<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
You can't use the oldoffice conn for connection to the new office.
For a start they have different transport types.<br>
<br>
You do need internal firewall rules. I have one set like this:<br>
<br>
<font face="Courier New">iptables -t nat -I POSTROUTING -m policy
--dir out --pol ipsec -j ACCEPT<br>
</font><br>
Nick<br>
<br>
<div class="moz-cite-prefix">On 20/09/2013 09:39, Paul Young wrote:<br>
</div>
<blockquote
cite="mid:CAAEtRDUiyWC+18Lru7D8RTeKCZDhrRw9a3n_+_FRXafNJL1e8Q@mail.gmail.com"
type="cite">
<div dir="ltr">Hi Nick,
<div><br>
</div>
<div>Yes the new office appears to create the correct xfrm
policies\routing info.</div>
<div><br>
</div>
<div>Part of the complexity here would be that the new office
has no permanent IP or infrastructure. So the path looks like
this from new to old</div>
<div><br>
</div>
<div>server running Openswan in new office------------->Asus
router\switch N55U running DHCP etc------------>4G dongle
acting as modem for the
Asus--------------->INTERNET-------------->outside NIC
of server running Openswan in old office.</div>
<div><br>
</div>
<div>From what I can tell there is some machinations going on
within the 4G dongle so that nmap against the internet
routable address the dongle comes up with always returns "all
1000 scanned ports on <address blah> are filtered" -
which could be making things difficult.</div>
<div><br>
</div>
<div>So today I played some more (I will try your suggestions on
the weekend though) with these configs-</div>
<div><br>
</div>
<div>new office side:</div>
<div><br>
</div>
<div>
<div>conn newoffice</div>
<div> authby=secret</div>
<div> left=192.168.3.3</div>
<div> leftid=@newoffice</div>
<div> leftnexthop=%defaultroute <- the ASUS router</div>
<div> leftsourceip=192.168.3.3</div>
<div> leftsubnet=<a moz-do-not-send="true"
href="http://192.168.3.0/24">192.168.3.0/24</a></div>
<div> right=<outside address of old office></div>
<div> rightsubnet=<a moz-do-not-send="true"
href="http://192.168.1.0/24">192.168.1.0/24</a></div>
<div> type=tunnel</div>
<div> auto=start</div>
<div> pfs=no</div>
<div> salifetime=28800s</div>
<div> ikelifetime=86400s</div>
</div>
<div><br>
</div>
<div>new office side:</div>
<div><br>
</div>
<div>
<div>conn oldoffice</div>
<div> authby=secret</div>
<div> pfs=no</div>
<div> auto=add</div>
<div> keyingtries=3</div>
<div> type=transport</div>
<div> forceencaps=yes</div>
<div> right=%any</div>
<div> rightprotoport=17/%any</div>
<div> # Using the magic port of "0" means "any one
single port". This is</div>
<div> # a work around required for Apple OSX clients
that use a randomly</div>
<div> # high port, but propose "0" instead of their
port. Could also be 17/%any</div>
<div> #leftprotoport=17/1701</div>
<div> left=<outside address of old office></div>
<div> leftnexthop=<outside address of old office
next hop></div>
<div> leftsubnet=<a moz-do-not-send="true"
href="http://192.168.1.0/24">192.168.1.0/24</a></div>
<div>
rightsubnet=<a moz-do-not-send="true"
href="http://192.168.3.0/24">192.168.3.0/24</a></div>
<div> # Apple iOS doesn't send delete notify so we need
dead peer detection</div>
<div> # to detect vanishing clients</div>
<div>
dpddelay=10</div>
<div> dpdtimeout=90</div>
<div> dpdaction=clear</div>
</div>
<div><br>
</div>
<div>In this case once I created a static route on my
workstation like so:</div>
<div><br>
</div>
<div>
<div>Network Destination Netmask Gateway
Interface Metric</div>
<div> 192.168.1.0 255.255.255.0 192.168.3.3
192.168.3.101 11</div>
<div> </div>
</div>
<div>I was able to ping anything on the <a
moz-do-not-send="true" href="http://192.168.1.0/24">192.168.1.0/24</a>
subnet in the old office.</div>
<div><br>
