<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">
<html><body style='font-family: Arial,Helvetica,sans-serif'>
<p>OK that shows the tunnel is up. Is that with or without the firewall (and btw it is using NAT-T so you should not need protocols 50 and 51 through your firewall).</p>
<p>When you are pinging end to end, is that from the openswan device or from another LAN device?</p>
<p>On 2013-11-19 14:03, Fred Weston wrote:</p>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><!-- html ignored --><!-- head ignored --><!-- meta ignored -->
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">This is what I see in the log; it looks like it’s encrypting traffic but that doesn’t seem to be the case based upon the behavior I’m seeing. If it is encrypting then the firewall in front of openswan should have no effect on the traffic I can pass over the tunnel as long as the tunnel is up.</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> </span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">Nov 19 14:00:55 ip-10-0-0-82 pluto[12517]: "vpc1-to-vpc2" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">Nov 19 14:00:55 ip-10-0-0-82 pluto[12517]: "vpc1-to-vpc2" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">Nov 19 14:00:55 ip-10-0-0-82 pluto[12517]: "vpc1-to-vpc2" #1: STATE_MAIN_I3: sent MI3, expecting MR3</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">Nov 19 14:00:55 ip-10-0-0-82 pluto[12517]: "vpc1-to-vpc2" #1: received Vendor ID payload [CAN-IKEv2]</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">Nov 19 14:00:55 ip-10-0-0-82 pluto[12517]: "vpc1-to-vpc2" #1: Main mode peer ID is ID_IPV4_ADDR: '50.18.211.121'</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">Nov 19 14:00:55 ip-10-0-0-82 pluto[12517]: "vpc1-to-vpc2" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">Nov 19 14:00:55 ip-10-0-0-82 pluto[12517]: "vpc1-to-vpc2" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">Nov 19 14:00:55 ip-10-0-0-82 pluto[12517]: "vpc1-to-vpc2" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:463435ec proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">Nov 19 14:00:56 ip-10-0-0-82 pluto[12517]: "vpc1-to-vpc2" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">Nov 19 14:00:56 ip-10-0-0-82 pluto[12517]: "vpc1-to-vpc2" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x54dd12fe <0x2bb3e074 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=50.18.211.121:4500 DPD=none}</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> </span></p>
<div>
<div style="border: none; border-top: solid #B5C4DF 1.0pt; padding: 3.0pt 0in 0in 0in;">
<p class="MsoNormal"><strong><span style="font-size: 10.0pt; font-family: 'Tahoma','sans-serif';">From:</span></strong><span style="font-size: 10.0pt; font-family: 'Tahoma','sans-serif';"> Nick Howitt [mailto:n1ck.h0w1tt@gmail.com] <br /><strong>Sent:</strong> Tuesday, November 19, 2013 8:21 AM<br /><strong>To:</strong> Fred Weston<br /><strong>Cc:</strong> users@lists.openswan.org<br /><strong>Subject:</strong> RE: [Openswan Users] Firewall rules for openswan behind NAT</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<p><span style="font-family: 'Arial','sans-serif';">What are you getting in /var/log/secure - just the bit where the tunnel is negotiating, not the bit where ipsec loads?</span></p>
<p><span style="font-family: 'Arial','sans-serif';">Also what do you have in the "config setup" sections of your conf files?</span></p>
<p><span style="font-family: 'Arial','sans-serif';">On 2013-11-19 13:14, Fred Weston wrote:</span></p>
<blockquote style="border: none; border-left: solid #1010FF 1.5pt; padding: 0in 0in 0in 4.0pt; margin-left: 3.75pt; margin-top: 5.0pt; margin-bottom: 5.0pt;">
<div>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">So here’s something interesting…this morning just for the heck of it, I added ICMP to the permit list and that immediately got ping working.</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> </span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">Since the tunnel shouldn’t require ICMP, that got me thinking that the traffic isn’t actually being encrypted. I verified that by trying to remote desktop to a host on the far side of the tunnel. It didn’t work when I have the firewall rules set to only allow the few ports/protocols the tunnel should need, but as soon as I changed the ruleset to permit all traffic RDP worked, so it seems the problem is actually that the tunnel isn’t encrypting the traffic.</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> </span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">I’m not quite sure why this is.