Koozali.org: home of the SME Server

Site to Site VPN (PPTP/IPSec)

ztasevski

Site to Site VPN (PPTP/IPSec)
« on: September 06, 2004, 07:18:40 AM »
Hi,

Has anyone successfully set up site to site VPN on SME6?

I found a howto but it specifies that it only works on sme 5.x.

Thanks in advance !

Offline ldkeen

Site to Site VPN (PPTP/IPSec)
« Reply #1 on: September 06, 2004, 12:52:08 PM »
http://forums.contribs.org/index.php?topic=8658.msg32470#msg32470
I've had a tunnel running between Sydney & Brisbane for over 6 months now and it hasn't missed a beat. Should work OK with 6.0.1-01
Lloyd

ztasevski

Site to Site VPN (PPTP/IPSec)
« Reply #2 on: September 07, 2004, 01:45:32 AM »
Hi Lloyd,

Looks very promising !

Where are the ipsec settings for the tunnel stored? That forum entry only shows how to set it up!

Zoran

Offline ldkeen

Site to Site VPN (PPTP/IPSec)
« Reply #3 on: September 07, 2004, 02:07:07 AM »
Hi Zoran,
The dev-info-freeswan rpm installs a server manager panel and you configure the tunnel from there.
Lloyd

ztasevski

Site to Site VPN (PPTP/IPSec)
« Reply #4 on: September 07, 2004, 02:16:20 AM »
Hi Lloyd,

Great ! The way it should be...

I will try out your setup early next week, as Optus has to sort itself out and get a DSL connection on this one site. It's taken them over 2 months.

I'll keep yourself and the forum posted on the progress!

Thanks once again Lloyd..

Offline ldkeen

Site to Site VPN (PPTP/IPSec)
« Reply #5 on: September 07, 2004, 05:38:02 AM »
I'm gunna test it out with another site up here, both running 6.0.1-01, today or tomorrow. I'll report back.
lloyd

ztasevski

Site to Site VPN (PPTP/IPSec)
« Reply #6 on: September 07, 2004, 11:05:21 AM »
Please do !

Offline ldkeen

Site to Site VPN (PPTP/IPSec)
« Reply #7 on: September 08, 2004, 01:55:10 AM »
Hey Zoran,
Great news - it works like a dream. Just managed to bring up a tunnel between two SME6.0.1 boxes:

Sep  8 09:06:31 ice ipsec__plutorun: 104 "net.local-net.192.168.10.0" #1: STATE_MAIN_I1: initiate
Sep  8 09:06:31 ice ipsec__plutorun: 106 "net.local-net.192.168.10.0" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Sep  8 09:06:31 ice ipsec__plutorun: 108 "net.local-net.192.168.10.0" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Sep  8 09:06:31 ice ipsec__plutorun: 004 "net.local-net.192.168.10.0" #1: STATE_MAIN_I4: ISAKMP SA established
Sep  8 09:06:31 ice ipsec__plutorun: 112 "net.local-net.192.168.10.0" #2: STATE_QUICK_I1: initiate
Sep  8 09:06:31 ice ipsec__plutorun: 004 "net.local-net.192.168.10.0" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
Sep  8 09:06:31 ice ipsec__plutorun: 112 "gate.local-net.192.168.10.0" #3: STATE_QUICK_I1: initiate
Sep  8 09:06:31 ice ipsec__plutorun: 004 "gate.local-net.192.168.10.0" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
Sep  8 09:06:32 ice ipsec__plutorun: 112 "gate.local-gate.192.168.10.0" #4: STATE_QUICK_I1: initiate
Sep  8 09:06:32 ice ipsec__plutorun: 004 "gate.local-gate.192.168.10.0" #4: STATE_QUICK_I2: sent QI2, IPsec SA established
Sep  8 09:06:32 ice ipsec__plutorun: 112 "net.local-gate.192.168.10.0" #5: STATE_QUICK_I1: initiate
Sep  8 09:06:32 ice ipsec__plutorun: 004 "net.local-gate.192.168.10.0" #5: STATE_QUICK_I2: sent QI2, IPsec SA established


Welcome to SME Server 6.0.1-01
[root@ice root]# ping 192.168.163.1
PING 192.168.163.1 (192.168.163.1) from 192.168.163.1 : 56(84) bytes of data.
64 bytes from 192.168.163.1: icmp_seq=1 ttl=64 time=0.132 ms
64 bytes from 192.168.163.1: icmp_seq=2 ttl=64 time=0.125 ms

--- 192.168.163.1 ping statistics ---
2 packets transmitted, 2 received, 0% loss, time 999ms
rtt min/avg/max/mdev = 0.125/0.128/0.132/0.011 ms

[root@ice root]# ping 192.168.163.66
PING 192.168.163.66 (192.168.163.66) from 192.168.163.1 : 56(84) bytes of data.
64 bytes from 192.168.163.66: icmp_seq=1 ttl=60 time=4.45 ms
64 bytes from 192.168.163.66: icmp_seq=2 ttl=60 time=2.33 ms
64 bytes from 192.168.163.66: icmp_seq=3 ttl=60 time=2.33 ms

--- 192.168.163.66 ping statistics ---
3 packets transmitted, 3 received, 0% loss, time 2016ms
rtt min/avg/max/mdev = 2.331/3.040/4.457/1.003 ms

[root@ice root]# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1) from 203.213.xxx.xxx : 56(84) bytes of data.
64 bytes from 192.168.10.1: icmp_seq=1 ttl=64 time=44.4 ms
64 bytes from 192.168.10.1: icmp_seq=2 ttl=64 time=45.7 ms
64 bytes from 192.168.10.1: icmp_seq=3 ttl=64 time=47.2 ms

--- 192.168.10.1 ping statistics ---
3 packets transmitted, 3 received, 0% loss, time 2021ms
rtt min/avg/max/mdev = 44.419/45.796/47.234/1.163 ms

[root@ice root]# ping 192.168.10.67
PING 192.168.10.67 (192.168.10.67) from 203.213.xxx.xxx : 56(84) bytes of data.
64 bytes from 192.168.10.67: icmp_seq=1 ttl=127 time=46.0 ms
64 bytes from 192.168.10.67: icmp_seq=2 ttl=127 time=82.3 ms
64 bytes from 192.168.10.67: icmp_seq=3 ttl=127 time=113 ms

--- 192.168.10.67 ping statistics ---
3 packets transmitted, 3 received, 0% loss, time 2017ms
rtt min/avg/max/mdev = 46.021/80.482/113.098/27.417 ms

Just a couple of gotchas to watch out for. Here is a very rough howto:

Download all three rpms from www.comnetel.com/ipsec and put them in a temp directory.
Install the freeswan rpms first:
# rpm -Uvh freeswan*
Now install the dev-info rpm using --nodeps:
# rpm -Uvh --nodeps devinfo-freeswan-1.99-8sme56.noarch.rpm
Run the following command:
# /sbin/e-smith/signal-event ipsec-install
Now go into the server-manager and modify the local networks panel and add the info for the remote:
Network address is the remote server's lan IP
Subnet address is the remote server's subnet
Router is the local lan address
Next go into the vitualprivatenetworks panel located at the bottom of the server-manager and "add an ipsec vpn". Most of the stuff in there is self explanatory. After doing this at both sites and providing all the keys are correct you should have your tunnel up and going. I had a problem with the rsa keys and when I tried to bring the tunnel up at the remote it froze me out but I was able to shell in to the remote from a third party and shut down ipsec. Let me know how you go.
Regards Lloyd

ztasevski

Site to Site VPN (PPTP/IPSec)
« Reply #8 on: September 08, 2004, 03:10:33 AM »
Nice one Lloyd,

That looks very good !

As soon as the DSL connection is up I will give it a shot straightaway and let you know of the progress. I might give the interface a shot shortly to get familiar with it. I presume as soon as the tunnel is up there should be no probs doing Win2K AD syncs (in place before I got in)?

Offline ldkeen

Site to Site VPN (PPTP/IPSec)
« Reply #9 on: September 08, 2004, 03:40:32 AM »
Quote
I presume as soon as the tunnel is up there should be no probs doing Win2K AD syncs (in place before I got in)?

I don't think so. As long as you have added the remote network in the "local networks" panel then for all intents and purposes they should appear as one and the same network.

Just make sure that you are well prepared prior to setting it up, in that you have access to a third party shell so you can stop ipsec on the remote if something goes wrong. It's also best if you give yourself remote access to the remote site's server manager; that way you can set it all up from the one PC. You can e-mail me off list if you have any probs.
Regards Lloyd

ztasevski

Re: Site to Site VPN (PPTP/IPSec)
« Reply #10 on: September 08, 2004, 03:50:21 AM »
Quote
I dont think so.

Did you mean I think so...

You don't have your email in your profile...I have just enabled mine through my profile...email me and i'll disable so i don't get spammed..

mbachmann

Site to Site VPN (PPTP/IPSec)
« Reply #11 on: September 08, 2004, 02:38:31 PM »
Hey, we also want to know how it is going on.

ztasevski

Site to Site VPN (PPTP/IPSec)
« Reply #12 on: September 09, 2004, 04:51:51 AM »
Should have something early next week...waiting on ISP to setup DSL connection still !

Offline Ness

Site to Site VPN (PPTP/IPSec)
« Reply #13 on: September 16, 2004, 06:28:19 PM »
I'm not spotting something here... is this simply site to site or are there complications on multi-site networks.

In partic, I'd like info or setup docs for both star and meshed topology for say a 5 node network.

Have I missed something folk?

Cheers

Chris
Chris Elliott - SME Server user and helper

Offline ldkeen

Site to Site VPN (PPTP/IPSec)
« Reply #14 on: September 19, 2004, 11:05:15 AM »
Chris,
I have successfully brought up two consecutive tunnels and haven't had any problems with them. If two work then I couldn't see any problems with 5 tunnels in a star topology, but meshed may be pushing the envelope a bit (not saying it can't work - just never tested it).
Lloyd

ztasevski

Site to Site VPN (PPTP/IPSec)
« Reply #15 on: November 12, 2004, 06:49:44 AM »
hi,

8 tunnels to date and they all work like a charm !

cydonia

Site to Site VPN (PPTP/IPSec)
« Reply #16 on: November 14, 2004, 04:43:48 PM »
To those who have successfully setup ipsec vpn on 6+ sme, do you have static ips?

I tried doing this between mine and a friend's house but we both had dynamic IPs, and my friend wasn't too technically minded, so I had to guide him, whilst learning myself.

I never got it to work but believe I was close.

Has anyone done this successfully using dynamic ips?

Offline ldkeen

Site to Site VPN (PPTP/IPSec)
« Reply #17 on: November 15, 2004, 03:09:54 AM »
All of my setups have been static > static.

ztasevski

Site to Site VPN (PPTP/IPSec)
« Reply #18 on: November 15, 2004, 03:54:54 AM »
likewise...all of mine static -> static

although today I am doing a Telstra dynamic to Optus static, but for the life of me I cannot get it up. Any ideas?

BigPond says it's set up in bridged mode but still no go.

snip:
--------------------------------------------------
Nov  15 01:58:34 fw-gb ipsec_setup: Stopping FreeS/WAN IPsec...
Nov  15 01:58:34 fw-gb ipsec__plutorun: 104 "net.local-gate.192.168.1.0" #1: STATE_MAIN_I1: initiate
Nov  15 01:58:34 fw-gb ipsec__plutorun: 010 "net.local-gate.192.168.1.0" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
Nov  15 01:58:34 fw-gb ipsec__plutorun: 010 "net.local-gate.192.168.1.0" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
Nov  15 01:58:34 fw-gb last message repeated 3 times
Nov  15 01:58:34 fw-gb ipsec__plutorun: ...could not start conn "net.local-gate.192.168.1.0"
Nov  15 01:58:34 fw-gb ipsec__plutorun: whack: read() failed (104 Connection reset by peer)
Nov  15 01:58:34 fw-gb ipsec__plutorun: ...could not start conn "gate.local-gate.192.168.1.0"
Nov  15 01:58:34 fw-gb ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto.ctl")
Nov  15 01:58:34 fw-gb ipsec__plutorun: ...could not start conn "net.local-net.192.168.1.0"
Nov  15 01:58:34 fw-gb ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto.ctl")
Nov  15 01:58:34 fw-gb ipsec__plutorun: ...could not start conn "gate.local-net.192.168.1.0"
Nov  15 01:58:35 fw-gb kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.
Nov  15 01:58:35 fw-gb kernel: divert: no divert_blk to free, ipsec0 not ethernet
Nov  15 01:58:35 fw-gb kernel: divert: no divert_blk to free, ipsec1 not ethernet
Nov  15 01:58:35 fw-gb kernel: divert: no divert_blk to free, ipsec2 not ethernet
Nov  15 01:58:35 fw-gb /etc/hotplug/net.agent: NET unregister event not supported
Nov  15 01:58:35 fw-gb kernel: divert: no divert_blk to free, ipsec3 not ethernet
Nov  15 01:58:35 fw-gb kernel: klips_info:pfkey_cleanup: shutting down PF_KEY domain sockets.
Nov  15 01:58:35 fw-gb kernel: klips_info:cleanup_module: ipsec module unloaded.
Nov  15 01:58:35 fw-gb ipsec_setup: ...FreeS/WAN IPsec stopped
Nov  15 01:58:52 fw-gb ipsec_setup: Starting FreeS/WAN IPsec 1.99...
Nov  15 01:58:52 fw-gb ipsec_setup: Using /lib/modules/2.4.20-18.7/kernel/net/ipsec/ipsec.o
Nov  15 01:58:52 fw-gb kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.99
Nov  15 01:58:52 fw-gb kernel: divert: not allocating divert_blk for non-ethernet device ipsec0
Nov  15 01:58:52 fw-gb kernel: divert: not allocating divert_blk for non-ethernet device ipsec1
Nov  15 01:58:52 fw-gb kernel: divert: not allocating divert_blk for non-ethernet device ipsec2
Nov  15 01:58:52 fw-gb kernel: divert: not allocating divert_blk for non-ethernet device ipsec3
Nov  15 01:58:35 fw-gb last message repeated 3 times
Nov  15 01:58:52 fw-gb /etc/hotplug/net.agent: invoke ifup ipsec0
Nov  15 01:58:52 fw-gb ipsec_setup: KLIPS debug none'
Nov  15 01:58:52 fw-gb /etc/hotplug/net.agent: invoke ifup ipsec1
Nov  15 01:58:52 fw-gb /etc/hotplug/net.agent: invoke ifup ipsec2
Nov  15 01:58:52 fw-gb ipsec_setup: KLIPS ipsec0 on ppp0 138.217.138.225/255.255.255.255 pointopoint 172.31.151.24
Nov  15 01:58:52 fw-gb /etc/hotplug/net.agent: invoke ifup ipsec3
Nov  15 01:58:52 fw-gb ipsec_setup: ...FreeS/WAN IPsec started
--------------------------------------------------

ideas ?????????
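
The two pluto logs posted in this thread (the working tunnel in Reply #7 and the failing one in Reply #18) can be told apart mechanically. This is an added example, not part of any post: it classifies each connection from syslog lines in the format shown above, and the sample lines are constructed, modelled on those logs. A connection that never leaves STATE_MAIN_I1 and only retransmits has had no answer to its first IKE packet, which points at the peer address or at UDP 500 being blocked rather than at the keys.

```shell
#!/bin/sh
# Added example, not from the thread: classify FreeS/WAN connections from
# pluto syslog lines. Function names and sample lines are constructed.

# pluto_summary: syslog lines on stdin -> one "<conn> <verdict>" line per
# connection, in order of first appearance.
pluto_summary() {
    awk '
    # Only negotiation lines and "could not start" lines name a connection;
    # whack errors quote a file path instead and are skipped.
    /ipsec__plutorun:/ && (/" #[0-9]+: STATE_/ || /could not start conn "/) {
        split($0, q, "\"")              # q[2] is the connection name
        c = q[2]
        if (!(c in seen)) { seen[c] = 1; order[++n] = c }
        if ($0 ~ /IPsec SA established/)               ipsec[c] = 1
        else if ($0 ~ /ISAKMP SA established/)         isakmp[c] = 1
        else if ($0 ~ /STATE_MAIN_I1: retransmission/) retry[c]++
        else if ($0 ~ /could not start conn/)          failed[c] = 1
    }
    END {
        for (i = 1; i <= n; i++) {
            c = order[i]
            if (ipsec[c])       v = "up"                  # phase 2 done
            else if (isakmp[c]) v = "phase1-only"         # IKE SA but no IPsec SA
            else if (retry[c])  v = "no-reply-from-peer"  # first IKE packet unanswered
            else if (failed[c]) v = "not-started"
            else                v = "negotiating"
            print c, v
        }
    }'
}

# Constructed sample: a tunnel that comes up.
sample_ok_log() {
    cat <<'EOF'
Sep  8 09:06:31 ice ipsec__plutorun: 104 "net.local-net.192.168.10.0" #1: STATE_MAIN_I1: initiate
Sep  8 09:06:31 ice ipsec__plutorun: 004 "net.local-net.192.168.10.0" #1: STATE_MAIN_I4: ISAKMP SA established
Sep  8 09:06:31 ice ipsec__plutorun: 004 "net.local-net.192.168.10.0" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
Sep  8 09:06:31 ice ipsec__plutorun: 112 "gate.local-net.192.168.10.0" #3: STATE_QUICK_I1: initiate
EOF
}

# Constructed sample: the peer never answers.
sample_fail_log() {
    cat <<'EOF'
Nov 15 01:58:34 fw-gb ipsec__plutorun: 104 "net.local-gate.192.168.1.0" #1: STATE_MAIN_I1: initiate
Nov 15 01:58:34 fw-gb ipsec__plutorun: 010 "net.local-gate.192.168.1.0" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
Nov 15 01:58:34 fw-gb ipsec__plutorun: ...could not start conn "net.local-gate.192.168.1.0"
Nov 15 01:58:34 fw-gb ipsec__plutorun: whack: Pluto is not running (no "/var/run/pluto.ctl")
Nov 15 01:58:34 fw-gb ipsec__plutorun: ...could not start conn "gate.local-gate.192.168.1.0"
EOF
}

sample_ok_log | pluto_summary
sample_fail_log | pluto_summary
```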

cydonia

Site to Site VPN (PPTP/IPSec)
« Reply #19 on: November 15, 2004, 06:45:02 AM »
Quote from: "ztasevski"
All of my setups have been static > static.


Quote from: "ldkeen"
likewise...all of mine static -> static


Oh well, I can always have my pptp vpn... but it's just not the same...:(

Offline smitti

YES! It's finally working!
« Reply #20 on: November 29, 2004, 08:35:01 PM »
Somehow I didn't get it working.
But I found out that the keys I copied into the server panel (sent by e-mail) were somehow corrupt.

Pasted in the right keys and it came up straight away.

Thanks to everyone here!

Peter

pjones

ipsec vpn - site to site
« Reply #21 on: January 20, 2005, 03:58:43 AM »
Thanks Lloyd,
Tested your (how to) out on two of my smeserver-6[1].01-01custom and it's working GREAT !!!!
Thank you for sharing this know how.

Both servers are on cable modems with dynamic IPs, working fine with dyndns.org.

Anyone know how to add this to the startup cron job so the tunnels will start with the server? The only trouble I am having is a poor ISP on the remote site; I need to add a check to the tunnels to restart if it is down.

Note if you do a :
cd /root
/sbin/e-smith/signal-event post-upgrade
/sbin/e-smith/signal-event reboot

This will load the IPSEC VPN under the Security tab, did this on both of my servers. ;-)

bluefire

Re: Site to Site VPN (PPTP/IPSec)
« Reply #22 on: February 06, 2005, 11:58:47 AM »
Quote from: "ldkeen"

Just a couple of gotchas to watch out for. Here is a very rough howto:

Download all three rpms from www.comnetel.com/ipsec and put them in a temp directory.
Install the freeswan rpms first:
# rpm -Uvh freeswan*
Now install the dev-info rpm using --nodeps:
# rpm -Uvh --nodeps devinfo-freeswan-1.99-8sme56.noarch.rpm
Run the following command:
# /sbin/e-smith/signal-event ipsec-install
Now go into the server-manager and modify the local networks panel and add the info for the remote:
Network address is the remote server's lan IP
Subnet address is the remote server's subnet
Router is the local lan address
Next go into the vitualprivatenetworks panel located at the bottom of the server-manager and "add an ipsec vpn". Most of the stuff in there is self explanatory. After doing this at both sites and providing all the keys are correct you should have your tunnel up and going. I had a problem with the rsa keys and when I tried to bring the tunnel up at the remote it froze me out but I was able to shell in to the remote from a third party and shut down ipsec. Let me know how you go.
Regards Lloyd


Hi!

I did exactly what you explained to do but when I try to add an IPsec VPN I get this :

"Error: network 192.168.2.0 (derived from IP address 192.168.2.1 and subnet mask 255.255.255.0) has already been added. Did not add new network."

I did try to add that particular network but something went wrong so I reinstalled the server and I actually didn't expect it to be stored in the backup file I made right before the reinstall. Apparently it did so now's the big question - how do I either remove it from the system so I can add it the right way or otherwise get it back on the list??

Rgds,

Offline brianr

Site to Site VPN (PPTP/IPSec)
« Reply #23 on: February 07, 2005, 05:56:15 PM »
Am trying to find the howto and the rpms for Freeswan on 6.0.1 - can someone point me in the right direction?
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.
.........

Offline crazybob

Site to Site VPN (PPTP/IPSec)
« Reply #24 on: February 12, 2005, 07:03:47 AM »
I am going to try this between 2 SME 6.0.1 boxes. One end has a static IP, but one has a dynamic IP (PPPoE DSL). Any heads up on what to watch for?

Thanks

Bob
If you think you know whats going on, you obviously have no idea whats going on!

Offline brianr

Site to Site VPN (PPTP/IPSec)
« Reply #25 on: February 12, 2005, 11:11:02 AM »
I have just tried this between 2 6.0.1 boxes (one of them updated using the update script from here), and the link was not very reliable, and seemed to stop PPTP VPN working, and also SMTP as well on the non updated end (wasn't able to check the other one)

I am now setting up a test bed to investigate more fully, but I'd be glad of any thoughts.
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.
.........

Michael_R

Site to Site VPN (PPTP/IPSec)
« Reply #26 on: February 13, 2005, 01:44:43 PM »
hi,
I've installed two SME 6.0.1-1 boxes with these packages
http://www.comnetel.com/ipsec
with dynamic IPs on both sides.
I'm using two accounts from dyndns.org and it works OK.
You have to create some cronjobs to disconnect the inet connection at night and restart ipsec after this on BOTH sides, but then you've got a reliable connection all through the day.
In my environment it isn't important to have a stable connection at night .. so this is OK for me ..

Offline crazybob

Site to Site VPN (PPTP/IPSec)
« Reply #27 on: February 13, 2005, 02:16:29 PM »
Can you give an example of the cron jobs you use?

Thanks

Bob
If you think you know whats going on, you obviously have no idea whats going on!

Michael_R

Site to Site VPN (PPTP/IPSec)
« Reply #28 on: February 13, 2005, 04:50:21 PM »
I've defined 3 cronjobs on every machine:
You have to restart the inet connection 2 times at night because the time of your 24-hour disconnection isn't always exactly the same.
Then you need an ipsec restart on every machine.
I chose the time of this 1 hour after the pppoe restart because the dyndns services aren't so fast sometimes.
I've not tried a shorter time .. so it works.

Here are the cronjobs which I've created in the folder /etc/cron.d/

1. First restart of inet-connection:
Code: [Select]
0    3   *    *   *  root /etc/rc.d/init.d/pppoe restart


2. Second restart of inet-connection
Code: [Select]
0    5   *    *   *  root /etc/rc.d/init.d/pppoe restart

3. restart of ipsec:
Code: [Select]
0    6   *    *   *  root /etc/rc.d/init.d/ipsec restart



With this configuration my connection from office to office has worked OK for about 3 weeks.
The delays between the restarts are very big to be on the safe side.

Michael

Offline crazybob

Site to Site VPN (PPTP/IPSec)
« Reply #29 on: February 13, 2005, 05:17:05 PM »
Michael, thanks for the info. I will be trying it later this week. I am going to try to get a static IP for the box that is on PPPoE, but now I know I can make this work.

Bob
If you think you know whats going on, you obviously have no idea whats going on!

Offline Shilotsugu

Site to Site VPN (PPTP/IPSec)
« Reply #30 on: February 15, 2005, 06:29:52 AM »
This is a subject that has been giving me headaches since I first started playing with SME two years ago. I have two 6.0.1 boxes with ADSL dynamic IPs using dyndns.org on both sides, with the following setup:

server name: jack
host address: office.dyndns.org
DNS server: 192.168.11.1
internal ip: 192.168.11.1
internal subnet mask: 255.255.255.0
external ip: 202.8.aaa.bbb
encryption key: blah-blah-one

server name: jill
host address: apartment.dyndns.org
DNS server: 192.168.7.1
internal ip: 192.168.7.1
internal subnet mask: 255.255.255.0
external ip: 202.8.xxx.yyy
encryption key: blah-blah-two


IPSEC VPN:
jack
Remote id: apartment.dyndns.org
Remote Host: apartment.dyndns.org
remote internal ip: 192.168.7.1

jill
Remote id: office.dyndns.org
Remote Host: office.dyndns.org
remote internal ip: 192.168.11.1
WINS Client

I set up local networks for each, but the best eroute I have seen yet was:

[root@jack root]# ipsec eroute
0  192.168.11.0/24  -> 192.168.7.0/24     => %trap
0  192.168.11.0/24  -> 202.8.aaa.bbb/32   => %trap
0  202.8.xxx.yyy/32 -> 192.168.7.0/24     => %tun0x@...
0  202.8.xxx.yyy/32 -> 192.168.aaa.bbb/24 => %tun0x@...

Looks like the servers are talking, but not the networks behind them. After mistakenly thinking a reboot would be helpful, eroute has changed to this:

[root@jack root]# ipsec eroute
0  192.168.11.0/24  -> 192.168.7.0/24     => %trap
7  192.168.11.0/24  -> 202.8.aaa.bbb/32   => %hold
0  202.8.xxx.yyy/32 -> 192.168.7.0/24     => %trap
0  202.8.xxx.yyy/32 -> 202.8.aaa.bbb/24   => %trap

What am I doing wrong?
.........
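
The `ipsec eroute` tables above also answer the earlier request for a check that restarts a tunnel when it is down, as an alternative to restarting on a fixed schedule. This is an added example, not part of any post: it reads the LAN-to-LAN eroute and restarts ipsec only after several consecutive checks without a tunnel entry. The subnets, addresses, state-file path and threshold are constructed placeholders; the restart command is the one used in the cron jobs earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, sample addresses,
# the state-file path and the threshold are constructed placeholders.

# eroute_state SRC DST: read `ipsec eroute` output on stdin and print the
# state of the SRC -> DST policy: tunnel | trap | hold | other | missing.
eroute_state() {
    awk -v src="$1" -v dst="$2" '
        $2 == src && $3 == "->" && $4 == dst {
            if ($6 ~ /^%?tun0x/)    s = "tunnel"  # SA installed, traffic is tunnelled
            else if ($6 == "%trap") s = "trap"    # no SA yet, traffic will trigger negotiation
            else if ($6 == "%hold") s = "hold"    # negotiation pending, packets held
            else                    s = "other"
        }
        END { print (s == "" ? "missing" : s) }'
}

# next_failcount STATE COUNT: updated number of consecutive bad checks.
next_failcount() {
    if [ "$1" = "tunnel" ]; then echo 0; else echo $(( $2 + 1 )); fi
}

# watchdog SRC DST [THRESHOLD]: intended to be run from cron as root.
# A single bad check is tolerated, so a renegotiation in progress (%hold)
# is not interrupted by a restart.
watchdog() {
    statefile=${STATEFILE:-/var/run/ipsec-watchdog.count}
    threshold=${3:-3}
    count=0
    [ -r "$statefile" ] && count=$(cat "$statefile")
    case "$count" in ''|*[!0-9]*) count=0 ;; esac   # ignore a damaged state file
    state=$(ipsec eroute | eroute_state "$1" "$2")
    count=$(next_failcount "$state" "$count")
    if [ "$count" -ge "$threshold" ]; then
        logger -t ipsec-watchdog "$1 -> $2 is $state, restarting ipsec"
        /etc/rc.d/init.d/ipsec restart
        count=0
    fi
    echo "$count" > "$statefile"
}

# Constructed sample in the format posted above: the gateways have SAs,
# the LAN-to-LAN policy does not.
sample_eroute() {
    cat <<'EOF'
0  192.168.11.0/24   -> 192.168.7.0/24     => %trap
7  192.168.11.0/24   -> 198.51.100.20/32   => %hold
0  203.0.113.10/32   -> 192.168.7.0/24     => %tun0x1002@198.51.100.20
0  203.0.113.10/32   -> 198.51.100.20/32   => %tun0x1004@198.51.100.20
EOF
}

sample_eroute | eroute_state 192.168.11.0/24 192.168.7.0/24

# Only touch the real system when asked to: script --check SRC DST [THRESHOLD]
case "${1:-}" in
    --check) shift; watchdog "$@" ;;
esac
```

Saved under a path of your choosing and called with `--check 192.168.11.0/24 192.168.7.0/24` from a file in /etc/cron.d/, it would check the office-to-apartment policy from the setup above.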

Michael_R

Site to Site VPN (PPTP/IPSec)
« Reply #31 on: February 15, 2005, 09:31:50 AM »
hi,
try
Code: [Select]
ipsec auto --status
if you see something like
Code: [Select]
...
IPsec SA established
...
the tunnel works, otherwise not.
And why have you got an external IP like 202.8.aaa.bbb in your settings? I think there should be the dyndns-url.

Offline Shilotsugu

Site to Site VPN (PPTP/IPSec)
« Reply #32 on: February 15, 2005, 05:07:36 PM »
I ran ipsec auto --status, and it looks like I'm back to my first scenario. The servers are talking, but I can't reach or ping the local networks behind them.

Michael, I'm not sure I understand your question. The dyndns-urls are the ones I entered into IPSEC, and the external IP is the dynamic one provided by the ISP, which got me where I am now. Both boxes use the same provider, hence the a.b and x.y variables.

I'm going to remove the respective local networks to see what changes.
.........

Offline crazybob

Site to Site VPN (PPTP/IPSec)
« Reply #33 on: March 02, 2005, 04:53:34 PM »
I have a freeswan tunnel running, and can ping the remote server (from either end). Both servers are assigned to the same work group, both are set as domain controllers. I have the same user and password on both servers. I cannot see the remote server from the local network. I have an ibay that the remote user has rights to, but I cannot see it or the server on the network.

Any Ideas

Thanks in advance


Bob
If you think you know whats going on, you obviously have no idea whats going on!

Offline crazybob

Site to Site VPN (PPTP/IPSec)
« Reply #34 on: March 02, 2005, 07:21:04 PM »
I have found a workaround by mapping the drive by referencing the remote server's IP and share name (\\192.168.1.1\sharename)

Bob

ps

This distro rocks
If you think you know whats going on, you obviously have no idea whats going on!

artful

Site to Site VPN (PPTP/IPSec)
« Reply #35 on: July 18, 2005, 12:08:49 AM »
anyone tried this on 6.5?? :-D

artful

Site to Site VPN (PPTP/IPSec)
« Reply #36 on: August 08, 2005, 05:49:39 PM »
NO ONE HAD ANY LUCK WITH 6.5??
me neither

Offline jester

Site to Site VPN (PPTP/IPSec)
« Reply #37 on: January 03, 2006, 09:12:46 AM »
Has anyone given this a go on SME7 ?!

Regards,
jester.

alejandro

Site to Site VPN (PPTP/IPSec)
« Reply #38 on: January 03, 2006, 03:24:51 PM »
have it installed on sme7b9 (tester box at home trying to tunnel to my office)
dependency problems (libpcap module incompatible or something wrong)
installing with nodeps option causes "software error" in server
Have to check libpcap rpm package and reinstall to make new tests
as soon as I get any news I'll post results
regards

Offline Franco

Re: Site to Site VPN (PPTP/IPSec)
« Reply #39 on: January 15, 2006, 03:33:49 AM »
ldkeen,
Quote from: "ldkeen"

[root@ice root]# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1) from 203.213.xxx.xxx : 56(84) bytes of data.
64 bytes from 192.168.10.1: icmp_seq=1 ttl=64 time=44.4 ms
64 bytes from 192.168.10.1: icmp_seq=2 ttl=64 time=45.7 ms
64 bytes from 192.168.10.1: icmp_seq=3 ttl=64 time=47.2 ms

--- 192.168.10.1 ping statistics ---
3 packets transmitted, 3 received, 0% loss, time 2021ms
rtt min/avg/max/mdev = 44.419/45.796/47.234/1.163 ms

[root@ice root]# ping 192.168.10.67
PING 192.168.10.67 (192.168.10.67) from 203.213.xxx.xxx : 56(84) bytes of data.
64 bytes from 192.168.10.67: icmp_seq=1 ttl=127 time=46.0 ms
64 bytes from 192.168.10.67: icmp_seq=2 ttl=127 time=82.3 ms
64 bytes from 192.168.10.67: icmp_seq=3 ttl=127 time=113 ms

--- 192.168.10.67 ping statistics ---
3 packets transmitted, 3 received, 0% loss, time 2017ms
rtt min/avg/max/mdev = 46.021/80.482/113.098/27.417 ms


I'm trying to implement a tunnel between two SME6 without success:
200.200.230.2XX
200.200.230.1XX
Two things are happening:
1- If I add the remote network to the local network, it tries to go out using the IP of the local gateway. If I remove, then it goes out as you put above.
2- # ipsec eroute
0          192.168.130.0/24   -> 192.168.0.0/24     => %trap
0          192.168.130.0/24   -> 200.200.230.1XX/32 => %trap
0          200.200.230.2XX/32 -> 192.168.0.0/24     => tun0x5164@200.200.230.1XX
0          200.200.230.2XX/32 -> 200.200.230.1XX/32 => tun0x3f88@200.200.230.1XX

ifconfig does show traffic on the ipsec0 interface in both sides.

Any ideas on what could I be doing wrong?
Regards,