
Re: [suse-security] IPSEC - SuSE 9.1 - Shorewall 2.x



I got one step nearer to my goals:

ISAKMP SA is established, so key exchange seems to work and
encryption is not the reason.
But pluto complains that it cannot find a connection for that SA,
although everything else is *exactly* like on 9.0 before.

I defined my roadwarriors like this:

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
version    2.0    # conforms to second version of ipsec.conf specification

# basic configuration
config setup
   interfaces=%defaultroute
   klipsdebug=all
   plutodebug=all
   nat_traversal=yes

# default settings for connections
conn %default
   leftrsasigkey=%cert
   rightrsasigkey=%cert

# OE policy groups are disabled by default
conn block
   auto=ignore
conn clear
   auto=ignore
conn private
   auto=ignore
conn private-or-clear
   auto=ignore
conn clear-or-private
   auto=ignore
conn packetdefault
   auto=ignore

# VPN connection Roadwarrior 1
conn Road1
       left=%defaultroute
       leftcert=/etc/ipsec.d/gateway-cert.der
       leftsubnet=192.168.2.0/24
       leftnexthop=217.19.x.y
       right=%any
       rightcert=/etc/ipsec.d/certs/username@xxxxxxxxxxxxxxxxxx
       auto=add
       pfs=yes


I also added rightid= .... to my conf, but nothing changed!
Any hint appreciated,
Philipp


Philipp Rusch schrieb:

Hi Thomas,

first, thanks for your fast reply  :-)

next, I get errors when booting about interface "sit0"; does
this have something to do with the new ipsec / Freeswan 2.04 versions?
With SuSE 9.0 this was no problem at all, what's wrong here?
I mean, what IS different?

Regards,
Philipp


t.henneberger@xxxxxxxxxxxxxxx schrieb:

Hey Philipp

From:    philipp.rusch@xxxxxxxxxxxx
To:      suse-security@xxxxxxxx


Hi all,

I use the same setup in production with Suse 8.1 / 8.2 and 9.0,
IPSEC-VPN with Freeswan and Shorewall as firewall.
ipsec.conf is modified for this new setup, main difference is
the kernel 2.6.x

what happens:
- I don't see an interface "ipsec0" or similar anymore when I startup IPSEC


Native IPsec doesn't have a virtual interface anymore, you only get this with
KLIPS.

- I get errors in firewall logs about connection attempts from my roadwarriors on port 4500 (???), what's this?


UDP port 4500 is the ESP protocol, I guess that's why your Roadwarriors are acting strange, too.

Best Regards
Thomas
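As an added example (not part of this thread, and not FreeS/WAN's own tooling): a small lint for the ipsec.conf posted at the top of the thread that covers the two things discussed here, the "cannot find a connection for that SA" problem and the roadwarrior traffic on UDP 4500. It parses the file, applies the inheritance from `conn %default`, and checks that NAT traversal is enabled in `config setup` and that every `right=%any` roadwarrior conn carries a `rightid` or `rightcert` pluto can match the peer against. The sample configuration is constructed from Philipp's posting (the masked certificate path is kept as posted); the function names `parse_ipsec_conf`, `effective`, `lint` and `drop_key` are this example's own.

```python
"""Lint a FreeS/WAN-style ipsec.conf for common roadwarrior mistakes (added example)."""

# Constructed sample, trimmed from the ipsec.conf in the thread; the
# masked certificate file name is left exactly as it was posted.
SAMPLE_CONF = """\
version    2.0    # conforms to second version of ipsec.conf specification
config setup
   interfaces=%defaultroute
   nat_traversal=yes
conn %default
   leftrsasigkey=%cert
   rightrsasigkey=%cert
conn block
   auto=ignore
conn Road1
       left=%defaultroute
       leftcert=/etc/ipsec.d/gateway-cert.der
       leftsubnet=192.168.2.0/24
       right=%any
       rightcert=/etc/ipsec.d/certs/username@xxxxxxxxxxxxxxxxxx
       auto=add
       pfs=yes
"""


def parse_ipsec_conf(text):
    """Return (setup, conns): the 'config setup' keys and a dict of conn name -> keys.

    Section headers start in column 1; parameters are indented key=value lines.
    Trailing '#' comments are stripped, 'version' lines are ignored.
    """
    setup, conns = {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split()
            if parts[0] == 'config' and len(parts) > 1 and parts[1] == 'setup':
                current = setup
            elif parts[0] == 'conn' and len(parts) > 1:
                current = conns.setdefault(parts[1], {})
            else:
                current = None  # e.g. the 'version' line
            continue
        if current is None or '=' not in line:
            continue
        key, value = line.strip().split('=', 1)
        current[key.strip()] = value.strip()
    return setup, conns


def effective(conns, name):
    """Merge a conn with the values it inherits from 'conn %default'."""
    merged = dict(conns.get('%default', {}))
    merged.update(conns[name])
    return merged


def lint(text):
    """Return a list of findings; an empty list means nothing suspicious was found."""
    setup, conns = parse_ipsec_conf(text)
    findings = []
    # Roadwarriors behind NAT talk to the gateway on UDP 4500 (NAT-T) as well as
    # UDP 500, so nat_traversal must be on and the firewall must pass both ports
    # plus ESP (IP protocol 50).
    if setup.get('nat_traversal') != 'yes':
        findings.append('setup: nat_traversal is not "yes"; NAT-T on UDP 4500 will not be accepted')
    for name in conns:
        if name == '%default' or conns[name].get('auto') == 'ignore':
            continue
        c = effective(conns, name)
        if c.get('right') == '%any':
            # pluto picks the conn for an incoming roadwarrior by the peer's ID; with
            # certificate authentication that ID comes from rightid or the rightcert subject.
            if 'rightid' not in c and 'rightcert' not in c:
                findings.append(f'conn {name}: right=%any but neither rightid nor rightcert is set')
            if c.get('auto') not in ('add', 'route', 'start'):
                findings.append(f'conn {name}: auto={c.get("auto")}; a responder conn needs at least auto=add')
        if 'leftcert' in c and c.get('leftrsasigkey') != '%cert':
            findings.append(f'conn {name}: leftcert given but leftrsasigkey is not %cert')
    return findings


def drop_key(text, key):
    """Return the config with every 'key=...' line removed (used to show failing variants)."""
    return '\n'.join(l for l in text.splitlines() if not l.strip().startswith(key + '='))


if __name__ == '__main__':
    for label, conf in (('as posted', SAMPLE_CONF),
                        ('without rightcert', drop_key(SAMPLE_CONF, 'rightcert')),
                        ('without nat_traversal', drop_key(SAMPLE_CONF, 'nat_traversal'))):
        print(label, '->', lint(conf) or 'no findings')
```

Run it as-is and the posted configuration passes, while the two degraded variants report why a roadwarrior would fail to match a conn or fail to reach the gateway through NAT.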




