rosewood's Journal: Need some damn help!

Freeswan 1.97 + SSH Sentinal 1.3.2 - Shared Secret VPN

I have been trying to get freeswan working all week and seem to have failed miserably

I am running Redhat linux 7.3 w/ kernel 2.4.18-3ipsec (from steambaloon)

I installed all the kernel RPMs from steambaloon and am running that kernel

I also installed all the 'userland' rpms from steambaloon which are for freeswan 1.97

IPSec runs sucsessfully at startup or if I /etc/rc.d/init.d/ipsec start.

The connection on the linux box is a cable modem connection with a static IP address assigned via DHCP. The IP address for eth0 is 65.27.126.190, the subnet mask is 255.255.255.248, the first hop on the network is 10.34.128.1, the default gatway is 65.27.120.1. eth1 has an ip addy of 10.0.0.1, subnet mask 255.255.255.0, and has DHCPd running assigning IP addresses in range of 10.0.0.100/200. IP Forwarding does work using iptables. My firescript looks like this: #!/bin/sh

IPTABLES="/sbin/iptables"

#Time to clean house

#Clear out any existing firewall rules, and any chains that might have #been created $IPTABLES -F $IPTABLES -F INPUT $IPTABLES -F OUTPUT $IPTABLES -F FORWARD $IPTABLES -F -t mangle $IPTABLES -F -t nat $IPTABLES -X

#Setup our policies
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

#This enables ip forwarding, and thus by extension, NAT
#Turn this on if you're going to be doing NAT or Masquerading echo 1 > /proc/sys/net/ipv4/ip_forward

#Source NAT everything heading out the eth0 (external) interface to be the #given IP. If you have a dynamic ip or a DHCP ip that changes #semi-regularly, comment this and uncomment the second line # #Remember to change the ip address to your static ip # #$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4

$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#Accept ourselves (loopback interface), 'cause we're all warm and friendly $IPTABLES -A INPUT -i lo -j ACCEPT $IPTABLES -A INPUT -i eth1 -j ACCEPT

The windows box is running ssh sentinal and has a dynamic IP addy assigned via DHCP

I am wanting to use shared secret so I can just get this up and running, once running I plan to switch to certs.

My /etc/ipsec.secrets file:

# In the following, the authentication key to be used between the # FreeS/WAN security gateway (65.27.126.190) and the remote # host with SSH Sentinel is not defined. In this case, it is # a pre-shared key (PSK), the actual secret being "justatest". 65.27.126.190 %any: PSK "justatest"

My /etc/ipsec.conf file looks like this:

# basic configuration
config setup
                # THIS SETTING MUST BE CORRECT or almost nothing will work;
                # %defaultroute is okay for most simple cases.
                interfaces="ipsec0=eth0"
                # Debug-logging controls: "none" for (almost) none, "all" for lots.
                klipsdebug=none
                plutodebug=none
                # Use auto= parameters in conn descriptions to control startup actions.
                plutoload=%search
                plutostart=%search
                # Close down old connection when new one using same ID shows up.
                uniqueids=yes
conn %default
                keyingtries=1
                authby=secret

conn vpn
                type=tunnel
                left=65.27.126.190
                leftnexthop=10.34.128.1
                leftsubnet=10.0.0.1/24
                right=%any
                #rightnexthop=10.34.128.1
                keyexchange=ike
                ikelifetime=240m
                keylife=60m
                pfs=yes
                compress=no
                authby=secret
                auto=add

What should the value of 'leftsubnet' be? What about leftnexthop? I assumed leftnexthop is the first hop on any tracert the left box goes through?

Ive gone through http://www.ssh.com/products/sentinel/SSH-Sentinel-Examples.pdf (namely 1.1)

The only other thing I have done is ipsec auto --add vpn . I have not passed any other commands to ipsec

My netstat -a looks like this while ssh sentinal is trying to connect

[root@dhcp-306-102 etc]# netstat --listening
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:1024 *:* LISTEN
tcp 0 0 localhost.localdom:1025 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost.localdom:smtp *:* LISTEN
udp 0 0 *:1024 *:*
udp 0 0 *:bootps *:*
udp 65216 0 *:bootpc *:*
udp 0 0 *:sunrpc *:*
udp 0 0 wks-65-27-126-19:isakmp *:*
raw 0 0 *:icmp *:* 7
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 1795 /tmp/.font-unix/fs7100
unix 2 [ ACC ] STREAM LISTENING 1724 /dev/gpmctl
unix 2 [ ACC ] STREAM LISTENING 7046 /var/run/pluto.ctl

The error from SSH Sentinal is Cannot open the VPN connection. Confirm your network settings and verify that Policy manager is running.

My local network is eth1 (10.0.0.x) ip forwarding from boxes that have 10.0.0.1 set as their default gateway works. Do I need to do something different so connections from eth0 can talk to eth1?

ONCE when I changed the conf to specified IP addresses, I did ipsec auto --up vpn and I was able to establish a connection but the message I saw on the terminal read that it was expecting the right ip addy I specified, but the client was saying it was 0.0.0.0. My chosen network was "any" 0.0.0.0 in Sentinal, so I added one that had my ip address specs and I havent been able to get back to there since

please help the n00b

I tried the command " /usr/sbin/ipsec auto --up vpn" and then tried to connect with SSH Sentinal 1.3.2 and this is what I got on my console:

104 "vpn" #1: STATE_MAIN_I1: initiate
010 "vpn" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "vpn" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
003 "vpn" #1: ignoring Vendor ID payload
106 "vpn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "vpn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "vpn" #1: we require peer to have ID '65.27.126.155', but peer declares '0.0.0.0'
218 "vpn" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
010 "vpn" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "vpn" #1: we require peer to have ID '65.27.126.155', but peer declares '0.0.0.0'
218 "vpn" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
010 "vpn" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "vpn" #1: we require peer to have ID '65.27.126.155', but peer declares '0.0.0.0'
218 "vpn" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
031 "vpn" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message

I see in SSH Sentinal that my network is set to "any" which is 0.0.0.0 - what should that be set to? When I set it to my IP Info I dont get ANYTHING