#I have got my two Linux IPsec gateways to communicate and connect with each
other, but I can't get any data through or even ping the other computers.
#Here's ipsec saying it's connected to the right gateway...
ipsec_setup: ipsec ipsec_3des ipsec_md5 ipsec_sha1
ipsec_setup:
done
104 "cpb" #1: STATE_MAIN_I1: initiate
106 "cpb" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "cpb" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "cpb" #1: STATE_MAIN_I4: ISAKMP SA established
112 "cpb" #3: STATE_QUICK_I1: initiate
004 "cpb" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
Done.
#Now, I have a bit of an odd setup. It is as follows:
==========================================================
Clients 192.168.7.0/24 - (what I'll call Left)
----------
{}
----------
Linux IPSec Gateway - Eth0 192.168.2.3, Eth1 192.168.7.3, Def. Gw
192.168.2.1
----------
{}
----------
SMC Router/Gateway 192.168.2.1 internal, 68.99.210.125 Outside aka
clubpeb.no-ip.info
----------
{}
===========================================================
INTERNET
===========================================================
{}
----------
Linksys Router/Gateway 192.168.10.1 internal, 68.2.65.111 Outside aka
taylord.no-ip.info
----------
{}
----------
Linux IPSec Gateway - Eth0 192.168.10.3, Eth1 192.168.1.3, Def. Gw
192.168.10.1
----------
{}
----------
Clients 192.168.1.0/24 - (what I'll call Right)
===========================================================
#Here is my ipsec.conf conn for the "Left" side
conn cpb
	left=taylord.no-ip.info
	leftsubnet=192.168.1.0/24
	leftnexthop=192.168.10.1
	right=%defaultroute
	rightsubnet=192.168.7.0/24
	rightnexthop
	auto=start
	authby=rsasig
	leftid=@taylord.no-ip.info
	rightid=@clubpeb.no-ip.info
	leftrsasigkey=0sAQNK/WVyOrSz...
	rightrsasigkey=0sAQNK/WVyOrSz...
#And here is the ipsec.conf for the "Right" side
conn cpb
	left=clubpeb.no-ip.info
	leftsubnet=192.168.7.0/24
	leftnexthop=192.168.2.1
	right=%defaultroute
	rightsubnet=192.168.1.0/24
	rightnexthop
	auto=start
	authby=rsasig
	leftid=@clubpeb.no-ip.info
	rightid=@taylord.no-ip.info
	leftrsasigkey=0sAQOJI1bO...
	rightrsasigkey=0sAQOJI1bO...
#Here's my ifconfig for the LEFT side:
eth0 Link encap:Ethernet HWaddr 00:D0:09:E3:0D:84
inet addr:192.168.2.3 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::2d0:9ff:fee3:d84/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:11572030 errors:0 dropped:0 overruns:0 frame:0
TX packets:9428744 errors:1 dropped:12 overruns:1 carrier:1
collisions:0 txqueuelen:100
RX bytes:2615689427 (2494.5 Mb) TX bytes:926331055 (883.4 Mb)
Interrupt:9 Base address:0xdc00
eth1 Link encap:Ethernet HWaddr 00:03:6D:00:76:0B
inet addr:192.168.7.3 Bcast:192.168.7.255 Mask:255.255.255.0
inet6 addr: fe80::203:6dff:fe00:760b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10471207 errors:1 dropped:0 overruns:0 frame:1
TX packets:11690549 errors:33 dropped:0 overruns:0 carrier:66
collisions:0 txqueuelen:100
RX bytes:1161565293 (1107.7 Mb) TX bytes:2817830808 (2687.2 Mb)
Interrupt:12 Base address:0xda00
ipsec0 Link encap:IPIP Tunnel HWaddr
inet addr:192.168.2.3 Mask:255.255.255.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:3042 errors:0 dropped:0 overruns:0 frame:0
TX packets:3042 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:303154 (296.0 Kb) TX bytes:303154 (296.0 Kb)
#Here's my ifconfig for the RIGHT side:
eth0 Link encap:Ethernet HWaddr 00:03:6D:1B:86:96
inet addr:192.168.10.3 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::203:6dff:fe1b:8696/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:71593 errors:0 dropped:0 overruns:0 frame:0
TX packets:2906 errors:22 dropped:0 overruns:0 carrier:44
collisions:0 txqueuelen:100
RX bytes:20660551 (19.7 Mb) TX bytes:386851 (377.7 Kb)
Interrupt:9 Base address:0xf800
eth1 Link encap:Ethernet HWaddr 00:50:04:14:98:73
inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::250:4ff:fe14:9873/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4132 errors:0 dropped:0 overruns:0 frame:0
TX packets:2187 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:549824 (536.9 Kb) TX bytes:571090 (557.7 Kb)
Interrupt:11 Base address:0xfc80
ipsec0 Link encap:IPIP Tunnel HWaddr
inet addr:192.168.10.3 Mask:255.255.255.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:657 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:584 errors:0 dropped:0 overruns:0 frame:0
TX packets:584 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:56997 (55.6 Kb) TX bytes:56997 (55.6 Kb)
#Here's the output of shorewall restart from the Left system
(192.168.7.3/2.3)
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Restarting Shorewall...
Loading Modules...
/lib/modules/2.4.20-4GB/kernel/net/ipv4/netfilter/ip_nat_ftp.o: init_module:
Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including
invalid IO or IRQ parameters.
You may find more information in syslog or the output from dmesg
Initializing...
Determining Zones...
Zones: net loc vpn
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
Local Zone: eth1:0.0.0.0/0
VPN Zone: ipsec0:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Creating input Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
Adding rules for DHCP
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
IPSEC tunnel to taylord.no-ip.info defined.
Processing /etc/shorewall/rules...
Rule "DNAT net loc:192.168.7.63 tcp 10000:10003 -" added.
Rule "DNAT net loc:192.168.7.62 tcp 7777:7778 -" added.
Rule "DNAT net loc:192.168.7.40 tcp 3389 -" added.
Rule "DNAT net loc:192.168.7.40 tcp 5900 -" added.
Rule "DNAT net loc:192.168.7.20 udp 14567 -" added.
Rule "DNAT net loc:192.168.7.20 udp 20000 -" added.
Rule "DNAT net loc:192.168.7.20 udp 27900 -" added.
Rule "DNAT net loc:192.168.7.20 udp 28900 -" added.
Rule "DNAT net loc:192.168.7.40 tcp 8129 -" added.
Rule "DNAT net loc:192.168.7.40 tcp 1755 -" added.
Rule "DNAT net loc:192.168.7.40 tcp 2121:2131 -" added.
Rule "ACCEPT loc fw tcp 963 -" added.
Rule "ACCEPT fw net tcp 53" added.
Rule "ACCEPT fw net udp 53" added.
Rule "ACCEPT loc fw tcp 53 -" added.
Rule "ACCEPT loc fw udp 53 -" added.
Rule "ACCEPT loc fw tcp 80 -" added.
Rule "ACCEPT net fw tcp 22 -" added.
Rule "ACCEPT loc fw tcp 22 -" added.
Rule "ACCEPT vpn fw tcp 22 -" added.
Rule "ACCEPT loc fw icmp 8" added.
Rule "ACCEPT net fw icmp 8" added.
Rule "ACCEPT fw loc icmp 8" added.
Rule "ACCEPT fw net icmp 8" added.
Rule "ACCEPT fw loc tcp 22" added.
Rule "DNAT net loc:192.168.7.22 tcp 6891:6900 -" added.
Rule "DNAT net loc:192.168.7.22 tcp 1863 -" added.
Rule "DNAT net loc:192.168.7.22 tcp 5190 -" added.
Rule "DNAT net loc:192.168.7.22 tcp 6900 -" added.
Rule "DNAT net loc:192.168.7.22 tcp 8080 -" added.
Rule "DNAT net loc:192.168.7.51 udp 6996 -" added.
Processing /etc/shorewall/policy...
Policy ACCEPT for fw to net using chain fw2net
Policy REJECT for fw to loc using chain all2all
Policy ACCEPT for fw to vpn using chain fw2vpn
Policy DROP for net to fw using chain net2all
Policy DROP for net to loc using chain net2all
Policy REJECT for loc to fw using chain all2all
Policy ACCEPT for loc to net using chain loc2net
Policy ACCEPT for loc to vpn using chain loc2vpn
Policy ACCEPT for vpn to fw using chain vpn2fw
Policy ACCEPT for vpn to loc using chain vpn2loc
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.7.0/24 through eth0
Processing /etc/shorewall/tos...
Rule "all all tcp - ssh 16" added.
Rule "all all tcp ssh - 16" added.
Rule "all all tcp - ftp 16" added.
Rule "all all tcp ftp - 16" added.
Rule "all all tcp ftp-data - 8" added.
Rule "all all tcp - ftp-data 8" added.
Processing /etc/shorewall/ecn...
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Restarted
#Here is the output of shorewall restart on the Right system
(192.168.10.3/1.3)
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Restarting Shorewall...
Loading Modules...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Connection Tracking Match: Available
Determining Zones...
Zones: net loc vpn
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
Local Zone: eth1:0.0.0.0/0
VPN Zone: ipsec0:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Adding Common Rules
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
IPSEC tunnel to clubpeb.no-ip.info defined.
Processing /etc/shorewall/rules...
Rule "ACCEPT net fw tcp 22" added.
Rule "ACCEPT loc fw tcp 22" added.
Rule "ACCEPT loc fw tcp 10000" added.
Rule "ACCEPT net fw tcp 10000" added.
Rule "ACCEPT loc fw tcp 963" added.
Rule "ACCEPT net fw tcp 963" added.
Rule "ACCEPT net fw tcp 50" added.
Rule "ACCEPT net fw tcp 500" added.
Rule "ACCEPT loc fw tcp 80" added.
Rule "ACCEPT fw net tcp 53" added.
Rule "ACCEPT fw net udp 53" added.
Rule "ACCEPT loc fw tcp 22" added.
Rule "ACCEPT loc fw icmp 8" added.
Rule "ACCEPT net fw icmp 8" added.
Rule "ACCEPT fw loc icmp 8" added.
Rule "ACCEPT fw net icmp 8" added.
Processing /etc/shorewall/policy...
Policy ACCEPT for fw to net using chain fw2net
Policy REJECT for fw to loc using chain all2all
Policy ACCEPT for fw to vpn using chain fw2vpn
Policy DROP for net to fw using chain net2all
Policy REJECT for loc to fw using chain all2all
Policy ACCEPT for loc to net using chain loc2net
Policy ACCEPT for loc to vpn using chain loc2vpn
Policy ACCEPT for vpn to loc using chain vpn2loc
Policy ACCEPT for vpn to vpn using chain vpn2vpn
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.1.0/24 through eth0
Processing /etc/shorewall/tos...
Rule "all all tcp - ssh 16" added.
Rule "all all tcp ssh - 16" added.
Rule "all all tcp - ftp 16" added.
Rule "all all tcp ftp - 16" added.
Rule "all all tcp ftp-data - 8" added.
Rule "all all tcp - ftp-data 8" added.
Processing /etc/shorewall/ecn...
Activating Rules...
Processing /etc/shorewall/start ...
Shorewall Restarted
#Attached is a tcpdump from the Right side gateway when I connected and
tried to ping hosts in the 192.168.7.x network.
#Does anyone have any clues why I can't get through? Let me know if you
need any more information or anything.
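The shorewall restart output above is the kind of thing worth sanity-checking before chasing the tunnel itself. The checker below (an added example, not code from the post or from Shorewall) parses the "Rule ... added." and "Policy ... for X to Y" lines, flags rules that try to open IPsec traffic with the wrong protocol (ESP is IP protocol 50 and IKE is UDP 500, so "tcp 50" and "tcp 500" match nothing useful; the tunnels entry already opens ESP/AH/IKE for the named gateway), and confirms that loc and vpn accept each other. The sample input is a constructed excerpt of the Right side output.

```python
import re

# Constructed excerpt of the Right side "shorewall restart" output quoted above;
# only the rule and policy lines the checker inspects are included.
RESTART_OUTPUT = """\
Rule "ACCEPT net fw tcp 22" added.
Rule "ACCEPT net fw tcp 50" added.
Rule "ACCEPT net fw tcp 500" added.
Rule "ACCEPT loc fw icmp 8" added.
Policy ACCEPT for loc to vpn using chain loc2vpn
Policy ACCEPT for vpn to loc using chain vpn2loc
Policy DROP for net to fw using chain net2all
"""

# Fields are separated by spaces and never contain a double quote, so the
# port group stops before the closing quote (or the trailing " -").
RULE_RE = re.compile(r'Rule "([^\s"]+) ([^\s"]+) ([^\s"]+) ([^\s"]+) ([^\s"]+)')
POLICY_RE = re.compile(r'Policy (\w+) for (\w+) to (\w+)')

def parse_rules(text):
    """Return (action, src_zone, dst_zone, proto, port) tuples."""
    return [m.groups() for m in RULE_RE.finditer(text)]

def parse_policies(text):
    """Return {(src_zone, dst_zone): policy}."""
    return {(src, dst): pol for pol, src, dst in POLICY_RE.findall(text)}

def check_ipsec_firewall(text):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    for action, src, dst, proto, port in parse_rules(text):
        rule = f"{action} {src} {dst} {proto} {port}"
        if proto == "tcp" and port == "50":
            findings.append(f"rule '{rule}': ESP is IP protocol 50, not a TCP port")
        if proto == "tcp" and port == "500":
            findings.append(f"rule '{rule}': IKE uses udp 500, not tcp 500")
    policies = parse_policies(text)
    # Subnet-to-subnet traffic is forwarded between the loc and vpn zones,
    # so both directions need an ACCEPT policy (or explicit rules).
    for src, dst in (("loc", "vpn"), ("vpn", "loc")):
        if policies.get((src, dst)) != "ACCEPT":
            findings.append(f"no ACCEPT policy for {src} to {dst}")
    return findings

if __name__ == "__main__":
    for finding in check_ipsec_firewall(RESTART_OUTPUT):
        print(finding)
```

The same checker can be pointed at the Left side output, which has no such rules and relies on the tunnels entry alone.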
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tcpdump
Type: application/octet-stream
Size: 13904 bytes
Desc: not available
Url :
http://lists.shorewall.net/pipermail/shorewall-users/attachments/20030819/5a9a4498/tcpdump-0001.obj