Koozali.org: home of the SME Server

Legacy Forums => General Discussion (Legacy) => Topic started by: rick1908 on January 11, 2006, 05:38:23 PM

Title: SSH Connects to Remote Server with Public IP while using VPN
Post by: rick1908 on January 11, 2006, 05:38:23 PM
I am having a little trouble figuring this out.

Background: I set up rsync to back up one SME 6.01 server to another remote SME 6.01 server (100 miles away). The only way I knew how to do it was by using the ssh switches available in rsync. I had to allow public access to ssh connections for it all to work. It did... loved the way it was working. However, a review of the messages log showed several people were poking at the server trying to log on via ssh. So, I turned off public access to ssh and established an IPSec VPN between the two machines. I made sure that the hosts.allow file on both servers included each other's private network in the sshd section as well as all the other sections, and tried to resume my rsync backups via 192.168.x.x instead of mydomain.com.

Just to make sure everything was going to work well, I made a PuTTY connection into one server and tried to make an ssh connection to the other. I got an error back: "ssh_exchange_identification: Connection closed by remote host". I picked through some posts and searched Google, and found many posts stating that the hosts.allow should have the remote network included. I verified again that in fact it is included; however, still no joy.

I then checked the messages log immediately after making another attempt to connect via ssh. That is when I saw that the ssh client was trying to connect to the server with the public IP address rather than the private one, even though I entered the command "ssh 192.168.x.x".

The funny thing is that I can ssh into either server using the private IP address with PuTTY.

Questions: Is it possible to make this work as expected (i.e. both server and client recognize the connection as 192.168.x.x), or is this a "feature" of IPSec and/or ssh?

I am using: openssh-3.7.1p1-1es4 & freeswan-1.99_x509_0.9.15_2.4.20_18.7-1


Thanks for your help.

Sincerely,
Rick Evans
Ft. Lauderdale, FL
Title: ***UPDATE: SSH Connects to Remote Server with Public IP
Post by: rick1908 on January 15, 2006, 02:54:59 AM
The problem appears to be a routing issue on the server. If I execute "ssh 192.168.1.1", I get a time out saying connection closed by remote. If I execute "ssh -b 192.168.10.1 192.168.1.1", then I get a successful connection.

Would this indicate a routing issue? That is my guess anyhow. I do not know how to make sure that connections to private IP ranges go across the VPN using the private IP address as the source address. Is there anyone that can help me with this? I have been trying to figure it out from two different websites; they are:

http://www.av8n.com/vpn/iproute2.htm
http://www.policyrouting.org/iproute2.doc.html

From these sites I tried to fix my problem using the following:

1. added "2 from.this.host" to the /etc/iproute2/rt_tables file,
and then executed the following commands:

2. ip rule add iif lo table from.this.host priority 500
3. ip route add 192.168.1.0/24 table from.this.host dev eth0 src 192.168.10.1
4. ip route flush cache

Now when I execute "ssh 192.168.1.1" I get:

ssh: connect to host 192.168.1.1 port 22: No route to host

I am a little gun-shy of messing up the whole server by entering the wrong commands. It appears that I have already done some harm. Is there anyone familiar with setting up routing? I need to reverse what I have already done and see if I can get the routing to work correctly across the VPN.

The output from "ip route show" after I made the noted changes in 1-4 above is:

remote_public_ip_address via local_public_ip_router dev ipsec0
192.168.1.0/24 via local_public_ip_router dev ipsec0
192.168.10.0/24 dev eth0  scope link
local_public_ip_address_range/20 dev eth1  proto kernel  scope link  src local_public_ip_address
local_public_ip_address_range/20 dev ipsec0  proto kernel  scope link  src local_public_ip_address
127.0.0.0/8 dev lo  scope link
default via local_public_ip_router dev eth1


Thanks for your help.

Sincerely,
Rick Evans
Ft. Lauderdale, FL
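The route table in the post already explains the symptom. Both the 192.168.1.0/24 route and the remote_public_ip_address route go out dev ipsec0, and ipsec0 carries the local public address (the local_public_ip_address_range/20 line with src local_public_ip_address). A route with no explicit src takes the preferred address of its output device, so "ssh 192.168.1.1" leaves with the public IP as source, which is what tcp_wrappers on the far end rejected. "ssh -b 192.168.10.1" works because it overrides that choice. The extra table added in steps 1-4 sends 192.168.1.0/24 out dev eth0 with no gateway, i.e. as a directly attached network, which is consistent with the "No route to host" that followed. The script below is an added example, not code from the thread: it replays the kernel's source selection (longest prefix match, then the route's src, else the device's preferred address) over the posted table, with the placeholder names replaced by constructed documentation addresses and the per-interface preferred addresses assumed as described above.

```python
"""Added example (not from the thread): simulate which source address the
Linux kernel picks for a destination, using the route table the post
shows under "ip route show".  The placeholders in the post
(local_public_ip_address and friends) are replaced by constructed
documentation addresses; the selection rule is the kernel's: longest
prefix match, then the route's explicit 'src' if present, otherwise the
preferred address of the output device."""
import ipaddress

# Constructed stand-ins for the placeholders in the posted table.
LOCAL_PUBLIC = "203.0.113.10"        # local_public_ip_address
LOCAL_PUBLIC_NET = "203.0.112.0/20"  # local_public_ip_address_range/20
ROUTER = "203.0.112.1"               # local_public_ip_router
REMOTE_PUBLIC = "198.51.100.20"      # remote_public_ip_address

# Preferred address per interface (assumed): ipsec0 is FreeS/WAN's
# virtual device layered over eth1, so it carries the PUBLIC address,
# which is why ssh left with the public IP as its source.
IFACE_ADDR = {
    "eth0": "192.168.10.1",
    "eth1": LOCAL_PUBLIC,
    "ipsec0": LOCAL_PUBLIC,
    "lo": "127.0.0.1",
}

# The table from the post, with placeholders substituted.
POSTED_TABLE = f"""
{REMOTE_PUBLIC} via {ROUTER} dev ipsec0
192.168.1.0/24 via {ROUTER} dev ipsec0
192.168.10.0/24 dev eth0  scope link
{LOCAL_PUBLIC_NET} dev eth1  proto kernel  scope link  src {LOCAL_PUBLIC}
{LOCAL_PUBLIC_NET} dev ipsec0  proto kernel  scope link  src {LOCAL_PUBLIC}
127.0.0.0/8 dev lo  scope link
default via {ROUTER} dev eth1
"""

# Same table with a 'src' hint on the VPN route (assumed fix: the
# iproute2 counterpart of the 'ssh -b 192.168.10.1' workaround).
HINTED_TABLE = POSTED_TABLE.replace(
    f"192.168.1.0/24 via {ROUTER} dev ipsec0",
    f"192.168.1.0/24 via {ROUTER} dev ipsec0 src 192.168.10.1",
)


def parse_routes(text):
    """Parse 'ip route show' lines into dicts with dst/via/dev/src."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        dst = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        route = {"dst": ipaddress.ip_network(dst, strict=False),
                 "via": None, "dev": None, "src": None}
        i = 1
        while i < len(tok):
            if tok[i] in ("via", "dev", "src"):
                route[tok[i]] = tok[i + 1]
                i += 2
            else:            # proto/scope/etc. do not matter here
                i += 1
        routes.append(route)
    return routes


def route_source(table_text, dst):
    """Return (output device, source address) the kernel would use for
    a locally generated packet to `dst`."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in parse_routes(table_text):
        if addr in r["dst"] and (best is None
                                 or r["dst"].prefixlen > best["dst"].prefixlen):
            best = r
    if best is None:
        raise LookupError(f"no route to {dst}")
    src = best["src"] or IFACE_ADDR[best["dev"]]
    return best["dev"], src


if __name__ == "__main__":
    for label, table in (("posted", POSTED_TABLE), ("with src hint", HINTED_TABLE)):
        dev, src = route_source(table, "192.168.1.1")
        print(f"{label:14}: ssh 192.168.1.1 leaves via {dev} from {src}")
    print("Internet host  :", route_source(POSTED_TABLE, "192.0.2.7"))
```

On the posted table the VPN destination gets the public source; with the src hint it gets 192.168.10.1, and Internet destinations are unaffected either way. The hint can live in the main table rather than a separate rule-based one: something like "ip route change 192.168.1.0/24 via local_public_ip_router dev ipsec0 src 192.168.10.1" (my suggestion, not tested on an SME 6 box). To back out steps 2-3, "ip rule del iif lo table from.this.host priority 500" followed by "ip route flush table from.this.host" removes the rule and empties the table.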
Title: SSH Connects to Remote Server with Public IP while using VPN
Post by: rick1908 on January 28, 2006, 06:27:03 PM
Found a solution!!!!

In case anyone has this problem in the future, the solution is really simple.

There is a file in the /etc/ssh/ dir called ssh_config

edit that file and Add:

BindAddress 192.168.x.x    <-------------(IP address of local interface)

This will by default force the ssh connection over the local connection.

Very simple solution; problem solved.

Thanks to all those who helped ---- doh!!! no one

-Rick
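One caveat a reader should weigh before copying that line: a global BindAddress in /etc/ssh/ssh_config applies to every ssh client connection from the box, including ones to Internet hosts, which cannot reply to a private source address. ssh_config applies the first value it obtains for an option, with lines outside any Host block applying to all hosts, so the setting can be scoped to the VPN subnet by putting it in a Host block that comes first. The resolver below is an added example, not from the post or from OpenSSH; it applies that first-match rule to two constructed config texts, the post's global line and a scoped variant, and shows which BindAddress each destination would get (newer OpenSSH prints the effective config with "ssh -G", which the 3.7.1 in the post does not have).

```python
"""Added example (not from the thread): resolve the BindAddress that
ssh would apply to a destination from a client config, following the
ssh_config(5) rule that the first obtained value for an option wins,
with lines outside any Host block applying to every host.  The two
config texts below are constructed for the example."""
import fnmatch

# The post's fix: a single global line.  It also pins connections to
# Internet hosts to 192.168.10.1, an address no Internet host can reply to.
GLOBAL_BIND = """
BindAddress 192.168.10.1
"""

# Scoped variant (assumed, not from the post): only the remote VPN
# subnet is pinned to the private address; other destinations keep the
# kernel's own choice of source address.  The specific Host block has
# to come before the catch-all because the first match wins.
SCOPED_BIND = """
Host 192.168.1.*
    BindAddress 192.168.10.1

Host *
    ServerAliveInterval 60
"""


def host_matches(patterns, hostname):
    """ssh_config Host matching: '*' and '?' wildcards; a matching
    '!'-negated pattern vetoes the whole block.  fnmatch also treats
    '[...]' as a class, which plain ssh patterns do not; harmless here."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched


def resolve_option(config_text, hostname, option):
    """Return the value of `option` that applies to `hostname`, or None."""
    patterns = ["*"]          # before the first Host line everything applies
    wanted = option.lower()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            patterns = value.split()
        elif key == wanted and host_matches(patterns, hostname):
            return value          # first obtained value wins
    return None


if __name__ == "__main__":
    for cfg_name, cfg in (("global", GLOBAL_BIND), ("scoped", SCOPED_BIND)):
        for target in ("192.168.1.1", "203.0.113.50"):
            print(f"{cfg_name:6} ssh {target:14} -> BindAddress",
                  resolve_option(cfg, target, "BindAddress"))
```

With the global line, both the VPN peer and the constructed Internet host 203.0.113.50 get BindAddress 192.168.10.1; with the scoped config only 192.168.1.1 does. Either way the setting only changes the client's source address; sshd and tcp_wrappers on the far side then see 192.168.10.1, which is the address hosts.allow was written for.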