</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> </span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">Here are the configs from each side, can someone comment as to what I need to add to get the traffic to be encrypted?</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> </span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">conn vpc1-to-vpc2</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> type=tunnel</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> authby=secret</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> left=%defaultroute</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> leftid=107.21.17.86</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> leftnexthop=%defaultroute</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> leftsubnet=10.0.0.0/16</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> leftsourceip=10.0.0.82</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> right=50.18.211.121</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> rightsubnet=10.1.0.0/16</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> pfs=yes</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> auto=start</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> phase2=esp</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> </span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">conn vpc2-to-vpc1</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> type=tunnel</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> authby=secret</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> left=%defaultroute</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> leftid=50.18.211.121</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> leftnexthop=%defaultroute</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> leftsubnet=10.1.0.0/16</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> leftsourceip=10.1.0.67</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> right=107.21.17.86</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> rightsubnet=10.0.0.0/16</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> pfs=yes</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> auto=start</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> phase2=esp</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> </span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> </span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> </span></p>
<div>
<div style="border: none; border-top: solid #B5C4DF 1.0pt; padding: 3.0pt 0in 0in 0in;">
<p class="MsoNormal"><strong><span style="font-size: 10.0pt; font-family: 'Tahoma','sans-serif';">From:</span></strong><span style="font-size: 10.0pt; font-family: 'Tahoma','sans-serif';"> Nick Howitt [<a href="mailto:n1ck.h0w1tt@gmail.com">mailto:n1ck.h0w1tt@gmail.com</a>] <br /><strong><span style="font-family: 'Tahoma','sans-serif';">Sent:</span></strong> Tuesday, November 19, 2013 5:19 AM<br /><strong><span style="font-family: 'Tahoma','sans-serif';">To:</span></strong> Fred Weston<br /><strong><span style="font-family: 'Tahoma','sans-serif';">Cc:</span></strong> <a href="mailto:users@lists.openswan.org"> users@lists.openswan.org</a><br /><strong><span style="font-family: 'Tahoma','sans-serif';">Subject:</span></strong> RE: [Openswan Users] Firewall rules for openswan behind NAT</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<p><span style="font-family: 'Arial','sans-serif';">Yes, I was picturing firewalling in the hosts.</span></p>
<p><span style="font-family: 'Arial','sans-serif';">Have a look in the logs and see if Openswan is connecting with or without NAT-T when your firewall is not up. Then, with your firewalling, try forceencaps=yes in the conn and nat_traversal=yes in config setup.</span></p>
<p><span style="font-family: 'Arial','sans-serif';">For minor tunnel info I use "service ipsec status", but it depends on your distro and the information is almost useless. You can also have a look at "ip xfrm" and "ip route".</span></p>
<p><span style="font-family: 'Arial','sans-serif';">Nick</span></p>
<p><span style="font-family: 'Arial','sans-serif';">On 2013-11-19 10:03, Fred Weston wrote:</span></p>
<blockquote style="border: none; border-left: solid #1010FF 1.5pt; padding: 0in 0in 0in 4.0pt; margin-left: 3.75pt; margin-top: 5.0pt; margin-bottom: 5.0pt;">
<div>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">I think you’re picturing the firewalling taking place on the openswan hosts, which isn’t the case. There isn’t a firewall on either openswan box (other than any standard firewall that may be enabled by default). The firewall rules I am manipulating are in the network / NAT device in front of openswan. Since the tunnel works when I permit all traffic to openswan, that would seem to discount the possibility of any firewall issues on the hosts themselves.</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> </span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">I’ll take a look at the logs to see if they show anything interesting. Is there a utility that will show tunnel status?</span></p>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> </span></p>
