Topic: SME 5.5u6 + FreeSwan

[Paul F]

Can anyone tell me if a fresh SME 5.5+u6 will work out of the box with dmc-mitel-freeswan-1.97-3sme55.noarch.rpm?

Thanks for any info.

I tried SME 5.6+u4 first with Shad Lands with no success. I then removed this, having to --nodeps on the packetfilter. Then I went to DM's for 5.6 and could not get that working either

I was told that I am likely to have better luck with 5.5.

[Peter Schubert]

It works fine:
Use this on your 5.6 Server with Shad  Lords RPM:

/sbin/e-smith/config setprop ipsec pubid {insert your external IP here}

then

/sbin/e-smith/expand-template /etc/ipsec.conf

Be shure to use the latest version at:
http://lordsfam.net/downloads/production/freeswan/

With problems have a look at the /var/log/messages and /var/log/secure
logfiles.

You have to do a /sbin/e-smith/signal-event ipsec-install, and this change your public key ! Be shure to change the key at the other side.

Peter

[Paul F]

Hi. Thanks for your reply. I'm curious that this version does not ask for the last hop/gateway/concentrator IP for either side. I will give this another try. Are the two extra commands you posted always necessary or they are only if there are problems?

Few mins later.... well at least now there is some TX bytes I can see and ipsec eroute responds with some data rather than blank! The client side is back down to 5.5 so I will have to switch over to 5.6 again tomorrow but this looks promising.

Thank you so much for this tip. I am up *&(& creek having installed 5.6 (fresh install, removing 5.1.2 and finding my drive image was corrupt to go back) and no more VPN, I would be extremely grateful if you have a chance to re-visit this thread today/tomrrow and I will post how I made out (or did not.)

-Paul-

[Peter Schubert]

Hi Paul,

Shad Lords use the domainname from each box as the ID, i have some trouble with this, because i have customers with the SAME domain at both sides.
If you use 5.6 with the new freeswan 1.99 at both sides, use the update to change the ID to your external IP´s, then use the mail function to view the parameters for your vpn (again on two sides).
This works great for me.

If possible try to use SME 5.6 and freeswan 1.99, it´s better.
Please UNINSTALL dmc-mitel-freeswan, before you (re-) install devinfo-freeswan-1.99-6sme56 (rpm -e dmc-mitel-freeswan).

Sometimes you need to restart mask (or the hole server) it you change the versions.

Good luck
Peter

[guestHH]

Hi Peter,

Could you please explain what your below advice is for?

/sbin/e-smith/config setprop ipsec pubid {insert your external IP here}

is this needed so the tunnel works with an update the remote router's ID to ip-number instead of name?

TIA

Regards,
guestHH

[Greg]

Will 5.6 work as the server with 5.5 clients?

[Paul F]

Thanks again.

Indeed we are using the same domain. I did however change the ID's to the external IP's with no luck. Any further suggestions appreciated.

SERVER
eroute
35         192.168.1.0/24     -> 192.168.4.0/24     => %hold
0          192.168.1.0/24     -> 216.130.44.154/32  => %trap
3          205.200.44.200/32  -> 192.168.4.0/24     => %hold
0          205.200.44.200/32  -> 216.130.44.154/32  => %trap

