IPSec VPN Routing Post: 302487381

Sponsored Content

Special Forums IP Networking IPSec VPN Routing Post 302487381 by salukibob on Wednesday 12th of January 2011 09:06:52 AM

01-12-2011

Registered User

IPSec VPN Routing

Hello,

I'm trying to setup a gateway VPN between two routers across an unsecured network between two local networks. The routers are both linux and I'm using the ipsec tools, racoon and setkey. So far hosts from either local net can successfully ping hosts on the other local net without issue.

I'd like to also be able to ping from either of the routers to any host on the remote lan, including the remote router. This currently won't work.

My SPD policies on one of the routers is this:

Code:

spdadd 192.168.2.0/24[any] 192.168.1.0/24[any] any -P out ipsec esp/tunnel/194.16.1.6-194.16.1.7/require;
spdadd 192.168.1.0/24[any] 192.168.2.0/24[any] any -P in ipsec esp/tunnel/194.16.1.7-194.16.1.6/require;

Where my local networks are 192.168.2.0 an 192.168.1.0 with external IP's 194.16.1.6 and 194.16.1.7 respectively.

I've tried to add a route from the router to the remote network such are:

Code:

$ ip route add 192.168.2.0/24 dev eth0

but this doesn't work for me. I'm clearly missing something with the routing.

Any tips would be most appreciated.
Regards
Rob Smith

salukibob

View Public Profile for salukibob

Find all posts by salukibob

9 More Discussions You Might Find Interesting

1. Cybersecurity

IPSec - VPN using shared key

Hello! I have some trouble trying to configure a VPN with two gateways. One of them uses IPSec with a single key, 256bits length, specified in /etc/ipsec.secrets. As FreeSwan manual page says, if i put esp=3des-md5-96, will be used a "64bit IV key (internally generated), a 192bit 3des ekey and a...

2. IP Networking

internal routing & vpn

hi there. i got a vpn working. this is what happens: remote pc ----(vpn/INTERNET)----vpn server--(redirect)---webapp (internal network) real: 200.12.15.20 200.20.45.123 vpn: 10.8.0.2 10.8.0.1 internal: ...

3. BSD

Problem on IPSec

Hi, this is my first post...:p Hello Admin :) Can I have an ask for something with my configuration ? I have finished some kind of the tutorial to build ipsec site to site, and the "step" has finished completely. I have a simulation with a local design topology with two PC's (FreeBSD ...

4. UNIX for Advanced & Expert Users

Ipsec implementation

How can i implement Ipsec between two machines in linux_ ubuntu? any link?? suggestion??

5. Cybersecurity

IPSEC

hello, after configuration ipsec in ip4 I can not ping between client and server whereas I had success ping before configuration! I also generate different key for AH and ESP as i have shown below. what is my problem and what should i do to have ping and test the configuration? code: ...

6. IP Networking

VPN IPSec Openswan

Hi all, I have installed Openswan and configured IPSec and works perfect, but for some unknown reasons it stop working. I see that the tunnels are up and established. The route to the destination are added. Everything by the book seems to be ok. But somehow when i start to ping the other side (...

7. IP Networking

Cisco 3750 Switch ASA VPN Routing

Hi,I want connect my ASA 5510 firewall to a 3750 switch with RIP routing. Unfortunately,I am having issues passing the VPN subnet through rip to the 3750.I don't understand how the routing table is populated on the ASA. Any suggestions?

8. IP Networking

IPSec Openswan Site to Site VPN - Big Pain

Hi @all, I try to connect 2 LANs with IPSec/Openswan LAN 1: 192.168.0.0/24 LAN 2: 192.168.1.0/24 This is my Config: conn HomeVPN # # Left security gateway, subnet behind it, nexthop toward right. left=192.168.1.29 ...

9. IP Networking

Best tool to monitor VPN IPSEC Tunneling

We are using cyberoam device, VPN IPSEC tunnel is going of frequently even the traffic is throug. Please suggest what may be the cause for the above mentioned issue. Also suggest a best tool to monitor the same VPN IPSEC tunnel connectivity.

LEARN ABOUT DEBIAN

racoon

RACOON(8)						    BSD System Manager's Manual 						 RACOON(8)

NAME

     racoon -- IKE (ISAKMP/Oakley) key management daemon

SYNOPSIS

     racoon [-46BdFLVv] [-f configfile] [-l logfile] [-P isakmp-natt-port] [-p isakmp-port]

DESCRIPTION

     racoon speaks the IKE (ISAKMP/Oakley) key management protocol, to establish security associations with other hosts.  The SPD (Security Policy
     Database) in the kernel usually triggers racoon.  racoon usually sends all informational messages, warnings and error messages to syslogd(8)
     with the facility LOG_DAEMON and the priority LOG_INFO.  Debugging messages are sent with the priority LOG_DEBUG.	You should configure
     syslog.conf(5) appropriately to see these messages.

     -4

     -6      Specify the default address family for the sockets.

     -B      Install SA(s) from the file which is specified in racoon.conf(5).

     -d      Increase the debug level.	Multiple -d arguments will increase the debug level even more.

     -F      Run racoon in the foreground.

     -f configfile
	     Use configfile as the configuration file instead of the default.

     -L      Include file_name:line_number:function_name in all messages.

     -l logfile
	     Use logfile as the logging file instead of syslogd(8).

     -P isakmp-natt-port
	     Use isakmp-natt-port for NAT-Traversal port-floating.  The default is 4500.

     -p isakmp-port
	     Listen to the ISAKMP key exchange on port isakmp-port instead of the default port number, 500.

     -V      Print racoon version and compilation options and exit.

     -v      This flag causes the packet dump be more verbose, with higher debugging level.

     racoon assumes the presence of the kernel random number device rnd(4) at /dev/urandom.

RETURN VALUES

     The command exits with 0 on success, and non-zero on errors.

FILES

     /etc/racoon.conf  default configuration file.

SEE ALSO

     ipsec(4), racoon.conf(5), syslog.conf(5), setkey(8), syslogd(8)

HISTORY

     The racoon command first appeared in the ``YIPS'' Yokogawa IPsec implementation.

SECURITY CONSIDERATIONS

     The use of IKE phase 1 aggressive mode is not recommended, as described in http://www.kb.cert.org/vuls/id/886601.

BSD
								 January 23, 2009							       BSD