Hi,
I have installed the IPsec connection between zentyal server and another router. The VPN is established:
192.168.10.0/24 --- LAN --- Zentyal 192.168.131.32 --- Router 192.168.131.80 --- LAN 192.168.36.0/24
But the "ping" doesn't work.
Routes from the router:
/etc/ipsec.d $ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.131.0 0.0.0.0 255.255.255.0 U 0 0 0 lan2
192.168.36.0 0.0.0.0 255.255.255.0 U 0 0 0 lan1
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 lan2
0.0.0.0 192.168.131.254 0.0.0.0 UG 0 0 0 lan2
Routes from the Zentyal:
root@zentyal:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.131.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3
192.168.20.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
When I manually add a route to the Zentyal:
ip r a 192.168.36.0/24 via 192.168.131.80
root@zentyal:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.131.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3
192.168.36.0 192.168.131.80 255.255.255.0 UG 0 0 0 eth3
192.168.20.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
Now the ping "works". I added quotes because the ping from the router/LAN works using ESP (seen in tcpdump), but the opposite direction doesn't use ESP (only the direct eth interface, without an ESP header).
1) How can I force Zentyal to use IPsec/ESP?
2) How can I set IPsec correctly to propagate routes?
Here are several files to include:
The router ipsec.conf:
authby=secret
keyingtries=%forever
aggrmode=yes
left=%defaultroute
leftsubnet=192.168.36.0/24
leftid=192.168.131.80
right=192.168.131.32
rightsubnet=192.168.10.0/24
rightid=192.168.131.32
ike=3des-md5-modp1536
ikelifetime=86400s
auth=esp
esp=3des-md5
keylife=28800s
pfs=yes
dpddelay=30
dpdtimeout=61
dpdaction=hold
auto=start
The zentyal ipsec.conf:
# VPN: lan10 : 192.168.131.32 <=> 192.168.131.80
conn lan10
left=192.168.131.32
leftsubnet=192.168.10.0/24
right=192.168.131.80
rightsubnet=192.168.36.0/24
authby=secret
auto=start
auth=esp
rekey=yes
keyingtries=0
keyexchange=ike
ike=3des-md5
ikelifetime=86400s
esp=3des-md5;modp1536
keylife=28800s
pfs=yes
Thank you for your time and help.
Tomas (Crypty)
----
(IPsec is started with the "ipsec setup start" command)
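The two questions above come down to the order in which a Linux host handles an outgoing packet: the routing table decides whether and where the packet can leave at all, and only then is the IPsec (XFRM) policy consulted to decide whether it is wrapped in ESP. A packet with no route never reaches the policy, and a packet that is routable but matches no installed policy leaves in cleartext, which is exactly the symptom described in the post. The following added example, which is not part of the original post or of the Zentyal or strongSwan projects, is an offline checker for this situation: it parses ipsec.conf-style "conn" blocks, reports where two peers' definitions do not mirror each other (subnets, identities, ike/esp/pfs proposals), and simulates the route-then-policy decision for a given source and destination. The configuration text and routing tables in the block are constructed samples modelled on the values in the post; the conn name on the router side and the `peer_id` defaulting rule (leftid/rightid fall back to left/right) are assumptions.

```python
"""Added example (not from the forum post): offline sanity checks for a
site-to-site IPsec setup.  Parses ipsec.conf-style conn blocks, compares
two peers for mirror mismatches, and simulates the kernel's route lookup
followed by IPsec policy lookup for one flow."""
import ipaddress
import re

# Constructed sample, modelled on the two ipsec.conf files in the post.
ZENTYAL_CONF = """
# VPN: lan10 : 192.168.131.32 <=> 192.168.131.80
conn lan10
    left=192.168.131.32
    leftsubnet=192.168.10.0/24
    right=192.168.131.80
    rightsubnet=192.168.36.0/24
    ike=3des-md5
    esp=3des-md5;modp1536
    pfs=yes
"""
ROUTER_CONF = """
conn lan10
    left=%defaultroute
    leftid=192.168.131.80
    leftsubnet=192.168.36.0/24
    right=192.168.131.32
    rightid=192.168.131.32
    rightsubnet=192.168.10.0/24
    ike=3des-md5-modp1536
    esp=3des-md5
    pfs=yes
"""

# Constructed routing tables: (destination network, gateway or None when on-link).
ZENTYAL_ROUTES_BEFORE = [("192.168.131.0/24", None), ("192.168.20.0/24", None),
                         ("192.168.10.0/24", None)]
ZENTYAL_ROUTES_AFTER = ZENTYAL_ROUTES_BEFORE + [("192.168.36.0/24", "192.168.131.80")]


def parse_conns(text):
    """Parse 'conn NAME' blocks into {name: {key: value}}; '#' comments are stripped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def peer_id(conn, side):
    """Assumed defaulting rule: leftid/rightid fall back to the left/right address."""
    return conn.get(side + "id", conn.get(side))


def check_mirror(a, b):
    """Return human-readable findings where peer b does not mirror peer a."""
    findings = []
    if a.get("leftsubnet") != b.get("rightsubnet") or a.get("rightsubnet") != b.get("leftsubnet"):
        findings.append("subnets do not mirror: %s/%s vs %s/%s" % (
            a.get("leftsubnet"), a.get("rightsubnet"), b.get("leftsubnet"), b.get("rightsubnet")))
    if peer_id(a, "left") != peer_id(b, "right") or peer_id(a, "right") != peer_id(b, "left"):
        findings.append("peer identities do not mirror")
    for key in ("ike", "esp", "pfs"):  # proposals must be agreeable on both sides
        if a.get(key) != b.get(key):
            findings.append("%s differs: %r vs %r (review manually)" % (key, a.get(key), b.get(key)))
    return findings


def route_lookup(dst, routes):
    """Longest-prefix match; returns (network, gateway) or None when unreachable."""
    dst, best = ipaddress.ip_address(dst), None
    for net, gw in routes:
        n = ipaddress.ip_network(net)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw)
    return best


def policy_lookup(src, dst, conns):
    """Return the conn whose leftsubnet/rightsubnet cover src->dst, else None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, c in conns.items():
        if "leftsubnet" in c and "rightsubnet" in c and \
                src in ipaddress.ip_network(c["leftsubnet"]) and \
                dst in ipaddress.ip_network(c["rightsubnet"]):
            return name
    return None


def classify_flow(src, dst, routes, conns):
    """Kernel order: route first, then policy.  Routable but unmatched = cleartext."""
    if route_lookup(dst, routes) is None:
        return "unreachable"
    return "esp" if policy_lookup(src, dst, conns) else "cleartext"


if __name__ == "__main__":
    zent, rout = parse_conns(ZENTYAL_CONF), parse_conns(ROUTER_CONF)
    for finding in check_mirror(zent["lan10"], rout["lan10"]):
        print("mismatch:", finding)
    for label, routes in (("before", ZENTYAL_ROUTES_BEFORE), ("after", ZENTYAL_ROUTES_AFTER)):
        print(label, "192.168.10.5 -> 192.168.36.5:",
              classify_flow("192.168.10.5", "192.168.36.5", routes, zent))
```

Run against the constructed samples, the checker reports the two proposal differences between the peers (`ike` and `esp`), classifies the flow as "unreachable" with the original Zentyal routing table, and as "esp" once a route to 192.168.36.0/24 exists and the lan10 policy covers the flow. A destination outside every policy (such as 192.168.20.0/24) is classified "cleartext", the case a tcpdump on the outer interface would confirm by showing plain IP rather than ESP.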