Koozali.org: home of the SME Server
		Legacy Forums => Experienced User Forum => Topic started by: Peter Smit on May 24, 2003, 02:59:12 AM
		
			
			- 
				hi,
 
 Just for learning, I'm trying to connect 2 SME boxes.
 
 Mine is SME 5.6u4, the other one is SME 5.5u6.
 Is this already a problem?
 
 For the 5.6 I used the lordsfam howto and RPMs.
 For the 5.5 I used dmc-mitel-freeswan-1.97-3sme55.noarch.rpm,
 and on both sides I followed the howto letter for letter.
 
 Somehow the boxes won't send or receive on ipsec0.
 
 Is there some file or log I can show you to help me?
 
 Peter Smit
- 
				Hi,
 
 For your SME 5.6 use devinfo-freeswan-1.99-8sme56.noarch.rpm, download at http://mirror.contribs.org/smeserver/contribs/saco/contrib/devinfo-freeswan-1.99/
 
 In this enhanced version you can set the ID of the 5.6 box to the external IP. You need this for a connection to a 5.5 box!
 
 You must have fixed external IPs on both sides!
 
 Best,
 Peter
- 
				thanks,
 
 I upgraded to devinfo-freeswan-1.99-8sme56.noarch.rpm and set the ID to the external IP.
 
 But I still see no traffic on ipsec0 on both sides.
 
 My ipsec.conf looks like this:
 
 #------------------------------------------------------------
 
 # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
 
 # basic configuration
 config setup
 # THIS SETTING MUST BE CORRECT or almost nothing will work;
 # %defaultroute is okay for most simple cases.
 interfaces=%defaultroute
 # Debug-logging controls:  "none" for (almost) none, "all" for lots.
 klipsdebug=none
 plutodebug=none
 # Use auto= parameters in conn descriptions to control startup actions.
 plutoload=%search
 plutostart=%search
 # Close down old connection when new one using same ID shows up.
 uniqueids=yes
 
 # defaults for subsequent connection descriptions
 # (these defaults will soon go away)
 conn %default
 keyingtries=0
 disablearrivalcheck=no
 authby=rsasig
 #leftrsasigkey=%dnsondemand
 #rightrsasigkey=%dnsondemand
 
 ##############################################################
 
 conn net.local-net.192.168.0.0
 also=net.local.left
 right=80.56.120.178
 rightsubnet=192.168.0.0/255.255.255.0
 rightfirewall=yes
 rightid=@80.56.120.178
 rightrsasigkey=0sAQPBqOigRmdtYU4dbhDG6FTDB/sJBzGXkMUkdBwf+ob1ASx0H7Ef+m
 r6ct82RaHi+LadW5dV2n
 auto=start
 
 conn gate.local-gate.192.168.0.0
 also=gate.local.left
 right=80.56.120.178
 rightid=@80.56.120.178
 rightrsasigkey=0sAQPBqOigRmdtYU4dbhDG6FTDB/sJBzGXkMUkdBwf+ob1ASx0H7Ef+m
 r6ct82RaHi+LadW5dV2n
 auto=start
 
 conn net.local-gate.192.168.0.0
 also=net.local.left
 right=80.56.120.178
 rightid=@80.56.120.178
 rightrsasigkey=0sAQPBqOigRmdtYU4dbhDG6FTDB/sJBzGXkMUkdBwf+ob1ASx0H7Ef+m
 r6ct82RaHi+LadW5dV2n
 auto=start
 
 conn gate.local-net.192.168.0.0
 also=gate.local.left
 right=80.56.120.178
 rightsubnet=192.168.0.0/255.255.255.0
 rightfirewall=yes
 rightid=@80.56.120.178
 rightrsasigkey=0sAQPBqOigRmdtYU4dbhDG6FTDB/sJBzGXkMUkdBwf+ob1ASx0H7Ef+m
 r6ct82RaHi+LadW5dV2n
 auto=start
 
 ##############################################################
 
 
 
 
 ##############################################################
 # Attributes for connection                                  #
 # local net as left                                          #
 ##############################################################
 conn net.local.left
 left=%defaultroute
 leftsubnet=192.168.1.0/255.255.255.0
 leftfirewall=yes
 leftid=@212.127.156.125
 leftrsasigkey=0sAQN0Hy9nCREFRBm0OD6IBj5Zoo8kjGrfqxtFSGtBlgv3G8mY1TLaJkQ
 XLCbS4HJ8hMWr6lTXdIHlpDytnUM8BqvK2L3zK/XP1PJ2pgcMeo5ox3sxufMxp9kGbO/k8NSvE7w8y5
 b58ewRF7ekDYeai0NMnZnMoJNJMb7goHBA/YiLPEDO+qJiHKUdR13vwGobDkOlPMymhf1dTfQWvFKrI
 kXU0lSBY2X0lZUTbQaN4Kl8GqAJV7+e0Jy0JDd3xhBEMJAFBdbsJ0qlkWGeyJnUYDsdagL0eJegRyF6
 tZMFbHAG+4DgPTigHpPOO6mcchFMyt70fElPvNt0xCkijjjpCez3
 
 ##############################################################
 # Attributes for connection                                  #
 # local gate as left                                         #
 ##############################################################
 conn gate.local.left
 left=%defaultroute
 leftid=@212.127.156.125
 leftrsasigkey=0sAQN0Hy9nCREFRBm0OD6IBj5Zoo8kjGrfqxtFSGtBlgv3G8mY1TLaJkQ
 XLCbS4HJ8hMWr6lTXdIHlpDytnUM8BqvK2L3zK/XP1PJ2pgcMeo5ox3sxufMxp9kGbO/k8NSvE7w8y5
 b58ewRF7ekDYeai0NMnZnMoJNJMb7goHBA/YiLPEDO+qJiHKUdR13vwGobDkOlPMymhf1dTfQWvFKrI
 kXU0lSBY2X0lZUTbQaN4Kl8GqAJV7+e0Jy0JDd3xhBEMJAFBdbsJ0qlkWGeyJnUYDsdagL0eJegRyF6
 tZMFbHAG+4DgPTigHpPOO6mcchFMyt70fElPvNt0xCkijjjpCez3
 
 ##############################################################
 # Attributes for connection                                  #
 # local net as right                                         #
 ##############################################################
 conn net.local.right
 right=%defaultroute
 rightsubnet=192.168.1.0/255.255.255.0
 rightfirewall=yes
 rightid=@212.127.156.125
 rightrsasigkey=0sAQN0Hy9nCREFRBm0OD6IBj5Zoo8kjGrfqxtFSGtBlgv3G8mY1TLaJk
 QXLCbS4HJ8hMWr6lTXdIHlpDytnUM8BqvK2L3zK/XP1PJ2pgcMeo5ox3sxufMxp9kGbO/k8NSvE7w8y
 5b58ewRF7ekDYeai0NMnZnMoJNJMb7goHBA/YiLPEDO+qJiHKUdR13vwGobDkOlPMymhf1dTfQWvFKr
 IkXU0lSBY2X0lZUTbQaN4Kl8GqAJV7+e0Jy0JDd3xhBEMJAFBdbsJ0qlkWGeyJnUYDsdagL0eJegRyF
 6tZMFbHAG+4DgPTigHpPOO6mcchFMyt70fElPvNt0xCkijjjpCez3
 
 ##############################################################
 # Attributes for connection                                  #
 # local gate as right                                        #
 ##############################################################
 conn gate.local.right
 right=%defaultroute
 rightid=@212.127.156.125
 rightrsasigkey=0sAQN0Hy9nCREFRBm0OD6IBj5Zoo8kjGrfqxtFSGtBlgv3G8mY1TLaJk
 QXLCbS4HJ8hMWr6lTXdIHlpDytnUM8BqvK2L3zK/XP1PJ2pgcMeo5ox3sxufMxp9kGbO/k8NSvE7w8y
 5b58ewRF7ekDYeai0NMnZnMoJNJMb7goHBA/YiLPEDO+qJiHKUdR13vwGobDkOlPMymhf1dTfQWvFKr
 IkXU0lSBY2X0lZUTbQaN4Kl8GqAJV7+e0Jy0JDd3xhBEMJAFBdbsJ0qlkWGeyJnUYDsdagL0eJegRyF
 6tZMFbHAG+4DgPTigHpPOO6mcchFMyt70fElPvNt0xCkijjjpCez3
 
 
 #------------------------------------------------------------
 # TEMPLATE END
 #------------------------------------------------------------
 
 The other side (SME 5.5):
 
 #------------------------------------------------------------
 
 config setup
 # THIS SETTING MUST BE CORRECT or almost nothing will work;
 # %defaultroute is okay for most simple cases.
 interfaces=%defaultroute
 # Debug-logging controls:  "none" for (almost) none, "all" for lots.
 klipsdebug=none
 plutodebug=none
 # Use auto= parameters in conn descriptions to control startup actions.
 plutoload=%search
 plutostart=%search
 # Close down old connection when new one using same ID shows up.
 uniqueids=yes
 
 conn %default
 # How persistent to be in (re)keying negotiations (0 means very).
 keyingtries=0
 # How to authenticate gateways
 authby=rsasig
 # Enable compression
 compress=no
 ##############################################################
 
 conn net.192.168.1.0-net.local
 left=212.127.156.125
 leftnexthop=212.127.156.1
 leftsubnet=192.168.1.0/255.255.255.0
 leftid=@212.127.156.125
 leftfirewall=yes
 leftrsasigkey=0sAQN0Hy9nCREFRBm0OD6IBj5Zoo8kjGrfqxtFSGtBlgv3G8mY1TLaJkQ
 XLCbS4HJ8hMWr6lTXdIHlpDytnUM8BqvK2L3zK/XP1PJ2pgcMeo5ox3sxufMxp9kGbO/k8NSvE7w8y5
 b58ewRF7ekDYeai0NMnZnMoJNJMb7goHBA/YiLPEDO+qJiHKUdR13vwGobDkOlPMymhf1dTfQWvFKrI
 kXU0lSBY2X0lZUTbQaN4Kl8GqAJV7+e0Jy0JDd3xhBEMJAFBdbsJ0qlkWGeyJnUYDsdagL0eJegRyF6
 tZMFbHAG+4DgPTigHpPOO6mcchFMyt70fElPvNt0xCkijjjpCez3
 also=net.local.right
 auto=start
 
 conn gate.192.168.1.0-gate.local
 left=212.127.156.125
 leftnexthop=212.127.156.1
 leftid=@212.127.156.125
 leftrsasigkey=0sAQN0Hy9nCREFRBm0OD6IBj5Zoo8kjGrfqxtFSGtBlgv3G8mY1TLaJkQ
 XLCbS4HJ8hMWr6lTXdIHlpDytnUM8BqvK2L3zK/XP1PJ2pgcMeo5ox3sxufMxp9kGbO/k8NSvE7w8y5
 b58ewRF7ekDYeai0NMnZnMoJNJMb7goHBA/YiLPEDO+qJiHKUdR13vwGobDkOlPMymhf1dTfQWvFKrI
 kXU0lSBY2X0lZUTbQaN4Kl8GqAJV7+e0Jy0JDd3xhBEMJAFBdbsJ0qlkWGeyJnUYDsdagL0eJegRyF6
 tZMFbHAG+4DgPTigHpPOO6mcchFMyt70fElPvNt0xCkijjjpCez3
 also=gate.local.right
 auto=start
 
 conn net.192.168.1.0-gate.local
 left=212.127.156.125
 leftnexthop=212.127.156.1
 leftsubnet=192.168.1.0/255.255.255.0
 leftid=@212.127.156.125
 leftfirewall=yes
 leftrsasigkey=0sAQN0Hy9nCREFRBm0OD6IBj5Zoo8kjGrfqxtFSGtBlgv3G8mY1TLaJkQ
 XLCbS4HJ8hMWr6lTXdIHlpDytnUM8BqvK2L3zK/XP1PJ2pgcMeo5ox3sxufMxp9kGbO/k8NSvE7w8y5
 b58ewRF7ekDYeai0NMnZnMoJNJMb7goHBA/YiLPEDO+qJiHKUdR13vwGobDkOlPMymhf1dTfQWvFKrI
 kXU0lSBY2X0lZUTbQaN4Kl8GqAJV7+e0Jy0JDd3xhBEMJAFBdbsJ0qlkWGeyJnUYDsdagL0eJegRyF6
 tZMFbHAG+4DgPTigHpPOO6mcchFMyt70fElPvNt0xCkijjjpCez3
 also=gate.local.right
 auto=start
 
 conn gate.192.168.1.0-net.local
 left=212.127.156.125
 leftnexthop=212.127.156.1
 leftid=@212.127.156.125
 leftrsasigkey=0sAQN0Hy9nCREFRBm0OD6IBj5Zoo8kjGrfqxtFSGtBlgv3G8mY1TLaJkQ
 XLCbS4HJ8hMWr6lTXdIHlpDytnUM8BqvK2L3zK/XP1PJ2pgcMeo5ox3sxufMxp9kGbO/k8NSvE7w8y5
 b58ewRF7ekDYeai0NMnZnMoJNJMb7goHBA/YiLPEDO+qJiHKUdR13vwGobDkOlPMymhf1dTfQWvFKrI
 kXU0lSBY2X0lZUTbQaN4Kl8GqAJV7+e0Jy0JDd3xhBEMJAFBdbsJ0qlkWGeyJnUYDsdagL0eJegRyF6
 tZMFbHAG+4DgPTigHpPOO6mcchFMyt70fElPvNt0xCkijjjpCez3
 also=net.local.right
 auto=start
 
 ##############################################################
 
 
 
 ##############################################################
 # Attributes for connection                                  #
 # local net as left                                          #
 ##############################################################
 
 conn net.local.left
 left=80.56.120.178
 leftnexthop=
 leftsubnet=192.168.0.0/255.255.255.0
 leftrsasigkey=0sAQPBqOigRmdtYU4dbhDG6FTDB/sJBzGXkMUkdBwf+ob1ASx0H7Ef+mr
 6ct82RaHi+LadW5dV2nSYD/ZaABhPl8WzEbcbZulI7Nr3+l8vVcZ2CuXFlEUN2OteDtekYVnup1JkhJ
 fwVOefzJGcuzKorsiU6MosIKMJJSAagD6ztWkh84Y5NYoNhQcoqYMHu3WBfogjtqCXAtgOJd1NvUWCM
 j91s3lYaQQv7OsRkWs6QzdSv5sa/3wDwm8VzDh6ESlA2WV9eYp2GnZhEU/W/Tv2lYE5fn4mucmAGhPp
 Axd+tM1RQAMS/IzWTFYH+cPKzykSlh/QPa7GTsRkR2v/TkerJdNv
 leftid=@80.56.120.178
 leftfirewall=yes
 
 ##############################################################
 # Attributes for connection                                  #
 # local gate as left                                         #
 ##############################################################
 
 conn gate.local.left
 left=80.56.120.178
 leftnexthop=
 leftrsasigkey=0sAQPBqOigRmdtYU4dbhDG6FTDB/sJBzGXkMUkdBwf+ob1ASx0H7Ef+mr
 6ct82RaHi+LadW5dV2nSYD/ZaABhPl8WzEbcbZulI7Nr3+l8vVcZ2CuXFlEUN2OteDtekYVnup1JkhJ
 fwVOefzJGcuzKorsiU6MosIKMJJSAagD6ztWkh84Y5NYoNhQcoqYMHu3WBfogjtqCXAtgOJd1NvUWCM
 j91s3lYaQQv7OsRkWs6QzdSv5sa/3wDwm8VzDh6ESlA2WV9eYp2GnZhEU/W/Tv2lYE5fn4mucmAGhPp
 Axd+tM1RQAMS/IzWTFYH+cPKzykSlh/QPa7GTsRkR2v/TkerJdNv
 leftid=@80.56.120.178
 
 ##############################################################
 # Attributes for connection                                  #
 # local net as right                                         #
 ##############################################################
 
 conn net.local.right
 right=80.56.120.178
 rightnexthop=
 rightsubnet=192.168.0.0/255.255.255.0
 rightrsasigkey=0sAQPBqOigRmdtYU4dbhDG6FTDB/sJBzGXkMUkdBwf+ob1ASx0H7Ef+m
 r6ct82RaHi+LadW5dV2nSYD/ZaABhPl8WzEbcbZulI7Nr3+l8vVcZ2CuXFlEUN2OteDtekYVnup1Jkh
 JfwVOefzJGcuzKorsiU6MosIKMJJSAagD6ztWkh84Y5NYoNhQcoqYMHu3WBfogjtqCXAtgOJd1NvUWC
 Mj91s3lYaQQv7OsRkWs6QzdSv5sa/3wDwm8VzDh6ESlA2WV9eYp2GnZhEU/W/Tv2lYE5fn4mucmAGhP
 pAxd+tM1RQAMS/IzWTFYH+cPKzykSlh/QPa7GTsRkR2v/TkerJdNv
 rightid=@80.56.120.178
 rightfirewall=yes
 
 ##############################################################
 # Attributes for connection                                  #
 # local gate as right                                        #
 ##############################################################
 
 conn gate.local.right
 right=80.56.120.178
 rightnexthop=
 rightrsasigkey=0sAQPBqOigRmdtYU4dbhDG6FTDB/sJBzGXkMUkdBwf+ob1ASx0H7Ef+m
 r6ct82RaHi+LadW5dV2nSYD/ZaABhPl8WzEbcbZulI7Nr3+l8vVcZ2CuXFlEUN2OteDtekYVnup1Jkh
 JfwVOefzJGcuzKorsiU6MosIKMJJSAagD6ztWkh84Y5NYoNhQcoqYMHu3WBfogjtqCXAtgOJd1NvUWC
 Mj91s3lYaQQv7OsRkWs6QzdSv5sa/3wDwm8VzDh6ESlA2WV9eYp2GnZhEU/W/Tv2lYE5fn4mucmAGhP
 pAxd+tM1RQAMS/IzWTFYH+cPKzykSlh/QPa7GTsRkR2v/TkerJdNv
 rightid=@80.56.120.178
 
 
 Is something wrong in here?
 
 
 Peter Smit
- 
				Peter,
 
 _NEVER_ do that again, posting all this real live info!!!!
 
 I mean, giving info is one thing, but exposing _all_ IP and IPsec info is not done.
 
 Never do that again, for your own good. Change IPs and IPsec keys _NOW_!!!
 
 _everybody_ reading this topic can compromise your servers now!
 
 Just trying to help you.
 
 Regards,
 guestHH
- 
				Peter!
 
 Do what RequestedDeletion told you!
 - delete all IPsec configuration (partners)
 - do a
 /sbin/e-smith/signal-event ipsec-install
 on both installations!!!
 
 Then you have to set up IPsec/FreeS/WAN anew!
 
 Look only at /var/log/messages and /var/log/secure for errors with your connection!
 
 And NEVER post your /etc/ipsec* files!!!!
 
 Best
 Peter
- 
				I am stupid.... Never thought about that.
 
 Changed everything.
 
 Sorry, kick my butt :(
 
 Peter
- 
				After my stupid mistakes, still trying to get this to work...
 
 I made a new VPN on the 5.6 box and it started to send!
 I made the VPN on the 5.5 box but it won't do anything.
 
 The logfile says:
 
 May 26 21:51:49 server ipsec_setup: ...FreeS/WAN IPsec started
 May 26 21:51:54 server ipsec__plutorun: 003 "gate.192.168.1.0-net.local": route-client command exited with status 7
 May 26 21:51:54 server ipsec__plutorun: 003 "gate.192.168.1.0-net.local": down-client command exited with status 1
 May 26 21:51:54 server ipsec__plutorun: 025 "gate.192.168.1.0-net.local": could not route
 May 26 21:51:54 server ipsec__plutorun: ...could not route conn "gate.192.168.1.0-net.local"
 May 26 21:51:54 server ipsec__plutorun: 003 "net.192.168.1.0-gate.local": route-host command exited with status 7
 May 26 21:51:54 server ipsec__plutorun: 025 "net.192.168.1.0-gate.local": could not route
 May 26 21:51:54 server ipsec__plutorun: ...could not route conn "net.192.168.1.0-gate.local"
 May 26 21:51:55 server ipsec__plutorun: 003 "gate.192.168.1.0-gate.local": route-host command exited with status 7
 May 26 21:51:55 server ipsec__plutorun: 025 "gate.192.168.1.0-gate.local": could not route
 May 26 21:51:55 server ipsec__plutorun: ...could not route conn "gate.192.168.1.0-gate.local"
 May 26 21:51:55 server ipsec__plutorun: 003 "net.192.168.1.0-net.local": route-client command exited with status 7
 May 26 21:51:55 server ipsec__plutorun: 003 "net.192.168.1.0-net.local": down-client command exited with status 1
 May 26 21:51:55 server ipsec__plutorun: 025 "net.192.168.1.0-net.local": could not route
 May 26 21:51:55 server ipsec__plutorun: ...could not route conn "net.192.168.1.0-net.local"
 
 Still confused about the 5.5 box..
 
 Peter
- 
				Did you add a "Local Network" on the 5.5 box?
 (With an empty router field)
- 
				Yes I made a local network:
 
 Network     Subnet mask Number of hosts  Router
 192.168.1.0 255.255.255.0          256           default
 
 Peter
- 
				Peter,
 
 Got some older computers lying around? Take a look at IPCop.org.... a simple firewall, proxy, IPSEC VPN router that is easy to set up, GPL, and a small download.
 
 I have incorporated IPCop as my 'primary' internet connection at each location. I have experienced the problems you have posted, and basically have gone through this headache with every e-smith/SME upgrade. IPCop is a simple router and is designed to connect LANs with IPSEC. I am very happy with IPCop. You can continue to use SME in server/gateway mode by putting the outer NIC on the DMZ subnet with the IPCop server.... or just run SME in server-only mode. IPCop 1.3 allows you to easily port-forward PPTP VPN to SME on the LAN if you only have a single internet IP address available at your site. This allows you to keep PPTP to SME without SME being on the internet. Setting up IPSEC on IPCop is simple if you have read the documentation completely.
 
 Have fun.
 
 ryan
- 
				I too have the exact same problem; followed the info in this thread, still no joy.
 
 Anybody got any more constructive ideas? IPCop is out of the question. We have 2 SME 5.5 servers on broadband and need to link them both.
 
 TIA
 
 Dean
- 
				I had the same problem too and I corrected it by adding the "GatewayIP=62.4....." item in the /home/e-smith/configuration file on each side of the connection (with the corresponding value). After this I stopped and started the IPsec service using the "service ipsec start" or "service ipsec stop" command.
 But now I'd like to find another solution, because my ISP changes my gateway IP regularly even though I am on a static IP. However, I have installed and configured my VPN using the typical howto document and I am very surprised to see it doesn't work as indicated in the document; I think I have done as it is indicated, but it doesn't work. If someone has a solution or an explanation, could he or she tell me how to proceed? I have been looking everywhere on the net but I haven't found anything anywhere. Thank you all beforehand for your help to come, thanks.
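As an added example (not code from this thread, from SME Server or from FreeS/WAN), a small Python linter for the FreeS/WAN-style ipsec.conf layout shown above: it resolves the also= chains the SME templates use and flags the empty nexthop behind the "could not route" / status 7 messages, an @ID that does not match the peer address, and a side without an RSA key. The addresses and key in the embedded sample are constructed placeholders.

```python
# Added example, not SME/FreeS-WAN code; addresses and keys below are constructed.
SAMPLE = """\
conn %default
authby=rsasig
conn net.192.168.1.0-net.local
left=203.0.113.10
leftnexthop=203.0.113.1
leftid=@203.0.113.10
leftrsasigkey=0sAQ-PLACEHOLDER-KEY
also=net.local.right
auto=start
conn net.local.right
right=198.51.100.20
rightnexthop=
rightid=@198.51.100.21
"""  # constructed: empty nexthop, id/address mismatch, no key on the right side

def parse_conns(text):
    conns, cur = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and padding
        if line.startswith("conn "):
            cur = line[5:].strip()
            conns[cur] = {}
        elif cur is not None and "=" in line:
            k, v = line.split("=", 1)
            conns[cur][k.strip()] = v.strip()
    return conns

def resolve(conns, name, seen=()):
    if name in seen:
        raise ValueError("also= loop at " + name)
    own = dict(conns[name])   # explicit keys win over also= and %default values
    base = resolve(conns, own.pop("also"), seen + (name,)) if "also" in own else {}
    return {**conns.get("%default", {}), **base, **own}

def lint(text):
    conns, problems = parse_conns(text), []
    for name, raw in conns.items():
        if raw.get("auto") != "start":
            continue      # helper sections are only reached through also=
        c = resolve(conns, name)
        for side in ("left", "right"):
            addr, ident = c.get(side, ""), c.get(side + "id", "")
            if c.get(side + "nexthop") == "":
                problems.append((name, side + "nexthop is empty (route command fails)"))
            if ident.startswith("@") and addr not in ("", "%defaultroute") and ident[1:] != addr:
                problems.append((name, f"{side}id {ident} does not match {side}={addr}"))
            if c.get("authby") == "rsasig" and not c.get(side + "rsasigkey"):
                problems.append((name, f"{side}rsasigkey missing"))
    return problems
```

Run lint() over a real /etc/ipsec.conf on the box itself rather than pasting the file anywhere; each tuple names the auto=start conn and the check it failed.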