<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16544" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV dir=ltr align=left><SPAN class=717591819-23102007><FONT face=Arial
color=#0000ff size=2>If I've understood your post correctly you have a public
eth0 interface with a 189.2.x.x IP,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=717591819-23102007><FONT face=Arial
color=#0000ff size=2>and a virtual eth0:0 with a different (similar) IP,
which I'll call 189.2.v.v.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=717591819-23102007><FONT face=Arial
color=#0000ff size=2>Your IPSec traffic using eth0:0 is incorrectly being NATed
to 189.2.x.x by your SNAT rule?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=717591819-23102007>
<DIV dir=ltr align=left><SPAN class=717591819-23102007><FONT face=Arial
color=#0000ff size=2>(Note: if you have more than one IP in 189.2.x.x range then
don't mask both as .x.x!</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=717591819-23102007><FONT face=Arial
color=#0000ff size=2>It's confusing as hell and impossible to determine which
routes go where...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=717591819-23102007><FONT face=Arial
color=#0000ff size=2>If you hide your IPs at least uniquely identify
each.)</FONT></SPAN></DIV></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=717591819-23102007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=717591819-23102007><FONT face=Arial
color=#0000ff size=2>If that's the case then try this
change:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=717591819-23102007><FONT face=Arial
color=#0000ff size=2>$IPTABLES -t nat -A POSTROUTING -o eth0 -s !
189.2.v.v -j SNAT --to-source 189.2.x.x</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=717591819-23102007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV> </DIV><BR>
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> users-bounces@openswan.org
[mailto:users-bounces@openswan.org] <B>On Behalf Of </B>Giovani Moda - MR
Informática<BR><B>Sent:</B> October 23, 2007 2:11 PM<BR><B>To:</B>
users@openswan.org<BR><B>Subject:</B> [Openswan Users] openswan,alias
interface and advanced routing (very long)<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV><FONT face=Arial size=2>Hello,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>It's been a while since I don't need your help,
but I've been pulling my hair out on this one and can't seem to figure it out.
Here it goes:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I have two servers connected trhough three
tunnels:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>net1-to-net2</FONT></DIV>
<DIV><FONT face=Arial size=2>server1-to-net2</FONT></DIV>
<DIV><FONT face=Arial size=2>net1-to-server2</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>In this particular case, I had to create the
tunnels using an alias interface of eth0, since the servers exchange non
encrypted communication, wich is huge and would overload the tunnels
if encrypted. In both servers, the external interface is eth0, and there
are aliases interfaces eth0:0. I can do that, since both ends have up to four
valid ips I can use. </FONT><FONT face=Arial size=2>So, the scenario is
something like:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial
size=2>
</FONT></DIV>
