Hi Peter,<br><br>Thanks for your help!<br><br>I completely shut down the firewalls for a few seconds tonight to test the configuration and bang, everything works. So my issue is with the restrictiveness of my shorewall firewall.
<br><br>I will start digging in this direction now.<br><br>Many thanks<br><br>Phil<br><br><div><span class="gmail_quote">On 29/11/2007, <b class="gmail_sendername">Phil Wild</b> <<a href="mailto:philwild@gmail.com">philwild@gmail.com
</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi Peter,<br><br>Thanks for the help :-)<br><br>It is good to know that the connection is active, just have to figure out where it is failing.
<br><br>I am using shorewall as a firewall and it is running on the hosts that I am trying to tie together. Because the connection appears to be established from your comments I am assuming I have the rules set correctly for the connection.
<br><br>I have tried pinging and ssh'ing between the hosts using the internal addresses and get no response. I have also now tried doing the same thing from hosts in each of the private networks and get the same result.
<br><br>I have cleared the shorewall configuration of all zones/interfaces that related to a vpn based on your comment about the data going to the external interface.<br><br>My shorewall configuration looks like the below:
<br><br><pre>root@zulu:/etc/shorewall# cat zones
fwall firewall #
loc ipv4 #
net ipv4 #

root@zulu:/etc/shorewall# cat interfaces
net ppp0 detect dhcp,norfc1918,routefilter,blacklist,tcpflags,logmartians,nosmurfs
loc eth1 detect tcpflags

root@zulu:/etc/shorewall# cat policy
fwall net ACCEPT
fwall loc ACCEPT
loc fwall ACCEPT
net $FW DROP info
net all REJECT info
# The FOLLOWING POLICY MUST BE LAST
all all DROP info

root@zulu:/etc/shorewall# cat rules
LOG:info fwall net:192.168.10.0/24 all
LOG:info net:192.168.10.0/24 $FW all
ACCEPT net:202.72.167.27 all all
ACCEPT net:202.72.167.27 fwall 50
...other stuff deleted...</pre><br>I am not seeing any dropped packets<br><br>If I ping from 10.3.0.3 to 192.168.10.2 I get the following in syslog on the sending host
<br><br><pre>Nov 29 01:40:14 zulu kernel: [867825.734164] Shorewall:fwall2net:LOG:IN= OUT=ppp0 SRC=10.3.0.3 DST=192.168.10.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=28735 SEQ=1
Nov 29 01:40:15 zulu kernel: [867826.732619] Shorewall:fwall2net:LOG:IN= OUT=ppp0 SRC=10.3.0.3 DST=192.168.10.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=28735 SEQ=2
Nov 29 01:40:16 zulu kernel: [867827.731115] Shorewall:fwall2net:LOG:IN= OUT=ppp0 SRC=10.3.0.3 DST=192.168.10.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=28735 SEQ=3</pre>
<br><br>but nothing on the receiving host.<br><br>I have added the following to the config file at each side<br><br> leftsourceip=192.168.10.2<br> rightsourceip=10.3.0.3<br><br><br>Cheers<br><span class="sg"><br>Phil<br><br><br><br></span><div><span class="q"><span class="gmail_quote">On 29/11/2007, <b class="gmail_sendername">Peter McGill</b> <<a href="mailto:petermcgill@goco.net">petermcgill@goco.net</a>> wrote:
</span></span><div><span class="e" id="q_11687248e2aee6e8_6"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>
<div dir="ltr" align="left"><font color="#0000ff" face="Arial" size="2"><span>This in a line in your status or logs indicates
that you have a phase 1 connection:</span></font></div><span>
<div dir="ltr" align="left"><font color="#0000ff" face="Arial" size="2"><span>STATE_MAIN_I4 (ISAKMP SA
established)</span></font></div></span>
<div dir="ltr" align="left"><font color="#0000ff" face="Arial" size="2"><span>This in a line in you status or logs indicates that you
have a phase 2 connection:</span></font></div><span>
<div dir="ltr" align="left"><font color="#0000ff" face="Arial" size="2"><span>STATE_QUICK_I2 (sent QI2, IPsec SA
established)</span></font></div></span>
<div dir="ltr" align="left"><font color="#0000ff" face="Arial" size="2"><span>Once you've received the IPsec SA established message
you know the connection is connected.</span></font></div>
