Koozali.org: home of the SME Server

IPSEC /Freeswan

Peter Smit

IPSEC /Freeswan
« on: May 24, 2003, 02:59:12 AM »
Hi,

Just for learning I am trying to connect 2 SME boxes.

Mine is SME 5.6u4, the other one is SME 5.5u6.
Is this already a problem?

For the 5.6 I used the lordsfam howto and RPMs.
For the 5.5 I used dmc-mitel-freeswan-1.97-3sme55.noarch.rpm,
and I followed the howto letter for letter on both sides.

Somehow the boxes won't send or receive on ipsec0.

Is there some file or log I can show you to help me?

Peter Smit

Peter Schubert

Re: IPSEC /Freeswan
« Reply #1 on: May 24, 2003, 03:15:37 PM »
Hi,

for your SME 5.6 use the devinfo-freeswan-1.99-8sme56.noarch.rpm, download at http://mirror.contribs.org/smeserver/contribs/saco/contrib/devinfo-freeswan-1.99/

In this enhanced version, you can set the ID of the 5.6 box to the external IP. You need this for a connection to a 5.5 box !

You must have fixed external IPs on both sides !

Best,
Peter

Peter Smit

Re: IPSEC /Freeswan
« Reply #2 on: May 25, 2003, 11:43:34 PM »
Thanks,

I upgraded to devinfo-freeswan-1.99-8sme56.noarch.rpm and set the ID to the external IP.

But I still see no traffic on ipsec0 on both sides.

My ipsec.conf looks like this:

#------------------------------------------------------------

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig
        #leftrsasigkey=%dnsondemand
        #rightrsasigkey=%dnsondemand

##############################################################

conn net.local-net.192.168.0.0
        also=net.local.left
        right=80.56.120.178
        rightsubnet=192.168.0.0/255.255.255.0
        rightfirewall=yes
        rightid=@80.56.120.178
        rightrsasigkey=0sAQPBqOigRmdtYU4dbhDG6FTDB/sJBzGXkMUkdBwf+ob1ASx0H7Ef+mr6ct82RaHi+LadW5dV2n
        auto=start

conn gate.local-gate.192.168.0.0
        also=gate.local.left
        right=80.56.120.178
        rightid=@80.56.120.178
        rightrsasigkey=0sAQPBqOigRmdtYU4dbhDG6FTDB/sJBzGXkMUkdBwf+ob1ASx0H7Ef+mr6ct82RaHi+LadW5dV2n
        auto=start

conn net.local-gate.192.168.0.0
        also=net.local.left
        right=80.56.120.178
        rightid=@80.56.120.178
        rightrsasigkey=0sAQPBqOigRmdtYU4dbhDG6FTDB/sJBzGXkMUkdBwf+ob1ASx0H7Ef+mr6ct82RaHi+LadW5dV2n
        auto=start

conn gate.local-net.192.168.0.0
        also=gate.local.left
        right=80.56.120.178
        rightsubnet=192.168.0.0/255.255.255.0
        rightfirewall=yes
        rightid=@80.56.120.178
        rightrsasigkey=0sAQPBqOigRmdtYU4dbhDG6FTDB/sJBzGXkMUkdBwf+ob1ASx0H7Ef+mr6ct82RaHi+LadW5dV2n
        auto=start

##############################################################




##############################################################
# Attributes for connection                                  #
# local net as left                                          #
##############################################################
conn net.local.left
        left=%defaultroute
        leftsubnet=192.168.1.0/255.255.255.0
        leftfirewall=yes
        leftid=@212.127.156.125
        leftrsasigkey=0sAQN0Hy9nCREFRBm0OD6IBj5Zoo8kjGrfqxtFSGtBlgv3G8mY1TLaJkQXLCbS4HJ8hMWr6lTXdIHlpDytnUM8BqvK2L3zK/XP1PJ2pgcMeo5ox3sxufMxp9kGbO/k8NSvE7w8y5b58ewRF7ekDYeai0NMnZnMoJNJMb7goHBA/YiLPEDO+qJiHKUdR13vwGobDkOlPMymhf1dTfQWvFKrIkXU0lSBY2X0lZUTbQaN4Kl8GqAJV7+e0Jy0JDd3xhBEMJAFBdbsJ0qlkWGeyJnUYDsdagL0eJegRyF6tZMFbHAG+4DgPTigHpPOO6mcchFMyt70fElPvNt0xCkijjjpCez3

##############################################################
# Attributes for connection                                  #
# local gate as left                                         #
##############################################################
conn gate.local.left
        left=%defaultroute
        leftid=@212.127.156.125
        leftrsasigkey=0sAQN0Hy9nCREFRBm0OD6IBj5Zoo8kjGrfqxtFSGtBlgv3G8mY1TLaJkQXLCbS4HJ8hMWr6lTXdIHlpDytnUM8BqvK2L3zK/XP1PJ2pgcMeo5ox3sxufMxp9kGbO/k8NSvE7w8y5b58ewRF7ekDYeai0NMnZnMoJNJMb7goHBA/YiLPEDO+qJiHKUdR13vwGobDkOlPMymhf1dTfQWvFKrIkXU0lSBY2X0lZUTbQaN4Kl8GqAJV7+e0Jy0JDd3xhBEMJAFBdbsJ0qlkWGeyJnUYDsdagL0eJegRyF6tZMFbHAG+4DgPTigHpPOO6mcchFMyt70fElPvNt0xCkijjjpCez3

##############################################################
# Attributes for connection                                  #
# local net as right                                         #
##############################################################
conn net.local.right
        right=%defaultroute
        rightsubnet=192.168.1.0/255.255.255.0
        rightfirewall=yes
        rightid=@212.127.156.125
        rightrsasigkey=0sAQN0Hy9nCREFRBm0OD6IBj5Zoo8kjGrfqxtFSGtBlgv3G8mY1TLaJkQXLCbS4HJ8hMWr6lTXdIHlpDytnUM8BqvK2L3zK/XP1PJ2pgcMeo5ox3sxufMxp9kGbO/k8NSvE7w8y5b58ewRF7ekDYeai0NMnZnMoJNJMb7goHBA/YiLPEDO+qJiHKUdR13vwGobDkOlPMymhf1dTfQWvFKrIkXU0lSBY2X0lZUTbQaN4Kl8GqAJV7+e0Jy0JDd3xhBEMJAFBdbsJ0qlkWGeyJnUYDsdagL0eJegRyF6tZMFbHAG+4DgPTigHpPOO6mcchFMyt70fElPvNt0xCkijjjpCez3

##############################################################
# Attributes for connection                                  #
# local gate as right                                        #
##############################################################
conn gate.local.right
        right=%defaultroute
        rightid=@212.127.156.125
        rightrsasigkey=0sAQN0Hy9nCREFRBm0OD6IBj5Zoo8kjGrfqxtFSGtBlgv3G8mY1TLaJkQXLCbS4HJ8hMWr6lTXdIHlpDytnUM8BqvK2L3zK/XP1PJ2pgcMeo5ox3sxufMxp9kGbO/k8NSvE7w8y5b58ewRF7ekDYeai0NMnZnMoJNJMb7goHBA/YiLPEDO+qJiHKUdR13vwGobDkOlPMymhf1dTfQWvFKrIkXU0lSBY2X0lZUTbQaN4Kl8GqAJV7+e0Jy0JDd3xhBEMJAFBdbsJ0qlkWGeyJnUYDsdagL0eJegRyF6tZMFbHAG+4DgPTigHpPOO6mcchFMyt70fElPvNt0xCkijjjpCez3


#------------------------------------------------------------
# TEMPLATE END
#------------------------------------------------------------

The other side (SME 5.5):

#------------------------------------------------------------

config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # How to authenticate gateways
        authby=rsasig
        # Enable compression
        compress=no
##############################################################

conn net.192.168.1.0-net.local
        left=212.127.156.125
        leftnexthop=212.127.156.1
        leftsubnet=192.168.1.0/255.255.255.0
        leftid=@212.127.156.125
        leftfirewall=yes
        leftrsasigkey=0sAQN0Hy9nCREFRBm0OD6IBj5Zoo8kjGrfqxtFSGtBlgv3G8mY1TLaJkQXLCbS4HJ8hMWr6lTXdIHlpDytnUM8BqvK2L3zK/XP1PJ2pgcMeo5ox3sxufMxp9kGbO/k8NSvE7w8y5b58ewRF7ekDYeai0NMnZnMoJNJMb7goHBA/YiLPEDO+qJiHKUdR13vwGobDkOlPMymhf1dTfQWvFKrIkXU0lSBY2X0lZUTbQaN4Kl8GqAJV7+e0Jy0JDd3xhBEMJAFBdbsJ0qlkWGeyJnUYDsdagL0eJegRyF6tZMFbHAG+4DgPTigHpPOO6mcchFMyt70fElPvNt0xCkijjjpCez3
        also=net.local.right
        auto=start

conn gate.192.168.1.0-gate.local
        left=212.127.156.125
        leftnexthop=212.127.156.1
        leftid=@212.127.156.125
        leftrsasigkey=0sAQN0Hy9nCREFRBm0OD6IBj5Zoo8kjGrfqxtFSGtBlgv3G8mY1TLaJkQXLCbS4HJ8hMWr6lTXdIHlpDytnUM8BqvK2L3zK/XP1PJ2pgcMeo5ox3sxufMxp9kGbO/k8NSvE7w8y5b58ewRF7ekDYeai0NMnZnMoJNJMb7goHBA/YiLPEDO+qJiHKUdR13vwGobDkOlPMymhf1dTfQWvFKrIkXU0lSBY2X0lZUTbQaN4Kl8GqAJV7+e0Jy0JDd3xhBEMJAFBdbsJ0qlkWGeyJnUYDsdagL0eJegRyF6tZMFbHAG+4DgPTigHpPOO6mcchFMyt70fElPvNt0xCkijjjpCez3
        also=gate.local.right
        auto=start

conn net.192.168.1.0-gate.local
        left=212.127.156.125
        leftnexthop=212.127.156.1
        leftsubnet=192.168.1.0/255.255.255.0
        leftid=@212.127.156.125
        leftfirewall=yes
        leftrsasigkey=0sAQN0Hy9nCREFRBm0OD6IBj5Zoo8kjGrfqxtFSGtBlgv3G8mY1TLaJkQXLCbS4HJ8hMWr6lTXdIHlpDytnUM8BqvK2L3zK/XP1PJ2pgcMeo5ox3sxufMxp9kGbO/k8NSvE7w8y5b58ewRF7ekDYeai0NMnZnMoJNJMb7goHBA/YiLPEDO+qJiHKUdR13vwGobDkOlPMymhf1dTfQWvFKrIkXU0lSBY2X0lZUTbQaN4Kl8GqAJV7+e0Jy0JDd3xhBEMJAFBdbsJ0qlkWGeyJnUYDsdagL0eJegRyF6tZMFbHAG+4DgPTigHpPOO6mcchFMyt70fElPvNt0xCkijjjpCez3
        also=gate.local.right
        auto=start

conn gate.192.168.1.0-net.local
        left=212.127.156.125
        leftnexthop=212.127.156.1
        leftid=@212.127.156.125
        leftrsasigkey=0sAQN0Hy9nCREFRBm0OD6IBj5Zoo8kjGrfqxtFSGtBlgv3G8mY1TLaJkQXLCbS4HJ8hMWr6lTXdIHlpDytnUM8BqvK2L3zK/XP1PJ2pgcMeo5ox3sxufMxp9kGbO/k8NSvE7w8y5b58ewRF7ekDYeai0NMnZnMoJNJMb7goHBA/YiLPEDO+qJiHKUdR13vwGobDkOlPMymhf1dTfQWvFKrIkXU0lSBY2X0lZUTbQaN4Kl8GqAJV7+e0Jy0JDd3xhBEMJAFBdbsJ0qlkWGeyJnUYDsdagL0eJegRyF6tZMFbHAG+4DgPTigHpPOO6mcchFMyt70fElPvNt0xCkijjjpCez3
        also=net.local.right
        auto=start

##############################################################



##############################################################
# Attributes for connection                                  #
# local net as left                                          #
##############################################################

conn net.local.left
        left=80.56.120.178
        leftnexthop=
        leftsubnet=192.168.0.0/255.255.255.0
        leftrsasigkey=0sAQPBqOigRmdtYU4dbhDG6FTDB/sJBzGXkMUkdBwf+ob1ASx0H7Ef+mr6ct82RaHi+LadW5dV2nSYD/ZaABhPl8WzEbcbZulI7Nr3+l8vVcZ2CuXFlEUN2OteDtekYVnup1JkhJfwVOefzJGcuzKorsiU6MosIKMJJSAagD6ztWkh84Y5NYoNhQcoqYMHu3WBfogjtqCXAtgOJd1NvUWCMj91s3lYaQQv7OsRkWs6QzdSv5sa/3wDwm8VzDh6ESlA2WV9eYp2GnZhEU/W/Tv2lYE5fn4mucmAGhPpAxd+tM1RQAMS/IzWTFYH+cPKzykSlh/QPa7GTsRkR2v/TkerJdNv
        leftid=@80.56.120.178
        leftfirewall=yes

##############################################################
# Attributes for connection                                  #
# local gate as left                                         #
##############################################################

conn gate.local.left
        left=80.56.120.178
        leftnexthop=
        leftrsasigkey=0sAQPBqOigRmdtYU4dbhDG6FTDB/sJBzGXkMUkdBwf+ob1ASx0H7Ef+mr6ct82RaHi+LadW5dV2nSYD/ZaABhPl8WzEbcbZulI7Nr3+l8vVcZ2CuXFlEUN2OteDtekYVnup1JkhJfwVOefzJGcuzKorsiU6MosIKMJJSAagD6ztWkh84Y5NYoNhQcoqYMHu3WBfogjtqCXAtgOJd1NvUWCMj91s3lYaQQv7OsRkWs6QzdSv5sa/3wDwm8VzDh6ESlA2WV9eYp2GnZhEU/W/Tv2lYE5fn4mucmAGhPpAxd+tM1RQAMS/IzWTFYH+cPKzykSlh/QPa7GTsRkR2v/TkerJdNv
        leftid=@80.56.120.178

##############################################################
# Attributes for connection                                  #
# local net as right                                         #
##############################################################

conn net.local.right
        right=80.56.120.178
        rightnexthop=
        rightsubnet=192.168.0.0/255.255.255.0
        rightrsasigkey=0sAQPBqOigRmdtYU4dbhDG6FTDB/sJBzGXkMUkdBwf+ob1ASx0H7Ef+mr6ct82RaHi+LadW5dV2nSYD/ZaABhPl8WzEbcbZulI7Nr3+l8vVcZ2CuXFlEUN2OteDtekYVnup1JkhJfwVOefzJGcuzKorsiU6MosIKMJJSAagD6ztWkh84Y5NYoNhQcoqYMHu3WBfogjtqCXAtgOJd1NvUWCMj91s3lYaQQv7OsRkWs6QzdSv5sa/3wDwm8VzDh6ESlA2WV9eYp2GnZhEU/W/Tv2lYE5fn4mucmAGhPpAxd+tM1RQAMS/IzWTFYH+cPKzykSlh/QPa7GTsRkR2v/TkerJdNv
        rightid=@80.56.120.178
        rightfirewall=yes

##############################################################
# Attributes for connection                                  #
# local gate as right                                        #
##############################################################

conn gate.local.right
        right=80.56.120.178
        rightnexthop=
        rightrsasigkey=0sAQPBqOigRmdtYU4dbhDG6FTDB/sJBzGXkMUkdBwf+ob1ASx0H7Ef+mr6ct82RaHi+LadW5dV2nSYD/ZaABhPl8WzEbcbZulI7Nr3+l8vVcZ2CuXFlEUN2OteDtekYVnup1JkhJfwVOefzJGcuzKorsiU6MosIKMJJSAagD6ztWkh84Y5NYoNhQcoqYMHu3WBfogjtqCXAtgOJd1NvUWCMj91s3lYaQQv7OsRkWs6QzdSv5sa/3wDwm8VzDh6ESlA2WV9eYp2GnZhEU/W/Tv2lYE5fn4mucmAGhPpAxd+tM1RQAMS/IzWTFYH+cPKzykSlh/QPa7GTsRkR2v/TkerJdNv
        rightid=@80.56.120.178


Is something wrong in here?


Peter Smit

guestHH

Re: IPSEC /Freeswan
« Reply #3 on: May 26, 2003, 02:48:11 AM »
Peter,

_NEVER_ do that again, posting all this real live info !!!!

I mean giving info is one thing, but exposing _all_ IP and IPsec info is not done.

Never do that again, for your own good. Change IPs and IPsec keys _NOW_ !!!

_everybody_ reading this topic can compromise your servers now!

Just trying to help you.

Regards,
guestHH

Peter Schubert

Re: IPSEC /Freeswan
« Reply #4 on: May 26, 2003, 02:31:12 PM »
Peter !

Do what RequestedDeletion told you !
- delete all IPsec configuration (partners)
- do a
      /sbin/e-smith/signal-event ipsec-install
  on both installations !!!

Then you have to set up IPsec/Freeswan anew !

Look only at /var/log/messages and /var/log/secure for errors with your connection !

And NEVER post your /etc/ipsec* files !!!!

Best
Peter
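A sanitiser for sharing an ipsec.conf without the material the two replies above warn about, added here as an example (not code from the thread or the SME project); the sample config and its key are constructed, and the HOST-n placeholder scheme is the example's own convention:

```python
"""Redact a FreeS/WAN ipsec.conf before posting it for help.

Editor's added example, not from the thread or SME. Assumes the FreeS/WAN
1.x layout seen above: conn/config headers, indented key=value lines, and
key values that a mailer may have wrapped onto extra lines."""
import re

KEY_FIELDS = {"leftrsasigkey", "rightrsasigkey"}
ENDPOINT_FIELDS = {"left", "right", "leftnexthop", "rightnexthop",
                   "leftid", "rightid"}
KV_RE = re.compile(r"^(\s*)([a-z]+)=(.*)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def redact_ipsec_conf(text):
    """Replace RSA keys and gateway addresses, keep subnets and structure;
    each distinct address becomes the same HOST-n token wherever it appears."""
    hosts = {}

    def placeholder(m):
        return hosts.setdefault(m.group(0), f"HOST-{len(hosts) + 1}")

    out, in_wrapped_key = [], False
    for line in text.splitlines():
        m = KV_RE.match(line)
        body = line.strip()
        if m:
            indent, key, value = m.groups()
            in_wrapped_key = key in KEY_FIELDS and bool(value.strip())
            if in_wrapped_key:
                line = f"{indent}{key}=<REDACTED-RSA-KEY>"
            elif key in ENDPOINT_FIELDS:
                line = f"{indent}{key}={IPV4_RE.sub(placeholder, value)}"
        elif in_wrapped_key and body and not body.startswith("#"):
            continue  # remainder of a key value wrapped onto this line
        else:
            in_wrapped_key = False
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample in the thread's layout: 203.0.113.0/24 is documentation
# address space and the key text is a placeholder, not a real FreeS/WAN key.
SAMPLE = """\
conn net.local-net.192.168.0.0
        right=203.0.113.45
        rightsubnet=192.168.0.0/255.255.255.0
        rightid=@203.0.113.45
        rightrsasigkey=0sAQNOTAREALKEYJUSTPLACEHOLDERTEXTTHATIS
WRAPPEDONTOANOTHERLINE==
        auto=start
conn net.local.left
        left=203.0.113.7
        leftnexthop=203.0.113.1
        leftid=@203.0.113.7
"""
```

Run `print(redact_ipsec_conf(open("/etc/ipsec.conf").read()))` and paste the result instead of the raw file; `ipsec.secrets` should never be shared at all.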

Peter Smit

Re: IPSEC /Freeswan
« Reply #5 on: May 26, 2003, 11:23:44 PM »
I am stupid .... Never thought about that.

Changed everything.

Sorry, kick my butt :(

Peter

Peter Smit

Re: IPSEC /Freeswan
« Reply #6 on: May 27, 2003, 12:57:44 AM »
After my stupid mistakes, still trying to get this to work...

Made a new VPN on the 5.6 box and it started to send!
Made the VPN on the 5.5 box but it won't do anything.

The logfile says:

May 26 21:51:49 server ipsec_setup: ...FreeS/WAN IPsec started
May 26 21:51:54 server ipsec__plutorun: 003 "gate.192.168.1.0-net.local": route-client command exited with status 7
May 26 21:51:54 server ipsec__plutorun: 003 "gate.192.168.1.0-net.local": down-client command exited with status 1
May 26 21:51:54 server ipsec__plutorun: 025 "gate.192.168.1.0-net.local": could not route
May 26 21:51:54 server ipsec__plutorun: ...could not route conn "gate.192.168.1.0-net.local"
May 26 21:51:54 server ipsec__plutorun: 003 "net.192.168.1.0-gate.local": route-host command exited with status 7
May 26 21:51:54 server ipsec__plutorun: 025 "net.192.168.1.0-gate.local": could not route
May 26 21:51:54 server ipsec__plutorun: ...could not route conn "net.192.168.1.0-gate.local"
May 26 21:51:55 server ipsec__plutorun: 003 "gate.192.168.1.0-gate.local": route-host command exited with status 7
May 26 21:51:55 server ipsec__plutorun: 025 "gate.192.168.1.0-gate.local": could not route
May 26 21:51:55 server ipsec__plutorun: ...could not route conn "gate.192.168.1.0-gate.local"
May 26 21:51:55 server ipsec__plutorun: 003 "net.192.168.1.0-net.local": route-client command exited with status 7
May 26 21:51:55 server ipsec__plutorun: 003 "net.192.168.1.0-net.local": down-client command exited with status 1
May 26 21:51:55 server ipsec__plutorun: 025 "net.192.168.1.0-net.local": could not route
May 26 21:51:55 server ipsec__plutorun: ...could not route conn "net.192.168.1.0-net.local"

Still confused about the 5.5 box..

Peter
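A small parser for the ipsec__plutorun lines quoted above, added as an example (not from the thread); the sample log is constructed to mirror that output, using the conn names the post uses:

```python
"""Group FreeS/WAN pluto startup errors per connection.

Editor's added example, not from the thread. It reads the syslog lines
ipsec__plutorun writes in the format quoted above and reports, per conn,
which _updown command failed with which status and whether pluto gave up
on routing it. In the thread every conn failed at the route step, and the
fixes discussed were local (Local Network entry, GatewayIP), not the peer."""
import re
from collections import defaultdict

CMD_RE = re.compile(
    r'ipsec__plutorun: 003 "(?P<conn>[^"]+)": (?P<cmd>[\w-]+) command '
    r'exited with status (?P<status>\d+)')
NOROUTE_RE = re.compile(r'ipsec__plutorun: 025 "(?P<conn>[^"]+)": could not route')

def summarise_plutorun(lines):
    """Return {conn: {"failed": [(cmd, status), ...], "routed": bool}}."""
    report = defaultdict(lambda: {"failed": [], "routed": True})
    for line in lines:
        m = CMD_RE.search(line)
        if m:
            report[m["conn"]]["failed"].append((m["cmd"], int(m["status"])))
            continue
        m = NOROUTE_RE.search(line)
        if m:
            report[m["conn"]]["routed"] = False
    return dict(report)

def all_failed_at_route(lines):
    """True when every conn seen could not be routed: look locally first."""
    report = summarise_plutorun(lines)
    return bool(report) and not any(r["routed"] for r in report.values())

# Constructed sample modelled on the lines quoted in the post.
SAMPLE_LOG = [
    'May 26 21:51:49 server ipsec_setup: ...FreeS/WAN IPsec started',
    'May 26 21:51:54 server ipsec__plutorun: 003 "gate.192.168.1.0-net.local": route-client command exited with status 7',
    'May 26 21:51:54 server ipsec__plutorun: 003 "gate.192.168.1.0-net.local": down-client command exited with status 1',
    'May 26 21:51:54 server ipsec__plutorun: 025 "gate.192.168.1.0-net.local": could not route',
    'May 26 21:51:54 server ipsec__plutorun: ...could not route conn "gate.192.168.1.0-net.local"',
    'May 26 21:51:54 server ipsec__plutorun: 003 "net.192.168.1.0-gate.local": route-host command exited with status 7',
    'May 26 21:51:54 server ipsec__plutorun: 025 "net.192.168.1.0-gate.local": could not route',
]

if __name__ == "__main__":
    for conn, r in summarise_plutorun(SAMPLE_LOG).items():
        print(conn, r)
    print("all conns failed at route step:", all_failed_at_route(SAMPLE_LOG))
```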

Peter Schubert

Re: IPSEC /Freeswan
« Reply #7 on: May 27, 2003, 04:10:57 AM »
Did you add a "Local Network" on the 5.5 box?
(With an empty router field)

Peter Smit

Re: IPSEC /Freeswan
« Reply #8 on: May 27, 2003, 10:44:21 AM »
Yes, I made a local network:

  Network      Subnet mask    Number of hosts  Router
  192.168.1.0  255.255.255.0  256              default

Peter

ryan

Re: IPSEC /Freeswan
« Reply #9 on: May 27, 2003, 11:45:04 AM »
Peter,

Got some older computers lying around? Take a look at IPCop.org.... a simple firewall, proxy and IPSEC VPN router that is easy to set up, GPL, and a small download.

I have incorporated IPCop as my 'primary' internet connection at each location. I have experienced the problems you have posted, and basically have gone through this headache with every e-smith/SME upgrade. IPCop is a simple router and is designed to connect LANs with IPSEC. I am very happy with IPCop. You can continue to use SME in server/gateway mode by putting the outer NIC on the DMZ subnet with the IPCop server.... or just run SME in server-only mode. IPCop 1.3 allows you to easily port forward PPTP VPN to SME on the LAN if you only have a single internet IP address available at your site. This allows you to keep PPTP to SME without SME being on the internet. Setting up IPSEC on IPCop is simple if you have read the documentation completely.

Have fun.

ryan

Dean

Re: IPSEC /Freeswan
« Reply #10 on: May 27, 2003, 08:04:13 PM »
I too have the exact same problem; followed the info in this thread, still no joy.

Anybody got any more constructive ideas .. IPCop is out of the question. We have 2 SME 5.5 servers on broadband and need to link them both.

TIA

Dean

T. BLOTIN

Re: IPSEC /Freeswan
« Reply #11 on: July 03, 2003, 12:31:20 AM »
I have the same problem too and I corrected it by adding the "GatewayIP=62.4....." item in the /home/e-smith/configuration file on each side of the connection (with the corresponding value). After this I stopped and started the IPsec service using the "service ipsec start" or "service ipsec stop" command.
But now I'd like to find another solution because my ISP changes my gateway IP regularly even though I am on a static IP. However, I have installed and configured my VPN using the typical howto document and I am very surprised to see it doesn't work as indicated in the document; I think I have done as it is indicated but it doesn't work. If someone has a solution or an explanation, could he or she tell me how to proceed? I have been looking everywhere on the net but I haven't found anything anywhere. Thank you all beforehand for your help to come, thanks.