R: [Openswan Users] OpensWan and Iptables

Giovanni gio_ton at tiscali.it
Thu Oct 28 02:36:40 CEST 2004


No problem giving my LAN IP address and log!!! :-)

 

Oct 27 17:38:51 duro pluto[31478]: packet from 81.kkk.zzz.xxx:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Oct 27 17:38:51 duro pluto[31478]: packet from 81.kkk.zzz.xxx:500: ignoring Vendor ID payload [FRAGMENTATION]
Oct 27 17:38:51 duro pluto[31478]: packet from 81.kkk.zzz.xxx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Oct 27 17:38:51 duro pluto[31478]: packet from 81.kkk.zzz.xxx:500: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
Oct 27 17:38:51 duro pluto[31478]: "titti" #1: responding to Main Mode
Oct 27 17:38:51 duro pluto[31478]: "titti" #1: transition from state (null) to state STATE_MAIN_R1
Oct 27 17:38:52 duro pluto[31478]: "titti" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Oct 27 17:38:52 duro pluto[31478]: "titti" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 27 17:38:52 duro pluto[31478]: "titti" #1: Peer ID is ID_DER_ASN1_DN: 'C=IT, ST=yyyyy, L=yyyyy, O=yyyyy, CN=yyyyy.yyyy.yyyyy, E=yyyyy at yyyyyyyy
Oct 27 17:38:52 duro pluto[31478]: "titti" #1: crl update for "C=IT, ST=yyyyy, L=yyyyy, O=yyyyy, CN=CA, E=yyyyy at yyyyyyyy" is overdue since Apr 24 18:05:12 UTC 2004
Oct 27 17:38:52 duro pluto[31478]: "titti" #1: I am sending my cert
Oct 27 17:38:52 duro pluto[31478]: "titti" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 27 17:38:52 duro pluto[31478]: | NAT-T: new mapping 81.kkk.zzz.xxx:500/4500)
Oct 27 17:38:52 duro pluto[31478]: "titti" #1: sent MR3, ISAKMP SA established
Oct 27 17:38:52 duro pluto[31478]: "titti" #1: cannot respond to IPsec SA request because no connection is known for 172.16.1.0/24===217.fff.kkk.yyy:4500[C=IT, ST=yyyyy, L=yyyyy, O=yyyyy, CN=yyyyy.yyyy.yyy, E=yyyyyyyyyyyy]...81.kkk.zzz.xxx:4500[C=IT, ST=YYYYYYYY, L=YYYYYYY, O=YYYYYYYY, CN=yyyyy.yyyyy.yyy, E=yyyyy at yyyyyyyy]===192.168.2.10/32
Oct 27 17:38:52 duro pluto[31478]: "titti" #1: sending encrypted notification INVALID_ID_INFORMATION to 81.kkk.zzz.xxx:4500

 

My Network:

Local IP: 192.168.2.10 --- Router/NAT --- Public IP ----- Internet ----- Public IP --- Router --- Public IP --- Firewall/VPN ---- LAN 172.16.1.0/24

 

Thanks
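An added diagnostic, not from this thread, that re-joins the two key pluto lines above and checks the rejected proposal against the virtual_private value from the ipsec.conf quoted further down. It parses the endpoints out of the "no connection is known for" spec and tests whether the peer's proposed remote subnet (192.168.2.10/32) lies inside any %v4: range in virtual_private, the list of private ranges a NAT'd peer is allowed to present; the masked octets are replaced with documentation addresses and the log text is constructed here.

```python
import ipaddress
import re

# Constructed sample: the two relevant pluto lines from the post, re-joined
# into single lines, with the masked octets replaced by documentation addresses.
SAMPLE_LOG = (
    'Oct 27 17:38:52 duro pluto[31478]: "titti" #1: NAT-Traversal: Result using '
    "draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed\n"
    'Oct 27 17:38:52 duro pluto[31478]: "titti" #1: cannot respond to IPsec SA '
    "request because no connection is known for "
    "172.16.1.0/24===198.51.100.1:4500[C=IT, O=yyyyy, CN=gw.example]"
    "...203.0.113.9:4500[C=IT, O=yyyyy, CN=client.example]===192.168.2.10/32\n"
)

# The proposal pluto could not match has the shape
#   leftsubnet===leftip:port[leftid]...rightip:port[rightid]===rightsubnet
SPEC_RE = re.compile(
    r"no connection is known for (?P<lsub>[\d./]+)===(?P<lip>[\d.]+):(?P<lport>\d+)"
    r"\[(?P<lid>[^\]]*)\]\.\.\.(?P<rip>[\d.]+):(?P<rport>\d+)\[(?P<rid>[^\]]*)\]"
    r"===(?P<rsub>[\d./]+)"
)

def parse_virtual_private(value):
    """IPv4 networks listed in an ipsec.conf virtual_private value.
    Only %v4: entries are handled; %v6: entries and ! exclusions are skipped."""
    nets = []
    for item in value.split(","):
        item = item.strip()
        if item.startswith("%v4:") and not item[4:].startswith("!"):
            nets.append(ipaddress.ip_network(item[4:], strict=False))
    return nets

def diagnose(log_text, virtual_private):
    """Extract the NAT-T verdict and the rejected proposal, then check whether
    the peer's proposed remote subnet falls inside a permitted %v4: range."""
    result = {"peer_nated": False, "remote_subnet": None,
              "remote_port": None, "in_virtual_private": None}
    allowed = parse_virtual_private(virtual_private)
    for line in log_text.splitlines():
        if "NAT-Traversal" in line and "peer is NATed" in line:
            result["peer_nated"] = True
        m = SPEC_RE.search(line)
        if m:
            rsub = ipaddress.ip_network(m.group("rsub"), strict=False)
            result["remote_subnet"] = str(rsub)
            result["remote_port"] = int(m.group("rport"))  # 4500 means NAT-T is in use
            result["in_virtual_private"] = any(rsub.subnet_of(n) for n in allowed)
    return result
```

With the posted value `%v4:172.16.0.0/12` the check reports the peer's 192.168.2.10/32 as outside every permitted range, which is one of the things to verify when a NAT'd client is refused while an un-NAT'd one connects.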

  _____  

From: Giovanni [mailto:gio_ton at tiscali.it]
Sent: Wednesday, 27 October 2004 23:56
To: 'users at openswan.org'
Subject: R: [Openswan Users] OpensWan and Iptables

I made modifications to my firewall and now it operates almost well. There
are two problems:

First of all, the firewall drops all requests destined to the private IP
of my firewall/openswan, while it operates perfectly for those destined to
all other addresses of the same network.

Secondly, I can't activate a "natted" PC. It operates perfectly only if the
client isn't natted.

The error message is: "cannot respond to IPsec because no connection is known
for 172.16.1.0/24===ip public".

At the moment my server configuration in ipsec.conf is the following:

config setup
        interfaces="ipsec0=eth2"
        forwardcontrol=yes
        klipsdebug=all
        nat_traversal=yes
        plutodebug=none
        uniqueids=yes
        virtual_private=%v4:172.16.0.0/12

conn prova
        auto=add
        authby=rsasig
        left=ip public server vpn        # placeholder: public IP of the VPN gateway
        leftsubnet=172.16.1.0/24
        leftid=myid
        leftcert=mycert
        right=%any
        rightid=myid
        rightcert=mycert
        pfs=yes
        keyingtries=3

 

thanks to all for the support

 

 

  _____  

From: Giovanni [mailto:gio_ton at tiscali.it]
Sent: Wednesday, 27 October 2004 01:31
To: 'users at openswan.org'
Subject: R: [Openswan Users] OpensWan and Iptables

 

Now it works very well!!!

Thanks again


Hi 

This should give you an idea:

 [ #Allow IKE ]

# Allow ESP Traffic from/to Gateway
iptables -A INPUT -i $EXTERNAL_INTERFACE -p esp -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p esp -j ACCEPT

# Tag Incoming IPSec Traffic. 'mark' sticks after processing.
iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -p esp -j MARK --set-mark 1

# Forward Authenticated Traffic to LAN.
iptables -A FORWARD -i $EXTERNAL_INTERFACE -m mark --mark 1 -d $LAN_ADDRESSES -j ACCEPT

# Allow established connections to communicate back.
iptables -A FORWARD -i $LAN_INTERFACE -o $EXTERNAL_INTERFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $LAN_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# SRC nat everything apart from esp traffic.
iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -p ! esp -j SNAT --to-source $EXTERNAL_IPADDR

 

I hope this helps.

 

Cheers,

Daniel.

 
