Sorry for the rather general title, but somehow I can't specify my problem any more precisely.
Now to the topic. I wanted to experiment a bit with freeswan, so I installed freeswan on 2 servers, each running sarge. I then also gave each of them a virtual NIC.
Server1(salsa)
eth0=192.168.2.90
eth0:1=192.168.200.1
Server2(tango)
eth0=192.168.2.83
eth0:1=192.168.100.1
Now the two servers are supposed to connect the networks 192.168.200.0 and 192.168.100.0 to each other via VPN.
I also gave our router 2 virtual NICs so that it acts as the GW for everyone, i.e. eth0=192.168.2.1, eth0:1=192.168.200.2, eth0:2=192.168.100.2
All servers can ping each other, e.g. on salsa:
Code:
salsa:~# ping -c 4 -I eth0:1 192.168.100.1
PING 192.168.100.1 (192.168.100.1) from 192.168.200.1 eth0:1: 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=63 time=0.995 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=63 time=0.497 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.420 ms
From 192.168.200.2: icmp_seq=4 Redirect Host(New nexthop: 192.168.100.1)
64 bytes from 192.168.100.1: icmp_seq=4 ttl=64 time=0.373 ms
--- 192.168.100.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.373/0.571/0.995/0.249 ms
salsa:~#
The /etc/ipsec.conf on salsa looks like this:
Code:
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    interfaces="ipsec0=eth0"
    klipsdebug=all
    plutodebug=all
    #plutoload=%search
    #plutostart=%search
    uniqueids=yes
conn %default
    #rightrsasigkey=%cert
    #leftrsasigkey=%cert
    keyingtries=0
    disablearrivalcheck=no
conn salsa2tango
    right=192.168.2.83
    rightsubnet=192.168.100.0/255.255.255.0
    #rightnexthop=%defaultroute
    left=192.168.2.90
    leftsubnet=192.168.200.0/255.255.255.0
    #leftnexthop=192.168.200.2
    ikelifetime=1h
    keylife=8h
    #dpddelay=30
    #dpdtimeout=120
    #dpdaction=clear
    pfs=yes
    authby=secret
    auto=add
Code:
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    interfaces="ipsec0=eth0"
    klipsdebug=all
    plutodebug=all
    uniqueids=yes
    nat_traversal=yes
conn %default
    #rightrsasigkey=%cert
    #leftrsasigkey=%cert
    keyingtries=0
    disablearrivalcheck=no
conn tango2salsa
    right=192.168.2.83
    rightsubnet=192.168.100.0/255.255.255.0
    #rightnexthop=%defaultroute
    left=192.168.2.90
    leftsubnet=192.168.200.0/255.255.255.0
    #leftnexthop=%defaultroute
    ikelifetime=1h
    keylife=8h
    #dpddelay=30
    #dpdtimeout=120
    #dpdaction=clear
    pfs=yes
    authby=secret
    auto=add
Code:
%any %any : PSK "xxxxxxxx"
Code:
tango:~# /etc/init.d/ipsec restart
ipsec_setup: Stopping FreeS/WAN IPsec...
ipsec_setup: Starting FreeS/WAN IPsec 2.04...
tango:~# tail -f /var/log/syslog
Sep 28 17:15:38 tango ipsec_setup: Stopping FreeS/WAN IPsec...
Sep 28 17:15:39 tango ipsec_setup: ...FreeS/WAN IPsec stopped
Sep 28 17:15:39 tango ipsec_setup: Starting FreeS/WAN IPsec 2.04...
Sep 28 17:15:40 tango ipsec_setup: KLIPS ipsec0 on eth0 192.168.2.83/255.255.255.0 broadcast 192.168.2.255
Sep 28 17:15:40 tango ipsec_setup: ...FreeS/WAN IPsec started
Sep 28 17:15:41 tango ipsec__plutorun: ipsec_auto: fatal error in "packetdefault": %defaultroute requested but not known
Sep 28 17:15:41 tango ipsec__plutorun: ipsec_auto: fatal error in "block": %defaultroute requested but not known
Sep 28 17:15:41 tango ipsec__plutorun: ipsec_auto: fatal error in "clear-or-private": %defaultroute requested but not known
Sep 28 17:15:41 tango ipsec__plutorun: ipsec_auto: fatal error in "clear": %defaultroute requested but not known
Sep 28 17:15:42 tango ipsec__plutorun: ipsec_auto: fatal error in "private-or-clear": %defaultroute requested but not known
Sep 28 17:15:42 tango ipsec__plutorun: ipsec_auto: fatal error in "private": %defaultroute requested but not known
Sep 28 17:15:42 tango ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) not supported by kernel -- NAT-T disabled
Sep 28 17:15:42 tango ipsec__plutorun: 021 no connection named "packetdefault"
Sep 28 17:15:42 tango ipsec__plutorun: ...could not route conn "packetdefault"
Sep 28 17:15:42 tango ipsec__plutorun: 021 no connection named "block"
Sep 28 17:15:42 tango ipsec__plutorun: ...could not route conn "block"
Sep 28 17:15:42 tango ipsec__plutorun: 021 no connection named "clear-or-private"
Sep 28 17:15:42 tango ipsec__plutorun: ...could not route conn "clear-or-private"
Sep 28 17:15:42 tango ipsec__plutorun: 021 no connection named "clear"
Sep 28 17:15:42 tango ipsec__plutorun: ...could not route conn "clear"
Sep 28 17:15:43 tango ipsec__plutorun: 021 no connection named "private-or-clear"
Sep 28 17:15:43 tango ipsec__plutorun: ...could not route conn "private-or-clear"
Sep 28 17:15:43 tango ipsec__plutorun: 021 no connection named "private"
Sep 28 17:15:43 tango ipsec__plutorun: ...could not route conn "private"
tango:~#
An attempt using ipsec auto --up tango2salsa gives this:
Code:
tango:~# ipsec auto --up tango2salsa
104 "tango2salsa" #1: STATE_MAIN_I1: initiate
010 "tango2salsa" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "tango2salsa" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
What could be the source of the error in this setup?
Regards
Torsten
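
A consistency check for the two conn sections posted above, as an added example that is not part of the original post: it parses both ipsec.conf fragments and confirms they describe the same tunnel, treating left/right as interchangeable and normalising netmask notation. The function names and the choice of authby and pfs as must-match keys are assumptions of this example; `%default` inheritance is not applied.

```python
import ipaddress

# Constructed input: the conn section from the post, re-indented as ipsec.conf
# requires (the forum copy lost the leading whitespace). Both hosts posted the
# same values; only the conn name differs.
SALSA = """\
conn salsa2tango
    right=192.168.2.83
    rightsubnet=192.168.100.0/255.255.255.0
    #rightnexthop=%defaultroute
    left=192.168.2.90
    leftsubnet=192.168.200.0/255.255.255.0
    pfs=yes
    authby=secret
    auto=add
"""
TANGO = SALSA.replace("salsa2tango", "tango2salsa")

def parse_conns(text):
    """Return {conn name: {key: value}}, ignoring comments and non-conn sections."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # an unindented line starts a new section
            words = line.split()
            is_conn = words[0] == "conn" and len(words) == 2
            current = conns.setdefault(words[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def tunnel_ends(conn):
    """Order-independent view of a conn: left and right may be swapped per host."""
    def end(side):
        net = conn.get(side + "subnet")
        return (conn.get(side), ipaddress.ip_network(net) if net else None)
    return frozenset({end("left"), end("right")})

def compare_ends(a, b, must_match=("authby", "pfs")):
    """Return a list of differences between two descriptions of one tunnel."""
    problems = []
    if tunnel_ends(a) != tunnel_ends(b):
        problems.append("endpoints or subnets differ")
    problems += [f"{k}: {a.get(k)} != {b.get(k)}" for k in must_match
                 if a.get(k) != b.get(k)]
    return problems
```

An empty list from `compare_ends` means the two ends agree on gateways, subnets, authby and pfs.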