[Openswan Users] Access (routing) problems

Damir Dezeljin programing at mbss.org
Thu Oct 14 22:37:41 CEST 2004 

Hi.

I'm trying to configure OpenSWan as an IPSec L2TP VPN gateway for my
road-warriors. They will mostly access my network from NAT-ed networks
using WinXP build in IPSec / L2TP client.

VPN GW configuration:
- Debian Woody;
- Valina kernel 2.4.27;
- OpenSWan 2.2.0 + NAT-T patc;
- L2TPD 0.69-9;
- OpenSSL based CA.

I.m using this machine as Firewall for my network. It has two network
cards. .eth0. is the external one connected to Cisco router (I.m using
real IP-s on external interface). The internal interface uses network
10.0.0.0/24.

I tried to connect to my VPN from a NAT-ed WinXP with sp1.

Image:
    WinXP_(client)    10.0.200.201/24
      |
   Linux GW (2.4.27)  10.0.200.1/24
    Iptables . NAT
      |  ADSL (PPPoE)  193.88.99.33
      |
     ...
      |
 Cisco router         193.2.2.1
      |
      |               193.2.2.10/26
 Debian VPN GW
      |               10.0.0.1/24
      |
     LAN              10.0.0.0/24


I set up an CA and issued certificates for Win client and OpenSWan. I
suppose that the certificate is imported correctly in WinXP as the IPSec
part of the IKE connection part finish sucesfully.

Ipsec.conf:
----
version 2.0

config setup
    interfaces="ipsec0=eth0"
    nat_traversal=yes

virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.0.0.0/24

conn winxp
  keyingtries=3
  compress=yes
  disablearrivalcheck=no
  authby=rsasig                   # Use RSA certs
  pfs=no                          # No PFS
  # Local
  leftrsasigkey=%cert
  leftcert=gw.mydom.com.pem
  left=193.2.2.10                 # Local - mydom
  leftprotoport=17/0
  # Remote
  rightrsasigkey=%cert
  rightcert=test.mydom.com.pem
  right=%any
  rightsubnet=vhost:%no,%priv
  rightprotoport=17/1701
  #
  auto=add
----