<DIV><FONT face=Arial size=2>net1 -> eth0:0 -> eth0 -> internet ->
eth0 -> eth0:0 -> net2</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>To make things more difficult (of course), at
server1, there's a second internet link, on wich there are traffic control
rules. That would be eth2. To acomplish the balancing between those links, a
set of advanced rules using ip rule have been created. I'll not mention the
HTB rules here, since they are specifically bonded to eth2, and only
eth2. And that's where all the problems began. It was all working 'till
I've added that second link and subsequent advanced rules.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Here are the advanced routing
rules:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>
<DIV><FONT face=Arial size=2>ip rule</FONT></DIV>
<DIV><FONT face=Arial size=2>0: from all lookup
local<BR>18: from all fwmark 0x3 lookup
router1<BR>19: from all fwmark 0x4 lookup
router2<BR>20: from all fwmark 0x5 lookup
router3</FONT></DIV>
<DIV><FONT face=Arial size=2>22: from 189.2.x.x lookup
router3 --> ip of eth0:0<BR>22: from 189.2.x.x
lookup router1 --> ip of eth0<BR>23: from
189.19.x.x lookup router2 --> ip of eth2<BR>32766: from all lookup
main<BR>32767: from all lookup default<BR></DIV></FONT></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>ip route show main</FONT></DIV>
<DIV><FONT face=Arial size=2>189.2.x.x via 189.2.x.x dev ipsec1
<BR>189.2.x.x/26 dev eth0 proto kernel scope link src
189.2.x.x<BR>189.2.x.x/26 dev ipsec0 proto kernel scope link
src 189.2.x.x<BR>189.2.x.x/26 dev ipsec1 proto kernel scope
link src 189.2.x.x<BR>189.19.x.x/24 dev eth2 proto kernel
scope link src 189.19.x.x<BR>172.31.72.0/22 via 189.2.x.x dev
ipsec1<BR>172.31.68.0/22 dev eth1 proto kernel scope link
src 172.31.68.1<BR>default<BR>
nexthop via 189.2.x.x dev eth0 weight
1<BR> nexthop via 189.19.x.x
dev eth2 weight 1</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>ip route show table router1</FONT></DIV>
<DIV><FONT face=Arial size=2>189.2.x.x/26 dev eth0 scope link src
189.2.x.x --> ip of eth0<BR>189.19.x.x/24 dev eth2 scope link
src 189.19.x.x<BR>172.31.68.0/22 dev eth1 scope link src
172.31.68.1<BR>127.0.0.0/8 dev lo scope link<BR>default via 189.2.x.x
dev eth0 src 189.2.x.x --> ip of eth0</FONT></DIV><FONT face=Arial
size=2>
<DIV><BR>ip route show table router2</DIV>
<DIV>189.2.x.x/26 dev eth0 scope link src
189.2.x.x<BR>189.19.x.x/24 dev eth2 scope link src
189.19.x.x<BR>172.31.68.0/22 dev eth1 scope link src
172.31.68.1<BR>127.0.0.0/8 dev lo scope link<BR>default via 189.19.x.x
dev eth2 src 189.19.x.x --> ip from eth2</DIV>
<DIV> </DIV>
<DIV>ip route show table router3</DIV>
<DIV>189.2.x.x/26 dev eth0 scope link src 189.2.x.x --> ip of
eth0:0<BR>189.19.x.x/24 dev eth2 scope link src
189.19.x.x<BR>172.31.68.0/22 dev eth1 scope link src
172.31.68.1<BR>127.0.0.0/8 dev lo scope link<BR>default via 189.2.x.x
dev eth0 src 189.2.x.x --> ip of eth0:0<BR></DIV></FONT>
<DIV><FONT face=Arial size=2> </DIV>
<DIV>Some iptables rules to direct the traffic to it's desirable
destination:</DIV>
<DIV>$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source
189.2.x.x # make eth0 traffic go through eth0<BR>$IPTABLES -t nat -A
POSTROUTING -o eth2 -j SNAT --to-source 189.19.x.x # make eth2 traffic
go through eth2<BR>$IPTABLES -t mangle -A PREROUTING -p tcp -i eth1 --dport 80
