[fw-wiz] VPN help !! please (fwd)

Tina Bird tbird at precision-guesswork.com
Thu Jul 19 11:01:38 EDT 2001


---------- Forwarded message ----------
Date: Thu, 19 Jul 2001 08:10:39 -0500
From: Bill Asher <basher at schultz-design.com>
To: "Firewall Wizard Mailing List (E-mail)" <firewall-wizards at nfr.com>
Subject: [fw-wiz] VPN help !! please

My network:

                 ba-fw01 (PPP)                        199.217.219.121   199.217.219.126
Home LAN -- Firewall(ba-fw01) -- modem -->internet<-- Router -- Firewall(fw02) -- Office LAN
10.2.2.X --  10.2.2.1         -- modem -->internet<--               10.0.0.1    -- 10.0.0.x
I'm having a few issues getting my VPN tunnel made.  Below are my config
files; I used jixen.tripod.com RoadWarrior as an example.  I am a bit
confused on the left and right aspects for each location.  I have read that
the configs should be identical, while other examples show the left and
right information swapping for each firewall.  I have also added:

ipchains -A forward -i $GREEN_DEV -d $GREEN_NETADDRESS/$GREEN_NETMASK -j ACCEPT

to each firewall's rc.firewall.up config.  Also, what exactly should be in
my ipsec.secrets config file??
Any suggestions, show me where I'm going wrong!! Thanks, Bill

######### Configs ####################
# Road - Work VPN
# Road /etc/ipsec.conf config file - 7/16/01

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search

conn %default
        keyingtries=1

conn road-work
        left=%defaultroute
        leftsubnet=
        leftnexthop=
        right=199.217.219.126
        rightsubnet=10.0.0.0/8
        rightnexthop=199.217.219.121
        auto=start
        authby=rsasig
        leftid=@ba-fw01.basher.com
        rightid=@fw02.schultz-design.com
        leftrsasigkey=0x0A
        rightrsasigkey=0x0B

# Road - Work VPN
# Work /etc/ipsec.conf config file - 7/16/01

config setup
        interfaces="ipsec0=eth2"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search

conn %default
        keyingtries=1

conn road-work
        left=0.0.0.0
        leftsubnet=
        leftnexthop=
        right=199.217.219.126
        rightsubnet=10.0.0.0/8
        rightnexthop=199.217.219.121
        auto=add
        authby=rsasig
        leftid=@ba-fw01.basher.com
        rightid=@fw02.schultz-design.com
        leftrsasigkey=0x0A
        rightrsasigkey=0x0B

Error Messages:
root at ba-fw01~# ipsec setup --restart
ipsec_setup: Stopping FreeS/WAN IPSEC...
ipsec_setup: Starting FreeS/WAN IPSEC 1.8...
ipsec_setup: WARNING: ipsec0 has route filtering turned on, KLIPS may not work
ipsec_setup:  (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = `1', should be 0)
ipsec_setup: WARNING: ppp0 has route filtering turned on, KLIPS may not work
ipsec_setup:  (/proc/sys/net/ipv4/conf/ppp0/rp_filter = `1', should be 0)
ipsec_setup: 102 "road-work" #1: STATE_MAIN_I1: initiate
ipsec_setup: 104 "road-work" #1: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2
ipsec_setup: 106 "road-work" #1: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3
ipsec_setup: 003 "road-work" #1: SIG did not decrypt into good ECB: no leading 00. Bad key?
ipsec_setup: 217 "road-work" #1: STATE_MAIN_I3: INVALID_KEY_INFORMATION
ipsec_setup: 010 "road-work" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
ipsec_setup: 003 "road-work" #1: SIG did not decrypt into good ECB: no leading 00. Bad key?
ipsec_setup: 217 "road-work" #1: STATE_MAIN_I3: INVALID_KEY_INFORMATION
ipsec_setup: 010 "road-work" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
ipsec_setup: 003 "road-work" #1: SIG did not decrypt into good ECB: no leading 00. Bad key?
ipsec_setup: 217 "road-work" #1: STATE_MAIN_I3: INVALID_KEY_INFORMATION
ipsec_setup: 031 "road-work" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message


root at ba-fw01~# ipsec auto --up road-work
102 "road-work" #2: STATE_MAIN_I1: initiate
104 "road-work" #2: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2
106 "road-work" #2: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3
003 "road-work" #2: SIG did not decrypt into good ECB: no leading 00. Bad key?
217 "road-work" #2: STATE_MAIN_I3: INVALID_KEY_INFORMATION
010 "road-work" #2: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "road-work" #2: SIG did not decrypt into good ECB: no leading 00. Bad key?
217 "road-work" #2: STATE_MAIN_I3: INVALID_KEY_INFORMATION

root at ba-fw01~# cat /proc/net/ipsec_tncfg
ipsec0 -> ppp0 mtu=16260 -> 1524
ipsec1 -> NULL mtu=0 -> 0
ipsec2 -> NULL mtu=0 -> 0
ipsec3 -> NULL mtu=0 -> 0

root at fw02~# cat /proc/net/ipsec_tncfg
ipsec0 -> eth2 mtu=16260 -> 1500
ipsec1 -> NULL mtu=0 -> 0
ipsec2 -> NULL mtu=0 -> 0
ipsec3 -> NULL mtu=0 -> 0


B . A s h e r
IT Manager
S C H U L T Z D E S I G N
(636)936-2900
www.schultz-design.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards at nfr.com
http://www.nfr.com/mailman/listinfo/firewall-wizards
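The left/right question in the post above, as an added example that is not from the original post or from the FreeS/WAN project: a small Python checker that parses both ipsec.conf files and reports where the two ends disagree. In FreeS/WAN the conn description is meant to be the same on both ends; left and right are labels, not "me" and "them", and each host works out which side it is from its own addresses. The leftrsasigkey/rightrsasigkey values are the two hosts' RSA public keys (what `ipsec showhostkey` prints), and the matching private key is what belongs in that host's ipsec.secrets. The two configs are embedded from the post so the script runs offline; the exemption of `auto` from the comparison and the MIN_RSASIGKEY_LEN heuristic are the script's own assumptions.

```python
"""Consistency check for the two ends of a FreeS/WAN tunnel (added example).

ROAD_CONF / WORK_CONF are the two ipsec.conf files quoted in the post,
embedded here so the check runs without touching the real hosts."""
from typing import Dict, List, Tuple

Section = Tuple[str, str]              # ("config", "setup") or ("conn", "road-work")
Config = Dict[Section, Dict[str, str]]

ROAD_CONF = """\
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search

conn %default
        keyingtries=1

conn road-work
        left=%defaultroute
        leftsubnet=
        leftnexthop=
        right=199.217.219.126
        rightsubnet=10.0.0.0/8
        rightnexthop=199.217.219.121
        auto=start
        authby=rsasig
        leftid=@ba-fw01.basher.com
        rightid=@fw02.schultz-design.com
        leftrsasigkey=0x0A
        rightrsasigkey=0x0B
"""

# In the post the work-end file differs from the road-end file in exactly these three lines.
WORK_CONF = (ROAD_CONF.replace("interfaces=%defaultroute", 'interfaces="ipsec0=eth2"')
                      .replace("left=%defaultroute", "left=0.0.0.0")
                      .replace("auto=start", "auto=add"))

# Both ends may legitimately differ in 'auto' (start on the initiator, add on the responder).
END_SPECIFIC = {"auto"}
# Heuristic (assumption): a real FreeS/WAN RSA public key in 0s/0x form runs to
# hundreds of characters, so anything this short is a placeholder, not a key.
MIN_RSASIGKEY_LEN = 64


def parse_ipsec_conf(text: str) -> Config:
    """Parse ipsec.conf: a header at column 0 ('config setup' / 'conn NAME') opens a
    section, indented key=value lines belong to it, '#' starts a comment."""
    sections: Config = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                       # section header
            kind, _, name = line.strip().partition(" ")
            current = (kind, name.strip())
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"parameter before any section header: {raw!r}")
        key, sep, value = line.strip().partition("=")   # first '=' only: interfaces="ipsec0=eth2"
        if not sep:
            raise ValueError(f"expected key=value: {raw!r}")
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def compare_ends(a: Config, b: Config, la: str = "A", lb: str = "B") -> List[str]:
    """Report conn sections and conn parameters that differ between the two ends."""
    out: List[str] = []
    conns_a = {n for k, n in a if k == "conn"}
    conns_b = {n for k, n in b if k == "conn"}
    for name in sorted(conns_a ^ conns_b):
        out.append(f"conn {name}: defined only on {la if name in conns_a else lb}")
    for name in sorted(conns_a & conns_b):
        pa, pb = a[("conn", name)], b[("conn", name)]
        for key in sorted((set(pa) | set(pb)) - END_SPECIFIC):
            if pa.get(key) != pb.get(key):
                out.append(f"conn {name}: {key} differs ({la}={pa.get(key)!r}, {lb}={pb.get(key)!r})")
    return out


def check_end(conf: Config, label: str) -> List[str]:
    """Report parameters that are set but empty, and rsasigkey values too short to be keys."""
    out: List[str] = []
    for (kind, name), params in conf.items():
        for key, value in params.items():
            if value == "":
                out.append(f"{label} {kind} {name}: {key} is set but empty")
            elif key.endswith("rsasigkey") and len(value) < MIN_RSASIGKEY_LEN:
                out.append(f"{label} {kind} {name}: {key}={value!r} is too short to be an RSA public key")
    return out


def audit(road_text: str, work_text: str) -> List[str]:
    road, work = parse_ipsec_conf(road_text), parse_ipsec_conf(work_text)
    return compare_ends(road, work, "road", "work") + check_end(road, "road") + check_end(work, "work")


if __name__ == "__main__":
    for finding in audit(ROAD_CONF, WORK_CONF):
        print(finding)
```

Run against the two files from the post, the checker reports the `left` mismatch between `%defaultroute` and `0.0.0.0`, the empty `leftsubnet`/`leftnexthop` values on both ends, and the two-digit `0x0A`/`0x0B` rsasigkey values; the last finding is consistent with the "SIG did not decrypt into good ECB ... Bad key?" line in the log, which is Pluto failing to verify the peer's RSA signature against the configured public key.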
