I connect via an IPsec VPN; the gateways ping each other (I left that open), but the workstations do not ping each other, and using iptraf I cannot see any packet arriving through ipsec.
Details:
2 servers with identical configs
###############################################
Server 1 - SuSE 9.0
- kernel 2.4.21-243-default
- freeswan-2.04_1.5.3-45
- ipsec-tools-0.3rc4-17
- SuSefirewall2
- ipsec-tools-0.3rc4-17
- gmp-4.1.2-185
eth0:200.xxx.xxx.37/24
eth1:172.16.0.1
gw: 200.xxx.xxx.1
###############################################
route
Destination Gateway Genmask Flags Metric Ref Use Iface
172.16.0.0 1.xxx.xxx.200.d 255.255.255.0 UG 0 0 0 ipsec0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
200.xxx.xxx.0 * 255.255.255.0 U 0 0 0 eth0
200.xxx.xxx.0 * 255.255.255.0 U 0 0 0 ipsec0
default 1.xxx.xxx.200.d 0.0.0.0 UG 0 0 0 eth0
###############################################
###############################################
Server 2 - SuSE 9.0
- kernel 2.4.21-243-default
- freeswan-2.04_1.5.3-45
- ipsec-tools-0.3rc4-17
- SuSefirewall2
- ipsec-tools-0.3rc4-17
- gmp-4.1.2-185
eth0: 200.xxx.xxx.41/24
eth1:192.168.0.11
gw: 200.xxx.xxx.1
###############################################
route
172.16.0.0 * 255.255.255.0 U 0 0 0 eth1
192.168.0.0 1.xxx.xxx.200.d 255.255.255.0 UG 0 0 0 ipsec0
200.xxx.xxx.0 * 255.255.255.0 U 0 0 0 eth0
200.xxx.xxx.0 * 255.255.255.0 U 0 0 0 ipsec0
default 1.xxx.xxx.200.d 0.0.0.0 UG 0 0 0 eth0
###############################################
The servers are in different locations, in different neighbourhoods.
My ipsec.conf is identical on both servers.
###############################################
cat /etc/ipsec.conf
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# basic configuration
### Converted to version 2.0 ipsec.conf by freeswan %post
version 2.0
config setup
interfaces="ipsec0=eth0"
#interfaces=%defaultroute
klipsdebug=none
plutodebug=none
### Commented out by freeswan %post
#plutoload=%search
#plutostart=%search
uniqueids=yes
#nat_traversal=yes
# defaults for subsequent connection descriptions
conn %default
keyingtries=0
disablearrivalcheck=no
authby=rsasig
leftrsasigkey=%dnsondemand
rightrsasigkey=%dnsondemand
# sample VPN connection
conn vpn
# Left security gateway, subnet behind it, next hop toward right.
left=200.xxx.xxx.87
leftsubnet=172.16.0.0/24
leftnexthop=200.xxx.xxx.1
[email protected]
leftrsasigkey=KEY GERADA DE 512(servidor a)
# Right security gateway, subnet behind it, next hop toward left.
right=200.xxx.xxx.81
rightsubnet=192.168.0.0/24
rightnexthop=200.xxx.xxx.1
[email protected]
rightrsasigkey=KEY GERADA DE 512(servidor b)
auto=start
I have already tried several iptables rules, I have already set forwarding in SuSEfirewall, anti-spoofing is disabled, and forwarding is active.
ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux FreeS/WAN U2.04/K1.98b
Checking for KLIPS support in kernel [FAILED]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Opportunistic Encryption DNS checks:
Looking for TXT in forward map: gwconsult [MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse map: 81.xxx.xxx.200.in-addr.arpa. [MISSING]
The errors are the same on both sides.
ipsec_setup: Starting FreeS/WAN IPsec 2.04...
ipsec_setup: Using /lib/modules/2.4.21-243-default/kernel/net/ipv4/ipsec/ipsec.o
ipsec_setup: /usr/lib/ipsec/_startklips: line 309: /proc/sys/net/ipsec/inbound_policy_check: No such file or directory
If you can help me, I would appreciate it.
A. Carlos Sender
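Added example, not part of the post above and not FreeS/WAN's own tooling: a small pre-flight check for a FreeS/WAN 2.x/KLIPS gateway of the kind described in the post. It tests for the kernel-side pieces that `ipsec verify` and `/usr/lib/ipsec/_startklips` depend on: the KLIPS module registers `/proc/net/ipsec_version` and the `/proc/sys/net/ipsec/` tree (the post's "inbound_policy_check: No such file or directory" error is that tree being absent, which matches the "[FAILED]" KLIPS line of `ipsec verify`), and IP forwarding must be on before hosts behind the gateway can reach each other. The `ROOT` prefix argument and the constructed fake `/proc` tree are assumptions made so the check can be run offline; on a real gateway call `klips_ready ""`.

```sh
#!/bin/sh
# Added example: readiness check for a FreeS/WAN 2.x gateway using KLIPS.
# Paths checked: /proc/net/ipsec_version (created by the KLIPS module),
# /proc/sys/net/ipsec/inbound_policy_check (the file _startklips failed to
# write in the post), /proc/sys/net/ipv4/ip_forward (must read 1).
# ROOT is an assumed prefix so the same function can run against a
# constructed directory tree; use "" on a live system.

# klips_ready ROOT  -> exit 0 if every check passes, 1 otherwise
klips_ready() {
    root="$1"
    status=0

    if [ -r "$root/proc/net/ipsec_version" ]; then
        echo "KLIPS module loaded: $(cat "$root/proc/net/ipsec_version") [OK]"
    else
        echo "KLIPS module loaded (/proc/net/ipsec_version) [FAILED]"
        status=1
    fi

    if [ -e "$root/proc/sys/net/ipsec/inbound_policy_check" ]; then
        echo "KLIPS sysctl tree (/proc/sys/net/ipsec) [OK]"
    else
        echo "KLIPS sysctl tree (/proc/sys/net/ipsec) [FAILED]"
        status=1
    fi

    fwd="$root/proc/sys/net/ipv4/ip_forward"
    if [ -r "$fwd" ] && [ "$(cat "$fwd")" = "1" ]; then
        echo "IP forwarding enabled [OK]"
    else
        echo "IP forwarding enabled [FAILED]"
        status=1
    fi

    return $status
}

# verify_failures FILE -> print the non-passing lines of a saved
# `ipsec verify` transcript; exit 0 when nothing failed, 1 otherwise
verify_failures() {
    grep -E '\[(FAILED|MISSING)\]' "$1" && return 1
    return 0
}

# Constructed sample tree mirroring the post's gateway: forwarding on,
# but no KLIPS in the kernel.
build_fake_root() {
    mkdir -p "$1/proc/net" "$1/proc/sys/net/ipv4"
    echo 1 > "$1/proc/sys/net/ipv4/ip_forward"
}

# The same tree after the ipsec.o module has registered its /proc entries.
load_fake_klips() {
    mkdir -p "$1/proc/sys/net/ipsec"
    echo "FreeS/WAN 2.04" > "$1/proc/net/ipsec_version"
    echo 1 > "$1/proc/sys/net/ipsec/inbound_policy_check"
}

# Stand-alone run: "demo" (default) walks the constructed tree through both
# states; "live" checks the real system.
case "${1:-demo}" in
    live)
        klips_ready ""
        ;;
    demo)
        tmp=$(mktemp -d)
        build_fake_root "$tmp"
        echo "--- before loading KLIPS"
        klips_ready "$tmp"; echo "exit=$?"
        load_fake_klips "$tmp"
        echo "--- after loading KLIPS"
        klips_ready "$tmp"; echo "exit=$?"
        rm -rf "$tmp"
        ;;
esac
```

The first state reproduces what the post shows: forwarding is fine, but with no KLIPS in the kernel nothing will ever be encrypted or decrypted on ipsec0, so iptraf on that interface stays empty no matter how the routes or SuSEfirewall2 are set. When the KLIPS checks pass but traffic still does not flow, watching eth0 for ESP (IP protocol 50) and ISAKMP (UDP 500) with tcpdump shows whether the tunnel is being negotiated and carrying packets at all, which is more informative than watching ipsec0 alone.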