<div>
<div style="border: none; border-top: solid #B5C4DF 1.0pt; padding: 3.0pt 0in 0in 0in;">
<p class="MsoNormal"><strong><span style="font-size: 10.0pt; font-family: 'Tahoma','sans-serif';">From:</span></strong><span style="font-size: 10.0pt; font-family: 'Tahoma','sans-serif';"> Nick Howitt [<a href="mailto:n1ck.h0w1tt@gmail.com">mailto:n1ck.h0w1tt@gmail.com</a>] <br /><strong><span style="font-family: 'Tahoma','sans-serif';">Sent:</span></strong> Tuesday, November 19, 2013 3:44 AM<br /><strong><span style="font-family: 'Tahoma','sans-serif';">To:</span></strong> Fred Weston<br /><strong><span style="font-family: 'Tahoma','sans-serif';">Cc:</span></strong> <a href="mailto:users@lists.openswan.org"> users@lists.openswan.org</a><br /><strong><span style="font-family: 'Tahoma','sans-serif';">Subject:</span></strong> RE: [Openswan Users] Firewall rules for openswan behind NAT</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<p><span style="font-family: 'Arial','sans-serif';">For your rules, I was hoping for something like the output to "iptables -L -n -v" and "iptables -t nat -L -n -v" rather than a description of the rules.</span></p>
<p><span style="font-family: 'Arial','sans-serif';">Forceencaps is unlikely but can be useful</span></p>
<p><span style="font-family: 'Arial','sans-serif';">Openswan/ipsec logs are typically found in /var/log/secure depending on your system. If you have dpd enabled you should see constant tunnel renegotiation if the tunnel has gone down. You'll see nothing odd if the tunnel is up but no traffic is passing. When the tunnel is up you should see in the logs something like "IPSec SA Established". Available status information is not particulrly helpful.</span></p>
<p><span style="font-family: 'Arial','sans-serif';">Can you also try adding a firewall rule something like:</span></p>
<p><span style="font-family: 'Arial','sans-serif';">iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT</span></p>
<p><span style="font-family: 'Arial','sans-serif';">Either that or somthing in the post routing chain which allows traffic between the local and remote subnets, but this rule is more flexible as you don't need to specify the subnets.</span></p>
<p><span style="font-family: 'Arial','sans-serif';">Nick</span></p>
<p><span style="font-family: 'Arial','sans-serif';">On 2013-11-18 23:28, Fred Weston wrote:</span></p>
<blockquote style="border: none; border-left: solid #1010FF 1.5pt; padding: 0in 0in 0in 4.0pt; margin-left: 3.75pt; margin-top: 5.0pt; margin-bottom: 5.0pt;">
<div>
<p class="MsoNormal"><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"> </span></p>
<div>
<div style="border: none; border-top: solid #B5C4DF 1.0pt; padding: 3.0pt 0in 0in 0in;">
<p class="MsoNormal"><strong><span style="font-size: 10.0pt; font-family: 'Tahoma','sans-serif';">From:</span></strong><span style="font-size: 10.0pt; font-family: 'Tahoma','sans-serif';"> <a href="mailto:users-bounces@lists.openswan.org">users-bounces@lists.openswan.org</a> [<a href="mailto:users-bounces@lists.openswan.org">mailto:users-bounces@lists.openswan.org</a>] <strong><span style="font-family: 'Tahoma','sans-serif';">On Behalf Of </span></strong>Nick Howitt<br /></span><span style="font-family: 'Arial','sans-serif'; color: #1f497d;"><br /></span><span style="font-family: 'Arial','sans-serif';">Can you post the exact rules you are using?</span></p>
</div>
</div>
<p><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">I included those in my original message. </span><span style="font-family: 'Arial','sans-serif';"></span></p>
<p class="MsoNormal">*:* > UDP 500</p>
<p class="MsoNormal">*:* > UDP 4500</p>
<p class="MsoNormal">* > IP Protocol 50</p>
<p class="MsoNormal">* > IP Protocol 51</p>
<p><span style="font-family: 'Arial','sans-serif';">Also have you tried forcing encapsulation with forceencaps=yes in your conns?</span></p>
<p><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">No, I haven’t tried that.</span><span style="font-family: 'Arial','sans-serif';"></span></p>
<p><span style="font-family: 'Arial','sans-serif';">When you say "things stop working" does the tunnel come down, or does traffic just fail to pass?</span></p>
