  1. #1
    Guest

    Problem with IPSEC VPN - FREESWAN

    I connect via IPsec VPN; the gateways can ping each other (I left that open), but the workstations cannot ping each other, and using iptraf I cannot see any packet arriving through ipsec.

    Details

    2 servers with identical configs

    ###############################################
    Server 1 - Suse 9.0
    - kernel 2.4.21-243-default
    - freeswan-2.04_1.5.3-45
    - ipsec-tools-0.3rc4-17
    - SuSefirewall2
    - ipsec-tools-0.3rc4-17
    - gmp-4.1.2-185


    eth0:200.xxx.xxx.37/24
    eth1:172.16.0.1
    gw: 200.xxx.xxx.1

    ###############################################
    route
    Destination Gateway Genmask Flags Metric Ref Use Iface
    172.16.0.0 1.xxx.xxx.200.d 255.255.255.0 UG 0 0 0 ipsec0
    192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
    200.xxx.xxx.0 * 255.255.255.0 U 0 0 0 eth0
    200.xxx.xxx.0 * 255.255.255.0 U 0 0 0 ipsec0
    default 1.xxx.xxx.200.d 0.0.0.0 UG 0 0 0 eth0
    ###############################################

    ###############################################

    Server 2 - Suse 9.0
    - kernel 2.4.21-243-default
    - freeswan-2.04_1.5.3-45
    - ipsec-tools-0.3rc4-17
    - SuSefirewall2
    - ipsec-tools-0.3rc4-17
    - gmp-4.1.2-185

    eth0: 200.xxx.xxx.41/24
    eth1:192.168.0.11
    gw: 200.xxx.xxx.1

    ###############################################
    route
    172.16.0.0 * 255.255.255.0 U 0 0 0 eth1
    192.168.0.0 1.xxx.xxx.200.d 255.255.255.0 UG 0 0 0 ipsec0
    200.xxx.xxx.0 * 255.255.255.0 U 0 0 0 eth0
    200.xxx.xxx.0 * 255.255.255.0 U 0 0 0 ipsec0
    default 1.xxx.xxx.200.d 0.0.0.0 UG 0 0 0 eth0
    ###############################################


    The servers are in different locations, different neighbourhoods.


    My ipsec.conf is identical on both servers

    ###############################################

    cat /etc/ipsec.conf
    # /etc/ipsec.conf - FreeS/WAN IPsec configuration file

    # basic configuration
    ### Converted to version 2.0 ipsec.conf by freeswan %post
    version 2.0

    config setup
    interfaces="ipsec0=eth0"
    #interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    ### Commented out by freeswan %post
    #plutoload=%search
    #plutostart=%search
    uniqueids=yes
    #nat_traversal=yes

    # defaults for subsequent connection descriptions
    conn %default
    keyingtries=0
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%dnsondemand
    rightrsasigkey=%dnsondemand

    # sample VPN connection
    conn vpn
    # Left security gateway, subnet behind it, next hop toward right.
    left=200.xxx.xxx.87
    leftsubnet=172.16.0.0/24
    leftnexthop=200.xxx.xxx.1
    [email protected]
    leftrsasigkey=KEY GERADA DE 512(servidor a)
    # Right security gateway, subnet behind it, next hop toward left.
    right=200.xxx.xxx.81
    rightsubnet=192.168.0.0/24
    rightnexthop=200.xxx.xxx.1
    [email protected]
    rightrsasigkey=KEY GERADA DE 512(servidor b)
    auto=start


    I have already tried several iptables rules, I have already set forward in SuSEfirewall, anti-spoofing is disabled, forwarding is enabled.

    ipsec verify
    Checking your system to see if IPsec got installed and started correctly:
    Version check and ipsec on-path [OK]
    Linux FreeS/WAN U2.04/K1.98b
    Checking for KLIPS support in kernel [FAILED]
    Checking for RSA private key (/etc/ipsec.secrets) [OK]
    Checking that pluto is running [OK]
    Two or more interfaces found, checking IP forwarding [OK]
    Checking NAT and MASQUERADEing

    Opportunistic Encryption DNS checks:
    Looking for TXT in forward map: gwconsult [MISSING]
    Does the machine have at least one non-private address? [OK]
    Looking for TXT in reverse map: 81.xxx.xxx.200.in-addr.arpa. [MISSING]

    The errors are the same on both sides.


    ipsec_setup: Starting FreeS/WAN IPsec 2.04...
    ipsec_setup: Using /lib/modules/2.4.21-243-default/kernel/net/ipv4/ipsec/ipsec.o
    ipsec_setup: /usr/lib/ipsec/_startklips: line 309: /proc/sys/net/ipsec/inbound_policy_check: No such file or directory


    If you can help me I would be grateful.


    A. Carlos Sender

  2. #2
    rkferreira
    Guest

    Subject: Problem with IPSEC VPN - FREESWAN

    Anti-spoofing has to be disabled... I see you already disabled it... hmm...
    There must be no masquerading of the packets that use the VPN either; you have to check your iptables.

    Regards,

    Rodrigo

  3. #3
    Guest

    Problem with IPSEC VPN - FREESWAN

    Well, I took NAT out of the picture and started seeing the packets arrive, because I get this information in the logs; I am still researching to see if I can find some fix for it.

    If anyone already has one, send it my way.


    Dec 4 12:48:56 gwstacm kernel: ; found spi=0x80e5616e, dst=200.xxx.xxx.87, proto=3/ESP
    Dec 4 12:48:56 gwstacm kernel: ipsec4_rcv: incoming packet failed policy check; dropped
    Dec 4 12:49:01 gwstacm kernel: ; found spi=0x80e5616e, dst=200.xxx.xxx.87, proto=3/ESP
    Dec 4 12:49:01 gwstacm kernel: ipsec4_rcv: incoming packet failed policy check; dropped
    Dec 4 12:49:06 gwstacm kernel: ; found spi=0x80e5616e, dst=200.xxx.xxx.87, proto=3/ESP
    Dec 4 12:49:06 gwstacm kernel: ipsec4_rcv: incoming packet failed policy check; dropped

    Cheers,
    Sender
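An added triage helper, not code from the original post: it parses KLIPS kernel messages of the exact shape quoted above (a "found spi=..." line followed by the "incoming packet failed policy check; dropped" line) and counts the drops per security association, so you can confirm whether every ESP packet for one SPI is being rejected after decapsulation (pointing at a subnet/policy or NAT mismatch on that tunnel) or only some. The log text in the block is constructed from the lines in the post.

```python
import re
from collections import Counter

# Constructed sample, built from the kernel messages quoted in the post (not a real capture).
# The last line has no preceding "found spi=" line, to show how an unpaired drop is handled.
SAMPLE_LOG = """\
Dec 4 12:48:56 gwstacm kernel: ; found spi=0x80e5616e, dst=200.xxx.xxx.87, proto=3/ESP
Dec 4 12:48:56 gwstacm kernel: ipsec4_rcv: incoming packet failed policy check; dropped
Dec 4 12:49:01 gwstacm kernel: ; found spi=0x80e5616e, dst=200.xxx.xxx.87, proto=3/ESP
Dec 4 12:49:01 gwstacm kernel: ipsec4_rcv: incoming packet failed policy check; dropped
Dec 4 12:49:06 gwstacm kernel: ; found spi=0x80e5616e, dst=200.xxx.xxx.87, proto=3/ESP
Dec 4 12:49:06 gwstacm kernel: ipsec4_rcv: incoming packet failed policy check; dropped
Dec 4 12:49:07 gwstacm kernel: ipsec4_rcv: incoming packet failed policy check; dropped
"""

# "found" line: identifies the SA (SPI, tunnel endpoint, protocol) the packet matched.
FOUND_RE = re.compile(r"kernel: ; found spi=(0x[0-9a-f]+), dst=(\S+), proto=(\S+)")
# "dropped" line: the inbound policy check rejected the decapsulated packet.
DROP_RE = re.compile(r"kernel: ipsec4_rcv: incoming packet failed policy check; dropped")


def parse_klips_drops(text):
    """Pair each 'found spi=' line with the drop line that follows it.

    Returns one (spi, dst, proto) tuple per dropped packet. A drop line with
    no preceding 'found' line is recorded with unknown fields rather than lost.
    """
    drops = []
    pending = None
    for line in text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            pending = m.groups()
            continue
        if DROP_RE.search(line):
            drops.append(pending if pending else ("?", "?", "?"))
            pending = None
    return drops


def summarize(drops):
    """Count drops per SA so the operator can see which tunnel is affected."""
    return Counter(drops)


if __name__ == "__main__":
    for (spi, dst, proto), n in summarize(parse_klips_drops(SAMPLE_LOG)).items():
        print(f"{n} dropped packet(s): spi={spi} dst={dst} proto={proto}")
```

Run it against `grep ipsec4_rcv /var/log/messages` output instead of the sample; a steady count for a single SPI with the packets visible again once NAT is removed, as in the post, points at the tunnel's policy rather than at delivery.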

  4. #4
    Guest

    Problem with IPSEC VPN - FREESWAN

    Problem solved, folks: I used the version that ships with the SuSE 9 distribution and it worked perfectly; freeswan 2 on SuSE 9.1 comes with some particularities that only work with the SuSE 9.1 kernel.

    Thanks.

    Sender.