IPSec (FreeS/WAN) anyone??

Matthew Carpenter matt
Mon May 17 11:48:37 PDT 2004


eww....  
That is definitely a hack, but if it works for the way you have to work.... 
the script is not bad in a pinch.  :)
Obviously it would be recommended to use static IPs.


On Tue, 24 Jun 2003 15:06:56 -0300
"Federico Voges" <fvoges at intrasoft.com.ar> wrote:

> 
> Hi,
> 
> On Tue, 24 Jun 2003 10:28:03 -0400, Matthew Carpenter wrote:
> 
> >First off, please describe your testing in depth.  FreeS/WAN gateways do
> >not use the tunnel by default so pinging through the tunnel from one of the
> >gateways won't work.  If you wish to test the tunnel you need to ping
> >through the tunnel using appropriately addressed hosts on either side of
> >the gateways.
> >
> 
> Searching the freeswan site again, I found that piece of info. BTW it
> should be mentioned in the quick start page and in the configuration
> page of the documentation ;)
> 
> After doing some ugly scripting to deal with my sub-optimal setup
> (dynamic IP on both ends), the VPN is now working.
> 
> Let me describe the situation:
> 
> 192.168.10.0/24     192.168.10.1 - dyn. IP
> BUE-NET ------------- BUE-GW (postgres server) [ADSL modem] ---------+
>                                                                      |
>                                                                    INET
> 192.168.11.0/24     192.168.11.1 - dyn. IP                           |
> NQN-NET ------------- NQN-GW [ADSL modem] ---------------------------+
> 
> I have 3 tunnels: net-net and net-gw (one for each end so ping works as
> expected).
> 
> The hack I'm using right now is this:
> 
> * Every morning (about 6:00am) I force NET-GW to reconnect (adsl-stop,
> wait, adsl-start)
> * ip-up.local (both ends) has some really ugly stuff(tm) in it:
> 
> #!/bin/bash
> 
> # Test connection status. Thanks Telefonica for a great service (not!)
> # Sometimes we connect but we don't get a default gateway....
> route -n|grep -q "^0\.0\.0\.0"
> if [ $? -ne 0 ]; then 
>   echo "No default route. Dropping connection..."
>   killall -HUP pppd
>   exit 1
> fi
> 
> # Test connection status. Thanks Telefonica for a great service (not!)
> # Sometimes we get a connection to a black hole.....
> ping -c 5 -w 5 200.69.192.31 >& /dev/null
> if [ $? -ne 0 ]; then 
>   echo "Can't ping to a known internet host. Dropping connection..."
>   killall -HUP pppd
>   exit 1
> fi
> 
> # Stop FreeS/WAN
> /usr/sbin/rcipsec stop >& /dev/null
> sleep 3
> # make sure ipsec is dead otherwise it won't start again
> /usr/bin/killall pluto >& /dev/null
> rm /var/run/pluto.pid >& /dev/null
> rmmod -r ipsec >& /dev/null
> 
> # Update DDNS
> echo "Updating DDNS..."
> /usr/bin/lynx -dump "SOME-SECRET-URL-:)" 
> if [ $? != 0 ]; then
>    # Danger! This could cause an endless loop ;)
>    echo "Ooops! Couldn't update DDNS! Dropping connection..."
>    /usr/bin/killall -HUP pppd
>    exit 1
> fi
> 
> # The TTL for the dynamic DNS A record is 6secs, let's wait 7secs
> sleep 7
> 
> # Let's restart IP Sec on the other GW (so it uses the new IP address)
> ssh OTHER-GW /usr/local/sbin/ipsec_hack.sh
> 
> # We restart IP Sec in our side
> /usr/sbin/rcipsec start
> ---EOF---
> 
> /usr/local/sbin/ipsec_hack.sh
> #!/bin/bash
> 
> /bin/logger -i -t "ipsec_hack" "Start"
> /bin/logger -i -t "ipsec_hack" "Stopping ipsec"
> /etc/init.d/ipsec stop >& /dev/null
> /bin/sleep 3
> /sbin/rmmod -r ipsec >& /dev/null
> /bin/rm /var/run/pluto.pid >& /dev/null
> /bin/sleep 3
> /bin/logger -i -t "ipsec_hack" "Starting ipsec"
> /etc/init.d/ipsec start >& /dev/null
> ---EOF---
> 
> The trick is restarting FreeS/WAN on the other side after updating the
> dynamic DNS but before restarting FreeS/WAN on this side. If IP Sec is
> running on this side all traffic to the other gw will go through the
> NET-GW tunnel which is down.
> 
> I know, it's a mess. But it's working ;)
> 
> Thinking again, I've realized that I'll probably need just one tunnel.
> 
> BUE-GW is the router/firewall and is running the PostgreSQL server. The
> desktops on both LANs (BUE-NET & NQN-NET) run the ERP software that
> connects to BUE-GW.
> 
> So, I think I'd only need a net-gw tunnel from NQN-NET to BUE-GW. 
> 
> As I said, both ends have dynamic IP (ADSL). I hope to switch to static
> IP (still using ADSL) as soon as the telco start offering the service.
> That will be just on BUE-GW (different telcos on each end and only one
> plans to offer static IP).
> 
> I have no other choice for the inet connection (except a leased line,
> which is waaay too expensive here).
> 
> Is my current setup too ugly?? Do you have any suggestion to improve
> it??
> 
> Once I get a static IP, what changes would I have to make? 
> 
> TIA!
> 
> >Secondly, if you are interested in a fairly decent Web-GUI for FreeS/WAN,
> >there is a pretty good WebMin module available.  Install WebMIN if you
> >haven't already (www.webmin.com) and then install the FreeS/WAN module. 
> > 
> 
> I have it installed, it comes with SCO Linux 4.0 (yup, first and only
> license sold in Argentina). But it's incomplete (i.e.: no tunnel status
> page), and it's not being developed (last version is about 2 years
> old).
> 
> Federico Voges
> Socio gerente
> 
> Intrasoft
> Malabia 2137 14 A
> (1425) Buenos Aires
> Argentina
> 
> Te/Fax: 54-11-4833-5182
> e-mail: fvoges at intrasoft.com.ar
> Web: http://www.intrasoft.com.ar
> 


-- 
Matthew Carpenter 
matt at e-i-s.cc                          http://www.e-i-s.cc/

Enterprise Information Systems
*Network Consulting, Integration & Support
*Web Development and E-Business
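A hardened rework of the ip-up.local hook quoted above, added here as an example (it is not Federico's script and not FreeS/WAN code): it keeps the same order of operations (default-route check, reachability probe, DDNS update, wait out the record's TTL, restart the peer, then restart locally) but bounds the endless loop the original comment flags with an attempt counter, puts timeouts on the DDNS update and the ssh, and runs only when pppd invokes it. DDNS_URL, OTHER_GW, PROBE_HOST, STATE_FILE and MAX_ATTEMPTS are assumed placeholders, and curl stands in for lynx.

```shell
#!/bin/bash
# Hardened rework of the thread's ip-up.local hook (example code, not Federico's script or
# FreeS/WAN's). DDNS_URL, OTHER_GW, PROBE_HOST are placeholders; STATE_FILE is an assumed name.
DDNS_URL="${DDNS_URL:-https://ddns.example.invalid/update}"
OTHER_GW="${OTHER_GW:-nqn-gw.example.invalid}"
PROBE_HOST="${PROBE_HOST:-192.0.2.1}"
STATE_FILE="${STATE_FILE:-/var/run/ipsec_hack.attempts}"
MAX_ATTEMPTS=3
DNS_TTL=6   # seconds; the thread's A record has a 6 s TTL, so the hook waits TTL + 1

# Report whether the given `route -n` output contains a default (0.0.0.0) route.
has_default_route() {
    printf '%s\n' "$1" | grep -q '^0\.0\.0\.0[[:space:]]'
}

# Bump the consecutive-failure counter in file $1; return 0 once it exceeds $2, bounding the
# "endless loop" the original warns about: a dead DDNS service can't make us HUP pppd forever.
attempts_exceeded() {
    local n=0
    [ -r "$1" ] && n=$(cat "$1")
    n=$((n + 1))
    printf '%s\n' "$n" > "$1"
    [ "$n" -gt "$2" ]
}

drop_connection() {
    logger -i -t ipsec_hack "$1; dropping PPP link"
    killall -HUP pppd
    exit 1
}

main() {
    attempts_exceeded "$STATE_FILE" "$MAX_ATTEMPTS" &&
        { logger -i -t ipsec_hack "giving up after $MAX_ATTEMPTS attempts"; exit 1; }
    has_default_route "$(route -n)" || drop_connection "no default route"
    ping -c 5 -w 5 "$PROBE_HOST" >/dev/null 2>&1 || drop_connection "cannot reach $PROBE_HOST"
    /usr/sbin/rcipsec stop >/dev/null 2>&1; sleep 3
    # curl stands in for lynx -dump; --max-time stops a hung DDNS server from stalling the
    # hook. Keep the update credentials out of the script (curl reads ~/.netrc with -n).
    curl -fsSn --max-time 20 "$DDNS_URL" >/dev/null || drop_connection "DDNS update failed"
    sleep $((DNS_TTL + 1))
    # Restart the peer first, as the thread explains. Restrict the key used here with
    # command="/usr/local/sbin/ipsec_hack.sh" in the peer's authorized_keys.
    ssh -o BatchMode=yes -o ConnectTimeout=15 "$OTHER_GW" /usr/local/sbin/ipsec_hack.sh ||
        logger -i -t ipsec_hack "remote ipsec restart failed"
    /usr/sbin/rcipsec start && rm -f "$STATE_FILE"   # success resets the counter
}

# pppd exports PPP_IFACE to ip-up scripts; run the procedure only in that context.
[ -n "${PPP_IFACE:-}" ] && main
```

The route-table and counter helpers are plain functions, so the file can be sourced and exercised with constructed `route -n` output before it is wired into pppd.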

