On 11/25/06, <b class="gmail_sendername">Paul Wouters</b> &lt;<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>&gt; wrote:<div><span class="gmail_quote">
</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On Fri, 24 Nov 2006, Christian Brechbühler wrote:<br><br>> I'll let you know if I get it to work. But even without SNAT, I get this<br>> weird situation (not serious, but may be the same issue): When lithium<br>> establishes an IPsec tunnel to the vpn gateway, connections that lithium
<br>> initiates (ping, ssh, traceroute, http) work fine. Any connection to<br>> lithium that the gateway initiates fails. Is this normal? I suspect NO,<br>> and the firewall on the gateway may be ruining things.
<br><br>Use leftsourceip=firewallinternalIP</blockquote><div><br>
Hi Paul,<br>
<br>Thank you! I haven't gotten it to work yet. Can you spell this out a bit more, please?<br>
<br>
I'd like to tell you first about a connection between two
linux/openswan hosts, which doesn't use SNAT but exhibits the same
routing problem. (Outside IPs changed out of paranoia.)<br>
Here's the layout; the connection is between "lithium" and "vpn":<br>
<br>
<div style="margin-left: 40px;">"lithium" 192.168.2.2 (laptop) -- Linux Openswan U2.4.4/K2.6.9-1.11_FC2 (netkey)<br>
|<br>
belkin inside 192.168.2.1 (home router/NAT/firewall)<br>
belkin outside 24.61.22.33 (UDP port 500 forwarded to lithium)<br>
|<br>
internet (ISP Comcast)<br>
...<br>
internet (ISP Speakeasy)<br>
|<br>
"vpn" outside 66.92.44.163 -- Linux Openswan U2.4.4/K2.6.11-gentoo-r5 (netkey)<br>
"vpn" inside 10.0.0.1<br>
|<br>
10.0.0.0/24 private network<br>
</div>
</div><br>
ipsec.conf on lithium:<br>
<div style="margin-left: 40px;"><pre>
version 2.0 # conforms to second version of ipsec.conf speci

config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16
        interfaces=%defaultroute
        plutodebug="control parsing"

conn %default
        keyingtries=1
        compress=yes
        authby=rsasig
        right=%defaultroute
        rightcert=lithium.pem
        leftrsasigkey=%cert
        auto=add

conn boston
        leftsubnet=10.0.0.0/24
        left=66.92.44.163
        leftid="C=US, ST=Massachusetts, L=Boston, O=CompanyInc, CN=vpn"
</pre></div>
<br>
ipsec.conf on "vpn":<br>
<div style="margin-left: 40px;"><pre>
version 2.0

config setup
        plutodebug="control controlmore"
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.0.0/24
        interfaces=%defaultroute

conn %default
        keyingtries=1
        compress=yes
        auto=add

conn openswan-part
        leftsubnet=10.0.0.0/24
        #### rightsourceip=192.168.2.1
        rightsubnet=vhost:%no,%priv
        left=%defaultroute
        right=%any
        authby=rsasig|secret
        leftcert=vpn.pem
        rightrsasigkey=%cert
</pre></div>
<br>
After I bring the connection up (from lithium), 'route -n' reports the following new entries.<br>
On "lithium":<br>
<div style="margin-left: 40px; font-family: courier new,monospace;"><font size="1"><pre>
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        192.168.2.1     255.255.255.0   UG    0      0        0 eth0
</pre></font></div>
On "vpn":<br>
<div style="margin-left: 40px; font-family: courier new,monospace;"><font size="1"><pre>
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.2     66.92.44.161    255.255.255.255 UGH   0      0        0 eth1
</pre></font></div>
<br>
And from "lithium", I can reach (ping/ssh/tracepath) "vpn" and other hosts on the 10.0.0.0/24 network. E.g.:<br>
<div style="margin-left: 40px;"><pre>
$ tracepath 10.0.0.1
 1?: [LOCALHOST]     pmtu 1448
 1:  lithium.localdomain (192.168.2.2)                  0.081ms pmtu 1418
 1:  10.0.0.1 (10.0.0.1)                               34.536ms reached
     Resume: pmtu 1418 hops 1 back 1
</pre></div>
So far so good. Obviously I'm also getting the return packets.<br>
<br>
<span style="font-weight: bold;">The problem:</span> Any traffic
initiated by "vpn" toward 192.168.2.2 (lithium) fails. From
tracepath I see the packets go out the "normal" route to the public
internet; I see two Speakeasy hosts (starting with 66.92.44.161), then
"No reply" for all further hops.<br>
<br>
I tried changing ipsec.conf on "vpn" (left), setting once "leftsourceip=10.0.0.1" and the other time "rightsourceip=192.168.2.1".<br>
I "ipsec auto --replace"d the connection. It didn't make a difference.<br>
<br>
Thank you again for all your help.<br>
</div>
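To show why the leftsourceip suggestion matters for this setup, here is an added example (not from the thread and not Openswan code): a small Python model of the route lookup and the XFRM policy match that the netkey stack performs on "vpn". It assumes the gateway's eth1 address is 66.92.44.163 (the address shown in the diagram), that the host route for 192.168.2.2 via 66.92.44.161 is the one 'route -n' showed after the tunnel came up, and that the only policy selector is leftsubnet 10.0.0.0/24 to the road warrior's virtual host 192.168.2.2/32. A locally generated packet to lithium takes that host route and inherits eth1's address as its source, which is outside leftsubnet, so no policy matches and the packet leaves in the clear toward the ISP; pinning the source to 10.0.0.1, which is what leftsourceip does, makes the selector match.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the routing + XFRM policy lookup on "vpn" (hypothetical
# helper, not Openswan code). Addresses are the ones from the thread.


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    iface: str
    pref_src: ipaddress.IPv4Address  # address the kernel picks for local packets


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network  # leftsubnet on the gateway
    dst: ipaddress.IPv4Network  # the road warrior's virtual host


VPN_ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth1", ipaddress.ip_address("66.92.44.163")),
    Route(ipaddress.ip_network("10.0.0.0/24"), "eth0", ipaddress.ip_address("10.0.0.1")),
    # host route netkey added for the tunnel peer: via the ISP gateway on eth1
    Route(ipaddress.ip_network("192.168.2.2/32"), "eth1", ipaddress.ip_address("66.92.44.163")),
]
VPN_POLICIES = [Policy(ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("192.168.2.2/32"))]


def route_lookup(routes, dst):
    """Longest-prefix match, as the kernel FIB does."""
    candidates = [r for r in routes if dst in r.dst]
    return max(candidates, key=lambda r: r.dst.prefixlen)


def classify(dst, src=None, routes=VPN_ROUTES, policies=VPN_POLICIES):
    """Return (treatment, source, iface) for a packet sent to dst.

    src=None models a locally generated packet, whose source address is
    chosen from the route; a forwarded LAN packet, or a local packet sent
    with leftsourceip=10.0.0.1 in effect, arrives with src already fixed."""
    dst = ipaddress.ip_address(dst)
    route = route_lookup(routes, dst)
    src = route.pref_src if src is None else ipaddress.ip_address(src)
    for p in policies:
        if src in p.src and dst in p.dst:
            return ("ipsec", str(src), route.iface)
    # No policy selector matched: the packet goes out unencrypted
    return ("cleartext", str(src), route.iface)


if __name__ == "__main__":
    print("vpn -> lithium, default source :", classify("192.168.2.2"))
    print("vpn -> lithium, leftsourceip    :", classify("192.168.2.2", src="10.0.0.1"))
    print("LAN host -> lithium (forwarded) :", classify("192.168.2.2", src="10.0.0.50"))
```

The first call reproduces the symptom in the message (packet leaves eth1 in the clear with the public address as source); the second shows the effect of forcing the source to the inside address.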