# Set the configuration of interfaces for IPSec-tunnels

## unax

Hello, comrades! I have a tiny question.

Suppose I create a tunnel between the two addresses 100.111.222.1 and 100.111.222.2 using net-firewall/ipsec-tools-0.7.3-r1 (USE="iconv ipv6 nat pam readline -hybrid -idea -kerberos -ldap -rc5 (-selinux)").

On the first server I have a configuration like this (in /etc/racoon/racoon.conf):

```
path pre_shared_key "/etc/racoon/psk.txt";

remote 100.111.222.2[500]
{
    exchange_mode aggressive,main;
    doi ipsec_doi;
    situation identity_only;
    my_identifier address;
    initial_contact on;
    proposal_check obey;
    proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 5;
            }
}

sainfo anonymous
{
    pfs_group 2;
    lifetime time 12 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

in /etc/racoon/ipsec.conf:

```
spdadd 100.111.222.2/32 100.111.222.1/32 ipencap -P in ipsec
       esp/tunnel/100.111.222.2-100.111.222.1/require;
spdadd 100.111.222.1/32 100.111.222.2/32 ipencap -P out ipsec
       esp/tunnel/100.111.222.1-100.111.222.2/require;
```

and in /etc/racoon/psk.txt:

```
100.111.222.1 keykeykeykeykeykey
```

and similarly on the second server of the tunnel.

And finally, how do I create virtual interfaces in /etc/conf.d/net? I need to set the local addresses of the tunnel and the names of the virtual interfaces; this is needed for the iptables and routing settings.

In FreeBSD this is simple: declare the interfaces in /etc/rc.conf. For example:

```
gifconfig_gif3="100.111.222.1 100.111.222.2"
ifconfig_gif3="inet 10.10.1.1 10.10.2.1 netmask 255.255.255.255"
```

How can I declare virtual interfaces and set their configuration for the tunnel?

Waiting for your advice.

----------

## salahx

Unlike FreeBSD, Linux does not use a separate interface for IPsec; rather, the IPsec policies define what gets tunneled and how.

----------

## unax

 *salahx wrote:*   

> Unlike FreeBSD, Linux does not use separate interface for ipsec, rather the ipsec policies define what gets tunneled and how.

 

Hmm... then can I declare the IP addresses and the names of interfaces in the configuration files of racoon? I still don't know how it's done...

Can anybody share their experience? What should I write?

----------

## salahx

Well, I'm not exactly sure how you've got your network configured, but given that you are using tunnel mode it sounds like you are probably trying to connect 2 networks at different sites.

So using the IPs you gave, 100.111.222.1 and 100.111.222.2, let's presume 100.111.222.1 has a 192.168.1.0/24 behind it, and 100.111.222.2 has a 192.168.2.0/24 behind it.

So, for the router on 100.111.222.1, the ipsec.conf would be as follows:

```
#!/usr/sbin/setkey

spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
    esp/tunnel/100.111.222.1-100.111.222.2/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/100.111.222.1-100.111.222.2/require;
#spdadd 192.168.2.0/24 192.168.1.0/24 any -P fwd ipsec
#   esp/tunnel/100.111.222.1-100.111.222.2/require;
```

For the other router, the rules are similar, except the source and destination rules are reversed (under Linux, the "fwd" rule is implied by the "in" rule, so I commented it out).

And that's it. Any traffic from 192.168.1.0/24 going to 192.168.2.0/24 will be transparently tunneled from 100.111.222.1 to 100.111.222.2 and appear on the other side as though it came from 192.168.1.0/24.

So that means on the 100.111.222.2 interface, packets will be appearing from 192.168.1.0/24. You'll need to set up IP forwarding and set up a route from 192.168.1.0/24 to 192.168.2.0/24 via whatever interface 100.111.222.2 is on. Note that this means you'll be legitimately getting private IPs from an interface with a public IP. Make sure you're not blocking all 192.168.0.0/16 packets on the 100.111.222.2 interface via iptables (you can use iptables to accept the ones in the tunnel while blocking non-tunneled ones, though).

----------

## unax


Thanks for everything! I did as you advised.

But today I tried to create the tunnels between 2 servers in my home LAN, and I have a problem.

I think the configuration on the test servers is working now, but I don't understand why the tunnel is not created. The servers don't even have a firewall! (iptables uses the ACCEPT default policy.) I hope someone can help me understand the error...

Configurations:

test server 1:

```
config_eth0=( "10.0.11.26 netmask 255.255.255.0" )
config_eth1=( "192.168.1.1 netmask 255.255.255.0" )
```

eth1 and eth0 are real interfaces and they are working.

/etc/racoon/racoon.conf

```
path include "/etc/racoon";
log debug;
path pre_shared_key "/etc/racoon/psk.txt";

padding
{
    maximum_length 20;
    randomize off;
    strict_check off;
    exclusive_tail off;
}

listen
{
    isakmp 10.0.11.26 [500];
}

timer
{
    counter 5;
    interval 20 sec;
    persend 1;
    phase1 30 sec;
    phase2 15 sec;
}

remote 10.0.11.20[500]
{
    my_identifier address 10.0.11.26;
    exchange_mode aggressive,main;
    initial_contact off;
    doi ipsec_doi;
    lifetime time 24 hour;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo anonymous
{
    pfs_group 2;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    lifetime time 3600 sec;
}
```

and here is /etc/racoon/ipsec.conf:

```
#!/usr/sbin/setkey -f

flush;
spdflush;

spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/10.0.11.26-10.0.11.20/require;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P fwd ipsec esp/tunnel/10.0.11.26-10.0.11.20/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in  ipsec esp/tunnel/10.0.11.20-10.0.11.26/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P fwd ipsec esp/tunnel/10.0.11.20-10.0.11.26/require;
```

/etc/racoon/psk.txt consists of one line: `10.0.11.20 gentoothebest`

More... server 2 has these configurations:

/etc/conf.d/net:

```
config_eth0=( "10.0.11.20 netmask 255.255.255.0" )
vlans_eth0="1"
vconfig_eth0=( "set_name_type VLAN_PLUS_VID_NO_PAD" )
vconfig_vlan1=( "set_flag 1" "set_egress_map 2 6" )
```

For the test I use a virtual interface; it can be pinged from localhost.

The file /etc/racoon/racoon.conf is the same as on test server 1, differing only in the IP addresses.

/etc/racoon/ipsec.conf:

```
#!/usr/sbin/setkey -f

flush;
spdflush;

spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/10.0.11.20-10.0.11.26/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P fwd ipsec esp/tunnel/10.0.11.20-10.0.11.26/require;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P in  ipsec esp/tunnel/10.0.11.26-10.0.11.20/require;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P fwd ipsec esp/tunnel/10.0.11.26-10.0.11.20/require;
```

And finally `10.0.11.26 gentoothebest` in /etc/racoon/psk.txt.

So...

```
test_server1# /etc/init.d/racoon start
test_server2# /etc/init.d/racoon start
```

and let's see what `setkey -DP` says:

```
(per-socket policy)
        Policy:[Invalid direciton]
        created: Dec  6 15:08:39 2010  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=716 seq=1 pid=24704
        refcnt=1
(per-socket policy)
        Policy:[Invalid direciton]
        created: Dec  6 15:08:39 2010  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=707 seq=2 pid=24704
        refcnt=1
192.168.2.0/24[any] 192.168.1.0/24[any] any
        fwd prio def ipsec
        esp/tunnel/10.0.11.20-10.0.11.26/require
        created: Dec  6 15:08:39 2010  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=698 seq=3 pid=24704
        refcnt=1
192.168.2.0/24[any] 192.168.1.0/24[any] any
        in prio def ipsec
        esp/tunnel/10.0.11.20-10.0.11.26/require
        created: Dec  6 15:08:39 2010  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=688 seq=4 pid=24704
        refcnt=1
192.168.1.0/24[any] 192.168.2.0/24[any] any
        fwd prio def ipsec
        esp/tunnel/10.0.11.26-10.0.11.20/require
        created: Dec  6 15:08:39 2010  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=682 seq=5 pid=24704
        refcnt=1
192.168.1.0/24[any] 192.168.2.0/24[any] any
        out prio def ipsec
        esp/tunnel/10.0.11.26-10.0.11.20/require
        created: Dec  6 15:08:39 2010  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=673 seq=0 pid=24704
        refcnt=1
```

Nothing.

And most incomprehensible to me...

```
# tcpdump -i eth0 port 500 or host 10.0.11.20
```

(on either server) NOTHING!! No attempt to connect, and the network has no restrictions!

Let's see the logs...

```
2010-12-06 15:08:39: INFO: 10.0.11.26[500] used as isakmp port (fd=6)
2010-12-06 15:08:39: DEBUG: pk_recv: retry[0] recv()
2010-12-06 15:08:39: DEBUG: get pfkey X_SPDDUMP message
2010-12-06 15:08:39: DEBUG: pk_recv: retry[0] recv()
2010-12-06 15:08:39: DEBUG: get pfkey X_SPDDUMP message
2010-12-06 15:08:39: DEBUG: sub:0xbfe81c5c: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in
2010-12-06 15:08:39: DEBUG: db :0x97b8d00: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=fwd
2010-12-06 15:08:39: DEBUG: pk_recv: retry[0] recv()
2010-12-06 15:08:39: DEBUG: get pfkey X_SPDDUMP message
2010-12-06 15:08:39: DEBUG: sub:0xbfe81c5c: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=fwd
2010-12-06 15:08:39: DEBUG: db :0x97b8d00: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=fwd
2010-12-06 15:08:39: DEBUG: sub:0xbfe81c5c: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=fwd
2010-12-06 15:08:39: DEBUG: db :0x97b8f48: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in
2010-12-06 15:08:39: DEBUG: pk_recv: retry[0] recv()
2010-12-06 15:08:39: DEBUG: get pfkey X_SPDDUMP message
2010-12-06 15:08:39: DEBUG: sub:0xbfe81c5c: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
2010-12-06 15:08:39: DEBUG: db :0x97b8d00: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=fwd
2010-12-06 15:08:39: DEBUG: sub:0xbfe81c5c: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
2010-12-06 15:08:39: DEBUG: db :0x97b8f48: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in
2010-12-06 15:08:39: DEBUG: sub:0xbfe81c5c: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
2010-12-06 15:08:39: DEBUG: db :0x97b9190: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=fwd
```

No errors, no warnings...

The tunnels are still down. What is happening?
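The `setkey -DP` dump in this post is what a practitioner reads to confirm that the kernel actually holds the policies racoon will negotiate for. The following is an added example, not code from the thread or from ipsec-tools: it parses that dump (embedded here as a constructed sample, trimmed to one per-socket entry) and audits it against what a gateway needs, namely an `out` policy wrapped local gateway to remote gateway and an `in` policy wrapped remote gateway to local gateway, and reports anything else. The function names and finding texts are this example's own.

```python
"""Audit a `setkey -DP` dump against the policies a tunnel gateway needs.

Added example, not code from the thread or from ipsec-tools. The sample
dump is a trimmed copy of the one posted above (constructed input for
this example); function names and finding texts are this example's own.
"""

# Constructed sample in the layout setkey -DP prints on test server 1
# (10.0.11.26): per-socket entries first, then one block per SPD entry.
SAMPLE_DUMP = """\
(per-socket policy)
        Policy:[Invalid direciton]
        created: Dec  6 15:08:39 2010  lastused:
        spid=716 seq=1 pid=24704
192.168.2.0/24[any] 192.168.1.0/24[any] any
        fwd prio def ipsec
        esp/tunnel/10.0.11.20-10.0.11.26/require
        created: Dec  6 15:08:39 2010  lastused:
        spid=698 seq=3 pid=24704
192.168.2.0/24[any] 192.168.1.0/24[any] any
        in prio def ipsec
        esp/tunnel/10.0.11.20-10.0.11.26/require
        created: Dec  6 15:08:39 2010  lastused:
        spid=688 seq=4 pid=24704
192.168.1.0/24[any] 192.168.2.0/24[any] any
        fwd prio def ipsec
        esp/tunnel/10.0.11.26-10.0.11.20/require
        created: Dec  6 15:08:39 2010  lastused:
        spid=682 seq=5 pid=24704
192.168.1.0/24[any] 192.168.2.0/24[any] any
        out prio def ipsec
        esp/tunnel/10.0.11.26-10.0.11.20/require
        created: Dec  6 15:08:39 2010  lastused:
        spid=673 seq=0 pid=24704
"""


def parse_spd_dump(text):
    """Return one dict {src, dst, dir, src_gw, dst_gw} per SPD entry that
    carries an ESP tunnel policy. Per-socket entries have no selector line
    and are skipped; the '[any]' port suffix is stripped from selectors."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            if line.startswith("(per-socket policy)"):
                current = None
                continue
            src, dst, _proto = line.split()
            current = {"src": src.split("[")[0], "dst": dst.split("[")[0]}
            entries.append(current)
        elif current is not None:
            fields = line.split()
            if fields[1:2] == ["prio"]:
                current["dir"] = fields[0]
            elif fields[0].startswith("esp/tunnel/"):
                current["src_gw"], current["dst_gw"] = fields[0].split("/")[2].split("-")
    return [e for e in entries if "src_gw" in e]


def audit_tunnel(entries, local_gw, remote_gw, local_lan, remote_lan):
    """Findings for this gateway's SPD. Expected: an out policy
    local_lan -> remote_lan wrapped local_gw -> remote_gw, and an in policy
    remote_lan -> local_lan wrapped remote_gw -> local_gw. Empty list = OK."""
    want = {
        "out": (local_lan, remote_lan, local_gw, remote_gw),
        "in": (remote_lan, local_lan, remote_gw, local_gw),
    }
    seen = {}
    for e in entries:
        seen.setdefault(e["dir"], []).append((e["src"], e["dst"], e["src_gw"], e["dst_gw"]))
    findings = []
    for direction, expected in want.items():
        got = seen.get(direction, [])
        if expected in got:
            continue
        if got:
            findings.append(f"{direction} policy present but differs from {expected}: {got}")
        else:
            findings.append(f"no {direction} policy for {expected[0]} -> {expected[1]}")
    # Linux derives the fwd policy from in; an explicit fwd for traffic
    # leaving the local LAN is surplus and worth a look
    for sel in seen.get("fwd", []):
        if sel[0] == local_lan:
            findings.append(f"fwd policy for local LAN traffic {sel} is surplus")
    return findings


if __name__ == "__main__":
    spd = parse_spd_dump(SAMPLE_DUMP)
    for f in audit_tunnel(spd, "10.0.11.26", "10.0.11.20", "192.168.1.0/24", "192.168.2.0/24"):
        print("finding:", f)
```

On a live box the same check runs over `subprocess.check_output(["setkey", "-DP"], text=True)`. For the sample, the `out` and `in` policies are exactly what server 1 needs, so the only finding is the extra `fwd` policy for traffic leaving 192.168.1.0/24, which salahx noted earlier in the thread Linux already derives from the `in` rule; running the audit with the two servers' roles swapped reports the out, in and fwd entries as all wrong, which is the quick way to spot a config copied to the wrong host.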

----------

## salahx

OK, if server1 has an external IP of 10.0.11.26 and an internal IP of 192.168.1.1 (with 192.168.1.0/24 behind it) and server2 has an external IP of 10.0.11.20 and an internal IP of 192.168.2.1 (with 192.168.2.0/24 behind it), then it should go something like this:

For server1 /etc/ipsec.conf:

```
#!/usr/sbin/setkey -f

flush;
spdflush;

spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
     esp/tunnel/10.0.11.26-10.0.11.20/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
     esp/tunnel/10.0.11.26-10.0.11.20/require;
```

for server2 /etc/ipsec.conf:

```
flush;
spdflush;

spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec
     esp/tunnel/10.0.11.20-10.0.11.26/require;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P in ipsec
     esp/tunnel/10.0.11.20-10.0.11.26/require;
```

Now, from server1, ping 192.168.2.1. You should see it go over the tunnel. Note, however, that with this setup, any traffic going directly from 10.0.11.26 to 10.0.11.20 (or vice versa) does NOT go over the tunnel, only traffic from 192.168.1.0/24 to 192.168.2.0/24 (or vice versa). So "ping 10.0.11.20" from 10.0.11.26 does NOT go over the IPsec tunnel with these rules, but if you want it to, adding a rule to do that is simple.

----------

## unax

 *salahx wrote:*   

> Now, from server1, ping 192.168.2.1. You should see it go over the tunnel.

 

The whole problem is that the tunnel is not created. I have already tried many variants of different configurations... and still don't see my error.

I get the impression that the server does not even try to establish a connection...

----------

## salahx

Maybe something is wrong with /etc/racoon/racoon.conf. There's a lot of extraneous stuff in there.

I suspect this ought to work (unfortunately, while experimenting with this I killed the other machine and have no physical access to it right now).

For 10.0.11.26:

```
path pre_shared_key "/etc/racoon/psk.txt";
path script "/etc/racoon/scripts";

remote 10.0.11.20 {
        exchange_mode main;
        my_identifier address 10.0.11.26;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 14;
        }
}

sainfo subnet 192.168.1.0/24 any address 192.168.2.0/24 any {
        pfs_group 2;
        encryption_algorithm aes, 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

sainfo address 10.0.11.20 any address 10.0.11.26 any {
        pfs_group 2;
        encryption_algorithm aes, 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
```

For 10.0.11.20:

```
path pre_shared_key "/etc/racoon/psk.txt";
path script "/etc/racoon/scripts";

remote 10.0.11.26 {
        exchange_mode main;
        my_identifier address 10.0.11.20;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 14;
        }
}

sainfo subnet 192.168.2.0/24 any address 192.168.1.0/24 any {
        pfs_group 2;
        encryption_algorithm aes, 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

sainfo address 10.0.11.26 any address 10.0.11.20 any {
        pfs_group 2;
        encryption_algorithm aes, 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
```

You probably don't need both sainfo statements, but I'm not sure which one is correct; having both won't do any harm.

----------

## salahx

OK, after some tests, this ought to do it. I've tested between 2 machines and packets flow through the tunnel.

For 10.0.11.26 racoon.conf:

```
path pre_shared_key "/etc/racoon/psk.txt";
path script "/etc/racoon/scripts";

remote 10.0.11.20 {
        exchange_mode main;
        my_identifier address 10.0.11.26;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 14;
        }
}

sainfo subnet 192.168.1.0/24 any address 192.168.2.0/24 any {
        pfs_group 2;
        encryption_algorithm aes, 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
```

For 10.0.11.26 ipsec.conf:

```
#!/usr/sbin/setkey -f

flush;
spdflush;

spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
     esp/tunnel/10.0.11.26-10.0.11.20/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
     esp/tunnel/10.0.11.20-10.0.11.26/require;
```

For 10.0.11.20 racoon.conf:

```
path pre_shared_key "/etc/racoon/psk.txt";
path script "/etc/racoon/scripts";

remote 10.0.11.26 {
        exchange_mode main;
        my_identifier address 10.0.11.20;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 14;
        }
}

sainfo subnet 192.168.2.0/24 any address 192.168.1.0/24 any {
        pfs_group 2;
        encryption_algorithm aes, 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
```

For 10.0.11.20 ipsec.conf:

```
#!/usr/sbin/setkey -f

flush;
spdflush;

spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec
     esp/tunnel/10.0.11.20-10.0.11.26/require;
spdadd 192.168.1.0/24 192.168.2.0/24 any -P in ipsec
     esp/tunnel/10.0.11.26-10.0.11.20/require;
```

Now, on 10.0.11.26:

```
ping -I eth1 192.168.2.1
```

This will cause the tunnel to be established, and encrypted packets will start flying over the link (you may not get a reply from the ping; that's OK, we don't have routes set up yet).

You can see it with:

```
tcpdump -i eth0 ip proto 50
```

You'll need to create the required routes:

On 10.0.11.26:

```
ip route add 192.168.2.0/24 via 10.0.11.20
```

On 10.0.11.20:

```
ip route add 192.168.1.0/24 via 10.0.11.26
```

One other thing: on my machine, to get this to work, I had to disable reverse path filtering on the interface the packets were being tunneled over (in your case, that'll be eth0).

So you may need something like this on each machine:

```
echo -n 2 >/proc/sys/net/ipv4/conf/eth0/rp_filter
```
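The working pair of ipsec.conf files in this post follows one rule: each gateway's `in` policy is the other gateway's `out` policy with the selector and the tunnel endpoints both reversed, so the `in` policy names the tunnel remote-to-local. The following is an added example, not code from the thread or from ipsec-tools: it generates both setkey scripts from one description of the two sites, emits the route and rp_filter commands from this post, and checks the mirror property, so that the variant which lists the local gateway first in the `in` policy (as in an earlier reply) is caught. The `Site` class and the function names are this example's own; the addresses are the ones used in the thread.

```python
"""Mirrored setkey SPD files for a site-to-site ESP tunnel.

Added example, not code from the thread or from ipsec-tools. The Site
class, the function names and the policy layout are this example's own
choices; the addresses are the ones used in the thread.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    gateway: str   # outer address of the gateway, i.e. the tunnel endpoint
    lan: str       # inner network behind that gateway, CIDR


def spd_policy(direction, src_net, dst_net, src_gw, dst_gw):
    """One spdadd statement in the two-line layout used in the thread."""
    return (f"spdadd {src_net} {dst_net} any -P {direction} ipsec\n"
            f"     esp/tunnel/{src_gw}-{dst_gw}/require;")


def ipsec_conf(local, remote):
    """setkey script for `local`: out policy toward `remote` and its mirror.

    The in policy names the tunnel as remote_gw-local_gw because that is the
    outer header of the ESP packets that actually arrive at `local`.
    """
    lines = [
        "#!/usr/sbin/setkey -f",
        "flush;",
        "spdflush;",
        spd_policy("out", local.lan, remote.lan, local.gateway, remote.gateway),
        spd_policy("in", remote.lan, local.lan, remote.gateway, local.gateway),
    ]
    return "\n".join(lines) + "\n"


def route_commands(local, remote, outer_iface):
    """Route to the remote LAN via the remote gateway, plus the loose
    reverse-path filter (2) the thread needed on the outer interface."""
    return [
        f"ip route add {remote.lan} via {remote.gateway}",
        f"echo -n 2 >/proc/sys/net/ipv4/conf/{outer_iface}/rp_filter",
    ]


def policies(conf):
    """Parse a script from ipsec_conf() back into tuples
    (direction, src_net, dst_net, src_gw, dst_gw)."""
    found = []
    for stmt in conf.replace("\n", " ").split(";"):
        parts = stmt.split()
        if not parts or parts[0] != "spdadd":
            continue
        direction = parts[parts.index("-P") + 1]
        src_gw, dst_gw = parts[-1].split("/")[2].split("-")
        found.append((direction, parts[1], parts[2], src_gw, dst_gw))
    return found


def mirrored(conf_a, conf_b):
    """True when each side's out policy is exactly the other side's in policy."""
    pa, pb = policies(conf_a), policies(conf_b)

    def by_dir(ps, direction):
        return {p[1:] for p in ps if p[0] == direction}

    return by_dir(pa, "out") == by_dir(pb, "in") and by_dir(pb, "out") == by_dir(pa, "in")


# the two test servers from the thread
SERVER1 = Site("10.0.11.26", "192.168.1.0/24")
SERVER2 = Site("10.0.11.20", "192.168.2.0/24")

if __name__ == "__main__":
    for me, peer in ((SERVER1, SERVER2), (SERVER2, SERVER1)):
        print(f"# ipsec.conf on {me.gateway}")
        print(ipsec_conf(me, peer))
        print("\n".join(route_commands(me, peer, "eth0")), "\n")
    print("mirrored:", mirrored(ipsec_conf(SERVER1, SERVER2), ipsec_conf(SERVER2, SERVER1)))
```

The generator is deliberately the only place the endpoint order is written down: the `in` policy is derived from the same two `Site` values as the `out` policy, so the two files cannot drift apart, and `mirrored()` is the check to run whenever one side's file is edited by hand.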

----------

## unax

Hm... how does the kernel option "Network device support -> Universal TUN/TAP device driver support" affect how racoon works? Is this option required for IPsec tunnels?

Now I use OpenVPN, I like it, but I am setting up racoon too.

----------

## salahx

You don't need tap/tun support for IPsec (you do for OpenVPN, however).

The config files above should establish the tunnel. Remember though, make sure when testing that the applications are being bound to the right interface - in particular, most programs bind to the interface which has the default gateway.

So use something like this:

```
# ESP (50) and AH (51) on the outer interface
tcpdump -i eth0 ip proto 50 or 51
# source the test traffic from the internal interface / address
ping -I eth1 192.168.2.1
traceroute -s 192.168.1.1 192.168.2.1
```

You should see ESP packets flowing. Then the tricky part is setting up the routing; in my case, it got complicated because in the testbed I was using (2 computers connected via OpenVPN), neither was the default gateway (or even a router, so I had to turn on IP forwarding on both and convert them to routers) and both external connections were on the same subnet.

----------

## unax

I decided to continue experimenting and am getting closer to solving it... salahx, my great thanks.

But everything is still very strange.

In general, the main task is setting up tunnels gentoo<===>freebsd.

Right now there is a server with FreeBSD, and it has several working tunnels. On this server I created a new tunnel, like the others on it.

The main FreeBSD server is named "Server F", its IP = xx.xx.xx.xx, localnet = 10.10.1.0/24.

One of my Gentoo servers has IP = yy.yy.yy.yy, localnet = 10.10.5.1/24, name = "Server G".

Server G: net-firewall/ipsec-tools-0.7.3-r1  USE="iconv ipv6 nat pam rc5 readline -hybrid -idea -kerberos -ldap (-selinux)"

in /etc/racoon/racoon.conf:

```
path pre_shared_key "/etc/racoon/psk.txt";

remote xx.xx.xx.xx {
        exchange_mode main;
        my_identifier address yy.yy.yy.yy;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo subnet 10.10.5.0/24 any address 10.10.1.0/24 any
{
    pfs_group 2;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

```
#!/usr/sbin/setkey -f

flush;
spdflush;

spdadd 10.10.5.0/24 10.10.1.0/24 any -P out ipsec esp/tunnel/xx.xx.xx.xx-yy.yy.yy.yy/require;
spdadd 10.10.1.0/24 10.10.5.0/24 any -P in ipsec esp/tunnel/yy.yy.yy.yy-xx.xx.xx.xx/require;
```

/etc/conf.d/racoon 

```
RACOON_OPTS=" -l /var/log/racoon.log -v"
RACOON_CONF="/etc/racoon/racoon.conf"
RACOON_PSK_FILE="/etc/racoon/psk.txt"
SETKEY_CONF="/etc/ipsec.conf"
RACOON_RESET_TABLES="true"
```

/etc/racoon/psk.txt exists too.

The firewall has the correct configuration (iptables and ipfw).

1) `# /etc/init.d/ipsec start`

```
 * Starting IPSEC ... ...
ipsec_setup: Starting Openswan IPsec 2.4.15...
```

and it thinks for a long, long time... Then I press Ctrl+C... It is unclear why it doesn't start correctly o_O

More... time to try starting racoon.

2) `/etc/init.d/racoon start`; `ps ax` says: `/usr/sbin/racoon -f /etc/racoon/racoon.conf -l /var/log/racoon.log -v`

I look in the log file on Server F for a connection attempt... and there is nothing about a tunnel from Server G!

OK, let's look at the log file on Server G...

```
2010-12-23 05:49:12: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
2010-12-23 05:49:12: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
2010-12-23 05:49:12: INFO: Reading configuration from "/etc/racoon/racoon.conf"
2010-12-23 05:49:13: ERROR: failed to bind to address 127.0.0.1[500] (Address already in use).  <= x_X
2010-12-23 05:49:13: ERROR: failed to bind to address 10.10.5.1[500] (Address already in use).
2010-12-23 05:49:13: ERROR: failed to bind to address yy.yy.yy.yy[500] (Address already in use).
2010-12-23 05:49:13: ERROR: failed to bind to address ::1[500] (Address already in use).
2010-12-23 05:49:13: INFO: fe80::2e0:4cff:fea0:8bbf%eth0[500] used as isakmp port (fd=6)
2010-12-23 05:49:13: INFO: fe80::4e00:10ff:fea1:95b9%eth1[500] used as isakmp port (fd=7)
2010-12-23 06:27:17: INFO: caught signal 15
```

"Address in use" - in use by what? What does this mean... And what does the ipsec start problem mean...

----------

## salahx

"Address in use" means something is already listening on that port. If you're trying to run both Openswan and racoon on the same machine, don't, as they both do the same thing and will conflict with one another.

----------

## unax

OK... now I start without ipsec (to avoid any conflict).

Log on Server G:

```
2010-12-24 04:21:26: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
2010-12-24 04:21:26: INFO: @(#)This product linked OpenSSL 0.9.8n 24 Mar 2010 (http://www.openssl.org/)
2010-12-24 04:21:26: INFO: Reading configuration from "/etc/racoon/racoon.conf"
2010-12-24 04:21:26: INFO: 127.0.0.1[500] used as isakmp port (fd=6)
2010-12-24 04:21:26: INFO: 127.0.0.1[500] used for NAT-T
2010-12-24 04:21:26: INFO: 10.10.5.1[500] used as isakmp port (fd=7)
2010-12-24 04:21:26: INFO: 10.10.5.1[500] used for NAT-T
2010-12-24 04:21:26: INFO: yy.yy.yy.yy[500] used as isakmp port (fd=8)
2010-12-24 04:21:26: INFO: yy.yy.yy.yy[500] used for NAT-T
2010-12-24 04:21:26: INFO: ::1[500] used as isakmp port (fd=9)
2010-12-24 04:21:26: INFO: fe80::2e0:4cff:fea0:8bbf%eth0[500] used as isakmp port (fd=10)
2010-12-24 04:21:26: INFO: fe80::4e00:10ff:fea1:95b9%eth1[500] used as isakmp port (fd=11)
```

and looking at the Server F logs: nothing again! No logs about a connection attempt from Server G.

I absolutely don't understand why it was not trying to connect to Server F >_<

----------

## salahx

racoon won't bring up the tunnel until something actually needs it. So do:

```
ping -I eth1 10.10.1.0
```

(where eth1 is the interface connected to your INTERNAL network). You should see the tunnel get established.

----------

## unax

Yes, it works! I just forgot some rules for the firewall, but tcpdump fixed my problems with iptables :)

P.S.

Maybe it will be helpful to someone... Something about a firewall for client-server (remote office).

This example of iptables rules applies only to the local networks of the offices.

```
#!/bin/sh
IPTABLES=/sbin/iptables     # not defined in the original script; adjust the path if needed

LOCAL_NET=10.10.5.0/24      # office network
LAN_IP=10.10.5.1            # IP of the office gateway
WAN_IP=yy.yy.yy.yy          # IP of ppp0
REMOTE_LAN=10.0.10.0/24     # remote LAN
IPSEC_SERVER=xx.xx.xx.xx    # server of the main office
IINTERFACE=eth1             # office LAN
OINTERFACE=eth0             # for PPPoE
VINTERFACE=ppp0             # PPPoE interface

# traffic from the remote LAN addressed to this gateway
$IPTABLES -A INPUT -i $IINTERFACE -s $REMOTE_LAN -j ACCEPT
$IPTABLES -A INPUT -i lo -s $REMOTE_LAN -j ACCEPT
# IKE (500), NAT-T (4500), ESP, AH and GRE, only from the main office server
$IPTABLES -A INPUT -p udp -s $IPSEC_SERVER -d $WAN_IP --dport 500 -j ACCEPT
$IPTABLES -A INPUT -p udp -s $IPSEC_SERVER -d $WAN_IP --dport 4500 -j ACCEPT
$IPTABLES -A INPUT -p esp -s $IPSEC_SERVER -d $WAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ah  -s $IPSEC_SERVER -d $WAN_IP -j ACCEPT
$IPTABLES -A INPUT -p gre -s $IPSEC_SERVER -d $WAN_IP -j ACCEPT

# list of office LAN IPs with full internet access
inet=`cat /etc/firewall/IP_FULL_ACCEESS_LIST | grep -v "#"`

# office LAN <-> remote LAN through the tunnel
$IPTABLES -A FORWARD -i $IINTERFACE -o $VINTERFACE -d $REMOTE_LAN -s $LOCAL_NET -j ACCEPT
$IPTABLES -A FORWARD -i $VINTERFACE -o $IINTERFACE -s $REMOTE_LAN -d $LOCAL_NET -j ACCEPT
$IPTABLES -A FORWARD -i $VINTERFACE -o $IINTERFACE ! --source $REMOTE_LAN --destination $LOCAL_NET --match state --state ESTABLISHED -j ACCEPT

# internet access only for the listed hosts (tunnel traffic excluded)
for ip in $inet; do
  $IPTABLES -A FORWARD -i $IINTERFACE -o $VINTERFACE --source $ip ! --destination $REMOTE_LAN --match state --state NEW,ESTABLISHED -j ACCEPT
done

# NAT everything leaving the office except tunnel traffic
$IPTABLES -t nat -A POSTROUTING -s $LOCAL_NET ! -d $REMOTE_LAN -o $VINTERFACE -p ALL -j SNAT --to-source $WAN_IP
```

----------

## unax

I have a tiny question...

If I specify the interface, the traffic goes into the tunnel:

 *Quote:*   

> ping -I eth1 10.100.1.100

 

where 10.100.1.0/24 is the remote subnet.

How do I configure routing for direct access (just `ping 10.100.1.10`)?

If I set a new route:

 *Quote:*   

> route add -net 10.100.1.0/24 dev eth0

 

there is no access to the remote subnet. Perhaps this can be done with iptables, but I do not know exactly what to write.

----------

## unax

So... one route solved my problem:

```
# ip route add <remote lan> via <global ip of router> src <local ip of router>
```

Everything is fine.

----------

