Debian VPN IPSEC interface (http://www.linux-archive.org/debian-user/246433-debian-vpn-ipsec-interface.html)

"Martin Hilpert" 02-16-2009 12:30 PM

Debian VPN IPSEC interface
 
Hello,

I have been stuck on a problem for days.

I am trying to get a VPN connection between 2 servers; that works so far,
but I am missing the corresponding tunnel interface, which is absolutely
necessary for firewall and routing.

I am currently using Openswan.

Martin



--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Stephan Seitz 02-16-2009 12:56 PM

Debian VPN IPSEC interface
 
On Mon, Feb 16, 2009 at 02:30:27PM +0100, Martin Hilpert wrote:
> I am trying to get a VPN connection between 2 servers; that works so far,
> but I am missing the corresponding tunnel interface, which is absolutely
> necessary for firewall and routing.
>
> I am currently using Openswan.

If you have not patched your own kernel yourself, the ipsec interface should
no longer exist, since Openswan uses the kernel's own drivers. In that case
both the encrypted and the unencrypted traffic run over the same network
interface.


Shade and sweet water!

Stephan

--
| Stephan Seitz E-Mail: stse@fsing.rootsland.net |
| PGP Public Keys: http://fsing.rootsland.net/~stse/pgp.html |

"Martin Hilpert" 02-16-2009 01:27 PM

Debian VPN IPSEC interface
 
First, sorry for posting German in this section.

I know the fact about Openswan and the 2.6 kernel, but I think that
isn't useful.

Is it possible, without touching the kernel (kernel modules are ok), to bring
the ipsec interface back into the game?

Is there a better solution than using Openswan?

I hardly need ipsec because of cisco router ....

martin




Martin 02-16-2009 04:29 PM

Debian VPN IPSEC interface
 
2009/2/16 Martin Hilpert <martin.hilpert@a-s-consulting.de>:
> is there a better solution then using Openswan ?

this answer may not be welcome here, from what I read OpenBSD is quite
nice with handling IPSec...

> i hardly need ipsec because of cisco router ....

<german>
hardly? You hardly need that?
</german>

I think the OP wanted to say:

"I desperately need..."


/Martin



--
http://soup.alt.delete.co.at
http://www.xing.com/profile/Martin_Marcher
http://www.linkedin.com/in/martinmarcher

You are not free to read this message,
by doing so, you have violated my licence
and are required to urinate publicly. Thank you.

Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html



"Martin Hilpert" 02-17-2009 08:03 AM

Debian VPN IPSEC interface
 
Okay, I am a native German speaker, so there was a mistake in the last post.

My setup looks like this:

Site A ( cisco 1841 ) => Openswan A ( Debian)
Site B ( cisco 1841 ) => Openswan A ( Debian)
Site C ( cisco 1841 ) => Openswan A ( Debian)
Site D ( cisco 1841 ) => Openswan A ( Debian)
Openswan B(Debian) => Openswan A ( Debian)
Openswan C(Debian) => Openswan A ( Debian)

Site A ..D ip:10.30.0.0/16 ..10.33.0.0/16
Openswan B ip 10.0.0.0/16 .. 10.20.0.0/16
Openswan C ip 192.168.0.0/24

So if the VPN is up I need quagga to manage the routing stuff.

Now I tried to make a kernel module for KLIPS to get an ipsec0 device,

but I want a separate device for each tunnel and only get one.


martin




Alex Samad 02-17-2009 11:18 AM

Debian VPN IPSEC interface
 
On Tue, Feb 17, 2009 at 10:03:40AM +0100, Martin Hilpert wrote:
> Okay, I am a native German speaker, so there was a mistake in the last post.
>
> My setup looks like this:
>
> Site A ( cisco 1841 ) => Openswan A ( Debian)
> Site B ( cisco 1841 ) => Openswan A ( Debian)
> Site C ( cisco 1841 ) => Openswan A ( Debian)
> Site D ( cisco 1841 ) => Openswan A ( Debian)
> Openswan B(Debian) => Openswan A ( Debian)
> Openswan C(Debian) => Openswan A ( Debian)
>
> Site A ..D ip:10.30.0.0/16 ..10.33.0.0/16
> Openswan B ip 10.0.0.0/16 .. 10.20.0.0/16
> Openswan C ip 192.168.0.0/24
>
> So if the VPN is up I need quagga to manage the routing stuff.
>
> Now I tried to make a kernel module for KLIPS to get an ipsec0 device,
>
> but I want a separate device for each tunnel and only get one.

Why do you need an ipsecX device? The ipsecX devices were the old way
of doing ipsec.

>
>
> martin

--
"If affirmative action means what I just described, what I'm for, then I'm for it."

- George W. Bush
10/18/2000
St. Louis, MO
during the third presidential debate

"Martin Hilpert" 02-17-2009 12:04 PM

Debian VPN IPSEC interface
 
I need the ipsecX device for doing the routing stuff with quagga and for
firewall rules.

--
Martin Hilpert




Alex Samad 02-17-2009 08:37 PM

Debian VPN IPSEC interface
 
On Tue, Feb 17, 2009 at 02:04:43PM +0100, Martin Hilpert wrote:
> I need the ipsecX device for doing the routing stuff with quagga and for
> firewall rules.

I am not sure about quagga, but I used to use ipsecX for firewall rules as
well; but if you check out iptables there are new (? old by now) functions
for picking out ipsec'ed packets.

The simplest is to mark the packet whilst it's encapsulated and restore
the mark once it is unencapsulated.

You can match on policy; there are ways around it.

Note it has been a while since I played with ipsec; the time I was using
it was around the time of freeswan/openswan and the 2 ipsec stacks. I
believe the in-kernel stack won, but with the swan userland tools it is much
easier to use.

I had become used to using the ipsecX interfaces, but with a bit of
reading and relooking at the problem I found that I could do all the stuff
I wanted to with the new tools.

My understanding of the packet path is:

For inbound traffic terminating on this box you see the packet twice, once as an
encrypted packet (presuming you are using that feature) and then once as
an unencrypted packet.

But on the way out you only see the unencrypted packet.

Routing should still be the same though; the encrypted endpoint is
available via the normal NIC interface instead of an ipsecX. One problem
we faced was with multiple paths (redundant links).

Alex

>
> --
> Martin Hilpert

--
"I believe we are called to do the hard work to make our communities and quality of life a better place."

- George W. Bush
01/05/2005
Collinsville, IL

