Hello,

I want to establish an IPsec tunnel between two Linux boxes (one is NATted). I use Trustix 2.0 (kernel 2.4.25 compiled for firewall), Shorewall 1.4.10d and FreeS/WAN 2.04.

The right gateway is a Linux box with a public IP address (for example 80.54.8.105) and a DNS name host105-8.pool8054.myprovider.com; its default gateway is 80.54.8.110 (example, not real).

The left gateway is a Linux box behind NAT: there is a router with IP address 80.54.162.150 and DNS name host150-162.pool8054.myprovider.com, the router's private interface is 192.168.2.1, and the Linux box has two interfaces; the public one has IP address 192.168.2.2 and the private one 10.10.10.1. The Linux box's default gateway is 192.168.2.1.

I have modified my Shorewall configuration according to the main Shorewall site documentation (for the right gateway in /etc/shorewall/tunnel I have specified ipsecnat).

I have used ipsec rsasigkey to create the key according to http://jixen.tripod.com/ and so I have created ipsec.secrets.

My ipsec.conf file looks like:

for the left gateway (natted)

config setup
    interfaces=%defaulroute
    klipsdebug=none
    plutodebug=none

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

conn site1-site2
    left=80.54.162.150
    leftsubnet=10.10.10.0/24
    leftnexthop=192.168.2.1
    right=%defaultroute
    rightsubnet=10.10.11.0/24
    rightnexthop
    keyingtries=0
    auto=start
    authby=rsasig
    leftid=@host150-162.pool8054.myprovider.com
    rightid=@host105-8.pool8054.myprovider.com
    leftrsasigkey=<leftkey>
    rightrsasigkey=<rightkey>

for the right gateway (not natted)

config setup
    interfaces=%defaulroute
    klipsdebug=none
    plutodebug=none

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

conn site1-site2
    left=%defaultroute
    leftsubnet=10.10.10.0/24
    leftnexthop
    right=80.54.8.105
    rightsubnet=10.10.11.0/24
    rightnexthop=80.54.8.110
    auto=start
    authby=rsasig
    leftid=@host150-162.pool8054.myprovider.com
    rightid=@host105-8.pool8054.myprovider.com
    leftrsasigkey=<leftkey>
    rightrsasigkey=<rightkey>

When I start ipsec I have the following logs:

host105-8 ipsec_setup: KLIPS debug none
host105-8 kernel:
host105-8 ipsec_setup: KLIPS ipsec0 on eth0 80.54.8.105/255.255.255.248 broadcast 80.54.8.111
host105-8 ipsec_setup: ...FreeS/WAN IPsec started
host105-8 ipsec_plutorun: whack error: "site1-site2" illegal (non-DNS-name) character in name "%defaultroute"
host105-8 ipsec_plutorun: ...could not add conn "site-site2"
host105-8 ipsec_plutorun: 021 no connection named "site1-site2"
host105-8 ipsec_plutorun: ...could not route conn "site-site2"
host105-8 ipsec_plutorun: 021 no connection named "site1-site2"
host105-8 ipsec_plutorun: ...could not start conn "site-site2"

What's wrong?

Thanks

Regards
Nicola
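As an added example (not from this thread or from FreeS/WAN itself), a small Python linter for the two defects visible in the posted right-gateway ipsec.conf: the `interfaces=%defaulroute` typo in `config setup` and the valueless `leftnexthop` line. It assumes, as I read the FreeS/WAN ipsec.conf(5) convention, that `%defaultroute` in a conn is only substituted when `config setup` has `interfaces=%defaultroute`, which is consistent with the literal string reaching whack in the posted log; the sample configuration is constructed from the post.

```python
# Constructed sample: the posted right-gateway ipsec.conf, reduced to the lines that
# matter. It keeps the interfaces=%defaulroute typo and the valueless leftnexthop
# line exactly as they appear in the post.
SAMPLE_CONF = """\
config setup
    interfaces=%defaulroute

conn site1-site2
    left=%defaultroute
    leftsubnet=10.10.10.0/24
    leftnexthop
    right=80.54.8.105
    rightsubnet=10.10.11.0/24
    rightnexthop=80.54.8.110
    authby=rsasig
"""

def parse_conf(text):
    """Parse ipsec.conf into {section: {key: value}}; a key without '=' gets None."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented line: 'config setup' or 'conn NAME'
            current = line.strip()
            sections[current] = {}
            continue
        key, sep, value = line.strip().partition("=")
        sections[current][key] = value.strip() if sep else None
    return sections

def lint_conf(text):
    """Return findings for the failure in the posted log (%defaultroute reaching whack)."""
    conf = parse_conf(text)
    findings = []
    ifaces = conf.get("config setup", {}).get("interfaces", "")
    # A '%' value other than %defaultroute is almost certainly a typo.
    if ifaces.startswith("%") and ifaces != "%defaultroute":
        findings.append(f"config setup: interfaces={ifaces} is not a known magic value (typo for %defaultroute?)")
    for name, params in conf.items():
        if not name.startswith("conn "):
            continue
        for key, value in params.items():
            if value is None:
                findings.append(f"{name}: {key} has no value")
            # Assumption (ipsec.conf(5)): %defaultroute in a conn is only substituted when
            # config setup has interfaces=%defaultroute; otherwise the literal reaches whack.
            elif value == "%defaultroute" and ifaces != "%defaultroute":
                findings.append(f"{name}: {key}=%defaultroute requires interfaces=%defaultroute in config setup")
    return findings
```

Running `lint_conf` on the corrected file (typo fixed, `leftnexthop` given a value) returns an empty list.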
Nicola Murino wrote:
>
> when I start ipsec I have the following logs:
>
> host105-8 ipsec_setup: KLIPS debug none
> host105-8 kernel:
> host105-8 ipsec_setup: KLIPS ipsec0 on eth0 80.54.8.105/255.255.255.248
> broadcast 80.54.8.111
> host105-8 ipsec_setup: ...FreeS/WAN IPsec started
> host105-8 ipsec_plutorun: whack error: "site1-site2" illegal
> (non-DNS-name) character in name "%defaultroute"
> host105-8 ipsec_plutorun: ...could not add conn "site-site2"
> host105-8 ipsec_plutorun: 021 no connection named "site1-site2"
> host105-8 ipsec_plutorun: ...could not route conn "site-site2"
> host105-8 ipsec_plutorun: 021 no connection named "site1-site2"
> host105-8 ipsec_plutorun: ...could not start conn "site-site2"

Looks like an IPSEC configuration error to me but it's been several years since I suffered through FreeS/WAN configuration.

Hopefully someone with more recent IPSEC experience can help.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep wrote on 23/03/2004 11:33:34:

> Nicola Murino wrote:
> >
> > when I start ipsec I have the following logs:
> >
> > [...]
>
> Looks like an IPSEC configuration error to me but it's been several
> years since I suffered through FreeS/WAN configuration.
>
> Hopefully someone with more recent IPSEC experience can help.

My recent experience with IPSEC: turn to OPENVPN, if you can. Much simpler to implement and to integrate into shorewall. And NO patches...

just my 2c...

Eduardo Ferreira
The two ids:

leftid=@host150-162.pool8054.myprovider.com
rightid=@host105-8.pool8054.myprovider.com

don't have to be the real DNS names. Try putting something like

leftid=@site1.myprovider.com
rightid=@site2.myprovider.com

and put the correct entries for site1.myprovider.com and site2.myprovider.com in /etc/hosts.

cheers
mizzio

On Tuesday, 2004/03/23 at 11:54 +0100, Nicola Murino wrote:
> Hello,
>
> I want to establish an ipsec tunnel between two linux boxes (one is natted),
> I use trustix 2.0 (kernel 2.4.25 compiled for firewall), shorewall 1.4.10d
> and freeswan 2.04,
>
> the right gateway is a linux box with a public ip address (for example
> 80.54.8.105) and a dns name host105-8.pool8054.myprovider.com and its
> default gateway is 80.54.8.110 (example, not real)
>
> the left gateway is a linux box with nat, there is a router with ip address
> 80.54.162.150 and dns name host150-162.pool8054.myprovider.com, the
> router's private interface is 192.168.2.1 and the linux box has two
> interfaces, the public has ip address 192.168.2.2 and the private
> 10.10.10.1.
> > Looks like an IPSEC configuration error to me but it's been several
> > years since I suffered through FreeS/WAN configuration.
> >
> > Hopefully someone with more recent IPSEC experience can help.
>
> My recent experience with IPSEC: turn to OPENVPN, if you can. Much
> simpler to implement and to integrate into shorewall. And NO
> patches...
>
> just my 2c...

I can second that. Busted my chops with ipsec on and off for a few months with no success, then after switching to openvpn, I had it configured and running in no time.

--Micha

> Eduardo Ferreira
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
The same with OpenVPN, Eduardo. In my case I have a problem only when creating the certificate; the pre-shared key works fine. The FAQ for the creation is not complete: I have one error and one file does not exist.

On Tue, 23-03-2004 at 11:02, Eduardo Ferreira wrote:
> Tom Eastep wrote on 23/03/2004 11:33:34:
>
> > Nicola Murino wrote:
> > >
> > > when I start ipsec I have the following logs:
> > >
> > > [...]
> >
> > Looks like an IPSEC configuration error to me but it's been several
> > years since I suffered through FreeS/WAN configuration.
> >
> > Hopefully someone with more recent IPSEC experience can help.
>
> My recent experience with IPSEC: turn to OPENVPN, if you can. Much
> simpler to implement and to integrate into shorewall. And NO patches...
>
> just my 2c...
>
> Eduardo Ferreira
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Micha Silver wrote:
>
> I can second that. Busted my chops with ipsec on and off for a few months
> with no success, then after switching to openvpn, I had it configured and
> running in no time.

I second the notion that OpenVPN is a better solution for Linux<->Linux VPN. Furthermore, the 2.6 Kernel's implementation of IPSEC is currently broken with respect to Netfilter/iptables. Even when the implementation is fixed, it will still be awkward to firewall IPSEC because of the elimination of the 'ipsecN' devices. So unless there is a need for IPSEC for compatibility, I would avoid it.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Thanks, I'll try openvpn

Nicola

> > I can second that. Busted my chops with ipsec on and off for a few months
> > with no success, then after switching to openvpn, I had it configured and
> > running in no time.
>
> I second the notion that OpenVPN is a better solution for Linux<->Linux VPN.
> Furthermore, the 2.6 Kernel's implementation of IPSEC is currently broken
> with respect to Netfilter/iptables. Even when the implementation is fixed,
> it will still be awkward to firewall IPSEC because of the elimination of
> the 'ipsecN' devices. So unless there is a need for IPSEC for
> compatibility, I would avoid it.
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA \ teastep@shorewall.net