[Openswan Users] Data from ipsec0 to eth2

Trevor Morrison demo at hailix.com
Sun Feb 6 12:08:27 CET 2005


Paul,

Thanks for the quick response.  I ran ipsec verify and here is the output:

ipsec verify
Checking your system to see if IPsec got installed and started correctly
Version check and ipsec on-path                             [OK]
Checking for KLIPS support in kernel                        [OK]
Checking for RSA private key (/etc/ipsec.secrets)           ipsec
showhostkey: no default key in "/etc/ipsec.secrets"
[FAILED]
Checking that pluto is running                              [OK]
DNS checks.
Looking for forward key for grumpy                          [NO KEY]
Does the machine have at least one non-private address      [OK]
Two or more interfaces found, checking IP forwarding        [OK]
Checking NAT and MASQUERADING
 tun0x1014 at xx.xx.xx.xx:0                                [FAILED]
REDNAT from 0.0.0.0/0 to 0.0.0.0/0 kills tunnel 192.168.2.0/24:0 ->
192.168.111.0/24:0
[FAILED]
POSTPORTFW from 0.0.0.0/0 to 0.0.0.0/0 kills tunnel 192.168.2.0/24:0 ->
192.168.111.0/24:0

I see that there is definitely a problem, but I thought that IPCOP took care
of NAT and Masquerading with the iptables rules.  What should I look for in
the rules to make sure the killing of the tunnels does not happen?

TIA,

Trevor

PS:  I ran an iptables -n -L to show my current rules if that helps to get
to the bottom of this:

          tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
flags:0x16/0x02 limit: avg 10/sec burst 5
CUSTOMINPUT  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW
DROP       all  --  127.0.0.0/8          0.0.0.0/0           state NEW
DROP       all  --  0.0.0.0/0            127.0.0.0/8         state NEW
ACCEPT    !icmp --  0.0.0.0/0            0.0.0.0/0           state NEW
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DHCPBLUEINPUT  all  --  0.0.0.0/0            0.0.0.0/0
IPSECRED   all  --  0.0.0.0/0            0.0.0.0/0
IPSECBLUE  all  --  0.0.0.0/0            0.0.0.0/0
WIRELESSINPUT  all  --  0.0.0.0/0            0.0.0.0/0
REDINPUT   all  --  0.0.0.0/0            0.0.0.0/0
XTACCESS   all  --  0.0.0.0/0            0.0.0.0/0           state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:2844
ACCEPT     udp  --  0.0.0.0/0            172.16.1.1          udp dpt:123
ACCEPT     udp  --  172.16.1.20          172.16.1.3          udp dpt:53
ACCEPT     tcp  --  172.16.1.20          172.16.1.3          tcp dpt:25
ACCEPT     tcp  --  172.16.1.20          172.16.1.3          tcp dpt:110
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg
10/min burst 5 LOG flags 0 level 4 prefix `INPUT '

Chain FORWARD (policy DROP)
target     prot opt source               destination
ipac~fi    all  --  0.0.0.0/0            0.0.0.0/0
ipac~fo    all  --  0.0.0.0/0            0.0.0.0/0
BADTCP     all  --  0.0.0.0/0            0.0.0.0/0
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
flags:0x06/0x02 TCPMSS clamp to PMTU
CUSTOMFORWARD  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW
DROP       all  --  127.0.0.0/8          0.0.0.0/0           state NEW
DROP       all  --  0.0.0.0/0            127.0.0.0/8         state NEW
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
WIRELESSFORWARD  all  --  0.0.0.0/0            0.0.0.0/0
REDFORWARD  all  --  0.0.0.0/0            0.0.0.0/0
DMZHOLES   all  --  0.0.0.0/0            0.0.0.0/0           state NEW
PORTFWACCESS  all  --  0.0.0.0/0            0.0.0.0/0           state NEW
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg
10/min burst 5 LOG flags 0 level 4 prefix `OUTPUT '

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ipac~i     all  --  0.0.0.0/0            0.0.0.0/0
CUSTOMOUTPUT  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  172.16.1.20          172.16.1.3          udp dpt:53
ACCEPT     tcp  --  172.16.1.20          172.16.1.3          tcp dpt:25
ACCEPT     tcp  --  172.16.1.20          172.16.1.3          tcp dpt:110

Chain BADTCP (2 references)
target     prot opt source               destination
PSCAN      tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
flags:0x3F/0x29
PSCAN      tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
flags:0x3F/0x00
PSCAN      tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
flags:0x3F/0x01
PSCAN      tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
flags:0x06/0x06
PSCAN      tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
flags:0x03/0x03
NEWNOTSYN  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
flags:!0x16/0x02 state NEW

Chain CUSTOMFORWARD (1 references)
target     prot opt source               destination

Chain CUSTOMINPUT (1 references)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:445
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:135
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:137
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:138
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:139
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:445
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:135
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:137
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:138
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:139

Chain CUSTOMOUTPUT (1 references)
target     prot opt source               destination

Chain DHCPBLUEINPUT (1 references)
target     prot opt source               destination

Chain DMZHOLES (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  172.16.1.3           192.168.2.10        tcp dpt:2049
ACCEPT     udp  --  172.16.1.3           192.168.2.10        udp dpt:2049
ACCEPT     udp  --  172.16.1.3           192.168.2.10        udp dpt:622
ACCEPT     udp  --  172.16.1.3           192.168.2.10        udp dpt:111
ACCEPT     tcp  --  172.16.1.3           192.168.2.10        tcp dpt:111
ACCEPT     udp  --  172.16.1.3           192.168.2.10        udp dpt:914
ACCEPT     tcp  --  172.16.1.2           192.168.2.10        tcp dpt:2049
ACCEPT     udp  --  172.16.1.2           192.168.2.10        udp dpt:2049
ACCEPT     udp  --  172.16.1.2           192.168.2.10        udp dpt:665
ACCEPT     tcp  --  172.16.1.2           192.168.2.10        tcp dpt:111
ACCEPT     udp  --  172.16.1.2           192.168.2.10        udp dpt:111
ACCEPT     tcp  --  172.16.1.10          192.168.2.10        tcp dpt:2049
ACCEPT     udp  --  172.16.1.10          192.168.2.10        udp dpt:2049
ACCEPT     udp  --  172.16.1.10          192.168.2.10        udp dpt:665
ACCEPT     tcp  --  172.16.1.10          192.168.2.10        tcp dpt:111
ACCEPT     udp  --  172.16.1.10          192.168.2.10        udp dpt:111
ACCEPT     udp  --  172.16.1.2           192.168.2.10        udp dpt:764
ACCEPT     udp  --  172.16.1.10          192.168.2.10        udp dpt:764
ACCEPT     udp  --  172.16.1.10          192.168.2.10        udp dpt:665
ACCEPT     udp  --  172.16.1.2           192.168.2.10        udp dpt:717
ACCEPT     udp  --  172.16.1.3           192.168.2.10        udp dpt:800
ACCEPT     udp  --  172.16.1.3           192.168.2.10        udp dpt:771
ACCEPT     udp  --  172.16.1.2           192.168.2.10        udp dpt:796
ACCEPT     udp  --  172.16.1.3           192.168.2.10        udp dpt:796

Chain IPSECBLUE (1 references)
target     prot opt source               destination

Chain IPSECRED (1 references)
target     prot opt source               destination
ACCEPT     47   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:500
dpt:500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:4500

Chain LOG_DROP (0 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg
10/min burst 5 LOG flags 0 level 4
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain LOG_REJECT (0 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg
10/min burst 5 LOG flags 0 level 4
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with
icmp-port-unreachable

Chain NEWNOTSYN (1 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg
10/min burst 5 LOG flags 0 level 4 prefix `NEW not SYN? '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain PORTFWACCESS (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.16.1.3          tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            172.16.1.3          tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            172.16.1.3          tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            172.16.1.3          udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            172.16.1.2          tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            192.168.2.7         tcp dpt:1720
ACCEPT     tcp  --  0.0.0.0/0            192.168.2.7         tcp dpt:1503
ACCEPT     tcp  --  0.0.0.0/0            172.16.1.2          tcp dpt:80
ACCEPT     udp  --  0.0.0.0/0            172.16.1.3          udp dpt:25
ACCEPT     tcp  --  xx.xx.xx.xx	     172.16.1.2          tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            192.168.2.6         tcp dpt:1723
ACCEPT     tcp  --  0.0.0.0/0            172.16.1.5          tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            172.16.1.5          tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            172.16.1.3          tcp dpt:443
ACCEPT     47   --  0.0.0.0/0            192.168.2.6
ACCEPT     tcp  --  0.0.0.0/0            192.168.2.6         tcp dpt:1520

Chain PSCAN (5 references)
target     prot opt source               destination
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg
10/min burst 5 LOG flags 0 level 4 prefix `TCP Scan? '
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg
10/min burst 5 LOG flags 0 level 4 prefix `UDP Scan? '
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg
10/min burst 5 LOG flags 0 level 4 prefix `ICMP Scan? '
LOG        all  -f  0.0.0.0/0            0.0.0.0/0           limit: avg
10/min burst 5 LOG flags 0 level 4 prefix `FRAG Scan? '
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain REDFORWARD (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0

Chain REDINPUT (1 references)
target     prot opt source               destination

Chain WIRELESSFORWARD (1 references)
target     prot opt source               destination

Chain WIRELESSINPUT (1 references)
target     prot opt source               destination

Chain XTACCESS (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            xx.xx.xx.xx      tcp dpt:222
ACCEPT     tcp  --  xx.xx.xx.xx      xx.xx.xx.xx      tcp dpt:4

Chain ipac~fi (1 references)
target     prot opt source               destination
           all  --  0.0.0.0/0            0.0.0.0/0
           all  --  0.0.0.0/0            0.0.0.0/0
           all  --  0.0.0.0/0            0.0.0.0/0

Chain ipac~fo (1 references)
target     prot opt source               destination
           all  --  0.0.0.0/0            0.0.0.0/0
           all  --  0.0.0.0/0            0.0.0.0/0
           all  --  0.0.0.0/0            0.0.0.0/0

Chain ipac~i (1 references)
target     prot opt source               destination
           all  --  0.0.0.0/0            0.0.0.0/0
           all  --  0.0.0.0/0            0.0.0.0/0
           all  --  0.0.0.0/0            0.0.0.0/0

Chain ipac~o (1 references)
target     prot opt source               destination
           all  --  0.0.0.0/0            0.0.0.0/0
           all  --  0.0.0.0/0            0.0.0.0/0
           all  --  0.0.0.0/0            0.0.0.0/0
root at grumpy:/var/ipcop/vpn #


-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Sunday, February 06, 2005 10:43 AM
To: Trevor Morrison
Cc: users at openswan.org
Subject: Re: [Openswan Users] Data from ipsec0 to eth2


On Sun, 6 Feb 2005, Trevor Morrison wrote:

> I am running IPCOP 1.4.2 which uses OpenSwan 1.0.7.  My problem is that the
> net-to-net tunnel shows as up on both ends both from the GUI as well as
> using tail -f /var/log/messages, but when I try to ping a machine on the
> other subnet I do not get any replies.  Now, I ran tcpdump -i on both ipsec0
> and eth2 at the same time and I do not see the traffic flowing from ipsec0
> to the eth2 interface.  This is the case for both tunnel endpoints.  I know
> that I am missing something, but what?  I am including my ipsec.conf file
> below:

That all looks fine. Are you pinging from the net to the net, and host from
the gateway to somewhere or from somewhere to gateway?

> conn Hailix
>        right=xx.xx.xx.xx
>        rightsubnet=192.168.2.0/255.255.255.0
>        rightnexthop=%defaultroute
>        left=xx.xx.xx.xx
>        leftsubnet=192.168.111.0/24
>        leftnexthop=%defaultroute
>        dpddelay=30
>        dpdtimeout=120
>        dpdaction=hold
>        authby=secret
>        auto=start

You can try and add leftsourceip=192.168.2.X and rightsourceip=192.168.111.Y
where those IPs are the internal IPs of the security gateways. Then you
will be able to ping if using it from or to a gateway.

Other problems could be:
- NAT breaking packets
- no IP Forwarding enabled
- rp_filter anti-spoof protection enabled

Run 'ipsec verify' if that is available on ipcop to detect this.

Paul
--

"At best it is a theory, at worst a fantasy" -- Michael Crichton
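A worked check of the NAT problem raised in both messages above (the REDNAT and POSTPORTFW "kills tunnel" lines from ipsec verify, and Paul's "NAT breaking packets" item), added here as an example; it is not code from the thread, from IPCop or from Openswan. It walks an iptables nat table in kernel order for traffic between the two tunnel subnets and reports whether a MASQUERADE/SNAT rule can rewrite it, then shows the two usual corrections: an ACCEPT exemption placed before the masquerade rule, or a masquerade rule that excludes the remote subnet. The dumps are constructed; the chain name REDNAT and the subnets 192.168.2.0/24 and 192.168.111.0/24 are taken from the ipsec verify output above, the interface name eth1 is an assumption.

```python
import ipaddress
import shlex
from collections import namedtuple

ANY = ipaddress.ip_network("0.0.0.0/0")
# Address-rewriting targets; one of these hitting tunnel traffic is what
# 'ipsec verify' reports as "kills tunnel".
NAT_TARGETS = {"MASQUERADE", "SNAT", "NETMAP"}
Rule = namedtuple("Rule", "chain src src_neg dst dst_neg target text")


def parse_nat_rules(dump):
    """Parse the '-A CHAIN ...' lines of an 'iptables-save -t nat' dump.
    Only -s, -d (negated in the old '-d ! net' or new '! -d net' form) and -j
    are interpreted; other matches such as -o are ignored, which errs towards
    reporting a rule as reachable."""
    rules = []
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue
        tok = shlex.split(line)
        chain, target, i = tok[1], None, 2
        src, dst, src_neg, dst_neg, neg = ANY, ANY, False, False, False
        while i < len(tok):
            t = tok[i]
            if t == "!":
                neg, i = True, i + 1
                continue
            if t in ("-s", "-d"):
                val = tok[i + 1]
                if val == "!":
                    neg, val, i = True, tok[i + 2], i + 1
                net = ipaddress.ip_network(val, strict=False)
                if t == "-s":
                    src, src_neg = net, neg
                else:
                    dst, dst_neg = net, neg
                neg, i = False, i + 2
                continue
            if t == "-j":
                target, i = tok[i + 1], i + 2
                continue
            neg, i = False, i + 1
        rules.append(Rule(chain, src, src_neg, dst, dst_neg, target, line))
    return rules


def _covers(net, neg, traffic):
    """The (possibly negated) match hits every address in traffic."""
    return (not traffic.overlaps(net)) if neg else traffic.subnet_of(net)


def _touches(net, neg, traffic):
    """The (possibly negated) match hits at least one address in traffic."""
    return (not traffic.subnet_of(net)) if neg else traffic.overlaps(net)


def check_nat_dump(dump, local_cidr, remote_cidr, entry="POSTROUTING"):
    """Walk the nat table for local->remote traffic in kernel order, following
    jumps.  Returns (verdict, rule): 'rewritten' if a NAT target can hit the
    traffic (tunnel broken), 'exempt' if an ACCEPT covering all of it comes
    first, 'untouched' if no rule applies."""
    local, remote = ipaddress.ip_network(local_cidr), ipaddress.ip_network(remote_cidr)
    by_chain = {}
    for r in parse_nat_rules(dump):
        by_chain.setdefault(r.chain, []).append(r)

    def walk(chain):
        for r in by_chain.get(chain, []):
            if not (_touches(r.src, r.src_neg, local) and _touches(r.dst, r.dst_neg, remote)):
                continue
            if r.target in NAT_TARGETS:
                return "rewritten", r.text
            if r.target == "ACCEPT" and _covers(r.src, r.src_neg, local) \
                    and _covers(r.dst, r.dst_neg, remote):
                return "exempt", r.text
            if r.target in by_chain:          # jump into a user-defined chain
                verdict = walk(r.target)
                if verdict[0] != "untouched":
                    return verdict
        return "untouched", None

    return walk(entry)


# Constructed samples (not copied from the thread).  The chain name REDNAT and
# the two subnets come from the 'ipsec verify' output above; eth1 is assumed.
BROKEN_NAT = """\
*nat
:POSTROUTING ACCEPT [0:0]
:REDNAT - [0:0]
-A POSTROUTING -j REDNAT
-A REDNAT -o eth1 -j MASQUERADE
COMMIT
"""
MASQ = "-A REDNAT -o eth1 -j MASQUERADE"
# Fix 1: exempt tunnel traffic before it reaches the masquerade rule.
FIXED_NAT = BROKEN_NAT.replace(
    MASQ, "-A REDNAT -s 192.168.2.0/24 -d 192.168.111.0/24 -j ACCEPT\n" + MASQ)
# Fix 2: keep the remote subnet out of the masquerade rule itself.
NEGATED_NAT = BROKEN_NAT.replace(MASQ, "-A REDNAT ! -d 192.168.111.0/24 -o eth1 -j MASQUERADE")

if __name__ == "__main__":
    for name, dump in ("broken", BROKEN_NAT), ("accept-first", FIXED_NAT), ("negated", NEGATED_NAT):
        print(name, *check_nat_dump(dump, "192.168.2.0/24", "192.168.111.0/24"))
```

On a live box the dump would come from `iptables-save -t nat`; the point of the walk is that rule order matters: an ACCEPT for the tunnel pair only helps if it is reached before the catch-all MASQUERADE, and a rule in a user chain such as REDNAT is just as fatal as one in POSTROUTING itself. Both fixes leave ordinary LAN-to-internet traffic masqueraded, which the checks below confirm.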


