[fw-wiz] VPN help !! please (fwd)
Tina Bird
tbird at precision-guesswork.com
Thu Jul 19 11:01:38 EDT 2001
---------- Forwarded message ----------
Date: Thu, 19 Jul 2001 08:10:39 -0500
From: Bill Asher <basher at schultz-design.com>
To: "Firewall Wizard Mailing List (E-mail)" <firewall-wizards at nfr.com>
Subject: [fw-wiz] VPN help !! please
My network:
ba-fw01 PPP 199.217.219.121        199.217.219.126
Home LAN -- Firewall(ba-fw01) -- modem -->internet<-- Router -- Firewall(fw02) -- Office LAN
10.2.2.X -- 10.2.2.1 -- modem -->internet<-- 10.0.0.1 -- 10.0.0.x
I'm having a few issues getting my VPN tunnel made. Below are my config
files; I used jixen.tripod.com RoadWarrior as an example. I am a bit
confused on the left and right aspects for each location. I have read that
the configs should be identical, while other examples show the left and
right information swapping for each firewall. I have also added:
ipchains -A forward -i $GREEN_DEV -d $GREEN_NETADDRESS/$GREEN_NETMASK -j ACCEPT
to each firewall's rc.firewall.up config. Also, what exactly should be in
my ipsec.secrets config file??
Any suggestions, show me where I'm going wrong!! Thanks, Bill
######### Configs ####################
# Road - Work VPN
# Road /etc/ipsec.conf config file - 7/16/01
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
conn %default
        keyingtries=1
conn road-work
        left=%defaultroute
        leftsubnet=
        leftnexthop=
        right=199.217.219.126
        rightsubnet=10.0.0.0/8
        rightnexthop=199.217.219.121
        auto=start
        authby=rsasig
        leftid=@ba-fw01.basher.com
        rightid=@fw02.schultz-design.com
        leftrsasigkey=0x0A
        rightrsasigkey=0x0B
# Road - Work VPN
# Work /etc/ipsec.conf config file - 7/16/01
config setup
        interfaces="ipsec0=eth2"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
conn %default
        keyingtries=1
conn road-work
        left=0.0.0.0
        leftsubnet=
        leftnexthop=
        right=199.217.219.126
        rightsubnet=10.0.0.0/8
        rightnexthop=199.217.219.121
        auto=add
        authby=rsasig
        leftid=@ba-fw01.basher.com
        rightid=@fw02.schultz-design.com
        leftrsasigkey=0x0A
        rightrsasigkey=0x0B
Error Messages:
root@ba-fw01~# ipsec setup --restart
ipsec_setup: Stopping FreeS/WAN IPSEC...
ipsec_setup: Starting FreeS/WAN IPSEC 1.8...
ipsec_setup: WARNING: ipsec0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = `1', should be 0)
ipsec_setup: WARNING: ppp0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/ppp0/rp_filter = `1', should be 0)
ipsec_setup: 102 "road-work" #1: STATE_MAIN_I1: initiate
ipsec_setup: 104 "road-work" #1: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2
ipsec_setup: 106 "road-work" #1: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3
ipsec_setup: 003 "road-work" #1: SIG did not decrypt into good ECB: no leading 00. Bad key?
ipsec_setup: 217 "road-work" #1: STATE_MAIN_I3: INVALID_KEY_INFORMATION
ipsec_setup: 010 "road-work" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
ipsec_setup: 003 "road-work" #1: SIG did not decrypt into good ECB: no leading 00. Bad key?
ipsec_setup: 217 "road-work" #1: STATE_MAIN_I3: INVALID_KEY_INFORMATION
ipsec_setup: 010 "road-work" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
ipsec_setup: 003 "road-work" #1: SIG did not decrypt into good ECB: no leading 00. Bad key?
ipsec_setup: 217 "road-work" #1: STATE_MAIN_I3: INVALID_KEY_INFORMATION
ipsec_setup: 031 "road-work" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
root@ba-fw01~# ipsec auto --up road-work
102 "road-work" #2: STATE_MAIN_I1: initiate
104 "road-work" #2: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2
106 "road-work" #2: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3
003 "road-work" #2: SIG did not decrypt into good ECB: no leading 00. Bad key?
217 "road-work" #2: STATE_MAIN_I3: INVALID_KEY_INFORMATION
010 "road-work" #2: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "road-work" #2: SIG did not decrypt into good ECB: no leading 00. Bad key?
217 "road-work" #2: STATE_MAIN_I3: INVALID_KEY_INFORMATION
root@ba-fw01~# cat /proc/net/ipsec_tncfg
ipsec0 -> ppp0 mtu=16260 -> 1524
ipsec1 -> NULL mtu=0 -> 0
ipsec2 -> NULL mtu=0 -> 0
ipsec3 -> NULL mtu=0 -> 0
root@fw02~# cat /proc/net/ipsec_tncfg
ipsec0 -> eth2 mtu=16260 -> 1500
ipsec1 -> NULL mtu=0 -> 0
ipsec2 -> NULL mtu=0 -> 0
ipsec3 -> NULL mtu=0 -> 0
B . A s h e r
IT Manager
S C H U L T Z D E S I G N
(636)936-2900
www.schultz-design.com
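A small config lint for the two ipsec.conf files in the post, added here as an example (it is not part of Bill's message and not FreeS/WAN code): it parses the ipsec.conf layout of a "config setup" / "conn NAME" header followed by indented key=value parameters, then reports the placeholder 0x0A/0x0B rsasigkey values, the 0.0.0.0 endpoint, and any conn parameter that differs between the two peers. The ROAD/WORK sample strings and the KEY_RE pattern are constructed for this example; FreeS/WAN prints each host's public key with "ipsec showhostkey" in the 0s... base64 form the pattern expects.

```python
import re

# Constructed sample: the "conn road-work" sections from the two posted files, setup params omitted.
ROAD = """conn road-work
    left=%defaultroute
    right=199.217.219.126
    rightsubnet=10.0.0.0/8
    auto=start
    authby=rsasig
    leftrsasigkey=0x0A
    rightrsasigkey=0x0B
"""
WORK = ROAD.replace("left=%defaultroute", "left=0.0.0.0").replace("auto=start", "auto=add")

# FreeS/WAN writes RSA public keys as "0s" followed by base64 (see 'ipsec showhostkey').
KEY_RE = re.compile(r"^0s[A-Za-z0-9+/=]{40,}$")


def parse_conf(text):
    """Map each 'config setup' / 'conn NAME' header to its indented key=value params."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.strip() and line[0] not in " \t":   # unindented line starts a section
            current = sections.setdefault(line.strip(), {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def lint(road_text, work_text, conn="conn road-work"):
    """Return findings for the road-warrior conn as seen from both peers."""
    road = parse_conf(road_text).get(conn, {})
    work = parse_conf(work_text).get(conn, {})
    findings = []
    for name, side in (("road", road), ("work", work)):
        for param in ("leftrsasigkey", "rightrsasigkey"):
            if side.get("authby") == "rsasig" and not KEY_RE.match(side.get(param, "")):
                findings.append(f"{name}: {param}={side.get(param)!r} is not a "
                                "0s... key from 'ipsec showhostkey'")
        for param in ("left", "right"):
            if side.get(param) == "0.0.0.0":
                findings.append(f"{name}: {param}=0.0.0.0 is not an endpoint; use the "
                                "peer's address, %defaultroute, or %any")
    # Both ends carry the same conn description; only 'auto' (start on the road warrior,
    # add on the gateway) legitimately differs between them.
    for key in sorted(set(road) | set(work)):
        if key != "auto" and road.get(key) != work.get(key):
            findings.append(f"{key} differs: road={road.get(key)!r} work={work.get(key)!r}")
    return findings
```

Run lint(ROAD, WORK) to see the six findings for the posted configs; with real 0s... keys on both sides and a proper left= endpoint the list is empty.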
_______________________________________________
firewall-wizards mailing list
firewall-wizards at nfr.com
http://www.nfr.com/mailman/listinfo/firewall-wizards