ipcop support

community support forum

All times are UTC [ DST ]
Posted: Thu Feb 02, 2012 8:56 pm
New User

Joined: Thu Feb 02, 2012 8:51 pm
Posts: 6
Hi all,

I have an IPSec tunnel using the "shared secret" method of authentication; according to the GUI these tunnels are open. I am trying to route specific traffic across this interface, but I don't see any "virtual adapter" to route to through "ifconfig". The only adapters that come up are the green, red and lo interfaces. Any idea what I'm doing wrong here?


Posted: Thu Feb 02, 2012 9:48 pm
New User

Joined: Thu Feb 02, 2012 8:51 pm
Posts: 6
Ok so I have two hosts A and B. These have an IPSec tunnel OPEN between the two of them on the RED interface according to the GUI.

A has a local subnet of 10.204.35/24 and B has a local subnet of 10.11/16; these two need to be able to communicate with one another over the tunnel and route traffic between the two of them.

When I do an ifconfig on host A I get:
lan-1 Link encap:Ethernet HWaddr 00:50:56:95:00:0
inet addr:XX.XX.XX.150 Bcast:0.0.0.0 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:399885 errors:0 dropped:0 overruns:0 frame:0
TX packets:13982 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:39954423 (38.1 MiB) TX bytes:2822710 (2.6 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:516 errors:0 dropped:0 overruns:0 frame:0
TX packets:516 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:32226 (31.4 KiB) TX bytes:32226 (31.4 KiB)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:XX.XX.X.X P-t-P:10.32.6.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1400 Metric:1
RX packets:9799 errors:0 dropped:0 overruns:0 frame:0
TX packets:11951 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:922187 (900.5 KiB) TX bytes:9856473 (9.3 MiB)

wan-1 Link encap:Ethernet HWaddr 00:50:56:95:00:0d
inet addr:XX.XX.XX.XX Bcast:0.0.0.0 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:627640 errors:0 dropped:0 overruns:0 frame:0
TX packets:14491 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:39570381 (37.7 MiB) TX bytes:11188554 (10.6 MiB)

Is there not supposed to be another "virtual adapter" in this listing for the IPSec tunnel (like ipsec0) so that I can do a "route add....blah blah" to move traffic between these two subnets?

-Greg


Posted: Thu Feb 02, 2012 10:06 pm
User

Joined: Sat Jul 03, 2004 2:01 pm
Posts: 297
Greg Lucas wrote:
(...) but I don't see any "virtual adaptor" (...) Any idea what I'm doing wrong here?

There's nothing going wrong.

IPCop v2 makes use of IPsec 'NETKEY' (and not IPsec 'KLIPS' like IPCop v1.4 does).

_________________
If you don't see the fnord, it can't eat you.


Posted: Thu Feb 02, 2012 11:48 pm
New User

Joined: Thu Feb 02, 2012 8:51 pm
Posts: 6
Thanks for that. I'm trying to test the routing between the two by trying to ping the IP-Cop host on the other end. I'm not getting any response; do I have to set up these policies, or are they already set up for me when I enter the remote subnet in the IPSec configuration?

src 10.204.35.0/24 dst 10.11.0.0/16
dir out priority 2352
tmpl src XX.XX.XX.150 dst XX.XX.XX.150
proto esp reqid 16401 mode tunnel
src 10.11.0.0/16 dst 10.204.35.0/24
dir fwd priority 2352
tmpl src XX.XX.XX.150 dst XX.XX.XX.150
proto esp reqid 16401 mode tunnel
src 10.11.0.0/16 dst 10.204.35.0/24
dir in priority 2352
tmpl src XX.XX.XX.150 dst XX.XX.XX.150
proto esp reqid 16401 mode tunnel


PING XX.XX.X.150 (XX.XX.XX.150) 56(84) bytes of data.
^C
--- 10.11.1.150 ping statistics ---
517 packets transmitted, 0 received, 100% packet loss, time 516018ms

-Greg


Posted: Fri Feb 03, 2012 8:59 pm
Site Moderator

Joined: Wed Apr 28, 2004 1:27 am
Posts: 6779
Location: Beaumont, TX, USA
Check your firewall logs and see if IPCOP is blocking any of the traffic.


Posted: Fri Feb 03, 2012 10:56 pm
User

Joined: Sat Jul 03, 2004 2:01 pm
Posts: 297
Greg Lucas wrote:
I'm trying to test the routing between the two by trying to ping the IP-Cop host on the other end.

You try to ping directly from IPCop 'A' (via TTY or PuTTY) to IPCop 'B', right?

_________________
If you don't see the fnord, it can't eat you.


Posted: Fri Feb 03, 2012 11:50 pm
New User

Joined: Thu Feb 02, 2012 8:51 pm
Posts: 6
I can ping the external interfaces from IPCop A to IPCop B and vice versa just fine, but trying to ping the internal subnets is not working at all.

So from IPCop A on subnet 10.204.35/24 I get no response from 10.11/16 and vice versa.

Here's my policy table with the external IPs X'ed out:
src 10.204.35.0/24 dst 10.11.0.0/16
dir out priority 2352
tmpl src XX.XX.XX.150 dst XX.XX.XX.150
proto esp reqid 16389 mode tunnel
src 10.11.0.0/16 dst 10.204.35.0/24
dir fwd priority 2352
tmpl src XX.XX.XX.150 dst XX.XX.XX.150
proto esp reqid 16389 mode tunnel
src 10.11.0.0/16 dst 10.204.35.0/24
dir in priority 2352
tmpl src XX.XX.XX.150 dst XX.XX.XX.150
proto esp reqid 16389 mode tunnel

I did turn on all of the logging options and got this:
imuxsock begins to drop messages from pid 1777 due to rate-limiting

Is this a concern?

Or is there some really stupid setting to turn this routing "on"?

-Greg


Posted: Sat Feb 04, 2012 12:00 am
User

Joined: Sat Jul 03, 2004 2:01 pm
Posts: 297
Greg Lucas wrote:
So from IPCop A on subnet 10.204.35/24 I get no response from 10.11/16 (...)

Code:
ping -I lan-1 10.11.x.x

Greg Lucas wrote:
(...) and vice versa.

Code:
ping -I lan-1 10.204.35.x

_________________
If you don't see the fnord, it can't eat you.


Posted: Tue Feb 07, 2012 10:59 pm
New User

Joined: Thu Feb 02, 2012 8:51 pm
Posts: 6
Hi,

Thanks for that last post; I can ping the other hosts. So I guess another question would be:

Why am I pinging 10.11.x.x on lan-1? I would expect that IPSec would intercept the traffic to be run through the wan-1 interface, since it is being encrypted and sent out into the world to be decrypted on the other end.

-Greg


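The NETKEY behaviour this thread circles around, as an added example (not IPCop's code): with NETKEY there is no ipsec0 device; the kernel decides per packet whether to encapsulate by matching source and destination against the `dir out` selectors of the `ip xfrm policy` table quoted earlier. An echo request sourced from the GREEN address (what `ping -I lan-1` does) falls inside the 10.204.35.0/24 to 10.11.0.0/16 selector and is tunnelled, while one sourced from the RED address matches no selector and never enters the tunnel. The dump below is a constructed copy of the thread's table, with RFC 5737 documentation addresses standing in for the X'ed-out endpoints.

```python
import ipaddress
import re

# Constructed sample in the format of the thread's `ip xfrm policy` dump;
# 203.0.113.150 / 198.51.100.7 stand in for the X'ed-out RED endpoints.
POLICY_DUMP = """\
src 10.204.35.0/24 dst 10.11.0.0/16
    dir out priority 2352
    tmpl src 203.0.113.150 dst 198.51.100.7
        proto esp reqid 16389 mode tunnel
src 10.11.0.0/16 dst 10.204.35.0/24
    dir fwd priority 2352
    tmpl src 198.51.100.7 dst 203.0.113.150
        proto esp reqid 16389 mode tunnel
src 10.11.0.0/16 dst 10.204.35.0/24
    dir in priority 2352
    tmpl src 198.51.100.7 dst 203.0.113.150
        proto esp reqid 16389 mode tunnel
"""

SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)$")
DIR_RE = re.compile(r"^dir (\w+) priority (\d+)$")
TMPL_RE = re.compile(r"^tmpl src (\S+) dst (\S+)$")
MODE_RE = re.compile(r"^proto (\w+) reqid (\d+) mode (\w+)$")

def parse_policies(dump):
    """Turn the dump into one dict per `src ... dst ...` selector entry."""
    policies = []
    for raw in dump.splitlines():
        line = raw.strip()
        if m := SELECTOR_RE.match(line):
            policies.append({"src": ipaddress.ip_network(m[1]),
                             "dst": ipaddress.ip_network(m[2])})
        elif m := DIR_RE.match(line):
            policies[-1]["dir"], policies[-1]["priority"] = m[1], int(m[2])
        elif m := TMPL_RE.match(line):
            policies[-1]["tunnel"] = (m[1], m[2])   # outer ESP endpoints
        elif m := MODE_RE.match(line):
            policies[-1]["proto"], policies[-1]["mode"] = m[1], m[3]
    return policies

def outbound_match(policies, src_ip, dst_ip):
    """Best `dir out` policy covering (src_ip, dst_ip); None means the packet
    is not encapsulated and simply follows the ordinary routing table."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in policies
            if p["dir"] == "out" and src in p["src"] and dst in p["dst"]]
    return min(hits, key=lambda p: p["priority"], default=None)
```

Feed it the real `ip xfrm policy` output from IPCop A and try the GREEN address versus the RED address as `src_ip` to see which pings can ever be selected for ESP.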
Posted: Mon Feb 13, 2012 9:21 pm
New User

Joined: Thu Feb 02, 2012 8:51 pm
Posts: 6
In any case, thanks all; the IPSec tunnels work like a charm.

-Greg

