Linux – Connecting debian and windows via IPsec VPN with Racoon and ipsec-tools

Tags: debian, ipsec, linux, racoon, vpn

I have some trouble with the IPsec configuration on my Debian server (6 squeeze). This server should connect via IPsec VPN to a Windows server, which is protected by a firewall.
I've used racoon and ipsec-tools and this tutorial: http://wiki.debian.org/IPsec.

However, I am not quite sure if this tutorial fits my purpose, because of some differences:

  • my host and my gateway are the same server, so I don't have two different IP addresses. I guess that's not a problem.
  • the other server is a Windows system behind a firewall. Hopefully not a problem.
  • the subnet of the Windows system is /32, not /24. So I changed it to /32.

I worked through the tutorial step by step, but I wasn't able to route the IP.
The following command didn't work for me:

ip route add to 172.16.128.100/32 via XXX.XXX.XXX.XXX src XXX.XXX.XXX.XXX

So I tried the following instead:

ip route add to 172.16.128.100
..., which obviously did not solve the problem.

The next problem is the compression. Windows doesn't use compression, but 'compression_algorithm none;' doesn't work with my racoon. So the current value is 'compression_algorithm deflate;'.

So my current result looks like this:

When I am trying to ping the windows host (ping 172.16.128.100), I receive the following error message from ping:

ping: sendmsg: Operation not permitted

And racoon logs:

racoon: ERROR: failed to get sainfo.

After googling for a while, I came to no conclusion as to what the solution is.
Does this error message mean that the first phase of IPsec works?

I am thankful for any advice.

I guess my configs might be helpful.

My racoon.conf looks like this:

path pre_shared_key "/etc/racoon/psk.txt";

remote YYY.YYY.YYY.YYY {

    exchange_mode main;
    proposal {
            lifetime time 8 hour;
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 2;
    }

}

sainfo address XXX.XXX.XXX.XXX/32 any address 172.16.128.100/32 any {

    pfs_group 2;
    lifetime time 8 hour;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;

}

And my ipsec-tools.conf looks like this:

flush;

spdflush;

spdadd XXX.XXX.XXX.XXX/32 172.16.128.100/32 any -P out ipsec
esp/tunnel/XXX.XXX.XXX.XXX-YYY.YYY.YYY.YYY/require;

spdadd 172.16.128.100/32 XXX.XXX.XXX.XXX/32 any -P in ipsec
esp/tunnel/YYY.YYY.YYY.YYY-XXX.XXX.XXX.XXX/require;

If anyone has advice, that would be awesome.

Thanks in Advance.

Greets, Michael


It was a simple copy-and-paste error in an IP address.
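The two symptoms in the question fit together: ping's "sendmsg: Operation not permitted" is the kernel refusing to send the packet in the clear because the matching policy requires ESP and no SA exists yet, and "failed to get sainfo" is racoon being unable to match the phase 2 selectors against any sainfo block, which is exactly what an address slip between racoon.conf and ipsec-tools.conf produces. The script below is an added example, not code from the post or from the racoon project: it cross-checks the two files for that class of mistake. The addresses in it are constructed stand-ins for the poster's XXX/YYY values, and the "-P in" policy deliberately carries a typo (172.16.128.110 instead of .100) so there is something to report.

```python
import ipaddress
import re

# Constructed sample configs (stand-ins for the poster's XXX/YYY addresses):
# 198.51.100.10 is the Debian host-and-gateway, 203.0.113.20 the Windows side's
# VPN endpoint.  The "-P in" policy carries a deliberate copy-and-paste slip
# (172.16.128.110 instead of .100) so the check has something to report.
RACOON_CONF = """
path pre_shared_key "/etc/racoon/psk.txt";

remote 203.0.113.20 {
    exchange_mode main;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo address 198.51.100.10/32 any address 172.16.128.100/32 any {
    pfs_group 2;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
"""

IPSEC_TOOLS_CONF = """
flush;
spdflush;

spdadd 198.51.100.10/32 172.16.128.100/32 any -P out ipsec
    esp/tunnel/198.51.100.10-203.0.113.20/require;

spdadd 172.16.128.110/32 198.51.100.10/32 any -P in ipsec
    esp/tunnel/203.0.113.20-198.51.100.10/require;
"""

REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)\s*\{", re.M)
SAINFO_RE = re.compile(
    r"sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)\s+\S+\s*\{")
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([^-\s]+)-([^/\s]+)/")


def parse_racoon(text):
    """Return (set of phase-1 peer addresses, list of (local, remote) sainfo selectors)."""
    peers = {ipaddress.ip_address(p) for p in REMOTE_RE.findall(text)}
    sainfos = [(ipaddress.ip_network(a, strict=False),
                ipaddress.ip_network(b, strict=False))
               for a, b in SAINFO_RE.findall(text)]
    return peers, sainfos


def parse_spd(text):
    """Return the spdadd policies; statements end with ';' and may wrap lines."""
    policies = []
    for stmt in text.split(";"):
        m = SPD_RE.search(" ".join(stmt.split()))
        if m:
            src, dst, direction, tsrc, tdst = m.groups()
            policies.append({
                "dir": direction,
                "src": ipaddress.ip_network(src, strict=False),
                "dst": ipaddress.ip_network(dst, strict=False),
                "tsrc": ipaddress.ip_address(tsrc),
                "tdst": ipaddress.ip_address(tdst),
            })
    return policies


def check(racoon_text, spd_text):
    """Cross-check SPD selectors and tunnel endpoints against racoon.conf."""
    peers, sainfos = parse_racoon(racoon_text)
    policies = parse_spd(spd_text)
    findings = []
    for p in policies:
        # "sainfo address LOCAL any address REMOTE any" is written from the local
        # side, so an inbound policy's selectors are read the other way round.
        local, remote = ((p["src"], p["dst"]) if p["dir"] == "out"
                         else (p["dst"], p["src"]))
        if (local, remote) not in sainfos:
            findings.append(f"{p['dir']} policy {p['src']} -> {p['dst']}: "
                            f"no sainfo with those selectors")
        far_end = p["tdst"] if p["dir"] == "out" else p["tsrc"]
        if far_end not in peers:
            findings.append(f"{p['dir']} policy: tunnel peer {far_end} "
                            f"has no 'remote' block")
    # every outbound policy needs a mirror-image inbound one
    for o in (p for p in policies if p["dir"] == "out"):
        if not any(i["src"] == o["dst"] and i["dst"] == o["src"]
                   and i["tsrc"] == o["tdst"] and i["tdst"] == o["tsrc"]
                   for i in policies if i["dir"] == "in"):
            findings.append(f"out policy {o['src']} -> {o['dst']}: "
                            f"no mirrored in policy")
    return findings


if __name__ == "__main__":
    for finding in check(RACOON_CONF, IPSEC_TOOLS_CONF):
        print("MISMATCH:", finding)
```

Run against real files with `check(open("/etc/racoon/racoon.conf").read(), open("/etc/ipsec-tools.conf").read())`; an empty list means the selectors, the tunnel endpoints and the in/out pair all agree, which is the state the poster reached once the pasted address was fixed.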

Best Answer

Wouldn't OpenVPN be more appropriate? OpenVPN is super simple to configure. Here is a sample config and some links to guide you through the certificate creation process.

Just configure the intermediary to be the host, and the guests can dial in and still communicate with each other.

apt-get install openvpn
mkdir /etc/openvpn/easy-rsa
mkdir -p /etc/openvpn/ccd/client_server
touch /etc/openvpn/ipp.txt
cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
# edit vars before sourcing it: build-dh writes dh${KEY_SIZE}.pem and the server
# config below expects dh2048.pem, so KEY_SIZE must be 2048 (easy-rsa 2.0 ships with 1024)
source ./vars
./clean-all
./build-ca 
./build-key-server server
./build-dh
cd /etc/openvpn/easy-rsa/keys
# bundle the server cert, key and CA into one PKCS#12 file for the "pkcs12" directive
openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt -certfile ca.crt

Then create a new file /etc/openvpn/client_server.conf and put the following in it, changing SERVER_IP_ADDRESS as appropriate:

local SERVER_IP_ADDRESS
port 8443
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
pkcs12 /etc/openvpn/easy-rsa/keys/server.p12
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
ifconfig-pool-persist /etc/openvpn/ipp.txt
server 192.168.100.0 255.255.255.0
client-config-dir /etc/openvpn/ccd/client_server
ccd-exclusive
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
reneg-sec 0
client-to-client

Then build a key per user who is going to connect, and create the config file in the ccd dir:

./build-key-pkcs12 user1@domain.com
echo "ifconfig-push 192.168.100.2 255.255.255.0" > /etc/openvpn/ccd/client_server/user1@domain.com

The IP address MUST be suitable for a /30 subnet (see http://www.subnet-calculator.com/cidr.php), as there are only 2 addresses available (server and client) per connection. So your next available client IP would be 192.168.100.6, and so on.

You now have static IPs per connecting user.

Then supply the user1@domain.com.p12 file to the end user and use the following config file:

client
dev tun
proto udp
remote SERVER_IP_ADDRESS 8443
pkcs12 user1@domain.com.p12
resolv-retry infinite
nobind
ns-cert-type server
comp-lzo
verb 3
reneg-sec 0
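Handing out the next /30 by hand is where the copy-and-paste slips come from, so here is an added example (not the answerer's code and not part of OpenVPN) that reads the ccd files, rejects addresses that are not the client end of a /30 or are pushed to two users, and allocates the next free client address in the layout the answer describes (.2, .6, .10, ...). The ccd contents are constructed, and the `ifconfig-push <ip> <netmask>` form is copied from the answer.

```python
import ipaddress
import re

# The answer's server pool; one /30 per client, client at offset 2 in its /30.
POOL = ipaddress.ip_network("192.168.100.0/24")

# Constructed stand-in for the files under /etc/openvpn/ccd/client_server/
# (file name -> contents); these are not real users.
EXISTING_CCD = {
    "user1@domain.com": "ifconfig-push 192.168.100.2 255.255.255.0\n",
    "user2@domain.com": "ifconfig-push 192.168.100.6 255.255.255.0\n",
}

PUSH_RE = re.compile(r"^\s*ifconfig-push\s+(\S+)\s+(\S+)", re.M)


def is_client_address(ip, pool=POOL):
    """True if ip is the client end of a /30 carved from pool (.2, .6, .10, ...)."""
    ip = ipaddress.ip_address(ip)
    return ip in pool and (int(ip) - int(pool.network_address)) % 4 == 2


def assigned_addresses(ccd_files):
    """Map each pushed address to the ccd files that push it."""
    assigned = {}
    for name, text in ccd_files.items():
        for ip, _netmask in PUSH_RE.findall(text):
            assigned.setdefault(ipaddress.ip_address(ip), []).append(name)
    return assigned


def audit(ccd_files, pool=POOL):
    """Report addresses that are not valid /30 client ends or are pushed twice."""
    problems = []
    for ip, names in sorted(assigned_addresses(ccd_files).items()):
        if not is_client_address(ip, pool):
            problems.append(f"{ip} in {', '.join(names)}: not a /30 client address")
        if len(names) > 1:
            problems.append(f"{ip} pushed to more than one client: {', '.join(names)}")
    return problems


def next_free_client_address(ccd_files, pool=POOL):
    """Lowest unused client address, stepping one /30 (4 addresses) at a time."""
    taken = assigned_addresses(ccd_files)
    for offset in range(2, pool.num_addresses, 4):
        candidate = pool.network_address + offset
        if candidate not in taken:
            return candidate
    raise RuntimeError(f"no free /30 left in {pool}")


def ccd_entry(ip, pool=POOL):
    """Contents of a new ccd file, in the form the answer uses."""
    if not is_client_address(ip, pool):
        raise ValueError(f"{ip} is not the client end of a /30 in {pool}")
    return f"ifconfig-push {ip} {pool.netmask}\n"


def add_client(ccd_files, name, pool=POOL):
    """Allocate the next /30 to `name`, record it, and return the new ccd contents."""
    if name in ccd_files:
        raise ValueError(f"{name} already has a ccd file")
    entry = ccd_entry(next_free_client_address(ccd_files, pool), pool)
    ccd_files[name] = entry
    return entry


if __name__ == "__main__":
    print("problems:", audit(EXISTING_CCD))
    print(add_client(EXISTING_CCD, "user3@domain.com"), end="")
```

To use it on a live server, build `ccd_files` by reading every file in /etc/openvpn/ccd/client_server/ into the dict, run `audit` first, and only then write the string `add_client` returns into the new user's file; because `ccd-exclusive` is set, a user without a ccd file cannot connect at all, so the audit is also a quick inventory of who is allowed in.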