-j MARK --set-mark 3 # http-trafic<BR>$IPTABLES -t mangle -A PREROUTING -p tcp
-i eth1 --dport 443 -j MARK --set-mark 3 # http-trafic<BR>$IPTABLES -t
mangle -A PREROUTING -p tcp -i eth1 --dport 25 -j MARK --set-mark 4 #
smtp<BR>$IPTABLES -t mangle -A PREROUTING -p tcp -i eth1 --dport 110 -j MARK
--set-mark 4 # pop3<BR>$IPTABLES -t mangle -A PREROUTING -p tcp -i eth1
--dport 143 -j MARK --set-mark 4 # imap<BR>$IPTABLES -t mangle -A PREROUTING
-p tcp -i eth1 --dport 20 -j MARK --set-mark 4 # ftp<BR>$IPTABLES -t mangle -A
PREROUTING -p tcp -i eth1 --dport 21 -j MARK --set-mark 4 # ftp<BR>$IPTABLES
-t mangle -A PREROUTING -p udp -i eth1 --dport 500 -j MARK --set-mark 5 #
ipsec identify redirected to table router3<BR>$IPTABLES -t mangle -A
PREROUTING -p udp -i eth1 --dport 4500 -j MARK --set-mark 5 # ipsec nat-t
redirected to table router3</DIV>
<DIV>$IPTABLES -t mangle -A PREROUTING -p ah -j MARK --set-mark 5 # ipsec
trafic redirected to table router3<BR>$IPTABLES -t mangle -A PREROUTING -p esp
-j MARK --set-mark 5 # ipsec trafic redirected to table router3<BR>$IPTABLES
-t mangle -A POSTROUTING -p ah -j MARK --set-mark 5 # ipsec trafic redirected
to table router3<BR>$IPTABLES -t mangle -A POSTROUTING -p esp -j MARK
--set-mark 5 # ipsec trafic redirected to table router3<BR>$IPTABLES -t mangle
-A OUTPUT -p tcp --dport 80 -j MARK --set-mark 3 # http-trafic<BR>$IPTABLES -t
mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark 3 #
http-trafic<BR>$IPTABLES -t mangle -A OUTPUT -p tcp --dport 25 -j MARK
--set-mark 4 # smtp<BR>$IPTABLES -t mangle -A OUTPUT -p tcp --dport 110 -j
MARK --set-mark 4 # pop3<BR>$IPTABLES -t mangle -A OUTPUT -p tcp --dport 20 -j
MARK --set-mark 4 # ftp</DIV>
<DIV>$IPTABLES -t mangle -A OUTPUT -p tcp --dport 21 -j MARK --set-mark 4 #
ftp<BR>$IPTABLES -t mangle -A OUTPUT -p udp --dport 500 -j MARK --set-mark 5 #
ipsec identify redirected to table router3<BR>$IPTABLES -t mangle -A OUTPUT -p
udp --dport 4500 -j MARK --set-mark 5 # ipsec nat-t redirected to table
router3<BR><BR>and finally my ipsec.conf</DIV>
<DIV>#</DIV>
<DIV>config setup<BR>
klipsdebug=none<BR>
plutodebug=none<BR>
interfaces="ipsec0=eth0
ipsec1=eth0:0"<BR>
nat_traversal=yes<BR>
uniqueids=yes<BR>
virtual_private=%v4:10.0.0.0/8,%v4:!172.31.0.0/12,%v4:192.168.0.0/24,%v4:192.168.1.0/24,%v4:192.168.2.0/24</DIV>
<DIV> </DIV>
<DIV>conn %default<BR>
compress=yes<BR>
disablearrivalcheck=no</DIV>
<DIV> </DIV>
<DIV>conn sp-to-pira<BR>
keyingtries=0<BR>
authby=rsasig<BR>
left=189.2.x.x --> ip of
eth0:0<BR>
leftnexthop=189.2.x.x</DIV>
<DIV>
leftsubnet=172.31.68.0/22<BR> <A
href="mailto:leftid=@pira">leftid=@pira.</A>..<BR>
leftrsasigkey=</DIV>
<DIV>
right=189.2.x.x<BR>
rightnexthop=189.2.x.x<BR>
rightsubnet=172.31.72/22<BR>
rightrsasigkey=<BR> <A
href="mailto:rightid=@sp">rightid=@sp...</A><BR>
auto=start</DIV>
<DIV> </DIV>
<DIV>conn sp-to-piranet<BR>
keyingtries=0<BR>
authby=rsasig<BR> left=189.2.x.x
--> ip of eth0:0<BR>
leftnexthop=189.2.x.x<BR>
leftsubnet=172.31.68.0/22<BR> <A
href="mailto:leftid=@pira">leftid=@pira...</A><BR>
leftrsasigkey=<BR>
right=189.2.x.x<BR>
rightnexthop=189.2.x.x<BR>
rightrsasigkey=<BR> <A
href="mailto:rightid=@sp....">rightid=@sp....</A></DIV>
<DIV> auto=start<BR></DIV>
<DIV>conn pira-to-spnet<BR>
keyingtries=0<BR>
authby=rsasig<BR> left=189.2.x.x
--> ip of eth0:0<BR>
leftnexthop=189.2.x.x<BR> <A
