IPSec / FreeSWAN (linux) - Question 'bout VPN
- To: <misc@openbsd.org>
- Subject: IPSec / FreeSWAN (linux) - Question 'bout VPN
- From: Martín Marconcini <martin@marconcini.com.ar>
- Date: Tue, 3 Feb 2004 13:03:33 +0100
- Thread-Index: AcPqTb8KBtJ54r//RWOYndGmrIZ5jw==
Hello everybody,
I've got four Linux boxes which connect via FreeS/WAN to another Linux box.
The VPN scheme is something like this:
LAN 1 192.168.1.x/24 -> LINUX01-xDSL -> TUNNEL ->
LAN 2 192.168.2.x/24 -> LINUX02-xDSL -> TUNNEL ->
LAN 3 192.168.3.x/24 -> LINUX03-xDSL -> TUNNEL ->
LAN n...
All the TUNNEL -> points to the SAME Linux box. Due to the 80-column limit,
I will draw the rest below.
TUNNEL -> STATIC_IP -> LINUX -> 192.168.0.0/16
Every box then connects, from its dynamic IP, to the static IP box
(which has 192.168.0.0/16). This box then re-routes traffic to the correct
gw/net.
Everything works, except for a bug/limitation in FreeS/WAN that keeps you
from being able to ping from LINUXn to LINUXn. (Gateways do not see each
other.) This is documented and outside the scope of this message.
All the boxes create the IPSec tunnel using RSA. When a new box (gw) is
added to the company, we create the preshared keys and all the stuff.
Now the nice part. Two OpenBSD boxes are ready to be plugged into this
scenario, but after all of us (me, the STATIC_IP Linux box admin, and the
other OpenBSD admin) spent days/hours trying to make it work, I've decided
to look for advice since we're horribly failing.
I've searched on every possible search engine, yet every single document,
reference, etc. is either outdated or has a completely different scenario.
I've noticed the OpenBSD FAQ about IPsec has been removed, but I've got a copy. Yet
it's not helping us either.
We're trying to do it from the basics... Preshared Secret, i.e.: Password.
I'm not pasting all the config files because:
A) half of 'em are Linux-based (the STATIC_IP guy) and I don't know if
someone would like to read those.
B) I wouldn't mind doing this on my own if someone's so kind to point me in
the right direction (ie: man/faq/help/advice/etc)
C) I have tried dozens of different ipsec.conf/policy/etc... Copied and
pasted (then reviewed) from dozens of FAQs/documents/HOWTOs. So I wouldn't
know which one to paste.
Yes, I've read man vpn/ipsec on the openbsd box. And I know you'd love to
see the logfile, but it's really long, and since a lot has been tried, I
really don't know what to say.
If what I am trying to accomplish is possible, then I'll recreate all
configs, try, and then paste everything for advice. But first I'd love to see
if what I'm trying to do is not possible.
All the configs will be changed in the future to x509 certs (god help us
there, but that's scheduled for July!), as soon as the Linux boxes receive a
new kernel with Super FreeS/WAN, but in the meantime I have to make this
work. We're not IPsec experts, but we did make the Linux part work (it works
fine, I can ping all the other networks from here!). One thing I did was
plug in a Linux box instead of the OpenBSD box, to see if the xDSL router was
blocking VPN traffic or something. It was not; the Linux box with the
FreeS/WAN config worked fine.
The IPs from the example above are 'real'. We're using the class C
192.168.x.x/24 on every 'client'.
Thank you very much for your time and sorry for the long post.
Regards,
Martín Marconcini