<p><span style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">I’m not sure how to tell the difference, my test methodology was to ping a host on the far side of the tunnel and when I change the firewall rules from wide open to those above the ping starts timing out. How can I tell what state the tunnel is in?</span><span style="font-family: 'Arial','sans-serif';"></span></p>
<p><span style="font-family: 'Arial','sans-serif';">Regards,</span></p>
<p><span style="font-family: 'Arial','sans-serif';">Nick</span></p>
<p><span style="font-family: 'Arial','sans-serif';">On 2013-11-17 17:13, Fred Weston wrote:</span></p>
<blockquote style="border: none; border-left: solid #1010FF 1.5pt; padding: 0in 0in 0in 4.0pt; margin-left: 3.75pt; margin-top: 5.0pt; margin-bottom: 5.0pt;">
<div>
<p class="MsoNormal"><span style="color: #1f497d;">Does anyone else have any suggestions? I would like to implement this in production but I am hesitant to do so when the only way I can get it to work is permit all traffic from the Internet into the openswan boxes.</span></p>
<p class="MsoNormal"><span style="color: #1f497d;"> </span></p>
<div>
<div style="border: none; border-top: solid #B5C4DF 1.0pt; padding: 3.0pt 0in 0in 0in;">
<p class="MsoNormal"><strong><span style="font-size: 10.0pt; font-family: 'Tahoma','sans-serif';">From:</span></strong><span style="font-size: 10.0pt; font-family: 'Tahoma','sans-serif';"> <a href="mailto:users-bounces@lists.openswan.org">users-bounces@lists.openswan.org</a> [<a href="mailto:users-bounces@lists.openswan.org">mailto:users-bounces@lists.openswan.org</a>] <strong><span style="font-family: 'Tahoma','sans-serif';">On Behalf Of </span></strong>Fred Weston<br /><strong><span style="font-family: 'Tahoma','sans-serif';">Sent:</span></strong> Wednesday, November 13, 2013 11:49 AM<br /><strong><span style="font-family: 'Tahoma','sans-serif';">To:</span></strong> Leto<br /><strong><span style="font-family: 'Tahoma','sans-serif';">Cc:</span></strong> <a href="mailto:users@lists.openswan.org"> users@lists.openswan.org</a><br /><strong><span style="font-family: 'Tahoma','sans-serif';">Subject:</span></strong> Re: [Openswan Users] Firewall rules for openswan behind NAT</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal"><span style="color: #1f497d;">Let me clarify – when I reference ports/protocols that I’m allowing inbound, I’m allowing it from the opposite host and not specifying a source port.</span></p>
<p class="MsoNormal"><span style="color: #1f497d;"> </span></p>
<p class="MsoNormal"><span style="color: #1f497d;">Thanks,</span></p>
<p class="MsoNormal"><span style="color: #1f497d;">FW</span></p>
<p class="MsoNormal"><span style="color: #1f497d;"> </span></p>
<p class="MsoNormal"><span style="color: #1f497d;"> </span></p>
<p class="MsoNormal"><span style="color: #1f497d;"> </span></p>
<p class="MsoNormal"><span style="color: #1f497d;"> </span></p>
<p class="MsoNormal"><span style="color: #1f497d;"> </span></p>
<div>
<div style="border: none; border-top: solid #B5C4DF 1.0pt; padding: 3.0pt 0in 0in 0in;">
<p class="MsoNormal"><strong><span style="font-size: 10.0pt; font-family: 'Tahoma','sans-serif';">From:</span></strong><span style="font-size: 10.0pt; font-family: 'Tahoma','sans-serif';"> Leto [<a href="mailto:letoams@gmail.com">mailto:letoams@gmail.com</a>] <br /><strong><span style="font-family: 'Tahoma','sans-serif';">Sent:</span></strong> Wednesday, November 13, 2013 11:27 AM<br /><strong><span style="font-family: 'Tahoma','sans-serif';">To:</span></strong> Fred Weston<br /><strong><span style="font-family: 'Tahoma','sans-serif';">Cc:</span></strong> <a href="mailto:users@lists.openswan.org"> users@lists.openswan.org</a><br /><strong><span style="font-family: 'Tahoma','sans-serif';">Subject:</span></strong> Re: [Openswan Users] Firewall rules for openswan behind NAT</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal"><br /><br /> sent from a tiny device </p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom: 12.0pt;"><br /> On 2013-11-13, at 10:44, Fred Weston <<a href="mailto:fred.weston@lpga.com">fred.weston@lpga.com</a>> wrote:</p>
</div>
<blockquote style="margin-top: 5.0pt; margin-bottom: 5.0pt;">
<div>
<div>
<p class="MsoNormal">Hello All,</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I’m using OpenSwan with AWS to link two private VPC networks in different regions.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I’m having trouble getting my firewall ACLs right. Everything works if I permit all traffic to the OpenSwan boxes, however when I try to get more restrictive and permit only the necessary ports things stop working.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">One side has all traffic permitted inbound for the time being and I’m making ACL changes trying to restrict traffic to certain ports/protocols on the other side.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Both endpoints are behind 1:1 NAT. Everything is permitted outbound on both sides.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">From reading online, I understand that the following ports and protocols should be all I need:</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">UDP 500</p>
