User Journal

Journal: Stuff

IPsec is nice to have up and running. I need to do some tweaking but I'm kinda burned out on it and I have a shitload of school work now.

The point though is this. I AM NOT AN IPSEC EXPERT. I downright suck. So, if you want help, hit the mailing lists from www.freeswan.ca -- that site kicks ass btw. They are really nice and answer questions ASAP. The list is a little spammy, so watch out, you Win32 Outlook users.

Now, my current goal is to find a good sendmail configurator. I used to use linuxconf and I just downloaded and installed it in RH 8 and it had the sendmail conf stuff. I just want to be able to send email, damn it, and maybe even get some, eh?

Journal: Need a shell + ssh

Well, those routing issues below fucked me.

I need to ssh into farmers.dynu.com and reboot it,

but I can't ping farmers.dynu.com nor access it.

So, can someone please hook me up with shell access for 2.5 seconds?

Journal: The VPN is working!

W00t! I finally got it working. I am just as amazed as you are!

However, I am still having some weird routing issues.

This part is really strange, I think. Once I establish a VPN with my linux box (fs2fs), I can no longer ping the security gateway, nor can the security gateway ping the box. The same thing goes for the SSH Sentinel FreeS/WAN. Once the VPN is established, I can ping the local addresses but no longer the public. Then, once the VPN is down, I can no longer ping or access, but in both cases I can re-establish the VPN. Once I do that and then restart IPsec on the gateway, I can ping the gateway and access it normally. I honestly don't remember this happening before I was able to connect with SSH Sentinel.

Journal: A little update, but I can still go for some help

Well, others have been able to do freeswan-to-freeswan connections with my VPN. I will try this later -- I have to get my linux box a direct, not NAT'd, connection first. So, it appears that the problem lies with SSH Sentinel.

I have looked and looked but there seem to be no detailed docs on how to do a preshared secret with SSH Sentinel version 1.3. All the 1.2 docs seem to be up to date, but I found a 1.2 installer, installed it, and it wouldn't work!!

So please, slashdot crowd, I need the help!

Journal: I STILL NEED HELP

Well, it's 8 weeks later and I am still having troubles! So PLEASE, if you have any solutions, please post here, since comments have expired on my previous journal entry.

Journal: Need some damn help!

FreeS/WAN 1.97 + SSH Sentinel 1.3.2 - Shared Secret VPN

I have been trying to get FreeS/WAN working all week and seem to have failed miserably.

I am running Red Hat Linux 7.3 w/ kernel 2.4.18-3ipsec (from steamballoon).

I installed all the kernel RPMs from steamballoon and am running that kernel.

I also installed all the 'userland' RPMs from steamballoon, which are for FreeS/WAN 1.97.

IPsec runs successfully at startup or if I /etc/rc.d/init.d/ipsec start.

The connection on the linux box is a cable modem connection with a static IP address assigned via DHCP. The IP address for eth0 is 65.27.126.190, the subnet mask is 255.255.255.248, the first hop on the network is 10.34.128.1, and the default gateway is 65.27.120.1. eth1 has an IP address of 10.0.0.1, subnet mask 255.255.255.0, and has DHCPd running assigning IP addresses in the range 10.0.0.100-200. IP forwarding does work using iptables. My firewall script looks like this:

#!/bin/sh

IPTABLES="/sbin/iptables"

#Time to clean house

#Clear out any existing firewall rules, and any chains that might have
#been created
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X

#Setup our policies
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

#This enables ip forwarding, and thus by extension, NAT
#Turn this on if you're going to be doing NAT or Masquerading
echo 1 > /proc/sys/net/ipv4/ip_forward

#Source NAT everything heading out the eth0 (external) interface to be the
#given IP. If you have a dynamic ip or a DHCP ip that changes
#semi-regularly, comment this and uncomment the second line
#
#Remember to change the ip address to your static ip
#
#$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4

$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#Accept ourselves (loopback interface), 'cause we're all warm and friendly
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i eth1 -j ACCEPT

The Windows box is running SSH Sentinel and has a dynamic IP address assigned via DHCP.

I want to use a shared secret so I can just get this up and running; once it's running I plan to switch to certs.

