Koozali.org: home of the SME Server

Site to Site VPN (PPTP/IPSec)

ztasevski

Site to Site VPN (PPTP/IPSec)
« Reply #15 on: November 12, 2004, 06:49:44 AM »
hi,

8 tunnels to date and they all work like a charm!

cydonia

Site to Site VPN (PPTP/IPSec)
« Reply #16 on: November 14, 2004, 04:43:48 PM »
To those who have successfully set up IPsec VPN on SME 6+, do you have static IPs?

I tried doing this between mine and a friend's house but we both had dynamic IPs, and my friend wasn't too technically minded, so I had to guide him, whilst learning myself.

I never got it to work but believe I was close.

Has anyone done this successfully using dynamic IPs?

ldkeen
Site to Site VPN (PPTP/IPSec)
« Reply #17 on: November 15, 2004, 03:09:54 AM »
All of my setups have been static > static.

ztasevski

Site to Site VPN (PPTP/IPSec)
« Reply #18 on: November 15, 2004, 03:54:54 AM »
Likewise... all of mine static -> static.

Although I am doing today a Telstra dynamic to Optus static, but for the life of me I can not get it up. Any ideas?

Bigpond says it's set up in bridged mode but still no go.

snip:
--------------------------------------------------
Nov  15 01:58:34 fw-gb ipsec_setup: Stopping FreeS/WAN IPsec...
Nov  15 01:58:34 fw-gb ipsec__plutorun: 104 "net.local-gate.192.168.1.0" #1: STATE_MAIN_I1: initiate
Nov  15 01:58:34 fw-gb ipsec__plutorun: 010 "net.local-gate.192.168.1.0" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
Nov  15 01:58:34 fw-gb ipsec__plutorun: 010 "net.local-gate.192.168.1.0" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
Nov  15 01:58:34 fw-gb last message repeated 3 times
Nov  15 01:58:34 fw-gb ipsec__plutorun: ...could not start conn "net.local-gate.192.168.1.0"
Nov  15 01:58:34 fw-gb ipsec__plutorun: whack: read() failed (104 Connection reset by peer)
Nov  15 01:58:34 fw-gb ipsec__plutorun: ...could not start conn "gate.local-gate.192.168.1.0"
Nov  15 01:58:34 fw-gb ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto.ctl")
Nov  15 01:58:34 fw-gb ipsec__plutorun: ...could not start conn "net.local-net.192.168.1.0"
Nov  15 01:58:34 fw-gb ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto.ctl")
Nov  15 01:58:34 fw-gb ipsec__plutorun: ...could not start conn "gate.local-net.192.168.1.0"
Nov  15 01:58:35 fw-gb kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.
Nov  15 01:58:35 fw-gb kernel: divert: no divert_blk to free, ipsec0 not ethernet
Nov  15 01:58:35 fw-gb kernel: divert: no divert_blk to free, ipsec1 not ethernet
Nov  15 01:58:35 fw-gb kernel: divert: no divert_blk to free, ipsec2 not ethernet
Nov  15 01:58:35 fw-gb /etc/hotplug/net.agent: NET unregister event not supported
Nov  15 01:58:35 fw-gb kernel: divert: no divert_blk to free, ipsec3 not ethernet
Nov  15 01:58:35 fw-gb kernel: klips_info:pfkey_cleanup: shutting down PF_KEY domain sockets.
Nov  15 01:58:35 fw-gb kernel: klips_info:cleanup_module: ipsec module unloaded.
Nov  15 01:58:35 fw-gb ipsec_setup: ...FreeS/WAN IPsec stopped
Nov  15 01:58:52 fw-gb ipsec_setup: Starting FreeS/WAN IPsec 1.99...
Nov  15 01:58:52 fw-gb ipsec_setup: Using /lib/modules/2.4.20-18.7/kernel/net/ipsec/ipsec.o
Nov  15 01:58:52 fw-gb kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.99
Nov  15 01:58:52 fw-gb kernel: divert: not allocating divert_blk for non-ethernet device ipsec0
Nov  15 01:58:52 fw-gb kernel: divert: not allocating divert_blk for non-ethernet device ipsec1
Nov  15 01:58:52 fw-gb kernel: divert: not allocating divert_blk for non-ethernet device ipsec2
Nov  15 01:58:52 fw-gb kernel: divert: not allocating divert_blk for non-ethernet device ipsec3
Nov  15 01:58:35 fw-gb last message repeated 3 times
Nov  15 01:58:52 fw-gb /etc/hotplug/net.agent: invoke ifup ipsec0
Nov  15 01:58:52 fw-gb ipsec_setup: KLIPS debug none'
Nov  15 01:58:52 fw-gb /etc/hotplug/net.agent: invoke ifup ipsec1
Nov  15 01:58:52 fw-gb /etc/hotplug/net.agent: invoke ifup ipsec2
Nov  15 01:58:52 fw-gb ipsec_setup: KLIPS ipsec0 on ppp0 138.217.138.225/255.255.255.255 pointopoint 172.31.151.24
Nov  15 01:58:52 fw-gb /etc/hotplug/net.agent: invoke ifup ipsec3
Nov  15 01:58:52 fw-gb ipsec_setup: ...FreeS/WAN IPsec started
--------------------------------------------------

Ideas?

cydonia

Site to Site VPN (PPTP/IPSec)
« Reply #19 on: November 15, 2004, 06:45:02 AM »
Quote from: "ztasevski"
All of my setups have been static > static.


Quote from: "ldkeen"
likewise...all of mine static -> static


Oh well, I can always have my PPTP VPN... but it's just not the same... :(

smitti
YES! It's finally working!
« Reply #20 on: November 29, 2004, 08:35:01 PM »
Somehow I didn't get it working.
But I found out that the keys I copied into the server panel (sent by e-mail) were somehow corrupt.

Pasted in the right keys and it came up straight away.

Thanks to everyone here!

Peter

pjones

ipsec vpn - site to site
« Reply #21 on: January 20, 2005, 03:58:43 AM »
Thanks Lloyd,
Tested your howto out on two of my smeserver-6[1].01-01custom boxes and it's working GREAT!!!!
Thank you for sharing this know-how.

Both servers are on cable modems with dynamic IPs, working fine with dyndns.org.

Anyone know how to add this to the startup cron job so the tunnels will start with the server? The only trouble I am having is a poor ISP at the remote site; I need to add a check to the tunnels to restart them if the link is down.

Note if you do a :
cd /root
/sbin/e-smith/signal-event post-upgrade
/sbin/e-smith/signal-event reboot

This will load the IPSEC VPN under the Security tab, did this on both of my servers. ;-)

bluefire

Re: Site to Site VPN (PPTP/IPSec)
« Reply #22 on: February 06, 2005, 11:58:47 AM »
Quote from: "ldkeen"

Just a couple of gotchas to watch out for. Here is a very rough howto:

Download all three rpms from www.comnetel.com/ipsec and put them in a temp directory.
Install the freeswan rpms first:
# rpm -Uvh freeswan*
Now install the dev-info rpm using --nodeps:
# rpm -Uvh --nodeps devinfo-freeswan-1.99-8sme56.noarch.rpm
Run the following command:
# /sbin/e-smith/signal-event ipsec-install
Now go into the server-manager and modify the local networks panel and add the info for the remote:
Network address is the remote server's lan IP
Subnet address is the remote server's subnet
Router is the local lan address
Next go into the vitualprivatenetworks panel located at the bottom of the server-manager and "add an ipsec vpn". Most of the stuff in there is self explanatory. After doing this at both sites and providing all the keys are correct you should have your tunnel up and going. I had a problem with the rsa keys and when I tried to bring the tunnel up at the remote it froze me out but I was able to shell in to the remote from a third party and shut down ipsec. Let me know how you go.
Regards Lloyd


Hi!

I did exactly what you explained but when I try to add an IPsec VPN I get this:

"Error: network 192.168.2.0 (derived from IP address 192.168.2.1 and subnet mask 255.255.255.0) has already been added. Did not add new network."

I did try to add that particular network but something went wrong, so I reinstalled the server, and I didn't expect it to be stored in the backup file I made right before the reinstall. Apparently it was, so now the big question is: how do I either remove it from the system so I can add it the right way, or otherwise get it back on the list?

Rgds,

brianr
Site to Site VPN (PPTP/IPSec)
« Reply #23 on: February 07, 2005, 05:56:15 PM »
I am trying to find the howto and the rpms for FreeS/WAN on 6.0.1 - can someone point me in the right direction?
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.

crazybob
Site to Site VPN (PPTP/IPSec)
« Reply #24 on: February 12, 2005, 07:03:47 AM »
I am going to try this between 2 SME 6.0.1 boxes. One end has a static IP, but the other has a dynamic IP (PPPoE DSL). Any heads up on what to watch for?

Thanks

Bob
If you think you know whats going on, you obviously have no idea whats going on!

brianr
Site to Site VPN (PPTP/IPSec)
« Reply #25 on: February 12, 2005, 11:11:02 AM »
I have just tried this between 2 6.0.1 boxes (one of them updated using the update script from here), and the link was not very reliable; it seemed to stop PPTP VPN working, and also SMTP, on the non-updated end (I wasn't able to check the other one).

I am now setting up a test bed to investigate more fully, but I'd be glad of any thoughts.
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.

Michael_R

Site to Site VPN (PPTP/IPSec)
« Reply #26 on: February 13, 2005, 01:44:43 PM »
Hi,
I've installed two SME 6.0.1-1 boxes with these packages from
http://www.comnetel.com/ipsec
with dynamic IPs on both sides.
I'm using two accounts from dyndns.org and it works ok.
You have to create some cron jobs to disconnect the internet connection at night and restart ipsec after this on BOTH sides, but then you've got a reliable connection all over the day.
In my environment it isn't important to have a stable connection in the night, so this is ok for me.

crazybob
Site to Site VPN (PPTP/IPSec)
« Reply #27 on: February 13, 2005, 02:16:29 PM »
Can you give an example of the cron jobs you use?

Thanks

Bob
If you think you know whats going on, you obviously have no idea whats going on!

Michael_R

Site to Site VPN (PPTP/IPSec)
« Reply #28 on: February 13, 2005, 04:50:21 PM »
I've defined 3 cron jobs on every machine:
You have to restart the internet connection 2 times at night because the time of your 24-hour disconnection isn't always exactly the same.
Then you need an ipsec restart on every machine.
I chose the time for this 1 hour after the pppoe restart because dyndns services aren't so fast sometimes.
I've not tried a shorter time, since this works.

Here are the cron jobs which I've created in the folder /etc/cron.d/

1. First restart of the internet connection:
0    3   *    *   *  root /etc/rc.d/init.d/pppoe restart

2. Second restart of the internet connection:
0    5   *    *   *  root /etc/rc.d/init.d/pppoe restart

3. Restart of ipsec:
0    6   *    *   *  root /etc/rc.d/init.d/ipsec restart


With this configuration my connection from office to office has worked ok for about 3 weeks.
The delay between the restarts is very big, to be on the safe side.

Michael
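A state-driven check that re-establishes a tunnel only when its IPsec SA is actually gone, as pjones asked for above and as a complement to Michael's fixed-time restarts. This is an added example, not code from this thread or from SME Server; it assumes the FreeS/WAN 1.99 `ipsec auto --status`, `--replace` and `--up` subcommands, the conn name from ztasevski's log, and a constructed sample of the status output.

```shell
#!/bin/sh
# Added example (not from this thread): re-establish a FreeS/WAN tunnel
# when "ipsec auto --status" no longer shows an IPsec SA for it.
# Assumptions: the conn name from the log above, FreeS/WAN 1.99 "ipsec auto"
# subcommands, and the status line format shown in the constructed samples.

CONN="${CONN:-net.local-gate.192.168.1.0}"
IPSEC="${IPSEC:-$(command -v ipsec || echo /usr/sbin/ipsec)}"

# Constructed samples of "ipsec auto --status" output (not captured output).
SAMPLE_UP='000 #1: "net.local-gate.192.168.1.0" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2700s
000 #2: "net.local-gate.192.168.1.0" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27000s'
SAMPLE_DOWN='000 #1: "net.local-gate.192.168.1.0" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 20s'

# tunnel_established CONN STATUS_TEXT: succeed only if a phase-2 SA for CONN
# is established (a STATE_MAIN_I1 stuck in retransmission, as in the log
# above, does not count as up).
tunnel_established() {
    printf '%s\n' "$2" | grep -F "\"$1\"" | grep -q 'IPsec SA established'
}

# check_and_restart CONN: run the real commands. With dyndns peers,
# "--replace" re-reads ipsec.conf so the peer's hostname is resolved again
# before "--up" negotiates a fresh tunnel.
check_and_restart() {
    status=$("$IPSEC" auto --status 2>/dev/null) || status=""
    if [ -z "$status" ]; then
        # Pluto not answering (the "no /var/run/pluto.ctl" case): full restart.
        logger -t ipsec-watch "pluto not answering, restarting ipsec"
        /etc/rc.d/init.d/ipsec restart
    elif ! tunnel_established "$1" "$status"; then
        logger -t ipsec-watch "tunnel $1 down, re-establishing"
        "$IPSEC" auto --replace "$1" && "$IPSEC" auto --up "$1"
    fi
}

# Only act when invoked as "ipsec-watch.sh --check", e.g. from /etc/cron.d/
# in the same format as the lines above (hypothetical install path):
#   */5 * * * * root /usr/local/bin/ipsec-watch.sh --check
if [ "${1:-}" = "--check" ]; then
    check_and_restart "$CONN"
fi
```

Because the check reads Pluto's state instead of the clock, it also covers the ISP dropouts pjones mentioned, not just the scheduled 24-hour disconnect.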

crazybob
Site to Site VPN (PPTP/IPSec)
« Reply #29 on: February 13, 2005, 05:17:05 PM »
Michael, thanks for the info. I will be trying it later this week. I am going to try to get a static IP for the box that is on PPPoE, but now I know I can make this work.

Bob
If you think you know whats going on, you obviously have no idea whats going on!