[ale] VPN (s are) hell

James P. Kinney III jkinney at localnetsolutions.com
Wed May 4 10:39:55 EDT 2005


On Wed, 2005-05-04 at 02:02 -0400, Dow Hurst wrote:
> One way of troubleshooting such a setup is to have four machines in a 
> testbed separated from any other network.  Is that what your working 
> on?  

In the _real_ world, clients _always_ plan for time to have a test bed
and test setups before bringing things live, right?! NOT!!!

Of course this is not the ideal test setup as one of the gateways is
live and can't be taken off line but for moments to reset the firewall.

They are both on separate networks, however, with machines behind them
on the LAN to be tunneled. I am on a third network ssh'ed into both of
the gateways and a LAN machine on each end. 

> That way you won't risk the real LANs.  Are you sure your routing 
> TCP and UDP traffic properly?  You might have the rules but not the 
> routes installed correctly.  You could post your netstat -rn for us.

[root at firegate sysconfig]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt
Iface
192.168.100.0   216.27.161.1    255.255.255.0   UG        0 0          0
eth0
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0
eth1
216.27.161.0    0.0.0.0         255.255.255.0   U         0 0          0
eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0
eth1
0.0.0.0         216.27.161.1    0.0.0.0         UG        0 0          0
eth0

[root at server1 sysconfig]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt
Iface
71.16.6.192     0.0.0.0         255.255.255.224 U         0 0          0
eth2
192.168.100.0   0.0.0.0         255.255.255.0   U         0 0          0
eth0
10.0.0.0        71.16.6.193     255.255.255.0   UG        0 0          0
eth2
192.168.200.0   0.0.0.0         255.255.255.0   U         0 0          0
eth1
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0
eth2
0.0.0.0         71.16.6.193     0.0.0.0         UG        0 0          0
eth2

server1 is the live system. firegate is the new system. 

A new thing in openswan is the disappearance of the ipsec+ interfaces
when using the kernel ipsec modules.

> 
> For later, when the thing is working:
> If the VPN dies what will happen to the packets intended for LAN from 
> the other LAN?  Will they leave the originating LAN and then will they 
> be received by the other end but just not go thru the tunnel since that 
> died?  How specific are you on your ruleset and routing?

Right now things are wide open trying to get the routing working.
> Dow
> 
> 
> James P. Kinney III wrote:
> 
> >I have a new VPN I'm setting up and it just isn't working right. I'm
> >sure its a firewall issue but I'm stumped.
> >
> >It's a net-to-net setup using OpenSwan on the gateways. From one end on
> >the LAN, I can ping another machine on the other LAN by IP address.
> >However, I _can't_ ping back the other way which is why I think it's a
> >firewall issue. I can see the traffic moving with tcpdump running on
> >multiple interfaces. I can see the ESP packets leaving and returning to
> >the external interfaces and I can the the decrypted packets entering the
> >LAN interfaces. I did some ping size tests and can get a max MTU of
> >15236 which is bigger than normal.
> >
> >I can't get jack else through the tunnel. No ssh, no http, no netbios,
> >no telnet, nada, bipcus. 
> >
> >I set up a rule in iptables  on both ends to not NAT the traffic for the
> >other end (I don't expect I should be seeing any pings work otherwise).
> >
> >I have both ends of the firewall so open I'm worried right now.
> >
> >So I have developed a one way ping tunnel.  Argghhhhh.
> >  
> >
> >------------------------------------------------------------------------
> >
> >_______________________________________________
> >Ale mailing list
> >Ale at ale.org
> >http://www.ale.org/mailman/listinfo/ale
> >
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
-- 
James P. Kinney III          \Changing the mobile computing world/
CEO & Director of Engineering \          one Linux user         /
Local Net Solutions,LLC        \           at a time.          /
770-493-8244                    \.___________________________./
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part




More information about the Ale mailing list