[Openswan Users] Questions regarding firewall and routing accommodations for openswan 2.6.28

Stephen Jones hivemynd at hivemynd.net
Mon Aug 9 00:21:06 EDT 2010


Greetings openswan users and gurus!

I am involved with a project that is attempting to drag the venerable 
SmoothWall 3.0 OSS firewall project kicking-and-screaming into the 21st 
century.  Among the many, many, many version upgrades required to 
re-establish the platform around modern versions of gcc 4.4.3 (from 
3.3.5) and current 2.6 kernels 2.6.32.17 (from 2.6.16.60), the openswan 
component was also updated to 2.6.28 (from 2.4.15).

It appears that openswan 2.6.28 (KLIPS) is installed and running on the 
modernized SmoothWall, however, the tunnels do not come up, and thus no 
traffic is passed. Both endpoints are identical platforms (i.e. same 
kernel, iptables and openswan versions).

My google-fu has failed me miserably in attempting to locate current 
how-to's for the newer versions of openswan that have the 'mast#' 
interfaces and what accommodations in routing and iptables rules are 
required on a firewall/gateway appliance such as the SmoothWall. I have 
read the 'Building and Integrating Virtual Private Networks with 
Openswan' from PACKT, 2006, but it appears to not cover the very latest 
versions, understandably (is there an updated version in the works, Paul?).

Three lead-off questions:
1. mast0: What IP is it supposed to end up with (I'm thinking the public 
IP, evidence: 
http://lists.openswan.org/pipermail/users/2010-June/018881.html)

2. Do there need to be explicit firewall rules addressing the mast0 
interface? (I have attempted to add these rules, but to no apparent 
effect. Please see the ipsec-barf output link below).

3. Does there need to be explicit routing added for the mast0 interface 
to the other side of the tunnel? (Currently, I am thinking no.)

Any nudges in the right direction are greatly appreciated!

Again, thank you for your time and consideration in helping us modernize 
the venerable OSS SmoothWall project!

Best regards,

~SJ
-----------------------------------------------
Platform and configuration information follows:

Platform(s) Summary (both ends are identical):
kernel: 2.6.32.17-phaeton #1 SMP Fri Aug 6 17:57:24 BST 2010 i686 GNU/Linux
iptables: iptables v1.4.8
openswan: Linux Openswan 2.6.28 (klips)


ipsec.conf:

version 2

config setup
	interfaces=%defaultroute
	klipsdebug=none
	plutodebug=none
	plutowait=no
	uniqueids=yes
	mast=no

conn clear
	auto=ignore

conn clear-or-private
	auto=ignore

conn private-or-clear
	auto=ignore

conn private
	auto=ignore

conn block
	auto=ignore

conn packetdefault
	auto=ignore

conn phaeton2phaeton
	ike=3des-md5
	esp=3des-md5
	authby=secret
	keyingtries=0
	left=192.168.1.40
	leftsubnet=192.168.4.0/24
	leftnexthop=%defaultroute
	right=192.168.1.50
	rightsubnet=192.168.10.0/24
	rightnexthop=%defaultroute
	compress=no
	auto=start

ipsec status:
IPsec running  - pluto pid: 6113
pluto pid 6113
No tunnels up

ipsec verify:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             	[OK]
Checking for IPsec support in kernel                        	[OK]
KLIPS detected, checking for NAT Traversal support          	[OK]
Checking that pluto is running                              	[OK]
Two or more interfaces found, checking IP forwarding        	[OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                   	[OK]
Checking for 'iptables' command                             	[OK]
Opportunistic Encryption Support                            	[DISABLED]


ipsec barf: 
http://www.hivemynd.net/smoothwall/phaeton/openswan/ipsec_barf_2.6.28.txt
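Independent of the mast0 questions, the IPsec traffic a gateway firewall must accept is the same on any Openswan version: IKE on UDP 500, NAT-T on UDP 4500 and ESP (IP protocol 50). The script below is an added example, not from the post, from SmoothWall or from Openswan: it scans an iptables-save style dump for those INPUT accept rules and prints the ones missing together with the standard iptables command for each. The function names and the sample dump are my own; the sample is constructed so that IKE and ESP are allowed but NAT-T is not.

```shell
#!/bin/sh
# Added example, not from the original post or from Openswan.
# Checks an iptables-save style dump for the INPUT accepts that IPsec needs
# on a gateway: IKE (udp/500), NAT-T (udp/4500) and ESP (IP protocol 50).
# The sample dump below is constructed: IKE and ESP are allowed, NAT-T is not.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
COMMIT'

# ipsec_rule_present DUMP REGEX -> exit 0 if some line of DUMP matches REGEX
ipsec_rule_present() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# ipsec_missing_rules DUMP -> prints one tag per missing accept rule
# (ike-udp-500, natt-udp-4500, esp-proto-50); prints nothing when all exist.
# The "( |$)" after the port stops --dport 500 from matching --dport 5000.
ipsec_missing_rules() {
    dump=$1
    ipsec_rule_present "$dump" '^-A INPUT .*-p udp .*--dport 500( |$).*-j ACCEPT' \
        || echo ike-udp-500
    ipsec_rule_present "$dump" '^-A INPUT .*-p udp .*--dport 4500( |$).*-j ACCEPT' \
        || echo natt-udp-4500
    ipsec_rule_present "$dump" '^-A INPUT .*-p (esp|50)( |$).*-j ACCEPT' \
        || echo esp-proto-50
}

# ipsec_suggest_rules -> reads tags on stdin and prints the standard iptables
# command for each (generic rules, not SmoothWall's own rule set)
ipsec_suggest_rules() {
    while read -r tag; do
        case $tag in
            ike-udp-500)   echo 'iptables -A INPUT -p udp --dport 500 -j ACCEPT' ;;
            natt-udp-4500) echo 'iptables -A INPUT -p udp --dport 4500 -j ACCEPT' ;;
            esp-proto-50)  echo 'iptables -A INPUT -p esp -j ACCEPT' ;;
        esac
    done
}

# Run against the constructed sample; on a live gateway (as root) pass
# "$(iptables-save)" instead of "$SAMPLE_RULES".
missing=$(ipsec_missing_rules "$SAMPLE_RULES")
if [ -n "$missing" ]; then
    echo "missing IPsec accept rules:"
    printf '%s\n' "$missing" | ipsec_suggest_rules
else
    echo "all IPsec accept rules present"
fi
```

On the sample dump the script reports only natt-udp-4500 and prints the matching iptables command. It checks the INPUT chain only; with KLIPS, traffic that is forwarded between the LAN and the tunnel interface is a separate FORWARD-chain question that the barf output, not this script, has to answer.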