Topic: Can't get FreeS/Wan or IPSEC to work

[Ryan]

I am a newbie to Linux, but I have successfully updated samba and installed port fowarding on both 4.1.2 and 5.0.  I have given up on trying to set up a IPSEC tunnel between 2 e-smith servers.  I have tried about 10 times to set up the how-to rpms for both 4.1.2 and 5.0.  I can not get a tunnel established.  Pinging the other LAN fails.  Anyone, ANYONE, ANYONE that has set up Frees/Wan successfully with out service link, please provide any input/knowledge that is not included in the how-tos.  

Could it be a problem passing IPSEC?  I have 2 M$ proxy servers running with demand dialing using pptp..without problems...on the very same internet subnets I have tried to set up the e-smith Frees/Wan.  I have no problem connecting a single user to either 4.1.2 or 5.0 by VPN.

Every "how to" I have followed has worked fine except Frees/Wan....what gives?

If this can't be solved, I will have to replace the Proxy servers with M$ ISA servers....which is actually cheaper than paying for service link for 2 boxes over the life of the software.  I want to replace Micro$oft when possible, so I hope this forum will help.

Thanks.

[Darrell May]

Are you following this Howto:

http://myezserver.com/docs/mitel/freeswan-howto.html

Regards,

Darrell

[Ryan Sutton]

Yes, I followed that how to.

In Step 4 of the how to, it says to set up local network.  Is it saying to set up 2 local networks?  

First enter the remote Lan network address and subnet with the router entry being the internal IP of the local SME server.  

Second, enter the remote external IP address for the SME server plus 255.255.255.255 as mask with the router entry being the internal IP of the local SME server.

Do I have this correct?  

RS

[Ryan Sutton]

Another question:

Should "yes" be the answer for protecting traffic for all options or should only one be "yes".  Do both sme servers have to have the same answers for protection for IPSEC to work?  What happens if all are "no" for protection?

RS

[Buddy Edwards]

Ryan,

Are your two networks on different subnets or are they using a common set of IP's
ie. both networks on "192.168.1.0-255" if they are try changing one of the networks over to "192.168.2.0-255" and set up the VPN tunnel to point to the new IP range.

[Steve Bush]

I have set this up successfully on three SME5 servers, each with their own external static IP addresses.  The internal network subnets are different IP address ranges, ie 10.100.1.0/255.255.255.0, 10.100.2.0/255.255.255.0, and 10.100.3.0/255.255.255.0

The servers are setup with two NIC's in server and gateway mode.   In the local network page, add two entries to each of your servers leaving the router entry blank.

1 - The internal subnet range of your remote network - ie 10.100.2.0
2 - The external network card ethernet address of your remote server using 255.255.255.255 as the subnet mask

A documented feature requires you to resave the VPN config after making any modifications to the local networks panel to restart freeswan.

I have been running with this configuration for over a month with no problems.
I upgraded the version of freeswan on my SME5 server to the version that is installed in SME5.1b, but I was able to setup an IPSEC tunnel using the old version.  In fact I had both versions working together at one point.

When you get the servers setup, try pinging the remote servers' internal IP address from the local server to see if it's working.

Let me know if you have any questions.

[Ryan Sutton]

I appreciate the repsonses to my problem.  My LAN address are 192.168.1.0/255.255.255.0 and 192.168.2.0/255.255.255.0.

Steve, I will try your suggestions tomorrow.  I am using SME 5.0.  I was not leaving the router entry blank for the local network setting.  Could you send a link to the "documentation" that you referred to that requires the IPSEC settings to be "resaved" to restart Frees/WAN after changing the local network settings?  I also did not do this.  

Should I upgrade to 5.1a or 5.1b before I continue messing with 5.0?

Thanks again for the help.

Ryan Sutton

[Steve Bush]

This will work with the version of freeswan included with SME5.
I went ahead and pulled the version in SME5.1a and installed it on my SME5 servers.

The documentation I was talking about is from a thread on the SME developers list.  Here is a link to the email message.

http://www.mail-archive.com/devinfo@lists.e-smith.org/msg06557.html

Good luck with the test.

[Ryan Sutton]

Big Thanks to Steve.

Simply leaving the router entry blank for the local networks, and resaving the IPSEC Entry allowed the tunnel to connect.  

Now it looks 99% sure that our microsoft proxy servers will get replaced with linux instead of a new microsoft product.  

My opinion to Mitel company:  You have an awesome product.  You should consider breaking the cost of Service link into individual services.  My agency just installed a 9meg pipe to the internet and we quickly realized that a microsoft proxy server (2.0) can't keep up.  Using SME Server makes the most sense.  We have 2 offices and need a permanent VPN between them.  Considering we already have McAfee Antivirus Total Defense which is pruchased by the node, and includes all server software, we don't need virus protection for the SME Server.  Our external DNS is handled by the ISP.  When I looked at the cost of service link for 2 SME servers, the price can not be justified.  

