Ipsec VPN to standalone internet linux server

nroos · January 27, 2012, 3:02pm

Hello,

I have the rather simple problem to connect a routerboard with a dynamic IP address to a linux server with a fixed IP address via VPN (“Connect a public internet server into your private network”). I guess it’s not much what is missing, but i can’t get it working..

The setup on one side:

Local network 10.1.1.0/24
Routerboard
NAT
(Dyn. IP)
Internet

The NAT is outside of the routerboard (it’s actually a second router)

The other side:

Internet
(fixed IP 22.22.22.22, example address)
Linux Server
racoon / ipsec-tools

What i want is that the connection between the 10.1.1.0 net and 22.22.22.22 gets ipsec encrypted. The routerboard should be the only one who initiates the connection.

The initial key exchange seems to be working, but a ping from 10.1.1.0 to 22.22.22.22 does not succeed.

From the routerboard configuration, i think the relevant settings are:

IPsec policies:

Src. Address: 10.1.1.0/24
Dst. Address: 22.22.22.22/32
SA Src. Address: 0.0.0.0
SA Dst. Address: 22.22.22.22

IPsec Peers:

Address: 22.22.22.22/32

The racoon configuration on the linux server is:

path pre_shared_key “/etc/racoon/psk.txt”;

remote anonymous {
exchange_mode aggressive;
my_identifier user_fqdn “****”;
passive on;
generate_policy on;
proposal_check obey;

proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp1024;
}
}

sainfo anonymous {
encryption_algorithm aes, 3des;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
}

After starting “ping”, routerboard shows in IPsec Installed SAs the two associations, and on the linux server:

$ racoonctl show-sa isakmp
Destination Cookies Created
33.33.33.33.1722 12be57c613c81ff0:c71de86acde5a5fd 2012-01-27 15:50:18

where 33.33.33.33 is the dynamic IP address of the routerboard side.

Wireshark on the linux server tells me that ESP packets are arriving, but shows no unencrypted packets (but i don’t know if they actually should be displayed by wireshark).

Does someone have any idea where the ping packets get lost? Or how i could trace it further?

Thanks in advance
Norbert

Edit: The linux server has ping responds enabled; when bypassing the routerboard vpn thing, ping is ok.

nroos · February 1, 2012, 12:56pm

… and for the reader with the same problem:

I got it working when i applied a second, local IP address to the internet server:

$ ifconfig eth0:1 10.2.2.2 netmask 255.255.255.0

The configuration above is then:

Src. Address: 10.1.1.0/24
Dst. Address: 10.2.2.0/24
SA Src. Address: 0.0.0.0
SA Dst. Address: 22.22.22.22

(i guess the netmasks could be reduced to the one machine)