Koozali.org: home of the SME Server

Site to Site VPN (PPTP/IPSec)

Shilotsugu
Site to Site VPN (PPTP/IPSec)
« Reply #30 on: February 15, 2005, 06:29:52 AM »
This is a subject that has been giving me headaches since I first started playing with SME two years ago. I have two 6.0.1 boxes with ADSL dynamic IP using dyndns.org on both sides, with the following setup:

server name: jack
host address: office.dyndns.org
DNS server: 192.168.11.1
internal ip: 192.168.11.1
internal subnet mask: 255.255.255.0
external ip: 202.8.aaa.bbb
encryption key: blah-blah-one

server name: jill
host address: apartment.dyndns.org
DNS server: 192.168.7.1
internal ip: 192.168.7.1
internal subnet mask: 255.255.255.0
external ip: 202.8.xxx.yyy
encryption key: blah-blah-two


IPSEC VPN:
jack
Remote id: apartment.dyndns.org
Remote Host: apartment.dyndns.org
remote internal ip: 192.168.7.1

jill
Remote id: office.dyndns.org
Remote Host: office.dyndns.org
remote internal ip: 192.168.11.1
WINS Client

I set up local networks for each, but the best eroute I have seen yet was:

[root@jack root]# ipsec eroute
0  192.168.11.0/24  -> 192.168.7.0/24     => %trap
0  192.168.11.0/24  -> 202.8.aaa.bbb/32   => %trap
0  202.8.xxx.yyy/32 -> 192.168.7.0/24     => %tun0x@...
0  202.8.xxx.yyy/32 -> 192.168.aaa.bbb/24 => %tun0x@...

Looks like the servers are talking, but not the networks behind them. After mistakenly thinking a reboot would be helpful, eroute has changed to this:

[root@jack root]# ipsec eroute
0  192.168.11.0/24  -> 192.168.7.0/24     => %trap
7  192.168.11.0/24  -> 202.8.aaa.bbb/32   => %hold
0  202.8.xxx.yyy/32 -> 192.168.7.0/24     => %trap
0  202.8.xxx.yyy/32 -> 202.8.aaa.bbb/24   => %trap

What am I doing wrong?
.........

Michael_R

Site to Site VPN (PPTP/IPSec)
« Reply #31 on: February 15, 2005, 09:31:50 AM »
hi,
try
Code:
ipsec auto --status
if you see something like
Code:
...
IPsec SA established
...
the tunnel works, otherwise not.
And why have you got an external ip like 202.8.aaa.bbb in your settings? I think there should be the dyndns URL.
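The two checks discussed in Reply #30 and Reply #31 (reading `ipsec eroute` and looking for an established SA in `ipsec auto --status`) can be scripted. This is an added example, not code from the thread or from SME Server; the sample dump is constructed from the eroute output above, with a placeholder SPI and peer on the tunnel line.

```python
import re
# Added diagnostic, not from SME Server or this thread: parses `ipsec eroute`
# (FreeS/WAN KLIPS) output and classifies the route for one src/dst pair.
#   tun0x...  an IPsec SA exists for the pair (traffic is tunnelled)
#   %trap     no SA yet; a matching packet triggers negotiation
#   %hold     packets held while negotiation is pending or failing
EROUTE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\S+)\s+=>\s+(\S+)\s*$")

def parse_eroutes(text):
    """One dict per eroute line; prompts and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = EROUTE_RE.match(line)
        if m:
            count, src, dst, target = m.groups()
            entries.append({"count": int(count), "src": src, "dst": dst,
                            "target": target.lstrip("%")})
    return entries

def diagnose(entries, src, dst):
    """Return 'established', 'trap', 'hold', 'other' or 'missing' for src -> dst."""
    for e in entries:
        if e["src"] == src and e["dst"] == dst:
            if e["target"].startswith("tun0x"):
                return "established"
            return e["target"] if e["target"] in ("trap", "hold") else "other"
    return "missing"

def net_to_net_ok(entries, local_net, remote_net, local_ext):
    """The symptom in this thread: the hosts talk but the subnets do not.
    Returns (host_to_net_state, net_to_net_state)."""
    return (diagnose(entries, local_ext + "/32", remote_net),
            diagnose(entries, local_net, remote_net))

def sa_established(status_text):
    """True if `ipsec auto --status` output reports an established IPsec SA."""
    return "IPsec SA established" in status_text

# Constructed sample modelled on this thread's dumps (SPI and peer are placeholders).
SAMPLE = """\
[root@jack root]# ipsec eroute
0  192.168.11.0/24  -> 192.168.7.0/24     => %trap
7  192.168.11.0/24  -> 202.8.aaa.bbb/32   => %hold
0  202.8.xxx.yyy/32 -> 192.168.7.0/24     => tun0x1002@202.8.aaa.bbb
"""

if __name__ == "__main__":
    ents = parse_eroutes(SAMPLE)
    print(net_to_net_ok(ents, "192.168.11.0/24", "192.168.7.0/24", "202.8.xxx.yyy"))
```

On the sample it reports the host-to-net route as established and the net-to-net route as trap, which is exactly the "servers talk, networks don't" state; a %hold with a non-zero packet count means traffic is queued behind a negotiation that has not completed.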

Shilotsugu
Site to Site VPN (PPTP/IPSec)
« Reply #32 on: February 15, 2005, 05:07:36 PM »
I ran ipsec auto --status, and it looks like I'm back to my first scenario. The servers are talking, but I can't reach or ping the local networks behind them.

Michael, I'm not sure I understand your question. The dyndns URLs are the ones I entered into IPSEC, and the external ip is the dynamic one provided by the ISP, which got me where I am now. Both boxes use the same provider, hence the a.b and x.y variables.

I'm going to remove the respective local networks to see what changes.
.........

crazybob
Site to Site VPN (PPTP/IPSec)
« Reply #33 on: March 02, 2005, 04:53:34 PM »
I have a freeswan tunnel running, and can ping the remote server (from either end). Both servers are assigned to the same workgroup, and both are set as domain controllers. I have the same user and password on both servers. I cannot see the remote server from the local network. I have an ibay that the remote user has rights to, but I cannot see it or the server on the network.

Any Ideas

Thanks in advance


Bob
If you think you know what's going on, you obviously have no idea what's going on!

crazybob
Site to Site VPN (PPTP/IPSec)
« Reply #34 on: March 02, 2005, 07:21:04 PM »
I have found a workaround by mapping the drive by referencing the remote server's IP and share name (\\192.168.1.1\sharename)

Bob

ps

This distro rocks

artful

Site to Site VPN (PPTP/IPSec)
« Reply #35 on: July 18, 2005, 12:08:49 AM »
anyone tried this on 6.5?? :-D

artful

Site to Site VPN (PPTP/IPSec)
« Reply #36 on: August 08, 2005, 05:49:39 PM »
NO ONE HAD ANY LUCK WITH 6.5??
me neither

jester
Site to Site VPN (PPTP/IPSec)
« Reply #37 on: January 03, 2006, 09:12:46 AM »
Has anyone given this a go on SME7 ?!

Regards,
jester.

alejandro

Site to Site VPN (PPTP/IPSec)
« Reply #38 on: January 03, 2006, 03:24:51 PM »
I have it installed on sme7b9 (tester box at home trying to tunnel to my office).
Dependency problems (libpcap module incompatible or something wrong).
Installing with the nodeps option causes a "software error" on the server.
I have to check the libpcap rpm package and reinstall to make new tests.
As soon as I get any news I'll post results.
regards

Franco
Re: Site to Site VPN (PPTP/IPSec)
« Reply #39 on: January 15, 2006, 03:33:49 AM »
ldkeen,
Quote from: "ldkeen"

[root@ice root]# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1) from 203.213.xxx.xxx : 56(84) bytes of data.
64 bytes from 192.168.10.1: icmp_seq=1 ttl=64 time=44.4 ms
64 bytes from 192.168.10.1: icmp_seq=2 ttl=64 time=45.7 ms
64 bytes from 192.168.10.1: icmp_seq=3 ttl=64 time=47.2 ms

--- 192.168.10.1 ping statistics ---
3 packets transmitted, 3 received, 0% loss, time 2021ms
rtt min/avg/max/mdev = 44.419/45.796/47.234/1.163 ms

[root@ice root]# ping 192.168.10.67
PING 192.168.10.67 (192.168.10.67) from 203.213.xxx.xxx : 56(84) bytes of data.
64 bytes from 192.168.10.67: icmp_seq=1 ttl=127 time=46.0 ms
64 bytes from 192.168.10.67: icmp_seq=2 ttl=127 time=82.3 ms
64 bytes from 192.168.10.67: icmp_seq=3 ttl=127 time=113 ms

--- 192.168.10.67 ping statistics ---
3 packets transmitted, 3 received, 0% loss, time 2017ms
rtt min/avg/max/mdev = 46.021/80.482/113.098/27.417 ms


I'm trying to implement a tunnel between two SME6 without success:
200.200.230.2XX
200.200.230.1XX
Two things are happening:
1- If I add the remote network to the local network, it tries to go out using the IP of the local gateway. If I remove it, then it goes out as you put above.
2- # ipsec eroute
0          192.168.130.0/24   -> 192.168.0.0/24     => %trap
0          192.168.130.0/24   -> 200.200.230.1XX/32 => %trap
0          200.200.230.2XX/32 -> 192.168.0.0/24     => tun0x5164@200.200.230.1XX
0          200.200.230.2XX/32 -> 200.200.230.1XX/32 => tun0x3f88@200.200.230.1XX

ifconfig does show traffic on the ipsec0 interface in both sides.

Any ideas on what I could be doing wrong?
Regards,