------
Apr 29 10:05:42 whopper1 ipsec__plutorun: Starting Pluto subsystem...
Apr 29 10:05:42 whopper1 pluto[30945]: Starting Pluto (FreeS/WAN Version 1.99)
Apr 29 10:05:42 whopper1 pluto[30945]: added connection description "gate.local-net.192.168.4.0"
Apr 29 10:05:43 whopper1 pluto[30945]: added connection description "net.local-gate.192.168.4.0"
Apr 29 10:05:43 whopper1 pluto[30945]: added connection description "gate.local-gate.192.168.4.0"
Apr 29 10:05:43 whopper1 pluto[30945]: added connection description "net.local-net.192.168.4.0"
Apr 29 10:05:43 whopper1 pluto[30945]: listening for IKE messages
Apr 29 10:05:43 whopper1 pluto[30945]: adding interface ipsec0/ppp0 205.200.44.200
Apr 29 10:05:43 whopper1 pluto[30945]: loading secrets from "/etc/ipsec.secrets"
Apr 29 10:05:43 whopper1 pluto[30945]: "gate.local-net.192.168.4.0" #1: initiating Main Mode
Apr 29 10:05:43 whopper1 pluto[30945]: "gate.local-net.192.168.4.0" #1: ERROR: asynchronous network error report on ppp0 for message to 216.130.44.154 port 500, complainant 216.130.44.154: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Apr 29 10:05:53 whopper1 pluto[30945]: "gate.local-net.192.168.4.0" #1: ERROR: asynchronous network error report on ppp0 for message to 216.130.44.154 port 500, complainant 216.130.44.154: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Apr 29 10:06:09 whopper1 pluto[30945]: "gate.local-net.192.168.4.0" #2: responding to Main Mode
Apr 29 10:06:10 whopper1 pluto[30945]: "gate.local-net.192.168.4.0" #2: sent MR3, ISAKMP SA established
Apr 29 10:06:19 whopper1 pluto[30945]: "gate.local-net.192.168.4.0" #2: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Apr 29 10:06:23 whopper1 pluto[30945]: "gate.local-net.192.168.4.0" #1: discarding duplicate packet; already STATE_MAIN_I3
Apr 29 10:06:32 whopper1 pluto[30945]: "net.local-net.192.168.4.0" #3: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS
Apr 29 10:06:39 whopper1 pluto[30945]: "gate.local-net.192.168.4.0" #4: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS
Apr 29 10:06:40 whopper1 pluto[30945]: "gate.local-net.192.168.4.0" #2: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Apr 29 10:06:44 whopper1 pluto[30945]: "gate.local-net.192.168.4.0" #1: discarding duplicate packet; already STATE_MAIN_I3
Apr 29 10:07:20 whopper1 pluto[30945]: "gate.local-net.192.168.4.0" #5: responding to Main Mode
Apr 29 10:07:21 whopper1 pluto[30945]: "gate.local-net.192.168.4.0" #5: sent MR3, ISAKMP SA established



CLIENT
eroute
114        192.168.4.0/24     -> 192.168.1.0/24     => %hold
0          192.168.4.0/24     -> 205.200.44.215/32  => %trap
10         216.130.44.154/32  -> 192.168.1.0/24     => %hold
0          216.130.44.154/32  -> 205.200.44.215/32  => %trap