<p class="MsoNormal">UDP 4500</p>
<p class="MsoNormal">IP Protocol 50</p>
<p class="MsoNormal">IP Protocol 51</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I tried the above and had no luck. As soon as I change from permitting all inbound to permitting only the above list the tunnel comes down.</p>
</div>
</div>
</blockquote>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">You should really allow icmp.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Note that you need to accept from a random high port to dest udp 4500, not just 4500 <-> 4500. Same for 500</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<p class="MsoNormal" style="margin-bottom: 12.0pt;"> </p>
<div>
<div>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I also tried permitting tcp/1721 and tcp/1723 and IP Protocol 47.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I am using AWS ‘security groups’ to control filtering and according to the docs (and my observations) security groups are stateful, so I am not sure why this isn’t working. </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Can anyone offer any suggestions?</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Thanks,</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><strong><span style="font-family: 'Verdana','sans-serif';">Fred Weston</span></strong></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
</div>
<p class="MsoNormal">The information transmitted in this message (including any attachments) is intended only for the use of the individual(s) and/or entity(ies) to which it is addressed and may contain confidential business information which should not be disclosed. If you are not the intended recipient, you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If you have received this email in error, please notify the sender and immediately destroy and delete this email from your system without disseminating it. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message. Any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of the LPGA and/or its affiliates. No employee is authorized to conclude any binding agreement on behalf of LPGA and/or its affiliates with another party by e-mail. All agreements shall be contained in a separate writing executed by an authorized LPGA signatory. Thank You.</p>
</div>
<blockquote style="margin-top: 5.0pt; margin-bottom: 5.0pt;">
<div>
<p class="MsoNormal">_______________________________________________<br /><a href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a><br /><a href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a><br /> Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy"> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br /> Building and Integrating Virtual Private Networks with Openswan:<br /><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a></p>
</div>
</blockquote>
</div>
<p class="MsoNormal">The information transmitted in this message (including any attachments) is intended only for the use of the individual(s) and/or entity(ies) to which it is addressed and may contain confidential business information which should not be disclosed. If you are not the intended recipient, you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If you have received this email in error, please notify the sender and immediately destroy and delete this email from your system without disseminating it. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message. Any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of the LPGA and/or its affiliates. No employee is authorized to conclude any binding agreement on behalf of LPGA and/or its affiliates with another party by e-mail. All agreements shall be contained in a separate writing executed by an authorized LPGA signatory. Thank You.</p>
</div>
<p class="MsoNormal"><span style="font-family: 'Arial','sans-serif';">The information transmitted in this message (including any attachments) is intended only for the use of the individual(s) and/or entity(ies) to which it is addressed and may contain confidential business information which should not be disclosed. If you are not the intended recipient, you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If you have received this email in error, please notify the sender and immediately destroy and delete this email from your system without disseminating it. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message. Any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of the LPGA and/or its affiliates. No employee is authorized to conclude any binding agreement on behalf of LPGA and/or its affiliates with another party by e-mail. All agreements shall be contained in a separate writing executed by an authorized LPGA signatory. Thank You.</span></p>