<div dir="ltr" align="left"><font color="#0000ff" face="Arial" size="2"><span>If you cannot ping the remote side, it could be due to
firewall rules or your conn settings, among other things.</span></font></div>
<div dir="ltr" align="left"><font color="#0000ff" face="Arial" size="2"><span></span></font> </div>
<div dir="ltr" align="left"><font color="#0000ff" face="Arial" size="2"><span>You only get an ipsec0 interface if your using KLIPS,
which you only get if you specifically install it and turn of
NETKEY,</span></font></div>
<div dir="ltr" align="left"><font color="#0000ff" face="Arial" size="2"><span>since NETKEY is enabled by default in most modern
kernels. NETKEY is also sometimes known as NATIVE and does
not</span></font></div>
<div dir="ltr" align="left"><font color="#0000ff" face="Arial" size="2"><span>have ipsec0 interface instead it reuses the public
interface whatever it is, in your case ppp0.</span></font></div>
<div dir="ltr" align="left"><font color="#0000ff" face="Arial" size="2"><span>ipsec version or ipsec verify will tell you which one
your using, and are also good info to send to the list with your
problem.</span></font></div>
<div dir="ltr" align="left"><font color="#0000ff" face="Arial" size="2"><span></span></font> </div>
<div dir="ltr" align="left"><font color="#0000ff" face="Arial" size="2"><span>Are your ping tests being done to and from the
servers themselves or from hosts on the subnets.</span></font></div>
<div dir="ltr" align="left"><font color="#0000ff" face="Arial" size="2"><span>Either do your ping tests to and from hosts on the
subnets or add leftsourceip=<left server LAN ip> and rightsourceip to your
conn.</span></font></div>
<div dir="ltr" align="left"><font color="#0000ff" face="Arial" size="2"><span>If you've done this and still can't ping, it may be
your firewall, are you running firewall software or iptables on either server or
between them?</span></font></div>
<div dir="ltr" align="left"><font color="#0000ff" face="Arial" size="2"><span>If you you need to allow the ipsec traffic as
follows:</span></font></div><span>
<div dir="ltr" align="left"><font color="#0000ff" face="Arial" size="2"><span>protocol 17 (udp), port 500
(isakmp)</span></font></div></span>
<div dir="ltr" align="left"><font color="#0000ff" face="Arial" size="2"><span>protocol 50 (esp)</span></font></div>
<div dir="ltr" align="left"><font color="#0000ff" face="Arial" size="2"><span>protocol 17 (udp), port 4500 (nat-t) if your using nat
traversal to get through network address translation routers between the
hosts.</span></font></div>
<div dir="ltr" align="left"><font color="#0000ff" face="Arial" size="2"><span>You also need to allow the ping and other traffic that
utilizes the tunnels.</span></font></div>
<div dir="ltr" align="left"><font color="#0000ff" face="Arial" size="2"><span>And you cannot NAT any of this traffic if your SNATing
or MASQUERADEing your LAN(s) to the internet.</span></font></div>
<div><font color="#0000ff" face="Arial" size="2"></font> </div>
<div align="left"><font face="Arial" size="2">Peter McGill</font></div>
<div> </div><br>
<blockquote style="border-left: 2px solid rgb(0, 0, 255); padding-left: 5px; margin-left: 5px; margin-right: 0px;">
<div dir="ltr" align="left" lang="en-us">
<hr>
<font face="Tahoma" size="2"><b>From:</b> Phil Wild [mailto:<a href="mailto:philwild@gmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">philwild@gmail.com</a>]
<br><b>Sent:</b> November 28, 2007 10:14 AM<br><b>To:</b> Paul Wouters;
<a href="mailto:petermcgill@goco.net" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">petermcgill@goco.net</a>; <a href="mailto:Users@openswan.org" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
Users@openswan.org</a><br><b>Subject:</b> Re: [Openswan
Users] Help required: Trouble setting up openswan<br></font><br></div><div><span>
<div></div>Hi <br><br>I have fixed the routing table and I think I have
progressed a little further. I have also turned off the
