[Leaplist] ipsec help
Ingo Claro
miclaro at netred.cl
Tue Dec 2 13:58:58 EST 2008
Hello all!
I need some help with an IPsec VPN configuration, or please point me
in a good direction.
I've just learned how to set up an IPsec VPN and got it working with a
client. He can access a web site on our side without problems.
The problem is that it seems that ALL our traffic is going through the
VPN, for example our emails, and they don't have their mail server
configured there, so they don't receive it.
Like I said before, I'm a newbie with the IPsec stuff; I just learned it
in 2 days and managed to get it up. I have read all sorts of
documentation and I don't see where the problem is: in setkey there is
no rule to encrypt all traffic to their IP.
CentOS 5.2
[root at firewall log]# uname -a
Linux firewall.netred.cl 2.6.18-92.1.10.el5 #1 SMP Tue Aug 5 07:41:53
EDT 2008 i686 i686 i386 GNU/Linux
ipsec-tools-0.6.5-9.el5_2.3
using racoon and setkey
racoon configuration:
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log info;
sainfo anonymous
{
        pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm 3des, blowfish 448, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}
remote 199.186.28.228 {
        exchange_mode main;
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
                lifetime time 1440 minutes;
        }
}
#local - remote
sainfo address 10.3.41.2/24 any address 161.131.252.95/24 any {
        lifetime time 3600 seconds;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
-------------------------------------------------------------------------------------
setkey configuration:
#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 10.3.41.2/24 161.131.0.0/16 any -P out ipsec
esp/tunnel/200.27.104.33-199.186.28.228/require;
#spdadd 200.27.104.33/24 199.186.28.228/24 any -P out ipsec
# esp/tunnel/200.27.104.33-199.186.28.228/require;
spdadd 161.131.0.0/16 10.3.41.2/24 any -P in ipsec
esp/tunnel/199.186.28.228-200.27.104.33/require;
spdadd 199.186.28.228/24 200.27.104.33/24 any -P in ipsec
esp/tunnel/199.186.28.228-200.27.104.33/require;
------------------------------------
iptables configuration:
$IPTABLES -A FORWARD -m policy --dir in --pol ipsec --mode tunnel \
    --tunnel-dst 200.27.104.33 --tunnel-src 199.186.28.228 -j LOG \
    --log-prefix "vpnBCI in:"
$IPTABLES -A FORWARD -m policy --dir out --pol ipsec --mode tunnel \
    --tunnel-src 200.27.104.33 --tunnel-dst 199.186.28.228 -j LOG \
    --log-prefix "vpn out:"
$IPTABLES -A FORWARD -m policy --dir in --pol ipsec --mode tunnel \
    --tunnel-dst 200.27.104.33 --tunnel-src 199.186.28.228 -s 161.131.0.0/16 \
    -d 10.3.41.2 --protocol tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -m policy --dir in --pol ipsec --mode tunnel \
    --tunnel-dst 200.27.104.33 --tunnel-src 199.186.28.228 -s 161.131.0.0/16 \
    -d 10.3.41.2 --protocol tcp --dport 443 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -s 161.131.0.0/16 -d 10.3.41.2 -j DNAT \
    --to 200.27.48.250
---------------------------------------------------------
[root at firewall racoon]# setkey -D
199.186.28.228 200.27.104.33
esp mode=tunnel spi=223311691(0x0d4f774b) reqid=0(0x00000000)
E: 3des-cbc 03c28d4d ae24ff2a bd9973ca a1e56ea8 30bbdefb 59b323ec
A: hmac-sha1 efb589d4 2b67e01b d2b026a8 1192cbdf cec2ea5d
seq=0x00000000 replay=4 flags=0x00000000 state=dying
created: Dec 2 14:58:53 2008 current: Dec 2 15:51:26 2008
diff: 3153(s) hard: 3600(s) soft: 2880(s)
last: Dec 2 14:58:54 2008 hard: 0(s) soft: 0(s)
current: 2411(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 36 hard: 0 soft: 0
sadb_seq=1 pid=9368 refcnt=0
200.27.104.33 199.186.28.228
esp mode=tunnel spi=297932617(0x11c21749) reqid=0(0x00000000)
E: 3des-cbc fa40a75a 768c93ac c156049e 11abd653 7b2ae3cd 4f38d52c
A: hmac-sha1 f98de996 3b16d01b bc2e7ca8 44eb1103 f142cf7a
seq=0x00000000 replay=4 flags=0x00000000 state=dying
created: Dec 2 14:58:53 2008 current: Dec 2 15:51:26 2008
diff: 3153(s) hard: 3600(s) soft: 2880(s)
last: Dec 2 14:58:54 2008 hard: 0(s) soft: 0(s)
current: 53728(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 51 hard: 0 soft: 0
sadb_seq=0 pid=9368 refcnt=0
---------------------------------------------------------
[root at firewall ~]# setkey -D -P
161.131.0.0/16[any] 10.3.41.2/24[any] any
in prio def ipsec
esp/tunnel/199.186.28.228-200.27.104.33/require
created: Dec 2 15:53:07 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=880 seq=32 pid=9386
refcnt=1
199.186.28.228/24[any] 200.27.104.33/24[any] any
in prio def ipsec
esp/tunnel/199.186.28.228-200.27.104.33/require
created: Dec 2 15:53:07 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=896 seq=31 pid=9386
refcnt=1
10.3.41.2/24[any] 161.131.0.0/16[any] any
out prio def ipsec
esp/tunnel/200.27.104.33-199.186.28.228/require
created: Dec 2 15:53:07 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=873 seq=30 pid=9386
refcnt=1
161.131.0.0/16[any] 10.3.41.2/24[any] any
fwd prio def ipsec
esp/tunnel/199.186.28.228-200.27.104.33/require
created: Dec 2 15:53:07 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=890 seq=29 pid=9386
refcnt=1
199.186.28.228/24[any] 200.27.104.33/24[any] any
fwd prio def ipsec
esp/tunnel/199.186.28.228-200.27.104.33/require
created: Dec 2 15:53:07 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=906 seq=28 pid=9386
refcnt=1
(per-socket policy)
in none
created: Dec 2 14:58:08 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=859 seq=27 pid=9386
refcnt=1
(per-socket policy)
in none
created: Dec 2 14:58:08 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=843 seq=26 pid=9386
refcnt=1
(per-socket policy)
in none
created: Dec 2 14:58:08 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=827 seq=25 pid=9386
refcnt=1
(per-socket policy)
in none
created: Dec 2 14:58:08 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=811 seq=24 pid=9386
refcnt=1
(per-socket policy)
in none
created: Dec 2 14:58:08 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=795 seq=23 pid=9386
refcnt=1
(per-socket policy)
in none
created: Dec 2 14:58:08 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=779 seq=22 pid=9386
refcnt=1
(per-socket policy)
in none
created: Dec 2 14:58:08 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=763 seq=21 pid=9386
refcnt=1
(per-socket policy)
in none
created: Dec 2 14:58:08 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=747 seq=20 pid=9386
refcnt=1
(per-socket policy)
in none
created: Dec 2 14:58:08 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=731 seq=19 pid=9386
refcnt=1
(per-socket policy)
in none
created: Dec 2 14:58:08 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=715 seq=18 pid=9386
refcnt=1
(per-socket policy)
in none
created: Dec 2 14:58:08 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=699 seq=17 pid=9386
refcnt=1
(per-socket policy)
in none
created: Dec 2 14:58:08 2008 lastused: Dec 2 14:58:53 2008
lifetime: 0(s) validtime: 0(s)
spid=683 seq=16 pid=9386
refcnt=1
(per-socket policy)
in none
created: Dec 2 14:58:08 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=667 seq=15 pid=9386
refcnt=1
(per-socket policy)
in none
created: Dec 2 14:58:08 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=651 seq=14 pid=9386
refcnt=1
(per-socket policy)
out none
created: Dec 2 14:58:08 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=868 seq=13 pid=9386
refcnt=1
(per-socket policy)
out none
created: Dec 2 14:58:08 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=852 seq=12 pid=9386
refcnt=1
(per-socket policy)
out none
created: Dec 2 14:58:08 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=836 seq=11 pid=9386
refcnt=1
(per-socket policy)
out none
created: Dec 2 14:58:08 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=820 seq=10 pid=9386
refcnt=1
(per-socket policy)
out none
created: Dec 2 14:58:08 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=804 seq=9 pid=9386
refcnt=1
(per-socket policy)
out none
created: Dec 2 14:58:08 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=788 seq=8 pid=9386
refcnt=1
(per-socket policy)
out none
created: Dec 2 14:58:08 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=772 seq=7 pid=9386
refcnt=1
(per-socket policy)
out none
created: Dec 2 14:58:08 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=756 seq=6 pid=9386
refcnt=1
(per-socket policy)
out none
created: Dec 2 14:58:08 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=740 seq=5 pid=9386
refcnt=1
(per-socket policy)
out none
created: Dec 2 14:58:08 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=724 seq=4 pid=9386
refcnt=1
(per-socket policy)
out none
created: Dec 2 14:58:08 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=708 seq=3 pid=9386
refcnt=1
(per-socket policy)
out none
created: Dec 2 14:58:08 2008 lastused: Dec 2 14:58:53 2008
lifetime: 0(s) validtime: 0(s)
spid=692 seq=2 pid=9386
refcnt=1
(per-socket policy)
out none
created: Dec 2 14:58:08 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=676 seq=1 pid=9386
refcnt=1
(per-socket policy)
out none
created: Dec 2 14:58:08 2008 lastused:
lifetime: 0(s) validtime: 0(s)
spid=660 seq=0 pid=9386
refcnt=1
------------------------------------------
/var/log/messages:
Dec 2 14:58:53 firewall racoon: INFO: respond new phase 1 negotiation:
200.27.104.33[500]<=>199.186.28.228[500]
Dec 2 14:58:53 firewall racoon: INFO: begin Identity Protection mode.
Dec 2 14:58:53 firewall racoon: INFO: ISAKMP-SA established
200.27.104.33[500]-199.186.28.228[500]
spi:e51d4e9b04ffd9fb:5e3847d9c327cfe3
Dec 2 14:58:53 firewall racoon: INFO: respond new phase 2 negotiation:
200.27.104.33[500]<=>199.186.28.228[500]
Dec 2 14:58:53 firewall racoon: ERROR: wrong state 8.
Dec 2 14:58:53 firewall racoon: ERROR: failed to pre-process packet.
Dec 2 14:58:53 firewall racoon: INFO: IPsec-SA established: ESP/Tunnel
199.186.28.228[0]->200.27.104.33[0] spi=223311691(0xd4f774b)
Dec 2 14:58:53 firewall racoon: INFO: IPsec-SA established: ESP/Tunnel
200.27.104.33[0]->199.186.28.228[0] spi=297932617(0x11c21749)
Here you can see that it logs traffic from 200.27.104.36 (our
mail server) to their IP:
Dec 2 13:35:51 firewall kernel: vpn out:IN=eth1 OUT=eth2
SRC=200.27.104.36 DST=199.186.28.60 LEN=60 TOS=0x00 PREC=0x00 TTL=63
ID=53440 DF PROTO=TCP SPT=46058 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
regards,
Ingo
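An added example, not part of the original post, for checking which setkey SPD entry a given flow would hit. It parses spdadd lines in the syntax used in the setkey file above, normalises each selector the way the kernel does (a prefix with host bits set, such as 10.3.41.2/24, is matched as 10.3.41.0/24), flags tunnel-mode selectors that cover a gateway's own public block rather than the private network behind it, and matches a flow pulled from an iptables LOG line. The policy text and the kernel log line are copied from the post; the "commented-out" policy is the spdadd line that is commented out in the posted file, kept separate so it can be evaluated on its own. The matcher returns the first policy in list order (the posted policies all share the default priority); it is an assumption that this suffices and it does not emulate the kernel's finer ordering rules. Python 3 standard library only.

```python
"""Check setkey(8) spdadd selectors against a flow and lint them.
Added example, not code from the original post: the policy text and the
log line are copied from the post; everything else is assumed."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

ACTIVE_SPD = """\
spdadd 10.3.41.2/24 161.131.0.0/16 any -P out ipsec
       esp/tunnel/200.27.104.33-199.186.28.228/require;
spdadd 161.131.0.0/16 10.3.41.2/24 any -P in ipsec
       esp/tunnel/199.186.28.228-200.27.104.33/require;
spdadd 199.186.28.228/24 200.27.104.33/24 any -P in ipsec
       esp/tunnel/199.186.28.228-200.27.104.33/require;
"""
# The "out" counterpart of the last policy is commented out in the posted file.
COMMENTED_OUT_SPD = """\
spdadd 200.27.104.33/24 199.186.28.228/24 any -P out ipsec
       esp/tunnel/200.27.104.33-199.186.28.228/require;
"""
# Kernel log line from the post (iptables -m policy LOG rule, prefix "vpn out:").
LOG_LINE = ("Dec 2 13:35:51 firewall kernel: vpn out:IN=eth1 OUT=eth2 "
            "SRC=200.27.104.36 DST=199.186.28.60 LEN=60 TOS=0x00 PREC=0x00 TTL=63 "
            "ID=53440 DF PROTO=TCP SPT=46058 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0")

SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out|fwd)"
    r"\s+(?P<action>ipsec|discard|none)"
    r"(?:\s+(?:esp|ah|ipcomp)/(?P<mode>tunnel|transport)/(?P<ends>[^/\s]*)/\w+)?\s*;")
SELECTOR_RE = re.compile(r"^(?P<net>[^\[]+)(?:\[[^\]]*\])?$")  # addr/prefix[port]


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    upper: str
    direction: str
    mode: Optional[str]
    local_gw: Optional[ipaddress.IPv4Address]
    remote_gw: Optional[ipaddress.IPv4Address]
    text: str
    warnings: List[str] = field(default_factory=list)


def _selector(sel: str, warnings: List[str]) -> ipaddress.IPv4Network:
    m = SELECTOR_RE.match(sel)
    net_text = m.group("net") if m else sel
    try:
        return ipaddress.ip_network(net_text, strict=True)
    except ValueError:  # e.g. 10.3.41.2/24: setkey stores it as-is, the kernel matches the prefix
        net = ipaddress.ip_network(net_text, strict=False)
        warnings.append(f"selector {net_text} has host bits set; matched as {net}")
        return net


def parse_spd(text: str) -> List[Policy]:
    policies = []
    for m in SPDADD_RE.finditer(text):
        warnings: List[str] = []
        src = _selector(m.group("src"), warnings)
        dst = _selector(m.group("dst"), warnings)
        local_gw = remote_gw = None
        if m.group("ends"):
            a, b = (ipaddress.ip_address(x) for x in m.group("ends").split("-"))
            # Tunnel endpoints are written local-remote for "out", remote-local for "in"/"fwd".
            local_gw, remote_gw = (a, b) if m.group("dir") == "out" else (b, a)
        p = Policy(src, dst, m.group("upper"), m.group("dir"), m.group("mode"),
                   local_gw, remote_gw, " ".join(m.group(0).split()), warnings)
        # A tunnel selector that contains a gateway's own public address and is wider
        # than /32 pulls every host in that block into the tunnel, not just the VPN peers.
        if p.mode == "tunnel":
            for name, net in (("src", p.src), ("dst", p.dst)):
                for gw in (p.local_gw, p.remote_gw):
                    if gw is not None and gw in net and net.prefixlen < 32:
                        p.warnings.append(f"{name} selector {net} contains tunnel endpoint "
                                          f"{gw}: all {net.num_addresses} addresses in it match")
        policies.append(p)
    return policies


def match_flow(policies: List[Policy], src: str, dst: str, direction: str,
               upper: str = "any") -> Optional[Policy]:
    """First policy in list order whose selectors contain the flow (assumed to be
    enough here: all posted policies share the default priority)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p.direction == direction and p.upper in ("any", upper) and s in p.src and d in p.dst:
            return p
    return None


def flow_from_log(line: str):
    """Pull (src, dst, proto, dport) out of an iptables LOG line."""
    f = dict(re.findall(r"\b(SRC|DST|PROTO|DPT)=(\S+)", line))
    return f["SRC"], f["DST"], f.get("PROTO", "any").lower(), f.get("DPT")


if __name__ == "__main__":
    active, disabled = parse_spd(ACTIVE_SPD), parse_spd(COMMENTED_OUT_SPD)
    for p in active + disabled:
        print(p.text, *("   WARN: " + w for w in p.warnings), sep="\n")
    src, dst, proto, dport = flow_from_log(LOG_LINE)
    for label, pols in (("active", active), ("active + commented-out", active + disabled)):
        hit = match_flow(pols, src, dst, "out", proto)
        print(f"{src}->{dst} {proto}/{dport}, {label} out policies:", hit.text if hit else "no match")
```

Run as a script it prints each policy with its warnings and then, for the SMTP flow from the logged line, whether any active "out" policy selects it and whether the commented-out one would. The warnings are the practical check: the selectors on both sides of a tunnel should name the private networks each gateway protects, and a /24 placed on a gateway's public address is matched as the whole public block.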