Hello everyone,

I have a NAT and/or firewall problem on my Openswan gateway. The IPsec tunnel works only from the gateway to the roadwarrior: I can ssh from the gateway to the roadwarrior, but I can't ssh from the roadwarrior to the gateway or to the computers on the network behind it. I have tried many iptables commands, but they did not seem to work or they were old. I have reset my iptables to the ClearOS default, plus opening some ports that are listed below.

My network looks like the following diagram:

|10.97.10.101|   |10.97.10.102, OpenVPN server|
      |                    /
10.97.10.0/24 ----------|eth1(10.97.10.1) "Openswan Gateway" eth0(85.145.148.106)|-- Internet -- |(variable IP address) Netgear router (10.81.9.253)| --- 10.81.9.0/24 --- |eth0(10.81.9.204) "Roadwarrior"|

Now the OpenVPN server is having the same problem as the Openswan server: I can connect, but I cannot send any data from the roadwarrior to the OpenVPN server. It worked until I started using ClearOS on the gateway as a replacement for my Linksys router.
Commands and configuration:

The "ip route show" command gives the following output:

Gateway:
10.81.9.204 dev eth0 scope link src 10.97.10.1
10.81.9.203 dev eth0 scope link src 10.97.10.1
10.97.10.0/24 dev eth1 proto kernel scope link src 10.97.10.1
85.145.148.0/22 dev eth0 proto kernel scope link src 85.145.148.106
default via 85.145.148.1 dev eth0

Roadwarrior:
10.81.9.0/24 dev eth0 proto kernel scope link src 10.81.9.204 metric 1
10.97.10.0/24 dev eth0 scope link src 10.81.9.204
default via 10.81.9.253 dev eth0 proto static

Openswan 2.6.28 built from source using NETKEY on a ClearOS/CentOS 2.6.18 kernel.

The iptables rules on the gateway allow incoming UDP traffic on ports 500 and 4500 and allow incoming ESP/AH traffic.

Traceroute:

On the gateway:
[root@gateway ~]# traceroute 10.81.9.204
traceroute to 10.81.9.204 (10.81.9.204), 30 hops max, 40 byte packets
 1 10.81.9.204 (10.81.9.204) 43.687 ms 43.729 ms 43.754 ms

On the roadwarrior:
[root@realfedora bartsmink]# traceroute 10.97.10.1
traceroute to 10.97.10.1 (10.97.10.1), 30 hops max, 60 byte packets
 1 * * *
 2 * * *
 3 * * *
 4 * * *
 5 * * *
 6 * * *
 7 * * *
 8 * * *
 9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

The configuration on the gateway:

[root@gateway ~]# cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file

# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Do not set debug options to debug configuration issues!
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
    # eg:
    # plutodebug="control parsing"
    #
    # enable to get logs per-peer
    # plutoopts="--perpeerlog"
    #
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # (the exclusion needs the same %v4: prefix as the other entries)
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.97.10.0/24
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    protostack=netkey

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#    # Left security gateway, subnet behind it, nexthop toward right.
#    left=10.0.0.1
#    leftsubnet=172.16.0.0/24
#    leftnexthop=10.22.33.44
#    # Right security gateway, subnet behind it, nexthop toward left.
#    right=10.12.12.1
#    rightsubnet=192.168.0.0/24
#    rightnexthop=10.101.102.103
#    # To authorize this connection, but not actually start it,
#    # at startup, uncomment this.
#    #auto=add

conn LAN
    left=85.145.148.106
    leftsourceip=10.97.10.1
    leftsubnet=10.97.10.0/24
    leftrsasigkey=%cert
    leftcert="Left1024-cert.pem"
    leftid="/C=NL/ST=Utrecht/L=Utrecht/O=Testing Corporation/OU=Research and Development/CN=Left1024/emailAddress=admin@testingcorporation.nl"
    right=%any
    rightsubnet=vhost:%priv,%no
    rightrsasigkey=%cert
    rightid="/C=NL/ST=Utrecht/L=Utrecht/O=Testing Corporation/OU=Research and Development/CN=Right1024/emailAddress=admin@testingcorporation.nl"
    rightca=%same
    auto=add

Configuration on the roadwarrior:

[root@realfedora bartsmink]# cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file

# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Do not set debug options to debug configuration issues!
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
    # eg:
    # plutodebug="control parsing"
    #
    # enable to get logs per-peer
    # plutoopts="--perpeerlog"
    #
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.97.10.0/24
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    protostack=netkey

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#    # Left security gateway, subnet behind it, nexthop toward right.
#    left=10.0.0.1
#    leftsubnet=172.16.0.0/24
#    leftnexthop=10.22.33.44
#    # Right security gateway, subnet behind it, nexthop toward left.
#    right=10.12.12.1
#    rightsubnet=192.168.0.0/24
#    rightnexthop=10.101.102.103
#    # To authorize this connection, but not actually start it,
#    # at startup, uncomment this.
#    #auto=add

conn LAN
    left=%defaultroute
    leftsourceip=10.81.9.204
    leftid="C=NL, ST=Utrecht, L=Utrecht, O=Testing Corporation, OU=Research and Development, CN=Right1024, E=admin@testingcorporation.nl"
    leftrsasigkey=%cert
    leftcert=Right1024-cert.pem
    leftca=%same
    right=85.145.148.106
    rightid="/C=NL/ST=Utrecht/L=Utrecht/O=Testing Corporation/OU=Research and Development/CN=Left1024/emailAddress=admin@testingcorporation.nl"
    rightca=%same
    rightrsasigkey=%cert
    keyingtries=%forever
    rightsubnet=10.97.10.0/24
    auto=add

I hope someone can give me a solution for this problem. It would be nice to see this VPN working.

Greetings,

Bart Smink
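As an added example (not part of Bart's post and not Openswan's own code), a small Python checker for a virtual_private= line like the ones above: it flags an entry such as %4:!10.97.10.0/24 that lacks the %v4:/%v6: prefix Openswan expects, reports a server-side subnet that is allowed but not excluded, and confirms the roadwarrior's LAN falls inside an allowed range. The function names and the sample values are my own.

```python
import ipaddress
import re

ENTRY_RE = re.compile(r"^(%v[46]):(!?)(.+)$")  # prefix, optional "!", CIDR

def parse_virtual_private(value):
    """Split a virtual_private= value into (allowed, excluded, malformed) lists."""
    allowed, excluded, malformed = [], [], []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = ENTRY_RE.match(raw)
        if not m:
            malformed.append(raw)  # e.g. "%4:!10.97.10.0/24" lacks the %v4: prefix
            continue
        _, negate, cidr = m.groups()
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            malformed.append(raw)
            continue
        (excluded if negate else allowed).append(net)
    return allowed, excluded, malformed

def _inside(net, ranges):
    """True if net lies within any range of the same IP version."""
    return any(net.version == r.version and net.subnet_of(r) for r in ranges)

def check_virtual_private(value, server_subnets, client_subnets=()):
    """Return a list of problems (an empty list means the value looks sane).
    server_subnets: LANs behind the gateway, which must be excluded with "!".
    client_subnets: LANs the roadwarriors sit on, which must be allowed."""
    allowed, excluded, malformed = parse_virtual_private(value)
    problems = [f"malformed entry: {e}" for e in malformed]
    for s in map(ipaddress.ip_network, server_subnets):
        if _inside(s, allowed) and not _inside(s, excluded):
            problems.append(f"server subnet {s} is inside an allowed range but not excluded")
    for c in map(ipaddress.ip_network, client_subnets):
        if not _inside(c, allowed):
            problems.append(f"client LAN {c} is not covered by an allowed range")
        elif _inside(c, excluded):
            problems.append(f"client LAN {c} is excluded")
    return problems

if __name__ == "__main__":
    # Constructed sample: the gateway's ranges with a %4: entry missing its v prefix.
    GATEWAY = "%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%4:!10.97.10.0/24"
    for problem in check_virtual_private(GATEWAY, ["10.97.10.0/24"], ["10.81.9.0/24"]):
        print(problem)
```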