[Openswan Users] Tunnel established but no traffic
Mark Maiden
markm at globoforce.com
Mon Apr 25 18:00:49 CEST 2005
Hi all,

I've set up two Linux boxes with Openswan and the tunnel has been established correctly, per these messages:
Apr 25 16:39:49 ftptest pluto[9113]: "dublin-to-boston" #1: ISAKMP SA established
Apr 25 16:39:49 ftptest pluto[9113]: "dublin-to-boston" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Apr 25 16:39:49 ftptest pluto[9113]: "dublin-to-boston" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Apr 25 16:39:49 ftptest pluto[9113]: "dublin-to-boston" #4: sent QI2, IPsec SA established {ESP=>0xd0862f55 <0x7a7cfd70}
But I can't establish a route between the two private networks (192.168.1.x & 192.168.100.x) and I can't transmit info between the two.
I have iptables firewalls on both boxes and made the appropriate changes
to exclude packets from traversing the tunnel with NAT.
Any help with this would be greatly appreciated.
Here are my rules for the firewalls:
Chain INPUT (policy DROP)
target prot opt source destination
LINVALID all -- anywhere anywhere state INVALID
CHECKBADFLAG tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
LREJECT all -- anywhere loopback/8
ACCEPT all -- 192.168.100.0/24 anywhere
LREJECT all -- 192.168.100.0/24 anywhere
ICMPINBOUND icmp -- anywhere anywhere
LDROP udp -- anywhere anywhere udp dpts:traceroute:33523
SMB all -- anywhere anywhere
REJECT tcp -- anywhere anywhere tcp dpt:ident reject-with tcp-reset
TCPACCEPT tcp -- anywhere anywhere tcp dpt:ssh
TCPACCEPT tcp -- anywhere anywhere tcp dpt:isakmp
TCPACCEPT udp -- anywhere anywhere udp dpt:isakmp
TCPACCEPT esp -- anywhere anywhere
SPECIALPORTS all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state ESTABLISHED
TCPACCEPT tcp -- anywhere anywhere tcp dpts:1024:65535 state RELATED
ACCEPT udp -- anywhere anywhere udp dpts:1024:65535 state RELATED
LDROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
LINVALID all -- anywhere anywhere state INVALID
CHECKBADFLAG tcp -- anywhere anywhere
SMB all -- anywhere anywhere
ACCEPT tcp -- 192.168.100.0/24 anywhere tcp spts:1024:65535
ACCEPT udp -- 192.168.100.0/24 anywhere udp spts:1024:65535
ACCEPT icmp -- 192.168.100.0/24 anywhere
SMB all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state ESTABLISHED
TCPACCEPT tcp -- anywhere anywhere tcp dpts:1024:65535 state RELATED
ACCEPT udp -- anywhere anywhere udp dpts:1024:65535 state RELATED
ACCEPT icmp -- anywhere anywhere state RELATED
LDROP all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere 192.168.100.0/24
ICMPOUTBOUND icmp -- anywhere anywhere
SMB all -- anywhere anywhere
REJECT tcp -- anywhere anywhere tcp spt:ident reject-with tcp-reset
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:isakmp state ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:isakmp
ACCEPT esp -- anywhere anywhere
ACCEPT tcp -- ftptest.globoforce.com anywhere tcp spts:1024:65535
ACCEPT udp -- ftptest.globoforce.com anywhere udp spts:1024:65535
LDROP all -- anywhere anywhere

Chain CHECKBADFLAG (2 references)
target prot opt source destination
LBADFLAG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
LBADFLAG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
LBADFLAG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
LBADFLAG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LBADFLAG tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
LBADFLAG tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN

Chain ICMPINBOUND (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 5/sec burst 10
LPINGFLOOD icmp -- anywhere anywhere icmp echo-request
LDROP icmp -- anywhere anywhere icmp redirect
LDROP icmp -- anywhere anywhere icmp timestamp-request
LDROP icmp -- anywhere anywhere icmp timestamp-reply
LDROP icmp -- anywhere anywhere icmp address-mask-request
LDROP icmp -- anywhere anywhere icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere

Chain ICMPOUTBOUND (1 references)
target prot opt source destination
LDROP icmp -- anywhere anywhere icmp redirect
LDROP icmp -- anywhere anywhere icmp ttl-zero-during-transit
LDROP icmp -- anywhere anywhere icmp ttl-zero-during-reassembly
LDROP icmp -- anywhere anywhere icmp parameter-problem
LDROP icmp -- anywhere anywhere icmp timestamp-request
LDROP icmp -- anywhere anywhere icmp timestamp-reply
LDROP icmp -- anywhere anywhere icmp address-mask-request
LDROP icmp -- anywhere anywhere icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere

Chain LBADFLAG (6 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 2/sec burst 10 LOG level warning prefix `fp=BADFLAG:1 a=DROP '
DROP all -- anywhere anywhere

Chain LDROP (17 references)
target prot opt source destination
LOG tcp -- anywhere anywhere limit: avg 2/sec burst 10 LOG level warning prefix `fp=TCP:1 a=DROP '
LOG udp -- anywhere anywhere limit: avg 2/sec burst 10 LOG level warning prefix `fp=UDP:2 a=DROP '
LOG icmp -- anywhere anywhere limit: avg 2/sec burst 10 LOG level warning prefix `fp=ICMP:3 a=DROP '
LOG all -f anywhere anywhere limit: avg 2/sec burst 10 LOG level warning prefix `fp=FRAGMENT:4 a=DROP '
DROP all -- anywhere anywhere

Chain LINVALID (2 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 2/sec burst 10 LOG level warning prefix `fp=INVALID:1 a=DROP '
DROP all -- anywhere anywhere

Chain LPINGFLOOD (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 2/sec burst 10 LOG level warning prefix `fp=PINGFLOOD:1 a=DROP '
DROP all -- anywhere anywhere

Chain LREJECT (2 references)
target prot opt source destination
LOG tcp -- anywhere anywhere limit: avg 2/sec burst 10 LOG level warning prefix `fp=TCP:1 a=REJECT '
LOG udp -- anywhere anywhere limit: avg 2/sec burst 10 LOG level warning prefix `fp=UDP:2 a=REJECT '
LOG icmp -- anywhere anywhere limit: avg 2/sec burst 10 LOG level warning prefix `fp=ICMP:3 a=REJECT '
LOG all -f anywhere anywhere limit: avg 2/sec burst 10 LOG level warning prefix `fp=FRAGMENT:4 a=REJECT '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain LSPECIALPORT (11 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 2/sec burst 10 LOG level warning prefix `fp=SPECIALPORT:1 a=DROP '
DROP all -- anywhere anywhere

Chain LSYNFLOOD (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 2/sec burst 10 LOG level warning prefix `fp=SYNFLOOD:1 a=DROP '
DROP all -- anywhere anywhere

Chain SMB (4 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:netbios-ns
DROP tcp -- anywhere anywhere tcp dpt:netbios-dgm
DROP tcp -- anywhere anywhere tcp dpt:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds
DROP udp -- anywhere anywhere udp dpt:netbios-ns
DROP udp -- anywhere anywhere udp dpt:netbios-dgm
DROP udp -- anywhere anywhere udp dpt:netbios-ssn
DROP udp -- anywhere anywhere udp dpt:microsoft-ds
DROP tcp -- anywhere anywhere tcp spt:netbios-ns
DROP tcp -- anywhere anywhere tcp spt:netbios-dgm
DROP tcp -- anywhere anywhere tcp spt:netbios-ssn
DROP tcp -- anywhere anywhere tcp spt:microsoft-ds
DROP udp -- anywhere anywhere udp spt:netbios-ns
DROP udp -- anywhere anywhere udp spt:netbios-dgm
DROP udp -- anywhere anywhere udp spt:netbios-ssn
DROP udp -- anywhere anywhere udp spt:microsoft-ds

Chain SPECIALPORTS (1 references)
target prot opt source destination
LSPECIALPORT tcp -- anywhere anywhere tcp dpt:vocaltec-gold
LSPECIALPORT tcp -- anywhere anywhere tcp dpt:serialgateway
LSPECIALPORT udp -- anywhere anywhere udp dpt:serialgateway
LSPECIALPORT tcp -- anywhere anywhere tcp dpt:27374
LSPECIALPORT udp -- anywhere anywhere udp dpt:27374
LSPECIALPORT tcp -- anywhere anywhere tcp dpts:6711:6713
LSPECIALPORT tcp -- anywhere anywhere tcp dpts:italk:12346
LSPECIALPORT tcp -- anywhere anywhere tcp dpt:nburn_id
LSPECIALPORT udp -- anywhere anywhere udp dpts:31337:31338
LSPECIALPORT tcp -- anywhere anywhere tcp dpts:6000:6063
LSPECIALPORT udp -- anywhere anywhere udp dpt:28431

Chain TCPACCEPT (6 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 5/sec burst 10
LSYNFLOOD tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN
--
Mark Maiden
Systems Administrator
Globoforce
6 Beckett Way,
Park West Business Park,
Dublin 12, Ireland.
t: +353-1-6258812
f: +353-1-6258880
e: sysadmin at globoforce.com
w: www.globoforce.com
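Since the FORWARD chain is what decides whether decrypted packets get from one private network to the other, here is an added example (not from the post or from Openswan) that parses the "iptables -L" rule lines above and walks the FORWARD chain for a new SSH connection in each direction. The host addresses are constructed, and the walk assumes that a plain "iptables -L" listing (no interface or policy matches shown) is enough to follow the verdict, so it is an approximation of what the kernel does.

```python
import ipaddress
import re
# FORWARD chain exactly as printed in the post, with the wrapped lines rejoined.
FORWARD = """\
LINVALID all -- anywhere anywhere state INVALID
CHECKBADFLAG tcp -- anywhere anywhere
SMB all -- anywhere anywhere
ACCEPT tcp -- 192.168.100.0/24 anywhere tcp spts:1024:65535
ACCEPT udp -- 192.168.100.0/24 anywhere udp spts:1024:65535
ACCEPT icmp -- 192.168.100.0/24 anywhere
SMB all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state ESTABLISHED
TCPACCEPT tcp -- anywhere anywhere tcp dpts:1024:65535 state RELATED
ACCEPT udp -- anywhere anywhere udp dpts:1024:65535 state RELATED
ACCEPT icmp -- anywhere anywhere state RELATED
LDROP all -- anywhere anywhere
"""
# Targets that settle a packet's fate. SMB, CHECKBADFLAG and TCPACCEPT are assumed
# to return without a verdict for a well-formed SSH SYN (assumption, see lead-in).
TERMINAL = {"ACCEPT", "DROP", "REJECT", "LDROP", "LREJECT", "LINVALID"}
def _net_ok(spec, addr):
    return spec == "anywhere" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)
def _port_ok(rest, key, port):
    # spt/spts or dpt/dpts ranges; a named port (e.g. dpt:ssh) counts as no match
    m = re.search(rf"\b{key}s?:(\S+)", rest)
    parts = m.group(1).split(":") if m else [str(port)]
    return all(p.isdigit() for p in parts) and int(parts[0]) <= port <= int(parts[-1])

def rule_target(line, pkt):
    """Target of one 'iptables -L' line if pkt matches its proto, addresses, state and ports."""
    target, prot, _opt, src, dst, *rest = line.split()
    rest = " ".join(rest)
    state = re.search(r"state (\S+)", rest)
    ok = (prot in ("all", pkt["proto"])
          and _net_ok(src, pkt["src"]) and _net_ok(dst, pkt["dst"])
          and (not state or pkt["state"] in state.group(1).split(","))
          and _port_ok(rest, "spt", pkt["sport"]) and _port_ok(rest, "dpt", pkt["dport"]))
    return target if ok else None

def first_verdict(chain_text, pkt):
    """Walk the chain top to bottom; return (rule number, target) of the first verdict."""
    for i, line in enumerate(chain_text.splitlines(), 1):
        if (target := rule_target(line, pkt)) in TERMINAL:
            return i, target
    return None, "policy DROP"

# Constructed sample hosts, one on each private network named in the post.
DUBLIN_SSH_OUT = dict(proto="tcp", src="192.168.100.10", dst="192.168.1.10", sport=40000, dport=22, state="NEW")
BOSTON_SSH_IN = dict(proto="tcp", src="192.168.1.10", dst="192.168.100.10", sport=40000, dport=22, state="NEW")
```

With the chain as posted, a new connection from 192.168.100.0/24 reaches rule 4 (ACCEPT) while one from 192.168.1.0/24 falls through to rule 12 (LDROP); that is only what the listed rules say, not a diagnosis of the missing traffic.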