Re: Help! Ipsec-tools/Racoon link through NAT .. "ip route" fails
From: Alexander Clouter (alex_at_digriz.junk-this.org.uk)
Date: 11/28/04
- Next message: Bruce Coryell: "Windows-Linux networking noob"
- Previous message: Fernando Peral: "tcp connections blocked on a suse server (very strange)"
- In reply to: Sundial Services: "Re: Help! Ipsec-tools/Racoon link through NAT .. "ip route" fails"
- Next in thread: Sundial Services: "Re: Help! Ipsec-tools/Racoon link through NAT .. "ip route" fails"
- Reply: Sundial Services: "Re: Help! Ipsec-tools/Racoon link through NAT .. "ip route" fails"
- Reply: Sundial Services: "Re: Help! Ipsec-tools/Racoon link through NAT .. "ip route" fails"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sun, 28 Nov 2004 11:06:19 -0000
On 2004-11-27, Sundial Services <info@sundialservices.com> wrote:
>
> Setkey -DP is interesting:
>
> [snipped]
>
> All zeroes!
>
That's not the interesting bit; the bits which are interesting are the
'in none' and 'out none', which mean you have no ipsec policies configured.
The zeros mean from '0.0.0.0/0' to '0.0.0.0/0', no crypto. It's the default
config.
For me (client to my server) I use (run the file with
'setkey -f /path/to/sa-conf'):
[snip]
#!/usr/sbin/setkey -f
# Flush the SAD and SPD
flush;
spdflush;
## WormNET
spdadd 10.128.10.0/24 10.128.10.0/24 any -P out none;
spdadd 10.128.10.0/24 10.128.10.0/24 any -P in none;
# bitbucket hack
spdadd 10.128.10.1 10.128.0.20 any -P out none;
spdadd 10.128.0.20 10.128.10.1 any -P in none;
# wifi-inskipp - we only do AH as guacmole ain't fast :)
spdadd 10.128.10.1 0.0.0.0/0 any -P out ipsec
ah/tunnel/10.128.10.1-10.128.10.254/require;
# esp/tunnel/10.128.10.1-10.128.10.254/require;
spdadd 0.0.0.0/0 10.128.10.1 any -P in ipsec
ah/tunnel/10.128.10.254-10.128.10.1/require;
# esp/tunnel/10.128.10.254-10.128.10.1/require;
[/snip]
This is the config I use to convert my wireless gateway into a pure ipsec
only gateway. However, as I'm using a good old 50MHz Sun Lunchbox[1] which
caps out at 100kB/s with ESP (with AH it's 300kB/s)[2], I have had to whitelist
our bitbucket, so I get 500kB/s; I do only have an old 11Mbps gateway.
The setup means everything to and from 10.128.10.0/24 is not encrypted;
however (if we ignore the hacks) everything to the internet (from
10.128.10.1, my address, but it must be static) goes through an ipsec tunnel
between 10.128.10.254 and 10.128.10.1. It's important you have a rule for each
direction.
You seem to have none of these policies. As for the routing table, this is
transparent to it. With freeswan you got a virtual interface; with kame (2.6
and racoon) you do not, it simply just does it.
All you can do is really keep an eye on the output of the racoon daemon in
debug mode and have a good read of the IPSec HOWTO[3] as, to be frank, I think
you have missed some rather major points :P
> The "ifup-ipsec" command gave "network is unreachable." A query of the
> "route" command shows no routes whatsoever mentioning the VPN
> address-range...
>
> "ping" of the desired address says:
> "Connect: invalid argument."
>
> "ip route get to <<any VPN address>>" shows a perfectly uninteresting route,
> going out the default gateway.
>
As covered above, IPSec with KAME is transparent to the routing table.
Of course I would blame it on your distro DeadRat being a Debian guy myself
:P
Cheers
Alex
[1] http://eintr.net/systems/sun/sparcclassic/
[2] when it maxes out the DNS server on it no longer responds and this is
why I go for AH. Really I have the attitude "if they do not sniff
the traffic here they will further up" so I use ssh/ssl/etc for
sensitive things, the AH just guarantees only people I give a
certificate to can use my wifi gateway. The advantage of this is I
can have MAC locking/WEP disabled and broadcast the ESSID which makes
for a very easy client setup. Of course this needs reinforcement on
the gateway with firewall rules (hint: the MARK on packets is
maintained over decryption)
[3] http://www.ipsec-howto.org/x247.html
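The two things Alex tells the original poster to look for in 'setkey -DP' output (only the default 'none' policies, so nothing is protected, and an ipsec policy that exists in one direction without its mirror for the other) can be checked mechanically. The Python script below is an added example, not code from the thread or from ipsec-tools; it assumes the dump layout approximates what 'setkey -DP' prints (a selector line, then indented direction/action, protocol rule, spid and refcnt lines), and the three sample dumps are constructed, not captured from a host.

```python
"""Audit an SPD dump for the two problems raised in the thread: no policy
selects ipsec at all (only 'none' entries, so traffic goes in the clear),
and a tunnel policy present in one direction without its mirror image."""
import re
from dataclasses import dataclass

# Constructed sample dumps. Assumption: this layout approximates `setkey -DP`
# output; none of these were captured from a real system.
DEFAULT_ONLY = """\
0.0.0.0/0[any] 0.0.0.0/0[any] any
\tin none
\tspid=1 seq=1 pid=100
\trefcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
\tout none
\tspid=2 seq=0 pid=100
\trefcnt=1
"""
# The 'out' tunnel policy plus the LAN 'none' pair, but no matching 'in' policy.
MISSING_IN = """\
10.128.10.1[any] 0.0.0.0/0[any] any
\tout ipsec
\tah/tunnel/10.128.10.1-10.128.10.254/require
\tspid=1 seq=1 pid=4242
\trefcnt=1
10.128.10.0/24[any] 10.128.10.0/24[any] any
\tout none
\tspid=3 seq=0 pid=4242
\trefcnt=1
10.128.10.0/24[any] 10.128.10.0/24[any] any
\tin none
\tspid=4 seq=0 pid=4242
\trefcnt=1
"""
# The 'in' half; MISSING_IN + IN_POLICY is a symmetric SPD.
IN_POLICY = """\
0.0.0.0/0[any] 10.128.10.1[any] any
\tin ipsec
\tah/tunnel/10.128.10.254-10.128.10.1/require
\tspid=2 seq=0 pid=4242
\trefcnt=1
"""

@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    direction: str   # 'in', 'out' or 'fwd'
    action: str      # 'none', 'ipsec' or 'discard'
    rules: tuple     # e.g. ('ah/tunnel/10.128.10.1-10.128.10.254/require',)

SELECTOR = re.compile(r'^(\S+)\[\S+\] (\S+)\[\S+\] \S+$')
DIRECTION = re.compile(r'^\s+(in|out|fwd) (none|ipsec|discard)$')
RULE = re.compile(r'^\s+(?:ah|esp|ipcomp)/(?:transport|tunnel)/\S*/\S+$')

def _finish(cur):
    return Policy(cur['src'], cur['dst'], cur.get('direction', ''),
                  cur.get('action', ''), tuple(cur['rules']))

def parse_spd(text):
    """Turn a dump into Policy records; spid/refcnt lines are skipped."""
    policies, cur = [], None
    for line in text.splitlines():
        m = SELECTOR.match(line)
        if m:                       # a new policy starts on every selector line
            if cur:
                policies.append(_finish(cur))
            cur = {'src': m.group(1), 'dst': m.group(2), 'rules': []}
            continue
        if cur is None:
            continue
        m = DIRECTION.match(line)
        if m:
            cur['direction'], cur['action'] = m.groups()
        elif RULE.match(line):
            cur['rules'].append(line.strip())
    if cur:
        policies.append(_finish(cur))
    return policies

def mirror_rule(rule):
    """'ah/tunnel/A-B/require' -> 'ah/tunnel/B-A/require'; transport rules unchanged."""
    proto, mode, endpoints, level = rule.split('/')
    if '-' in endpoints:
        a, b = endpoints.split('-')
        endpoints = f'{b}-{a}'
    return '/'.join((proto, mode, endpoints, level))

def audit(policies):
    """Return human-readable findings; an empty list means the SPD passes."""
    findings = []
    if not any(p.action == 'ipsec' for p in policies):
        findings.append('no policy selects ipsec: all traffic is passed in the clear')
    by_key = {(p.src, p.dst, p.direction): p for p in policies}
    for p in policies:
        if p.action != 'ipsec' or p.direction not in ('in', 'out'):
            continue
        want = 'in' if p.direction == 'out' else 'out'
        twin = by_key.get((p.dst, p.src, want))   # reversed selector, other direction
        if twin is None or twin.action != 'ipsec':
            findings.append(f'{p.direction} ipsec {p.src} -> {p.dst} has no matching {want} policy')
        elif {mirror_rule(r) for r in p.rules} != set(twin.rules):
            findings.append(f'{p.direction} ipsec {p.src} -> {p.dst}: the {want} policy '
                            'does not reverse the tunnel endpoints')
    return findings

if __name__ == '__main__':
    for name, dump in (('default-only', DEFAULT_ONLY), ('missing-in', MISSING_IN),
                       ('complete', MISSING_IN + IN_POLICY)):
        print(name, audit(parse_spd(dump)) or ['ok'])
```

Run against a live box with something like 'setkey -DP | python3 spd_audit.py' after replacing the constructed dumps with sys.stdin.read(); the symmetry check deliberately insists that the 'in' policy reverses both the selector and the tunnel endpoints, which is exactly the pair Alex's config carries for 10.128.10.1 and 10.128.10.254.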