Koozali.org: home of the SME Server

IPsec sme 6.0.1 not working.

timtaylor11

IPsec sme 6.0.1 not working.
« on: December 02, 2004, 09:52:15 PM »
Hello all.  I have 2 e-smith boxes, one with a dedicated IP, the other DHCP behind a DSL modem set in gateway mode.  I have the same version of SME on both.

# uname -a
Linux wolverine 2.4.20-18.7 #1 Thu May 29 08:32:50 EDT 2003 i686 unknown

Both sides show IPsec running.

The side with the static IP shows
[root@cpsremote root]# ipsec verify
Checking your system to see if IPsec got installed and started correctly
Version check and ipsec on-path                             [OK]
Checking for KLIPS support in kernel                        [OK]
Checking for RSA private key (/etc/ipsec.secrets)           [OK]
Checking that pluto is running                              [OK]
DNS checks.
Looking for forward key for cpsremote                       [OK]
Looking for KEY in reverse map: 154.150.58.164.in-addr.arpa [OK]
Does the machine have at least one non-private address      [OK]
[root@cpsremote root]#

The side behind the DSL shows

[root@wolverine root]# ipsec verify
Checking your system to see if IPsec got installed and started correctly
Version check and ipsec on-path                             [OK]
Checking for KLIPS support in kernel                        [OK]
Checking for RSA private key (/etc/ipsec.secrets)           [OK]
Checking that pluto is running                              [OK]
DNS checks.
Looking for forward key for wolverine                       [FAILED]
Looking for KEY in reverse map: 93.149.39.162.in-addr.arpa  [FAILED]
Does the machine have at least one non-private address      [OK]
[root@wolverine root]#

Both sides give me the same information when I do a restart, but I cannot get any traffic across the VPN.

[root@cpsremote etc]# service ipsec restart
ipsec_setup: Stopping FreeS/WAN IPsec...
ipsec_setup: Starting FreeS/WAN IPsec 1.99...
ipsec_setup: Using /lib/modules/2.4.20-18.7/kernel/net/ipsec/ipsec.o
[root@cpsremote etc]#


Have tried about every connection and option.  I have tried it with only IP, host name, and can not seem to get it to work.  Anyone got this to work yet?  I see a lot of older ones, not 6.0, trying with a DHCP IP address.

Tim Taylor
NOT TOOL TIME

MSmith
Probably not going to work with your setup
« Reply #1 on: December 03, 2004, 09:15:44 PM »
Can you set the DSL modem to bridged mode and have the SME box do the username/password authentication?  And do both sides have static IPs?  Because that's the proven configuration.
...

timtaylor11

IPsec sme 6.0.1 not working.
« Reply #2 on: December 04, 2004, 04:21:03 AM »
The modem is set to bridge mode but the DSL is dynamic IP.

MSmith
You can search but I don't think you'll find
« Reply #3 on: December 05, 2004, 04:45:51 AM »
I don't recall seeing any success stories of FreeS/WAN LAN-to-LAN VPNs using dynamic IPs with any FreeS/WAN version under 2.0, which includes none of the SME contribs that I know of.  I think OpenVPN may be more flexible in this regard but have no direct experience.
...

psc
IPsec sme 6.0.1 not working.
« Reply #4 on: December 06, 2004, 05:14:10 PM »
The freeswan contribs DO NOT WORK with dynip!
You may have a short success, but if the remote IP changes, you have to restart freeswan on both sides!
First, solve the problem. Then, write the code.

Michael_R

IPsec sme 6.0.1 not working.
« Reply #5 on: January 15, 2005, 12:27:31 PM »
Hi,
I've installed freeswan on two SME 6.0.1-1 boxes with dynamic IPs and, as described here, it works only until one of the IPs changes.
But I think this can be solved.
The only thing you have to do is to define a cronjob on both sides which restarts the inet connection and after this the ipsec service. For a short time in the night you'll be disconnected, but in my environment this isn't so important.

Normally your DSL connection disconnects after about 24 hours. To guarantee that the ipsec connection works all day you have to disconnect 2 times in the night, because the online time varies every night by some minutes.
For example first at 23:00 and the second time at 3:00 o'clock. So you should have a connection all day.

Anyone tried something like this over a longer time?
I'm going to test this ...

Michael
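One concrete shape for the cron-driven restart Michael_R describes, written as an added example for this thread rather than code from any of the posters or from the SME contribs: instead of restarting at fixed times, the script records the address the external interface currently has and restarts FreeS/WAN (the `service ipsec restart` shown earlier in the thread) only when that address has changed since the last run, which is the condition psc points out actually breaks the tunnel. The interface name ppp0, the state-file path and the cron schedule are assumptions; the script is meant to run on both boxes.

```shell
#!/bin/sh
# Added example (not from the thread): restart FreeS/WAN only when the
# dynamic address of the external interface has changed.
# Assumptions: external interface is ppp0, state is kept in /var/run/ipsec-lastip.

STATE_FILE="${STATE_FILE:-/var/run/ipsec-lastip}"
EXT_IFACE="${EXT_IFACE:-ppp0}"

# Extract the first IPv4 address from ifconfig-style output on stdin.
# Handles the 2.4-era "inet addr:1.2.3.4" line as well as the newer "inet 1.2.3.4".
parse_inet_addr() {
    sed -n 's/^[[:space:]]*inet \(addr:\)\{0,1\}\([0-9.]*\).*/\2/p' | head -n 1
}

current_ip() {
    ifconfig "$EXT_IFACE" 2>/dev/null | parse_inet_addr
}

# Decide what to do given the previously recorded address ($1, may be empty)
# and the address now ($2). Prints one of: nolink, same, restart.
decide() {
    prev="$1"; now="$2"
    if [ -z "$now" ]; then
        echo "nolink"     # link is down, nothing to restart yet
    elif [ "$prev" = "$now" ]; then
        echo "same"
    else
        echo "restart"
    fi
}

main() {
    now="$(current_ip)"
    prev=""
    [ -r "$STATE_FILE" ] && prev="$(cat "$STATE_FILE")"
    case "$(decide "$prev" "$now")" in
        restart)
            # FreeS/WAN keeps the old address in its SAs, so restart it and
            # record the new address so the next cron run is a no-op.
            service ipsec restart
            printf '%s\n' "$now" > "$STATE_FILE"
            ;;
    esac
}

# Assumed crontab line, checking every five minutes:
#   */5 * * * * /usr/local/sbin/ipsec-dynip-check --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Because the peer's address changes independently, the same script has to run on the other box too; it only notices its own side's change.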