rosewood's Journal: Need some damn help!
Freeswan 1.97 + SSH Sentinal 1.3.2 - Shared Secret VPN
I have been trying to get freeswan working all week and seem to have failed miserably
I am running Red Hat Linux 7.3 w/ kernel 2.4.18-3ipsec (from steambaloon)
I installed all the kernel RPMs from steambaloon and am running that kernel
I also installed all the 'userland' rpms from steambaloon which are for freeswan 1.97
IPSec runs successfully at startup or if I
The connection on the linux box is a cable modem connection with a static IP address assigned via DHCP. The IP address for eth0 is 65.27.126.190, the subnet mask is 255.255.255.248, the first hop on the network is 10.34.128.1, the default gateway is 65.27.120.1. eth1 has an ip addy of 10.0.0.1, subnet mask 255.255.255.0, and has DHCPd running assigning IP addresses in range of 10.0.0.100/200. IP Forwarding does work using iptables. My firescript looks like this:

#!/bin/sh
IPTABLES="/sbin/iptables"

#Time to clean house
#Clear out any existing firewall rules, and any chains that might have
#been created
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X

#Setup our policies
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

#This enables ip forwarding, and thus by extension, NAT
#Turn this on if you're going to be doing NAT or Masquerading
echo 1 >

#Source NAT everything heading out the eth0 (external) interface to be the
#given IP. If you have a dynamic ip or a DHCP ip that changes
#semi-regularly, comment this and uncomment the second line
#
#Remember to change the ip address to your static ip
#
#$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#Accept ourselves (loopback interface), 'cause we're all warm and friendly
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i eth1 -j ACCEPT
The windows box is running SSH Sentinel and has a dynamic IP addy assigned via DHCP.
I am wanting to use shared secret so I can just get this up and running; once running I plan to switch to certs.
My
# In the following, the authentication key to be used between the
# FreeS/WAN security gateway (65.27.126.190) and the remote
# host with SSH Sentinel is not defined. In this case, it is
# a pre-shared key (PSK), the actual secret being "justatest".
65.27.126.190 %any: PSK "justatest"
My
# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces="ipsec0=eth0"
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

conn %default
    keyingtries=1
    authby=secret

conn vpn
    type=tunnel
    left=65.27.126.190
    leftnexthop=10.34.128.1
    leftsubnet=10.0.0.1/24
    right=%any
    #rightnexthop=10.34.128.1
    keyexchange=ike
    ikelifetime=240m
    keylife=60m
    pfs=yes
    compress=no
    authby=secret
    auto=add
What should the value of 'leftsubnet' be? What about leftnexthop? I assumed leftnexthop is the first hop on any tracert the left box goes through?
I've gone through http://www.ssh.com/products/sentinel/SSH-Sentinel-Examples.pdf (namely 1.1)
The only other thing I have done is ipsec auto --add vpn . I have not passed any other commands to ipsec
My netstat -a looks like this while SSH Sentinel is trying to connect:
[root@dhcp-306-102 etc]# netstat --listening
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:1024 *:* LISTEN
tcp 0 0 localhost.localdom:1025 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost.localdom:smtp *:* LISTEN
udp 0 0 *:1024 *:*
udp 0 0 *:bootps *:*
udp 65216 0 *:bootpc *:*
udp 0 0 *:sunrpc *:*
udp 0 0 wks-65-27-126-19:isakmp *:*
raw 0 0 *:icmp *:* 7
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 1795
unix 2 [ ACC ] STREAM LISTENING 1724
unix 2 [ ACC ] STREAM LISTENING 7046
The error from SSH Sentinel is "Cannot open the VPN connection. Confirm your network settings and verify that Policy manager is running."
My local network is eth1 (10.0.0.x); ip forwarding from boxes that have 10.0.0.1 set as their default gateway works. Do I need to do something different so connections from eth0 can talk to eth1?
ONCE when I changed the conf to specified IP addresses, I did ipsec auto --up vpn and I was able to establish a connection, but the message I saw on the terminal read that it was expecting the right ip addy I specified, but the client was saying it was 0.0.0.0. My chosen network was "any" 0.0.0.0 in Sentinel, so I added one that had my ip address specs and I haven't been able to get back to there since.
please help the n00b
I tried the command "
104 "vpn" #1: STATE_MAIN_I1: initiate
010 "vpn" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "vpn" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
003 "vpn" #1: ignoring Vendor ID payload
106 "vpn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "vpn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "vpn" #1: we require peer to have ID '65.27.126.155', but peer declares '0.0.0.0'
218 "vpn" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
010 "vpn" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "vpn" #1: we require peer to have ID '65.27.126.155', but peer declares '0.0.0.0'
218 "vpn" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
010 "vpn" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "vpn" #1: we require peer to have ID '65.27.126.155', but peer declares '0.0.0.0'
218 "vpn" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
031 "vpn" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
I see in SSH Sentinel that my network is set to "any" which is 0.0.0.0 - what should that be set to? When I set it to my IP Info I don't get ANYTHING.
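Added example, not part of the journal entry above and not code from the FreeS/WAN project: a small diagnostic that reads an ipsec.conf the way FreeS/WAN does (a non-indented `config`/`conn` line opens a section, only indented `key=value` lines are parameters, `conn %default` supplies defaults), flags a `leftsubnet` that carries host bits, and boils `ipsec auto --up` output down to the IKE state reached and any peer-ID mismatch. The sample config and log lines are constructed from the values shown in the post; the function names are this example's own.

```python
"""Diagnose a FreeS/WAN 1.x pre-shared-key road-warrior setup from its
ipsec.conf and from the output of 'ipsec auto --up'.  Example code for
this journal entry; sample data below is constructed from the post."""
import ipaddress
import re

# Constructed from the post's ipsec.conf, with indentation restored.
SAMPLE_CONF = """\
config setup
    interfaces="ipsec0=eth0"
    uniqueids=yes
conn %default
    keyingtries=1
    authby=secret
conn vpn
    type=tunnel
    left=65.27.126.190
    leftnexthop=10.34.128.1
    leftsubnet=10.0.0.1/24
    right=%any
    pfs=yes
    auto=add
"""

# Constructed from the 'ipsec auto --up vpn' lines quoted in the post.
SAMPLE_LOG = """\
104 "vpn" #1: STATE_MAIN_I1: initiate
010 "vpn" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
106 "vpn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "vpn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "vpn" #1: we require peer to have ID '65.27.126.155', but peer declares '0.0.0.0'
218 "vpn" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
010 "vpn" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
031 "vpn" #1: max number of retransmissions (2) reached STATE_MAIN_I3.
"""


def parse_ipsec_conf(text):
    """Return {'config setup': {...}, 'conn NAME': {...}}.  A line at column 0
    starting with 'config' or 'conn' opens a section; only indented key=value
    lines are parameters, so a flattened file (everything at column 0) parses
    to sections with no parameters at all."""
    sections, current = {}, None
    for raw in text.splitlines():
        body = raw.split('#', 1)[0].rstrip()        # strip comments
        if not body.strip():
            continue
        if not raw[0].isspace():                     # section header
            parts = body.split()
            current = ' '.join(parts[:2]) if parts[0] in ('config', 'conn') else None
            if current:
                sections.setdefault(current, {})
            continue
        if current and '=' in body:
            key, _, value = body.strip().partition('=')
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def effective_conn(sections, name):
    """Apply 'conn %default' underneath the named conn, as FreeS/WAN does."""
    merged = dict(sections.get('conn %default', {}))
    merged.update(sections.get('conn ' + name, {}))
    return merged


def check_subnet(conn):
    """leftsubnet names a network, so any host bits set in it are a mistake."""
    findings = []
    sub = conn.get('leftsubnet')
    if sub:
        net = ipaddress.ip_network(sub, strict=False)
        if ipaddress.ip_interface(sub).ip != net.network_address:
            findings.append('leftsubnet=%s has host bits set; the network is %s' % (sub, net))
    return findings


STATE_RE = re.compile(r'^\d{3} "(?P<conn>[^"]+)" #\d+: (?P<msg>.*)$')
ID_RE = re.compile(r"we require peer to have ID '([^']+)', but peer declares '([^']+)'")


def summarize_pluto(log):
    """Reduce pluto's output to the furthest IKE state reached, the number of
    retransmissions, ISAKMP notifications, and any peer-ID mismatch."""
    s = {'conn': None, 'last_state': None, 'retransmissions': 0,
         'id_mismatch': None, 'notifications': set()}
    for line in log.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        s['conn'], msg = m.group('conn'), m.group('msg')
        state = re.match(r'(STATE_\w+): (.*)', msg)
        if state:
            s['last_state'] = state.group(1)
            if state.group(2).startswith('retransmission'):
                s['retransmissions'] += 1
            elif state.group(2).isupper():           # e.g. INVALID_ID_INFORMATION
                s['notifications'].add(state.group(2))
        mm = ID_RE.search(msg)
        if mm:
            s['id_mismatch'] = (mm.group(1), mm.group(2))
    return s


def diagnose(conf_text, log_text, name='vpn'):
    """Combine config and log findings into plain-language diagnostics."""
    conn = effective_conn(parse_ipsec_conf(conf_text), name)
    findings = check_subnet(conn)
    s = summarize_pluto(log_text)
    if s['id_mismatch']:
        want, got = s['id_mismatch']
        findings.append('phase 1 reached %s: the key exchange completed but the peer '
                        'identified itself as %s while pluto required %s, so the '
                        'peer identity (right=/rightid=) is what does not match'
                        % (s['last_state'], got, want))
    elif s['last_state'] == 'STATE_MAIN_I1' and s['retransmissions']:
        findings.append('no reply to the first IKE message: peer not reachable on UDP 500')
    return findings


if __name__ == '__main__':
    for f in diagnose(SAMPLE_CONF, SAMPLE_LOG):
        print('-', f)
```

Run against the post's own data it reports the host bits in `leftsubnet=10.0.0.1/24` and that the negotiation got as far as the encrypted ID exchange (STATE_MAIN_I3) before failing on `INVALID_ID_INFORMATION`, which separates "peer unreachable" from "peer identity does not match" at a glance.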