[Openswan Users] FW: VPN works, but you can't eBay ;-)
Miguel Dilaj
mdilaj at nccglobal.com
Tue May 17 13:11:16 CEST 2005
Hi all,
This is the current output of ipsec auto --status (anonymized); note the
line at the very end:
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 {external IP}
000 interface eth0/eth0 {external IP}
000 interface eth1/eth1 {internal IP}
000 interface eth1/eth1 {internal IP}
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "roadwarrior": 0.0.0.0/0==={external IP}[C=xx, ST=xx, L=xx, O=xx, OU=xx,
CN={VPN GW id}]...%any[C=xx, ST=xx, L=xx, O=xx, OU=xx, CN=*]; unrouted;
eroute owner: #0
000 "roadwarrior": srcip=unset; dstip=unset
000 "roadwarrior": CAs: 'C=xx, ST=xx, L=xx, O=xx, OU=xx, CN={CA
id}'...'%any'
000 "roadwarrior": ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 3
000 "roadwarrior": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 0,32;
interface: eth0;
000 "roadwarrior": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior"[8]: 0.0.0.0/0==={external IP}[C=xx, ST=xx, L=xx, O=xx,
OU=xx, CN={VPN GW id}]...{RW1 IP}[C=xx, ST=xx, L=xx, O=xx, OU=xx, CN={RW1
id}]; erouted; eroute owner: #53
000 "roadwarrior"[8]: srcip=unset; dstip=unset
000 "roadwarrior"[8]: CAs: 'C=xx, ST=xx, L=xx, O=xx, OU=xx, CN={CA
id}'...'%any'
000 "roadwarrior"[8]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 3
000 "roadwarrior"[8]: policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio:
0,32; interface: eth0;
000 "roadwarrior"[8]: newest ISAKMP SA: #55; newest IPsec SA: #53;
000 "roadwarrior"[8]: IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "roadwarrior"[10]: 0.0.0.0/0==={external IP}[C=xx, ST=xx, L=xx, O=xx,
OU=xx, CN={VPN GW id}]...{RW2 IP}[C=xx, ST=xx, L=xx, O=xx, OU=xx, CN={RW2
id}]; erouted; eroute owner: #49
000 "roadwarrior"[10]: srcip=unset; dstip=unset
000 "roadwarrior"[10]: CAs: 'C=xx, ST=xx, L=xx, O=xx, OU=xx, CN={CA
id}'...'%any'
000 "roadwarrior"[10]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 3
000 "roadwarrior"[10]: policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio:
0,32; interface: eth0;
000 "roadwarrior"[10]: newest ISAKMP SA: #56; newest IPsec SA: #49;
000 "roadwarrior"[10]: IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000
000 #53: "roadwarrior"[8] {RW1 IP} STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 11837s; newest IPSEC; eroute owner
000 #53: "roadwarrior"[8] {RW1 IP} esp.48c4c795@{RW1 IP}
esp.a76c1b56@{external IP} comp.65de@{RW1 IP} comp.b580@{external IP}
tun.0@{RW1 IP} tun.0@{external IP}
000 #45: "roadwarrior"[8] {RW1 IP} STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 9129s
000 #45: "roadwarrior"[8] {RW1 IP} esp.4e73c6be@{RW1 IP}
esp.17620e40@{external IP} comp.8f2f@{RW1 IP} comp.1b71@{external IP}
tun.0@{RW1 IP} tun.0@{external IP}
000 #55: "roadwarrior"[8] {RW1 IP} STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 296s; newest ISAKMP; nodpd
000 #49: "roadwarrior"[10] {RW2 IP} STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 10217s; newest IPSEC; eroute owner
000 #49: "roadwarrior"[10] {RW2 IP} esp.d963d947@{RW2 IP}
esp.5ebc916@{external IP} comp.64c@{RW2 IP} comp.8570@{external IP}
tun.0@{RW2 IP} tun.0@{external IP}
000 #56: "roadwarrior"[10] {RW2 IP} STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 1473s; newest ISAKMP; nodpd
000
000 {eBay IP}/32:0 -6-> {RW2 IP}/32:0 => %hold 0 %acquire-netlink
RW1 was me: I can go to eBay and the other offending sites, log in to MSN,
etc. RW2 can't browse to eBay or log in to MSN. Both of us have an MTU of
1300. His machine was freshly installed yesterday, so it's WinXP SP2 with
SafeNet 8.0.2. Mine is similar, but with a lot of garbage ;-)
I would like to take this opportunity to post my ipsec.conf; for sure there
are things that can be corrected by the experts here.
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
# Parameter lines must be indented under their section (ipsec.conf(5)).
version 2.0     # conforms to second version of ipsec.conf specification

config setup
        interfaces="ipsec0=eth0"
        nat_traversal=yes
        forwardcontrol=yes
        uniqueids=yes
        # the "!" entry excludes one /24 from the private ranges; see the note below
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!{read note below}/24

conn %default
        keyingtries=3
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior
        left={external IP}
        leftcert={VPN GW certificate}
        leftid="C=xx, ST=xx, L=xx, O=xx, OU=xx, CN={VPN GW id}"
        leftsubnet=0.0.0.0/0
        leftupdown=/etc/ipsec.d/ipsec.masquerade
        right=%any
        rightid="C=xx, ST=xx, L=xx, O=xx, OU=xx, CN=*"
        auto=add
        pfs=yes

include /etc/ipsec.d/examples/no_oe.conf
I'm avoiding identifying a partial private range as private (in the
virtual_private directive) because it's used for a special purpose. The
internal interface of the Openswan box is in that special range. I don't
really know if this is needed, and I don't see (in principle) any relation
to the problem I have.
The leftid and rightid directives were added yesterday and didn't break
anything. Before, I just allowed Openswan to figure out the id by itself, but I
read somewhere that this can potentially cause some problems with
roadwarriors, because if the IP is used as the id, beforehand it is always
0.0.0.0 (I don't know if this is true, and in fact everything worked before as
well, with the same problem).
The leftupdown script is simply flushing the nat table and creating a rule
to masquerade traffic going out.
The configuration of SafeNet on the Windows boxes is as follows:
1) a non-encrypted rule to direct traffic to some local resources, using one
   network card:
      range: some private range that's local
      no encryption
      all protocols
      interface: the 1st interface
2) the VPN configuration, using a second network card:
      range: 0.0.0.0-255.255.255.255 (note that a partial range is used
      locally by the first rule; this works)
      all protocols
      secure gateway tunnel
      use certificate
      gw IP address: {external IP} of the Openswan box
      My identity: certificate
      no use of virtual adapter
      interface: the 2nd interface
      Phase 1 negotiation: main mode
      enable PFS
      DH group 2
      enable replay detection (I still wonder what that is ;-)
      Phase 1:
         auth by RSA signatures
         encryption 3DES
         hashing MD5
         SA life 18000 seconds
         DH group 2
      Phase 2:
         SA life 18000 seconds
         deflate compression
         ESP:
            encryption 3DES
            hashing MD5
            encapsulation tunnel
            no AH
Any suggestions?
Thank you in advance.
Kind regards,
Miguel
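Two things in this message a reader would check by hand are the per-roadwarrior lines of the status dump (the negotiated "IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024" matches the SafeNet 3DES/MD5/DH group 2 settings, and the posted ipsec.conf sets no ike= or esp= line, so the gateway accepts whatever the client proposes) and the final "%hold 0 %acquire-netlink" line, which is a shunt eroute: the kernel saw a packet (here TCP from the eBay address towards RW2's address) for which no SA existed and passed an acquire to Pluto. The script below is an added example, not part of the original post or of Openswan; it parses an `ipsec auto --status` dump into connection instances, SAs and shunt eroutes and reports on them. The sample input is constructed in the shape of the posted output with RFC 5737 documentation addresses in place of the post's placeholders, and the algorithm policy it applies (report DES-family ciphers, MD5 and DH groups below 1536 bits) is this example's own assumption, not something Openswan enforces.

```python
"""Triage helper for Openswan 2.x `ipsec auto --status` output.

Added example, not code from the original post or the Openswan project. It parses
the dump into connection instances, SAs and shunt eroutes, then reports negotiated
IKE algorithms, SAs about to be replaced and any %hold shunt (a flow the kernel
could not match to an SA and handed to Pluto via an acquire)."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample in the shape of the posted output; the post's {...}
# placeholders are replaced with RFC 5737 documentation addresses.
SAMPLE_STATUS = """\
000 "roadwarrior"[8]: 0.0.0.0/0===203.0.113.1[C=xx, CN=gw]...198.51.100.8[C=xx, CN=rw1]; erouted; eroute owner: #53
000 "roadwarrior"[8]: IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "roadwarrior"[10]: 0.0.0.0/0===203.0.113.1[C=xx, CN=gw]...198.51.100.10[C=xx, CN=rw2]; erouted; eroute owner: #49
000 "roadwarrior"[10]: IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000
000 #53: "roadwarrior"[8] 198.51.100.8 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 11837s; newest IPSEC; eroute owner
000 #53: "roadwarrior"[8] 198.51.100.8 esp.48c4c795@198.51.100.8 esp.a76c1b56@203.0.113.1 tun.0@198.51.100.8 tun.0@203.0.113.1
000 #55: "roadwarrior"[8] 198.51.100.8 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 296s; newest ISAKMP; nodpd
000 #49: "roadwarrior"[10] 198.51.100.10 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 10217s; newest IPSEC; eroute owner
000 #56: "roadwarrior"[10] 198.51.100.10 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1473s; newest ISAKMP; nodpd
000
000 192.0.2.80/32:0 -6-> 198.51.100.10/32:0 => %hold 0 %acquire-netlink
"""

# One regex per line type; anything else (interface list, SPI lines, blanks) is skipped.
INSTANCE_RE = re.compile(r'^000 "(?P<conn>[^"]+)"\[(?P<inst>\d+)\]: \S+===\S+?\[[^\]]*\]'
                         r'\.\.\.(?P<rhost>\S+?)\[[^\]]*\]; (?P<routing>\w+); eroute owner: #\d+')
IKEALG_RE = re.compile(r'^000 "(?P<conn>[^"]+)"\[(?P<inst>\d+)\]: IKE algorithm newest: (?P<alg>\S+)')
SA_RE = re.compile(r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] \S+ STATE_\w+ '
                   r'\((?P<desc>[^)]*)\); EVENT_(?P<event>\w+) in (?P<secs>\d+)s')
SHUNT_RE = re.compile(r'^000 (?P<src>\S+):\d+ -(?P<proto>\d+)-> (?P<dst>\S+):\d+ '
                      r'=> (?P<policy>%\w+) \d+ ?(?P<note>.*)$')

Key = Tuple[str, int]  # (conn name, instance number), e.g. ("roadwarrior", 8)
Instance = NamedTuple('Instance', [('remote_host', str), ('routing', str)])
SA = NamedTuple('SA', [('num', int), ('key', Key), ('desc', str), ('event', str), ('secs', int)])
Shunt = NamedTuple('Shunt', [('src', str), ('proto', int), ('dst', str), ('policy', str), ('note', str)])
Status = NamedTuple('Status', [('instances', Dict[Key, Instance]), ('ike_alg', Dict[Key, str]),
                               ('sas', List[SA]), ('shunts', List[Shunt])])

def parse_status(text: str) -> Status:
    st = Status({}, {}, [], [])
    for line in text.splitlines():
        if m := INSTANCE_RE.match(line):
            st.instances[(m['conn'], int(m['inst']))] = Instance(m['rhost'], m['routing'])
        elif m := IKEALG_RE.match(line):
            st.ike_alg[(m['conn'], int(m['inst']))] = m['alg']
        elif m := SA_RE.match(line):
            st.sas.append(SA(int(m['num']), (m['conn'], int(m['inst'])), m['desc'], m['event'], int(m['secs'])))
        elif m := SHUNT_RE.match(line):
            st.shunts.append(Shunt(m['src'], int(m['proto']), m['dst'], m['policy'], m['note']))
    return st

def ike_weaknesses(alg: str) -> List[str]:
    """Policy assumed by this example, not by Openswan: DES-family ciphers, MD5 and
    DH groups below 1536 bits are reported. Input looks like '3DES_CBC_192-MD5-MODP1024'."""
    parts = alg.split('-')
    if len(parts) != 3:
        return [f'unparsed algorithm string {alg!r}']
    enc, hsh, dh = parts
    found = []
    if enc.startswith(('DES_', '3DES_')):
        found.append(f'{enc}: DES-family cipher')
    if hsh == 'MD5':
        found.append('MD5: weak hash')
    if dh in ('MODP768', 'MODP1024'):
        found.append(f'{dh}: DH group below 1536 bits')
    return found

def weak_ike_instances(st: Status) -> Dict[Key, List[str]]:
    return {k: w for k, alg in st.ike_alg.items() if (w := ike_weaknesses(alg))}

def expiring_sas(st: Status, within_s: int) -> List[SA]:
    """SAs whose replace event is due within `within_s` seconds, soonest first."""
    return sorted((s for s in st.sas if s.event == 'SA_REPLACE' and s.secs <= within_s), key=lambda s: s.secs)

def hold_shunts(st: Status) -> List[Tuple[Shunt, Optional[Key]]]:
    """%hold shunts, each linked to the instance whose peer address is the shunt's destination."""
    out = []
    for sh in (s for s in st.shunts if s.policy == '%hold'):
        host = sh.dst.split('/', 1)[0]
        out.append((sh, next((k for k, i in st.instances.items() if i.remote_host == host), None)))
    return out

def triage(text: str, rekey_within_s: int = 600) -> Dict[str, object]:
    st = parse_status(text)
    return {
        'instances': sorted(st.instances),
        'ipsec_established': sorted(s.num for s in st.sas if s.desc == 'IPsec SA established'),
        'weak_ike': weak_ike_instances(st),
        'rekey_soon': [s.num for s in expiring_sas(st, rekey_within_s)],
        'held': [(sh.src, sh.dst, k) for sh, k in hold_shunts(st)],
    }

if __name__ == '__main__':
    for name, value in triage(SAMPLE_STATUS).items():
        print(f'{name}: {value}')
```

Run as-is it reports on the constructed sample; to use it on a gateway, pass the output of `ipsec auto --status` to `triage()`. The `%hold` entry is linked back to instance [10] because its destination is RW2's address: that is the flow the kernel could not hand to any existing SA, which is the line the post singles out.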