</div>
<div>BUT - if I add more subnets to see the networks that are
currently configured as site to site connections in the old
office I am unable to see those in terms of ping and
connectivity.</div>
<div><br>
</div>
<div>Paul</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On 19 September 2013 17:25, Nick Howitt
<span dir="ltr"><<a moz-do-not-send="true"
href="mailto:n1ck.h0w1tt@gmail.com" target="_blank">n1ck.h0w1tt@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="font-family:Arial,Helvetica,sans-serif">
<p>In conn current your leftsubnet should be a leftsubnets
to match the rightsubnets. While right is not fixed, you
may want to try %any but you will have to use the same
psk as your roadwarriors. You will also want DPD with
dpdaction=clear for when the remote IP changes. I also
prefer pfs=yes (or remove it). I don't think any of
these issues are causing your problem, however, as you
are getting your tunnels.</p>
<p>Can you ping between the two Openswan devices?</p>
<p>In your new office, does your gateway device have
routes redirecting traffic <a moz-do-not-send="true"
href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a>,
<a moz-do-not-send="true" href="http://10.134.210.64/28"
target="_blank">10.134.210.64/28</a> and 10.134.162.59
via 1192.168.3.3?</p>
<p>I'd need to check firewalling when I'm at home. Is
"new" running a firewall. Presumably it is just a
standalone PC on the "new" LAN.</p>
<span class="HOEnZb"><font color="#888888">
<p> </p>
<p>Nick</p>
</font></span>
<div>
<div class="h5">
<p>On 2013-09-19 02:45, Paul Young wrote:</p>
<blockquote type="cite"
style="padding-left:5px;border-left:#1010ff 2px
solid;margin-left:5px">
<div dir="ltr">Hi Nick,
<div> </div>
<div>Thanks for the response. I have confused the
situation as you have suggested.</div>
<div> </div>
<div>So now my configs looks like this:</div>
<div> </div>
<div>In the current office Openswan (one interface
connects directly to the outside world)-</div>
<div> </div>
<div>
<div>conn current</div>
<div> authby=secret</div>
<div> left=<my fixed internet IP></div>
<div> leftid=@current</div>
<div> leftnexthop=<my fixed internet
IP next hop></div>
<div> leftsubnet=<a
moz-do-not-send="true"
href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a></div>
<div> leftsourceip=192.168.1.2</div>
<div> right=<non fixed IP of the new
office router></div>
<div> rightsubnets= { <a
moz-do-not-send="true"
href="http://192.168.3.0/24" target="_blank">192.168.3.0/24</a>
}</div>
<div> type=tunnel</div>
<div> auto=start</div>
<div> pfs=no</div>
<div> ikelifetime=86400s</div>
<div> salifetime=28800s</div>
</div>
<div> </div>
<div>note that the new office does not have a
fixed IP address (it will in the future, but
people are moving in before the carrier has that
ready)</div>
<div> </div>
<div>The current config of the new office-</div>
<div> </div>
<div>
<div>conn new</div>
<div> authby=secret</div>
<div> left=192.168.3.3</div>
<div> leftid=@new</div>
<div> leftnexthop=%defaultroute</div>
<div> leftsourceip=192.168.3.3</div>
<div> leftsubnet=<a
moz-do-not-send="true"
href="http://192.168.3.0/24" target="_blank">192.168.3.0/24</a></div>
<div> right=<my fixed internet IP of
current office></div>
<div> rightsubnets={<a
moz-do-not-send="true"
href="http://10.134.162.59/32"
target="_blank">10.134.162.59/32</a> <a
moz-do-not-send="true"
href="http://10.134.210.64/28"
target="_blank">10.134.210.64/28</a> <a
moz-do-not-send="true"
href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a>}</div>
<div> type=tunnel</div>
<div> auto=start</div>
<div> pfs=no</div>
<div> salifetime=28800s</div>
<div> ikelifetime=86400s</div>
</div>
<div> </div>
<div>So far I can bring up the new office tunnel