1 SME service link $175 x 12 = 2100 x 2 servers = 4200 per year

1 MS 2000 Server $ 400 plus ISA server $800 = 1200 x 2 servers = 2400 to own and will be useful for at least 3 years.  Given we already own the necessary NT CALS.  (and you know M$ is way over priced).

If an option existed to purchase service link for the vpn and support, and could compete with Microsoft over 3 or more years, I would considered purchasing it.  I keep asking myself..."how can linux cost more than microsoft????"

[Steve Bush]

Great news...Now if I could find the time to update the how-to...

[John Phillips]

Steve,

I've had the same experiences as you have in my lab.   I've been able to install  dmc-mitel-freeswan-0.4-11.noarch.rpm directly from Darrell May's Howto and bring up tunnels with no problems on machines with static IP's and an ethernet network.

2--192.168.1.0--1-SME5-x.x.x.5|||x.x.x.4-SME5-1--192.168.2.0-2

        Computer-2---1-Gateway||||||||Gateway1------2Computer

Even while incrementally upgrading FreeS/Wan at one end of the tunnel.

However, everything I try behind a DSL (pppoe) pipe cannot orient itself while booting.   I've tried hard coding the "interfaces" instead of interfaces=%defaultroute in the ipsec.conf file, but I continue to get this message.

Fw1 Pluto[771]: "lan1-lan2": could not orient connection

A simple /etc/rc.d/init.d/ipsec restart will bring the tunnel up after the boot process is finished.

Steve Bush wrote:
>
> I have set this up successfully on three SME5 servers, each
> with their own external static IP addresses.  The internal
> network subnets are different IP address ranges, ie
> 10.100.1.0/255.255.255.0, 10.100.2.0/255.255.255.0, and
> 10.100.3.0/255.255.255.0
>
> The servers are setup with two NIC's in server and gateway
> mode.   In the local network page, add two entries to each of
> your servers leaving the router entry blank.
>
> 1 - The internal subnet range of your remote network - ie
> 10.100.2.0
> 2 - The external network card ethernet address of your remote
> server using 255.255.255.255 as the subnet mask
>
> A documented feature requires you to resave the VPN config
> after making any modifications to the local networks panel to
> restart freeswan.
>
> I have been running with this configuration for over a month
> with no problems.
> I upgraded the version of freeswan on my SME5 server to the
> version that is installed in SME5.1b, but I was able to setup
> an IPSEC tunnel using the old version.  In fact I had both
> versions working together at one point.
>
> When you get the servers setup, try pinging the remote
> servers' internal IP address from the local server to see if
> it's working.
>
> Let me know if you have any questions.

[Robert Field]

Please can any one shine light on what I've done wrong/not done.

I've installed freeswan as per how to. All went ok.

Added network (without router ip). All went ok.

Resaved IPSEC and rebooted both servers, restarted Freeswan with /etc/rc.d/init.d/ipsec restart  but I can not get tunnel to work.

SME5 Server one. Two NIC one with fixed IP using TELE2 (samba update applied)
192.168.253.95  255.255.255.0


SME5 Server two. Two NIC one with fixed IP via BT ADSL line (no samba update)
192.168.254.99 255.255.255.0

In both cases have tried using external IP for router and actual router address just to make sure.  I can still vpn using Win 2K client to both boxes but no tunnel.

I am a loss what to try next.

[Ryan Sutton]

You say your servers have one fixed IP address.  On my servers, both IP addresses are static.  If the private IPs you listed are the static IPs you refer to, are you using dhcp on your external NICs?  If so, I think Freeswan will not work....the documentation says you need static external/internet IP addresses.  

When you set up your local networks, you have to set up 2 additional local networks:  The private LAN network, and the single external IP of the remote server.  Leave the router entry blank.  After entering this, go back to the IPSEC VPN page and re-save the settings you put in prior to doing the local network entryies.

I did not have to reboot to get the tunnel to connect.  If you ping an IP on the remote LAN, it might appear to fail, as it takes a couple of seconds for the tunnel to connect.  Try the ping several times.  Good luck.

[Robert Field]

Thanks for the thoughts.  I did not explain my self.  I have two fixed IP's per server, One internal and on external.  I have entered both of these to the local network.

Have resaved the IPSEC and I still have no tunnel.

I have now updated SAMBA on both boxes but it does not seemed to have helped.


Real head scratcher this one!!!!!!


Any thoughts

[Robert Field]

Latest logfile.


[Mon Jan 28 09:01:41 2002] virtualprivatenetworks: Prototype mismatch: sub esmith::showPubKey ($) vs ($$) at /etc/e-smith/web/panels/manager/cgi-bin/virtualprivatenetworks line 250.


Does any body no what Prototype mismatch indicates?