<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16544" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>
<DIV><FONT face=Arial size=2>Ok, my bad. Let me clear it up a bit:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>eth0 = 189.2.x.x</FONT></DIV>
<DIV><FONT face=Arial size=2>eth0:0 = 189.2.x.y</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>only the last block changes.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I _think_ the SNAT rule is the problem, 'cause
that's the only thing I think would cause packets from server2 to 189.2.x.y
(eth0:0) to be detected and NATed. I'll try to exclude 189.2.x.y from
the SNAT rule and see how it goes, but I _think_ I might have already tried it.
I've made so many changes in the last couple of days that I don't really know
for sure.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Thanks,</FONT></DIV>
<DIV> </DIV></FONT></DIV>
<DIV>Giovani Moda<BR></DIV>
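<DIV><FONT face=Arial size=2>An added illustration, not part of this thread and not Openswan code: a small Python model of first-match semantics in the nat POSTROUTING chain, run over the three rule variants that come up in the thread, i.e. the original unconditional SNAT on eth0, Peter's negated-source version, and an alternative (my addition, not from the thread) that puts an ACCEPT rule for the eth0:0 address ahead of the SNAT rule. The addresses are RFC 5737 documentation placeholders standing in for 189.2.x.x and 189.2.x.y; the function names and the packet model are mine, and nothing here touches a real netfilter.</FONT></DIV>

```python
"""Toy model of netfilter's nat POSTROUTING chain (added example, not from the
thread or from Openswan).  It shows why an unconditional SNAT on eth0 rewrites
IPsec packets that were sent from the eth0:0 alias address, and what the two
usual exclusions do.  All addresses are RFC 5737 documentation placeholders."""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

ETH0_IP = "198.51.100.10"    # constructed stand-in for 189.2.x.x (eth0, roadwarriors)
ETH0_0_IP = "198.51.100.11"  # constructed stand-in for 189.2.x.y (eth0:0, site tunnels)
LAN_HOST = "172.31.68.5"     # constructed host on leftsubnet 172.31.68.0/22 behind eth1


@dataclass
class Packet:
    src: str      # source address as it is when the packet reaches POSTROUTING
    out_if: str   # egress interface chosen by the routing decision


@dataclass
class NatRule:
    """One nat POSTROUTING rule: -o OUT_IF [! ]-s SRC -j TARGET [--to-source TO]."""
    out_if: Optional[str]
    src: Optional[str]            # address or CIDR; None means any source
    src_negated: bool             # True models "-s ! addr"
    target: str                   # "SNAT" or "ACCEPT"
    to_source: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.out_if is not None and pkt.out_if != self.out_if:
            return False
        if self.src is not None:
            in_range = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src, strict=False)
            if in_range == self.src_negated:   # negation flips the match
                return False
        return True


def observed_source(chain: List[NatRule], pkt: Packet) -> str:
    """Source address the remote peer sees after the chain has run.
    The first matching terminating rule wins: SNAT rewrites the source, ACCEPT
    leaves it alone and (in the nat table) ends rule traversal for that
    connection, and no match at all means no translation."""
    for rule in chain:
        if rule.matches(pkt):
            if rule.target == "SNAT":
                return rule.to_source
            if rule.target == "ACCEPT":
                return pkt.src
            raise ValueError(f"unsupported target {rule.target}")
    return pkt.src


def peer_reports_nat(address_hashed_by_sender: str, address_on_the_wire: str) -> bool:
    """NAT-T detection in a nutshell: each side hashes its own address and port
    into a NAT-D payload; if the receiver sees a different source address than
    the one the sender hashed, the sender is reported as being behind NAT."""
    return address_hashed_by_sender != address_on_the_wire


# The rule as posted in the thread: every packet leaving eth0 is rewritten.
ORIGINAL = [NatRule("eth0", None, False, "SNAT", ETH0_IP)]

# Peter's suggestion: -o eth0 -s ! <eth0:0 ip> -j SNAT --to-source <eth0 ip>
NEGATED_SOURCE = [NatRule("eth0", ETH0_0_IP, True, "SNAT", ETH0_IP)]

# Alternative (my addition): an ACCEPT for the alias address ahead of the SNAT
# rule.  In the nat table ACCEPT means "no NAT for this connection".
ACCEPT_FIRST = [
    NatRule("eth0", ETH0_0_IP, False, "ACCEPT"),
    NatRule("eth0", None, False, "SNAT", ETH0_IP),
]


def walk_through(chain: List[NatRule]) -> dict:
    """Observed source for the three kinds of packets that leave eth0 in the
    thread's setup: IKE/ESP from the alias, LAN traffic, roadwarrior IKE."""
    return {
        "tunnel_from_alias": observed_source(chain, Packet(ETH0_0_IP, "eth0")),
        "lan_host": observed_source(chain, Packet(LAN_HOST, "eth0")),
        "roadwarrior_from_eth0": observed_source(chain, Packet(ETH0_IP, "eth0")),
    }


if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL), ("negated-source", NEGATED_SOURCE),
                        ("accept-first", ACCEPT_FIRST)):
        seen = walk_through(chain)
        print(f"{name:15s} {seen}  peer reports NAT for alias: "
              f"{peer_reports_nat(ETH0_0_IP, seen['tunnel_from_alias'])}")
```

<DIV><FONT face=Arial size=2>Two caveats the model leaves out. The nat table is consulted only for the first packet of a connection and the decision is cached in conntrack, so after changing the rule the old mapping for an already-running IKE exchange survives until that conntrack entry expires or is flushed. And <code>-s ! addr</code> is the pre-2009 negation spelling; recent iptables releases accept only <code>! -s addr</code>, so a script copied from this thread needs that adjustment on a current box.</FONT></DIV>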
<BLOCKQUOTE dir=ltr
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=petermcgill@goco.net href="mailto:petermcgill@goco.net">Peter
McGill</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=giovani@mrinformatica.com.br
href="mailto:giovani@mrinformatica.com.br">'Giovani Moda - MR Informática'</A>
; <A title=users@openswan.org
href="mailto:users@openswan.org">users@openswan.org</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Tuesday, October 23, 2007 5:30
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> RE: [Openswan Users]
openswan,alias interface and advanced routing (very long)</DIV>
<DIV><BR></DIV>
<DIV dir=ltr align=left><SPAN class=717591819-23102007><FONT face=Arial
color=#0000ff size=2>If I've understood your post correctly you have a public
eth0 interface with a 189.2.x.x IP,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=717591819-23102007><FONT face=Arial
color=#0000ff size=2>and a virtual eth0:0 with a different (similar) IP,
which I'll call 189.2.v.v.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=717591819-23102007><FONT face=Arial
color=#0000ff size=2>Your IPSec traffic using eth0:0 is incorrectly being
NATed to 189.2.x.x by your SNAT rule?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=717591819-23102007>
<DIV dir=ltr align=left><SPAN class=717591819-23102007><FONT face=Arial
color=#0000ff size=2>(Note: if you have more than one IP in 189.2.x.x range
then don't mask both as .x.x!</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=717591819-23102007><FONT face=Arial
color=#0000ff size=2>It's confusing as hell and impossible to determine which
routes go where...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=717591819-23102007><FONT face=Arial
color=#0000ff size=2>If you hide your IPs at least uniquely identify
each.)</FONT></SPAN></DIV></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=717591819-23102007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=717591819-23102007><FONT face=Arial
color=#0000ff size=2>If that's the case then try this
change:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=717591819-23102007><FONT face=Arial
color=#0000ff size=2>$IPTABLES -t nat -A POSTROUTING -o eth0 -s !
189.2.v.v -j SNAT --to-source 189.2.x.x</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=717591819-23102007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV> </DIV><BR>
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> users-bounces@openswan.org
[mailto:users-bounces@openswan.org] <B>On Behalf Of </B>Giovani Moda - MR
Informática<BR><B>Sent:</B> October 23, 2007 2:11 PM<BR><B>To:</B>
users@openswan.org<BR><B>Subject:</B> [Openswan Users] openswan,alias
interface and advanced routing (very long)<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV><FONT face=Arial size=2>Hello,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>It's been a while since I've needed your help,
but I've been pulling my hair out on this one and can't seem to figure it
out. Here it goes:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I have two servers connected through three
tunnels:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>net1-to-net2</FONT></DIV>
<DIV><FONT face=Arial size=2>server1-to-net2</FONT></DIV>
<DIV><FONT face=Arial size=2>net1-to-server2</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>In this particular case, I had to create the
tunnels using an alias interface of eth0, since the servers exchange
non-encrypted communication, which is huge and would overload the tunnels
if encrypted. In both servers, the external interface is eth0, and
there are alias interfaces eth0:0. I can do that, since both ends have up
to four valid IPs I can use. </FONT><FONT face=Arial size=2>So, the scenario
is something like:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>net1 -> eth0:0 -> eth0 -> internet
-> eth0 -> eth0:0 -> net2</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>To make things more difficult (of course), at
server1 there's a second internet link, on which there are traffic control
rules. That would be eth2. To accomplish the balancing between those links, a
set of advanced rules using ip rule has been created. I'll not mention the
HTB rules here, since they are specifically bound to eth2, and only
eth2. And that's where all the problems began. It was all working 'til
I added that second link and the subsequent advanced rules.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Here are the advanced routing
rules:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>ip rule</FONT></DIV>
<PRE>
0:      from all lookup local
18:     from all fwmark 0x3 lookup router1
19:     from all fwmark 0x4 lookup router2
20:     from all fwmark 0x5 lookup router3
22:     from 189.2.x.x lookup router3    --> ip of eth0:0
22:     from 189.2.x.x lookup router1    --> ip of eth0
23:     from 189.19.x.x lookup router2   --> ip of eth2
32766:  from all lookup main
32767:  from all lookup default
</PRE>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>ip route show main</FONT></DIV>
<PRE>
189.2.x.x via 189.2.x.x dev ipsec1
189.2.x.x/26 dev eth0 proto kernel scope link src 189.2.x.x
189.2.x.x/26 dev ipsec0 proto kernel scope link src 189.2.x.x
189.2.x.x/26 dev ipsec1 proto kernel scope link src 189.2.x.x
189.19.x.x/24 dev eth2 proto kernel scope link src 189.19.x.x
172.31.72.0/22 via 189.2.x.x dev ipsec1
172.31.68.0/22 dev eth1 proto kernel scope link src 172.31.68.1
default
        nexthop via 189.2.x.x dev eth0 weight 1
        nexthop via 189.19.x.x dev eth2 weight 1
</PRE>
<DIV><FONT face=Arial size=2>ip route show table router1</FONT></DIV>
<PRE>
189.2.x.x/26 dev eth0 scope link src 189.2.x.x     --> ip of eth0
189.19.x.x/24 dev eth2 scope link src 189.19.x.x
172.31.68.0/22 dev eth1 scope link src 172.31.68.1
127.0.0.0/8 dev lo scope link
default via 189.2.x.x dev eth0 src 189.2.x.x       --> ip of eth0
</PRE>
<DIV><FONT face=Arial size=2>ip route show table router2</FONT></DIV>
<PRE>
189.2.x.x/26 dev eth0 scope link src 189.2.x.x
189.19.x.x/24 dev eth2 scope link src 189.19.x.x
172.31.68.0/22 dev eth1 scope link src 172.31.68.1
127.0.0.0/8 dev lo scope link
default via 189.19.x.x dev eth2 src 189.19.x.x     --> ip from eth2
</PRE>
<DIV><FONT face=Arial size=2>ip route show table router3</FONT></DIV>
<PRE>
189.2.x.x/26 dev eth0 scope link src 189.2.x.x     --> ip of eth0:0
189.19.x.x/24 dev eth2 scope link src 189.19.x.x
172.31.68.0/22 dev eth1 scope link src 172.31.68.1
127.0.0.0/8 dev lo scope link
default via 189.2.x.x dev eth0 src 189.2.x.x       --> ip of eth0:0
</PRE>
<DIV><FONT face=Arial size=2> </DIV>
<DIV>Some iptables rules to direct the traffic to its desired
destination:</DIV>
<PRE>
$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 189.2.x.x     # make eth0 traffic go through eth0
$IPTABLES -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 189.19.x.x    # make eth2 traffic go through eth2
$IPTABLES -t mangle -A PREROUTING -p tcp -i eth1 --dport 80 -j MARK --set-mark 3     # http traffic
$IPTABLES -t mangle -A PREROUTING -p tcp -i eth1 --dport 443 -j MARK --set-mark 3    # http traffic
$IPTABLES -t mangle -A PREROUTING -p tcp -i eth1 --dport 25 -j MARK --set-mark 4     # smtp
$IPTABLES -t mangle -A PREROUTING -p tcp -i eth1 --dport 110 -j MARK --set-mark 4    # pop3
$IPTABLES -t mangle -A PREROUTING -p tcp -i eth1 --dport 143 -j MARK --set-mark 4    # imap
$IPTABLES -t mangle -A PREROUTING -p tcp -i eth1 --dport 20 -j MARK --set-mark 4     # ftp
$IPTABLES -t mangle -A PREROUTING -p tcp -i eth1 --dport 21 -j MARK --set-mark 4     # ftp
$IPTABLES -t mangle -A PREROUTING -p udp -i eth1 --dport 500 -j MARK --set-mark 5    # ipsec identify redirected to table router3
$IPTABLES -t mangle -A PREROUTING -p udp -i eth1 --dport 4500 -j MARK --set-mark 5   # ipsec nat-t redirected to table router3
$IPTABLES -t mangle -A PREROUTING -p ah -j MARK --set-mark 5                         # ipsec traffic redirected to table router3
$IPTABLES -t mangle -A PREROUTING -p esp -j MARK --set-mark 5                        # ipsec traffic redirected to table router3
$IPTABLES -t mangle -A POSTROUTING -p ah -j MARK --set-mark 5                        # ipsec traffic redirected to table router3
$IPTABLES -t mangle -A POSTROUTING -p esp -j MARK --set-mark 5                       # ipsec traffic redirected to table router3
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 3                 # http traffic
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark 3                # http traffic
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark 4                 # smtp
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 110 -j MARK --set-mark 4                # pop3
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 20 -j MARK --set-mark 4                 # ftp
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 21 -j MARK --set-mark 4                 # ftp
$IPTABLES -t mangle -A OUTPUT -p udp --dport 500 -j MARK --set-mark 5                # ipsec identify redirected to table router3
$IPTABLES -t mangle -A OUTPUT -p udp --dport 4500 -j MARK --set-mark 5               # ipsec nat-t redirected to table router3
</PRE>
<DIV>and finally my ipsec.conf</DIV>
<PRE>
#
config setup
        klipsdebug=none
        plutodebug=none
        interfaces="ipsec0=eth0 ipsec1=eth0:0"
        nat_traversal=yes
        uniqueids=yes
        virtual_private=%v4:10.0.0.0/8,%v4:!172.31.0.0/12,%v4:192.168.0.0/24,%v4:192.168.1.0/24,%v4:192.168.2.0/24

conn %default
        compress=yes
        disablearrivalcheck=no

conn sp-to-pira
        keyingtries=0
        authby=rsasig
        left=189.2.x.x                  # --> ip of eth0:0
        leftnexthop=189.2.x.x
        leftsubnet=172.31.68.0/22
        leftid=@pira...
        leftrsasigkey=
        right=189.2.x.x
        rightnexthop=189.2.x.x
        rightsubnet=172.31.72.0/22
        rightrsasigkey=
        rightid=@sp...
        auto=start

conn sp-to-piranet
        keyingtries=0
        authby=rsasig
        left=189.2.x.x                  # --> ip of eth0:0
        leftnexthop=189.2.x.x
        leftsubnet=172.31.68.0/22
        leftid=@pira...
        leftrsasigkey=
        right=189.2.x.x
        rightnexthop=189.2.x.x
        rightrsasigkey=
        rightid=@sp...
        auto=start

conn pira-to-spnet
        keyingtries=0
        authby=rsasig
        left=189.2.x.x                  # --> ip of eth0:0
        leftnexthop=189.2.x.x
        leftid=@pira...
        leftrsasigkey=
        right=189.2.x.x
        rightnexthop=189.2.x.x
        rightsubnet=172.31.72.0/22
        rightrsasigkey=
        rightid=@sp...
        auto=start

conn MR-AS
        authby=rsasig
        rightcert=mr.pem
        rightid="C=BR..."
        auto=add
        also=l2tp-ipsec

conn RD1-AS
        authby=rsasig
        rightcert=rd1.pem
        rightid="C=BR..."
        auto=add
        also=l2tp-ipsec

conn l2tp-ipsec
        pfs=no
        left=189.2.x.x                  # --> ip of eth0
        leftcert=mail1.pem
        leftrsasigkey=%cert
        leftsendcert=yes
        leftprotoport=17/1701
        right=%any
        rightca=%same
        rightprotoport=17/1701
        rightrsasigkey=%cert
        rightsubnet=vhost:%no,%priv
        rekey=no

include /etc/ipsec.d/examples/no_oe.conf
#
</PRE>
<DIV>So, all server-to-server and net-to-net traffic is supposed to go
through the eth0:0 IP, and all roadwarrior connections through the eth0 IP. The
problem is: it's not. All ipsec traffic is reaching the other end with the IP
from eth0, and not eth0:0, giving me this at server2:</DIV>
<DIV> </DIV>
<DIV>pluto[869]: packet from 189.2.x.x:500 (server1 eth0:0): initial Main
Mode message received on 189.2.x.x:500 (server2 eth0:0) but no
connection has been authorized. (obviously)</DIV>
<DIV> </DIV>
<DIV>And the MOST curious thing is that in server1's logs, I get a tunnel
established through NAT-T with server2:</DIV>
<DIV> </DIV>
<DIV>pluto[1490]: "sp-to-piranet" #38: NAT-Traversal: Result using RFC 3947
(NAT-Traversal): peer is NATed</DIV>
<DIV>pluto[1490]: "sp-to-piranet" #38: STATE_MAIN_R3: sent MR3, ISAKMP SA
established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5
group=modp1536}</DIV>
<DIV> </DIV>
<DIV>But server2 IS NOT NATed. There's a route mix-up somewhere which leads
server1 to believe that packets delivered to eth0:0 are being NATed.</DIV>
<DIV> </DIV>
<DIV>So, as a result, from server2 I can ping both server1 and subnet1, but
not the other way around. Except if I ping explicitly from the internal
interface (eth1), which does not work for my purposes.</DIV>
<DIV> </DIV>
<PRE>
ping 172.31.72.2
PING 172.31.72.2 (172.31.72.2) 56(84) bytes of data.

--- 172.31.72.2 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms

ping -I eth1 172.31.72.2
PING 172.31.72.2 (172.31.72.2) from 172.31.68.1 eth1: 56(84) bytes of data.
64 bytes from 172.31.72.2: icmp_seq=1 ttl=127 time=37.1 ms
64 bytes from 172.31.72.2: icmp_seq=2 ttl=127 time=33.9 ms
64 bytes from 172.31.72.2: icmp_seq=3 ttl=127 time=33.8 ms

--- 172.31.72.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
</PRE>
<DIV>All roadwarrior connections are working. I'm pretty sure the problem
lies in:</DIV>
<DIV> </DIV>
<DIV>$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source
189.2.x.x<BR></DIV>
<DIV>But I cannot make the advanced rules work without it. I've already
tried. And I can't find a way to tell iptables to not SNAT packets with
source IP of eth0:0. So, can anyone please help me? Any suggestion would be
dearly appreciated.</DIV>
<DIV> </DIV>
<DIV>Thanks, and sorry for the very, very long post.<BR></DIV></FONT>
<DIV><FONT face=Arial size=2>Giovani
Moda</FONT></DIV></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML>