapsulated in a single
> subnet declaration, you will need to add a new tunnel defintion for
> each. Here is an example :
>
> conn site1-site2 #this is the connection name
> [tunnel] identifier
> left=21.21.100.10 #This is the ip address of the
> first linux box
> leftnexthop=21.21.100.9 #This is usually set to the
> defualt gateway for the first linux box
> leftsubnet=10.11.2.0/24 #This is the LAN subnet behind
> the first linux box
> right=21.21.100.178 #This is the IP address of the
> second linux box at the other end of the tunnel
> rightsubnet=10.11.4.0/24 #This is the LAN subnet behind
> the second linux box
> rightnexthop=21.21.100.177 #This is the IP address of the
> default gateway setting of the other linux box
> authby=secret #We are going to use a
> "password" or secret to encrypt/auth the link
> pfs=no #Turn off perfect forward
> security, this makes it faster and easier but less secure
> auto=add #Authorise but don't start
> esp=3des-md5-96 #encapsulating security payload
> setting, encryption used for auth and data
>
>
> Now cut and paste this and add it to the ipsec.conf file on the second
> machine completely as is, unmodified.
>
> Then in you /etc/ipsec.secrets file on each machine you will need to
> add a password [secret] for each each of the tunnels you have
> specified, in the above example we would have:
>
> 21.21.100.10 21.21.100.178 : PSK
"a-passwordin-here-with-the-quotes"
>
> Add this to the very top of the ipsec secrets file, one entry for each
> pair of machines in this format
>
> leftmachineip rightmachineip : PSK "password"
>
> Then do a service ipsec restart on each machine, bring the link up
> with this command, it only needs to be invoked from either one of the
> ends
>
> ipsec auto --up site1-site2
>
> You should get output like this if you did it right:
> ipsec auto --up site1-site2
> 104 "site1-site2" #2086: STATE_MAIN_I1: initiate
> 106 "site1-site2" #2086: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "site1-site2" #2086: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "site1-site2" #2086: STATE_MAIN_I4: ISAKMP SA established
> 112 "site1-site2" #2087: STATE_QUICK_I1: initiate
> 004 "site1-site2" #2087: STATE_QUICK_I2: sent QI2, IPsec SA
> established
>
> Remember you will need to allow the ipsec interface in your firewall
> and you will need to add lines like this:
>
> # Accept udp connections to port 500 for ipsec
> $IPTABLES -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
> $IPTABLES -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
>
> This is just about the quickest way to set up a VPN tunnel with
> Freeswan, it takes minutes. If you want to make if more secure, you
> can tune the config once you get it running this way!
>
> Remember the only machines that can't see the full extent of the other
> LAN network are the linux boxes creating the tunnel. So the left
> linux box will not be able to ping stuff on 10.11.4.0/24 network and
> the right linux box will not be able to ping stuff on 10.11.2.0/24
> network - don't forget this.... its commonly mistaken by some to mean
> the tunnel isn't working, to truly test it end to end you need hosts
> on the LANs at each end to ping each other.
>
> If you want to make it work through NATing gateways you will need to
> port forward the udp 500 setting above on your firewall.
>
> Enjoy!
>
> Pete
>
>
>
>
>
>
>
>
>
>
>
>
> Kennedy Clark wrote:
> > Any chance of getting a quick HOW-TO posted to the group for that?
> > ;-) Sounds interesting.
> >
> > I saw your post about using it with Cisco & Nortel equipment -- I
work
> > with both a lot at my current customer. What types of equipment have
> > you used it with from both vendors (e.g., Cisco: IOS, PIX, VPN3K;
> > Nortel = Contivity)?
> >
> > Thanks!!
> > Kennedy
> >
>
>
> ______________________________________________________________________
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
--
Email.it, the professional e-mail, gratis per te: http://www.email.it/f
Sponsor:
Bisogno di liquidit?? Non devi spiegare per cosa. Fino a 4.000 ? a casa tua
Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=2291&d=24-5