Koozali.org: home of the SME Server

Ipsec _updown script

Lloyd Keen

Ipsec _updown script
« on: August 15, 2002, 02:00:57 PM »
Has anyone managed to get an IPsec tunnel up and going on SME 5.5? The _updown script supplied with 1.97 doesn't seem to update the firewall rules. I've tried manually updating the rules but still can't get it to work. The ipsec0 interface is coming up and packets are being transmitted but not received at the other end. I've tried using all 3 scripts (_updown_1.8, 1.91 and 1.97). I've tried both versions of dmc-mitel-freeswan (4.11 & 4.12). I've tried to go back to freeswan 1.91. Keep getting the same error message "Could not start conn ".........." Both sites have static IPs. Anyone have any ideas before I switch back to SME 5.1.2?

Rod

Re: Ipsec _updown script
« Reply #1 on: August 15, 2002, 05:13:57 PM »
Hi Lloyd,
I've just managed to get SME5.5 to talk to 4.12 via IPSEC
I had to reconfigure both ipsec.conf to disable compression.

        # Enable compression
        compress=no
This was the only way I could get IPSEC to connect

I am currently running the following config on both
GateToGate no
GateToNet yes
NAT yes
NetToNet yes

As GateToGate yes was killing my remote connection while debugging. I may turn it back on later.

I have also modified /etc/e-smith/templates/etc/rc.d/init.d/masq/10masq_ipsec
on the 4.1.2 box
from
    my $loadme = db_get_prop(\%services, 'masq', $me) || "yes";
to
    my $loadme = db_get_prop(\%services, 'masq', $me) || "no";

Now I suspect that altering the config for ipsec and adding |masq|no|
would do the same thing but not 100% sure.

I did all of this because I was getting masq errors on the 4.1.2 box

I ended up rebooting the 4.1.2 box to remove the masq_ipsec module.

I can now ping from server to remote server, server to remote network and remote server to local network.
I haven't managed to sort out windoze peer to peer yet.
Rod

Rod

Re: Ipsec _updown script
« Reply #2 on: August 15, 2002, 05:18:25 PM »
PS: I forgot to mention that I had to manually copy the RSA secrets from one machine to another. I suspect that it was a problem with cut and paste into the web browser that was stuffing things up.
I also copied the _updown script into both /usr/lib/ipsec & /usr/local/lib/ipsec
the .18 script for the 4.1.2 box and the 1.91 for the 5.5 box
I have a feeling that it was something trivial but don't know what as I have been stuffing around with this for a couple of days now.
Rod

Lloyd Keen

Re: Ipsec _updown script
« Reply #3 on: August 15, 2002, 07:52:29 PM »
Thanks Rod,
I tried disabling all 4 settings and still had no luck:
GateToGate no
GateToNet no
NAT no
NetToNet no
I did notice that the ip_masq_ipsec module had not been loaded, so I loaded that up but it didn't seem to make any difference. The only thing I haven't tried yet was turning off compression; I'll give that a go and report back. Funny thing I noticed while testing: if I used dmc-mitel-freeswan-4.12, after I add the IPsec VPN I can no longer ping external sites; remove the VPN and I am able to ping external sites. This doesn't happen with dmc-mitel-freeswan-4.11. Something screwy going on there. I'll try the 1.91 _updown with compression off.

Lloyd Keen

Re: Ipsec _updown script
« Reply #4 on: August 16, 2002, 03:00:53 PM »
Rod,
What version of dmc-mitel-freeswan were you using on the SME 5.5 box?

Rod

Re: Ipsec _updown script
« Reply #5 on: August 16, 2002, 03:22:29 PM »
dmc-mitel-freeswan-0.4-12 on both the 4.1.2 box and the SME5.5 box.
Don't forget to turn off compression.
rod

Lloyd Keen

Re: Ipsec _updown script
« Reply #6 on: August 17, 2002, 12:20:05 PM »
Rod, you are a freaking legend. Turned off compression and BANG straight in..... God I've spent some hours on this bloody IPsec. Thanks heaps

rod

Re: Ipsec _updown script
« Reply #7 on: August 17, 2002, 12:53:29 PM »
The info was actually found in the user forum hidden amongst the various posts.
Now the problem I am having is the lack of firewall rules to allow windoze networking between the sites.
The netbios over IP traffic is being blocked at each end by the firewall rules.
I guess it's time to dust off the ipchains manual to work out how to allow the traffic.
Something like http://www.fwbuilder.org/ would be fantastic in SME.
I can however see the problem for the 'unskilled' to really stuff things up.
Problem with the existing firewall rules is trying to get a grip on what is actually there. Lots of customisation is available via the configuration file; it's just having to reverse engineer the code to work out what you can and can't do.
None of the IPSEC howtos I have seen so far progress past the IP to IP configuration.
Keep at it.
Rod

Rod

Re: Ipsec _updown script
« Reply #8 on: August 19, 2002, 02:21:37 PM »
After reading the forum info again, all I had to do was create a local network on each system for the remote network. You need to give the remote network address and mask but leave the gateway blank. I had a problem with SME5.5 not allowing me to have a default gateway but am discussing that separately with 'bugs'.

Next problem is that one of my ADSL connections picks up differing gateways depending upon which way the wind blows. Now I have to work out how to get the gateway IP changed dynamically in the ipsec.conf as the link comes up.
Rod
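
One way to tackle the changing-gateway problem from Reply #8, as an added example that is not from this thread or from the SME/FreeS/WAN packages: a small POSIX sh helper meant to be called from the link's ip-up hook. It assumes the local side is written as `leftnexthop=` in ipsec.conf and that `route -n` is the routing tool; the function names and the sample routing table are made up for the example.

```shell
# Added example (not from the thread): keep leftnexthop= in ipsec.conf in step
# with whatever default gateway the ADSL link came up with.

# Read `route -n` style output on stdin and print the default route's gateway.
# A gateway of 0.0.0.0 means "directly attached", which is not a usable nexthop.
default_gateway() {
    awk '$1 == "0.0.0.0" && $2 != "0.0.0.0" { print $2; exit }'
}

# Print the distinct leftnexthop= values currently in the conf (one per line).
current_nexthop() {
    sed -n 's/^[[:space:]]*leftnexthop=//p' "$1" | sort -u
}

# Rewrite every leftnexthop= line in the conf to the given gateway.
# Prints "changed" or "unchanged" so the caller knows whether to reload the
# conn afterwards (e.g. ipsec auto --replace <conn>); returns 1 on bad input.
set_nexthop() {
    sn_conf="$1"
    sn_gw="$2"
    case "$sn_gw" in
        *[!0-9.]* | "" ) echo "set_nexthop: bad gateway '$sn_gw'" >&2; return 1 ;;
    esac
    [ -f "$sn_conf" ] || { echo "set_nexthop: no such file $sn_conf" >&2; return 1; }
    # Nothing to do when the only nexthop already on file is this gateway.
    if [ "$(current_nexthop "$sn_conf")" = "$sn_gw" ]; then
        echo unchanged
        return 0
    fi
    # Write to a temp file and move into place; avoids relying on GNU sed -i,
    # which the sed shipped with SME of that era does not have.
    sed "s/^\([[:space:]]*leftnexthop=\).*/\1$sn_gw/" "$sn_conf" > "$sn_conf.tmp" \
        && mv "$sn_conf.tmp" "$sn_conf"
    echo changed
}

# Typical use from an ip-up hook (left as a comment so the file is safe to source):
#   gw=$(route -n | default_gateway)
#   [ "$(set_nexthop /etc/ipsec.conf "$gw")" = changed ] && ipsec auto --replace sitea-siteb
```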

Lloyd Keen

Re: Ipsec _updown script
« Reply #9 on: August 19, 2002, 06:00:51 PM »

Lloyd Keen

Re: Ipsec _updown script
« Reply #10 on: August 19, 2002, 06:03:01 PM »
Skip that last one I just saw your post in the general forum.