[Openswan Users] Data from ipsec0 to eth2
Trevor Morrison
demo at hailix.com
Sun Feb 6 12:08:27 CET 2005
Paul,
Thanks for the quick response. I ran ipsec verify and here is the output:
ipsec verify
Checking your system to see if IPsec got installed and started correctly
Version check and ipsec on-path [OK]
Checking for KLIPS support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) ipsec showhostkey: no default key in "/etc/ipsec.secrets"
[FAILED]
Checking that pluto is running [OK]
DNS checks.
Looking for forward key for grumpy [NO KEY]
Does the machine have at least one non-private address [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADING
tun0x1014 at xx.xx.xx.xx:0 [FAILED]
REDNAT from 0.0.0.0/0 to 0.0.0.0/0 kills tunnel 192.168.2.0/24:0 -> 192.168.111.0/24:0
[FAILED]
POSTPORTFW from 0.0.0.0/0 to 0.0.0.0/0 kills tunnel 192.168.2.0/24:0 -> 192.168.111.0/24:0
I see that there is definitely a problem, but I thought that IPCOP took care
of NAT and Masquerading with the iptables rules. What should I look for in
the rules to make sure the killing of the tunnels does not happen?
TIA,
Trevor
PS: I ran an iptables -n -L to show my current rules if that helps to get
to the bottom of this:
tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 limit: avg 10/sec burst 5
CUSTOMINPUT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
DROP all -- 127.0.0.0/8 0.0.0.0/0 state NEW
DROP all -- 0.0.0.0/0 127.0.0.0/8 state NEW
ACCEPT !icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DHCPBLUEINPUT all -- 0.0.0.0/0 0.0.0.0/0
IPSECRED all -- 0.0.0.0/0 0.0.0.0/0
IPSECBLUE all -- 0.0.0.0/0 0.0.0.0/0
WIRELESSINPUT all -- 0.0.0.0/0 0.0.0.0/0
REDINPUT all -- 0.0.0.0/0 0.0.0.0/0
XTACCESS all -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2844
ACCEPT udp -- 0.0.0.0/0 172.16.1.1 udp dpt:123
ACCEPT udp -- 172.16.1.20 172.16.1.3 udp dpt:53
ACCEPT tcp -- 172.16.1.20 172.16.1.3 tcp dpt:25
ACCEPT tcp -- 172.16.1.20 172.16.1.3 tcp dpt:110
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `INPUT '
Chain FORWARD (policy DROP)
target prot opt source destination
ipac~fi all -- 0.0.0.0/0 0.0.0.0/0
ipac~fo all -- 0.0.0.0/0 0.0.0.0/0
BADTCP all -- 0.0.0.0/0 0.0.0.0/0
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
CUSTOMFORWARD all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
DROP all -- 127.0.0.0/8 0.0.0.0/0 state NEW
DROP all -- 0.0.0.0/0 127.0.0.0/8 state NEW
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
WIRELESSFORWARD all -- 0.0.0.0/0 0.0.0.0/0
REDFORWARD all -- 0.0.0.0/0 0.0.0.0/0
DMZHOLES all -- 0.0.0.0/0 0.0.0.0/0 state NEW
PORTFWACCESS all -- 0.0.0.0/0 0.0.0.0/0 state NEW
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `OUTPUT '
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ipac~i all -- 0.0.0.0/0 0.0.0.0/0
CUSTOMOUTPUT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 172.16.1.20 172.16.1.3 udp dpt:53
ACCEPT tcp -- 172.16.1.20 172.16.1.3 tcp dpt:25
ACCEPT tcp -- 172.16.1.20 172.16.1.3 tcp dpt:110
Chain BADTCP (2 references)
target prot opt source destination
PSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
PSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
PSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x01
PSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
PSCAN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
NEWNOTSYN tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x16/0x02 state NEW
Chain CUSTOMFORWARD (1 references)
target prot opt source destination
Chain CUSTOMINPUT (1 references)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:137
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:138
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:445
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:135
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:139
Chain CUSTOMOUTPUT (1 references)
target prot opt source destination
Chain DHCPBLUEINPUT (1 references)
target prot opt source destination
Chain DMZHOLES (1 references)
target prot opt source destination
ACCEPT tcp -- 172.16.1.3 192.168.2.10 tcp dpt:2049
ACCEPT udp -- 172.16.1.3 192.168.2.10 udp dpt:2049
ACCEPT udp -- 172.16.1.3 192.168.2.10 udp dpt:622
ACCEPT udp -- 172.16.1.3 192.168.2.10 udp dpt:111
ACCEPT tcp -- 172.16.1.3 192.168.2.10 tcp dpt:111
ACCEPT udp -- 172.16.1.3 192.168.2.10 udp dpt:914
ACCEPT tcp -- 172.16.1.2 192.168.2.10 tcp dpt:2049
ACCEPT udp -- 172.16.1.2 192.168.2.10 udp dpt:2049
ACCEPT udp -- 172.16.1.2 192.168.2.10 udp dpt:665
ACCEPT tcp -- 172.16.1.2 192.168.2.10 tcp dpt:111
ACCEPT udp -- 172.16.1.2 192.168.2.10 udp dpt:111
ACCEPT tcp -- 172.16.1.10 192.168.2.10 tcp dpt:2049
ACCEPT udp -- 172.16.1.10 192.168.2.10 udp dpt:2049
ACCEPT udp -- 172.16.1.10 192.168.2.10 udp dpt:665
ACCEPT tcp -- 172.16.1.10 192.168.2.10 tcp dpt:111
ACCEPT udp -- 172.16.1.10 192.168.2.10 udp dpt:111
ACCEPT udp -- 172.16.1.2 192.168.2.10 udp dpt:764
ACCEPT udp -- 172.16.1.10 192.168.2.10 udp dpt:764
ACCEPT udp -- 172.16.1.10 192.168.2.10 udp dpt:665
ACCEPT udp -- 172.16.1.2 192.168.2.10 udp dpt:717
ACCEPT udp -- 172.16.1.3 192.168.2.10 udp dpt:800
ACCEPT udp -- 172.16.1.3 192.168.2.10 udp dpt:771
ACCEPT udp -- 172.16.1.2 192.168.2.10 udp dpt:796
ACCEPT udp -- 172.16.1.3 192.168.2.10 udp dpt:796
Chain IPSECBLUE (1 references)
target prot opt source destination
Chain IPSECRED (1 references)
target prot opt source destination
ACCEPT 47 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4500
Chain LOG_DROP (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain LOG_REJECT (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain NEWNOTSYN (1 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `NEW not SYN? '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain PORTFWACCESS (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.16.1.3 tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 172.16.1.3 tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 172.16.1.3 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 172.16.1.3 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 172.16.1.2 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 192.168.2.7 tcp dpt:1720
ACCEPT tcp -- 0.0.0.0/0 192.168.2.7 tcp dpt:1503
ACCEPT tcp -- 0.0.0.0/0 172.16.1.2 tcp dpt:80
ACCEPT udp -- 0.0.0.0/0 172.16.1.3 udp dpt:25
ACCEPT tcp -- xx.xx.xx.xx 172.16.1.2 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 192.168.2.6 tcp dpt:1723
ACCEPT tcp -- 0.0.0.0/0 172.16.1.5 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 172.16.1.5 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 172.16.1.3 tcp dpt:443
ACCEPT 47 -- 0.0.0.0/0 192.168.2.6
ACCEPT tcp -- 0.0.0.0/0 192.168.2.6 tcp dpt:1520
Chain PSCAN (5 references)
target prot opt source destination
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `TCP Scan? '
LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `UDP Scan? '
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `ICMP Scan? '
LOG all -f 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `FRAG Scan? '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain REDFORWARD (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0
Chain REDINPUT (1 references)
target prot opt source destination
Chain WIRELESSFORWARD (1 references)
target prot opt source destination
Chain WIRELESSINPUT (1 references)
target prot opt source destination
Chain XTACCESS (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 xx.xx.xx.xx tcp dpt:222
ACCEPT tcp -- xx.xx.xx.xx xx.xx.xx.xx tcp dpt:4
Chain ipac~fi (1 references)
target prot opt source destination
all -- 0.0.0.0/0 0.0.0.0/0
all -- 0.0.0.0/0 0.0.0.0/0
all -- 0.0.0.0/0 0.0.0.0/0
Chain ipac~fo (1 references)
target prot opt source destination
all -- 0.0.0.0/0 0.0.0.0/0
all -- 0.0.0.0/0 0.0.0.0/0
all -- 0.0.0.0/0 0.0.0.0/0
Chain ipac~i (1 references)
target prot opt source destination
all -- 0.0.0.0/0 0.0.0.0/0
all -- 0.0.0.0/0 0.0.0.0/0
all -- 0.0.0.0/0 0.0.0.0/0
Chain ipac~o (1 references)
target prot opt source destination
all -- 0.0.0.0/0 0.0.0.0/0
all -- 0.0.0.0/0 0.0.0.0/0
all -- 0.0.0.0/0 0.0.0.0/0
root at grumpy:/var/ipcop/vpn #
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Sunday, February 06, 2005 10:43 AM
To: Trevor Morrison
Cc: users at openswan.org
Subject: Re: [Openswan Users] Data from ipsec0 to eth2
On Sun, 6 Feb 2005, Trevor Morrison wrote:
> I am running IPCOP 1.4.2 which uses OpenSwan 1.0.7. My problem is that the
> net-to-net tunnel shows as up on both ends both from the GUI as well as
> using tail -f /var/log/messages, but when I try to ping a machine on the
> other subnet I do not get any replies. Now, I ran tcpdump -i on both ipsec0
> and eth2 at the same time and I do not see the traffic flowing from ipsec0
> to the eth2 interface. This is the case for both tunnel endpoints. I know
> that I am missing something, but what? I am including my ipsec.conf file
> below:
That all looks fine. Are you pinging from the net to the net, and host from
the gateway to somewhere or from somewhere to gateway?
> conn Hailix
> right=xx.xx.xx.xx
> rightsubnet=192.168.2.0/255.255.255.0
> rightnexthop=%defaultroute
> left=xx.xx.xx.xx
> leftsubnet=192.168.111.0/24
> leftnexthop=%defaultroute
> dpddelay=30
> dpdtimeout=120
> dpdaction=hold
> authby=secret
> auto=start
You can try and add leftsourceip=192.168.2.X and rightsourceip=192.168.111.Y
where those IPs are the internal IPs of the security gateways. Then you
will be able to ping if using it from or to a gateway.
Other problems could be:
- NAT breaking packets
- no IP Forwarding enabled
- rp_filter anti-spoof protection enabled
Run 'ipsec verify' if that is available on ipcop to detect this.
Paul
--
"At best it is a theory, at worst a fantasy" -- Michael Crichton
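The REDNAT warning in the ipsec verify output above, and Paul's "NAT breaking packets" item, come down to one question: in the nat table's POSTROUTING path, does a MASQUERADE or SNAT rule catch a cleartext packet from leftsubnet to rightsubnet before an ACCEPT rule exempts it? The Python below is an added example written for this page, not code from Openswan, IPCop or either poster; it answers that question from `iptables-save -t nat` text and shows the two usual fixes (an ACCEPT for the tunnel's selectors ahead of the NAT chain, or a `! -d` exclusion on the MASQUERADE rule itself). The rule sets inside it are constructed to resemble the REDNAT chain named in the thread, not copied from IPCop. The ipsec verify message reports only address ranges, so the script also lets you name the interface the cleartext actually leaves on: under KLIPS that is ipsec0, so a MASQUERADE bound with `-o eth1` never sees the plaintext, while under NETKEY it is the physical RED interface. The interface name eth1 is an assumption; the subnets and chain name come from the thread.

```python
"""Model of the nat-table check behind ipsec verify's "kills tunnel" warning.
Added example for this thread; not code from Openswan, IPCop or the posters.
Input is `iptables-save -t nat` text; the rule sets below are constructed."""
import ipaddress

NAT_TARGETS = {"MASQUERADE", "SNAT", "NETMAP"}   # targets that rewrite the source
TUNNEL = ("192.168.2.0/24", "192.168.111.0/24")  # leftsubnet -> rightsubnet (thread)


def parse_nat_rules(save_text):
    """{chain: [rule, ...]} in order, from the -A lines of iptables-save output.
    Assumes each option takes one argument (true for the rules here); a
    leading "!" negates the -s/-d selector that follows it."""
    chains = {}
    for line in save_text.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "-A":
            continue
        rule = {"src": "0.0.0.0/0", "src_neg": False, "dst": "0.0.0.0/0",
                "dst_neg": False, "out": None, "target": None, "raw": line.strip()}
        neg, i = False, 2
        while i < len(tok):
            opt = tok[i]
            if opt == "!":
                neg, i = True, i + 1
                continue
            if opt in ("-s", "--source"):
                rule["src"], rule["src_neg"] = tok[i + 1], neg
            elif opt in ("-d", "--destination"):
                rule["dst"], rule["dst_neg"] = tok[i + 1], neg
            elif opt in ("-o", "--out-interface"):
                rule["out"] = tok[i + 1]
            elif opt in ("-j", "-g"):
                rule["target"] = tok[i + 1]
            neg, i = False, i + 2
        chains.setdefault(tok[1], []).append(rule)
    return chains


def _hits(sel, negated, pkt, whole):
    """Selector `sel` against address range `pkt`. whole=True needs every address
    of pkt to match (an ACCEPT must cover the tunnel completely); whole=False is
    satisfied by any overlap (a NAT rule touching part of the tunnel breaks it)."""
    sel_net = ipaddress.ip_network(sel, strict=False)
    pkt_net = ipaddress.ip_network(pkt, strict=False)
    if not negated:
        return pkt_net.subnet_of(sel_net) if whole else pkt_net.overlaps(sel_net)
    # "! -d X" matches addresses outside X
    return not pkt_net.overlaps(sel_net) if whole else not pkt_net.subnet_of(sel_net)


def _walk(chains, chain, local, remote, out_if, seen):
    """Traverse `chain` as the kernel would for a local->remote packet. Returns
    ("NAT", rule) on a source-rewriting hit, ("ACCEPT", rule) when an exemption
    ends traversal, or (None, None) to carry on in the calling chain."""
    if chain in seen:                                  # guard against loops
        return None, None
    for rule in chains.get(chain, []):
        if out_if is not None and rule["out"] not in (None, out_if):
            continue                                   # bound to another interface
        tgt = rule["target"]
        if tgt in NAT_TARGETS:
            if (_hits(rule["src"], rule["src_neg"], local, False)
                    and _hits(rule["dst"], rule["dst_neg"], remote, False)):
                return "NAT", rule
        elif tgt in ("ACCEPT", "RETURN"):
            if (_hits(rule["src"], rule["src_neg"], local, True)
                    and _hits(rule["dst"], rule["dst_neg"], remote, True)):
                return ("ACCEPT", rule) if tgt == "ACCEPT" else (None, None)
        elif tgt in chains:                            # jump to a user chain
            verdict, hit = _walk(chains, tgt, local, remote, out_if, seen | {chain})
            if verdict:
                return verdict, hit
    return None, None


def nat_kills_tunnel(save_text, local, remote, out_if=None):
    """Raw text of the rule that rewrites local->remote packets, or None.
    out_if: interface the cleartext leaves on ("ipsec0" under KLIPS, the RED
    interface under NETKEY); None ignores interfaces, like ipsec verify does."""
    verdict, rule = _walk(parse_nat_rules(save_text), "POSTROUTING",
                          local, remote, out_if, frozenset())
    return rule["raw"] if verdict == "NAT" else None


# Constructed to resemble the thread's REDNAT chain; not IPCop's real rule set.
# eth1 as the RED interface is an assumption.
BROKEN = """\
*nat
:POSTROUTING ACCEPT [0:0]
:REDNAT - [0:0]
-A POSTROUTING -j REDNAT
-A REDNAT -o eth1 -j MASQUERADE
COMMIT
"""
# Fix 1: exempt the tunnel's selectors before any chain can rewrite them.
FIXED_ACCEPT = BROKEN.replace("-A POSTROUTING -j REDNAT",
    "-A POSTROUTING -s 192.168.2.0/24 -d 192.168.111.0/24 -j ACCEPT\n"
    "-A POSTROUTING -j REDNAT")
# Fix 2: never masquerade traffic bound for the far subnet.
FIXED_NEG = BROKEN.replace("-A REDNAT -o eth1 -j MASQUERADE",
    "-A REDNAT ! -d 192.168.111.0/24 -o eth1 -j MASQUERADE")

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("accept", FIXED_ACCEPT), ("negated", FIXED_NEG)):
        for dev in (None, "ipsec0", "eth1"):
            print(name, dev, nat_kills_tunnel(text, *TUNNEL, out_if=dev) or "ok")
```

Run it as-is to get a verdict for each rule set under each interface assumption; on a live gateway, feed it the output of `iptables-save -t nat` and the conn's leftsubnet/rightsubnet. An exemption that covers only part of the subnet pair does not count as protection, which is why the walk demands full coverage for ACCEPT and RETURN but flags any overlap for MASQUERADE/SNAT.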