# "WLAN-through-VPN" setup (IPsec)

## Holly

I'm going to set up a WLAN at home and have several questions. As I think the WLAN encryption is not secure enough, I want to tunnel the connection through an IPsec VPN (Super FreeS/WAN).

The network topology looks like the following. So far everything but the WLAN stuff exists.

```
                          <Internet>
                               |
                               | ppp0/eth2
                               |
                 eth0   192.168.100.42
192.168.0.0/24---------internet gateway
  ethernet          |-->and vpn server
                    |          |
                    |          | eth1
                    |          |
                    |   192.168.100.0/24 --------- 192.168.100.1
                    |      ethernet              Windows-Workstation
                  V |          |
                  P |          |
                  N |          |
                    |   192.168.100.100 (192.168.200.X ?)
                    |  WLAN Access Point
                    |          |
                    |          |
                    |          |
                    |-->192.168.200.0/24
                         <WLAN Clients>
```

So, the WLAN clients should only be able to connect to the VPN server on 192.168.100.42 via their "normal" connection. But when they connect through the VPN, they should have access to the whole network (192.168.0.0/24, 192.168.100.0/24 and the internet).

The first question regards the routing to the access point. Does it have to have an IP address in the Ethernet subnet 192.168.100.0/24 or in the WLAN subnet 192.168.200.0/24?

Besides that I have some problems with IPsec. I'm currently testing it with a Windows XP machine (192.168.100.1).

The Windows machine times out:

```
Error 792: The L2TP connection attempt failed because security negotiation timed out.
```

And I'm getting the following error messages in syslog when I connect.

```
Dec 21 22:34:23 [pluto] packet from 192.168.100.1:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Dec 21 22:34:23 [pluto] "heartofgold"[1] 192.168.100.1 #1: responding to Main Mode from unknown peer 192.168.100.1
Dec 21 22:34:23 [pluto] "heartofgold"[1] 192.168.100.1 #1: Peer ID is ID_IPV4_ADDR: '192.168.100.1'
Dec 21 22:34:23 [pluto] "heartofgold"[1] 192.168.100.1 #1: sent MR3, ISAKMP SA established
Dec 21 22:34:23 [pluto] "heartofgold"[1] 192.168.100.1 #1: cannot respond to IPsec SA request because no connection is known for 192.168.100.42:17/0...192.168.100.1:17/1701
Dec 21 22:34:23 [pluto] "heartofgold"[1] 192.168.100.1 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.100.1:500
Dec 21 22:34:24 [pluto] "heartofgold"[1] 192.168.100.1 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xa7daab92 (perhaps this is a duplicated packet)
Dec 21 22:34:24 [pluto] "heartofgold"[1] 192.168.100.1 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.100.1:500
```

The connection in ipsec.conf:

```
conn heartofgold
   right=192.168.100.42
   left=%any
   rightsubnet=0.0.0.0/0
   auto=add
```

And this is what `ipsec auto --status` says while I'm trying to connect:

```
000 interface ipsec0/eth1 192.168.100.42
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168, keysizemax=168
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=65289, name=OAKLEY_SSH_PRIVATE_65289, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=6, name=OAKLEY_CAST_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536 (extension), bits=1536
000 algorithm IKE dh group: id=42048, name=OAKLEY_GROUP_MODP2048 (extension), bits=2048
000 algorithm IKE dh group: id=43072, name=OAKLEY_GROUP_MODP3072 (extension), bits=3072
000 algorithm IKE dh group: id=44096, name=OAKLEY_GROUP_MODP4096 (extension), bits=4096
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "heartofgold"[1]: 0.0.0.0/0===192.168.100.42...192.168.100.1
000 "heartofgold"[1]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "heartofgold"[1]:   policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: eth1; unrouted
000 "heartofgold"[1]:   newest ISAKMP SA: #1; newest IPsec SA: #0; eroute owner: #0
000 "heartofgold"[1]:   IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, 5_000-1-1, 5_000-2-1, flags=-strict
000 "heartofgold"[1]:   IKE algorithms found:  5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2, 5_192-1_128-1, 5_192-2_160-1,
000 "heartofgold"[1]:   IKE algorithm newest: 3DES_CBC_192-SHA-MODP1024
000 "heartofgold"[1]:   ESP algorithms wanted: 3_000-1, flags=-strict
000 "heartofgold"[1]:   ESP algorithms loaded: 3_168-1_096,
000 "heartofgold": 0.0.0.0/0===192.168.100.42...%any
000 "heartofgold":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "heartofgold":   policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK; interface: eth1; unrouted
000 "heartofgold":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "heartofgold":   IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, 5_000-1-1, 5_000-2-1, flags=-strict
000 "heartofgold":   IKE algorithms found:  5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2, 5_192-1_128-1, 5_192-2_160-1,
000 "heartofgold":   ESP algorithms wanted: 3_000-1, flags=-strict
000 "heartofgold":   ESP algorithms loaded: 3_168-1_096,
000
000 #1: "heartofgold"[1] 192.168.100.1 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3328s; newest ISAKMP
```

I guess I will be able to set the WLAN up correctly when I have it, but IPsec is a pain in the ass.

----------
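
What the pluto log above is saying, and a conn definition that matches it, as an added example that is not Holly's configuration and not taken from the FreeS/WAN documentation. Phase 1 is fine: "sent MR3, ISAKMP SA established" means the PSK and the 3DES/SHA/MODP1024 proposal were accepted. The failure is in Quick Mode. The Windows XP client does L2TP over IPsec, so it asks for a transport-mode SA that covers only UDP 1701, and pluto prints the proposal as `192.168.100.42:17/0...192.168.100.1:17/1701` (port 0 on the server side, 1701 on the client side). The `heartofgold` conn is a tunnel for `0.0.0.0/0`, so no connection matches, pluto answers INVALID_ID_INFORMATION, the client retransmits the same Quick Mode message (the INVALID_MESSAGE_ID lines, and the four unanswered `oakley-quick` packets in the tcpdump further down the thread) and Windows eventually gives up with error 792. The script below prints a conn and an `ipsec.secrets` line that match what the client proposes. The conn name `l2tp-psk`, `pfs=no`, `leftprotoport=17/0` (chosen to match the port 0 in the log; `17/1701` is the alternative on a pluto that treats 1701 as matching 0) and the `SERVER` variable are choices made here, and the generated PSK is a placeholder that has to be entered on the XP side as well. IPsec only protects the UDP 1701 carrier: an L2TP daemon and pppd still have to run on the gateway to terminate the tunnel and hand out addresses, which this example does not set up.

```shell
#!/bin/sh
# Added example: a Super FreeS/WAN conn matching the Windows XP L2TP/IPsec
# client (transport mode, UDP 1701) plus a pre-shared key for ipsec.secrets.
# Only the server address comes from the post; everything else is chosen here.

SERVER=${SERVER:-192.168.100.42}   # the gateway's eth1 address (from the post)

# Random 48-hex-character PSK. Placeholder: the same string must be entered on
# the XP client (connection properties, Security, IPSec Settings).
gen_psk() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# The conn. "heartofgold" was tunnel mode for 0.0.0.0/0; the XP client asks
# for transport mode covering UDP 1701 only, so that is what we offer.
l2tp_conn() {
    cat <<EOF
conn l2tp-psk
    # transport mode: the client proposes an SA for a UDP port, not a subnet
    type=transport
    authby=secret
    # the XP client does not propose PFS; with pfs=yes pluto refuses a Quick
    # Mode proposal that has no DH group in it
    pfs=no
    left=$SERVER
    # the client proposes port 0 for the server side (the 17/0 in the log)
    leftprotoport=17/0
    right=%any
    # the client's own side is UDP 1701 (the 17/1701 in the log)
    rightprotoport=17/1701
    auto=add
EOF
}

# ipsec.secrets line: this PSK is used for any peer that talks to $SERVER.
psk_line() {
    printf '%s %%any: PSK "%s"\n' "$SERVER" "$1"
}

# sh l2tp-conn.sh conn   >> /etc/ipsec.conf
# sh l2tp-conn.sh secret >> /etc/ipsec.secrets
case "${1:-}" in
    conn)   l2tp_conn ;;
    secret) psk_line "$(gen_psk)" ;;
esac
```

After appending the two fragments, `ipsec auto --rereadsecrets` and `ipsec auto --add l2tp-psk` load them without restarting pluto. The `right=%any` conn is only instantiated when a peer shows up, so `ipsec auto --status` will show `0.0.0.0/0===...` for the old conn and a `l2tp-psk` entry for the new one; what should change is that the client's Quick Mode request now finds a connection instead of producing the "no connection is known" line.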

## Holly

OK, the WLAN itself works. The setup is a little different from the drawing above, but I think the changes don't affect the VPN.

I'm still stuck with that problem. Connecting to the VPN via WLAN doesn't change anything. Does anybody have an idea?

----------

## Holly

Well, does anyone have *any* working (Super) FreeS/WAN config that is similar to mine? I can't imagine I'm the only one who uses this kind of setup.

----------

## Holly

I have some more information on my problem. I tcpdump'ed the traffic during a VPN connection attempt (heartofgold is the server, deepthought the Windows client):

```
tcpdump: listening on eth1
03:15:00.791188 deepthought.1031 > heartofgold.domain:  107+ A? heartofgold. (39)
03:15:00.793457 heartofgold.domain > deepthought.1031:  107* 1/0/0 A[|domain] (DF)
03:15:00.818779 deepthought.1471 > heartofgold.1723: S 3870137625:3870137625(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
03:15:00.818976 heartofgold.1723 > deepthought.1471: R 0:0(0) ack 3870137626 win 0 (DF)
03:15:01.260230 deepthought.1471 > heartofgold.1723: S 3870137625:3870137625(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
03:15:01.260474 heartofgold.1723 > deepthought.1471: R 0:0(0) ack 1 win 0 (DF)
03:15:01.760968 deepthought.1471 > heartofgold.1723: S 3870137625:3870137625(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
03:15:01.761236 heartofgold.1723 > deepthought.1471: R 0:0(0) ack 1 win 0 (DF)
03:15:01.790607 deepthought.1031 > heartofgold.domain:  108+ A? heartofgold. (39)
03:15:01.791314 heartofgold.domain > deepthought.1031:  108* 1/0/0 A[|domain] (DF)
03:15:01.819599 deepthought.500 > heartofgold.500: isakmp: phase 1 I ident: [|sa]
03:15:01.819865 heartofgold > deepthought: icmp: heartofgold udp port 500 unreachable [tos 0xc0]
03:15:02.813509 deepthought.500 > heartofgold.500: isakmp: phase 1 I ident: [|sa]
03:15:02.813804 heartofgold > deepthought: icmp: heartofgold udp port 500 unreachable [tos 0xc0]
03:15:04.816631 deepthought.500 > heartofgold.500: isakmp: phase 1 I ident: [|sa]
03:15:04.818200 heartofgold.500 > deepthought.500: isakmp: phase 1 R ident: [|sa] (DF)
03:15:04.878904 deepthought.500 > heartofgold.500: isakmp: phase 1 I ident: [|ke]
03:15:04.912604 heartofgold.500 > deepthought.500: isakmp: phase 1 R ident: [|ke] (DF)
03:15:04.941091 deepthought.500 > heartofgold.500: isakmp: phase 1 I ident[E]: [encrypted id]
03:15:04.942899 heartofgold.500 > deepthought.500: isakmp: phase 1 R ident[E]: [encrypted id] (DF)
03:15:04.944568 deepthought.500 > heartofgold.500: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash]
03:15:05.938233 deepthought.500 > heartofgold.500: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash]
03:15:07.940526 deepthought.500 > heartofgold.500: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash]
03:15:11.947012 deepthought.500 > heartofgold.500: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash]
03:15:14.232225 deepthought.500 > heartofgold.500: isakmp: phase 2/others I inf[E]: [encrypted hash]
03:15:14.234019 heartofgold.500 > deepthought.500: isakmp: phase 2/others R inf[E]: [encrypted hash] (DF)
```

Might the "udp port 500 unreachable" be a problem? Actually, no port should be blocked, e.g. by iptables.

----------

## puke

You must allow IPsec packets (IKE on UDP port 500 plus ESP, protocol 50) in and out of your gateway.

Ripped from freeswan.org:

```
# $world is the internet-facing interface of the gateway

# IKE negotiations
iptables -A INPUT  -p udp -i $world --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp -o $world --sport 500 --dport 500 -j ACCEPT

# ESP encryption and authentication
iptables -A INPUT  -p 50 -i $world -j ACCEPT
iptables -A OUTPUT -p 50 -o $world -j ACCEPT
```

Optionally, you could restrict this, allowing these packets only to and from a list of known gateways.

----------
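
The rules quoted from freeswan.org open IKE and ESP on the internet side. For the topology in the first post the rules that matter are on the inside: WLAN clients on 192.168.200.0/24 should be able to reach only UDP 500 and ESP on 192.168.100.42 in the clear, and everything else from them should be accepted only once it has been decrypted. With KLIPS (the `ipsec0/eth1` line in the status output) decrypted packets re-enter the stack on `ipsec0`, so a rule can tell them apart from cleartext arriving on eth1. The script below, an added example that is not from the thread or from freeswan.org, does that for the L2TP/IPsec case and also answers the routing question from the first post: an access point that routes between the two subnets needs an address in each of them (192.168.100.100 on the wired side in the drawing), and the gateway needs a route back to 192.168.200.0/24 through it. The `WLAN` chain name, the L2TP address pool 192.168.201.0/24 (what pppd would hand to tunnelled clients), the uplink interface `ppp0`, MASQUERADE for internet access and the `IPT`/`IP` variables are assumptions; the subnets and addresses come from the post. Running it with `IPT=echo` prints the rules instead of loading them.

One caveat when reading the tcpdump in the fourth post in the light of the firewall suggestion: an ICMP "udp port 500 unreachable" is sent when no socket is bound to the port, or when an iptables REJECT rule is hit; a DROP rule produces no reply at all. Since the same port answers the third IKE packet two seconds later in the same capture, the first two were most likely sent before pluto had finished binding to eth1, not filtered.

```shell
#!/bin/sh
# Added example (not from the thread or freeswan.org): gateway rules for the
# "WLAN through VPN" topology. Cleartext from the WLAN subnet may carry only
# IKE and ESP to the VPN server; everything else has to arrive decrypted,
# which with KLIPS means on the ipsec0 interface (status: "ipsec0/eth1").

IPT=${IPT:-iptables}        # set IPT=echo to print the rules instead of loading them
IP=${IP:-ip}
WLAN_NET=192.168.200.0/24   # WLAN clients (from the post)
GW=192.168.100.42           # VPN server address on eth1 (from the post)
AP_WIRED=192.168.100.100    # access point's wired-side address (from the drawing)
L2TP_POOL=192.168.201.0/24  # assumption: addresses pppd hands to L2TP clients
WAN_IF=ppp0                 # assumption: internet uplink, as in the drawing

# The access point routes between the two subnets, so the gateway needs a
# route back to the WLAN subnet through the AP's wired address.
wlan_route() {
    $IP route add $WLAN_NET via $AP_WIRED dev eth1
}

wlan_firewall() {
    # Chain for cleartext packets from WLAN clients (anything not from ipsec0).
    $IPT -N WLAN 2>/dev/null || $IPT -F WLAN
    $IPT -A INPUT   -s $WLAN_NET ! -i ipsec0 -j WLAN
    $IPT -A FORWARD -s $WLAN_NET ! -i ipsec0 -j WLAN
    $IPT -A WLAN -d $GW -p udp --dport 500 -j ACCEPT   # IKE
    $IPT -A WLAN -d $GW -p esp -j ACCEPT               # ESP, IP protocol 50
    $IPT -A WLAN -j LOG --log-prefix "wlan-cleartext: "
    $IPT -A WLAN -j DROP

    # Decrypted L2TP shows up on ipsec0 with the client's WLAN address; this
    # is the only path on which UDP 1701 may reach the L2TP daemon. Cleartext
    # 1701 from the WLAN is already dropped above; block it from the internet.
    $IPT -A INPUT -i ipsec0 -s $WLAN_NET -d $GW -p udp --dport 1701 -j ACCEPT
    $IPT -A INPUT -i $WAN_IF -p udp --dport 1701 -j DROP

    # Inside the tunnel the client speaks PPP and gets a pool address; that
    # traffic may go to the wired LAN and to the internet.
    $IPT -A FORWARD -s $L2TP_POOL -j ACCEPT
    $IPT -A FORWARD -d $L2TP_POOL -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -s $L2TP_POOL -o $WAN_IF -j MASQUERADE
}

# sh wlan-fw.sh show    prints the rules;  sh wlan-fw.sh apply   loads them
case "${1:-}" in
    apply) wlan_route; wlan_firewall ;;
    show)  IPT=echo IP=echo; wlan_route; wlan_firewall ;;
esac
```

The rules are appended, so they only have the intended effect if no earlier rule in INPUT or FORWARD already accepts traffic from 192.168.200.0/24; on a gateway with an existing rule set, run this before the generic accept rules or use `-I`. The WLAN chain treats the wireless segment as hostile by design: an attacker who gets onto the WLAN sees only IKE and ESP on the gateway, and the L2TP daemon (which speaks PPP and does its own authentication) is never exposed in the clear.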

