[Openswan Users] VPN established, but not tunneling.
Luciano Edson Mertins
mertins at tpi.inf.br
Thu Apr 6 11:59:09 CEST 2006
Hi, all!
I had a Fedora Core 2 firewall (kernel 2.6.9) with Openswan 2.2.0. There were
four tunnels on it: two with Cisco IPX (I think!) and two with Symantec
Firewall (I think too!). Everything worked OK!
This week the machine crashed! I put in another machine with Fedora Core 5
(kernel 2.6.15) and Openswan (2.4.5rc6 and 2.4.5rc7).
The configuration files were restored from backup. Well, the IPsec negotiation
completes OK and all the VPNs
stay up ( STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xe31ae354
<0x3d111da6 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none})
But when I try to access the other side from my internal net, the firewall
doesn't tunnel the packets into ESP. They go out of the external interface
(eth0). So none of the VPNs work!!
I will put the configuration files below, with just the external IPs changed.
I even tried to bring up just one VPN.
Firewall Linux
eth1: 192.168.0.224/27 (Local Network)
eth0: xxx.xxx.xxx.xxx (Internet)
gateway: xxx.xxx.xxx.ggg
net: xxx.xxx.xxx.nnn
Firewall Symantec
10.50.15.0/24 (Local Network)
yyy.yyy.yyy.yyy (Internet)
ipsec.conf:
config setup
	nat_traversal=yes

conn otherside
	right=yyy.yyy.yyy.yyy
	rightsubnet=10.50.15.0/24
	left=xxx.xxx.xxx.xxx
	leftsubnet=192.168.0.224/27
	leftnexthop=xxx.xxx.xxx.ggg
	esp=3des-md5-96
	pfs=yes
	auth=esp
	authby=secret
	auto=start

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
-------
[root at svr etc]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.5rc7/K2.6.15-1.2054_FC5 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
-------
[root at svr etc]# ipsec look
svr.domain Thu Apr 6 10:23:40 BRT 2006
Destination      Gateway          Genmask          Flags MSS Window irtt Iface
0.0.0.0          xxx.xxx.xxx.ggg  0.0.0.0          UG    0   0      0    eth0
10.50.15.0       xxx.xxx.xxx.ggg  255.255.255.0    UG    0   0      0    eth0
xxx.xxx.xxx.nnn  0.0.0.0          255.255.255.248  U     0   0      0    eth0
-------
[root at 201-35-65-18 etc]# ipsec whack --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 xxx.xxx.xxx.xxx
000 interface eth0/eth0 xxx.xxx.xxx.xxx
000 interface eth1/eth1 192.168.0.1
000 interface eth1/eth1 192.168.0.1
000 interface eth1:0/eth1:0 172.18.0.1
000 interface eth1:0/eth1:0 172.18.0.1
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,2,36}
trans={0,2,336} attrs={0,2,224}
000
000 "otherside":
192.168.0.224/27===xxx.xxx.xxx.xxx---xxx.xxx.xxx.ggg...yyy.yyy.yyy.yyy===10.50.15.0/24; erouted; eroute owner: #2
000 "otherside": srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "otherside": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "otherside": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 27,24;
interface: eth0;
000 "otherside": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "otherside": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "otherside": ESP algorithms wanted: 3_000-1, flags=strict
000 "otherside": ESP algorithms loaded: 3_000-1, flags=strict
000 "otherside": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000
000 #2: "otherside":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 28247s; newest IPSEC; eroute owner
000 #2: "otherside" esp.5f709c3c at yyy.yyy.yyy.yyy
esp.1b56a831 at xxx.xxx.xxx.xxx tun.0 at yyy.yyy.yyy.yyy tun.0 at xxx.xxx.xxx.xxx
000 #1: "otherside":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 2667s; newest ISAKMP; nodpd
000
-------
[root at svr etc]# service ipsec start
ipsec_setup: Starting Openswan IPsec 2.4.5rc7...
ipsec_setup: insmod /lib/modules/2.6.15-1.2054_FC5/kernel/net/key/af_key.ko
ipsec_setup: insmod /lib/modules/2.6.15-1.2054_FC5/kernel/net/ipv4/xfrm4_tunnel.ko
ipsec_setup: insmod /lib/modules/2.6.15-1.2054_FC5/kernel/drivers/char/hw_random.ko
ipsec_setup: FATAL: Error inserting hw_random (/lib/modules/2.6.15-1.2054_FC5/kernel/drivers/char/hw_random.ko): No such device
ipsec_setup: insmod /lib/modules/2.6.15-1.2054_FC5/kernel/drivers/crypto/padlock.ko
ipsec_setup: FATAL: Error inserting padlock (/lib/modules/2.6.15-1.2054_FC5/kernel/drivers/crypto/padlock.ko): No such device
-------
/var/log/secure
Apr 6 10:35:03 svr ipsec__plutorun: Starting Pluto subsystem...
Apr 6 10:35:03 svr pluto[1810]: Starting Pluto (Openswan Version 2.4.5rc7
X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE}csNbGqGTI)
Apr 6 10:35:03 svr pluto[1810]: Setting NAT-Traversal port-4500 floating to
on
Apr 6 10:35:03 svr pluto[1810]: port floating activation criteria
nat_t=1/port_fload=1
Apr 6 10:35:03 svr pluto[1810]: including NAT-Traversal patch (Version
0.6c)
Apr 6 10:35:03 svr pluto[1810]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Apr 6 10:35:03 svr pluto[1810]: starting up 1 cryptographic helpers
Apr 6 10:35:03 svr pluto[1810]: started helper pid=1811 (fd:6)
Apr 6 10:35:03 svr pluto[1810]: Using Linux 2.6 IPsec interface code on
2.6.15-1.2054_FC5
Apr 6 10:35:03 svr pluto[1810]: Changing to directory
'/etc/ipsec.d/cacerts'
Apr 6 10:35:03 svr pluto[1810]: Changing to directory
'/etc/ipsec.d/aacerts'
Apr 6 10:35:03 svr pluto[1810]: Changing to directory
'/etc/ipsec.d/ocspcerts'
Apr 6 10:35:03 svr pluto[1810]: Changing to directory '/etc/ipsec.d/crls'
Apr 6 10:35:03 svr pluto[1810]: Warning: empty directory
Apr 6 10:35:04 svr pluto[1810]: added connection description "otherside"
Apr 6 10:35:04 svr pluto[1810]: listening for IKE messages
Apr 6 10:35:04 svr pluto[1810]: adding interface eth1:0/eth1:0
172.18.0.1:500
Apr 6 10:35:04 svr pluto[1810]: adding interface eth1:0/eth1:0
172.18.0.1:4500
Apr 6 10:35:04 svr pluto[1810]: adding interface eth1/eth1 192.168.0.1:500
Apr 6 10:35:04 svr pluto[1810]: adding interface eth1/eth1 192.168.0.1:4500
Apr 6 10:35:04 svr pluto[1810]: adding interface eth0/eth0
xxx.xxx.xxx.xxx:500
Apr 6 10:35:04 svr pluto[1810]: adding interface eth0/eth0
xxx.xxx.xxx.xxx:4500
Apr 6 10:35:04 svr pluto[1810]: adding interface lo/lo 127.0.0.1:500
Apr 6 10:35:04 svr pluto[1810]: adding interface lo/lo 127.0.0.1:4500
Apr 6 10:35:04 svr pluto[1810]: adding interface lo/lo ::1:500
Apr 6 10:35:04 svr pluto[1810]: loading secrets from "/etc/ipsec.secrets"
Apr 6 10:35:04 svr pluto[1810]: "otherside" #1: initiating Main Mode
Apr 6 10:35:05 svr pluto[1810]: "otherside" #1: ignoring unknown Vendor ID
payload [526170746f7220506f77657256706e20536572766572205b56372e305d]
Apr 6 10:35:05 svr pluto[1810]: "otherside" #1: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Apr 6 10:35:05 svr pluto[1810]: "otherside" #1: STATE_MAIN_I2: sent MI2,
expecting MR2
Apr 6 10:35:05 svr pluto[1810]: "otherside" #1: I did not send a
certificate because I do not have one.
Apr 6 10:35:05 svr pluto[1810]: "otherside" #1: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Apr 6 10:35:05 svr pluto[1810]: "otherside" #1: STATE_MAIN_I3: sent MI3,
expecting MR3
Apr 6 10:35:06 svr pluto[1810]: "otherside" #1: Main mode peer ID is
ID_IPV4_ADDR: 'yyy.yyy.yyy.yyy'
Apr 6 10:35:06 svr pluto[1810]: "otherside" #1: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
Apr 6 10:35:06 svr pluto[1810]: "otherside" #1: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_sha group=modp1024}
Apr 6 10:35:06 svr pluto[1810]: "otherside" #2: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Apr 6 10:35:07 svr pluto[1810]: "otherside" #2: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
Apr 6 10:35:07 svr pluto[1810]: "otherside" #2: STATE_QUICK_I2: sent QI2,
IPsec SA established {ESP=>0x11b71e58 <0x04f56a05 xfrm=3DES_0-HMAC_MD5
NATD=none DPD=none}
--------
iptables (summary)
iptables -P INPUT DROP -t filter
iptables -P OUTPUT DROP -t filter
iptables -P FORWARD DROP -t filter
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i eth0 -p esp -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -o eth0 -p esp -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 4500 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source xxx.xxx.xxx.xxx ! -p esp
--------
ping from a local machine (192.168.0.227/24, gateway 192.168.0.1)
C:\>ping 10.50.15.9
Disparando contra 10.50.15.9 com 32 bytes de dados:
Esgotado o tempo limite do pedido. <-- (timeout)
Esgotado o tempo limite do pedido.
Esgotado o tempo limite do pedido.
Esgotado o tempo limite do pedido.
Estatísticas do Ping para 10.50.15.9:
Pacotes: Enviados = 4, Recebidos = 0, Perdidos = 4 (100% de perda),
-------
two tcpdumps at the same time
[root at svr etc]# tcpdump -i eth0 -n -nn host yyy.yyy.yyy.yyy
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
[root at svr etc]# tcpdump -i eth0 -n -nn host 10.50.15.9
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:43:36.625385 IP xxx.xxx.xxx.xxx > 10.50.15.9: ICMP echo request, id 512, seq 15104, length 40
10:43:41.794533 IP xxx.xxx.xxx.xxx > 10.50.15.9: ICMP echo request, id 512, seq 15360, length 40
10:43:47.294573 IP xxx.xxx.xxx.xxx > 10.50.15.9: ICMP echo request, id 512, seq 15616, length 40
10:43:52.794598 IP xxx.xxx.xxx.xxx > 10.50.15.9: ICMP echo request, id 512, seq 15872, length 40
-------
So the ping isn't tunnelling! Can anyone help me??
Thanks a lot!
Luciano Edson Mertins
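An added example, not the poster's script and not part of the original message, showing what a defender would change given the output above. The tcpdump on eth0 already tells the story: the echo requests leave with source xxx.xxx.xxx.xxx and destination 10.50.15.9, unencrypted. On NETKEY the nat POSTROUTING rewrite runs before the kernel's IPsec policy lookup, so the posted SNAT rule (its `! -p esp` never matches, because the packet is still plain ICMP at that point) rewrites the source to the public address, the packet no longer matches leftsubnet, and it goes out in the clear. The script below builds the SNAT rule with the remote subnet excluded instead, turns off the ICMP redirect sysctls that `ipsec verify` flagged, and counts cleartext packets for the remote subnet in `tcpdump -n` text. Interface, address and subnet values are taken from the post; the sample capture lines are constructed; nothing touches the live system unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not the poster's own script). Values below come from the post;
# override them via the environment if needed.
EXT_IF=${EXT_IF:-eth0}
PUBLIC_IP=${PUBLIC_IP:-xxx.xxx.xxx.xxx}
REMOTE_NET=${REMOTE_NET:-10.50.15.0/24}
REMOTE_PREFIX=${REMOTE_PREFIX:-10.50.15.}   # dotted prefix of the /24 above

# The rule as posted. "! -p esp" is evaluated when the packet enters nat
# POSTROUTING, where it is still ICMP/TCP/UDP from 192.168.0.x; with NETKEY
# the IPsec policy lookup comes after NAT, so the source becomes the public
# address, stops matching leftsubnet, and the packet leaves eth0 unencrypted.
snat_rule_as_posted() {
    printf 'iptables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s ! -p esp\n' \
        "$EXT_IF" "$PUBLIC_IP"
}

# Corrected form: exclude traffic for the remote subnet from SNAT so the
# private source survives and the kernel's tunnel policy still matches it.
snat_rule_fixed() {
    printf 'iptables -t nat -A POSTROUTING -o %s ! -d %s -j SNAT --to-source %s\n' \
        "$EXT_IF" "$REMOTE_NET" "$PUBLIC_IP"
}

# Disable sending and accepting ICMP redirects on every interface, as
# `ipsec verify` requested. $1 defaults to the live sysctl tree; pointing it at
# a scratch directory lets the function be exercised offline.
disable_redirects() {
    root=${1:-/proc/sys/net/ipv4}
    for f in "$root"/conf/*/send_redirects "$root"/conf/*/accept_redirects; do
        [ -e "$f" ] || continue
        printf '0\n' > "$f"
    done
}

# Count `tcpdump -n` lines on stdin that carry a packet for the remote subnet
# without ESP encapsulation. $1 is the dotted prefix (10.50.15. for the /24).
# Any hit on the external interface means traffic is bypassing the tunnel.
cleartext_to_remote() {
    prefix=$1
    awk -v p="$prefix" '
        / > / && !/ESP\(/ {
            # the field after ">" is the destination, e.g. "10.50.15.9:"
            for (i = 1; i <= NF; i++) if ($i == ">") dst = $(i + 1)
            if (index(dst, p) == 1) n++
        }
        END { print n + 0 }'
}

# Constructed sample: two lines modelled on the post, one properly
# encapsulated ESP packet, one cleartext packet with the private source, and
# one packet to an unrelated host. Only the cleartext ones for 10.50.15.x count.
sample_capture() {
    cat <<'EOF'
10:43:36.625385 IP xxx.xxx.xxx.xxx > 10.50.15.9: ICMP echo request, id 512, seq 15104, length 40
10:43:41.794533 IP xxx.xxx.xxx.xxx > 10.50.15.9: ICMP echo request, id 512, seq 15360, length 40
10:43:42.000000 IP xxx.xxx.xxx.xxx > yyy.yyy.yyy.yyy: ESP(spi=0x11b71e58,seq=0x1), length 116
10:43:43.000000 IP 192.168.0.227 > 10.50.15.9: ICMP echo request, id 512, seq 15616, length 40
10:43:44.000000 IP xxx.xxx.xxx.xxx > 203.0.113.5: ICMP echo request, id 1, seq 1, length 40
EOF
}

printf '# SNAT rule as posted:\n'; snat_rule_as_posted
printf '# SNAT rule with the remote subnet excluded:\n'; snat_rule_fixed
printf '# cleartext packets for %s in the sample capture: %s\n' \
    "$REMOTE_NET" "$(sample_capture | cleartext_to_remote "$REMOTE_PREFIX")"

# Apply only on request, on the real firewall (requires root).
if [ "${APPLY:-0}" = 1 ]; then
    disable_redirects
    sh -c "$(snat_rule_fixed)"
fi
```

The corrected rule replaces the posted one rather than being added next to it; with the posted rule still in place the packets are rewritten before the new rule is reached. On a live box, `tcpdump -i eth0 -n host 10.50.15.9 | cleartext_to_remote 10.50.15.` should print 0 once the tunnel carries the traffic.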