[Openswan Users] Packets not passing through Tunnel

Peter McGill petermcgill at goco.net
Thu Mar 13 10:18:53 EDT 2008


Well, it's not a particularly strong firewall script, but that's another issue.
To fix your ipsec problem, you should change this...
 iptables -A FORWARD -i ${WAN} -d 10.5.0.0/255.255.0.0 -j ACCEPT
+ iptables -t nat -I POSTROUTING -o ${WAN} -d 10.8.13.113/32 -j ACCEPT
 iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

 
Peter McGill
 


  _____  

From: Khan, Hammad Aslam [mailto:raohammad at gmail.com] 
Sent: March 12, 2008 5:44 PM
To: petermcgill at goco.net
Cc: users at openswan.org
Subject: Re: [Openswan Users] Packets not passing through Tunnel


I tried to make them work again (as per my understanding) but couldn't make it happen;
maybe you can help to edit this file :-) (that I've made to configure firewall)... this can be a valuable asset to the mailing list
too...
 
##First we flush our current rules
iptables -F
iptables -t nat -F

##Setup default policies to handle unmatched traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

##Copy and paste these examples ...
export LAN=eth1
export WAN=eth0

##Then we lock our services so they only work from the LAN
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT

##(Optional) Allow access to our ssh server from the WAN
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

##Drop TCP / UDP packets to privileged ports
iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP

##Finally we add the rules for NAT
iptables -I FORWARD -i ${LAN} -d 10.5.0.0/255.255.0.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 10.5.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 10.5.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# allow IPsec IKE negotiations
iptables -I INPUT  -p udp --sport 500 --dport 500 -j ACCEPT
iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT

# ESP encryption and authentication
iptables -I INPUT  -p 50 -j ACCEPT
iptables -I OUTPUT -p 50 -j ACCEPT

##Tell the kernel that ip forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

##This is so when we boot we don't have to run the rules by hand
/etc/init.d/iptables save
rc-update add iptables default
nano /etc/sysctl.conf

##Add/Uncomment the following lines:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
 
 
Regards,
Hammad


On Thu, Mar 13, 2008 at 2:07 AM, Peter McGill <petermcgill at goco.net> wrote:


Two problems here:
 
First, you cannot MASQ the ipsec packets, so...
iptables -t nat -I POSTROUTING -d 10.8.13.113/32 -j ACCEPT
before
iptables -t nat -A POSTROUTING -s 10.5.0.0/16 -j MASQUERADE
 
Second, you cannot drop all packets to local and expect remote to get through...
So, change your forward chain...
remove this rule
iptables -t filter -A FORWARD -d 10.5.0.0/16 -j DROP
(This one might have additional options limiting what it drops, making it ok,
but I cannot tell without the -v (--verbose) flag on iptables.)
 
P.S. you didn't actually show us your full rules here, next time you might try this:
iptables -t filter -L -n -v
iptables -t nat -L -n -v
iptables -t mangle -L -n -v
 
Peter McGill
 


  _____  


From: Khan, Hammad Aslam [mailto:raohammad at gmail.com]
Sent: March 12, 2008 4:43 PM
To: petermcgill at goco.net
Cc: users at openswan.org
Subject: Re: [Openswan Users] Packets not passing through Tunnel


and what do you comment about my firewall settings?
Attached is more Formatted one... thanking in anticipation
 
 
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:500 dpt:500
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
5    REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67 reject-with icmp-port-unreachable
6    REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53 reject-with icmp-port-unreachable
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
8    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:0:1023
9    DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:0:1023
Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            10.5.0.0/16
2    ACCEPT     all  --  10.5.0.0/16          0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            10.5.0.0/16
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:500 dpt:500


 
On Wed, Mar 12, 2008 at 8:56 PM, Peter McGill <petermcgill at goco.net> wrote:


No, that should be working if ISAKMP SA and IPSec SA established.
 
> A ping from 10.5.125.105 to 10.8.13.113 and vice versa should work.
 
Peter McGill
 



  _____  


From: Khan, Hammad Aslam [mailto:raohammad at gmail.com]
Sent: March 12, 2008 11:48 AM
To: petermcgill at goco.net
Cc: users at openswan.org
Subject: Re: [Openswan Users] Packets not passing through Tunnel


OK, thanks, but what if I don't want my gateway to talk to remote private, and instead I just want to access remote private from my-private;
will I be required to make changes even in that case?

rgds,
Hammad


On Wed, Mar 12, 2008 at 7:47 PM, Peter McGill <petermcgill at goco.net> wrote:


You cannot use route add or ip route add with openswan; you
must specify the traffic which uses the tunnel in left/rightsubnet(s).
To clarify, where are you pinging/telnetting from?
A ping from 10.5.125.105 to 10.8.13.113 and vice versa should work.
A ping from 10.5.125.100 or 58.58.58.58 will not work because you
have not included them in leftsubnet.
Likewise a ping from 202.202.202.202 or ?.?.?.? to 10.5.. will not work.
Pings to 58... and 202... will work but not encrypted, plain internet.
If you want your gateway to be able to communicate with remote private
also, then change your conn as follows:
    leftsourceip=10.5.125.100  # gw will use this instead of 58... to talk to rem. priv.
    leftsubnet=10.5.125.96/28  # you'll need to change subnet on cisco too
 
Peter McGill
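As an added illustration (not code from this thread, and not Openswan's own code), the following Python model ties together the two points Peter makes in his replies: that the nat POSTROUTING chain rewrites the source address before the NETKEY policy lookup, so a MASQUERADEd packet no longer matches leftsubnet and never becomes ESP unless an ACCEPT for the tunnel destination precedes the MASQUERADE rule, and that the gateway's own LAN address only enters the tunnel once leftsubnet is widened to cover it. The addresses, subnets and rule order are the ones in the thread; the chain-walking functions, their names and the summary() cases are my own simplification, and a real kernel additionally consults conntrack state and the routing decision, which this model leaves out.

```python
"""Constructed model of the thread's iptables/IPsec interaction (illustration only).

Simplified rules: nat POSTROUTING is walked first, then the IPsec policy
(SPD) selectors derived from leftsubnet/rightsubnet are checked against the
possibly-rewritten packet, which is how NETKEY behaves on Linux.
"""
import ipaddress

# Topology as described in the thread
LAN_HOST = "10.5.125.105"      # my private
GW_LAN_IP = "10.5.125.100"     # my gateway, eth1 (what leftsourceip would select)
GW_WAN_IP = "58.58.58.58"      # my gateway, eth0
REMOTE_HOST = "10.8.13.113"    # remote private

ANY = "0.0.0.0/0"


def _in(addr, net):
    """True if addr falls inside the CIDR network net."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def postrouting_src(rules, src, dst, wan_ip=GW_WAN_IP):
    """Walk nat POSTROUTING rules in order; each rule is (dst_net, target).
    ACCEPT ends traversal with the source untouched; MASQUERADE rewrites the
    source to the outgoing interface address. The chain policy is ACCEPT."""
    for dst_net, target in rules:
        if _in(dst, dst_net):
            if target == "ACCEPT":
                return src
            if target == "MASQUERADE":
                return wan_ip
    return src


def policy_matches(src, dst, leftsubnet, rightsubnet):
    """The SPD selectors Openswan installs from leftsubnet/rightsubnet."""
    return _in(src, leftsubnet) and _in(dst, rightsubnet)


def enters_tunnel(src, dst, nat_rules, leftsubnet, rightsubnet):
    """Outbound packet from the local side: NAT first, then policy lookup.
    A masqueraded source no longer matches leftsubnet, so the packet leaves
    in the clear instead of as ESP (the symptom reported in the thread)."""
    src_after_nat = postrouting_src(nat_rules, src, dst)
    return policy_matches(src_after_nat, dst, leftsubnet, rightsubnet)


def forward_verdict(rules, in_iface, src, dst, policy="DROP"):
    """Walk filter FORWARD rules; each rule is (in_iface or None, src_net, dst_net, target)."""
    for iface, src_net, dst_net, target in rules:
        if (iface is None or iface == in_iface) and _in(src, src_net) and _in(dst, dst_net):
            return target
    return policy


# Hammad's nat chain (MASQUERADE only) beside Peter's corrected ordering
BROKEN_NAT = [(ANY, "MASQUERADE")]
FIXED_NAT = [(REMOTE_HOST + "/32", "ACCEPT"), (ANY, "MASQUERADE")]

# FORWARD chain as written in Hammad's script: the first DROP is limited to
# -i eth1, so decrypted replies arriving via eth0 still reach the LAN. This is
# the detail "iptables -L" without -v hides and Peter asks about.
FORWARD_RULES = [
    ("eth1", ANY, "10.5.0.0/16", "DROP"),
    ("eth1", "10.5.0.0/16", ANY, "ACCEPT"),
    ("eth0", ANY, "10.5.0.0/16", "ACCEPT"),
]

NARROW_LEFT = LAN_HOST + "/32"     # leftsubnet from the posted ipsec.conf
WIDE_LEFT = "10.5.125.96/28"       # leftsubnet Peter suggests for the gateway case
RIGHT = REMOTE_HOST + "/32"


def summary():
    """The thread's ping cases, evaluated against the model."""
    return {
        "lan_host_broken": enters_tunnel(LAN_HOST, REMOTE_HOST, BROKEN_NAT, NARROW_LEFT, RIGHT),
        "lan_host_fixed": enters_tunnel(LAN_HOST, REMOTE_HOST, FIXED_NAT, NARROW_LEFT, RIGHT),
        "gw_narrow_subnet": enters_tunnel(GW_LAN_IP, REMOTE_HOST, FIXED_NAT, NARROW_LEFT, RIGHT),
        "gw_wide_subnet": enters_tunnel(GW_LAN_IP, REMOTE_HOST, FIXED_NAT, WIDE_LEFT, RIGHT),
        "reply_forwarded": forward_verdict(FORWARD_RULES, "eth0", REMOTE_HOST, LAN_HOST),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value}")
```

Running it shows the LAN host's packet dropping out of the tunnel under the MASQUERADE-only chain and entering it once the ACCEPT rule is inserted first, and the gateway's own address only qualifying with the /28 leftsubnet; the reply path through FORWARD is accepted because the DROP rule is interface-limited.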
 



  _____  

From: Khan, Hammad Aslam [mailto:raohammad at gmail.com] 
Sent: March 12, 2008 2:11 AM
To: petermcgill at goco.net
Cc: users at openswan.org
Subject: Re: [Openswan Users] Packets not passing through Tunnel


I already have enabled ip forwarding; 
My Setup is like;

my private          my gateway                      <<public>>   remote gw (cisco vpn 3000)   remote private
------------        ----------------------------------            --------------------------   --------------
|          |        |                                |            |                        |   |            |
| 10.5.125.105 === 10.5.125.100(eth1)  (eth0)58.58.58.58  >>><<<  202.202.202.202   ?.?.?.? ==== 10.8.13.113 |
|          |        |                                |            |                        |   |            |
------------        ----------------------------------            --------------------------   --------------


My Config file
config setup
        interfaces="ipsec0=eth0"
        plutodebug="all"
        nat_traversal=yes

conn nattelenor
         type=tunnel
         authby=secret                   # secret key
         auth=esp
         pfs=no
         keylife=28800
         keyingtries=3
         auto=add
         ike=3des-md5-modp1024
         esp=3des-md5
         left=58.58.58.58                # my external, internet-routable ip address, provided by NAT box
         leftsubnet=10.5.125.105/32
         right=202.202.202.202           # my peer's external, internet-routable ip address
         rightsubnet=10.8.13.113/32
         
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

My ipsec verify result

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.9/K2.6.18-1.2798.fc6 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]


Regards,
Hammad



On Tue, Mar 11, 2008 at 10:56 PM, Peter McGill <petermcgill at goco.net> wrote:


Did you add leftsourceip=leftlanip and rightsourceip=rightlanip?
Without them you can only ping hosts other than the ipsec gateway,
on the remote lan, and only from hosts on the local lan not the local
ipsec gateway.
Show us your ipsec.conf and ipsec verify.
 
Peter McGill
 


  _____  

From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Khan, Hammad Aslam
Sent: March 11, 2008 1:45 PM
To: users at openswan.org
Subject: [Openswan Users] Packets not passing through Tunnel


Hello everyone,
My tunnel has been successfully established (both ISAKMP and IPSEC are UP);
but when I try to ping/telnet the remote end's private network PC I don't get any response.

Using tcpdump -i eth0 (which is my public interface of GW) it shows that GW is querying the internet for remote-private-nw using ARP. No
ESP packets are seen...

I added a route of
# route add <remote-private-ip> gw <remote-public-ip>
...but still, I see the same result?

Please help.

Regards,
Hammad