but can't ping anything on the other side.</div>
<div> </div>
<div>
<div>000 initiating all conns with alias='new'</div>
<div>104 "new/0x3" #25: STATE_MAIN_I1: initiate</div>
<div>003 "new/0x3" #25: received Vendor ID
payload [Openswan (this version) 2.6.32 ]</div>
<div>003 "new/0x3" #25: received Vendor ID
payload [Dead Peer Detection]</div>
<div>003 "new/0x3" #25: received Vendor ID
payload [RFC 3947] method set to=109</div>
<div>106 "new/0x3" #25: STATE_MAIN_I2: sent MI2,
expecting MR2</div>
<div>003 "new/0x3" #25: NAT-Traversal: Result
using RFC 3947 (NAT-Traversal): both are NATed</div>
<div>108 "new/0x3" #25: STATE_MAIN_I3: sent MI3,
expecting MR3</div>
<div>003 "new/0x3" #25: received Vendor ID
payload [CAN-IKEv2]</div>
<div>004 "new/0x3" #25: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY
cipher=aes_128 prf=oakley_sha group=modp2048}</div>
<div>117 "new/0x1" #26: STATE_QUICK_I1: initiate</div>
<div>117 "new/0x2" #27: STATE_QUICK_I1: initiate</div>
<div>117 "new/0x3" #28: STATE_QUICK_I1: initiate</div>
<div>004 "new/0x1" #26: STATE_QUICK_I2: sent
QI2, IPsec SA established tunnel mode
{ESP=>0x28d68261 <0x554dc93f
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=<my
fixed internet IP of current office>:4500
DPD=none}</div>
<div>004 "new/0x2" #27: STATE_QUICK_I2: sent
QI2, IPsec SA established tunnel mode
{ESP=>0x0021555f <0xa7d4a5fb
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=<my
fixed internet IP of current office>:4500
DPD=none}</div>
<div>004 "new/0x3" #28: STATE_QUICK_I2: sent
QI2, IPsec SA established tunnel mode
{ESP=>0xb1e4e80f <0xa82a3d85
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=<my
fixed internet IP of current office>:4500
DPD=none}</div>
<div> </div>
</div>
<div>I can't bring up the tunnel from the current
office to the new office though - I suspect
IPtables might be involved there but am not sure
as I would of thought these rules would be fine
which are in place for road runner types:</div>
<div> </div>
<div>
<div>-A INPUT -p udp --dport 500 -j ACCEPT</div>
<div>-A INPUT -p udp --dport 4500 -j ACCEPT</div>
</div>
<div> </div>
<div>and on the new office side I have</div>
<div> </div>
<div>
<div>-A INPUT -p udp --dport 500 -s <my fixed
internet IP of current office> -j ACCEPT</div>
<div>-A INPUT -p udp --dport 4500 -s <my
fixed internet IP of current office> -j
ACCEPT</div>
</div>
<div> </div>
<div>Thanks for trying to help me here.</div>
<div> </div>
<div>Paul</div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On 18 September 2013
22:25, Nick Howitt <span><<a
moz-do-not-send="true"
href="mailto:n1ck.h0w1tt@gmail.com"
target="_blank">n1ck.h0w1tt@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex"><span
style="text-decoration:underline"></span>
<div
style="font-family:Arial,Helvetica,sans-serif">
<p>Your server and aconns do not match at
all. I would rename the server connto
something like roadwarrior and move some
of the settings into conn %default - the
ones which would apply to every conn such
as left, leftnexthop (probably not needed)
possibly pfs and auto and add leftsourceip
(the server's LAN IP). Create a new conn
which you could call aconn if you wanted.
The server's aconn should pretty much
match the remote's aconn with left and
right reversed. (Generally wou don't need
to reverse left and right at each end but
the use of conn %default means you must).
I would also suggest enabling PFS for
aconn.</p>
<div>
<div>
<p>On 2013-09-18 09:49, Paul Young
wrote:</p>
</div>
</div>
<blockquote
style="padding-left:5px;border-left:#1010ff
2px solid;margin-left:5px">
<div>
<div>
<div dir="ltr">Hi Everyone,
<div> </div>
<div>I am in the deep end with
Openswan and possibly the
following will show that.