My /etc/ipsec.secrets file:

# In the following, the authentication key to be used between the
# FreeS/WAN security gateway (65.27.126.190) and the remote
# host with SSH Sentinel is not defined. In this case, it is
# a pre-shared key (PSK), the actual secret being "justatest".
65.27.126.190 %any: PSK "justatest"

My /etc/ipsec.conf file looks like this:

# basic configuration
config setup
                # THIS SETTING MUST BE CORRECT or almost nothing will work;
                # %defaultroute is okay for most simple cases.
                interfaces="ipsec0=eth0"
                # Debug-logging controls: "none" for (almost) none, "all" for lots.
                klipsdebug=none
                plutodebug=none
                # Use auto= parameters in conn descriptions to control startup actions.
                plutoload=%search
                plutostart=%search
                # Close down old connection when new one using same ID shows up.
                uniqueids=yes
conn %default
                keyingtries=1
                authby=secret

conn vpn
                type=tunnel
                left=65.27.126.190
                leftnexthop=10.34.128.1
                leftsubnet=10.0.0.1/24
                right=%any
                #rightnexthop=10.34.128.1
                keyexchange=ike
                ikelifetime=240m
                keylife=60m
                pfs=yes
                compress=no
                authby=secret
                auto=add

What should the value of 'leftsubnet' be? What about leftnexthop? I assumed leftnexthop is the first hop on any tracert the left box goes through?

I've gone through http://www.ssh.com/products/sentinel/SSH-Sentinel-Examples.pdf (namely 1.1).

The only other thing I have done is ipsec auto --add vpn. I have not passed any other commands to ipsec.

My netstat -a looks like this while SSH Sentinel is trying to connect:

[root@dhcp-306-102 etc]# netstat --listening
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:1024 *:* LISTEN
tcp 0 0 localhost.localdom:1025 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost.localdom:smtp *:* LISTEN
udp 0 0 *:1024 *:*
udp 0 0 *:bootps *:*
udp 65216 0 *:bootpc *:*
udp 0 0 *:sunrpc *:*
udp 0 0 wks-65-27-126-19:isakmp *:*
raw 0 0 *:icmp *:* 7
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 1795 /tmp/.font-unix/fs7100
unix 2 [ ACC ] STREAM LISTENING 1724 /dev/gpmctl
unix 2 [ ACC ] STREAM LISTENING 7046 /var/run/pluto.ctl

The error from SSH Sentinel is: Cannot open the VPN connection. Confirm your network settings and verify that Policy manager is running.

My local network is eth1 (10.0.0.x); IP forwarding from boxes that have 10.0.0.1 set as their default gateway works. Do I need to do something different so connections from eth0 can talk to eth1?

ONCE, when I changed the conf to specific IP addresses, I did ipsec auto --up vpn and I was able to establish a connection, but the message I saw on the terminal read that it was expecting the right IP address I specified, but the client was saying it was 0.0.0.0. My chosen network was "any" 0.0.0.0 in Sentinel, so I added one that had my IP address specs and I haven't been able to get back to there since.

Please help the n00b.

I tried the command "/usr/sbin/ipsec auto --up vpn" and then tried to connect with SSH Sentinel 1.3.2, and this is what I got on my console:

104 "vpn" #1: STATE_MAIN_I1: initiate
010 "vpn" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "vpn" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
003 "vpn" #1: ignoring Vendor ID payload
106 "vpn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "vpn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "vpn" #1: we require peer to have ID '65.27.126.155', but peer declares '0.0.0.0'
218 "vpn" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
010 "vpn" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "vpn" #1: we require peer to have ID '65.27.126.155', but peer declares '0.0.0.0'
218 "vpn" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
010 "vpn" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "vpn" #1: we require peer to have ID '65.27.126.155', but peer declares '0.0.0.0'
218 "vpn" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
031 "vpn" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message

I see in SSH Sentinel that my network is set to "any", which is 0.0.0.0 - what should that be set to? When I set it to my IP info I don't get ANYTHING.

Journal: Sleeping Troubles

Ugh! All I wanna do is sleep. I went to "sleep" around 2am, and now it's 8:00am and I have been up for two hours. I have a grand total of 4 hours of sleep. YEY. Wtf is wrong with me? Right now I'm dead tired but my skin is itchy, I feel too hot in my bed (with a multitude of fans), my balls itch, it's too bright, etc. and I just CAN NOT FALL ASLEEP! GRRRRR - what sucks is as soon as I shower, eat, get dressed and get in my car, I'm gonna fucking collapse from lack of sleep. It drives me NUTS.

Journal: The Sopranos - TV Influence

Well, I am halfway through watching season 3. So far this is a really great show but I have yet to see seasons 1-2. If anyone has a good rip of those, I would appreciate it. Anyway, my point.

Does watching TV shows like this influence anyone else out there? I notice that after I watch a long movie or a few Sopranos episodes, I start talking like I am a fucking gangsta. All of a sudden I have an accent and a good Irish boy turns Italian.

This happens with a lot of movies and shit. It drives me crazy. Tell me your stories.
