[Openswan Users] Access (routing) problems
Damir Dezeljin
programing at mbss.org
Fri Oct 15 20:25:01 CEST 2004
Hi.
> /usr/local/lib/ipsec/_updown: doroute `ip route add 10.0.200.201/32 via
> 193.88.99.33 dev ipsec0 ' failed (RTNETLINK answers: Network is
> unreachable)
This problem was caused by the incorectly configured 'leftnexthop'. As I
know the default is '%defaultroute' which is not correct in my situation.
After setting it to:
----
leftnexthop=193.2.2.1
----
the error disapeared and the route is added sucesfully.
Now if I try to connect, the IPSec tunnel is build sucesfully, however
nothing is going to the L2TPd daemon.
I can't understand why my iptables rules doesn't display any package
comming from ipsec0 as tcpdump does.
iptables rule:
----
iptables -I INPUT 1 -i ipsec0 -j LOG --log-level info \
--log-prefix "[IPSEC] "
----
tcpdump output:
----
# tcpdump -i ipsec0
tcpdump: listening on ipsec0
20:03:56.292728 tcpdump -i ipsec0
tcpdump: listening on ipsec0
20:03:56.292728 193.88.99.33.1701 > 193.2.2.10.1701:
l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ) *PROTO_VER(1.0) *FRAMING_CAP(S)
*BEARER_CAP() |...|...|...|...|...
----
I spent lot of time troubleshooting the problem, but unfortunately I
didn't find it. Does anyone have an idea why the tunnel is not working?
BTW: Is it correct that 'leftsubnet' is not defined (empty)? Because if I
add it, even the first part (IPSec negotiation) fails?
Best regards,
Dezo
> Hi.
>
> I'm trying to configure OpenSWan as an IPSec L2TP VPN gateway for my
> road-warriors. They will mostly access my network from NAT-ed networks
> using WinXP build in IPSec / L2TP client.
>
> VPN GW configuration:
> - Debian Woody;
> - Valina kernel 2.4.27;
> - OpenSWan 2.2.0 + NAT-T patc;
> - L2TPD 0.69-9;
> - OpenSSL based CA.
>
> I.m using this machine as Firewall for my network. It has two network
> cards. .eth0. is the external one connected to Cisco router (I.m using
> real IP-s on external interface). The internal interface uses network
> 10.0.0.0/24.
>
> I tried to connect to my VPN from a NAT-ed WinXP with sp1.
>
> Image:
> WinXP_(client) 10.0.200.201/24
> |
> Linux GW (2.4.27) 10.0.200.1/24
> Iptables . NAT
> | ADSL (PPPoE) 193.88.99.33
> |
> ...
> |
> Cisco router 193.2.2.1
> |
> | 193.2.2.10/26
> Debian VPN GW
> | 10.0.0.1/24
> |
> LAN 10.0.0.0/24
>
>
> I set up an CA and issued certificates for Win client and OpenSWan. I
> suppose that the certificate is imported correctly in WinXP as the IPSec
> part of the IKE connection part finish sucesfully.
>
> Ipsec.conf:
> ----
> version 2.0
>
> config setup
> interfaces="ipsec0=eth0"
> nat_traversal=yes
>
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.0.0.0/24
>
> conn winxp
> keyingtries=3
> compress=yes
> disablearrivalcheck=no
> authby=rsasig # Use RSA certs
> pfs=no # No PFS
> # Local
> leftrsasigkey=%cert
> leftcert=gw.mydom.com.pem
> left=193.2.2.10 # Local - mydom
> leftprotoport=17/0
> # Remote
> rightrsasigkey=%cert
> rightcert=test.mydom.com.pem
> right=%any
> rightsubnet=vhost:%no,%priv
> rightprotoport=17/1701
> #
> auto=add
> ----
>
> ipsec.secrets:
> ----
> : RSA fw.mydom.com.key "password"
> ----
>
>
>
> Problem description:
> It seams that packages from Win client don.t reach the GW (L2TP daemon). I
> found a strange warning / error related to routing in the auth.log.
> Unfortunately I didn.t find any useful information for my problem on the
> internet. Log:
> ----
> Oct 14 20:55:33 FW ipsec__plutorun: Starting Pluto subsystem...
