<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi,<br>
<br>
I'm stumped by the kernel 2.6 changes to openswan use.<br>
<br>
On the server end, I have a Fedora Core 4 (FC4) Linux server with
openswan 2.4 installed. Eth0 is on the Internet, Eth1 is private. I
can ping eth0 from the outside; I can ping eth1 from the inside. IP
forwarding is enabled.<br>
<br>
VPN Server:<br>
Eth0 x.y.z.58/27, gw x.y.z.33 (External, public)<br>
Eth1 172.20.7.145/21<br>
<br>
The 172.20.0.0 LAN has its default route as 172.20.0.1. Name servers
are internal at 172.20.7.194 and 172.20.7.194. They resolve against an
internal domain and then recurse anything not found in the internal
domain.<br>
<br>
ipsec verify looks good:<br>
<tt>[root@vpn ~]# ipsec verify<br>
Checking your system to see if IPsec got installed and started correctly:<br>
Version check and ipsec on-path [OK]<br>
Linux Openswan U2.4.0/K2.6.12-1.1447_FC4 (netkey)<br>
Checking for IPsec support in kernel [OK]<br>
Checking for RSA private key (/etc/ipsec.secrets) [OK]<br>
Checking that pluto is running [OK]<br>
Two or more interfaces found, checking IP forwarding [OK]<br>
Checking NAT and MASQUERADEing <br>
Checking for 'ip' command [OK]<br>
Checking for 'iptables' command [OK]<br>
Checking for 'curl' command for CRL fetching [OK]<br>
Checking for 'setkey' command for NETKEY IPsec stack support [OK]<br>
Opportunistic Encryption Support [DISABLED]<br>
[root@vpn ~]# </tt><br>
<br>
On the client end, I have Windows 2000 and the Greenbow VPN client.
The Win2K workstation is behind a Linux firewall providing NAT via
Shorewall firewall. I have a self-signed CA built and certificates
properly generated and signed.<br>
<br>
Client side:<br>
Win2K: 192.168.0.62/24 (DHCP), gw 192.168.0.1, name servers are
Adelphia's.<br>
Linux-Shorewall firewall:<br>
Eth1: 192.168.0.1<br>
Eth0: Dynamic, Adelphia, currently 70.33.197.36<br>
<br>
I have openswan and greenbow correctly configured in that I have a
successful tunnel. Below is my ipsec.conf.<br>
<br>
<tt>version 2.0 # conforms to second version of ipsec.conf specification<br>
<br>
# basic configuration<br>
config setup<br>
# plutodebug / klipsdebug = "all", "none" or a combination from below:<br>
# "raw crypt parsing emitting control klips pfkey natt x509 private"<br>
# eg:<br>
# plutodebug="control parsing"<br>
#<br>
# Only enable klipsdebug=all if you are a developer<br>
#<br>
# NAT-TRAVERSAL support, see README.NAT-Traversal<br>
# nat_traversal=yes<br>
# virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12<br>
# Debug-logging controls: "none" for (almost) none, "all" for lots.<br>
interfaces=%defaultroute<br>
nat_traversal=yes<br>
# crlcheckinterval=600<br>
# strictcrlpolicy=yes<br>
# klipsdebug=all<br>
klipsdebug=none<br>
# plutodebug="control parse"<br>
plutodebug=none<br>
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16<br>
<br>
conn %default<br>
leftrsasigkey=%cert<br>
rightrsasigkey=%cert<br>
# Left security gateway, subnet behind it, next hop toward right.<br>
rekey=no<br>
keyingtries=1<br>
compress=yes<br>
disablearrivalcheck=no<br>
left=%defaultroute<br>
authby=rsasig<br>
<br>
#Disable Opportunistic Encryption<br>
include /etc/ipsec.d/examples/no_oe.conf<br>
<br>
# left = local (vpn)<br>
# right = remote (DGE Win2K Box, dynamic)<br>
conn dgevpn-net<br>
leftsubnet=172.20.0.0/21<br>
also=dgevpn<br>
<br>
conn dgevpn<br>
# VPN connection from Darren's Win2K machine<br>
rekey=yes<br>
keyingtries=1<br>
authby=rsasig<br>
leftrsasigkey=%cert<br>
left=%defaultroute<br>
rightrsasigkey=%cert<br>
rightsubnet=vhost:%no,%priv<br>
leftcert=vpn.pem<br>
rightcert=dgecert.pem<br>
right=%any<br>
pfs=yes<br>
auto=add</tt><br>
<br>
There is a server on the 172.20.0.0/21 LAN, 172.200.7.193 that I am
trying to access. I am unable to ping it. I found that I had an
asymmetric routing problem as the VPN server is not the default
gateway. So, I added a route to the default gateway to forward all
traffic destined for the 192.168.0.0/24 LAN back to the VPN server.<br>
<br>
Ethereal reports pings reaching 172.20.7.193 from 192.168.0.62 and
172.20.7.193 replies to 192.168.0.62. The replies are routed to
172.20.0.1, which forwards them to 172.20.7.145 via a simple static
route.<br>
<br>
Clearly, I misunderstand something or have misconfigured something as I
am not able to get traffic to flow properly over the established
tunnel. I have googled for help, as well as reviewed the openswan 2.4
docs. Unfortunately, I am using 2.6.11 or newer kernels, and there
seems to be very little documentation on the "new" way of doing things.
I have successfully used openswan 2.3.1 with 2.4 kernels, but they had
ipsec0 interfaces to work with.<br>
<br>
My questions are as follows:<br>
1. What other information do I need to provide to the list? This is a
fairly complex configuration, at least for me, though it's real-world
common, and I'm sure I omitted a detail or three.<br>
2. Do I need to be using racoon or KLIPS? I think I should be using
KLIPS and am doing so at the moment.<br>
<blockquote><tt>[root@vpn ~]# rpm -qa | grep openswan<br>
openswan-2.4.0-1<br>
openswan-klips-2.4.0-2.6.12_1.1447_FC4_1<br>
openswan-doc-2.4.0-1<br>
[root@vpn ~]# </tt><br>
</blockquote>
<br>
3. Is there a HOWTO doc somewhere that details the steps and
requirements?<br>
<br>
Thanks.<br>
<br>
Darren<br>
<br>
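Added example, not from Darren's post or from openswan itself: a small Python parser that resolves a conn's effective settings through <tt>conn %default</tt> and <tt>also=</tt> (the precedence order used is an assumption) and checks whether a client LAN would be admitted by <tt>rightsubnet=vhost:%no,%priv</tt>, i.e. whether it lies inside <tt>virtual_private</tt> and outside any <tt>%v4:!</tt> exclusion. The config text is constructed from the post above.<br>

```python
import ipaddress

# Constructed from the post's ipsec.conf (indentation restored); not the file itself.
SAMPLE_CONF = """\
config setup
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
conn %default
    authby=rsasig
conn dgevpn-net
    leftsubnet=172.20.0.0/21
    also=dgevpn
conn dgevpn
    right=%any
    rightsubnet=vhost:%no,%priv
"""

def parse_ipsec_conf(text):
    """Return {'config': {...}, 'conn': {name: {key: value}}} from ipsec.conf text."""
    sections, current = {"config": {}, "conn": {}}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments; skip blank lines
        parts = line.split()
        if len(parts) == 2 and parts[0] in sections:  # "config setup" / "conn NAME"
            current = sections[parts[0]].setdefault(parts[1], {})
        elif line and current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def effective_conn(sections, name):
    # Precedence assumed here: conn %default < also= targets < the conn's own keys.
    own = sections["conn"][name]
    merged = dict(sections["conn"].get("%default", {}))
    for target in filter(None, own.get("also", "").split(",")):
        merged.update(effective_conn(sections, target.strip()))
    merged.update((k, v) for k, v in own.items() if k != "also")
    return merged

def client_lan_allowed(sections, conn_name, client_lan):
    """rightsubnet=vhost:%no,%priv admits only a LAN inside virtual_private."""
    conn = effective_conn(sections, conn_name)
    if "%priv" not in conn.get("rightsubnet", ""):
        return False
    lan = ipaddress.ip_network(client_lan)
    vp = [i.strip() for i in sections["config"]["setup"].get("virtual_private", "").split(",")]
    allowed = any(lan.subnet_of(ipaddress.ip_network(i[4:]))
                  for i in vp if i.startswith("%v4:") and not i.startswith("%v4:!"))
    excluded = any(lan.overlaps(ipaddress.ip_network(i[5:]))  # %v4:! entries
                   for i in vp if i.startswith("%v4:!"))
    return allowed and not excluded
```

Run against the post's 192.168.0.0/24 client LAN the check passes, so the virtual_private/rightsubnet pairing is not what blocks the traffic; a LAN outside those ranges, or one listed as a %v4:! exclusion, is rejected.<br>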
</body>
</html>