Hello list: I have tried to implement FreeS/WAN to protect my network, but I ran into some problems.
My network diagram is as follows:

▲Diagram:

## INTERNET ##===== eth1[Home] eth0===============eth0[MIS]eth1===========[Windows2000 road-warrior Clients]
             204.204.10.2  192.168.3.33   192.168.3.254  192.168.10.254   (Dynamic IP: 192.168.10.X)
                                                                           e.g. 192.168.10.223

▲Description:

[Home]
  OS             : Debian Woody
  FreeS/WAN      : 1.96v
  Authentication : X.509
  eth0           : 192.168.3.33
  eth1           : 204.204.10.2 (Public IP)

[MIS]
  OS             : Debian Woody
  FreeS/WAN      : 1.96v
  Authentication : X.509
  eth0           : 192.168.3.254
  eth1           : 192.168.10.254

[Windows2000 road-warrior Clients]
  All client OSes are Windows 2000 SP3, using dynamic IPs.
  My testing machine's IP is '192.168.10.223'.

▲Configuration:

‧ All Windows2000 clients' default gateway is 192.168.10.254.
‧ All Windows2000 clients have already established an IPsec tunnel to [MIS].
‧ There is already an IPsec tunnel between [MIS] and [Home].

################################
### [MIS] /etc/ipsec.conf as follows: #
################################

config setup
    interfaces="ipsec0=eth0 ipsec1=eth1"
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

#---- LAN ----#
conn roadwarrior
    also=roadwarrior-net

conn roadwarrior-net
    right=%any
    left=192.168.10.235
    [EMAIL PROTECTED]
    auto=start
    pfs=yes

#---- MIS TO HOME ----#
conn home
    also=home-mis

conn home-mis
    left=192.168.3.254
    [EMAIL PROTECTED]
    right=192.168.3.33
    [EMAIL PROTECTED]
    auto=start

##################################
### [Home] /etc/ipsec.conf as follows: #
##################################

config setup
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    keyingtries=0
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

#---- HOME TO MIS ----#
conn home
    also=home-mis

conn home-mis
    left=192.168.3.254
    [EMAIL PROTECTED]
    right=192.168.3.33
    [EMAIL PROTECTED]
    auto=start

‧ There are NO iptables rules to filter packets in [Home] and [MIS]! JUST the MASQ rules in [MIS], as follows:

###BEGIN--- iptables MASQUERADE rules ###
iptables -t nat -A POSTROUTING -s 192.168.10.0/255.255.248.0 -j MASQUERADE
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s 192.168.10.0/255.255.248.0 -j ACCEPT
iptables -A OUTPUT -d 192.168.10.0/255.255.248.0 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.10.0/255.255.248.0 -j ACCEPT
iptables -A INPUT -s 192.168.3.33 -j ACCEPT
iptables -A OUTPUT -s 192.168.3.33 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.3.33 -j ACCEPT
###END--- iptables MASQUERADE rules ###

▲My Steps:

1. In [Windows2000 Client], start IPsec; I am very sure Windows2000 IPsec is working correctly ; )

2. In [MIS], /etc/init.d/ipsec restart; then the Windows2000 client's ping to 192.168.3.254 is OK, but there is no response at all from 192.168.3.33!!!!!

   Negotiating IP Security
   Reply from 192.168.3.254: bytes=32 time=3ms TTL=64
   Reply from 192.168.3.254: bytes=32 time=3ms TTL=64

3. In [HOME], /etc/init.d/ipsec restart to establish the IPsec tunnel between [MIS] and [HOME]; then the Windows client's pings to 192.168.3.254 and 192.168.3.33 are both OK!!!

   Negotiating IP Security
   Reply from 192.168.3.254: bytes=32 time=3ms TTL=64
   Reply from 192.168.3.254: bytes=32 time=3ms TTL=64
   Reply from 192.168.3.33: bytes=32 time=3ms TTL=64
   Reply from 192.168.3.33: bytes=32 time=3ms TTL=64

4. Using the 'tcpdump' command to sniff packets on the 192.168.3.254 and 192.168.3.33 interfaces, I do get 'ESP' packets!

5. Using the 'tcpdump' command to sniff packets on the Windows2000 client (192.168.10.223), I CANNOT get 'ESP' packets! All packets transferred to [Home] are 'CLEAR' packets -___-

6. Now I restart 'ipsec' again in Windows2000.

7. However, when I use the ping command to ping 192.168.10.254, I get an ESP packet response!!!!! Unfortunately, I CANNOT ping 192.168.3.254 [MIS] and 192.168.3.33 [HOME] now...... It's very strange..... @_____@

▲My Question:

1. How do I let Windows2000 clients use the IPsec tunnel to connect to [HOME]??????

2. Do I need any patch????? A FreeS/WAN patch??? Or an iptables patch???? I am using the Debian Woody official .deb to install FreeS/WAN; I didn't use the FreeS/WAN source to recompile!!!

3. Does anyone know where to find a useful document/HOWTO that conforms to my diagram/environment???? I have already read http://jixen.tripod.com/ and http://www.thing.dyndns.org/debian/wifivpn.htm

4. Any questions about my question, please feel free to let me know. I will explain for you ... :-)

Very, very many thanks..........

-- 
Trust & Unique ...
axacheng <[EMAIL PROTECTED]>
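The following is an added diagnostic example, not part of the post above and not FreeS/WAN code. It parses an excerpt of the [MIS] ipsec.conf as posted (the redacted [EMAIL PROTECTED] id lines are dropped, since they do not affect traffic selectors), resolves `also=` and `%default` inheritance the way ipsec.conf(5) describes it, and reports which conns' selectors would carry a given source/destination pair. It encodes one FreeS/WAN rule that matters for this kind of question: when `leftsubnet`/`rightsubnet` is omitted, the selector on that side is the endpoint's own address only, so a road-warrior conn whose `left` is the gateway itself does not cover hosts behind the gateway. The `right=%any` modelling as 0.0.0.0/0 and the illustrative `leftsubnet=192.168.3.0/24` variant are assumptions made for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed excerpt of the [MIS] /etc/ipsec.conf from the post. The
# leftid/rightid lines were redacted on the list and are omitted here.
MIS_IPSEC_CONF = """\
conn %default
    keyingtries=1
    authby=rsasig

conn roadwarrior
    also=roadwarrior-net

conn roadwarrior-net
    right=%any
    left=192.168.10.235
    auto=start
    pfs=yes

conn home
    also=home-mis

conn home-mis
    left=192.168.3.254
    right=192.168.3.33
    auto=start
"""

# Assumed illustrative variant: the same file with a leftsubnet added to the
# road-warrior conn so that it also covers the 192.168.3.0/24 network.
MIS_IPSEC_CONF_WITH_SUBNET = MIS_IPSEC_CONF.replace(
    "    pfs=yes", "    pfs=yes\n    leftsubnet=192.168.3.0/24")


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'conn NAME' sections (header at column 0, indented key=value).

    Only the subset of ipsec.conf syntax used in the post is handled; any
    other section such as 'config setup' is skipped.
    """
    conns: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            m = re.match(r"conn\s+(\S+)$", line)
            current = conns.setdefault(m.group(1), {}) if m else None
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def resolve(conns: Dict[str, Dict[str, str]], name: str,
            _seen: Optional[set] = None) -> Dict[str, str]:
    """Flatten a conn: own keys win over 'also=' sections, which win over %default."""
    _seen = (_seen or set()) | {name}
    section = conns[name]
    merged: Dict[str, str] = {}
    if name != "%default" and "%default" in conns:
        merged.update(conns["%default"])
    for inc in section.get("also", "").split(","):
        inc = inc.strip()
        if inc:
            if inc in _seen:
                raise ValueError(f"also= loop at {inc}")
            merged.update(resolve(conns, inc, _seen))
    merged.update({k: v for k, v in section.items() if k != "also"})
    return merged


def side_selector(params: Dict[str, str], side: str) -> Optional[ipaddress.IPv4Network]:
    """Traffic selector for 'left' or 'right'.

    An explicit <side>subnet wins; otherwise the selector is the endpoint's own
    address as a /32. right=%any (road warrior) is modelled as 0.0.0.0/0 here
    because the client's address is only known once it connects (assumption).
    """
    subnet = params.get(side + "subnet")
    if subnet:
        return ipaddress.ip_network(subnet, strict=False)
    host = params.get(side)
    if host is None:
        return None
    if host.startswith("%"):
        return ipaddress.ip_network("0.0.0.0/0") if host == "%any" else None
    return ipaddress.ip_network(host + "/32")


def conns_protecting(text: str, src: str, dst: str) -> List[str]:
    """Conns whose selectors carry a packet from a 'right' peer to a 'left' destination."""
    conns = parse_conns(text)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = []
    for name in conns:
        if name == "%default":
            continue
        p = resolve(conns, name)
        left, right = side_selector(p, "left"), side_selector(p, "right")
        if left is not None and right is not None and src_ip in right and dst_ip in left:
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    client, mis_left, home = "192.168.10.223", "192.168.10.235", "192.168.3.33"
    print("to MIS left as posted :", conns_protecting(MIS_IPSEC_CONF, client, mis_left))
    print("to Home as posted     :", conns_protecting(MIS_IPSEC_CONF, client, home))
    print("to Home with leftsubnet:", conns_protecting(MIS_IPSEC_CONF_WITH_SUBNET, client, home))
```

The checker follows the gateway-side file literally and knows nothing about the Windows 2000 policy on the client, so it only tells you what [MIS] itself has declared as protected traffic. As posted, the road-warrior conn names a single host on its left side, and the client-to-192.168.3.33 pair matches no conn; the variant with a `leftsubnet` is one way to make that pair match on the [MIS] side, and the peer's policy and the [Home] conn would still have to agree on the same selectors.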