This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

TJ2 Solutions Ipsec Vpn Problem

The goal is to lay down a network between Katwijk and Voorburg.
I have added an attachment with a picture of the current network.

The problem is, I can’t get the VPN connection in optimal use between the Astaro machines.
For this I have followed the manual from the website. (http://docs.astaro.org/docs_v3/vpn/Net_to_Net_RSA_Dynamic.pdf )
Net-2-Net VPN RSA.

I have also read the manual from www.freeswan.org, but it didn’t seem wise
to configure the configuration files manually
I think I have tried out all the possible options, I have checked the forum on
astaro.org but haven’t found any close related problems.

At the moment I haven’t got any comments about the logfile.
I have found some interesting clues that could be the source
of the problem.(check below for the logfile)

Aug 26 09:34:31 maanen-kw Pluto[26945]: listening for IKE messages
Aug 26 09:34:31 maanen-kw Pluto[26945]: | found lo with address
127.0.0.1
Aug 26 09:34:31 maanen-kw Pluto[26945]: | found eth0 with address
192.168.10.250
Aug 26 09:34:31 maanen-kw Pluto[26945]: | found eth1 with address
213.84.37.193
Aug 26 09:34:31 maanen-kw Pluto[26945]: | IP interface eth1
213.84.37.193 has no matching ipsec* interface -- ignored
Aug 26 09:34:31 maanen-kw Pluto[26945]: | IP interface eth0
192.168.10.250 has no matching ipsec* interface -- ignored
Aug 26 09:34:31 maanen-kw Pluto[26945]: | IP interface lo 127.0.0.1 has
no matching ipsec* interface -- ignored
Aug 26 09:34:31 maanen-kw Pluto[26945]: | could not open
/proc/net/if_inet6
Aug 26 09:34:31 maanen-kw Pluto[26945]: no public interfaces found
Aug 26 09:34:31 maanen-kw Pluto[26945]: loading secrets from
"/etc/ipsec.secrets"
Aug 26 09:34:31 maanen-kw Pluto[26945]: | next event EVENT_SHUNT_SCAN in
118 seconds
------------
Aug 26 09:45:26 maanen-kw ipsec_setup: KLIPS debug `none'
Aug 26 09:45:26 maanen-kw ipsec_setup: KLIPS ipsec0 on eth0
192.168.10.250/255.255.0.0 broadcast 192.168.255.255 mtu 16260
------------
Aug 26 09:45:30 maanen-kw Pluto[31787]: | found eth1 with address
213.84.37.193
Aug 26 09:45:30 maanen-kw Pluto[31787]: | found ipsec0 with address
192.168.10.250
Aug 26 09:45:30 maanen-kw Pluto[31787]: | IP interface eth1
213.84.37.193 has no matching ipsec* interface -- ignored
Aug 26 09:45:30 maanen-kw Pluto[31787]: adding interface ipsec0/eth0
192.168.10.250
Aug 26 09:45:30 maanen-kw Pluto[31787]: | IP interface lo 127.0.0.1 has
no matching ipsec* interface -- ignored
--------------
Aug 26 09:45:30 maanen-kw Pluto[31787]: | executing prepare-client: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client'
PLUTO_CONNECTION='VPN-naar-Voorburg_1' PLUTO_NEXT_HOP='10.0.0.138'
PLUTO_INTERFACE='ipsec0' PLUTO_ME='192.168.10.250'
PLUTO_MY_ID='192.168.10.250' PLUTO_MY_CLIENT='192.168.10.0/24'
PLUTO_MY_CLIENT_NET='192.168.10.0' PLUTO_MY_CLIENT_MASK='255.255.255.0'
PLUTO_PEER='213.84.201.197' PLUTO_PEER_ID='@maanen-vb.xs4all.nl'
PLUTO_PEER_CLIENT='192.168.20.0/24' PLUTO_PEER_CLIENT_NET='192.168.20.0'
PLUTO_PEER_CLIENT_MASK='255.255.255.0' ipsec _updown
Aug 26 09:45:30 maanen-kw Pluto[31787]: | executing route-client: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='route-client'
PLUTO_CONNECTION='VPN-naar-Voorburg_1' PLUTO_NEXT_HOP='10.0.0.138'
PLUTO_INTERFACE='ipsec0' PLUTO_ME='192.168.10.250'
PLUTO_MY_ID='192.168.10.250' PLUTO_MY_CLIENT='192.168.10.0/24'
PLUTO_MY_CLIENT_NET='192.168.10.0' PLUTO_MY_CLIENT_MASK='255.255.255.0'
PLUTO_PEER='213.84.201.197' PLUTO_PEER_ID='@maanen-vb.xs4all.nl'
PLUTO_PEER_CLIENT='192.168.20.0/24' PLUTO_PEER_CLIENT_NET='192.168.20.0'
PLUTO_PEER_CLIENT_MASK='255.255.255.0' ipsec _updown
Aug 26 09:45:30 maanen-kw Pluto[31787]: "VPN-naar-Voorburg_1":
route-client output: SIOCADDRT: Network is unreachable
Aug 26 09:45:30 maanen-kw Pluto[31787]: "VPN-naar-Voorburg_1":
route-client output: /usr/local/lib/ipsec/_updown: `route add -net
192.168.20.0 netmask 255.255.255.0 dev ipsec0 gw 10.0.0.138' failed
Aug 26 09:45:30 maanen-kw Pluto[31787]: "VPN-naar-Voorburg_1":
route-client output: /usr/local/lib/ipsec/_updown: (incorrect or missing
nexthop setting??)
Aug 26 09:45:30 maanen-kw Pluto[31787]: "VPN-naar-Voorburg_1":
route-client command exited with status 7

