Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: lists.freeswan.org > users > 03 > 042224.html (Request Expert lists.freeswan.org Support)

[Users] [Help] Please Help me about FreeS/WAN question........Thanks

From: axacheng <axanet(at)ms32.hinet.net>
Date: Mon Apr 28 2003 - 21:48:10 EDT


Hello list :

  i had tried to implement FreeS/WAN to protect my network , but i got some of problem.

My Network diagram as follow :

¡¶Diagram ¡G

## INTERNET ##===== eth1[Home] eth0===============eth0[MIS]eth1===========[Windows2000 road-warrior Clients]

             204.204.10.2 192.168.3.33 192.168.3.254 192.168.10.254 (Dynamic IP:192.168.10.X) eg:192.168.10.223

¡¶Description¡G

[Home]
OS : Debian Woody
FreeS/WAN : 1.96v
Authentication : X.509
eth0 : 192.168.3.33
eth1 : 204.204.10.2 (Public IP)

[MIS]
OS : Debian Woody
FreeS/WAN : 1.96v
Authentication : X.509
eth0 : 192.168.3.254
eth1 : 192.168.10.254

[Windows2000 road-warrior Clients]
All of client OS is Windows 2000 sp3 and using dynamic IP, My testing machine IP is ' 192.168.10.223 '

Do you need help?X

¡¶Configuration
¡EAll of Windows2000 clients Default Gateway is 192.168.10.254

¡EAll of Windows2000 clients has already established ipsec tunnel to [MIS]

¡EThere has already a IPSEC tunnel between the [MIS] and the [Home] 

################################

### [MIS] /etc/ipsec.conf as follow : # 
###############################
config setup
        interfaces="ipsec0=eth0 ipsec1=eth1"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

#---- LAN ----#
conn roadwarrior

        also=roadwarrior-net
conn roadwarrior-net 

        right=%any
        left=192.168.10.235
        leftcert=vpn@lanmu.ezplay.tv.pem
        auto=start
        pfs=yes

#---- MIS TO HOME ----#
conn home

        also=home-mis
conn home-mis 

        left=192.168.3.254
        leftcert=vpn@lanmu.ezplay.tv.pem
        right=192.168.3.33
        rightcert=vpn@bala.ezplay.tv.pem
        auto=start



##################################

### [Home] /etc/ipsec.conf as follow : # 
##################################
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes
conn %default
        keyingtries=0
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

#---- HOME TO MIS ----#
conn home

Do you need more help?X

        also=home-mis
conn home-mis 

        left=192.168.3.254
        leftcert=vpn@lanmu.ezplay.tv.pem
        right=192.168.3.33
        rightcert=vpn@bala.ezplay.tv.pem
        auto=start

¡ENO any iptables rules to filter packets in [Home] and [MIS] !

    JUST MASQ rules in [MIS] as follow :

###BEGIN--- iptables MASQUERADE rules ###

iptables -t nat -A POSTROUTING -s 192.168.10.0/255.255.248.0 -j MASQUERADE iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -j ACCEPT

iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT 
iptables -A INPUT -s 192.168.10.0/255.255.248.0 -j ACCEPT
iptables -A OUTPUT -d 192.168.10.0/255.255.248.0 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.10.0/255.255.248.0 -j ACCEPT

iptables -A INPUT -s 192.168.3.33 -j ACCEPT
iptables -A OUTPUT -s 192.168.3.33 -j ACCEPT iptables -A FORWARD -p tcp -s 192.168.3.33 -j ACCEPT

###END--- iptables MASQUERADE rules ###

¡¶My Steps¡G

  1. In [Windows2000 Clinet], start ipsec , i am very sure Windows2000 ipsec is working correctly ; )
  2. In [MIS] /etc/init.d/ipsec restart , then Windows2000 client ping 192.168.3.254 is OK but not any respond from 192.168.3.33!!!!! Negotiating IP Security Reply from 192.168.3.254: bytes=32 time=3ms TTL=64 Reply from 192.168.3.254: bytes=32 time=3ms TTL=64
  3. In [HOME] /etc/init.d/ipsec restart to establish ipsec tunnel between [MIS] and [HOME] , then Windows client ping 192.168.3.254 and 192.168.3.33 are OK!!! Negotiating IP Security Reply from 192.168.3.254: bytes=32 time=3ms TTL=64 Reply from 192.168.3.254: bytes=32 time=3ms TTL=64

   Reply from 192.168.3.33: bytes=32 time=3ms TTL=64    Reply from 192.168.3.33: bytes=32 time=3ms TTL=64

Can we help you?X

4. Using ' tcpdump ' command to sniff packet in 192.168.3.254 and 192.168.3.33 interface , i have already got 'ESP' packets¡I

5. Using ' tcpdump ' command to sniff packet in Windows2000 client (192.168.10.223) , i CAN NOT got 'ESP' packets¡I

   All packet transfer to [Home] are ' CLEAR' packets -___-

6. Now, I restart 'ipsec' command again in Windows2000

7. However, I am using ping command to ping 192.168.10.254 , i got ESP packet respond!!!!!

    Unfortunately, i CAN NOT ping 192.168.3.254[MIS] and 192.168.3.33[HOME] now......Its very strange..... @_____@

¡¶My Question¡G

  1. How do i let Windows2000 Clients using ipsec tunnel to connect to [HOME] ??????
  2. I need any patch ????? FreeS/WAN patch??? or iptables patch???? i using Debian Woody official .deb to install FreeS/WAN i didnt use FreeS/WAN source to re-compile!!!
  3. Does anyone knows where to find useful Document/Howto that is conform with My Diagram/Environment???? i had already read http://jixen.tripod.com/ and http://www.thing.dyndns.org/debian/wifivpn.htm
  4. Any questions about my question , please feel free to let me know. i would explain for u ... :-)

Very Very Thanks.......... 

-- 
Trust & Unique ...
axacheng 

_______________________________________________

Don't know where to look next?X

Users mailing list
Users@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
Received on Fri May 2 00:37:39 2003
Can't find what you're looking for?X

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:01:29 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library