Koozali.org: home of the SME Server

Server to Server PPTP

Rod Tinberg

Server to Server PPTP
« on: February 23, 2002, 02:51:20 AM »
I've got an SME server running in server/gateway mode at both my home and at work.  After much trial and error, and reading of posts to this forum, I've been able to get Win2k machines on either end to establish working PPTP connections (both servers are connected to cable modems).  But I'd really like to establish a server to server connection so that individual clients would not have to.  Can this be done with PPTP?  I tried to implement ipsec, but couldn't make it work.  Thanks in advance for any help you can offer.

Rod

Ryan

Re: Server to Server PPTP
« Reply #1 on: March 01, 2002, 07:31:56 AM »
There is a good how-to on this site by Darell May and Steve Bush for freeswan ipsec vpn between two SME servers.  The only part not mentioned is that the "router" field under local networks must be left blank AND, after entering the local network (across VPN), you have to restart IPSEC by clicking "modify" and then "save" under "IPSEC" settings.  The first ping across LANs might fail, but the second should work.

Good luck

Marc

Re: Server to Server PPTP
« Reply #2 on: March 07, 2002, 11:04:23 PM »
I have the same troubles with the ipsec made by Darell May, which actually does a great job! I have 2 networks connected to the internet via Mitel server/gateway ADSL links. I tried to make a VPN between them. I succeeded in pinging all workstations across the tunnel but wasn't able to use the shares. Does someone have an idea? (Both Mitel servers are 5.1.2.) I have Win2k and Win98 workstations and an NT4 server domain master.

Scott Carle

Re: Server to Server PPTP
« Reply #3 on: March 09, 2002, 10:59:58 PM »
I have been trying to get a server to server vpn running without success... best I can figure, I must be doing something stupid simple wrong. I have read all the forum messages on this subject and followed the FAQ for freeswan setup on SME 5.1.2. I also did the removing of the gateway under adding local network and then reapplying the ipsec vpn on both servers. The client side server CB is giving a message that it can not route. That is shown at the bottom of this message. I would appreciate any help.
Thank You
scott carle

here are details
network #1 the server side. we will call it MB
internal network eth0 is 192.168.1.0
esmith server is 192.168.1.1
netmask 255.255.255.0
I have full connectivity and routing to the internet from this network. It is a static adsl connection.
the external interface is eth1 63.108.180.40
gateway is 63.108.180.254
Local Network  is added
network = 192.168.2.0
subnet 255.255.255.0
number of hosts = 256
router = default

network #2 the client side. we will call it CB
internal network eth0 is 192.168.2.0
esmith server is 192.168.2.1
netmask 255.255.255.0
I have full connectivity and routing to the internet from this network. It is adsl using a dynamic pppoe connection.
the external interface is eth0 which uses ppp0 207.144.46.194
the gateway is  204.116.190.46
Local Network  is added
network = 192.168.1.0
subnet 255.255.255.0
number of hosts = 256
router = default

in the e-smith ipsec vpn panel on the MB server is this configuration
remote network = 192.168.2.0
remote router internal ip address = 192.168.2.1
remote router internal subnet mask = 255.255.255.0
remote router external ip address = 207.144.46.194
remote routers default gateway ip address = 204.116.190.46
encryption key is entered
all boxes are set to yes
local machine acts as server

in the e-smith ipsec vpn panel on the CB server is this configuration
remote network = 192.168.1.0
remote router internal ip address = 192.168.1.1
remote router internal subnet mask = 255.255.255.0
remote router external ip address = 63.108.180.40
remote routers default gateway ip address = 63.108.180.254
encryption key is entered
all boxes are set to yes
local machine acts as client

Here is the var messages log pertaining to ipsec starting up and running on the MB server
Mar  9 10:07:24 e-smith ipsec_setup: Starting FreeS/WAN IPsec 1.91...
Mar  9 10:07:31 e-smith kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.91
Mar  9 10:07:31 e-smith ipsec_setup: KLIPS debug none'
Mar  9 10:07:31 e-smith ipsec_setup: KLIPS ipsec0 on eth1 63.108.180.40/255.255.255.0 broadcast 63.108.180.255
Mar  9 10:07:32 e-smith ipsec_setup: ...FreeS/WAN IPsec started
Mar  9 10:07:48 e-smith ipsec__plutorun: 104 "gate.local-net.192.168.2.0" #1: STATE_MAIN_I1: initiate
Mar  9 10:07:48 e-smith ipsec__plutorun: 010 "gate.local-net.192.168.2.0" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
Mar  9 10:07:48 e-smith ipsec__plutorun: 106 "gate.local-net.192.168.2.0" #1: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2
Mar  9 10:07:48 e-smith ipsec__plutorun: 108 "gate.local-net.192.168.2.0" #1: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3
Mar  9 10:07:48 e-smith ipsec__plutorun: 004 "gate.local-net.192.168.2.0" #1: STATE_MAIN_I4: ISAKMP SA established
Mar  9 10:07:48 e-smith ipsec__plutorun: 112 "gate.local-net.192.168.2.0" #2: STATE_QUICK_I1: initiate
Mar  9 10:07:48 e-smith ipsec__plutorun: 004 "gate.local-net.192.168.2.0" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
Mar  9 10:07:49 e-smith ipsec__plutorun: 112 "net.local-gate.192.168.2.0" #3: STATE_QUICK_I1: initiate
Mar  9 10:07:49 e-smith ipsec__plutorun: 004 "net.local-gate.192.168.2.0" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
Mar  9 10:07:50 e-smith ipsec__plutorun: 112 "gate.local-gate.192.168.2.0" #4: STATE_QUICK_I1: initiate
Mar  9 10:07:50 e-smith ipsec__plutorun: 004 "gate.local-gate.192.168.2.0" #4: STATE_QUICK_I2: sent QI2, IPsec SA established
Mar  9 10:07:51 e-smith ipsec__plutorun: 112 "net.local-net.192.168.2.0" #5: STATE_QUICK_I1: initiate
Mar  9 10:07:51 e-smith ipsec__plutorun: 004 "net.local-net.192.168.2.0" #5: STATE_QUICK_I2: sent QI2, IPsec SA established

here is the same message from the client server CB
Mar  9 09:57:27 calabash ipsec_setup: Starting FreeS/WAN IPsec 1.91...
Mar  9 09:57:54 calabash kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.91
Mar  9 09:57:54 calabash ipsec_setup: KLIPS debug none'
Mar  9 09:57:55 calabash ipsec_setup: KLIPS ipsec0 on ppp0 207.144.46.194/255.255.255.255 pointopoint 204.116.190.46
Mar  9 09:57:56 calabash ipsec_setup: ...FreeS/WAN IPsec started
Mar  9 09:58:03 calabash ipsec__plutorun: 003 "gate.192.168.1.0-net.local": route-client command exited with status 7
Mar  9 09:58:03 calabash ipsec__plutorun: 025 "gate.192.168.1.0-net.local": could not route
Mar  9 09:58:04 calabash ipsec__plutorun: 003 "net.192.168.1.0-gate.local": route-host command exited with status 7
Mar  9 09:58:04 calabash ipsec__plutorun: 025 "net.192.168.1.0-gate.local": could not route
Mar  9 09:58:05 calabash ipsec__plutorun: 003 "gate.192.168.1.0-gate.local": route-host command exited with status 7
Mar  9 09:58:05 calabash ipsec__plutorun: 025 "gate.192.168.1.0-gate.local": could not route
Mar  9 09:58:06 calabash ipsec__plutorun: 003 "net.192.168.1.0-net.local": route-client command exited with status 7
Mar  9 09:58:06 calabash ipsec__plutorun: 025 "net.192.168.1.0-net.local": could not route
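
A way to triage logs like the two above, as an added example that is not part of the original post: it groups the pluto entries by connection name and reports which tunnels reached "IPsec SA established" and which stopped at "could not route", together with the helper command that failed. The function names are hypothetical; the sample entries are taken from the logs in this post.

```python
import re

# Pluto status as relayed to syslog: <3-digit code> "<conn>" [#sa]: <message>
PLUTO = re.compile(r'ipsec__plutorun: (\d{3}) "([^"]+)"(?: #\d+)?: (.*)$')
STAMP = re.compile(r'[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ')
HELPER = re.compile(r'(\S+) command exited with status (\d+)')

def unwrap(text):
    """Rejoin entries that a terminal hard-wrapped (no timestamp = continuation)."""
    out = []
    for line in text.splitlines():
        if out and not STAMP.match(line):
            out[-1] += line
        else:
            out.append(line)
    return out

def triage(text):
    """Return ({conn: state}, {conn: (failed helper, exit status)})."""
    state, failed = {}, {}
    for line in unwrap(text):
        m = PLUTO.search(line)
        if not m:
            continue
        _code, conn, msg = m.groups()
        helper = HELPER.search(msg)
        if helper:
            failed[conn] = (helper.group(1), int(helper.group(2)))
        elif "could not route" in msg:
            state[conn] = "unrouted"
        elif "IPsec SA established" in msg:
            state[conn] = "established"
        else:
            state.setdefault(conn, "negotiating")
    return state, failed

# Entries taken from the two logs in the post; the last two are hard-wrapped
# the way a terminal paste can leave them.
SAMPLE = '''\
Mar  9 10:07:48 e-smith ipsec__plutorun: 112 "gate.local-net.192.168.2.0" #2: STATE_QUICK_I1: initiate
Mar  9 10:07:48 e-smith ipsec__plutorun: 004 "gate.local-net.192.168.2.0" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
Mar  9 09:58:03 calabash ipsec__plutorun: 003 "gate.192.168.1.0-net.local": rout
e-client command exited with status 7
Mar  9 09:58:03 calabash ipsec__plutorun: 025 "gate.192.168.1.0-net.local": coul
d not route
'''

if __name__ == "__main__":
    states, failures = triage(SAMPLE)
    for conn, st in states.items():
        print(conn, st, failures.get(conn, ""))
```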

13x

Re: Server to Server PPTP
« Reply #4 on: March 10, 2002, 09:34:54 AM »
The IPSEC rpm doesn't deal with dynamic addresses well.  Check /etc/ipsec.conf on the pppoe side.  You'll have to add the missing information manually.  Most likely it's missing the gateway.  Compare /etc/ipsec.conf from both sides and it will be obvious what is missing.

Try

# route -n  

to get the gateway information.

jim
13x
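
The check jim describes, as an added example that is not part of the original thread: it reads the default gateway from `route -n` output and lists the connections in an ipsec.conf whose local endpoint has no next-hop entry. The function names are hypothetical, the `route -n` output and ipsec.conf fragment are constructed from the addresses Scott posted (the real file is not shown in the thread), and `leftnexthop`/`rightnexthop` are FreeS/WAN's parameter names for the gateway.

```python
def default_gateway(route_n):
    """Return the gateway of the default route in `route -n` output, or None."""
    for line in route_n.splitlines():
        f = line.split()
        if len(f) == 8 and f[0] == "0.0.0.0" and "G" in f[3]:
            return f[1]
    return None

def parse_conns(conf):
    """Parse ipsec.conf text into {conn name: {parameter: value}}."""
    conns, cur = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # section header, e.g. "conn name"
            kind, _, name = line.partition(" ")
            cur = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif cur is not None and "=" in line:
            key, _, val = line.strip().partition("=")
            cur[key.strip()] = val.strip()
    return conns

def missing_nexthop(conf, local_ip):
    """List (conn, parameter) pairs where the local endpoint lacks a next hop."""
    conns = parse_conns(conf)
    defaults = conns.pop("%default", {})     # values inherited by every conn
    out = []
    for name, params in conns.items():
        merged = {**defaults, **params}
        for side in ("left", "right"):
            if merged.get(side) == local_ip and side + "nexthop" not in merged:
                out.append((name, side + "nexthop"))
    return out

# Constructed samples for the pppoe (CB) side, using the addresses in the thread.
ROUTE_N = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         204.116.190.46  0.0.0.0         UG    0      0        0 ppp0
"""
IPSEC_CONF = """\
conn gate.192.168.1.0-net.local
    left=207.144.46.194
    leftsubnet=192.168.2.0/24
    right=63.108.180.40
    rightnexthop=63.108.180.254
"""

for conn, key in missing_nexthop(IPSEC_CONF, "207.144.46.194"):
    print(f"{conn}: add {key}={default_gateway(ROUTE_N)}")
```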

Scott Carle

Re: Server to Server PPTP
« Reply #5 on: March 10, 2002, 06:18:15 PM »
thanks jim
I did what you recommended and it worked. I got the CB client side, which has the pppoe dsl link on it, to be able to ping from there to the MB server side private network. I can hit windows systems on the local network there.
I had to go back and take out a subnet mask reference on the CB side after that to get the MB side to be able to ping the CB side, but I now have both sides up and running with full connectivity.

My next question for anyone out there is: now that I have manually edited the /etc/ipsec.conf file, how do I, or what would be the best way to, keep the templates from overwriting it the next time the server is rebooted?
Thank you
Scott Carle

Jono

Re: Server to Server PPTP
« Reply #6 on: February 17, 2003, 11:49:09 PM »
I guess you have found out that there's NO problem,..,.  :)