------
Apr 29 09:57:25 cheese ipsec__plutorun: Starting Pluto subsystem...
Apr 29 09:57:25 cheese pluto[7251]: Starting Pluto (FreeS/WAN Version 1.99)
Apr 29 09:57:26 cheese pluto[7251]: added connection description "net.local-gate.192.168.1.0"
Apr 29 09:57:27 cheese pluto[7251]: added connection description "gate.local-gate.192.168.1.0"
Apr 29 09:57:28 cheese pluto[7251]: added connection description "net.local-net.192.168.1.0"
Apr 29 09:57:28 cheese pluto[7251]: added connection description "gate.local-net.192.168.1.0"
Apr 29 09:57:28 cheese pluto[7251]: listening for IKE messages
Apr 29 09:57:28 cheese pluto[7251]: adding interface ipsec0/ppp0 216.130.44.154
Apr 29 09:57:28 cheese pluto[7251]: loading secrets from "/etc/ipsec.secrets"
Apr 29 09:57:30 cheese pluto[7251]: "net.local-gate.192.168.1.0" #1: initiating Main Mode
Apr 29 09:57:30 cheese pluto[7251]: "net.local-gate.192.168.1.0" #1: we require peer to have ID '@205.200.44.200', but peer declares '@test.com'
Apr 29 09:57:33 cheese pluto[7251]: "net.local-gate.192.168.1.0" #2: responding to Main Mode
Apr 29 09:57:34 cheese pluto[7251]: "net.local-gate.192.168.1.0" #2: no suitable connection for peer '@test.com'
Apr 29 09:57:40 cheese pluto[7251]: "net.local-gate.192.168.1.0" #1: we require peer to have ID '@205.200.44.200', but peer declares '@test.com'
Apr 29 09:57:44 cheese pluto[7251]: "net.local-gate.192.168.1.0" #2: no suitable connection for peer '@test.com'
Apr 29 09:57:52 cheese pluto[7251]: "net.local-gate.192.168.1.0" #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
Apr 29 09:57:59 cheese pluto[7251]: "net.local-gate.192.168.1.0" #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
Apr 29 09:58:00 cheese pluto[7251]: "net.local-gate.192.168.1.0" #1: we require peer to have ID '@205.200.44.200', but peer declares '@test.com'
Apr 29 09:58:02 cheese pluto[7251]: "net.local-gate.192.168.1.0" #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
Apr 29 09:58:03 cheese pluto[7251]: "net.local-gate.192.168.1.0" #2: no suitable connection for peer '@test.com'
Apr 29 09:58:09 cheese pluto[7251]: "net.local-gate.192.168.1.0" #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
Apr 29 09:58:29 cheese last message repeated 2 times
Apr 29 09:58:40 cheese pluto[7251]: "net.local-gate.192.168.1.0" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
Apr 29 09:58:40 cheese pluto[7251]: "net.local-gate.192.168.1.0" #1: starting keying attempt 2 of an unlimited number, but releasing whack
Apr 29 09:58:40 cheese pluto[7251]: "net.local-gate.192.168.1.0" #3: initiating Main Mode to replace #1
Apr 29 09:58:41 cheese pluto[7251]: "net.local-gate.192.168.1.0" #3: we require peer to have ID '@205.200.44.200', but peer declares '@test.com'
Apr 29 09:58:43 cheese pluto[7251]: "net.local-gate.192.168.1.0" #4: responding to Main Mode
Apr 29 09:58:44 cheese pluto[7251]: "net.local-gate.192.168.1.0" #2: max number of retransmissions (2) reached STATE_MAIN_R2
Apr 29 09:58:44 cheese pluto[7251]: "net.local-gate.192.168.1.0" #4: no suitable connection for peer '@test.com'
Apr 29 09:58:51 cheese pluto[7251]: "net.local-gate.192.168.1.0" #3: we require peer to have ID '@205.200.44.200', but peer declares '@test.com'
Apr 29 09:58:54 cheese pluto[7251]: "net.local-gate.192.168.1.0" #4: no suitable connection for peer '@test.com'
Apr 29 09:59:11 cheese pluto[7251]: "net.local-gate.192.168.1.0" #3: we require peer to have ID '@205.200.44.200', but peer declares '@test.com'
Apr 29 09:59:14 cheese pluto[7251]: "net.local-gate.192.168.1.0" #4: no suitable connection for peer '@test.com'
Apr 29 09:59:51 cheese pluto[7251]: "net.local-gate.192.168.1.0" #3: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
Apr 29 09:59:51 cheese pluto[7251]: "net.local-gate.192.168.1.0" #3: starting keying attempt 3 of an unlimited number
Apr 29 09:59:51 cheese pluto[7251]: "net.local-gate.192.168.1.0" #5: initiating Main Mode to replace #3
Apr 29 09:59:52 cheese pluto[7251]: "net.local-gate.192.168.1.0" #5: we require peer to have ID '@205.200.44.200', but peer declares '@test.com'
Apr 29 09:59:54 cheese pluto[7251]: "net.local-gate.192.168.1.0" #6: responding to Main Mode
Apr 29 09:59:54 cheese pluto[7251]: "net.local-gate.192.168.1.0" #4: max number of retransmissions (2) reached STATE_MAIN_R2
