VPN doesn't work on an RFC1483 LLC routed line, but works on PPPoE

I have three sites: two have a PPPoE connection, with a DSL modem and a variable IP; one has an RFC1483 LLC routed connection, with a DSL router and a fixed IP.

Each one has IPCOP v1.4.5, and every machine is directly pingable (the router is configured with a DMZ to the IPCOP machine).

The problem is that the VPN works on the two PPPoE sites, and doesn't on the other site. Looking at the "ipsec barf" output I can see this:

Apr 10 23:57:56 ipcop pluto[3071]: packet from xxx.xxx.xxx.xxx:500: initial Main Mode message received on 192.168.1.1:500 but no connection has been authorized with policy=PSK

(xxx.xxx.xxx.xxx is the public IP of the "remote" machine; 192.168.1.1 is the RED IP of IPCOP)

The LAN is configured like this:

router WAN: fixed IP
router LAN: 192.168.1.254
ipcop RED: 192.168.1.1
ipcop GREEN: 192.168.130.254
LAN: 192.168.130.0/255.255.255.0

The configuration is similar on the three IPCOP machines, so the only difference is on the RFC1483 site. But what?

Code:

    left=xxx.xxx.xxx.xxx
    leftnexthop=%defaultroute
    leftsubnet=192.168.130.0/255.255.255.0
    right=yyy.yyy.yyy.yyy
    rightsubnet=192.168.101.0/255.255.255.0
    rightnexthop=%defaultroute
    dpddelay=30
    dpdtimeout=120
    dpdaction=hold
    authby=secret
    auto=start
Reply to
temporaneo1234

snipped-for-privacy@yahoo.it wrote on 4/10/2005 6:42 PM:

Use aggressive mode.

Jim

Reply to
Jim

Reading about it, I have found only one error in my last configuration, but it doesn't solve it anyway: the leftid param.

So the connection should be:

    left=xxx.xxx.xxx.xxx            (RED IP of IPCOP, 192.168.1.1)
    leftnexthop=%defaultroute
    leftid=zzz.zzz.zzz.zzz          (public IP of the router connected to the Internet)
    leftsubnet=192.168.130.0/255.255.255.0
    right=yyy.yyy.yyy.yyy           (public IP of the remote)
    rightsubnet=192.168.101.0/255.255.255.0
    rightnexthop=%defaultroute
    dpddelay=30
    dpdtimeout=120
    dpdaction=hold
    authby=secret
    auto=start

But nothing, the result is the same:

Apr 13 14:52:01 ipcop pluto[10322]: packet from yyy.yyy.yyy.yyy:500: initial Main Mode message received on 192.168.1.1:500 but no connection has been authorized with policy=PSK

And it's the same at the other end:

Apr 13 14:54:13 ipcop pluto[15548]: packet from zzz.zzz.zzz.zzz:4500: initial Main Mode message received on yyy.yyy.yyy.yyy:4500 but no connection has been authorized with policy=PSK

Looking at the route log of the DSL router, it shows that there is a connection from 192.168.1.1 to yyy.yyy.yyy.yyy.

What can I do to solve it?

Reply to
temporaneo1234

I have found a new issue. Thinking about it, there is a problem with ipsec.secrets....

The message in "ipsec barf" says that something is missing... so I have tried to insert more "secrets"... like:

192.168.1.1 yyy.yyy.yyy.yyy and some other...

Result: the connection now comes up, even if routing doesn't work...

In the case of a router, what are the right ipsec.secrets params?

Reply to
temporaneo1234

snipped-for-privacy@yahoo.it wrote on 4/10/2005 6:42 PM:

If you are trying to do this VPN connection through NAT, your problem is most likely there. Try using aggressive mode and that way NAT won't destroy your IPSEC header.

Jim

Reply to
Jim

I solved an "old" problem about setting up a VPN between two IPCOP machines, where one DSL is PPPoE type and the other one is IPoA type.

The router used on IPoA must permit VPN passthrough.

The problem was solved with a manual modification of files on the IPCOP machine where the IPoA connection is: /etc/ipsec.conf and /etc/ipsec.secrets.

/etc/ipsec.secrets: this file must refer to the RED IPCOP interface (192.168.1.1) and to the WAN address (xxx.xxx.xxx.xxx is the public IP address of the other side of the VPN):

    192.168.1.1 xxx.xxx.xxx.xxx : PSK "password"
    WANIPpubblic xxx.xxx.xxx.xxx : PSK "password"

/etc/ipsec.conf: follow this schema: left= RED IP of IPCOP, leftid= public WAN IP, leftnexthop= IP address of the gateway (router)

    conn NameConnection
        left=192.168.1.1
        leftid=WANIPpubblic
        leftnexthop=192.168.1.254
        leftsubnet=192.168.130.0/255.255.255.0
        right=xxx.xxx.xxx.xxx
        rightsubnet=192.168.100.0/255.255.255.0
        rightnexthop=%defaultroute
        dpddelay=30
        dpdtimeout=120
        dpdaction=hold
        authby=secret
        auto=start
Reply to
temporaneo1234
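As an added example (not from the thread or from IPCop), a small Python checker that mirrors the point of the post above: a preshared key is looked up by the pair of IKE identities, so once leftid= is set to the public WAN IP, ipsec.secrets needs a line naming that ID together with the peer, not just the RED address. The sample files are constructed; WANIPpubblic and xxx.xxx.xxx.xxx are the thread's own placeholders, and the lookup is a simplified model of pluto's, not its code.

```python
import re

# Constructed sample ipsec.conf, modelled on the thread's final working conn
# (placeholders kept: WANIPpubblic = router's public WAN IP, xxx.xxx.xxx.xxx = peer).
IPSEC_CONF = """
conn NameConnection
    left=192.168.1.1
    leftid=WANIPpubblic
    right=xxx.xxx.xxx.xxx
    authby=secret
"""
# Constructed ipsec.secrets: the first names only the RED address; the second
# adds the public WAN ID that leftid= makes pluto present (the thread's fix).
SECRETS_RED_ONLY = '192.168.1.1 xxx.xxx.xxx.xxx : PSK "password"\n'
SECRETS_FIXED = SECRETS_RED_ONLY + 'WANIPpubblic xxx.xxx.xxx.xxx : PSK "password"\n'

def parse_conns(text):
    """Return {name: {key: value}} for each 'conn' section of an ipsec.conf."""
    conns, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            conns[cur][key.strip()] = val.strip()
    return conns

def parse_secrets(text):
    """Return [(ids, psk)] from ipsec.secrets; an empty id set means a %any wildcard."""
    out = []
    for ids, sep, rest in (l.partition(":") for l in text.splitlines()):
        m = re.match(r'\s*PSK\s+"([^"]*)"', rest) if sep else None
        if m:
            out.append((set(ids.split()) - {"%any"}, m.group(1)))
    return out

def psk_for(conn, secrets):
    """PSK a pluto-style lookup finds: a line must name both IDs, or be a wildcard.

    Our own ID is leftid= when set, otherwise left=; likewise rightid=/right=.
    Returns None when no line covers the pair, i.e. no PSK connection is usable."""
    my_id = conn.get("leftid") or conn["left"]
    peer_id = conn.get("rightid") or conn["right"]
    for ids, psk in secrets:
        if not ids or {my_id, peer_id} <= ids:
            return psk
    return None
```

Run psk_for() on the conn with each secrets file: the RED-only file yields None for the conn with leftid=, and only the file that also names WANIPpubblic returns the key.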
