<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html>
<head>
<meta name="Generator" content="Zarafa WebAccess v6.40.0-18625">
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<title>RE: Re: [Openswan Users] Tunnel initiates to Sonicwall but cannot reach anything inside network</title>
<style type="text/css">
body
{
font-family: Arial, Verdana, Sans-Serif;
font-size: 12px;
padding: 5px 5px 5px 5px;
margin: 0px;
border-style: none;
background-color: #ffffff;
}
p, ul, li
{
margin-top: 0px;
margin-bottom: 0px;
}
</style>
</head>
<body>
<p>fortissimo ~ # ipsec verify<br />Checking your system to see if IPsec got installed and started correctly:<br />Version check and ipsec on-path [OK]<br />Linux Openswan U2.4.14/K2.6.24-gentoo-r8 (netkey)<br />Checking for IPsec support in kernel [OK]<br />NETKEY detected, testing for disabled ICMP send_redirects [OK]<br />NETKEY detected, testing for disabled ICMP accept_redirects [OK]<br />Checking for RSA private key (/etc/ipsec/ipsec.secrets) [OK]<br />Checking that pluto is running [OK]<br />Two or more interfaces found, checking IP forwarding [OK]<br />Checking NAT and MASQUERADEing<br />Checking for 'ip' command [OK]<br />Checking for 'iptables' command [OK]<br />Opportunistic Encryption Support [DISABLED]</p><p> </p><p>tcpdump -n -p udp port 500 or udp port 4500 reports nothing at all. Also iptables -v -L -n only shows this:</p><p> 4 1568 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:500 <br /> 0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:4500 <br /> 0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0 <br /> 0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0 </p><p> </p><p>As far as masquerading goes, I set up </p><p>iptables -t nat -A POSTROUTING -o eth0 -s 10.1.1.0/24 -d ! 10.10.12.0/24 -j MASQUERADE</p><br /><p> </p><blockquote style="border-left: 2px solid rgb(50, 95, 186); padding-left: 5px; margin-left: 5px;">-----Original message-----<br /><strong>From:</strong> Randy Wyatt <rwyatt@nvtl.com><br /><strong>Sent:</strong> Mon 02-15-2010 09:14 pm<br /><strong>To:</strong> users@openswan.org; <br /><strong>Subject:</strong> Re: [Openswan Users] Tunnel initiates to Sonicwall but cannot reach anything inside network<br /><br /> <p><font size="2">Have you run ipsec verify?<br /> <br /> What does your tcpdump or wireshark trace show?<br /> <br /> Have you set up masquerading correctly?<br /> <br /> <br /> What version of openswan?<br /> -----Original Message-----<br /> From: users-bounces@openswan.org on behalf of Michael Leonetti<br /> Sent: Mon 2/15/2010 5:27 PM<br /> To: users@openswan.org<br /> Subject: [Openswan Users] Tunnel initiates to Sonicwall but cannot reach anything inside network<br /> <br /> I set up a connection to a Sonicwall system with the current config:<br /> <br /> <br /> <br /> conn sonicwall<br /> left=(leftip)<br /> leftsubnet=10.1.1.0/24<br /> leftid=(leftid)<br /> right=(rightip)<br /> rightsubnet=10.10.12.0/24<br /> rightid=(rightid)<br /> keyingtries=0<br /> pfs=no<br /> aggrmode=yes<br /> auto=add<br /> auth=esp<br /> esp=3des-sha1<br /> ike=3des-sha1<br /> authby=secret<br /> xauth=no<br /> keyexchange=ike<br /> <br /> <br /> <br /> And I can get it up just fine:<br /> <br /> fortissimo linux # ipsec auto --up sonicwall<br /> 003 "sonicwall" #5: multiple transforms were set in aggressive mode. Only first one used.<br /> 003 "sonicwall" #5: transform (5,2,2,0) ignored.<br /> 003 "sonicwall" #5: multiple transforms were set in aggressive mode. Only first one used.<br /> 003 "sonicwall" #5: transform (5,2,2,0) ignored.<br /> 112 "sonicwall" #5: STATE_AGGR_I1: initiate<br /> 003 "sonicwall" #5: ignoring unknown Vendor ID payload [404bf439522ca3f6]<br /> 003 "sonicwall" #5: ignoring unknown Vendor ID payload [5b362bc820f60007]<br /> 003 "sonicwall" #5: received Vendor ID payload [RFC 3947] method set to=109<br /> 003 "sonicwall" #5: received Vendor ID payload [Dead Peer Detection]<br /> 003 "sonicwall" #5: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected<br /> 004 "sonicwall" #5: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}<br /> 117 "sonicwall" #6: STATE_QUICK_I1: initiate<br /> 004 "sonicwall" #6: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x97b8d6ff <0x0eb44887 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}<br /> <br /> <br /> 000 interface lo/lo 