Apr 29 09:59:54 cheese pluto[7251]: "net.local-gate.192.168.1.0" #6: no suitable connection for peer '@test.com'
Apr 29 10:00:02 cheese pluto[7251]: "net.local-gate.192.168.1.0" #5: we require peer to have ID '@205.200.44.200', but peer declares '@test.com'
Apr 29 10:00:04 cheese pluto[7251]: "net.local-gate.192.168.1.0" #6: no suitable connection for peer '@test.com'
Apr 29 10:00:22 cheese pluto[7251]: "net.local-gate.192.168.1.0" #5: we require peer to have ID '@205.200.44.200', but peer declares '@test.com'
Apr 29 10:00:24 cheese pluto[7251]: "net.local-gate.192.168.1.0" #6: no suitable connection for peer '@test.com'
Apr 29 10:01:02 cheese pluto[7251]: "net.local-gate.192.168.1.0" #5: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
Apr 29 10:01:02 cheese pluto[7251]: "net.local-gate.192.168.1.0" #5: starting keying attempt 4 of an unlimited number
Apr 29 10:01:02 cheese pluto[7251]: "net.local-gate.192.168.1.0" #7: initiating Main Mode to replace #5
Apr 29 10:01:03 cheese pluto[7251]: "net.local-gate.192.168.1.0" #7: we require peer to have ID '@205.200.44.200', but peer declares '@test.com'
Apr 29 10:01:04 cheese pluto[7251]: "net.local-gate.192.168.1.0" #6: max number of retransmissions (2) reached STATE_MAIN_R2
Apr 29 10:01:05 cheese pluto[7251]: "net.local-gate.192.168.1.0" #8: responding to Main Mode
Apr 29 10:01:05 cheese pluto[7251]: "net.local-gate.192.168.1.0" #8: no suitable connection for peer '@test.com'
Apr 29 10:01:13 cheese pluto[7251]: "net.local-gate.192.168.1.0" #7: we require peer to have ID '@205.200.44.200', but peer declares '@test.com'
Apr 29 10:01:15 cheese pluto[7251]: "net.local-gate.192.168.1.0" #8: no suitable connection for peer '@test.com'
Apr 29 10:01:33 cheese pluto[7251]: "net.local-gate.192.168.1.0" #7: we require peer to have ID '@205.200.44.200', but peer declares '@test.com'
Apr 29 10:01:35 cheese pluto[7251]: "net.local-gate.192.168.1.0" #8: no suitable connection for peer '@test.com'
Apr 29 10:02:13 cheese pluto[7251]: "net.local-gate.192.168.1.0" #7: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
Apr 29 10:02:13 cheese pluto[7251]: "net.local-gate.192.168.1.0" #7: starting keying attempt 5 of an unlimited number
Apr 29 10:02:13 cheese pluto[7251]: "net.local-gate.192.168.1.0" #9: initiating Main Mode to replace #7
Apr 29 10:02:14 cheese pluto[7251]: "net.local-gate.192.168.1.0" #9: we require peer to have ID '@205.200.44.200', but peer declares '@test.com'
Apr 29 10:02:15 cheese pluto[7251]: "net.local-gate.192.168.1.0" #10: responding to Main Mode
Apr 29 10:02:15 cheese pluto[7251]: "net.local-gate.192.168.1.0" #8: max number of retransmissions (2) reached STATE_MAIN_R2
Apr 29 10:02:16 cheese pluto[7251]: "net.local-gate.192.168.1.0" #10: no suitable connection for peer '@test.com'
Apr 29 10:02:24 cheese pluto[7251]: "net.local-gate.192.168.1.0" #9: we require peer to have ID '@205.200.44.200', but peer declares '@test.com'
Apr 29 10:02:26 cheese pluto[7251]: "net.local-gate.192.168.1.0" #10: no suitable connection for peer '@test.com'
Apr 29 10:02:44 cheese pluto[7251]: "net.local-gate.192.168.1.0" #9: we require peer to have ID '@205.200.44.200', but peer declares '@test.com'
Apr 29 10:02:46 cheese pluto[7251]: "net.local-gate.192.168.1.0" #10: no suitable connection for peer '@test.com'
Apr 29 10:03:24 cheese pluto[7251]: "net.local-gate.192.168.1.0" #9: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
Apr 29 10:03:24 cheese pluto[7251]: "net.local-gate.192.168.1.0" #9: starting keying attempt 6 of an unlimited number
Apr 29 10:03:24 cheese pluto[7251]: "net.local-gate.192.168.1.0" #11: initiating Main Mode to replace #9
Apr 29 10:03:25 cheese pluto[7251]: "net.local-gate.192.168.1.0" #11: we require peer to have ID '@205.200.44.200', but peer declares '@test.com'
Apr 29 10:03:25 cheese pluto[7251]: "net.local-gate.192.168.1.0" #10: max number of retransmissions (2) reached STATE_MAIN_R2
Apr 29 10:03:26 cheese pluto[7251]: "net.local-gate.192.168.1.0" #12: responding to Main Mode
Apr 29 10:03:26 cheese pluto[7251]: "net.local-gate.192.168.1.0" #12: no suitable connection for peer '@test.com'
Apr 29 10:03:34 cheese pluto[7251]: "net.local-gate.192.168.1.0" #11: we require peer to have ID '@205.200.44.200', but peer declares '@test.com'
Apr 29 10:03:36 cheese pluto[7251]: "net.local-gate.192.168.1.0" #12: no suitable connection for peer '@test.com'