Apologies!</div>
<div> </div>
<div>So far I have been relying
heavily on this - <a
moz-do-not-send="true"
href="http://www.jacco2.dds.nl/networking/openswan-l2tp.html"
target="_blank">http://www.jacco2.dds.nl/networking/openswan-l2tp.html</a></div>
<div> </div>
<div>A little bit of background
first. We have a just opened a new
office and not all the
infrastructure is in place as yet.</div>
<div> </div>
<div>So the idea is to use a site to
site VPN back to the current
office so that all resources can
be reached.</div>
<div> </div>
<div>There is a server acting as the
openswan VPN\gateway etc in both
offices - current office and new
office.</div>
<div> </div>
<div>The current office has a number
of site to site configs already in
place to third parties. I have
configured a server side which
looks like this:</div>
<div> </div>
<div>
<div><em>conn server</em></div>
<div><em> authby=secret</em></div>
<div><em> pfs=no</em></div>
<div><em> auto=add</em></div>
<div><em> keyingtries=3</em></div>
<div><em> type=transport</em></div>
<div><em> forceencaps=yes</em></div>
<div><em> right=%any</em></div>
<div><em>
#rightsubnet=vhost:%priv,%no</em></div>
<div><em>
rightprotoport=17/%any</em></div>
<div><em> # Using the magic
port of "0" means "any one
single port". This is</em></div>
<div><em> # a work around
required for Apple OSX clients
that use a randomly</em></div>
<div><em> # high port, but
propose "0" instead of their
port. Could also be 17/%any</em></div>
<div><em> left=<my
outside fixed IP address></em></div>
<div><em>
leftnexthop=<my outside
fixed IP address next hop></em></div>
<div><em>
leftprotoport=17/1701</em></div>
<div><em> # Apple iOS
doesn't send delete notify so
we need dead peer detection</em></div>
<div><em> # to detect
vanishing clients</em></div>
<div><em> dpddelay=10</em></div>
<div><em> dpdtimeout=90</em></div>
<div><em> dpdaction=clear</em></div>
</div>
<div> </div>
<div>behind that is some ppp and
xl2tp settings that work well for
some of our remote types. but I am
looking at pure Ipsec at this
point.</div>
<div> </div>
<div>In the new office I have set up
a conn like this:</div>
<div> </div>
<div>
<div><em>conn aconn</em></div>
<div><em> authby=secret</em></div>
<div><em> left=192.168.3.3</em></div>
<div><em> #left=%any</em></div>
<div><em> leftid=@vpn</em></div>
<div><em>
leftnexthop=%defaultroute</em></div>
<div><em>
leftsourceip=192.168.3.3</em></div>
<div><em> leftsubnet=<a
moz-do-not-send="true"
href="http://192.168.3.0/24"
target="_blank">192.168.3.0/24</a></em></div>
<div><em> right=</em><em><my
outside fixed IP address></em></div>
<div><em> rightsubnets={<a
moz-do-not-send="true"
href="http://10.134.162.59/32"
target="_blank">10.134.162.59/32</a>
<a moz-do-not-send="true"
href="http://10.134.210.64/28"
target="_blank">10.134.210.64/28</a>
<a moz-do-not-send="true"
href="http://192.168.1.0/24"
target="_blank">192.168.1.0/24</a>}</em></div>
<div><em> type=tunnel</em></div>
<div><em> auto=start</em></div>
<div><em> pfs=no</em></div>
<div><em> salifetime=28800s</em></div>
<div><em>
ikelifetime=86400s</em></div>
</div>
<div> </div>
<div>It sits behind a router so left
is the local interface. And the
subnets are back in the current
office.</div>
<div> </div>
<div>It comes up ok:</div>
<div> </div>
<div>
<div><em># service ipsec status</em></div>
<div><em>IPsec running - pluto
pid: 11869</em></div>
<div><em>pluto pid 11869</em></div>
<div><em>3 tunnels up</em></div>
<div><em>some eroutes exist</em></div>
</div>
<div> </div>
<div>I see the routes come up ok on
the new office side:</div>
<div> </div>
<div>
<div><em># ip xfrm policy</em></div>
<div><em>src <a
moz-do-not-send="true"
href="http://192.168.3.0/24"
target="_blank">192.168.3.0/24</a>
dst <a moz-do-not-send="true"
href="http://10.134.162.59/32" target="_blank">10.134.162.59/32</a></em></div>
<div><em> dir out priority
2336 ptype main</em></div>
<div><em> tmpl src
192.168.3.3 dst
203.215.150.142</em></div>
<div><em> proto esp
reqid 16385 mode tunnel</em></div>
<div><em>src <a
moz-do-not-send="true"
href="http://10.134.162.59/32"
target="_blank">10.134.162.59/32</a>
dst <a moz-do-not-send="true"
href="http://192.168.3.0/24"
target="_blank">192.168.3.0/24</a></em></div>
<div><em> dir fwd priority
2336 ptype main</em></div>
<div><em> tmpl src
203.215.150.142 dst
192.168.3.3</em></div>
<div><em> proto esp
reqid 16385 mode tunnel</em></div>
<div><em>src <a
moz-do-not-send="true"