plutodebug.<br><br>netstat -rn shows<br><br><pre>root@zulu:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
203.161.90.1    0.0.0.0         255.255.255.255 UH    0   0      0    ppp0
10.3.0.0        0.0.0.0         255.255.255.0   U     0   0      0    eth1
192.168.10.0    203.161.90.1    255.255.255.0   UG    0   0      0    ppp0
0.0.0.0         0.0.0.0         0.0.0.0         U     0   0      0    ppp0</pre>
<br><br><br>Should I see an ipsec interface here?<br><br>I am still unsure if
I am actually getting a valid connection. What I do know is that I can not
ping through the vpn<br><br>running ipsec auto --status gives
me:<br><br><pre>root@bravo:/var/log# ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.10.2
000 interface eth1/eth1 202.72.167.27
000 interface eth1:1/eth1:1 202.72.167.29
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "bravo-zulu": 192.168.10.0/24===202.72.167.27[@bravo.gastech.com.au]---202.72.167.25...203.161.90.1---203.161.71.190[@zulu]===10.3.0.0/24; erouted; eroute owner: #3
000 "bravo-zulu": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "bravo-zulu": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "bravo-zulu": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth1;
000 "bravo-zulu": newest ISAKMP SA: #1; newest IPsec SA: #3;
000 "bravo-zulu": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #3: "bravo-zulu":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28026s; newest IPSEC; eroute owner
000 #3: "bravo-zulu" esp.2549d809@203.161.71.190 esp.f6c5b82a@202.72.167.27 tun.0@203.161.71.190 tun.0@202.72.167.27
000 #2: "bravo-zulu":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26858s
000 #2: "bravo-zulu" esp.b72ad41a@203.161.71.190 esp.e40902a@202.72.167.27 tun.0@203.161.71.190 tun.0@202.72.167.27
000 #1: "bravo-zulu":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1543s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000</pre><br><br><br>ifconfig
-a does not show an ipsec0 interface, should I see an ipsec interface on the
hosts? <br><br>Cheers<br><br>Phil<br><br>
<div><span class="gmail_quote">On 27/11/2007, <b class="gmail_sendername">Paul
Wouters</b> <<a href="mailto:paul@xelerance.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">paul@xelerance.com</a>>
wrote:</span>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">On
Mon, 26 Nov 2007, Phil Wild wrote:<br><br>> I posted the below to the
list about a week ago and did not get any<br>> responses. Does anyone
have any ideas what is going wrong with my<br>> configuration as I have
not been able to get any further. <br><br>> > Nov 20 14:25:15 bravo
ipsec__plutorun: ...could not start conn "bravo-zulu"<br>> > netstat
-rn on host zulu shows:<br>> ><br><pre>> > Destination     Gateway         Genmask         Flags MSS Window irtt Iface
> > 203.161.90.1    0.0.0.0         255.255.255.255 UH    0   0      0    ppp0
> > 10.3.0.0        0.0.0.0         255.255.255.0   U     0   0      0    eth1
> > 192.168.10.0    203.161.90.1    255.255.255.0   UG    0   0      0    ppp0
> > 0.0.0.0         0.0.0.0         0.0.0.0         U     0   0      0    ppp0</pre><br>Blame your ISP if that is really the default route you got. Try
changing to<br>something that might make sense. Run a traceroute and check
what your real gateway<br>is, then do a "route add -host ipofgw dev ppp0"
and "route add default gw ipofgw"<br><br>Paul<br></blockquote></div><br><br clear="all"><br>-- <br>Tel: 0400 466 952<br>Fax: 0433 123 226<br>email: <a href="mailto:philwild@gmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
philwild@gmail.com</a>
</span></div></blockquote></div>
</blockquote></span></div></div><div><span class="e" id="q_11687248e2aee6e8_8"><br><br clear="all"><br>-- <br>Tel: 0400 466 952<br>Fax: 0433 123 226<br>email: <a href="mailto:philwild@gmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
philwild@gmail.com</a>
</span></div></blockquote></div><br><br clear="all"><br>-- <br>Tel: 0400 466 952<br>Fax: 0433 123 226<br>email: <a href="mailto:philwild@gmail.com">philwild@gmail.com</a>