[Paul F]

No go still

I don't understand this but I tried changing hostname on the client.

site1.test
domain.site1.com

can you provide an example from a fqdn?

Thanks!

[Paul F]

OK, I don't know htf but things are working now. Used same domains and simply specified external router IP for ID as Peter suggested.

There is one quirk. /proc/sys/net/ipv4/conf/ppp0/rp_filter is set to 1 by default and FreeSwan seems to need 0 to work (build the tunnels anyway.)

If anyone can instuct me on how and where to add a command to echo 0 to that file when starting IPSEC then maybe (??? advisable ???) back to 1 once the tunnels are up, that would be great!


Thanks again!

[guestHH]

echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter

at least me for me it's eth1.... !!??

[Paul F]

Yeah mine is a pppoe adaptor. However on server reboot it is set back to 1 and the tunnels don't come up.

So I would like to know how I can make FreeSwan echo 0 at start then 1 (I don't even know the functionality of this filtering but maybe shoud be turned back on?) once the tunnels are up.

Thanks!

[guestHH]

Good question Paul,

I get confused by that manual setting too. Does anybody know why
/proc/sys/net/ipv4/conf/'adaptername'/rp_filter has to be set to zero? and what purpose it servers. Especially interested in the security impact....

TIA
Regards,
guestHH

[guestHH]

JFYI,

http://lists.freeswan.org/pipermail/distro/2002q3/000012.html
http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/07/msg00231.html
http://mailman.mplug.org/pipermail/monmotha-discuss/2002-September/000429.html

and

http://en.tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/chap25sec206.html

Hope it helps a bit.

Regards,
guestHH

[guestHH]

General question:

what are the results of setting rp_filter to 0 for ipsec0 only ?
(so leaving the deafults for other interfaces alone)

what do you get ?

[guestHH]

Some findings:

setting the 0 (zero) to ipsec0 only will result in not being able to access the internal network on the other side. Setting eth0 and eth1 to 0 (zero) will grant you access to the local network on the other side.

[Paul F]

Interesting. I have still to figure out how to modify the template to do this when FreeSwan starts. I'm sure you will notice that on a reboot it is set back to 1.

Also, I came back in this morning and the tunnels were down. With 5.1.2 I had tunnels up for weeks straight. So I will have to keep watch.

Thanks again for all your help!

[Peter Schubert]

Hmm .......

The template fragment for mask should do this:  

 # Turn on Source Address Verification
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 0 > $f
    done

maybe try to insert this also in the ipsec-start script.

[Paul F]

Has anyone tried using this in a situation where one client is dynamic IP and using the hostname instead?

Thanks!

[guestHH]

Peter,

dont't know programming but is it possible that 'echo 0 > $f' should be:
'echo 0 > /proc/sys/net/ipv4/conf/$f/rp_filter'

Just a thought...

[Peter Schubert]

No ....

try it out:

for f in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo -n Old value of $f" is "
cat $f
echo 0 >$f
echo -n New value of $f" is "
cat $f
done

>
> Peter,
>
> dont't know programming but is it possible that 'echo 0 > $f'
> should be:
> 'echo 0 > /proc/sys/net/ipv4/conf/$f/rp_filter'
>
> Just a thought...

[guestHH]

Ok Peter, that's clear. Thx.

Now I just rebooted my machine and rp_filter is back to 1. When I echo > 0 to the device it still remains 1...??

Anyting I overlook ?

TIA
Regards,
guestHH

[Peter Schubert]

I made an update to the source an add 2 new things:
update ot /etc/sysctl.conf (to set rp_filter default to 0)
panel function to change the public ID (domainname oder external IP)

You can download the new
devinfo-freeswan-1.99-8sme56.noarch.rpm
at
http://mirror.contribs.org/smeserver/contribs/saco/contrib/devinfo-freeswan-1.99/

You only need devinfo-freeswan-1.99-8sme56.noarch.rpm, all other rpms are unchanged.

Good Luck
Peter
guestHH wrote:
>
> Ok Peter, that's clear. Thx.
>
> Now I just rebooted my machine and rp_filter is back to 1.
> When I echo > 0 to the device it still remains 1...??
>
> Anyting I overlook ?
>
> TIA
> Regards,
> RequestedDeletion

[guestHH]

Thanks Peter i'll test it over the weekend.

btw:

I try to set up a VPN between two 5.6U4 server both behind a Alcatel ADSL modem. Yep, it's not working because the public IP on the modem is not the IP of the eth1 of the servers. The adsl (Altcatel speedtouch) do NAT.

I read trough the Freeswan lists and it comes up a few times, but not a real solution or procedure. And it's all very high technical...

Does anybody have some hints/tips  

TIA
Regards,
guestHH

[guestHH]

As promised Paul the feedback,

the latest dev-info adjustment makes 'rp_filter = 1' go away Using 5.6U4.

Thx.

issue with sme -> xdsl modem -> Internet <- Xdsl modem <- sme remains...
Maybe a roadwarrior setup...?

Regards,
guestHH

[Paul F]

Thanks to Peter and RequestedDeletion for clearing this up!