ipsec.secrets:
----
: RSA fw.mydom.com.key "password"
----



Problem description:
It seams that packages from Win client don.t reach the GW (L2TP daemon). I
found a strange warning / error related to routing in the auth.log.
Unfortunately I didn.t find any useful information for my problem on the
internet. Log:
----
Oct 14 20:55:33 FW ipsec__plutorun: Starting Pluto subsystem...
GW pluto[23102]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4
PLUTO_USES_KEYRR)
GW pluto[23102]:   including NAT-Traversal patch (Version 0.6c)
GW pluto[23102]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok
(ret=0)
GW pluto[23102]: Using KLIPS IPsec interface code
GW pluto[23102]: Changing to directory '/etc/ipsec.d/cacerts'
GW pluto[23102]:   loaded CA cert file 'cacert.pem' (1294 bytes)
GW pluto[23102]: Could not change to directory '/etc/ipsec.d/aacerts'
GW pluto[23102]: Changing to directory '/etc/ipsec.d/ocspcerts'
GW pluto[23102]: Changing to directory '/etc/ipsec.d/crls'
GW pluto[23102]:   loaded crl file 'crl.pem' (520 bytes)
GW pluto[23102]:   loaded host cert file
'/etc/ipsec.d/certs/gw.mydom.com.pem' (3676 bytes)
GW pluto[23102]:   loaded host cert file
'/etc/ipsec.d/certs/test.mydom.com.pem' (3678 bytes)
GW pluto[23102]: added connection description "winxp"
GW pluto[23102]: listening for IKE messages
GW pluto[23102]: adding interface ipsec0/eth0 193.2.2.10
GW pluto[23102]: adding interface ipsec0/eth0 193.2.2.10:4500
GW pluto[23102]: loading secrets from "/etc/ipsec.secrets"
GW pluto[23102]:   loaded private key file
'/etc/ipsec.d/private/gw.mydom.com.key' (1683 bytes)
GW pluto[23102]: packet from 193.88.99.33:500: ignoring Vendor ID payload
[MS NT5 ISAKMPOAKLEY 00000003]
GW pluto[23102]: "winxp"[1] 193.88.99.33 #1: responding to Main Mode from
unknown peer 193.88.99.33
GW pluto[23102]: "winxp"[1] 193.88.99.33 #1: transition from state (null)
to state STATE_MAIN_R1
GW pluto[23102]: "winxp"[1] 193.88.99.33 #1: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
GW pluto[23102]: "winxp"[1] 193.88.99.33 #1: Peer ID is ID_DER_ASN1_DN:
'C=SI, ST=Lj, L=Lj, O=MyOrg, OU=MyOu, CN=client.mydom.com,
E=root at mydom.com'
GW pluto[23102]: "winxp"[1] 193.88.99.33 #1: I am sending my cert
GW pluto[23102]: "winxp"[1] 193.88.99.33 #1: transition from state
STATE_MAIN_R2 to state STATE_MAIN_R3
GW pluto[23102]: "winxp"[1] 193.88.99.33 #1: sent MR3, ISAKMP SA
established
GW pluto[23102]: "winxp"[1] 193.88.99.33 #2: responding to Quick Mode
GW pluto[23102]: "winxp"[1] 193.88.99.33 #2: transition from state (null)
to state STATE_QUICK_R1
GW pluto[23102]: "winxp"[1] 193.88.99.33 #2: route-host output:
/usr/local/lib/ipsec/_updown: doroute `ip route add 10.0.200.201/32 via
193.88.99.33 dev ipsec0 ' failed (RTNETLINK answers: Network is
unreachable)
GW pluto[23102]: "winxp"[1] 193.88.99.33 #2: transition from state
STATE_QUICK_R1 to state STATE_QUICK_R2
GW pluto[23102]: "winxp"[1] 193.88.99.33 #2: IPsec SA established
{ESP=>0x12a9ec41 <0xb9e9d30d}
GW pluto[23102]: "winxp"[1] 193.88.99.33 #1: received Delete
SA(0x12a9ec41) payload: deleting IPSEC State #2
GW pluto[23102]: "winxp"[1] 193.88.99.33 #1: received and ignored
informational message
GW pluto[23102]: "winxp"[1] 193.88.99.33 #1: received Delete SA payload:
deleting ISAKMP State #1
GW pluto[23102]: "winxp"[1] 193.88.99.33: deleting connection "winxp"
instance with peer 193.88.99.33 {isakmp=#0/ipsec=#0}
GW pluto[23102]: "winxp": unroute-host output:
/usr/local/lib/ipsec/_updown: doroute `ip route delete 10.0.200.201/32 via
193.88.99.33 dev ipsec0 ' failed
 (RTNETLINK answers: No such process)
GW pluto[23102]: packet from 193.88.99.33:500: received and ignored
informational message
GW pluto[23102]: shutting down
GW pluto[23102]: forgetting secrets
GW pluto[23102]: "winxp": deleting connection
GW pluto[23102]: shutting down interface ipsec0/eth0 193.2.2.10
GW pluto[23102]: shutting down interface ipsec0/eth0 193.2.2.10
----



I noticed also two different problems . one is related to OpenSWan, whiles
the second one isn.t ;):

1. If I add below rules to my firewall, it doesn.t display anything in the
log . why (.tcpdump .i ipsec0. shows that some packages are trying to
reach L2TPd daemon):
----
iptables -I INPUT 1 .i ipsec+ -j LOG --log-level info --log-prefix
"[IPSEC] "
iptables -I INPUT 2 .s 193.88.99.33 -j LOG --log-level info --log-prefix
"[IPSEC] "
----

2. I.m unable to use .owner. match support in my iptables firewall after I
upgrading the kernel to 2.4.27. E.g. of the rule:
----
iptables -A OUTPUT --dst 10.0.0.40 --proto tcp --destination-port 22 -m
owner --uid-owner username01 -j ACCEPT
iptables: Invalid argument
----


Any idea.


Thanks in advance ;) Regards,
Dezo

More information about the Users mailing list