Here is the output of ipsec barf on pastebin:<br><br><a href="http://pastebin.com/wBCCYhwi" target="_blank">http://pastebin.com/wBCCYhwi</a><br><br><div class="gmail_quote"><span dir="ltr"></span> Hello everyone,<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<br>I have a NAT and/or firewall problem on my Openswan gateway. The IPsec tunnel works only from the gateway to the roadwarrior: I can ssh from the gateway to the roadwarrior, but I can't ssh from the roadwarrior to the gateway or to computers on the network behind it. I have tried many iptables commands, but they did not seem to work or they were old. I have reset my iptables to the ClearOS default, plus opening some ports that are listed below.<br><br>My network looks like the following diagram:<br><br>|10.97.10.101| |10.97.10.102, OpenVPN server|<br>....|................../<br>10.97.10.0/24 ----------|eth1(10.97.10.1) "Openswan Gateway" eth0(85.145.148.106)|-- Internet -- |(variable IP-address) Netgear router (10.81.9.253)| --- 10.81.9.0/24 --- |eth0(10.81.9.204) "Roadwarrior" |<br><br>Now the OpenVPN server is having the same problem as the Openswan server: I can connect, but I cannot send any data from the roadwarrior to the OpenVPN server. It worked until I started using ClearOS on the gateway as a replacement for my Linksys router.<br><br>Commands and configuration:<br>
The ip route show command gives the following outputs:<br>Gateway:<br>10.81.9.204 dev eth0 scope link src 10.97.10.1<br>10.81.9.203 dev eth0 scope link src 10.97.10.1<br>10.97.10.0/24 dev eth1 proto kernel scope link src 10.97.10.1<br>85.145.148.0/22 dev eth0 proto kernel scope link src 85.145.148.106<br>default via 85.145.148.1 dev eth0<br>Roadwarrior:<br>10.81.9.0/24 dev eth0 proto kernel scope link src 10.81.9.204 metric 1<br>10.97.10.0/24 dev eth0 scope link src 10.81.9.204<br>default via 10.81.9.253 dev eth0 proto static<br><br>Openswan 2.6.28 built from source using NETKEY on ClearOS/CentOS 2.6.18 kernel<br><br>Iptables on the gateway allow incoming UDP traffic on port 500 and 4500 and allow incoming ESP/AH traffic<br><br>
Traceroute:<br>On the gateway: [root@gateway ~]# traceroute 10.81.9.204<br>traceroute to 10.81.9.204 (10.81.9.204), 30 hops max, 40 byte packets<br> 1 10.81.9.204 (10.81.9.204) 43.687 ms 43.729 ms 43.754 ms<br>On the roadwarrior: [root@realfedora bartsmink]# traceroute 10.97.10.1<br>traceroute to 10.97.10.1 (10.97.10.1), 30 hops max, 60 byte packets<br> 1 * * *<br>
2 * * *<br> 3 * * *<br> 4 * * *<br> 5 * * *<br> 6 * * *<br> 7 * * *<br>
8 * * *<br> 9 * * *<br> 10 * * *<br> 11 * * *<br> 12 * * *<br> 13 * * *<br>
14 * * *<br> 15 * * *<br> 16 * * *<br> 17 * * *<br> 18 * * *<br> 19 * * *<br>
20 * * *<br> 21 * * *<br> 22 * * *<br> 23 * * *<br> 24 * * *<br> 25 * * *<br>
26 * * *<br> 27 * * *<br> 28 * * *<br> 29 * * *<br> 30 * * *<br><br><br>
The configuration on the gateway:<br>[root@gateway ~]# cat /etc/ipsec.conf<br># /etc/ipsec.conf - Openswan IPsec configuration file<br><br># This file: /usr/local/share/doc/openswan/ipsec.conf-sample<br>#<br># Manual: ipsec.conf.5<br>
<br><br>version 2.0 # conforms to second version of ipsec.conf specification<br><br># basic configuration<br>config setup<br> # Do not set debug options to debug configuration issues!<br> # plutodebug / klipsdebug = "all", "none" or a combination from below:<br>
 # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"<br> # eg:<br> # plutodebug="control parsing"<br> #<br> # enable to get logs per-peer<br>
# plutoopts="--perpeerlog"<br>
 #<br> # Again: only enable plutodebug or klipsdebug when asked by a developer<br> #<br> # NAT-TRAVERSAL support, see README.NAT-Traversal<br> nat_traversal=yes<br> # exclude networks used on server side by adding %v4:!a.b.c.0/24<br>
 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%4:!10.97.10.0/24<br> # OE is now off by default. Uncomment and change to on, to enable.<br>
 oe=off<br> # which IPsec stack to use. auto will try netkey, then klips then mast<br> protostack=netkey<br><br># Add connections here<br><br># sample VPN connection<br># for more examples, see /etc/ipsec.d/examples/<br>
#conn sample<br># # Left security gateway, subnet behind it, nexthop toward right.<br># left=10.0.0.1<br># leftsubnet=172.16.0.0/24<br>
# leftnexthop=10.22.33.44<br>
# # Right security gateway, subnet behind it, nexthop toward left.<br># right=10.12.12.1<br># rightsubnet=192.168.0.0/24<br>
# rightnexthop=10.101.102.103<br>
# # To authorize this connection, but not actually start it,<br># # at startup, uncomment this.<br># #auto=add<br>conn LAN<br> left=85.145.148.106<br> leftsourceip=10.97.10.1<br>
 leftsubnet=10.97.10.0/24<br> leftrsasigkey=%cert<br> leftcert="Left1024-cert.pem"<br> leftid="/C=NL/ST=Utrecht/L=Utrecht/O=Testing Corporation/OU=Research and Development/CN=Left1024/emailAddress=admin@testingcorporation.nl"<br> right=%any<br> rightsubnet=vhost:%priv,%no<br>
 rightrsasigkey=%cert<br> rightid="/C=NL/ST=Utrecht/L=Utrecht/O=Testing Corporation/OU=Research and Development/CN=Right1024/emailAddress=admin@testingcorporation.nl"<br>
 rightca=%same<br> auto=add<br><br>Configuration on the roadwarrior:<br>[root@realfedora bartsmink]# cat /etc/ipsec.conf<br># /etc/ipsec.conf - Openswan IPsec configuration file<br>
<br># This file: /usr/local/share/doc/openswan/ipsec.conf-sample<br>#<br># Manual: ipsec.conf.5<br><br>version 2.0 # conforms to second version of ipsec.conf specification<br><br># basic configuration<br>config setup<br>
 # Do not set debug options to debug configuration issues!<br> # plutodebug / klipsdebug = "all", "none" or a combination from below:<br> # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"<br>
# eg:<br> # plutodebug="control parsing"<br> #<br> # enable to get logs per-peer<br> # plutoopts="--perpeerlog"<br> #<br> # Again: only enable plutodebug or klipsdebug when asked by a developer<br>
 #<br> # NAT-TRAVERSAL support, see README.NAT-Traversal<br> nat_traversal=yes<br> # exclude networks used on server side by adding %v4:!a.b.c.0/24<br> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.97.10.0/24<br>
# OE is now off by default. Uncomment and change to on, to enable.<br> oe=off<br> # which IPsec stack to use. auto will try netkey, then klips then mast<br> protostack=netkey<br><br><br># Add connections here<br>
<br># sample VPN connection<br># for more examples, see /etc/ipsec.d/examples/<br>#conn sample<br># # Left security gateway, subnet behind it, nexthop toward right.<br># left=10.0.0.1<br># leftsubnet=172.16.0.0/24<br>
# leftnexthop=10.22.33.44<br># # Right security gateway, subnet behind it, nexthop toward left.<br># right=10.12.12.1<br># rightsubnet=192.168.0.0/24<br>
# rightnexthop=10.101.102.103<br>
# # To authorize this connection, but not actually start it,<br># # at startup, uncomment this.<br># #auto=add<br>conn LAN<br> left=%defaultroute<br> leftsourceip=10.81.9.204<br> leftid="C=NL, ST=Utrecht, L=Utrecht, O=Testing Corporation, OU=Research and Development, CN=Right1024, E=admin@testingcorporation.nl"<br> leftrsasigkey=%cert<br> leftcert=Right1024-cert.pem<br> leftca=%same<br>
 right=85.145.148.106<br> rightid="/C=NL/ST=Utrecht/L=Utrecht/O=Testing Corporation/OU=Research and Development/CN=Left1024/emailAddress=admin@testingcorporation.nl"<br>
 rightca=%same<br> rightrsasigkey=%cert<br> keyingtries=%forever<br> rightsubnet=10.97.10.0/24<br> auto=add<br><br>I hope someone can give me a solution for this problem. It would be nice to<br>
see this VPN working.<br><br>Greetings,<br><font color="#888888"><br>Bart Smink<br>-------------- next part --------------<br>An HTML attachment was scrubbed...<br>URL: <a href="http://lists.openswan.org/pipermail/users/attachments/20100826/28e774be/attachment-0001.html" target="_blank">http://lists.openswan.org/pipermail/users/attachments/20100826/28e774be/attachment-0001.html</a>
</font></blockquote></div><br>
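The post says the gateway's iptables accept UDP 500/4500 and ESP/AH, which covers the encrypted side of the tunnel. With the NETKEY stack the gateway uses, a decrypted packet is re-injected on the same interface as ordinary IP traffic, so the firewall also has to accept the cleartext packets; the usual way is a `-m policy --dir in --pol ipsec` ACCEPT rule in INPUT (traffic to the gateway itself) and in FORWARD (traffic to the 10.97.10.0/24 LAN). A rule set that lacks those rules but has a RELATED,ESTABLISHED rule would pass sessions the gateway initiates and block sessions the roadwarrior initiates, which is consistent with the one-way symptom described. The Python script below is an added example, not part of the post or of Openswan or ClearOS: it parses an `iptables-save` dump and reports which of those rules are missing. Both rule sets in it are constructed for the example; the first mirrors the post's description of the gateway, the second adds the policy-match rules. Separately, the gateway's posted `virtual_private` line reads `%4:!10.97.10.0/24` where the roadwarrior's reads `%v4:!10.97.10.0/24`; that difference is worth verifying in the real file.

```python
"""Check an iptables-save dump for the rules an Openswan/NETKEY gateway needs.

Added example, not from the mailing-list post.  The rule sets at the bottom are
constructed for the example.
"""
import shlex
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Rule:
    """The parts of one iptables rule that the IPsec checks care about."""
    chain: str
    target: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[str] = None
    pol: Optional[str] = None      # "--pol" argument of "-m policy", if present
    pol_dir: Optional[str] = None  # "--dir" argument of "-m policy", if present


# Options that take one argument which the checks do not need to interpret.
_SKIP_ONE_ARG = {"-m", "-i", "-o", "-s", "-d", "--sport", "--state", "--ctstate",
                 "--icmp-type", "--log-prefix", "--to-source", "--to-destination",
                 "--reject-with", "--mode", "--proto", "--limit"}


def parse_iptables_save(dump: str) -> List[Rule]:
    """Parse the '-A <chain> ...' lines of an iptables-save dump into Rules."""
    rules: List[Rule] = []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line.startswith("-A "):
            continue  # table name, chain policy line, COMMIT or comment
        toks = shlex.split(line)
        rule = Rule(chain=toks[1])
        i = 2
        while i < len(toks):
            tok = toks[i]
            arg = toks[i + 1] if i + 1 < len(toks) else None
            if tok == "-p":
                rule.proto = (arg or "").lower()
            elif tok == "--dport":
                rule.dport = arg
            elif tok == "-j":
                rule.target = arg
            elif tok == "--pol":
                rule.pol = arg
            elif tok == "--dir":
                rule.pol_dir = arg
            elif tok not in _SKIP_ONE_ARG:
                i += 1  # option without an argument, e.g. "!" or "--syn"
                continue
            i += 2
        rules.append(rule)
    return rules


def _accepts(r: Rule, chain: str) -> bool:
    return r.chain == chain and r.target == "ACCEPT"


# What a NETKEY gateway behind a default-DROP firewall must let through.
CHECKS: Dict[str, Callable[[Rule], bool]] = {
    "IKE: UDP/500 accepted in INPUT":
        lambda r: _accepts(r, "INPUT") and r.proto == "udp" and r.dport == "500",
    "NAT-T: UDP/4500 accepted in INPUT":
        lambda r: _accepts(r, "INPUT") and r.proto == "udp" and r.dport == "4500",
    "ESP accepted in INPUT":
        lambda r: _accepts(r, "INPUT") and r.proto in ("esp", "50"),
    "decrypted packets to the gateway accepted (INPUT, -m policy --dir in --pol ipsec)":
        lambda r: _accepts(r, "INPUT") and r.pol == "ipsec" and r.pol_dir == "in",
    "decrypted packets forwarded to the LAN accepted (FORWARD, -m policy --dir in --pol ipsec)":
        lambda r: _accepts(r, "FORWARD") and r.pol == "ipsec" and r.pol_dir == "in",
}


def check_ipsec_rules(dump: str) -> Dict[str, bool]:
    """Return, per check, whether some rule in the dump satisfies it."""
    rules = parse_iptables_save(dump)
    return {name: any(pred(r) for r in rules) for name, pred in CHECKS.items()}


def missing_rules(dump: str) -> List[str]:
    """Names of the checks that no rule in the dump satisfies."""
    return [name for name, ok in check_ipsec_rules(dump).items() if not ok]


# Constructed sample: accepts IKE, NAT-T, ESP and AH as the post describes,
# but has no rule for the decrypted traffic.
RULESET_AS_POSTED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# Constructed sample: the same rule set with the policy-match rules added.
RULESET_FIXED = RULESET_AS_POSTED.replace(
    "-A INPUT -p esp -j ACCEPT\n",
    "-A INPUT -p esp -j ACCEPT\n"
    "-A INPUT -m policy --dir in --pol ipsec -j ACCEPT\n"
    "-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT\n",
)

if __name__ == "__main__":
    for label, dump in (("as posted", RULESET_AS_POSTED), ("fixed", RULESET_FIXED)):
        gaps = missing_rules(dump)
        print(f"{label}: {'OK' if not gaps else 'missing -> ' + '; '.join(gaps)}")
```

The check only looks for a positive match somewhere in the chain and does not evaluate rule order, so a DROP or REJECT placed before the ACCEPT would still pass it; read the real chain top to bottom as well. On a live gateway, feed the output of `iptables-save` to `missing_rules`, and confirm on the wire with `tcpdump` on eth0 that ESP arrives from the roadwarrior and that the decrypted packets show up afterwards, since a missing policy-match rule drops them silently unless a LOG rule is present.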