VPN from a Red Hat 9 using FreeS/WAN problem

From: administrator (administrator_at_integrated-group.com)
Date: 12/08/03

  • Next message: Joe Giles: "Renice Command"
    To: redhat-list@redhat.com
    Date: Mon, 08 Dec 2003 07:28:52 +0200
    
    

    Hello, I am trying to establish this VPN between a Red Hat 9 Linux server
    that serves NAT for computers on a LAN

    to a

    Cisco 2600

    A complete diagram is provided to show the network topology at
    http://213.131.75.130/vpn.jpg
    Users on network 10.0.0.0 need to use services on servers
    192.168.0.1, 200.... , and 172.....
    So we need to establish a tunnel from the Linux server here, using
    FreeS/WAN, to the Cisco,
    with a static route on our Linux server for these IPs to route traffic for
    the remote servers through the tunnel.

    I hope I am clear on this.

    I have tried to put what I could here.

    Please check my configs and concept, and correct me.
    administrator@integrated-group.com

    [root@apogee root]# uname -a
    Linux apogee.integrated-group.com 2.4.20-20.9 #1 Mon Aug 18 11:45:58 EDT
    2003 i686 i686 i386 GNU/Linux

    [root@apogee root]# rpm -qa | grep freeswan
    freeswan-module-2.04_2.4.20_20.9-0
    freeswan-userland-2.04_2.4.20_20.9-0

    [root@apogee root]# service ipsec start
    ipsec_setup: Starting FreeS/WAN IPsec 2.04...
    ipsec_setup: Using /lib/modules/2.4.20-20.9/kernel/net/ipsec/ipsec.o
    [root@apogee root]# ipsec verify
    Checking your system to see if IPsec got installed and started correctly:
    Version check and ipsec on-path [OK]
    Linux FreeS/WAN 2.04
    Checking for KLIPS support in kernel [OK]
    Checking for RSA private key (/etc/ipsec.secrets) [OK]
    Checking that pluto is running [OK]
    Two or more interfaces found, checking IP forwarding [OK]
    Checking NAT and MASQUERADEing

    Opportunistic Encryption DNS checks:
    Looking for TXT in forward map: apogee.integrated-group.com
    [MISSING]
    Does the machine have at least one non-private address? [OK]
    Looking for TXT in reverse map: 130.75.132.213.in-addr.arpa.
    [MISSING]

    Dec 8 07:07:59 apogee ipsec_setup: Starting FreeS/WAN IPsec 2.04...
    Dec 8 07:07:59 apogee ipsec_setup: Starting FreeS/WAN IPsec 2.04...
    Dec 8 07:08:02 apogee ipsec_setup: Using
    /lib/modules/2.4.20-20.9/kernel/net/ipsec/ipsec.o
    Dec 8 07:08:02 apogee ipsec_setup: Using
    /lib/modules/2.4.20-20.9/kernel/net/ipsec/ipsec.o
    Dec 8 07:08:02 apogee kernel: klips_info:ipsec_init: KLIPS startup,
    FreeS/WAN IPSec version: 2.04
    Dec 8 07:08:02 apogee kernel: klips_info:ipsec_init: KLIPS startup,
    FreeS/WAN IPSec version: 2.04
    Dec 8 07:08:02 apogee kernel: divert: not allocating divert_blk for
    non-ethernet device ipsec0
    Dec 8 07:08:02 apogee kernel: divert: not allocating divert_blk for
    non-ethernet device ipsec1
    Dec 8 07:08:02 apogee kernel: divert: not allocating divert_blk for
    non-ethernet device ipsec2
    Dec 8 07:08:02 apogee kernel: divert: not allocating divert_blk for
    non-ethernet device ipsec3
    Dec 8 07:08:02 apogee ipsec_setup: KLIPS debug `none'
    Dec 8 07:08:02 apogee ipsec_setup: KLIPS debug `none'
    Dec 8 07:08:02 apogee /etc/hotplug/net.agent: invoke ifup ipsec0
    Dec 8 07:08:02 apogee /etc/hotplug/net.agent: invoke ifup ipsec0
    Dec 8 07:08:02 apogee /etc/hotplug/net.agent: invoke ifup ipsec3
    Dec 8 07:08:02 apogee /etc/hotplug/net.agent: invoke ifup ipsec3
    Dec 8 07:08:02 apogee /etc/hotplug/net.agent: invoke ifup ipsec2
    Dec 8 07:08:02 apogee /etc/hotplug/net.agent: invoke ifup ipsec2
    Dec 8 07:08:02 apogee /etc/hotplug/net.agent: invoke ifup ipsec1
    Dec 8 07:08:02 apogee /etc/hotplug/net.agent: invoke ifup ipsec1
    Dec 8 07:08:03 apogee kernel:
    Dec 8 07:08:03 apogee kernel:
    Dec 8 07:08:03 apogee ipsec_setup: KLIPS ipsec0 on eth0
    213.132.75.130/255.255.255.0 broadcast 213.132.75.255
    Dec 8 07:08:03 apogee ipsec_setup: KLIPS ipsec0 on eth0
    213.132.75.130/255.255.255.0 broadcast 213.132.75.255
    Dec 8 07:08:04 apogee ipsec__plutorun: Starting Pluto subsystem...
    Dec 8 07:08:04 apogee ipsec_setup: ...FreeS/WAN IPsec started
    Dec 8 07:08:04 apogee ipsec_setup: ...FreeS/WAN IPsec started
    Dec 8 07:08:04 apogee pluto[3763]: Starting Pluto (FreeS/WAN Version
    2.04 PLUTO_USES_KEYRR)
    Dec 8 07:08:04 apogee pluto[3763]: Using KLIPS IPsec interface code
    Dec 8 07:08:04 apogee pluto[3763]: added connection description
    "packetdefault"
    Dec 8 07:08:04 apogee ipsec__plutorun: ipsec_auto: fatal error in
    "cisco": (/etc/ipsec.conf, line 50) duplicated
    parameter "keyingtries"
    Dec 8 07:08:04 apogee ipsec__plutorun: ipsec_auto: fatal error in
    "cisco": (/etc/ipsec.conf, line 50) duplicated
    parameter "keyingtries"
    Dec 8 07:08:04 apogee ipsec__plutorun: ...could not add conn "cisco"
    Dec 8 07:08:04 apogee ipsec__plutorun: ...could not add conn "cisco"
    Dec 8 07:08:04 apogee pluto[3763]: added connection description "block"
    Dec 8 07:08:04 apogee pluto[3763]: added connection description
    "clear-or-private"
    Dec 8 07:08:04 apogee pluto[3763]: added connection description "clear"
    Dec 8 07:08:04 apogee pluto[3763]: added connection description
    "private-or-clear"
    Dec 8 07:08:05 apogee pluto[3763]: added connection description "private"
    Dec 8 07:08:05 apogee pluto[3763]: listening for IKE messages
    Dec 8 07:08:05 apogee pluto[3763]: adding interface ipsec0/eth0
    213.132.75.130
    Dec 8 07:08:15 apogee pluto[3763]: loading secrets from
    "/etc/ipsec.secrets"
    Dec 8 07:08:15 apogee pluto[3763]: loading group
    "/etc/ipsec.d/policies/private"
    Dec 8 07:08:15 apogee pluto[3763]: loading group
    "/etc/ipsec.d/policies/private-or-clear"
    Dec 8 07:08:15 apogee pluto[3763]: loading group
    "/etc/ipsec.d/policies/clear"
    Dec 8 07:08:15 apogee pluto[3763]: loading group
    "/etc/ipsec.d/policies/clear-or-private"
    Dec 8 07:08:15 apogee pluto[3763]: loading group
    "/etc/ipsec.d/policies/block"
    Dec 8 07:08:15 apogee ipsec__plutorun: 021 no connection named "cisco"
    Dec 8 07:08:15 apogee ipsec__plutorun: 021 no connection named "cisco"
    Dec 8 07:08:15 apogee ipsec__plutorun: ...could not route conn "cisco"
    Dec 8 07:08:15 apogee ipsec__plutorun: ...could not route conn "cisco"
    Dec 8 07:08:16 apogee ipsec__plutorun: 021 no connection named "cisco"
    Dec 8 07:08:16 apogee ipsec__plutorun: 021 no connection named "cisco"
    Dec 8 07:08:16 apogee ipsec__plutorun: ...could not start conn "cisco"
    Dec 8 07:08:16 apogee ipsec__plutorun: ...could not start conn "cisco"
    Dec 8 07:08:36 apogee pluto[3763]: can not use our IP
    (213.132.75.130:TXT) as identity: no TXT RR found for us
    Dec 8 07:08:55 apogee xinetd[2146]: START: pop3 pid=3979
    from=213.132.75.130
    Dec 8 07:08:56 apogee pluto[3763]: can not use our hostname
    (@apogee.integrated-group.com:TXT) as identity: no TXT RR
    found for us

    [root@apogee root]# ipsec barf

    gave nothing at all

    [root@apogee root]# cat /etc/ipsec.conf
    config setup
            # THIS SETTING MUST BE CORRECT or almost nothing will work;
            # %defaultroute is okay for most simple cases.
            interfaces=%defaultroute
            # Debug-logging controls: "none" for (almost) none, "all" for lots.
            klipsdebug=none
            plutodebug=none
            # Use auto= parameters in conn descriptions to control startup actions.
            # Close down old connection when new one using same ID shows up.
            uniqueids=yes

    conn cisco
            type=tunnel
            keyingtries=0
            authby=secret
            # Left security gateway, subnet behind it, next hop toward right.
            left=10.0.0.16
            leftnexthop=213.132.75.130
            leftsubnet=10.0.0.0/24
            # Right security gateway, subnet behind it, next hop toward left.
            right=213.132.64.249
            # rightnexthop=213.132.64.249
            rightsubnet=62.241.134.0/28
            keylife=8h
            auto=start
        # How persistent to be in (re)keying negotiations (0 means very).
            keyingtries=0
            esp=3des-md5-96
            # key lifetime (before automatic rekeying)
            keylife=8h

    [root@apogee root]# pico /etc/ipsec.secrets

    : RSA {
            # RSA 2192 bits apogee.integrated-group.com Sat Dec 6 00:38:26 2003
            # for signatures only, UNSAFE FOR ENCRYPTION
            
    #pubkey=0sAQPgaOVjp4CndkvaBLxh/ScD973FKHbHmI0/BWPiJcm2y/c/RTYPRzp9ZBdrxN16P1KEXGX64Uu28i6LPGk7nbqr1QC9VfSwMLTfLaNtW$
            Modulus:
    0xe068e563a780a7764bda04bc61fd2703f7bdc52876c7988d3f0563e225c9b6cbf73f45360f473a7d64176bc4dd7a3f52845c65fa$
            PublicExponent: 0x03
            # everything after this point is secret
            PrivateExponent:
    0x2566d0e5f1401be90ca4561f65aa312b53f4f631692144178a80e5fb064c4921fe8a8b89028bdf14e603e74b7a3f0a8d$
            Prime1:
    0xf433e0c7fb6f398ff53afdee6cbfce883e5e7c7c9e1470093f686d14ee104675bfb0b10debdc0ec7c50c29ea1ae31a687264c9052$
            Prime2:
    0xeb403bd5c6e5025292faf60929d6a4fb65aefb219b8515ac4503319865b3764b4ba7c2b7d61c5d544dae095ae4dd5c30f40975749$
            Exponent1:
    0xa2cd4085524a265ff8d1fe9ef32a89b0299452fdbeb84ab0d4f048b89eb5844e7fcb20b3f292b4852e081bf16742119af6eddb$
            Exponent2:
    0x9cd57d392f4356e1b751f95b7139c35243c9fcc11258b91d8357766599224edcdd1a81cfe412e8e2de74063c989392cb4d5ba3$
            Coefficient:
    0xe5328ceec18b1a34ad7101fa303dd5fa5b505ea704b1c1981095eeb2ff5bcd539933b83afb39843e37041f8be23196efb5d8$
            }
    # do not change the indenting of that "}"
    213.132.75.130 213.132.64.249: PSK "preshared-key"

    -- 
    redhat-list mailing list
    unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
    https://www.redhat.com/mailman/listinfo/redhat-list
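Editor's note, with an added example that is not part of the post above. The log already names the first fault: pluto refused conn "cisco" because `keyingtries` is set twice in the section (`keylife` is doubled as well), so the conn was never added and every later "no connection named cisco" line follows from that. The second thing a reviewer would check is the pairing between the conn and `ipsec.secrets`: a PSK line is indexed by the two peer addresses, and the posted line is indexed by 213.132.75.130, which is the address KLIPS bound ipsec0 to, while the conn says `left=10.0.0.16`, so pluto would look for a secret indexed by 10.0.0.16 and not find it. The script below is the editor's, not the poster's or the FreeS/WAN project's: it lints a constructed copy of the posted conn for both problems and then lints a corrected version. In the corrected conn, `leftnexthop=%defaultroute` and the placeholder PSK are assumptions, since the ISP router address and the real key are not on the page. Separately, the RSA private key fields and the PSK were mailed to a public list, so they should be treated as disclosed and regenerated before the tunnel goes live.

```shell
#!/bin/sh
# Added example (editor's code, not from the original post): lint an ipsec.conf
# for the two faults visible in the post.
#  1. pluto rejected conn "cisco" because "keyingtries" appears twice in the
#     section ("keylife" is doubled as well); list every such duplicate.
#  2. a PSK in ipsec.secrets is indexed by the two peer addresses, so the
#     conn's left/right must match that index line exactly.
# All inputs are constructed inline so the script runs offline.

# The conn as posted (comments dropped), kept so the linter can catch it.
BROKEN_CONF='config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        uniqueids=yes

conn cisco
        type=tunnel
        keyingtries=0
        authby=secret
        left=10.0.0.16
        leftnexthop=213.132.75.130
        leftsubnet=10.0.0.0/24
        right=213.132.64.249
        rightsubnet=62.241.134.0/28
        keylife=8h
        auto=start
        keyingtries=0
        esp=3des-md5-96
        keylife=8h'

# Corrected conn: each parameter once; left is the public address KLIPS bound
# ipsec0 to (213.132.75.130 in the log) and the address the PSK is indexed by.
# leftnexthop=%defaultroute is an assumption: the ISP router is not on the page.
FIXED_CONF='config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        uniqueids=yes

conn cisco
        type=tunnel
        authby=secret
        left=213.132.75.130
        leftnexthop=%defaultroute
        leftsubnet=10.0.0.0/24
        right=213.132.64.249
        rightsubnet=62.241.134.0/28
        esp=3des-md5-96
        keylife=8h
        keyingtries=0
        auto=start'

# Constructed ipsec.secrets: only the PSK index line from the post, with a
# placeholder key. The RSA block is not used with authby=secret.
SECRETS='213.132.75.130 213.132.64.249: PSK "preshared-key"'

# Print "<section> <parameter>" once for every parameter that occurs more than
# once inside one section (what pluto reports as "duplicated parameter").
# Prints nothing for a clean file.
find_dup_params() {   # $1 = ipsec.conf path
    awk '
        /^[^[:space:]#]/ { section = $0 }          # "conn cisco", "config setup"
        /^[[:space:]]+[A-Za-z]+=/ {
            sub(/^[[:space:]]+/, ""); split($0, kv, "=")
            if (++seen[section, kv[1]] == 2) print section " " kv[1]
        }' "$1"
}

# Print the first value of one parameter inside the named conn.
conn_param() {   # $1 = ipsec.conf path, $2 = conn name, $3 = parameter
    awk -v want="conn $2" -v key="$3" '
        /^[^[:space:]#]/ { in_conn = ($0 == want) }
        in_conn && $1 ~ ("^" key "=") { sub(("^" key "="), "", $1); print $1; exit }
    ' "$1"
}

# Succeed only if the secrets file has a PSK line indexed by exactly the
# conn's left and right addresses; pluto finds no secret otherwise.
psk_indexed_for_conn() {   # $1 = ipsec.conf, $2 = ipsec.secrets, $3 = conn name
    l=$(conn_param "$1" "$3" left); r=$(conn_param "$1" "$3" right)
    pat=$(printf '^%s %s: PSK ' "$l" "$r" | sed 's/\./\\./g')   # dots literal
    grep -q "$pat" "$2"
}

# Write a config to a temp file, print its duplicates, return the PSK check.
lint() {   # $1 = ipsec.conf text
    conf=$(mktemp); sec=$(mktemp)
    printf '%s\n' "$1" > "$conf"; printf '%s\n' "$SECRETS" > "$sec"
    find_dup_params "$conf"
    psk_indexed_for_conn "$conf" "$sec" cisco; rc=$?
    rm -f "$conf" "$sec"
    return $rc
}

lint "$BROKEN_CONF" || echo 'broken conf: no PSK indexed by its left/right'
lint "$FIXED_CONF" && echo 'fixed conf: clean'
```

Run it as `sh lint-ipsec.sh` (any name; the file name is not from the page). On the posted conn it prints `conn cisco keyingtries` and `conn cisco keylife` and then reports the PSK mismatch; on the corrected conn it prints only `fixed conf: clean`. Once the conn loads, `ipsec auto --status` and `ipsec eroute` (both shipped with FreeS/WAN 2.x) show whether the tunnel's route to 62.241.134.0/28 was installed on ipsec0, which is what replaces the hand-added static routes mentioned in the post.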
    