href="http://10.134.162.59/32"
target="_blank">10.134.162.59/32</a>
dst <a moz-do-not-send="true"
href="http://192.168.3.0/24"
target="_blank">192.168.3.0/24</a></em></div>
<div><em> dir in priority
2336 ptype main</em></div>
<div><em> tmpl src
203.215.150.142 dst
192.168.3.3</em></div>
<div><em> proto esp
reqid 16385 mode tunnel</em></div>
<div><em>src <a
moz-do-not-send="true"
href="http://192.168.3.0/24"
target="_blank">192.168.3.0/24</a>
dst <a moz-do-not-send="true"
href="http://10.134.210.64/28" target="_blank">10.134.210.64/28</a></em></div>
<div><em> dir out priority
2340 ptype main</em></div>
<div><em> tmpl src
192.168.3.3 dst
203.215.150.142</em></div>
<div><em> proto esp
reqid 16389 mode tunnel</em></div>
<div><em>src <a
moz-do-not-send="true"
href="http://10.134.210.64/28"
target="_blank">10.134.210.64/28</a>
dst <a moz-do-not-send="true"
href="http://192.168.3.0/24"
target="_blank">192.168.3.0/24</a></em></div>
<div><em> dir fwd priority
2340 ptype main</em></div>
<div><em> tmpl src
203.215.150.142 dst
192.168.3.3</em></div>
<div><em> proto esp
reqid 16389 mode tunnel</em></div>
<div><em>src <a
moz-do-not-send="true"
href="http://10.134.210.64/28"
target="_blank">10.134.210.64/28</a>
dst <a moz-do-not-send="true"
href="http://192.168.3.0/24"
target="_blank">192.168.3.0/24</a></em></div>
<div><em> dir in priority
2340 ptype main</em></div>
<div><em> tmpl src
203.215.150.142 dst
192.168.3.3</em></div>
<div><em> proto esp
reqid 16389 mode tunnel</em></div>
<div><em>src <a
moz-do-not-send="true"
href="http://192.168.3.0/24"
target="_blank">192.168.3.0/24</a>
dst <a moz-do-not-send="true"
href="http://192.168.1.0/24"
target="_blank">192.168.1.0/24</a></em></div>
<div><em> dir out priority
2344 ptype main</em></div>
<div><em> tmpl src
192.168.3.3 dst
203.215.150.142</em></div>
<div><em> proto esp
reqid 16393 mode tunnel</em></div>
<div><em>src <a
moz-do-not-send="true"
href="http://192.168.1.0/24"
target="_blank">192.168.1.0/24</a>
dst <a moz-do-not-send="true"
href="http://192.168.3.0/24"
target="_blank">192.168.3.0/24</a></em></div>
<div><em> dir fwd priority
2344 ptype main</em></div>
<div><em> tmpl src
203.215.150.142 dst
192.168.3.3</em></div>
<div><em> proto esp
reqid 16393 mode tunnel</em></div>
<div><em>src <a
moz-do-not-send="true"
href="http://192.168.1.0/24"
target="_blank">192.168.1.0/24</a>
dst <a moz-do-not-send="true"
href="http://192.168.3.0/24"
target="_blank">192.168.3.0/24</a></em></div>
<div><em> dir in priority
2344 ptype main</em></div>
<div><em> tmpl src
203.215.150.142 dst
192.168.3.3</em></div>
<div><em> proto esp
reqid 16393 mode tunnel</em></div>
</div>
<div> </div>
<div>Can't ping anything back in the
current office from the new office
even though I can see encapsulated
traffic going across at the time
of my ping - nothing comes back.</div>
<div> </div>
<div>I also don't see anything being
created in the xfrm policy for the
current office and if I add a
rightsubnet(s) line to the current
office config then the road
runners types can't connect.</div>
<div> </div>
<div>Is what I am trying to do even
possible?</div>
<div> </div>
<div>Thanks,</div>
<div>Paul</div>
</div>
</div>
</div>
<pre>_______________________________________________
<a moz-do-not-send="true" href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a>
<a moz-do-not-send="true" href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a>
Micropayments: <a moz-do-not-send="true" href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a>
Building and Integrating Virtual Private Networks with Openswan:
<a moz-do-not-send="true" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
</blockquote>
</div>
<br>
_______________________________________________<br>
<a moz-do-not-send="true"
href="mailto:Users@lists.openswan.org"
target="_blank">Users@lists.openswan.org</a><br>
<a moz-do-not-send="true"
href="https://lists.openswan.org/mailman/listinfo/users"
target="_blank">https://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments: <a moz-do-not-send="true"
href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy"
target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
Building and Integrating Virtual Private
Networks with Openswan:<br>
<a moz-do-not-send="true"
href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155"
target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
<br>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</body>
</html>