> GW pluto[23102]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4
> PLUTO_USES_KEYRR)
> GW pluto[23102]: including NAT-Traversal patch (Version 0.6c)
> GW pluto[23102]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok
> (ret=0)
> GW pluto[23102]: Using KLIPS IPsec interface code
> GW pluto[23102]: Changing to directory '/etc/ipsec.d/cacerts'
> GW pluto[23102]: loaded CA cert file 'cacert.pem' (1294 bytes)
> GW pluto[23102]: Could not change to directory '/etc/ipsec.d/aacerts'
> GW pluto[23102]: Changing to directory '/etc/ipsec.d/ocspcerts'
> GW pluto[23102]: Changing to directory '/etc/ipsec.d/crls'
> GW pluto[23102]: loaded crl file 'crl.pem' (520 bytes)
> GW pluto[23102]: loaded host cert file
> '/etc/ipsec.d/certs/gw.mydom.com.pem' (3676 bytes)
> GW pluto[23102]: loaded host cert file
> '/etc/ipsec.d/certs/test.mydom.com.pem' (3678 bytes)
> GW pluto[23102]: added connection description "winxp"
> GW pluto[23102]: listening for IKE messages
> GW pluto[23102]: adding interface ipsec0/eth0 193.2.2.10
> GW pluto[23102]: adding interface ipsec0/eth0 193.2.2.10:4500
> GW pluto[23102]: loading secrets from "/etc/ipsec.secrets"
> GW pluto[23102]: loaded private key file
> '/etc/ipsec.d/private/gw.mydom.com.key' (1683 bytes)
> GW pluto[23102]: packet from 193.88.99.33:500: ignoring Vendor ID payload
> [MS NT5 ISAKMPOAKLEY 00000003]
> GW pluto[23102]: "winxp"[1] 193.88.99.33 #1: responding to Main Mode from
> unknown peer 193.88.99.33
> GW pluto[23102]: "winxp"[1] 193.88.99.33 #1: transition from state (null)
> to state STATE_MAIN_R1
> GW pluto[23102]: "winxp"[1] 193.88.99.33 #1: transition from state
> STATE_MAIN_R1 to state STATE_MAIN_R2
> GW pluto[23102]: "winxp"[1] 193.88.99.33 #1: Peer ID is ID_DER_ASN1_DN:
> 'C=SI, ST=Lj, L=Lj, O=MyOrg, OU=MyOu, CN=client.mydom.com,
> E=root at mydom.com'
> GW pluto[23102]: "winxp"[1] 193.88.99.33 #1: I am sending my cert
> GW pluto[23102]: "winxp"[1] 193.88.99.33 #1: transition from state
> STATE_MAIN_R2 to state STATE_MAIN_R3
> GW pluto[23102]: "winxp"[1] 193.88.99.33 #1: sent MR3, ISAKMP SA
> established
> GW pluto[23102]: "winxp"[1] 193.88.99.33 #2: responding to Quick Mode
> GW pluto[23102]: "winxp"[1] 193.88.99.33 #2: transition from state (null)
> to state STATE_QUICK_R1
> GW pluto[23102]: "winxp"[1] 193.88.99.33 #2: route-host output:
> /usr/local/lib/ipsec/_updown: doroute `ip route add 10.0.200.201/32 via
> 193.88.99.33 dev ipsec0 ' failed (RTNETLINK answers: Network is
> unreachable)
> GW pluto[23102]: "winxp"[1] 193.88.99.33 #2: transition from state
> STATE_QUICK_R1 to state STATE_QUICK_R2
> GW pluto[23102]: "winxp"[1] 193.88.99.33 #2: IPsec SA established
> {ESP=>0x12a9ec41 <0xb9e9d30d}
> GW pluto[23102]: "winxp"[1] 193.88.99.33 #1: received Delete
> SA(0x12a9ec41) payload: deleting IPSEC State #2
> GW pluto[23102]: "winxp"[1] 193.88.99.33 #1: received and ignored
> informational message
> GW pluto[23102]: "winxp"[1] 193.88.99.33 #1: received Delete SA payload:
> deleting ISAKMP State #1
> GW pluto[23102]: "winxp"[1] 193.88.99.33: deleting connection "winxp"
> instance with peer 193.88.99.33 {isakmp=#0/ipsec=#0}
> GW pluto[23102]: "winxp": unroute-host output:
> /usr/local/lib/ipsec/_updown: doroute `ip route delete 10.0.200.201/32 via
> 193.88.99.33 dev ipsec0 ' failed
> (RTNETLINK answers: No such process)
> GW pluto[23102]: packet from 193.88.99.33:500: received and ignored
> informational message
> GW pluto[23102]: shutting down
> GW pluto[23102]: forgetting secrets
> GW pluto[23102]: "winxp": deleting connection
> GW pluto[23102]: shutting down interface ipsec0/eth0 193.2.2.10
> GW pluto[23102]: shutting down interface ipsec0/eth0 193.2.2.10
> ----
>
>
>
> I noticed also two different problems . one is related to OpenSWan, whiles
> the second one isn.t ;):
>
> 1. If I add below rules to my firewall, it doesn.t display anything in the
> log . why (.tcpdump .i ipsec0. shows that some packages are trying to
> reach L2TPd daemon):
> ----
> iptables -I INPUT 1 .i ipsec+ -j LOG --log-level info --log-prefix
> "[IPSEC] "
> iptables -I INPUT 2 .s 193.88.99.33 -j LOG --log-level info --log-prefix
> "[IPSEC] "
> ----
>
> 2. I.m unable to use .owner. match support in my iptables firewall after I
> upgrading the kernel to 2.4.27. E.g. of the rule:
> ----
> iptables -A OUTPUT --dst 10.0.0.40 --proto tcp --destination-port 22 -m
> owner --uid-owner username01 -j ACCEPT
> iptables: Invalid argument
> ----
>
>
> Any idea.
>
>
> Thanks in advance ;) Regards,
> Dezo
>
>
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
>
More information about the Users
mailing list