Hi All,

I have posted about this before, but did not get any responses. Since then I
have made some progress and have been able to set up a VPN tunnel using
racoon.

However, each time I have to assign subnets and set up the tunnel manually,
because the ipsec-tools initialisation scripts do not seem to work.

The scripts are originally installed in:

/usr/share/doc/ipsec-tools-0.7.3-r1/samples/roadwarrior/client/

phase1-up.sh.bz2

and

phase1-down.sh.bz2

These scripts are meant to pick up local and remote addresses and set up
appropriate security policies for the roadwarrior, as well as change the
default gateway & DNS resolver to the LAN of the VPN router. Well, for some
reason that escapes me completely they don't.

The phase1-up.sh contains:
========================================
#!/bin/sh

#
# sa-up.sh local configuration for a new SA
#
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

case `uname -s` in
NetBSD)
	DEFAULT_GW=`netstat -rn | awk '($1 == "default"){print $2}'`
	;;
Linux)
	DEFAULT_GW=`netstat -rn | awk '($1 == "0.0.0.0"){print $2}'`
	;;
esac

# The LOCAL_*/REMOTE_*/INTERNAL_* variables below are exported by racoon
# when it executes this hook; they are empty when the script is run by hand.
echo $@
echo "LOCAL_ADDR = ${LOCAL_ADDR}"
echo "LOCAL_PORT = ${LOCAL_PORT}"
echo "REMOTE_ADDR = ${REMOTE_ADDR}"
echo "REMOTE_PORT = ${REMOTE_PORT}"
echo "DEFAULT_GW = ${DEFAULT_GW}"
echo "INTERNAL_ADDR4 = ${INTERNAL_ADDR4}"
echo "INTERNAL_DNS4 = ${INTERNAL_DNS4}"

# Nothing to do unless mode_cfg delivered an internal address and we know the gateway
echo ${INTERNAL_ADDR4} | grep '[0-9]' > /dev/null || exit 0
echo ${DEFAULT_GW} | grep '[0-9]' > /dev/null || exit 0

test -f /etc/resolv.conf.bak || cp /etc/resolv.conf /etc/resolv.conf.bak
echo "# Generated by racoon on `date`" > /etc/resolv.conf
echo "nameserver ${INTERNAL_DNS4}" >> /etc/resolv.conf

case `uname -s` in
NetBSD)
	if=`netstat -rn|awk '($1 == "default"){print $7}'`
	ifconfig ${if} alias ${INTERNAL_ADDR4} netmask ${INTERNAL_NETMASK4}
	route delete default
	route add default ${DEFAULT_GW} -ifa ${INTERNAL_ADDR4}
	route add ${REMOTE_ADDR} ${DEFAULT_GW}
	;;
Linux)
	if=`netstat -rn|awk '($1 == "0.0.0.0"){print $8}'`
	ifconfig ${if}:1 ${INTERNAL_ADDR4}
	route delete default
	route add ${REMOTE_ADDR} gw ${DEFAULT_GW} dev ${if}
	route add default gw ${DEFAULT_GW} dev ${if}:1
	;;
esac

# Use this for a NAT-T setup
LOCAL="${LOCAL_ADDR}[${LOCAL_PORT}]"
REMOTE="${REMOTE_ADDR}[${REMOTE_PORT}]"

# Use this for a non NAT-T setup
#LOCAL="${LOCAL_ADDR}"
#REMOTE="${REMOTE_ADDR}"


echo "
spdadd ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any
	-P out ipsec esp/tunnel/${LOCAL}-${REMOTE}/require;
spdadd 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any
	-P in ipsec esp/tunnel/${REMOTE}-${LOCAL}/require;
" | setkey -c

#
# XXX This is a workaround for Linux forward policies problem.
# Someone familiar with forward policies please fix this properly.
#
case `uname -s` in
Linux)
	echo "
spddelete 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any
	-P fwd ipsec esp/tunnel/${REMOTE}-${LOCAL}/require;
	" | setkey -c
	;;
esac
========================================


I have tried with a completed and an empty /etc/ipsec.conf file (in which the
security policies are defined). If it is empty it is left so by the script
and no routes are set up when I ping the remote LAN.

When I run the script by hand this is what I get:

# /etc/racoon/scripts/phase1-up.sh

LOCAL_ADDR =
LOCAL_PORT =
REMOTE_ADDR =
REMOTE_PORT =
DEFAULT_GW = 193.30.166.3
INTERNAL_ADDR4 =
INTERNAL_DNS4 =

Which shows the roadwarrior's ISP's gateway, but no local network or remote
addresses. Of course pinging the remote LAN does not get me anywhere, until I
add the remote LAN subnet VPN allocation manually to my interface device, and
create a route to the remote LAN, e.g. by running:

# ifconfig wlan0:1:0 172.16.1.1
# ip route add 10.10.10.0/24 via 172.16.1.1 dev wlan0

After doing this all works fine and I can ping, establish a connection to the
remote LAN and get on with my work.

I am not sure if there is something wrong with the way that
/etc/init.d/racoon initialises the service; i.e. perhaps the phase1-up.sh
script is running at the wrong time?

Notwithstanding something being wrong with the router's VPN implementation
(there are a lot of poorly implemented IPsec routers out there) I am not sure if
I have configured something wrong. According to Google I'm not supposed to
set up routing manually as I do. This is all meant to be set up by the policy
file.

What do you get when you run the script?

Any idea how I could troubleshoot this?

I attach my kernel configuration just in case you spot something that I have
missed out and that's the reason the kernel does not set up the routes.
-- 
Regards,
Mick
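An added troubleshooting aid for this thread (example code, not part of ipsec-tools or its sample scripts): the sample hook takes every input from environment variables that racoon exports when it executes the script named in the `script "..." phase1_up;` directive of racoon.conf, and the INTERNAL_* variables only arrive when the peer hands out an address via mode_cfg. Run from an interactive shell none of them is set, so the script prints blanks and exits at its `grep '[0-9]' || exit 0` line before touching any policy or route. The wrapper below logs exactly what racoon passes on each invocation, flags anything missing or malformed, and then hands over to the real hook, so the log shows whether the hook fires at all and with which values. The log path, the scripts directory and the mapping from hook name to sample script are assumptions made for this example; racoon passes the hook name as the script's only argument, which is what the sample's `echo $@` prints.

```shell
#!/bin/sh
# hook-debug.sh: diagnostic wrapper around the racoon phase1 hooks.
# Example written for this thread, not part of ipsec-tools. Assumed layout:
#   racoon.conf:  script "/etc/racoon/scripts/hook-debug.sh" phase1_up;
#                 script "/etc/racoon/scripts/hook-debug.sh" phase1_down;
#   the original sample scripts live in HOOK_DIR, the log goes to LOGFILE.
LOGFILE="${RACOON_HOOK_LOG:-/var/log/racoon-hook.log}"
HOOK_DIR="${RACOON_HOOK_DIR:-/etc/racoon/scripts}"

# Exported by racoon for every phase 1 exchange.
SA_VARS="LOCAL_ADDR LOCAL_PORT REMOTE_ADDR REMOTE_PORT"
# Exported only when the peer handed out an address via mode_cfg.
MODECFG_VARS="INTERNAL_ADDR4 INTERNAL_NETMASK4 INTERNAL_DNS4"

# is_ipv4 VALUE: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_hook_env: print one PROBLEM line per variable that is missing or
# malformed. Always returns 0 so callers can capture the output under set -e.
check_hook_env() {
    for v in LOCAL_ADDR REMOTE_ADDR; do
        eval "val=\${$v:-}"
        is_ipv4 "$val" ||
            echo "PROBLEM $v='$val' is not an IPv4 address (empty: racoon did not export it)"
    done
    for v in LOCAL_PORT REMOTE_PORT; do
        eval "val=\${$v:-}"
        case "$val" in
            ""|*[!0-9]*) echo "PROBLEM $v='$val' is not a port number" ;;
        esac
    done
    is_ipv4 "${INTERNAL_ADDR4:-}" ||
        echo "PROBLEM INTERNAL_ADDR4='${INTERNAL_ADDR4:-}' (no mode_cfg address; the sample phase1-up.sh exits before touching policies or routes)"
    for v in INTERNAL_NETMASK4 INTERNAL_DNS4; do
        eval "val=\${$v:-}"
        is_ipv4 "$val" || echo "PROBLEM $v='$val' is not an IPv4 address"
    done
    return 0
}

# hook_main HOOKNAME: append everything racoon gave us to the log, then run
# the real sample script with the same environment and arguments.
hook_main() {
    umask 077                      # the log holds peer addresses; keep it root-only
    {
        echo "=== $(date) hook=$1 pid=$$ uid=$(id -u)"
        for v in $SA_VARS $MODECFG_VARS; do
            eval "echo \"  $v=\${$v:-<unset>}\""
        done
        check_hook_env | sed 's/^/  /'
    } >> "$LOGFILE"
    case "$1" in
        phase1_up)   real="$HOOK_DIR/phase1-up.sh" ;;
        phase1_down) real="$HOOK_DIR/phase1-down.sh" ;;
        *)           return 0 ;;
    esac
    if [ -x "$real" ]; then
        exec "$real" "$@"
    fi
    echo "  real hook $real is missing or not executable" >> "$LOGFILE"
}

# Only act when invoked by racoon, which passes the hook name as argv[1]
# (the same value the sample script's 'echo $@' prints). Sourcing the file
# or running it without arguments just defines the functions above.
case "${1:-}" in
    phase1_up|phase1_down) hook_main "$@" ;;
esac
```

Point racoon.conf at the wrapper instead of the sample, restart racoon, bring the tunnel up and read the log: an entry with all variables set means the hook fires and the fault lies in the route or setkey commands; an entry with INTERNAL_ADDR4 unset means the peer did not deliver a mode_cfg address; no entry at all means racoon never ran the script.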