[Openswan Users] Migration from RedHat 7 to SuSE 9.2 problematic

Bram Bouwens bbouwens at xs4all.nl
Sun Apr 17 12:36:31 CEST 2005


Alexander Samad wrote:
> On Sat, Apr 16, 2005 at 04:33:53PM +0200, Bram Bouwens wrote:
> 
>>I've been running an IPSEC connection between my home and the office
>>for years, really brilliant. Using RedHat 7.0 on one and 7.3 at the
>>other side with FreeS/WAN 2.06.
>>
>>Now for various reasons it's time to upgrade my home gateway, and
>>I thought SuSE 9.2 would be nice. I also plugged in a DSL card modem.
>>All seems to go smooth, with almost no changes to the configuration,
>>Openswan U2.2.0/K2.6.8-24.14-default looks similar, except that I
>>see no ipsec0 device appearing, so I'm a little puzzled by the
>>routing.
> 
> 
> ipsec interfaces disappeared in the 2.6 implementation, using the native
> ipsec stack.  I believe you can still build klips for the 2.6 kernel
> which will give you back the ipsecX interfaces, but they are not needed

After more hours of fiddling and trying to get the stuff working with
racoon, I learned that it's just another paradigm. We used to say: send
this packet through that ipsec-device, but now it's: wrap up the packet
in ESP and send it through the normal interface. To me that was a
relevant thing to note.
> 
> 
....
>>
>>The firewall shouldn't be a problem I think:
> 
> 
> you will have to change your firewall, ipsec packets go through the
> netfilter chain twice once as an esp packet and once as a decrypted
> packet.  Which means you might have to attach a script to your ipsec
> config to automatically update your firewall to allow the unencrypted
> packets through.  or mark them in mangle (the esp packets) and then
> allow them through in the filter table.

You have a point there!

In the end I got racoon to set up a SA as well, with the same result:
no traffic going through the tunnel. Then tcpdump showed that when
I did a ping from 192.168.37.5 to 192.168.0.17 there were ICMP requests
going from the PUBLIC IP to the office LAN IP address going into the
dsl0 device. So: they got MASQ'd, and therefore not wrapped in an ESP
packet. Then I saw:

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

which is rather crude if you ask me. After I inserted

ACCEPT     all  --  192.168.37.0/24      192.168.0.0/24

before that rule, it all worked! Now I'll have to convince SuSEFirewall
to do that for me after the inevitable reboot.

When I figured out which of all the steps I did were relevant I might
write a summary, but that may be off-topic for this mailing list as
I ended up with racoon (yes, using the same RSA keys) instead of
OpenSwan :D

Thanks for your help!

Bram
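The rule ordering Bram describes, and the "packets traverse netfilter twice" point from the quoted reply, put together as one firewall script. This is an added example, not code from the thread or from Openswan/racoon: the LAN prefixes and the dsl0 interface are the ones in the post; the peer's public IP is a placeholder, and the `-m policy` match for the decrypted second pass assumes a kernel with the xt_policy module (newer than the K2.6.8 in the post; on older kernels a plain source/destination ACCEPT, exactly as Bram used, is the fallback).

```shell
#!/bin/sh
# Added example (not from the thread): firewall rules for a native-IPsec (2.6) gateway
# where MASQUERADE on POSTROUTING was catching LAN-to-LAN traffic before the kernel
# could wrap it in ESP. Networks and interface come from the post; PEER_IP is a placeholder.

LAN_NET="192.168.37.0/24"    # home LAN (from the post)
REMOTE_NET="192.168.0.0/24"  # office LAN (from the post)
WAN_IF="dsl0"                # DSL interface (from the post)
PEER_IP="203.0.113.1"        # office gateway's public IP: placeholder (TEST-NET-3), assumed

# NAT table. Order matters: the ACCEPT for traffic that will be tunnelled has to come
# before MASQUERADE. Otherwise the plaintext packet gets its source rewritten to the
# public IP, no longer matches the SA's selector, and leaves the DSL interface
# unencrypted, which is exactly what tcpdump showed in the post.
nat_rules() {
    printf '%s\n' \
        "iptables -t nat -A POSTROUTING -s $LAN_NET -d $REMOTE_NET -j ACCEPT" \
        "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# Filter table. With the native stack a tunnelled packet passes netfilter twice:
# once as IKE/ESP between the two public IPs (INPUT on this box), and once as the
# decrypted inner packet between the LAN addresses (FORWARD). Both passes need an
# ACCEPT; the policy match restricts the second one to packets that really came
# out of (or are going into) an IPsec SA, so spoofed plaintext from the WAN is not
# let through on the strength of its LAN source address.
filter_rules() {
    printf '%s\n' \
        "iptables -A INPUT -i $WAN_IF -p udp -s $PEER_IP --dport 500 -j ACCEPT" \
        "iptables -A INPUT -i $WAN_IF -p esp -s $PEER_IP -j ACCEPT" \
        "iptables -A FORWARD -m policy --dir in --pol ipsec -s $REMOTE_NET -d $LAN_NET -j ACCEPT" \
        "iptables -A FORWARD -m policy --dir out --pol ipsec -s $LAN_NET -d $REMOTE_NET -j ACCEPT"
}

all_rules() {
    nat_rules
    filter_rules
}

# Default is a dry run that just prints the commands; "apply" runs them (needs root).
case "${1:-}" in
    apply) all_rules | sh -e ;;
    *)     all_rules ;;
esac
```

If the distribution's firewall (SuSEFirewall in the post) has already appended its own MASQUERADE rule, `-A` lands the ACCEPT after it and changes nothing; in that case use `iptables -t nat -I POSTROUTING 1 ...` or hook the script into the firewall's own custom-rules mechanism so it survives the reboot. Add `udp --dport 4500` to the INPUT rules only if NAT traversal is in use.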