<pre>_______________________________________________</pre>
<pre><a href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a></pre>
<pre><a href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a></pre>
<pre>Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a></pre>
<pre>Building and Integrating Virtual Private Networks with Openswan:</pre>
<pre><a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a></pre>
</blockquote>
</div>
<p class="MsoNormal"><span style="font-family: 'Arial','sans-serif';">The information transmitted in this message (including any attachments) is intended only for the use of the individual(s) and/or entity(ies) to which it is addressed and may contain confidential business information which should not be disclosed. If you are not the intended recipient, you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If you have received this email in error, please notify the sender and immediately destroy and delete this email from your system without disseminating it. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message. Any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of the LPGA and/or its affiliates. No employee is authorized to conclude any binding agreement on behalf of LPGA and/or its affiliates with another party by e-mail. All agreements shall be contained in a separate writing executed by an authorized LPGA signatory. Thank You.</span></p>
</blockquote>
</div>
<p class="MsoNormal"><span style="font-family: 'Arial','sans-serif';">The information transmitted in this message (including any attachments) is intended only for the use of the individual(s) and/or entity(ies) to which it is addressed and may contain confidential business information which should not be disclosed. If you are not the intended recipient, you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If you have received this email in error, please notify the sender and immediately destroy and delete this email from your system without disseminating it. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message. Any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of the LPGA and/or its affiliates. No employee is authorized to conclude any binding agreement on behalf of LPGA and/or its affiliates with another party by e-mail. All agreements shall be contained in a separate writing executed by an authorized LPGA signatory. Thank You.</span></p>
</blockquote>
</div>
<p class="MsoNormal"><span style="font-family: 'Arial','sans-serif';">The information transmitted in this message (including any attachments) is intended only for the use of the individual(s) and/or entity(ies) to which it is addressed and may contain confidential business information which should not be disclosed. If you are not the intended recipient, you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If you have received this email in error, please notify the sender and immediately destroy and delete this email from your system without disseminating it. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message. Any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of the LPGA and/or its affiliates. No employee is authorized to conclude any binding agreement on behalf of LPGA and/or its affiliates with another party by e-mail. All agreements shall be contained in a separate writing executed by an authorized LPGA signatory. Thank You.</span></p>
</blockquote>
</div>
The information transmitted in this message (including any attachments) is intended only for the use of the individual(s) and/or entity(ies) to which it is addressed and may contain confidential business information which should not be disclosed. If you are not the intended recipient, you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If you have received this email in error, please notify the sender and immediately destroy and delete this email from your system without disseminating it. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message. Any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of the LPGA and/or its affiliates. No employee is authorized to conclude any binding agreement on behalf of LPGA and/or its affiliates with another party by e-mail. All agreements shall be contained in a separate writing executed by an authorized LPGA signatory. Thank You.</blockquote>
</body></html>