127.0.0.1 <br /> 000 interface lo/lo 127.0.0.1 <br /> 000 interface eth0/eth0 (leftip) <br /> 000 interface eth0/eth0 (leftip) <br /> 000 interface br0/br0 10.1.1.1 <br /> 000 interface br0/br0 10.1.1.1 <br /> 000 %myid = (none) <br /> 000 debug none <br /> 000 <br /> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64 <br /> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192 <br /> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448 <br /> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0 <br /> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256 <br /> 000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256 <br /> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256 <br /> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256 <br /> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128 <br /> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160 <br /> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256 <br /> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128 <br /> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0 <br /> 000 <br /> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192 <br /> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128 <br /> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16 <br /> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20 <br /> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024 <br /> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536 <br /> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048 <br /> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072 <br /> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096 <br /> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144 <br /> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192 <br /> 000 <br /> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,4,64} trans={0,4,960} attrs={0,4,320} <br /> 000<br /> 000 "sonicwall": 10.1.1.0/24===(leftip)...(rightip)===10.10.12.0/24; erouted; eroute owner: #6<br /> 000 "sonicwall": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;<br /> 000 "sonicwall": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0<br /> 000 "sonicwall": policy: PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE; prio: 24,24; interface: eth0; encap: esp;<br /> 000 "sonicwall": newest ISAKMP SA: #5; newest IPsec SA: #6;<br /> 000 "sonicwall": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1536(5), 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict<br /> 000 "sonicwall": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5), 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)<br /> 000 "sonicwall": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1536<br /> 000 "sonicwall": ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=strict<br /> 000 "sonicwall": ESP algorithms loaded: 3DES(3)_000-SHA1(2); flags=strict<br /> 000 "sonicwall": ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup=<N/A><br /> 000<br /> 000 #6: "sonicwall":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28036s; newest IPSEC; eroute owner<br /> 000 #6: "sonicwall" esp.97b8d6ff@(rightip) esp.eb44887@72.68.153.122 tun.0@(rightip) tun.0@(leftip)<br /> 000 #5: "sonicwall":500 STATE_AGGR_I2 (sent AI2, ISAKMP SA established); EVENT_SA_REPLACE in 2554s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)<br /> 000<br /> <br /> <br /> When I try to reach anything in the network:<br /> <br /> fortissimo linux # ping 10.10.12.199<br /> PING 10.10.12.199 (10.10.12.199) 56(84) bytes of data.<br /> >From 130.81.12.202 icmp_seq=6 Destination Net Unreachable<br /> >From 130.81.12.202 icmp_seq=12 Destination Net Unreachable<br /> <br /> <br /> But I can reach:<br /> <br /> fortissimo linux # ping 10.10.12.1<br /> PING 10.10.12.1 (10.10.12.1) 56(84) bytes of data.<br /> 64 bytes from 10.10.12.1: icmp_seq=1 ttl=243 time=21.1 ms<br /> 64 bytes from 10.10.12.1: icmp_seq=2 ttl=243 time=12.2 ms<br /> <br /> <br /> But the problem is that when I stop ipsec I can still ping 10.10.12.1 even though it's not defined anywhere else :X. I'm actually not even sure if I got an IP on the remote side. DHCP isn't even enabled on the remote side so I'm not sure what IP I'd get or if I even need one.<br /> <br /> <br /> <br /> Thanks.<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> </font></p> </blockquote>
</body>
</html>