[Users] [Help] Please Help me about FreeS/WAN question........Thanks

From: axacheng <axanet(at)ms32.hinet.net>
Date: Mon Apr 28 2003 - 21:18:28 EDT


Hello list :

  I had tried to implement FreeS/WAN to protect my network, but I got some problems.

My network diagram is as follows:

Diagram:

## INTERNET ##===== eth1 [Home] eth0 ============= eth0 [MIS] eth1 =========== [Windows2000 road-warrior Clients]
                 204.204.10.2   192.168.3.33   192.168.3.254   192.168.10.254   (Dynamic IP: 192.168.10.X, e.g. 192.168.10.223)

Description:

[Home]
OS : Debian Woody
FreeS/WAN : 1.96v
Authentication : X.509
eth0 : 192.168.3.33
eth1 : 204.204.10.2 (Public IP)

[MIS]
OS : Debian Woody
FreeS/WAN : 1.96v
Authentication : X.509
eth0 : 192.168.3.254
eth1 : 192.168.10.254

[Windows2000 road-warrior Clients]
All of the clients run Windows 2000 SP3 and use dynamic IPs; my testing machine's IP is '192.168.10.223'.


Configuration:

- All Windows2000 clients have 192.168.10.254 as their default gateway

- All Windows2000 clients have already established an IPsec tunnel to [MIS]

- There is already an IPsec tunnel between [MIS] and [Home]

################################

### [MIS] /etc/ipsec.conf as follows: #
###############################
config setup
        interfaces="ipsec0=eth0 ipsec1=eth1"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

#---- LAN ----#
conn roadwarrior
        also=roadwarrior-net
conn roadwarrior-net

        right=%any
        left=192.168.10.235
        leftcert=vpn@lanmu.ezplay.tv.pem
        auto=start
        pfs=yes

#---- MIS TO HOME ----#
conn home
        also=home-mis
conn home-mis

        left=192.168.3.254
        leftcert=vpn@lanmu.ezplay.tv.pem
        right=192.168.3.33
        rightcert=vpn@bala.ezplay.tv.pem
        auto=start



##################################

### [Home] /etc/ipsec.conf as follows: #
##################################
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes
conn %default
        keyingtries=0
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

#---- HOME TO MIS ----#
conn home
        also=home-mis
conn home-mis
        left=192.168.3.254
        leftcert=vpn@lanmu.ezplay.tv.pem
        right=192.168.3.33
        rightcert=vpn@bala.ezplay.tv.pem
        auto=start

- NO iptables rules filter packets in [Home] and [MIS]!

    JUST MASQ rules in [MIS], as follows:

###BEGIN--- iptables MASQUERADE rules ###

iptables -t nat -A POSTROUTING -s 192.168.10.0/255.255.248.0 -j MASQUERADE
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -j ACCEPT

iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s 192.168.10.0/255.255.248.0 -j ACCEPT
iptables -A OUTPUT -d 192.168.10.0/255.255.248.0 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.10.0/255.255.248.0 -j ACCEPT

iptables -A INPUT -s 192.168.3.33 -j ACCEPT
iptables -A OUTPUT -s 192.168.3.33 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.3.33 -j ACCEPT

###END--- iptables MASQUERADE rules ###

My Steps:

  1. In [Windows2000 Client], start ipsec; I am very sure Windows2000 ipsec is working correctly ;)
  2. In [MIS], /etc/init.d/ipsec restart; then the Windows2000 client's ping to 192.168.3.254 is OK, but there is no response at all from 192.168.3.33!!!!!

       Negotiating IP Security
       Reply from 192.168.3.254: bytes=32 time=3ms TTL=64
       Reply from 192.168.3.254: bytes=32 time=3ms TTL=64

  3. In [HOME], /etc/init.d/ipsec restart to establish the IPsec tunnel between [MIS] and [HOME]; then the Windows client's pings to 192.168.3.254 and 192.168.3.33 are both OK!!!

       Negotiating IP Security
       Reply from 192.168.3.254: bytes=32 time=3ms TTL=64
       Reply from 192.168.3.254: bytes=32 time=3ms TTL=64
       Reply from 192.168.3.33: bytes=32 time=3ms TTL=64
       Reply from 192.168.3.33: bytes=32 time=3ms TTL=64


  4. Using the 'tcpdump' command to sniff packets on the 192.168.3.254 and 192.168.3.33 interfaces, I have already got 'ESP' packets!

  5. Using the 'tcpdump' command to sniff packets on the Windows2000 client (192.168.10.223), I CANNOT get any 'ESP' packets!

     All packets transferred to [Home] are 'CLEAR' packets -___-

  6. Now, I restart 'ipsec' again in Windows2000.

  7. However, when I use the ping command to ping 192.168.10.254, I get ESP packet responses!!!!!

     Unfortunately, I CANNOT ping 192.168.3.254 [MIS] and 192.168.3.33 [HOME] now...... It's very strange..... @_____@

My Questions:

  1. How do I let the Windows2000 clients use the IPsec tunnel to connect to [HOME]??????
  2. Do I need any patch????? A FreeS/WAN patch??? Or an iptables patch???? I am using the Debian Woody official .deb to install FreeS/WAN; I didn't use the FreeS/WAN source to re-compile!!!
  3. Does anyone know where to find a useful document/HOWTO that conforms with my diagram/environment???? I have already read http://jixen.tripod.com/ and http://www.thing.dyndns.org/debian/wifivpn.htm
  4. Any questions about my question, please feel free to let me know. I would explain for you ... :-)

Very Very Thanks..........

-- 
Trust & Unique ...
axacheng 

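The two ipsec.conf files above build their conns through also= and give the MIS-to-HOME conn neither a leftsubnet nor a rightsubnet. As an added example (not part of the original post and not FreeS/WAN code), the script below is a small linter that expands also= and %default under a simplified reading of ipsec.conf(5), reports the traffic selector each conn installs, and flags settings a reviewer would look at first. The embedded configuration is the [MIS] file from the post with the debug lines trimmed; the "loaded" heuristic for plutoload=%search and the wording of the findings are this script's own assumptions.

```python
"""Lint FreeS/WAN-style ipsec.conf conn sections.  Added example, not FreeS/WAN code.
Simplified ipsec.conf(5) model (assumptions of this script): 'conn %default'
supplies fallbacks for every conn; 'also=NAME' merges NAME's parameters into the
including conn (the conn's own settings win); a conn with neither leftsubnet nor
rightsubnet protects only host-to-host traffic between 'left' and 'right'."""

# Constructed sample: the [MIS] /etc/ipsec.conf from the post, debug lines trimmed.
MIS_IPSEC_CONF = """\
config setup
        interfaces="ipsec0=eth0 ipsec1=eth1"
        plutoload=%search
        plutostart=%search
        uniqueids=yes
conn %default
        keyingtries=1
        compress=yes
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
conn roadwarrior
        also=roadwarrior-net
conn roadwarrior-net
        right=%any
        left=192.168.10.235
        leftcert=vpn@lanmu.ezplay.tv.pem
        auto=start
        pfs=yes
conn home
        also=home-mis
conn home-mis
        left=192.168.3.254
        leftcert=vpn@lanmu.ezplay.tv.pem
        right=192.168.3.33
        rightcert=vpn@bala.ezplay.tv.pem
        auto=start
"""


def parse_ipsec_conf(text):
    """Return (setup, conns): the 'config setup' dict and a name -> raw params map."""
    setup, conns, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                     # section header at column 0
            kind, _, name = line.partition(" ")
            if kind == "config" and name.strip() == "setup":
                current = setup
            elif kind == "conn":
                current = conns.setdefault(name.strip(), {})
            else:
                raise ValueError(f"unsupported section: {line!r}")
            continue
        if current is None:
            raise ValueError(f"parameter before any section: {line!r}")
        key, _, value = line.strip().partition("=")
        key, value = key.strip(), value.strip().strip('"')
        if key == "also":
            current.setdefault("also", []).append(value)  # may occur more than once
        else:
            current[key] = value
    return setup, conns


def resolve(conns, name, _stack=()):
    """Expand also= includes (detecting cycles) and apply %default fallbacks."""
    if name in _stack:
        raise ValueError(f"circular also= chain through {name}")
    own, merged = conns[name], {}
    for inc in own.get("also", []):
        if inc not in conns:
            raise ValueError(f"{name}: also={inc} names a missing section")
        merged.update(resolve(conns, inc, _stack + (name,)))
    merged.update((k, v) for k, v in own.items() if k != "also")
    for k, v in conns.get("%default", {}).items():
        merged.setdefault(k, v)
    return merged


def audit(text):
    """Map each conn (except %default) to its selector, load status and findings."""
    setup, conns = parse_ipsec_conf(text)
    search = setup.get("plutoload") == "%search"
    report = {}
    for name in conns:
        if name == "%default":
            continue
        p = resolve(conns, name)
        auto = p.get("auto", "ignore")
        host_to_host = "leftsubnet" not in p and "rightsubnet" not in p
        findings = []
        if host_to_host:
            findings.append("no leftsubnet/rightsubnet: only traffic between "
                            f"{p.get('left')} and {p.get('right')} is protected")
        if auto == "start" and p.get("keyingtries") == "1":
            findings.append("keyingtries=1 with auto=start: one negotiation attempt, "
                            "then the conn is left down if the peer was not up")
        report[name] = {
            "left": p.get("leftsubnet") or p.get("left"),
            "right": p.get("rightsubnet") or p.get("right"),
            "host_to_host": host_to_host,
            # %search loads conns with auto=add/route/start; otherwise plutoload lists names
            "loaded": auto in ("add", "route", "start") if search
                      else name in setup.get("plutoload", "").split(),
            "findings": findings,
        }
    return report


if __name__ == "__main__":
    for conn, info in audit(MIS_IPSEC_CONF).items():
        print(f"conn {conn}: {info['left']} <-> {info['right']} loaded={info['loaded']}")
        for finding in info["findings"]:
            print("   !", finding)
```

Run against the [MIS] file it reports that every conn, including the road-warrior one, carries a host-to-host selector only, and that both also= wrappers and their included sections are picked up by plutoload=%search as separate conns.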
_______________________________________________
Users mailing list Users@lists.freeswan.org http://lists.freeswan.org/mailman/listinfo/users
Received on Thu May 1 21:51:23 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:01:29 EDT
