| 1 |
Hi All, |
| 2 |
|
| 3 |
I have posted about this before, but did not get any responses. Since then I |
| 4 |
have made some progress and have been able to set up a VPN tunnel using |
| 5 |
racoon. |
| 6 |
|
| 7 |
However, each time I have to assign subnets and set up the tunnel manually, |
| 8 |
because the ipsec-tools initialisation scripts do not seem to work. |
| 9 |
|
| 10 |
The scripts are originally installed in: |
| 11 |
|
| 12 |
/usr/share/doc/ipsec-tools-0.7.3-r1/samples/roadwarrior/client/ |
| 13 |
|
| 14 |
phase1-up.sh.bz2 |
| 15 |
|
| 16 |
and |
| 17 |
|
| 18 |
phase1-down.sh.bz2 |
| 19 |
|
| 20 |
These scripts are meant to pick up local and remote addresses and set up |
| 21 |
appropriate security policies for the roadwarrior, as well as change the |
| 22 |
default gateway & DNS resolver to the LAN of the VPN router. Well, for some |
| 23 |
reason that escapes me completely they don't. |
| 24 |
|
| 25 |
|
| 26 |
The phase1-up.sh contains: |
| 27 |
======================================== |
| 28 |
#!/bin/sh |
| 29 |
|
| 30 |
# |
| 31 |
# sa-up.sh local configuration for a new SA |
| 32 |
# |
| 33 |
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin |
| 34 |
|
| 35 |
case `uname -s` in |
| 36 |
NetBSD) |
| 37 |
DEFAULT_GW=`netstat -rn | awk '($1 == "default"){print $2}'` |
| 38 |
;; |
| 39 |
Linux) |
| 40 |
DEFAULT_GW=`netstat -rn | awk '($1 == "0.0.0.0"){print $2}'` |
| 41 |
;; |
| 42 |
esac |
| 43 |
|
| 44 |
echo $@ |
| 45 |
echo "LOCAL_ADDR = ${LOCAL_ADDR}" |
| 46 |
echo "LOCAL_PORT = ${LOCAL_PORT}" |
| 47 |
echo "REMOTE_ADDR = ${REMOTE_ADDR}" |
| 48 |
echo "REMOTE_PORT = ${REMOTE_PORT}" |
| 49 |
echo "DEFAULT_GW = ${DEFAULT_GW}" |
| 50 |
echo "INTERNAL_ADDR4 = ${INTERNAL_ADDR4}" |
| 51 |
echo "INTERNAL_DNS4 = ${INTERNAL_DNS4}" |
| 52 |
|
| 53 |
echo ${INTERNAL_ADDR4} | grep '[0-9]' > /dev/null || exit 0 |
| 54 |
echo ${DEFAULT_GW} | grep '[0-9]' > /dev/null || exit 0 |
| 55 |
|
| 56 |
test -f /etc/resolv.conf.bak || cp /etc/resolv.conf /etc/resolv.conf.bak |
| 57 |
echo "# Generated by racoon on `date`" > /etc/resolv.conf |
| 58 |
echo "nameserver ${INTERNAL_DNS4}" >> /etc/resolv.conf |
| 59 |
|
| 60 |
case `uname -s` in |
| 61 |
NetBSD) |
| 62 |
if=`netstat -rn|awk '($1 == "default"){print $7}'` |
| 63 |
ifconfig ${if} alias ${INTERNAL_ADDR4} netmask ${INTERNAL_NETMASK4} |
| 64 |
route delete default |
| 65 |
route add default ${DEFAULT_GW} -ifa ${INTERNAL_ADDR4} |
| 66 |
route add ${REMOTE_ADDR} ${DEFAULT_GW} |
| 67 |
;; |
| 68 |
Linux) |
| 69 |
if=`netstat -rn|awk '($1 == "0.0.0.0"){print $8}'` |
| 70 |
ifconfig ${if}:1 ${INTERNAL_ADDR4} |
| 71 |
route delete default |
| 72 |
route add ${REMOTE_ADDR} gw ${DEFAULT_GW} dev ${if} |
| 73 |
route add default gw ${DEFAULT_GW} dev ${if}:1 |
| 74 |
;; |
| 75 |
esac |
| 76 |
|
| 77 |
# Use this for a NAT-T setup |
| 78 |
LOCAL="${LOCAL_ADDR}[${LOCAL_PORT}]" |
| 79 |
REMOTE="${REMOTE_ADDR}[${REMOTE_PORT}]" |
| 80 |
|
| 81 |
# Use this for a non NAT-T setup |
| 82 |
