Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
User Journal

Journal rosewood's Journal: Need some damn help!

Freeswan 1.97 + SSH Sentinal 1.3.2 - Shared Secret VPN

I have been trying to get freeswan working all week and seem to have failed miserably

I am running Redhat linux 7.3 w/ kernel 2.4.18-3ipsec (from steambaloon)

I installed all the kernel RPMs from steambaloon and am running that kernel

I also installed all the 'userland' rpms from steambaloon which are for freeswan 1.97

IPSec runs sucsessfully at startup or if I /etc/rc.d/init.d/ipsec start.

The connection on the linux box is a cable modem connection with a static IP address assigned via DHCP. The IP address for eth0 is, the subnet mask is, the first hop on the network is, the default gatway is eth1 has an ip addy of, subnet mask, and has DHCPd running assigning IP addresses in range of IP Forwarding does work using iptables. My firescript looks like this: #!/bin/sh


#Time to clean house

#Clear out any existing firewall rules, and any chains that might have #been created $IPTABLES -F $IPTABLES -F INPUT $IPTABLES -F OUTPUT $IPTABLES -F FORWARD $IPTABLES -F -t mangle $IPTABLES -F -t nat $IPTABLES -X

#Setup our policies

#This enables ip forwarding, and thus by extension, NAT
#Turn this on if you're going to be doing NAT or Masquerading echo 1 > /proc/sys/net/ipv4/ip_forward

#Source NAT everything heading out the eth0 (external) interface to be the #given IP. If you have a dynamic ip or a DHCP ip that changes #semi-regularly, comment this and uncomment the second line # #Remember to change the ip address to your static ip # #$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to


#Accept ourselves (loopback interface), 'cause we're all warm and friendly $IPTABLES -A INPUT -i lo -j ACCEPT $IPTABLES -A INPUT -i eth1 -j ACCEPT

The windows box is running ssh sentinal and has a dynamic IP addy assigned via DHCP

I am wanting to use shared secret so I can just get this up and running, once running I plan to switch to certs.

My /etc/ipsec.secrets file:

# In the following, the authentication key to be used between the # FreeS/WAN security gateway ( and the remote # host with SSH Sentinel is not defined. In this case, it is # a pre-shared key (PSK), the actual secret being "justatest". %any: PSK "justatest"

My /etc/ipsec.conf file looks like this:

# basic configuration
config setup
                # THIS SETTING MUST BE CORRECT or almost nothing will work;
                # %defaultroute is okay for most simple cases.
                # Debug-logging controls: "none" for (almost) none, "all" for lots.
                # Use auto= parameters in conn descriptions to control startup actions.
                # Close down old connection when new one using same ID shows up.
conn %default

conn vpn

What should the value of 'leftsubnet' be? What about leftnexthop? I assumed leftnexthop is the first hop on any tracert the left box goes through?

Ive gone through http://www.ssh.com/products/sentinel/SSH-Sentinel-Examples.pdf (namely 1.1)

The only other thing I have done is ipsec auto --add vpn . I have not passed any other commands to ipsec

My netstat -a looks like this while ssh sentinal is trying to connect

[root@dhcp-306-102 etc]# netstat --listening
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:1024 *:* LISTEN
tcp 0 0 localhost.localdom:1025 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost.localdom:smtp *:* LISTEN
udp 0 0 *:1024 *:*
udp 0 0 *:bootps *:*
udp 65216 0 *:bootpc *:*
udp 0 0 *:sunrpc *:*
udp 0 0 wks-65-27-126-19:isakmp *:*
raw 0 0 *:icmp *:* 7
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 1795 /tmp/.font-unix/fs7100
unix 2 [ ACC ] STREAM LISTENING 1724 /dev/gpmctl
unix 2 [ ACC ] STREAM LISTENING 7046 /var/run/pluto.ctl

The error from SSH Sentinal is Cannot open the VPN connection. Confirm your network settings and verify that Policy manager is running.

My local network is eth1 (10.0.0.x) ip forwarding from boxes that have set as their default gateway works. Do I need to do something different so connections from eth0 can talk to eth1?

ONCE when I changed the conf to specified IP addresses, I did ipsec auto --up vpn and I was able to establish a connection but the message I saw on the terminal read that it was expecting the right ip addy I specified, but the client was saying it was My chosen network was "any" in Sentinal, so I added one that had my ip address specs and I havent been able to get back to there since

please help the n00b

I tried the command " /usr/sbin/ipsec auto --up vpn" and then tried to connect with SSH Sentinal 1.3.2 and this is what I got on my console:

104 "vpn" #1: STATE_MAIN_I1: initiate
010 "vpn" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "vpn" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
003 "vpn" #1: ignoring Vendor ID payload
106 "vpn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "vpn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "vpn" #1: we require peer to have ID '', but peer declares ''
010 "vpn" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "vpn" #1: we require peer to have ID '', but peer declares ''
010 "vpn" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "vpn" #1: we require peer to have ID '', but peer declares ''
031 "vpn" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message

I see in SSH Sentinal that my network is set to "any" which is - what should that be set to? When I set it to my IP Info I dont get ANYTHING

This discussion has been archived. No new comments can be posted.

Need some damn help!

Comments Filter:

Perfection is acheived only on the point of collapse. - C. N. Parkinson