Server Fault Asked by hazaki on December 21, 2020
I’m trying to configure a road warrior VPN client on a Linux distribution.
Here is my configuration:
Client VPN LINUX – 1.1.1.1 – INTERNET – 2.2.2.2 – FireWall – 10.0.0.0/8
I wish to create a tunnel between the remote network 10.0.0.0/8 and the VPN client which will have the address 172.16.0.3
I already configured this with TheGreenBow and it worked well, so the problem I’m having is from my client configuration and not my firewall.
To make this configuration on Linux I will use racoon.
I changed the file /etc/racoon/racoon.conf:

```
log notify;
path certificate "/etc/racoon/certs";

remote 2.2.2.2 {
    exchange_mode main;
    ca_type x509 "cacert.pem";
    certificate_type x509 "cert.pem" "priv.key";
    my_identifier asn1dn;
    peers_identifier asn1dn;
    doi ipsec_doi;
    verify_cert on;
    ike_frag on;
    proposal_check obey;
    mode_cfg off;
    nat_traversal on;
    lifetime time 21600 sec;
    proposal {
        encryption_algorithm aes256;
        hash_algorithm sha2_256;
        authentication_method rsasig;
        dh_group 5;
    }
    generate_policy off;
}

sainfo anonymous {
    lifetime time 3600 sec;
    pfs_group 2;
    encryption_algorithm aes256;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}
```
I changed /etc/ipsec-tools.conf:

```
spdadd 172.16.0.3/32[any] 10.0.0.0/8[any] any -P out ipsec
    esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 10.0.0.0/8[any] 172.16.0.3/32[any] any -P in ipsec
    esp/tunnel/2.2.2.2-1.1.1.1/require;
```
Next, I configured a virtual interface to redirect the whole flow going to the remote network:

```
ip link add link eth1 name vlan0 type vlan id 1
ip addr add 172.16.0.3/24 brd 172.16.0.255 dev vlan0
route add -net 10.0.0.0/8 gw 172.16.0.3 dev vlan0
```
Here is what I get when I run “ifconfig”:

```
eth1      Link encap:Ethernet  HWaddr 0c:54:a5:3a:4a:30
          inet adr:1.1.1.1  Bcast:1.1.1.255  Masque:255.255.255.0
          adr inet6: fe80::e54:a5ff:fe3a:4a30/64 Scope:Lien
          UP BROADCAST RUNNING MULTICAST  MTU:1300  Metric:1
          Packets reçus:20775 erreurs:0 :0 overruns:0 frame:0
          TX packets:17957 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:1000
          Octets reçus:15271974 (15.2 MB) Octets transmis:2688417 (2.6 MB)
          Interruption:17 Mémoire:f7d00000-f7d20000

lo        Link encap:Boucle locale
          inet adr:127.0.0.1  Masque:255.0.0.0
          adr inet6: ::1/128 Scope:Hôte
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          Packets reçus:611 erreurs:0 :0 overruns:0 frame:0
          TX packets:611 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:0
          Octets reçus:71525 (71.5 KB) Octets transmis:71525 (71.5 KB)

vlan0     Link encap:Ethernet  HWaddr 0c:54:a5:3a:4a:30
          inet adr:172.16.0.3  Bcast:172.16.0.255  Masque:255.255.255.0
          adr inet6: fe80::e54:a5ff:fe3a:4a30/64 Scope:Lien
          UP BROADCAST RUNNING MULTICAST  MTU:1300  Metric:1
          Packets reçus:0 erreurs:0 :0 overruns:0 frame:0
          TX packets:142 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:0
          Octets reçus:0 (0.0 B) Octets transmis:24137 (24.1 KB)
```
What I get with “route”:

```
Table de routage IP du noyau
Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
default         1.1.1.1         0.0.0.0         UG    0      0        0 eth1
10.0.0.0        172.16.0.3      255.0.0.0       UG    0      0        0 vlan0
172.16.0.0      *               255.255.255.0   U     0      0        0 vlan0
1.1.1.1         *               255.255.255.0   U     1      0        0 eth1
```
The firewall tells me that the tunnel is well open (Phase 2 established).
However, I can’t ping the remote network (but it worked on Windows).
When I watch what’s happening on the firewall, I see that the ESP packets arrive at the external interface but they are not forwarded to the internal interface (which is what happens with the Windows VPN).
Do you have any idea why I have this problem?
Instead of:

```
route add -net 10.0.0.0/8 gw 172.16.0.3 dev vlan0
```

try:

```
ip route add to 10.0.0.0/8 via 172.16.0.3 dev vlan0 src 172.16.0.3
```
Answered by Mattie on December 21, 2020
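An added diagnostic (not part of the question or the answer above): the "out" SPD entry only matches packets sourced from 172.16.0.3, so a packet the kernel sends toward 10.0.0.0/8 with any other source address never hits the `require` policy and leaves the host without ESP. This script checks the source address and interface the kernel selects (`ip route get`) against the selector; the addresses are those from the question, and the two sample route lines are constructed for demonstration.

```shell
#!/bin/sh
# Added diagnostic, not from the question or the answer: verify that the
# source address and interface the kernel picks for the remote network are
# the ones the SPD selector (172.16.0.3/32 -> 10.0.0.0/8) expects.
# Addresses come from the question; the sample `ip route get` lines below
# are constructed.

TUNNEL_SRC="172.16.0.3"   # source selector of the "out" SPD entry
TUNNEL_DEV="vlan0"        # interface that carries 172.16.0.3
PROBE_HOST="10.0.0.1"     # any host inside the remote 10.0.0.0/8

# Print the "src" field of one `ip route get` line (empty if absent).
route_src() {
    printf '%s\n' "$1" | sed -n 's/.* src \([0-9.][0-9.]*\).*/\1/p'
}

# Print the "dev" field of one `ip route get` line (empty if absent).
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ][^ ]*\).*/\1/p'
}

# Return 0 when the kernel's choice matches both the SPD source selector
# and the tunnel interface. A packet with another source address matches
# no policy, so it is sent without IPsec protection.
check_route() {
    [ "$(route_src "$1")" = "$TUNNEL_SRC" ] && \
    [ "$(route_dev "$1")" = "$TUNNEL_DEV" ]
}

# Live check on the VPN client itself (needs the route to be installed):
#   check_route "$(ip route get "$PROBE_HOST" | head -n 1)"

# Constructed sample lines: the first is the shape produced by a route
# carrying "src 172.16.0.3", the second a route where the kernel chose
# the eth1 address instead.
GOOD_ROUTE="10.0.0.1 via 172.16.0.3 dev vlan0 src 172.16.0.3 uid 0"
BAD_ROUTE="10.0.0.1 via 172.16.0.3 dev vlan0 src 1.1.1.1 uid 0"

for line in "$GOOD_ROUTE" "$BAD_ROUTE"; do
    if check_route "$line"; then
        echo "OK   src=$(route_src "$line") dev=$(route_dev "$line")"
    else
        echo "FAIL src=$(route_src "$line") dev=$(route_dev "$line")" \
             "(SPD expects $TUNNEL_SRC on $TUNNEL_DEV)"
    fi
done
```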