Koozali.org: home of the SME Server

IPSEC plz help me!!

Jono

IPSEC plz help me!!
« on: February 14, 2003, 06:38:29 PM »
Hi

I am trying to connect my home LAN to my company LAN with 2 SMEs in server and gateway mode, using Darrell May's FreeS/WAN IPsec howto:
http://myezserver.com/downloads/mitel/contrib/freeswan/sme55/freeswan-howto.html


HOME: SME 5.5 update 2, using DHCP on the external interface.
When I'm reviewing the configuration there's no gateway IP, but with the route command I can see the default IP. Should this IP be the remote router's external gateway IP, or what!???
With the ifconfig command I can see that ipsec0 is receiving packets (RX) but is dropping them all.


COMPANY: SME 5.5 update 2 with a fixed IP.


NAT and all 3 "Encrypt traffic" options are set to YES and the public encryption key is double-checked, but now I can't even ping the remote IP, so I have no other way than to drive to the company to get to the SME console. I hope I only have problems on my home SME.

A paste from my messages log:
Feb 14 16:15:01 gateway e-smith-bg: ipsec_setup: Starting FreeS/WAN IPsec 1.97...
Feb 14 16:15:01 gateway ipsec_setup: Starting FreeS/WAN IPsec 1.97...
Feb 14 16:15:01 gateway ipsec_setup: KLIPS debug none'
Feb 14 16:15:01 gateway ipsec_setup: KLIPS ipsec0 on ppp0 80.196.xxx.xx/255.255.255.255 pointopoint 195.249.x.xxx
Feb 14 16:15:02 gateway ipsec_setup: ...FreeS/WAN IPsec started
Feb 14 16:15:04 gateway ipsec__plutorun: 003 "net.192.168.3.0-gate.local": route-host command exited with status 7
Feb 14 16:15:04 gateway ipsec__plutorun: 025 "net.192.168.3.0-gate.local": could not route
Feb 14 16:15:04 gateway ipsec__plutorun: ...could not route conn "net.192.168.3.0-gate.local"
Feb 14 16:15:04 gateway ipsec__plutorun: 003 "net.192.168.3.0-net.local": route-client command exited with status 7
Feb 14 16:15:04 gateway ipsec__plutorun: 003 "net.192.168.3.0-net.local": down-client command exited with status 1
Feb 14 16:15:04 gateway ipsec__plutorun: 025 "net.192.168.3.0-net.local": could not route
Feb 14 16:15:04 gateway ipsec__plutorun: ...could not route conn "net.192.168.3.0-net.local"
Feb 14 16:15:05 gateway ipsec__plutorun: 003 "gate.192.168.3.0-gate.local": route-host command exited with status 7
Feb 14 16:15:05 gateway ipsec__plutorun: 025 "gate.192.168.3.0-gate.local": could not route
Feb 14 16:15:05 gateway ipsec__plutorun: ...could not route conn "gate.192.168.3.0-gate.local"
Feb 14 16:15:05 gateway ipsec__plutorun: 003 "gate.192.168.3.0-net.local": route-client command exited with status 7
Feb 14 16:15:05 gateway ipsec__plutorun: 003 "gate.192.168.3.0-net.local": down-client command exited with status 1
Feb 14 16:15:05 gateway ipsec__plutorun: 025 "gate.192.168.3.0-net.local": could not route
Feb 14 16:15:05 gateway ipsec__plutorun: ...could not route conn "gate.192.168.3.0-net.local"
Feb 14 16:15:10 gateway kernel: ip_demasq_esp(): Inbound from 80.196.xx.67 SPI 7AEE7338 has no masq table entry.
Feb 14 16:15:58 gateway kernel: ip_demasq_esp(): Inbound from 80.196.xx.67 SPI 7AEE7338 has no masq table entry.
Feb 14 16:16:17 gateway ipsec__plutorun: 104 "net.192.168.3.0-gate.local" #1: STATE_MAIN_I1: initiate
Feb 14 16:16:17 gateway ipsec__plutorun: 106 "net.192.168.3.0-gate.local" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Feb 14 16:16:17 gateway ipsec__plutorun: 108 "net.192.168.3.0-gate.local" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Feb 14 16:16:17 gateway ipsec__plutorun: 004 "net.192.168.3.0-gate.local" #1: STATE_MAIN_I4: ISAKMP SA established
Feb 14 16:16:17 gateway ipsec__plutorun: 003 "net.192.168.3.0-gate.local" #2: regenerating DH private secret to avoid Pluto 1.0 bug handling public value with leading zero
Feb 14 16:16:17 gateway ipsec__plutorun: 112 "net.192.168.3.0-gate.local" #2: STATE_QUICK_I1: initiate
Feb 14 16:16:17 gateway ipsec__plutorun: 003 "net.192.168.3.0-gate.local" #2: route-host command exited with status 7
Feb 14 16:16:17 gateway ipsec__plutorun: 032 "net.192.168.3.0-gate.local" #2: STATE_QUICK_I1: internal error
Feb 14 16:16:17 gateway ipsec__plutorun: 003 "net.192.168.3.0-gate.local" #2: route-host command exited with status 7
Feb 14 16:16:17 gateway ipsec__plutorun: 032 "net.192.168.3.0-gate.local" #2: STATE_QUICK_I1: internal error
Feb 14 16:16:17 gateway ipsec__plutorun: 010 "net.192.168.3.0-gate.local" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
Feb 14 16:16:17 gateway ipsec__plutorun: 010 "net.192.168.3.0-gate.local" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
Feb 14 16:16:17 gateway ipsec__plutorun: 003 "net.192.168.3.0-gate.local" #2: route-host command exited with status 7
Feb 14 16:16:17 gateway ipsec__plutorun: 032 "net.192.168.3.0-gate.local" #2: STATE_QUICK_I1: internal error
Feb 14 16:16:17 gateway ipsec__plutorun: 031 "net.192.168.3.0-gate.local" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Feb 14 16:16:17 gateway ipsec__plutorun: 000 "net.192.168.3.0-gate.local" #2: starting keying attempt 2 of an unlimited number, but releasing whack
Feb 14 16:16:17 gateway ipsec__plutorun: ...could not start conn "net.192.168.3.0-gate.local"
Feb 14 16:17:27 gateway ipsec__plutorun: 112 "net.192.168.3.0-net.local" #4: STATE_QUICK_I1: initiate
Feb 14 16:17:27 gateway ipsec__plutorun: 010 "net.192.168.3.0-net.local" #4: STATE_QUICK_I1: retransmission; will wait 20s for response
Feb 14 16:17:27 gateway ipsec__plutorun: 003 "net.192.168.3.0-net.local" #4: route-client command exited with status 7
Feb 14 16:17:27 gateway ipsec__plutorun: 032 "net.192.168.3.0-net.local" #4: STATE_QUICK_I1: internal error
Feb 14 16:17:27 gateway ipsec__plutorun: 003 "net.192.168.3.0-net.local" #4: route-client command exited with status 7
Feb 14 16:17:27 gateway ipsec__plutorun: 032 "net.192.168.3.0-net.local" #4: STATE_QUICK_I1: internal error
Feb 14 16:17:27 gateway ipsec__plutorun: 010 "net.192.168.3.0-net.local" #4: STATE_QUICK_I1: retransmission; will wait 40s for response
Feb 14 16:17:27 gateway ipsec__plutorun: 003 "net.192.168.3.0-net.local" #4: route-client command exited with status 7
Feb 14 16:17:27 gateway ipsec__plutorun: 032 "net.192.168.3.0-net.local" #4: STATE_QUICK_I1: internal error
Feb 14 16:17:27 gateway ipsec__plutorun: 031 "net.192.168.3.0-net.local" #4: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Feb 14 16:17:27 gateway ipsec__plutorun: 000 "net.192.168.3.0-net.local" #4: starting keying attempt 2 of an unlimited number, but releasing whack
Feb 14 16:17:27 gateway ipsec__plutorun: ...could not start conn "net.192.168.3.0-net.local"
Feb 14 16:17:35 gateway last message repeated 2 times

I hope someone can help me out... and sorry for my English.

Jono
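
A log triage helper for the kind of pluto output pasted above, added here as an example; it is not part of Jono's post or of the SME/FreeS/WAN packages. It groups the ipsec__plutorun lines by connection name and reports whether the route-host/route-client step failed (which happens before any tunnel is negotiated), whether Phase 1 (ISAKMP SA) completed, and whether Quick Mode timed out. The sample lines are constructed to resemble the post; the lab.* connection and its "IPsec SA established" line are invented to show what a working tunnel looks like.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a FreeS/WAN pluto log per
# connection so the earliest failure (routing, before any tunnel) is visible.
# Assumes the FreeS/WAN 1.x message wording shown in the thread.

# Constructed sample log lines modelled on the post above (not a real capture).
SAMPLE_LOG='Feb 14 16:15:04 gateway ipsec__plutorun: 003 "net.192.168.3.0-gate.local": route-host command exited with status 7
Feb 14 16:15:04 gateway ipsec__plutorun: 025 "net.192.168.3.0-gate.local": could not route
Feb 14 16:16:17 gateway ipsec__plutorun: 004 "net.192.168.3.0-gate.local" #1: STATE_MAIN_I4: ISAKMP SA established
Feb 14 16:16:17 gateway ipsec__plutorun: 003 "net.192.168.3.0-gate.local" #2: route-host command exited with status 7
Feb 14 16:16:17 gateway ipsec__plutorun: 031 "net.192.168.3.0-gate.local" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Feb 14 16:17:27 gateway ipsec__plutorun: 004 "net.192.168.3.0-net.local" #1: STATE_MAIN_I4: ISAKMP SA established
Feb 14 16:17:27 gateway ipsec__plutorun: 031 "net.192.168.3.0-net.local" #4: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Feb 14 16:17:30 gateway ipsec__plutorun: 004 "lab.192.168.9.0-net.local" #6: STATE_QUICK_I2: sent QI2, IPsec SA established'

# pluto_triage: read pluto log lines on stdin, print one line per connection:
#   <conn> <verdict> route_failures=<n>
# Routing failures rank first: a connection whose route-host/route-client
# script fails cannot carry traffic even when Phase 1 succeeds.
pluto_triage() {
    awk '
    /ipsec__plutorun:/ {
        # the connection name is the first double-quoted token on the line
        if (match($0, /"[^"]+"/) == 0) next
        conn = substr($0, RSTART + 1, RLENGTH - 2)
        seen[conn] = 1
        if ($0 ~ /route-(host|client) command exited with status/) route_fail[conn]++
        if ($0 ~ /ISAKMP SA established/) phase1[conn] = 1
        if ($0 ~ /IPsec SA established/) phase2[conn] = 1
        if ($0 ~ /max number of retransmissions/ && $0 ~ /STATE_QUICK/) quick_fail[conn]++
    }
    END {
        for (c in seen) {
            if (c in phase2)          verdict = "TUNNEL_UP"
            else if (c in route_fail) verdict = "ROUTE_FAIL"
            else if (c in quick_fail) verdict = "QUICK_MODE_FAIL"
            else if (c in phase1)     verdict = "PHASE1_ONLY"
            else                      verdict = "UNKNOWN"
            printf "%s %s route_failures=%d\n", c, verdict, route_fail[c] + 0
        }
    }' | sort
}

# Stand-alone run on the constructed sample. On a live box:
#   grep ipsec__plutorun /var/log/messages | pluto_triage
printf '%s\n' "$SAMPLE_LOG" | pluto_triage
```

The verdict order is the point: a ROUTE_FAIL connection should be fixed at the routing/interface level first, because the Quick Mode retransmissions that follow it in the log are a consequence, not the cause.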

Terry Brummell

Re: IPSEC plz help me!!
« Reply #1 on: February 14, 2003, 06:54:46 PM »
Same problem I posted a few weeks ago (here and at myezserver.com), never did get a working reply.  I'm doing a fresh install on my home server today (that's where I was getting the dropped packets) and am going to install FreeSwan as the only addon and see if it works then.  Will let you know how I make out.

Terry

Jono

Re: IPSEC plz help me!!
« Reply #2 on: February 14, 2003, 07:23:40 PM »
Thanks Terry, I guess I have to do it "the hard way" too.
Let me know if you get it working...

Jono

Terry Brummell

Re: IPSEC plz help me!!
« Reply #3 on: February 15, 2003, 07:04:33 PM »
Well, freshly installed 5.5u3 machine and I'm still getting the same thing. I do, however, think I have found the root cause; now I just need a solution.
When the link is created and it creates all the rules for masq, I see some rules are not being created.
Here is part of the ipchains rules from my home server:

Chain forward (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------  192.168.12.0/24      192.168.12.0/24       n/a
ACCEPT     all  ------  192.168.12.0/24      192.168.12.0/24       n/a
MASQ       all  ------  192.168.12.0/24      anywhere              n/a
MASQ       all  ------  192.168.33.0/24      anywhere              n/a
DENY       all  ------  anywhere             anywhere              n/a

(12.0 being my local subnet and 33.0 being the remote network)

and the same portion of ipchains from the remote server:

Chain forward (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------  xxxxxxx.cpe.net.cable.rogers.com 192.168.33.0/24       n/a
ACCEPT     all  ------  192.168.33.0/24      xxxxxxx.cpe.net.cable.rogers.com  n/a
ACCEPT     all  ------  192.168.12.0/24      192.168.33.0/24       n/a
ACCEPT     all  ------  192.168.33.0/24      192.168.12.0/24       n/a
ACCEPT     all  ------  192.168.33.0/24      192.168.33.0/24       n/a
ACCEPT     all  ------  192.168.33.0/24      192.168.33.0/24       n/a
MASQ       all  ------  192.168.33.0/24      anywhere              n/a
MASQ       all  ------  192.168.12.0/24      anywhere              n/a
DENY       all  ------  anywhere             anywhere              n/a

Where ....rogers.com is the reverse DNS lookup of my IP address. The only difference between the 2 setups that I can see is the fact that there is no reverse lookup of the remote server's IP published on the 'net.
So, I guess my question is, does FreeSwan "have" to be able to do a remote lookup of the other server's IP address? Does anybody have IPSec working in an environment where their public IP addresses do not have reverse lookups programmed in DNS published to the internet?
My guess is that because the IP cannot be looked up, FreeSwan fails to create the proper masq rules, calling the far end insecure or a lame server. Makes it more secure, I guess.
Any comments on this would be appreciated.

Terry
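
An added check, not Terry's own script or anything shipped with SME, for the difference he describes: given an ipchains forward chain listing and the two private subnets, it reports whether the ACCEPT rule for each direction between them is present. The chains below are constructed copies of the two listings in the post with the duplicate lines dropped; a hostname in the source column (as on the remote server) parses the same way, because only the source and destination columns are compared.

```shell
#!/bin/sh
# Added example (not from the thread): check an ipchains "forward" chain for
# the pair of ACCEPT rules a tunnel between two subnets needs, one per
# direction. Assumes the column layout of `ipchains -L forward`:
#   target prot opt source destination ports

# Constructed chains modelled on the two listings in the post above.
HOME_CHAIN='Chain forward (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------  192.168.12.0/24      192.168.12.0/24       n/a
MASQ       all  ------  192.168.12.0/24      anywhere              n/a
MASQ       all  ------  192.168.33.0/24      anywhere              n/a
DENY       all  ------  anywhere             anywhere              n/a'

REMOTE_CHAIN='Chain forward (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------  192.168.12.0/24      192.168.33.0/24       n/a
ACCEPT     all  ------  192.168.33.0/24      192.168.12.0/24       n/a
ACCEPT     all  ------  192.168.33.0/24      192.168.33.0/24       n/a
MASQ       all  ------  192.168.33.0/24      anywhere              n/a
MASQ       all  ------  192.168.12.0/24      anywhere              n/a
DENY       all  ------  anywhere             anywhere              n/a'

# check_forward_pairs CHAIN_TEXT LOCAL_SUBNET REMOTE_SUBNET
# Prints one MISSING line per absent direction, or a single OK line.
check_forward_pairs() {
    printf '%s\n' "$1" | awk -v lnet="$2" -v rnet="$3" '
    $1 == "ACCEPT" { accept[$4 " " $5] = 1 }     # index ACCEPT rules by src/dst
    END {
        missing = 0
        if (!((lnet " " rnet) in accept)) { print "MISSING ACCEPT " lnet " -> " rnet; missing++ }
        if (!((rnet " " lnet) in accept)) { print "MISSING ACCEPT " rnet " -> " lnet; missing++ }
        if (missing == 0) print "OK " lnet " <-> " rnet " accepted in both directions"
    }'
}

# Stand-alone run on the constructed chains. On a live box:
#   check_forward_pairs "$(ipchains -L forward -n)" 192.168.12.0/24 192.168.33.0/24
echo "home server:"
check_forward_pairs "$HOME_CHAIN" 192.168.12.0/24 192.168.33.0/24
echo "remote server:"
check_forward_pairs "$REMOTE_CHAIN" 192.168.33.0/24 192.168.12.0/24
```

Using `-n` when listing the chain makes ipchains print addresses numerically, so the output (and this check) does not depend on whether either public address has a reverse DNS entry.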

Jono

Re: IPSEC plz help me!!
« Reply #4 on: February 16, 2003, 05:07:39 PM »
Hi again

My ipchains on client and server look just the same...

I maybe found a bug or something: when I'm adding the "remote" local net and running the route command, this is the output:
[root@gateway root]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
255.255.255.255 0.0.0.0         255.255.255.255 UH    0      0        0 eth0
195.xxx.x.231   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
195.xxx.x.231   0.0.0.0         255.255.255.255 UH    0      0        0 ipsec0
192.168.3.0     192.168.2.2     255.255.255.0   UG    0      0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         195.xxx.x.231   0.0.0.0         UG    0      0        0 ppp0

This seems OK to me anyway... :)
195.168.3.0 is the remote net, and this is routed via 192.168.2.2 (the SME on the inside local net).
195.xxx.x.231 is the PPPoE gateway to my ISP.

Here comes the bug, or whatever:
When I'm adding a new IPSEC VPN to 192.168.3.2 (the SME's internal IP on the remote side), this is the output of route:

[root@gateway root]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
255.255.255.255 0.0.0.0         255.255.255.255 UH    0      0        0 eth0
195.xxx.x.231   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
195.xxx.x.231   0.0.0.0         255.255.255.255 UH    0      0        0 ipsec0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         195.xxx.x.231   0.0.0.0         UG    0      0        0 ppp0

The remote net is gone???
I just don't get it...

Kirk

Re: IPSEC plz help me!!
« Reply #5 on: February 17, 2003, 03:32:04 PM »
Jono,
I have the same problem.  I've tried turning NAT on and off (I don't use NAT... I have a cable modem... Is this software NATing??), turning encryption off, re-installing 5.5 without the 2 upgrade, installing 5.6, adding to the routing table manually, removing the 'local network' and adding it again (using the interface), using the external addresses of the machines as 'local network' on both sides, manually re-writing the ipsec.conf, re-doing signal-event ipsec-install (on both sides), re-installing the VPN before and after adding the local network (with and without the external IPs), running around my chair (twice, once counter-clockwise), kicking the machine and drinking lots of coffee.  Nothing seems to work.

I initially installed as server-gateway.  For the last 10 or so attempts I've used private server-gateway on install.  Today I'm switching back to the public one. It seems to me that this only turns off ports 110 and 80 to the outside, but I could be mistaken.

What all have you tried?

Let me know if you get anywhere with it, and I'll do the same. I brought a stable VPN down for this because of the many extras that SME offers us.  I hope I don't have to reverse my decision.

If anyone sees our error, please let us know.  Any help would be appreciated.

-Kirk

Todd

Re: IPSEC plz help me!!
« Reply #6 on: February 17, 2003, 06:18:40 PM »
I don't use FreeSWAN on SME, but I use it on a bunch of other Linux routers.  Your problem appears to be during the FreeSWAN initialization, well before it tries to bring up any tunnels.  I'd try a post to the FreeSWAN list to see if they at least point you in the right direction to troubleshoot.


Feb 14 16:15:01 gateway e-smith-bg: ipsec_setup: Starting FreeS/WAN IPsec 1.97...
Feb 14 16:15:01 gateway ipsec_setup: Starting FreeS/WAN IPsec 1.97...
Feb 14 16:15:01 gateway ipsec_setup: KLIPS debug none'
Feb 14 16:15:01 gateway ipsec_setup: KLIPS ipsec0 on ppp0 80.196.xxx.xx/255.255.255.255 pointopoint 195.249.x.xxx
Feb 14 16:15:02 gateway ipsec_setup: ...FreeS/WAN IPsec started
Feb 14 16:15:04 gateway ipsec__plutorun: 003 "net.192.168.3.0-gate.local": route-host command exited with status 7

The SME FreeSWAN rpms for 5.5 have been around for a while so I'd be surprised if they didn't work, but several of you having the identical problem and on clean installs is concerning.  Sorry I can't help, I just wanted to steer you away from troubleshooting the tunnels because I don't think that's the problem yet.  In fact, try starting FreeSWAN without any connection defined and see if you get any errors.

- Todd

Kirk

Re: IPSEC plz help me!!
« Reply #7 on: February 17, 2003, 07:56:20 PM »
I just tried it.  It does not give errors without a connection defined in SME.  Actually, it doesn't give an error when encryption is disabled either. If I leave the connection defined and disable all the encryption, no errors.  Hopefully this helps the troubleshooters; not me it doesn't ;) I still can't establish a connection.

Here's a new error.  I'm using pptp because I can't get this up. Without a VPN defined I'm getting

Feb 17 11:50:29  vpn ipsec__plutorun: 003 IP interfaces ppp0 and eth0 share address 192.168.x.x !

I'm not sure what's with the exclamation(!) point... it's a surprise!
Thanks for your help Todd.

-K

Jono

Re: IPSEC plz help me!!
« Reply #8 on: February 17, 2003, 11:34:21 PM »
No Kirk, it's not a surprise... It's here too, so I put up a second SME at my main site, and got one more way to get inside, hehe. It's working fine fine...

So now I'm not getting the
Feb 17 11:50:29 vpn ipsec__plutorun: 003 IP interfaces ppp0 and eth0 share address 192.168.x.x
anymore... :)

Well anyway, I got the IPSEC link up... YAHOO!!!
I can ping all computers at the main site from home, and all home computers from the main site, but I can't get online with the web servers on the main site!??? I'll try to fix that now... The WINS server on my home SME is pointing to the main site SME, so I don't really get this... Hmmm

Here's what I did to get the link up:
Use the route command a lot... :) Check the default route; that's the gateway to the internet. When you add a local network, the gateway on that new net must be the same as the default route, but when you add the IPSEC VPN the new net you just added is gone. To get around this I made a second local net and deleted it again; when I did this, sometimes the route to the "old new net" was back.
Then just edit /etc/ipsec.conf to add the missing gateway information manually and RESET the server. BINGO!! That's it...
The IPSEC is loaded and up and running right away!!!! Yaaahhhhh...

Another thing I found on my old 5.5 installation was that the IPSEC VPN was loaded before the PPPoE link was made, and that made plutorun f... up!!
Now PPPoE is loaded and up long before IPSEC is started...

Anybody got an idea why I can't get online to the HTTP servers on the main net...!??
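
An added example, not from Jono's posts or from SME, of the route-table check he describes doing by eye with route -n in Reply #4 and in the write-up above: it parses the table and reports whether a default route exists (it is absent while the PPPoE link is still down, the start-order problem noted just above), whether a route for the remote private subnet is still present, and whether an ipsec0 entry is there at all. The tables are constructed to match the "before" and "after" listings in Reply #4, with 198.51.100.1 (a documentation address) standing in for the masked ISP gateway.

```shell
#!/bin/sh
# Added example (not from the thread): read `route -n` output and report the
# default route, the route to the remote private subnet, and whether an
# ipsec0 entry exists. Assumes the `route -n` column order
#   Destination Gateway Genmask Flags Metric Ref Use Iface
# and uses 198.51.100.1 in place of the masked ISP gateway address.

# Constructed tables modelled on the "before" and "after" listings above.
ROUTE_BEFORE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
198.51.100.1    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
198.51.100.1    0.0.0.0         255.255.255.255 UH    0      0        0 ipsec0
192.168.3.0     192.168.2.2     255.255.255.0   UG    0      0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         198.51.100.1    0.0.0.0         UG    0      0        0 ppp0'

ROUTE_AFTER='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
198.51.100.1    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
198.51.100.1    0.0.0.0         255.255.255.255 UH    0      0        0 ipsec0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         198.51.100.1    0.0.0.0         UG    0      0        0 ppp0'

# Constructed table for a box whose PPPoE link is not up yet: no default
# route and no ipsec0 entry, the state in which pluto must not be started.
ROUTE_NO_PPP='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo'

# check_remote_route ROUTE_TABLE REMOTE_SUBNET
# Prints exactly one line: NO_DEFAULT_ROUTE ..., REMOTE_MISSING ... or
# REMOTE_PRESENT ..., each carrying the default route and ipsec0 status.
check_remote_route() {
    printf '%s\n' "$1" | awk -v rnet="$2" '
    NR <= 2          { next }                  # skip the two header lines
    $1 == "0.0.0.0"  { def_gw = $2; def_if = $8 }
    $1 == rnet       { r_gw = $2; r_if = $8 }
    $8 == "ipsec0"   { klips = "yes" }
    END {
        if (klips == "") klips = "no"
        if (def_gw == "") { print "NO_DEFAULT_ROUTE ipsec0=" klips; exit }
        if (r_gw == "")   { print "REMOTE_MISSING default=" def_gw "/" def_if " ipsec0=" klips; exit }
        print "REMOTE_PRESENT via=" r_gw " dev=" r_if " default=" def_gw "/" def_if " ipsec0=" klips
    }'
}

# Stand-alone run over the three constructed tables. On a live box:
#   check_remote_route "$(route -n)" 192.168.3.0
for t in "$ROUTE_BEFORE" "$ROUTE_AFTER" "$ROUTE_NO_PPP"; do
    check_remote_route "$t" 192.168.3.0
done
```

Running it once before and once after adding the VPN entry gives a REMOTE_PRESENT/REMOTE_MISSING pair that documents the disappearing route without reading two tables side by side; NO_DEFAULT_ROUTE at IPsec start time is the signature of pluto being started before the PPPoE link.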

Kirk

Re: IPSEC plz help me!!
« Reply #9 on: February 18, 2003, 02:54:11 PM »
You have squid up and running?  It's caching it and sending it to the internet instead of across the ipsec tunnel.  You may be able to get around it by putting your intranet on a different, non-standard port.

Can you give me some numbers for your example?
How I understand it is:
Central - Internal :192.168.100.1
Central - External : 64.x.x.x

Remote- Internal: 192.168.0.1
Remote- External: 46.x.x.x

on the remote side make a local net of
net 192.168.100.1
subnet 255.255.255.0
gw 46.x.x.x ??

-Kirk

Terry Brummell

Re: IPSEC plz help me!!
« Reply #10 on: March 03, 2003, 09:32:03 PM »
Well, I've managed to get IPSec up on 2 machines at work, both in the same public subnet range.  Neither of the machines has a published host name.  I'll try the same box at home with rearranged IP info and see what happens; I suspect it will fail because the hostname of the machine and the reverse lookup do not match.  Will post later with my results...