Re: [Users] Please help with NATed gateway

From: Andreas Steffen <andreas.steffen(at)strongsec.net>
Date: Tue Apr 06 2004 - 09:19:13 EDT

The error messages

 > 003 "west-east" #2: prepare-client command exited with status 127
 > 003 "west-east" #2: route-client command exited with status 127

indicate that you either did not define nexthop correctly or that your Linux distribution does not have the ip command from the iproute2 package.

Regards

Andreas

Robert ?adogórski wrote:
> ISAKMP is established, but there is still no connection between the sides.

>> Which firewall did you turn off?
>>
>> Have you checked that UDP port 500 traffic is getting through to the Linux
>> boxes and that the boxes themselves are not running their own firewalls that
>> might drop packets?
>>
>> It looks like the UDP packets between the IKE daemons are just getting
>> dropped.
>>
>> After checking this and trying to find out where the packets might have got
>> lost, it would be a good idea to turn on plutodebug in both config files and
>> then output the contents of the log file (probably /var/log/messages) so
>> that you can paste it on this mailing list.  Then the experts on this list
>> can hopefully figure out what's wrong.
>>
>> ----- Original Message -----
>> From: "Robert ?adogórski"
>> To:
>> Sent: Tuesday, March 30, 2004 8:20 AM
>> Subject: [Users] Please help with NATed gateway
>>
>>> Hello, and first: sorry for my English. Please, help.
>>>
>>> I have installed freeswan-2.05 on the west (Debian 3.0) and east (Slackware
>>> 9.1) side.
>>> The net looks like this:
>>>
>>> <192.168.1.0/24>--(192.168.1.1 gateway-Debian-NAT
>>> 192.168.0.200)--(192.168.0.249 Asmax Router-NAT with DMZ to
>>> 192.168.0.200 - public static IP)------(Router - public static
>>> IP)--(public static IP- gateway Slackware-NAT
>>>   
>>
>> 192.168.2.3)--<192.168.2.0/24>
>>  
>>
>>> Why doesn't it work?
>>>
>>> When I type on both sides:
>>>
>>> ipsec auto --up west-east
>>>
>>> I see:
>>>
>>> 104 "west-east" #1: STATE_MAIN_I1: initiate
>>> 010 "west-east" #1: STATE_MAIN_I1: retransmission; will wait 20s for
>>> response
>>> ...
>>> 010 "west-east" #1: STATE_MAIN_I1: retransmission; will wait 40s for
>>> response
>>> 031 "west-east" #1: max number of retransmissions (20) reached
>>> STATE_MAIN_I1. No response (or no acceptable response) to our first IKE
>>> message
>>> 000 "west-east" #1: starting keying attempt 2 of an unlimited number,
>>> but releasing whack
>>>
>>> Why can't I connect?
>>> My configs:
>>> (east side)
>>>
>>> version 2.0
>>> interfaces=%defaultroute
>>> klipsdebug=none
>>> plutodebug=none
>>> conn %default
>>> conn west-east
>>> # Left security gateway, subnet behind it, next hop toward right.
>>> left=(public router's IP)
>>> leftid=@debians.dns.name
>>> leftrsasigkey=0sAQN9vFX0Ab2Hu....
>>> leftsubnet=192.168.1.0/24
>>> leftnexthop=
>>> right=%defaultroute
>>> rightid=@slackware.dns.name
>>> rightrsasigkey=0sAQOYHUJ4nD8aCddB...
>>> rightsubnet=192.168.2.0/24
>>> rightnexthop=
>>> authby=rsasig
>>> auto=add
>>> conn block
>>> auto=ignore
>>> conn clear
>>> auto=ignore
>>> conn private
>>> auto=ignore
>>> conn private-or-clear
>>> auto=ignore
>>> conn clear-or-private
>>> auto=ignore
>>> conn packetdefault
>>> auto=ignore
>>>
>>> (now config of west side)
>>>
>>> version 2.0
>>> interfaces=%defaultroute
>>> klipsdebug=none
>>> plutodebug=none
>>> conn %default
>>> conn west-east
>>> # Left security gateway, subnet behind it, next hop toward right.
>>> left=%defaultroute
>>> leftid=@debians.dns.name
>>> leftrsasigkey=0sAQN9vFX0Ab2Hu....
>>> leftsubnet=192.168.1.0/24
>>> leftnexthop=
>>> right=(public Slackware's IP)
>>> rightid=@slackware.dns.name
>>> rightrsasigkey=0sAQOYHUJ4nD8aCddB...
>>> rightsubnet=192.168.2.0/24
>>> rightnexthop=195.117.137.41
>>> authby=rsasig
>>> auto=add
>>> conn block
>>> auto=ignore
>>> conn clear
>>> auto=ignore
>>> conn private
>>> auto=ignore
>>> conn private-or-clear
>>> auto=ignore
>>> conn clear-or-private
>>> auto=ignore
>>> conn packetdefault
>>> auto=ignore
>>>
>>> That's all. Is it good? Probably the configs must be different because
>>> one of the gateways is NATed.
>>> When I type
>>> ipsec verify
>>> I see on Slackware:
>>>
>>> Checking your system to see if IPsec got installed and started
>>> correctly:
>>> Version check and ipsec on-path                                 [OK]
>>> Linux FreeS/WAN 2.05
>>> Checking for IPsec kernel support: found KLIPS                  [OK]
>>> Checking that pluto is running                                  [OK]
>>> Two or more interfaces found, checking IP forwarding            [OK]
>>> Checking NAT and MASQUERADEing
>>> Opportunistic Encryption DNS checks:
>>> Looking for TXT in forward map: /myname/                        [OK]
>>> Does the machine have at least one non-private address?         [OK]
>>> Looking for TXT in reverse map: xx.yyy.zzz.qqq.in-addr.arpa.    [OK]
>>> Looking for TXT in reverse map: /my.domain.@myname/.in-addr.arpa. [MISSING]
>>>
>>> And on Debian:
>>>
>>> Checking your system to see if IPsec got installed and started
>>> correctly:
>>> Version check and ipsec on-path                                 [OK]
>>> Linux FreeS/WAN 2.05
>>> Checking for IPsec kernel support: found KLIPS                  [OK]
>>> Checking that pluto is running                                  [OK]
>>> Two or more interfaces found, checking IP forwarding            [OK]
>>> Checking NAT and MASQUERADEing
>>>
>>> Opportunistic Encryption DNS checks:
>>> Looking for TXT in forward map: debian                          [MISSING]
>>> Does the machine have at least one non-private address?         [FAILED]
>>>
>>> Should it be OK to work in my case, or not?
>>> Does someone know where I made a mistake? I turned off the firewall and it
>>> doesn't help either.
>>>
>>> Please help.
>>>
>>> Robert
>>>
-- 
=======================================================================
Andreas Steffen                   e-mail: andreas.steffen@strongsec.com
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===

_______________________________________________
FreeS/WAN Users mailing list
users@lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr
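The diagnosis above rests on one fact: exit status 127 is what a POSIX shell returns when a command it was asked to run does not exist, so a "command exited with status 127" from pluto's prepare-client or route-client step means the updown script itself could not find a program it needs, in practice the `ip` binary from iproute2. The script below is an added example for this thread, not code from FreeS/WAN or from either poster: it parses pluto log lines of the form quoted above, maps the shell status to its meaning (127 not found, 126 not executable, anything else a script error), and checks whether `ip` is on PATH on the host it runs on. The log lines are constructed for the example and modelled on the ones quoted in the reply; the function names are the example's own.

```shell
#!/bin/sh
# Added example: triage "command exited with status N" lines that pluto logs
# when its updown script fails. Not part of the original thread or of FreeS/WAN.

# Constructed sample log, modelled on the messages quoted in the reply above.
SAMPLE_LOG='003 "west-east" #2: prepare-client command exited with status 127
003 "west-east" #2: route-client command exited with status 127
004 "west-east" #2: STATE_QUICK_I2: sent QI2, IPsec SA established'

# Read pluto log lines on stdin; print "<verb> <status>" for every updown
# step that exited non-zero, e.g. "prepare-client 127".
updown_failures() {
    sed -n 's/^003 "[^"]*" #[0-9]*: \([a-z-]*\) command exited with status \([0-9]*\)$/\1 \2/p'
}

# Number of failing updown steps in the log passed as $1.
count_updown_failures() {
    printf '%s\n' "$1" | updown_failures | wc -l | tr -d ' '
}

# Return 0 if the iproute2 ip(8) command is on PATH, 1 otherwise.
have_iproute2() {
    command -v ip >/dev/null 2>&1
}

# Turn a shell exit status into what it means for the updown script.
explain_status() {
    case "$1" in
        127) echo "command not found: the updown script could not run a program it needs (usually ip(8) from iproute2) or nexthop is not defined correctly" ;;
        126) echo "found but not executable: check permissions on the updown script and its helpers" ;;
        *)   echo "script error (status $1): the updown script ran but failed; enable plutodebug and read its output" ;;
    esac
}

# Report every failing step from the log in $1, with the meaning of its status
# and, for status 127, whether ip(8) is actually missing on this host.
diagnose_updown() {
    failures=$(printf '%s\n' "$1" | updown_failures)
    if [ -z "$failures" ]; then
        echo "no updown step reported a failure"
        return 0
    fi
    printf '%s\n' "$failures" | while read -r verb status; do
        echo "$verb: $(explain_status "$status")"
        if [ "$status" = 127 ]; then
            if have_iproute2; then
                echo "  ip(8) is present at $(command -v ip); check leftnexthop/rightnexthop instead"
            else
                echo "  ip(8) from iproute2 is not on PATH; install iproute2 or fix the PATH pluto runs with"
            fi
        fi
    done
}

diagnose_updown "$SAMPLE_LOG"
```

Run it against a real log with `diagnose_updown "$(grep 'exited with status' /var/log/messages)"`; the status mapping is generic shell semantics, so it applies to any program that reports its child's exit status, not only to pluto.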
Received on Tue Apr 6 09:36:46 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:02:30 EDT