In the last section is says the firewall can’t make a route for the ipsec.

With the problems of the VPN, the astaro machine does works optimal.
Hope you can help me with this problem

This thread was automatically locked due to age.

Parents

0 Andy_01 over 23 years ago

do you have dynamic IPs on the Astaros?
Cancel
Vote Up 0 Vote Down

Cancel
0 maanen over 23 years ago in reply to Andy_01

Hi all, i'm working on the same project.

All the used IP's are static.
The used internet line is a DSL line with a modem, I think that perhaps the problem lies in the (spoofing??) of the modem.
The config on both ends is equal.

Please let me draw the config:
INTERNET-------“DSL-modem”---------“astaro-ETH1”

Left of DSL modem:
        static IP
        IP: aa.bb.cc.dd   (www.my-domain.com)

Right of DSL modem:
        static IP
        IP: 10.0.0.138

Astaro machine ETH1:
        Static IP
        IP: aa.bb.cc.dd   (www.my-domain.com)

The adress on the astaro is the same as the internet IP, as far as i can see is all incomming data routed from the "outside" to "inside" of the modem.

Please help, I followed the astaro VPN-how2 by the letter, and stil it's not working. Is there any way I can check the incomming data of the VPN to see what is wrong?

Please reply in non-superduper-linux-guru language (still learning for guru  [;)]  ).

Kees Barnhoorn
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon Shaw over 23 years ago in reply to maanen

Are you using PPPoE with the DSL connection ?
Cancel
Vote Up 0 Vote Down

Cancel
0 maanen over 23 years ago in reply to Simon Shaw

The DSL modem is using PPPoA (similar to PPPoE)

Googled me some info:
PPPoA info
Info on PPPoE DSL modems

The DSL modem is NOT using NAT

Could the use of PPPoA / PPPoE prevent the VPN from connecting [:S]
Cancel
Vote Up 0 Vote Down

Cancel
0 oliver.desch over 23 years ago in reply to maanen

Maanen,

just some questions:

1. what did you configure as Astaroes default gateway?
2. What about the modem? Is it transparent after
the connection is established?

read you
o|iver
Cancel
Vote Up 0 Vote Down

Cancel
0 Simon Shaw over 23 years ago in reply to oliver.desch

I'm also having troubles establishing a IPSEC VPN over PPPoE.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Simon Shaw over 23 years ago in reply to oliver.desch

I'm also having troubles establishing a IPSEC VPN over PPPoE.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 maanen over 23 years ago in reply to Simon Shaw

As far as I can see the modem is "transparent".

The DSL modem "Alcatel speed touch pro" establishes the DSL connection. After the connection to the ISP is "up" all incomming (internet) data is routed to the "internal" side of the DSL modem.
configuration of the network (previous post)

The "external" DSL modem ip: aa.bb.cc.dd
The "internal" DSL modem IP: 10.0.0.138  (!static!)
The ASL Eth1: ip:  aa.bb.cc.dd (same as external DSL modem)

ASL config:
ETH0: internal network
ETH1: Internet
  - IP:      aa.bb.cc.dd
  - mask:    255.255.255.255
  - gateway: 10.0.0.138 (DSL modem)
  - all entry's are static (none dhcp)

>

[size="1"][ 05 September 2002, 12:34: Message edited by: maanen ][/size]
Cancel
Vote Up 0 Vote Down

Cancel