[Openswan Users] Help required: Trouble setting up openswan

Phil Wild philwild at gmail.com
Wed Nov 28 11:43:48 EST 2007


Hi Peter,

Thanks for the help :-)

It is good to know that the connection is active, just have to figure out
where it is failing.

I am using shorewall as a firewall and it is running on the hosts that I am
trying to tie together. Because the connection appears to be established
from your comments I am assuming I have the rules set correctly for the
connection.

I have tried pinging and ssh'ing between the hosts using the internal
addresses and get no response. I have also now tried doing the same thing
from hosts in each of the private networks and get the same result.

I have cleared the shorewall configuration of all zones/interfaces that
related to a vpn based on your comment about the data going to the external
interface.

My shorewall configuration looks like the below:

root at zulu:/etc/shorewall# cat zones
fwall   firewall                                #
loc     ipv4                            #
net     ipv4                            #


root at zulu:/etc/shorewall# cat interfaces
net     ppp0    detect  dhcp,norfc1918,routefilter,blacklist,tcpflags,logmartians,nosmurfs
loc eth1 detect tcpflags

root at zulu:/etc/shorewall# cat policy
fwall net ACCEPT
fwall loc ACCEPT
loc fwall ACCEPT
net     $FW     DROP    info
net     all     REJECT  info
# The FOLLOWING POLICY MUST BE LAST
all     all     DROP    info

root at zulu:/etc/shorewall# cat rules
LOG:info        fwall   net:192.168.10.0/24     all
LOG:info        net:192.168.10.0/24     $FW     all
ACCEPT    net:202.72.167.27      all     all
ACCEPT  net:202.72.167.27       fwall   50
...other stuff deleted...

I am not seeing any dropped packets.

If I ping from 10.3.0.3 to 192.168.10.2 I get the following in syslog on the
sending host

Nov 29 01:40:14 zulu kernel: [867825.734164] Shorewall:fwall2net:LOG:IN= OUT=ppp0 SRC=10.3.0.3 DST=192.168.10.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=28735 SEQ=1
Nov 29 01:40:15 zulu kernel: [867826.732619] Shorewall:fwall2net:LOG:IN= OUT=ppp0 SRC=10.3.0.3 DST=192.168.10.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=28735 SEQ=2
Nov 29 01:40:16 zulu kernel: [867827.731115] Shorewall:fwall2net:LOG:IN= OUT=ppp0 SRC=10.3.0.3 DST=192.168.10.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=28735 SEQ=3

but nothing on the receiving host.

I have added the following to the config file at each side

        leftsourceip=192.168.10.2
        rightsourceip=10.3.0.3


Cheers

Phil



On 29/11/2007, Peter McGill <petermcgill at goco.net> wrote:
>
>  This line in your status or logs indicates that you have a phase 1
> connection:
> STATE_MAIN_I4 (ISAKMP SA established)
> This line in your status or logs indicates that you have a phase 2
> connection:
> STATE_QUICK_I2 (sent QI2, IPsec SA established)
> Once you've received the IPsec SA established message you know the
> connection is connected.
> If you cannot ping the remote side, it could be due to firewall rules or
> your conn settings, among other things.
>
> You only get an ipsec0 interface if you're using KLIPS, which you only get
> if you specifically install it and turn off NETKEY,
> since NETKEY is enabled by default in most modern kernels. NETKEY is also
> sometimes known as NATIVE and does not
> have an ipsec0 interface; instead it reuses the public interface, whatever it
> is, in your case ppp0.
> ipsec version or ipsec verify will tell you which one you're using, and are
> also good info to send to the list with your problem.
>
> Are your ping tests being done to and from the servers themselves or from
> hosts on the subnets?
> Either do your ping tests to and from hosts on the subnets or add
> leftsourceip=<left server LAN ip> and rightsourceip to your conn.
> If you've done this and still can't ping, it may be your firewall: are you
> running firewall software or iptables on either server or between them?
> If you are, you need to allow the IPsec traffic as follows:
> protocol 17 (udp), port 500 (isakmp)
> protocol 50 (esp)
> protocol 17 (udp), port 4500 (nat-t) if you're using NAT traversal to get
> through network address translation routers between the hosts.
> You also need to allow the ping and other traffic that utilizes the
> tunnels.
> And you cannot NAT any of this traffic if you're SNATing or MASQUERADEing
> your LAN(s) to the internet.
>
> Peter McGill
>
>
>  ------------------------------
> *From:* Phil Wild [mailto:philwild at gmail.com]
> *Sent:* November 28, 2007 10:14 AM
> *To:* Paul Wouters; petermcgill at goco.net; Users at openswan.org
> *Subject:* Re: [Openswan Users] Help required: Trouble setting up openswan
>
> Hi
>
> I have fixed the routing table and I think I have progressed a little
> further. I have also turned off the plutodebug.
>
> netstat -rn shows
>
> root at zulu:~# netstat -rn
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 203.161.90.1    0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
> 10.3.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth1
> 192.168.10.0    203.161.90.1    255.255.255.0   UG        0 0          0 ppp0
> 0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 ppp0
>
>
> Should I see an ipsec interface here?
>
> I am still unsure if I am actually getting a valid connection. What I do
> know is that I can not ping through the vpn
>
> running ipsec auto --status gives me:
>
> root at bravo:/var/log# ipsec auto --status
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 192.168.10.2
> 000 interface eth1/eth1 202.72.167.27
> 000 interface eth1:1/eth1:1 202.72.167.29
> 000 %myid = (none)
> 000 debug none
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
> trans={0,0,0} attrs={0,0,0}
> 000
> 000 "bravo-zulu": 192.168.10.0/24===202.72.167.27[@bravo.gastech.com.au]---202.72.167.25...203.161.90.1---203.161.71.190[@zulu]===10.3.0.0/24; erouted; eroute owner: #3
> 000 "bravo-zulu":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
> 000 "bravo-zulu":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "bravo-zulu":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth1;
> 000 "bravo-zulu":   newest ISAKMP SA: #1; newest IPsec SA: #3;
> 000 "bravo-zulu":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
> 000
> 000 #3: "bravo-zulu":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28026s; newest IPSEC; eroute owner
> 000 #3: "bravo-zulu" esp.2549d809 at 203.161.71.190 esp.f6c5b82a at 202.72.167.27 tun.0 at 203.161.71.190 tun.0 at 202.72.167.27
> 000 #2: "bravo-zulu":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26858s
> 000 #2: "bravo-zulu" esp.b72ad41a at 203.161.71.190 esp.e40902a at 202.72.167.27 tun.0 at 203.161.71.190 tun.0 at 202.72.167.27
> 000 #1: "bravo-zulu":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1543s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
> 000
>
>
> ifconfig -a does not show an ipsec0 interface, should I see an ipsec
> interface on the hosts?
>
> Cheers
>
> Phil
>
> On 27/11/2007, Paul Wouters <paul at xelerance.com> wrote:
> >
> > On Mon, 26 Nov 2007, Phil Wild wrote:
> >
> > > I posted the below to the list about a week ago and did not get any
> > > responses. Does anyone have any ideas what is going wrong with my
> > > configuration as I have not been able to get any further.
> >
> > > > Nov 20 14:25:15 bravo ipsec__plutorun: ...could not start conn "bravo-zulu"
> > > > netstat -rn on host zulu shows:
> > > >
> > > > Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> > > > 203.161.90.1    0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
> > > > 10.3.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth1
> > > > 192.168.10.0    203.161.90.1    255.255.255.0   UG        0 0          0 ppp0
> > > > 0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 ppp0
> >
> > Blame your ISP if that is really the default route you got. Try changing to
> > something that might make sense. Run a traceroute and check what your
> > real gateway is, then do a "route add -host ipofgw dev ppp0" and
> > "route add default gw ipofgw"
> >
> > Paul
> >
>
>
>
> --
> Tel: 0400 466 952
> Fax: 0433 123 226
> email: philwild at gmail.com
>
>


-- 
Tel: 0400 466 952
Fax: 0433 123 226
email: philwild at gmail.com
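Added example, not part of the thread and not Openswan's or Shorewall's code: a small Python triage script that applies the checks Peter lists above to the output Phil pasted. It parses `ipsec auto --status` for the connection's phase 1 and phase 2 states and its srcip/dstip, then classifies Shorewall/netfilter log lines as ESP, IKE (UDP 500/4500) or cleartext traffic between the two tunnelled subnets, flags anything DROPped or REJECTed, and warns when cleartext tunnel traffic leaves the public interface with no outbound ESP logged alongside it. The status lines and the first log line are copied from the messages above (re-joined onto single lines); the ESP and UDP/500 log lines, the `net2fwall` chain name, the timestamps and the SPI values in them are constructed. It goes slightly beyond Peter's list in that STATE_MAIN_R3 and STATE_QUICK_R2, Openswan's responder-side counterparts of the initiator states he names, also count as established; nothing else is assumed.

```python
import ipaddress
import re

# `ipsec auto --status` lines copied (re-joined) from bravo's post in the thread.
STATUS_SAMPLE = """\
000 "bravo-zulu": 192.168.10.0/24===202.72.167.27[@bravo.gastech.com.au]---202.72.167.25...203.161.90.1---203.161.71.190[@zulu]===10.3.0.0/24; erouted; eroute owner: #3
000 "bravo-zulu":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 #3: "bravo-zulu":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28026s; newest IPSEC; eroute owner
000 #1: "bravo-zulu":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1543s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
"""
# Kernel log: line 1 copied from zulu's syslog above; the ESP/UDP 500 lines, the
# net2fwall chain name, timestamps and SPIs are CONSTRUCTED for illustration.
LOG_SAMPLE = """\
Nov 29 01:40:14 zulu kernel: [867825.734164] Shorewall:fwall2net:LOG:IN= OUT=ppp0 SRC=10.3.0.3 DST=192.168.10.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=28735 SEQ=1
Nov 29 01:40:14 zulu kernel: [867825.734201] Shorewall:fwall2net:LOG:IN= OUT=ppp0 SRC=203.161.71.190 DST=202.72.167.27 LEN=136 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ESP SPI=0xf6c5b82a
Nov 29 01:40:15 zulu kernel: [867826.001000] Shorewall:net2fwall:DROP:IN=ppp0 OUT= SRC=202.72.167.27 DST=203.161.71.190 LEN=136 TOS=0x00 PREC=0x00 TTL=52 ID=4711 PROTO=ESP SPI=0x2549d809
Nov 29 01:40:15 zulu kernel: [867826.002000] Shorewall:net2fwall:DROP:IN=ppp0 OUT= SRC=202.72.167.27 DST=203.161.71.190 LEN=120 TOS=0x00 PREC=0x00 TTL=52 ID=4712 PROTO=UDP SPT=500 DPT=500 LEN=100
"""
TOPOLOGY_RE = re.compile(r'^000 "(?P<name>[^"]+)":\s+(?P<lsub>\S+?)===(?P<left>\S+?)\[.*?\]---'
                         r'.*?\.\.\..*?---(?P<right>\S+?)\[.*?\]===(?P<rsub>\S+?);')
SOURCEIP_RE = re.compile(r'^000 "(?P<name>[^"]+)":\s+srcip=(?P<srcip>[^;]+); dstip=(?P<dstip>[^;]+);')
STATE_RE = re.compile(r'^000 #\d+: "(?P<name>[^"]+)":\d+ (?P<state>STATE_\w+)')
NFLOG_RE = re.compile(r'Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$')
# Established states: the initiator ones Peter names plus Openswan's responder side.
PHASE1_UP = {"STATE_MAIN_I4", "STATE_MAIN_R3"}
PHASE2_UP = {"STATE_QUICK_I2", "STATE_QUICK_R2"}

def parse_status(text):
    """Per-connection topology, srcip/dstip and the set of SA states seen."""
    conns = {}
    for line in text.splitlines():
        for rx in (TOPOLOGY_RE, SOURCEIP_RE, STATE_RE):
            m = rx.match(line)
            if m:
                c = conns.setdefault(m["name"], {"states": set()})
                d = m.groupdict()
                if "state" in d:
                    c["states"].add(d.pop("state"))
                del d["name"]
                c.update(d)
                break
    return conns

def tunnel_verdict(conn):
    """Peter's order of checks: phase 1, then phase 2, then the source addresses."""
    phase1, phase2 = bool(conn["states"] & PHASE1_UP), bool(conn["states"] & PHASE2_UP)
    if not phase1:
        notes = ["no ISAKMP SA: IKE is not completing (UDP 500/4500 reachability, IDs, keys)"]
    elif not phase2:
        notes = ["ISAKMP SA only: phase 2 fails, check left/rightsubnet and ESP (proto 50)"]
    else:
        notes = ["IPsec SA established: tunnel is up, look at firewall, NAT and routing"]
    if "unset" in (conn.get("srcip"), conn.get("dstip")):
        notes.append("srcip/dstip unset: a ping from the gateway itself is sourced from its "
                     "public address, outside the tunnelled subnet; ping from LAN hosts or "
                     "set leftsourceip/rightsourceip")
    return phase1, phase2, notes

def parse_nflog(line):
    """Shorewall/netfilter log line -> dict of KEY=value fields, or None."""
    m = NFLOG_RE.search(line)
    if not m:
        return None
    fields = {"CHAIN": m["chain"], "DISP": m["disp"]}
    for tok in m["rest"].split():
        if "=" in tok:
            fields.setdefault(*tok.split("=", 1))  # first ID=/LEN= is the IP header's
    return fields

def classify(f, conn):
    """'esp' | 'ike' | 'tunnel' (cleartext between the two subnets) | 'other'."""
    if f.get("PROTO") in ("ESP", "50"):
        return "esp"
    if f.get("PROTO") == "UDP" and {f.get("SPT"), f.get("DPT")} & {"500", "4500"}:
        return "ike"
    src, dst = ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"])
    l, r = ipaddress.ip_network(conn["lsub"]), ipaddress.ip_network(conn["rsub"])
    return "tunnel" if (src in l and dst in r) or (src in r and dst in l) else "other"

def triage_log(text, conn):
    """(kind, chain, message) for each log line that matters to this tunnel."""
    findings, esp_out, clear_out = [], False, False
    for f in filter(None, map(parse_nflog, text.splitlines())):
        kind = classify(f, conn)
        if kind == "other":
            continue
        if f["DISP"] in ("DROP", "REJECT"):
            findings.append((kind, f["CHAIN"], "blocked: this needs an ACCEPT rule"))
        elif kind == "esp" and f.get("OUT"):
            esp_out = True
        elif kind == "tunnel" and f.get("OUT"):
            clear_out = True
            findings.append((kind, f["CHAIN"], "cleartext on %s: with NETKEY this is the "
                             "pre-encapsulation view; it should reappear as ESP" % f["OUT"]))
    if clear_out and not esp_out:
        findings.append(("tunnel", "-", "no outbound ESP logged: packets leave in the clear; "
                         "check `ip xfrm policy` and that the route does not bypass the tunnel"))
    return findings

if __name__ == "__main__":
    for name, conn in parse_status(STATUS_SAMPLE).items():
        print(name, tunnel_verdict(conn), triage_log(LOG_SAMPLE, conn), sep="\n  ")
```

Run as-is to see the verdict for the pasted output; on a live gateway, feed it the real `ipsec auto --status` and the Shorewall lines from syslog instead of the samples. Note that the fwall2net LOG line for 10.3.0.3 -> 192.168.10.2 is expected with NETKEY: netfilter sees the packet once in the clear and again as ESP on the same interface, so the useful questions are whether the ESP copy follows it and whether both ends accept ESP, UDP 500 and UDP 4500 from the peer and exclude the tunnelled traffic from any MASQUERADE, as Peter describes.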