[Cialug] IPSec VPN not passing traffic

Jonathan C. Bailey jbailey at co.marshall.ia.us
Tue Sep 7 12:34:03 CDT 2010


The machine has no firewall rules of any sort set (it's still internal - my test machine is just on a different subnet). As for routing, I've manually added routes for 192.168.22.0/24 via eth0, but get nothing. From what I understand, IPSec on Linux doesn't have any sort of "pseudo-interface" to pass traffic on (I'm used to OpenVPN myself...).

-Jon

----- Original Message -----
From: "Nathan C. Smith" <nathan.smith at ipmvs.com>
To: "Central Iowa Linux Users Group" <cialug at cialug.org>
Sent: Tuesday, September 7, 2010 12:29:16 PM
Subject: Re: [Cialug] IPSec VPN not passing traffic

You may have the connection set up but no rules for forwarding traffic or routes set?

-Nate

-----Original Message-----
From: cialug-bounces at cialug.org [mailto:cialug-bounces at cialug.org] On Behalf Of Jonathan C. Bailey
Sent: Tuesday, September 07, 2010 12:25 PM
To: cialug at cialug.org
Subject: [Cialug] IPSec VPN not passing traffic

Hello,

I'm trying to set up a "roadwarrior" type VPN for some Sun Rays we have that can natively do IPSec (no L2TP needed). I found an example (http://www.tjhsst.edu/admin/livedoc/index.php/IPSec_VPN) and went off of that. I'm using a Windows PC with the Shrew Soft VPN client for testing.

While I can connect and authenticate fine, it seems that I'm unable to pass traffic. When running tcpdump on the IPSec server, I'm seeing the plaintext traffic on eth0, but it never passes to the network.

Since this is my first (and probably only) foray into IPSec, I'm a bit stumped. It's probably something quite easy, too. Has anyone else had an issue like this?

BTW, my racoon.conf (if it helps):

path certificate "/etc/ssl/certs";
path pre_shared_key "/etc/racoon/psk.txt";

# Phase 1 (IKE) settings for any peer: roadwarriors have unknown addresses,
# so a single "anonymous" remote block answers all of them.
remote anonymous {
	exchange_mode aggressive;
	passive on;                  # only respond to IKE, never initiate
	generate_policy on;          # install SPD entries from the client's proposal
	proposal_check obey;         # accept the client's lifetime/PFS proposal
	nat_traversal force;         # always use UDP encapsulation (NAT-T)
	ike_frag on;
	proposal {
		encryption_algorithm aes;
		hash_algorithm sha1;
		authentication_method xauth_psk_server;   # PSK plus XAuth user login
		dh_group 2;
	}
}

# Phase 2 (IPsec SA) parameters offered to any peer.
sainfo anonymous {
	encryption_algorithm aes;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

# ISAKMP mode-config: virtual address pool, DNS and split-tunnel list
# pushed to clients after XAuth succeeds.
mode_cfg {
	network4 192.168.22.2;
	pool_size 200;
	netmask4 255.255.255.0;
	dns4 x.y.10.17;
	default_domain "domain.com";
	split_network include x.y.10.17/32;
	split_network include x.y.28.2/32;
	split_network include x.y.28.3/32;
	split_network include x.y.28.4/32;
	split_network include 192.168.22.0/24;
	auth_source pam;             # XAuth credentials checked through PAM
	banner "/etc/racoon/motd";
}
-Jon
_______________________________________________
Cialug mailing list
Cialug at cialug.org
http://cialug.org/mailman/listinfo/cialug
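The symptom in this thread (clients authenticate, decrypted packets show up on eth0, nothing reaches the LAN) and Nate's suggestion about forwarding both come down to the same point: Linux IPsec (xfrm/netkey) has no tunnel interface, so whether a packet is accepted, forwarded or encrypted is decided by xfrm policies (the SPD) plus the ip_forward sysctl, not by routes on a pseudo-device. The script below is an added example, not from the thread or from ipsec-tools/racoon; it reads `ip xfrm policy` output and checks that a client prefix has policies in all three directions (in: tunnel to gateway, fwd: tunnel to LAN transit, out: LAN to tunnel) and that forwarding is on. The sample policy dumps, the pool prefix `192.168.22.` and the addresses 203.0.113.1 / 198.51.100.7 are constructed for the example.

```shell
#!/bin/sh
# Added example: SPD / forwarding sanity checks for a Linux IPsec gateway
# that authenticates roadwarriors but does not pass their traffic.
# Not from the thread or from racoon; sample data below is constructed.

# Constructed `ip xfrm policy` output as racoon's generate_policy would
# install it for one client (assumed: client pool address 192.168.22.2,
# gateway 203.0.113.1, client public address 198.51.100.7).
SAMPLE_OK='src 192.168.22.2/32 dst 0.0.0.0/0
	dir in priority 2147483648
	tmpl src 198.51.100.7 dst 203.0.113.1
		proto esp reqid 0 mode tunnel
src 192.168.22.2/32 dst 0.0.0.0/0
	dir fwd priority 2147483648
	tmpl src 198.51.100.7 dst 203.0.113.1
		proto esp reqid 0 mode tunnel
src 0.0.0.0/0 dst 192.168.22.2/32
	dir out priority 2147483648
	tmpl src 203.0.113.1 dst 198.51.100.7
		proto esp reqid 0 mode tunnel'

# Same client with no fwd policy: decrypted packets destined for another
# host fail the forward-path policy check and are dropped by the kernel.
SAMPLE_NO_FWD='src 192.168.22.2/32 dst 0.0.0.0/0
	dir in priority 2147483648
	tmpl src 198.51.100.7 dst 203.0.113.1
		proto esp reqid 0 mode tunnel
src 0.0.0.0/0 dst 192.168.22.2/32
	dir out priority 2147483648
	tmpl src 203.0.113.1 dst 198.51.100.7
		proto esp reqid 0 mode tunnel'

# policy_dirs PREFIX: read `ip xfrm policy` output on stdin and print,
# sorted and space separated, the directions of every policy whose
# src/dst selector line contains PREFIX (e.g. "192.168.22.").
policy_dirs() {
    awk -v pfx="$1" '
        /^src /              { sel = $0 }
        /^[[:space:]]*dir /  { if (index(sel, pfx)) seen[$2] = 1 }
        END                  { for (d in seen) print d }
    ' | sort | tr '\n' ' ' | sed 's/ $//'
}

# missing_dirs PREFIX: print which of in/fwd/out are absent for PREFIX
# (empty output means the SPD is complete for that prefix).
missing_dirs() {
    have=" $(policy_dirs "$1") "
    out=""
    for d in "in" "fwd" "out"; do
        case "$have" in
            *" $d "*) ;;
            *) out="$out$d " ;;
        esac
    done
    printf '%s' "${out% }"
}

# forwarding_enabled VALUE: succeed when the ip_forward sysctl value is 1.
forwarding_enabled() {
    [ "$1" = "1" ]
}

# Live run on a Linux host with iproute2; silently skipped elsewhere.
if [ -r /proc/sys/net/ipv4/ip_forward ] && command -v ip >/dev/null 2>&1; then
    fwd_val=$(cat /proc/sys/net/ipv4/ip_forward)
    forwarding_enabled "$fwd_val" || echo "ip_forward is $fwd_val; set net.ipv4.ip_forward=1"
    gaps=$(ip xfrm policy 2>/dev/null | missing_dirs "192.168.22.")
    [ -z "$gaps" ] && echo "SPD complete for 192.168.22.0/24" \
                   || echo "SPD missing directions for 192.168.22.0/24: $gaps"
fi
```

Run it on the gateway as root while a client is connected; `ip xfrm state` should likewise show an ESP SA in each direction. If the policies are present and ip_forward is 1, the remaining suspects are the LAN hosts' return routes for 192.168.22.0/24 (they need to point at the gateway) rather than the tunnel itself.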