[sclug] VPN Help Needed

Tom Dawes-Gamble tmdg at tmdg.co.uk
Sat Aug 13 16:21:25 UTC 2005


On Sat, 2005-08-13 at 14:48 +0100, Alex Butcher wrote:
> On Sat, 13 Aug 2005, Tom Dawes-Gamble wrote:
> 
> > I'm trying to get a VPN Working from IpCop (openSWAN) and a Draytek
> > Vigor 2600.  According to the IpCop documentation if you can't ping and
> > traceroute the remote end forget it.  Well I can ping and get to the
> > Web interface on the Draytek but traceroute fails.
> >
> > If I run traceroute from a server in harbour exchange I end up with
> >
> > 16  217.41.172.73 (217.41.172.73)  16.215 ms  14.693 ms  20.950 ms
> > 17  217.41.216.2 (217.41.216.2)  8.003 ms  10.290 ms  8.670 ms
> > 18  217.32.86.6 (217.32.86.6)  6.667 ms  6.731 ms  6.694 ms
> > 19  host86-128-210-103.range86-128.btcentralplus.com (86.128.210.103)
> > 19.059 ms  18.888 ms  17.850 ms
> >
> > If I traceroute from my home system
> >
> > 12  * * *
> > 13  217.41.216.2 (217.41.216.2)  38.330 ms  33.377 ms  36.048 ms
> > 14  217.32.86.6 (217.32.86.6)  37.563 ms  35.699 ms  33.375 ms
> > 15  * * *
> 
> Remember that UNIX traceroute uses UDP packets with monotonically increasing
> TTL values, whilst Windows uses ICMP Echo Request packets with the same TTL
> trick. UNIX traceroute can emulate Windows' traceroute with the -I flag.
> 

Ok, with the -I flag traceroute works fine.

> IPSec doesn't use ICMP as the underlying transport, though, so as long as
> the important ICMP messages can get through (e.g. destination unreachable,
> must fragment) then there's no need to worry. You do need to make sure that
> ESP (IP protocol 50) is allowed through, though, as well as 500/udp.
> 

This could be the problem.  I'll go RTFM for a while and make sure it's
allowing that traffic.  I'm pretty sure it is as the VPN I use to get to
my Network at work is IPSec too and that does not have a problem.

The problem I see on the IpCop end is the following:-

Aug 13 16:15:37 ipcop pluto[6121]: loading secrets from
"/etc/ipsec.secrets"
Aug 13 16:15:37 ipcop pluto[6121]:   loaded private key file
'/var/ipcop/certs/hostkey.pem' (887 bytes)
Aug 13 16:15:38 ipcop pluto[6121]: "Weardale": deleting connection
Aug 13 16:15:38 ipcop pluto[6121]: | from whack: got --esp=3des
Aug 13 16:15:38 ipcop pluto[6121]: | from whack: got --ike=3des
Aug 13 16:15:38 ipcop pluto[6121]: added connection description
"Weardale"
Aug 13 16:15:38 ipcop pluto[6121]: "Weardale": we have no ipsecN
interface for either end of this connection


I've tried switching the IpCop end from left to right without luck.

Tom.
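A small triage script for pluto log lines like the ones quoted above. This is an added example, not code from the post or from IPCop/Openswan; the sample log is the post's own lines re-joined where the mail client wrapped them, and the diagnostic hint table is my own reading of the messages.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the pluto lines quoted in the post, one per line as
# syslog writes them (the mail client had wrapped some of them).
SAMPLE_LOG = """\
Aug 13 16:15:37 ipcop pluto[6121]: loading secrets from "/etc/ipsec.secrets"
Aug 13 16:15:37 ipcop pluto[6121]:   loaded private key file '/var/ipcop/certs/hostkey.pem' (887 bytes)
Aug 13 16:15:38 ipcop pluto[6121]: "Weardale": deleting connection
Aug 13 16:15:38 ipcop pluto[6121]: | from whack: got --esp=3des
Aug 13 16:15:38 ipcop pluto[6121]: added connection description "Weardale"
Aug 13 16:15:38 ipcop pluto[6121]: "Weardale": we have no ipsecN interface for either end of this connection
"""

# syslog timestamp, host, "pluto[pid]:", optional '"conn": ' prefix, message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'(?:"(?P<conn>[^"]+)": )?(?P<msg>.*)$')

# Known pluto messages and what to check next (hint text is my own).
DIAGNOSTICS = [
    ("we have no ipsecN interface for either end",
     "neither left= nor right= matches a local interface pluto knows about; "
     "check interfaces= in ipsec.conf and that the IpCop-side address is the "
     "one actually bound on its external interface"),
]

@dataclass
class PlutoEvent:
    ts: str
    pid: int
    conn: Optional[str]   # connection name if the line carries one
    msg: str
    hint: Optional[str]   # operator hint when the message is a known problem

def parse_pluto_log(text: str) -> List[PlutoEvent]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pluto line, skip it
        msg = m["msg"].strip()
        hint = next((h for needle, h in DIAGNOSTICS if needle in msg), None)
        events.append(PlutoEvent(m["ts"], int(m["pid"]), m["conn"], msg, hint))
    return events

def problems(events: List[PlutoEvent]) -> List[PlutoEvent]:
    """Only the events that matched a known diagnostic."""
    return [e for e in events if e.hint]

if __name__ == "__main__":
    for e in problems(parse_pluto_log(SAMPLE_LOG)):
        print(f"{e.ts} [{e.conn}] {e.msg}\n  -> {e.hint}")
```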