#LOCAL="${LOCAL_ADDR}" |
| 83 |
#REMOTE="${REMOTE_ADDR}" |
| 84 |
|
| 85 |
|
| 86 |
echo " |
| 87 |
spdadd ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any |
| 88 |
-P out ipsec esp/tunnel/${LOCAL}-${REMOTE}/require; |
| 89 |
spdadd 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any |
| 90 |
-P in ipsec esp/tunnel/${REMOTE}-${LOCAL}/require; |
| 91 |
" | setkey -c |
| 92 |
|
| 93 |
# |
| 94 |
# XXX This is a workaround for Linux forward policies problem. |
| 95 |
# Someone familiar with forward policies please fix this properly. |
| 96 |
# |
| 97 |
case `uname -s` in |
| 98 |
Linux) |
| 99 |
echo " |
| 100 |
spddelete 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any |
| 101 |
-P fwd ipsec esp/tunnel/${REMOTE}-${LOCAL}/require; |
| 102 |
" | setkey -c |
| 103 |
;; |
| 104 |
esac |
| 105 |
======================================== |
| 106 |
|
| 107 |
|
| 108 |
I have tried with a completed and an empty /etc/ipsec.conf file (in which the |
| 109 |
security policies are defined). If it is empty it is left so by the script |
| 110 |
and no routes are set up when I ping the remote LAN. |
| 111 |
|
| 112 |
When I run the script by hand this is what I get: |
| 113 |
|
| 114 |
# /etc/racoon/scripts/phase1-up.sh |
| 115 |
|
| 116 |
LOCAL_ADDR = |
| 117 |
LOCAL_PORT = |
| 118 |
REMOTE_ADDR = |
| 119 |
REMOTE_PORT = |
| 120 |
DEFAULT_GW = 193.30.166.3 |
| 121 |
INTERNAL_ADDR4 = |
| 122 |
INTERNAL_DNS4 = |
| 123 |
|
| 124 |
Which shows the roadwarriors ISPs gateway, but no local network or remote |
| 125 |
addresses. Of course pinging the remote LAN does not get me anywhere, until I |
| 126 |
add the remote LAN subnet VPN allocation manually to my interface device, and |
| 127 |
create a route to the remote LAN, e.g. by running: |
| 128 |
|
| 129 |
# ifconfig wlan0:1:0 172.16.1.1 |
| 130 |
# ip route add 10.10.10.0/24 via 172.16.1.1 dev wlan0 |
| 131 |
|
| 132 |
After doing this all works fine and I can ping, establish a connection to the |
| 133 |
remote LAN and get one with my work. |
| 134 |
|
| 135 |
I am not sure if there is something wrong with the way that the |
| 136 |
/etc/init.d/racoon initialises the service; i.e. perhaps the phase1-up.sh |
| 137 |
script is running at the wrong time? |
| 138 |
|
| 139 |
Notwithstanding something being wrong with the router's VPN implementation |
| 140 |
(there's a lot of poorly implemented IPSec routers out there) I am not sure if |
| 141 |
I have configured something wrong. According to Google I'm not supposed to |
| 142 |
set up routing manually as I do. This is all meant to be set up by the policy |
| 143 |
file. |
| 144 |
|
| 145 |
What do you get when you run the script? |
| 146 |
|
| 147 |
Any idea how could I troubleshoot this? |
| 148 |
|
| 149 |
I attach my kernel configuration just in case you spot something that I have |
| 150 |
missed out and that's the reason the kernel does not set up the routes. |
| 151 |
-- |
| 152 |
Regards, |
| 153 |
Mick |
Archives