R: [Openswan Users] OpensWan and Iptables
John A. Sullivan III
john.sullivan at nexusmgmt.com
Wed Oct 27 21:20:08 CEST 2004
Where is your rightsubnet defined for the connection? You will also want
to make sure that your IDs match exactly. There is a slightly dated
slide show which includes setting up NAT traversal in the training
section on http://iscs.sourceforge.net There's even a section on using
iproute2 so that the network VPN connection can be used to speak to the
gateway through the private interface eliminating the need for extra
connection definitions.
By the way, does your gateway allow the traffic destined for the gateway
bound traffic on the INPUT chain? It will use that rather than the
FORWARD chain for traffic destined for the gateway.
Good luck - John
On Wed, 2004-10-27 at 19:36, Giovanni wrote:
> No problem for give my lan ip address and log!!! J
>
>
>
> Oct 27 17:38:51 duro pluto[31478]: packet from 81.kkk.zzz.xxx:500:
> ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
>
> Oct 27 17:38:51 duro pluto[31478]: packet from 81.kkk.zzz.xxx:500:
> ignoring Vendor ID payload [FRAGMENTATION]
>
> Oct 27 17:38:51 duro pluto[31478]: packet from 81.kkk.zzz.xxx:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
>
> Oct 27 17:38:51 duro pluto[31478]: packet from 81.kkk.zzz.xxx:500:
> ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
>
> Oct 27 17:38:51 duro pluto[31478]: "titti" #1: responding to Main Mode
>
> Oct 27 17:38:51 duro pluto[31478]: "titti" #1: transition from state
> (null) to state STATE_MAIN_R1
>
> Oct 27 17:38:52 duro pluto[31478]: "titti" #1: NAT-Traversal: Result
> using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
>
> Oct 27 17:38:52 duro pluto[31478]: "titti" #1: transition from state
> STATE_MAIN_R1 to state STATE_MAIN_R2
>
> Oct 27 17:38:52 duro pluto[31478]: "titti" #1: Peer ID is
> ID_DER_ASN1_DN: 'C=IT, ST=yyyyy, L=yyyyy, O=yyyyy,
> CN=yyyyy.yyyy.yyyyy, E=yyyyy at yyyyyyyy
>
> Oct 27 17:38:52 duro pluto[31478]: "titti" #1: crl update for "C=IT,
> ST=yyyyy, L=yyyyy, O=yyyyy, CN=CA, E=yyyyy at yyyyyyyy" is overdue since
> Apr 24 18:05:12 UTC 2004
>
> Oct 27 17:38:52 duro pluto[31478]: "titti" #1: I am sending my cert
>
> Oct 27 17:38:52 duro pluto[31478]: "titti" #1: transition from state
> STATE_MAIN_R2 to state STATE_MAIN_R3
>
> Oct 27 17:38:52 duro pluto[31478]: | NAT-T: new mapping
> 81.kkk.zzz.xxx:500/4500)
>
> Oct 27 17:38:52 duro pluto[31478]: "titti" #1: sent MR3, ISAKMP SA
> established
>
> Oct 27 17:38:52 duro pluto[31478]: "titti" #1: cannot respond to IPsec
> SA request because no connection is known for
> 172.16.1.0/24===217.fff.kkk.yyy:4500[C=IT, ST=yyyyy, L=yyyyy, O=yyyyy,
> CN=yyyyy.yyyy.yyy, E=yyyyyyyyyyyy]...81.kkk.zzz.xxx:4500[C=IT,
> ST=YYYYYYYY, L=YYYYYYY, O=YYYYYYYY, CN=yyyyy.yyyyy.yyy,
> E=yyyyy at yyyyyyyy]===192.168.2.10/32
>
> Oct 27 17:38:52 duro pluto[31478]: "titti" #1: sending encrypted
> notification INVALID_ID_INFORMATION to 81.kkk.zzz.xxx:4500
>
>
>
> My Network:
>
>
>
> Local ip: 192.168.2.10---Router / nat--Public IP----- internet -----
> ip public –router—ip public --- firewall/vpn---- lan 172.16.1.0/24
>
>
>
> Thanks
>
>
> ______________________________________________________________________
>
> Da: Giovanni [mailto:gio_ton at tiscali.it]
> Inviato: mercoledì 27 ottobre 2004 23.56
> A: 'users at openswan.org'
> Oggetto: R: [Openswan Users] OpensWan and Iptables
>
>
>
>
>
>
>
>
>
>
> I did modifications on my firewall and now it operates almost well.
> There are two problems:
>
> First of all , the firewall drop all requests which are destined to
> private ip of my firewall/openswan while it operates perfectly for
> those which are destined to all other addresses of the same network .
>
> Secondly, I can't active a "natted" pc. It operates perfectly only if
> the client isn't natted.
>
> The error message is:"“cannont respond ipsec because no connection is
> know for 172.16.1.0/24== i plan public”.
>
> At the moment my configuration server in ipsec.conf is the following:
>
> config setup
>
> interfaces=”ipsec0=eth2”
>
> forwardcontrol=yes
>
> klipsdebug=all
>
> nat_traversal=yes
>
> plutodebug=none
>
> uniqueids=yes
>
> virtual_private=%v4:172.16.0.0/12
>
>
>
> conn prova
>
> auto=add
>
> authbt=rsasig
>
> left=ip public server vpn
>
> leftsubnet=172.16.1.0/24
>
> leftid=myid
>
> leftcert=mycert
>
> right=%any
>
> rightid=myid
>
> rightcert=mycert
>
> pfs=yes
>
> keyingtries=3
>
>
>
> thanks to all for the support
>
>
>
>
>
>
> ______________________________________________________________________
>
> Da: Giovanni [mailto:gio_ton at tiscali.it]
> Inviato: mercoledì 27 ottobre 2004 1.31
> A: 'users at openswan.org'
> Oggetto: R: [Openswan Users] OpensWan and Iptables
>
>
>
>
> Now works very well!!!
>
> Thanks again
>
>
>
>
>
>
>
> Hi
>
> This should give you an idea:
>
> [ #Allow IKE ]
>
> # Allow ESP Traffic from/to Gateway
> iptables -A INPUT -i $EXTERNAL_INTERFACE -p esp -j ACCEPT
> iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p esp -j ACCEPT
>
> # Tag Incoming IPSec Traffic. 'mark' sticks after processing.
> iptables -t mangle -A PREROUTING -i $EXTERNAL_INTERFACE -p esp -j MARK
> --set-mark 1
>
> # Forward Authenticated Traffic to LAN.
> iptables -A FORWARD -i $EXTERNAL_INTERFACE -m mark --mark 1 -d
> $LAN_ADDRESSES -j ACCEPT
>
>
>
> # Allow established connections to communicate back.
>
> iptables -A FORWARD -i $LAN_INTERFACE -o $EXTERNAL_INTERFACE -m state
> --state NEW,ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i $EXTERNAL_INTERFACE -o $LAN_INTERFACE -m state
> --state ESTABLISHED,RELATED -j ACCEPT
>
>
>
>
> # SRC nat everything apart from esp traffic.
>
>
> iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -p ! esp -j SNAT
> --to-source $EXTERNAL_IPADDR
>
>
>
>
>
> I hope this helps.
>
>
>
>
>
> Cheers,
>
>
> Daniel.
>
>
>
>
>
>
> ______________________________________________________________________
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan at nexusmgmt.com
More information about the Users
mailing list