href="mailto:leftid=@pira">leftid=@pira...</A><BR>
leftrsasigkey=<BR>
right=189.2.x.x<BR>
rightnexthop=189.2.x.x<BR>
rightsubnet=172.31.72.0/22<BR>
rightrsasigkey=<BR> <A
href="mailto:rightid=@sp">rightid=@sp...</A><BR>
auto=start</DIV>
<DIV> </DIV>
<DIV>conn MR-AS<BR>
authby=rsasig<BR>
rightcert=mr.pem<BR>
rightid="C=BR..."<BR>
auto=add<BR> also=l2tp-ipsec</DIV>
<DIV> </DIV>
<DIV>conn RD1-AS<BR>
authby=rsasig<BR>
rightcert=rd1.pem<BR>
rightid="C=BR..."<BR>
auto=add<BR> also=l2tp-ipsec</DIV>
<DIV> </DIV>
<DIV>conn l2tp-ipsec<BR>
pfs=no<BR> left=189.2.x.x --> ip
of eth0<BR>
leftcert=mail1.pem<BR>
leftrsasigkey=%cert<BR>
leftsendcert=yes<BR>
leftprotoport=17/1701<BR>
right=%any<BR>
rightca=%same<BR>
rightprotoport=17/1701<BR>
rightrsasigkey=%cert<BR>
rightsubnet=vhost:%no,%priv<BR>
rekey=no</DIV>
<DIV> </DIV>
<DIV>include /etc/ipsec.d/examples/no_oe.conf<BR></DIV>
<DIV>#</DIV>
<DIV>So, all server-to-server and net-to-net traffic is supposed to go through
eth0:0 IP, and all roadwarrios connections through eth0 IP. The problem is:
it's not. All ipsec thaffic is reaching the other end with IP from eth0, and
not eth0:0, giving me this at server2:</DIV>
<DIV> </DIV>
<DIV>pluto[869]: packet from 189.2.x.x:500 (server1 eth0:0): initial Main Mode
message received on 189.2.x.x:500 (server2 eth0:0) but no connection has
been authorized. (obviously)</DIV>
<DIV> </DIV>
<DIV>And the MOST curious is that in server1 logs, I get a tunnel
estabilished through NAT-T with server2:</DIV>
<DIV> </DIV>
<DIV>pluto[1490]: "sp-to-piranet" #38: NAT-Traversal: Result using RFC 3947
(NAT-Traversal): peer is NATed</DIV>
<DIV>pluto[1490]: "sp-to-piranet" #38: STATE_MAIN_R3: sent MR3, ISAKMP SA
established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5
group=modp1536}</DIV>
<DIV> </DIV>
<DIV>Biy server2 IS NOT nated. There's a route mix up somewhere wich leads
server1 to believe that packets delivered to eth0:0 are being nated.</DIV>
<DIV> </DIV>
<DIV>So, as result, from server2 I can ping both server1 and subnet1, but not
the other way around. Except if I ping explicitly from the internel interface
(eth1), wich does not work for my purposes.</DIV>
<DIV> </DIV>
<DIV>ping 172.31.72.2<BR>PING 172.31.72.2 (172.31.72.2) 56(84) bytes of
data.</DIV>
<DIV>--- 172.31.72.2 ping statistics ---<BR>2 packets transmitted, 0 received,
100% packet loss, time 999ms<BR></DIV>
<DIV>ping -I eth1 172.31.72.2<BR>PING 172.31.72.2 (172.31.72.2) from
172.31.68.1 eth1: 56(84) bytes of data.<BR>64 bytes from 172.31.72.2:
icmp_seq=1 ttl=127 time=37.1 ms<BR>64 bytes from 172.31.72.2: icmp_seq=2
ttl=127 time=33.9 ms<BR>64 bytes from 172.31.72.2: icmp_seq=3 ttl=127
time=33.8 ms<BR>--- 172.31.72.2 ping statistics ---<BR>3 packets transmitted,
3 received, 0% packet loss, time 2000ms<BR></DIV>
<DIV>All roadwarriors connections are working. I'm pretty sure the problem
relies on:</DIV>
<DIV> </DIV>
<DIV>$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source
189.2.x.x<BR></DIV>
<DIV>But I cannot make the advanced rules work without it. I've already tried.
And I can't find a way to tell iptables to not SNAT packets with source IP of
eth0:0. So, can anyone please help me? Any suggestion would be dearly
appreciated.</DIV>
<DIV> </DIV>
<DIV>Thanks, and sorry for the very, very long post.<BR></DIV></FONT>
<DIV><FONT face=Arial size=2>Giovani
Moda</FONT></DIV></BLOCKQUOTE></BODY></HTML>