[Cialug] IPSec Routing & Evil NETKEY
Jonathan C. Bailey
jbailey at co.marshall.ia.us
Sun Nov 21 12:55:11 CST 2010
The only problem is that the routes don't seem to do anything.. My basic test is to see ping traffic from the client to an internal host to exit the internal interface of the VPN server (right now, I'm only seeing the decrypted packets on the external side).
-Jon
----- Original Message -----
From: "Nathan C. Smith" <nathan.smith at ipmvs.com>
To: "Central Iowa Linux Users Group" <cialug at cialug.org>
Sent: Saturday, November 20, 2010 10:37:44 PM
Subject: Re: [Cialug] IPSec Routing & Evil NETKEY
I've not done this in Linux, only on firewalls (Juniper, pfSense), but usually you have to set a route to the subnet on the other side of the VPN through the local ipsec interface. All the devices that are going to send traffic through the interface also need to know about the route too - that gets more complicated if the device with the VPN is not your gateway.
-----Original Message-----
From: cialug-bounces at cialug.org [mailto:cialug-bounces at cialug.org] On Behalf Of Jonathan C. Bailey
Sent: Saturday, November 20, 2010 10:33 PM
To: Central Iowa Linux Users Group
Subject: Re: [Cialug] IPSec Routing & Evil NETKEY
What kind of route do you speak of? My routing table has the internal subnet, external subnet, and the default gateway on the external side.
I've also tried a "ip rule" with the source as the 192.168.101.0/24 subnet and various default gateways, but no luck there either..
-Jon
----- Original Message -----
From: "Nathan C. Smith" <nathan.smith at ipmvs.com>
To: "Central Iowa Linux Users Group" <cialug at cialug.org>
Sent: Saturday, November 20, 2010 10:20:46 PM
Subject: Re: [Cialug] IPSec Routing & Evil NETKEY
And do you have a route set as well?
-----Original Message-----
From: cialug-bounces at cialug.org [mailto:cialug-bounces at cialug.org] On Behalf Of Jonathan C. Bailey
Sent: Saturday, November 20, 2010 9:43 PM
To: Central Iowa Linux Users Group
Subject: Re: [Cialug] IPSec Routing & Evil NETKEY
Yup... I've got the following in sysctl.conf:
net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.default.log_martians = 0
----- Original Message -----
From: "Zachary Kotlarek" <zach at kotlarek.com>
To: "Central Iowa Linux Users Group" <cialug at cialug.org>
Sent: Saturday, November 20, 2010 9:25:10 PM
Subject: Re: [Cialug] IPSec Routing & Evil NETKEY
On Nov 20, 2010, at 9:10 PM, Jonathan C. Bailey wrote:
> Based on the captures I have, it seems that the traffic is being successfully decrypted on eth1, but then it just goes "nowhere". I can't seem to find *anything* that would indicate how to move this decrypted traffic out the correct interface, or do anything else with it..
>
> Anyone have some thoughts on this? About to go bald from pulling my hair out...
Is IP forwarding enabled? I often forget that bit when first setting up a router.
Zach
_______________________________________________
Cialug mailing list
Cialug at cialug.org
http://cialug.org/mailman/listinfo/cialug
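An added check, not part of the thread above: the sysctl.conf lines quoted in it set net.ipv4.conf.default.*, which only seeds interfaces created afterwards, so this POSIX sh audit reads the effective values (ip_forward, and max of conf.all/conf.<if> rp_filter) straight from the sysctl tree. The interface names eth0/eth1 and the parameterised sysctl root are assumptions so it can be run against a fake tree.

```shell
#!/bin/sh
# Audit the forwarding / reverse-path sysctls a Linux IPsec (NETKEY) gateway
# needs before decrypted packets can be routed out a different interface.
# For an existing interface the kernel uses max(conf.all.rp_filter,
# conf.<if>.rp_filter); conf.default.* is irrelevant to it.
# Usage: audit_ipsec_sysctls [SYSCTL_ROOT] INTERNAL_IF EXTERNAL_IF
#   SYSCTL_ROOT defaults to /proc/sys; pass a fake tree for testing.
audit_ipsec_sysctls() {
    root="$1"; in_if="$2"; ext_if="$3"; rc=0
    [ -n "$root" ] || root=/proc/sys

    # Print the value of a key under net/ipv4, or "missing" if absent.
    read_key() { cat "$root/net/ipv4/$1" 2>/dev/null || echo missing; }

    if [ "$(read_key ip_forward)" != "1" ]; then
        echo "FAIL: net.ipv4.ip_forward != 1; decrypted packets are not routed"
        rc=1
    fi

    all_rp=$(read_key conf/all/rp_filter)
    if [ "$all_rp" = missing ]; then
        echo "WARN: conf/all/rp_filter missing, assuming 0"; all_rp=0
    fi
    for ifc in "$in_if" "$ext_if"; do
        per_rp=$(read_key "conf/$ifc/rp_filter")
        if [ "$per_rp" = missing ]; then
            echo "WARN: $ifc has no rp_filter entry; does the interface exist?"
            continue
        fi
        # Effective mode is the larger value: 0 = off, 1 = strict, 2 = loose.
        eff=$all_rp
        if [ "$per_rp" -gt "$eff" ] 2>/dev/null; then eff=$per_rp; fi
        if [ "$eff" = "1" ]; then
            echo "FAIL: strict rp_filter on $ifc (all=$all_rp, $ifc=$per_rp);" \
                 "packets leaving the tunnel can fail the reverse-path check"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the live kernel (assumed interface names eth0/eth1).
if [ "${1:-}" = "--run" ]; then
    audit_ipsec_sysctls /proc/sys eth0 eth1
fi
```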