[Openswan Users] VPN established, but not tunneling.

Luciano Edson Mertins mertins at tpi.inf.br
Thu Apr 6 11:59:09 CEST 2006


Hi, all!

I had a Fedora Core 2 firewall (kernel 2.6.9) with Openswan 2.2.0. There were
four tunnels on it: two with Cisco IPX (I think!) and two with Symantec
Firewall (I think too!). Everything worked ok!

This week the machine crashed! I put in another machine with Fedora Core 5
(kernel 2.6.15) and Openswan (2.4.5rc6 and 2.4.5rc7).

The configuration files came from backup. Well, the IPsec negotiation
completes ok and all VPNs stay up (STATE_QUICK_I2: sent QI2, IPsec SA
established {ESP=>0xe31ae354 <0x3d111da6 xfrm=3DES_0-HMAC_MD5 NATD=none
DPD=none}).

But when I try to access from my internal net, the firewall doesn't tunnel the
packets into ESP. They go out the external interface (eth0). So none of the
VPNs work!!

I will paste the configuration files, changing only the external IPs. I am
also trying to bring up just one VPN.

Firewall Linux
eth1: 192.168.0.224/27 (Local Network)
eth0: xxx.xxx.xxx.xxx (Internet)
gateway: xxx.xxx.xxx.ggg
net: xxx.xxx.xxx.nnn

Firewall Symantec 
10.50.15.0/24 (Local Network)
yyy.yyy.yyy.yyy (Internet)


ipsec.conf:

config setup
                nat_traversal=yes

conn otherside
                right=yyy.yyy.yyy.yyy
                rightsubnet=10.50.15.0/24
                left=xxx.xxx.xxx.xxx
                leftsubnet=192.168.0.224/27
                leftnexthop=xxx.xxx.xxx.ggg
                esp=3des-md5-96
                pfs=yes
                auth=esp
                authby=secret
                auto=start

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
-------

[root@svr etc]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.5rc7/K2.6.15-1.2054_FC5 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                              
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
-------

[root@svr etc]# ipsec look
svr.domain Thu Apr  6 10:23:40 BRT 2006
Destination      Gateway            Genmask           Flags   MSS Window  irtt Iface
0.0.0.0          xxx.xxx.xxx.ggg    0.0.0.0           UG        0 0          0 eth0
10.50.15.0       xxx.xxx.xxx.ggg    255.255.255.0     UG        0 0          0 eth0
xxx.xxx.xxx.nnn  0.0.0.0            255.255.255.248   U         0 0          0 eth0
-------

[root@201-35-65-18 etc]# ipsec whack --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 xxx.xxx.xxx.xxx
000 interface eth0/eth0 xxx.xxx.xxx.xxx
000 interface eth1/eth1 192.168.0.1
000 interface eth1/eth1 192.168.0.1
000 interface eth1:0/eth1:0 172.18.0.1
000 interface eth1:0/eth1:0 172.18.0.1
000 %myid = (none)
000 debug none
000  
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000  
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000  
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,2,36} trans={0,2,336} attrs={0,2,224} 
000  
000 "otherside": 192.168.0.224/27===xxx.xxx.xxx.xxx---xxx.xxx.xxx.ggg...yyy.yyy.yyy.yyy===10.50.15.0/24; erouted; eroute owner: #2
000 "otherside":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "otherside":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "otherside":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 27,24; interface: eth0; 
000 "otherside":   newest ISAKMP SA: #1; newest IPsec SA: #2; 
000 "otherside":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "otherside":   ESP algorithms wanted: 3_000-1, flags=strict
000 "otherside":   ESP algorithms loaded: 3_000-1, flags=strict
000 "otherside":   ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000  
000 #2: "otherside":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28247s; newest IPSEC; eroute owner
000 #2: "otherside" esp.5f709c3c@yyy.yyy.yyy.yyy esp.1b56a831@xxx.xxx.xxx.xxx tun.0@yyy.yyy.yyy.yyy tun.0@xxx.xxx.xxx.xxx
000 #1: "otherside":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2667s; newest ISAKMP; nodpd
000  
-------

[root@svr etc]# service ipsec start
ipsec_setup: Starting Openswan IPsec 2.4.5rc7...
ipsec_setup: insmod /lib/modules/2.6.15-1.2054_FC5/kernel/net/key/af_key.ko 
ipsec_setup: insmod /lib/modules/2.6.15-1.2054_FC5/kernel/net/ipv4/xfrm4_tunnel.ko 
ipsec_setup: insmod /lib/modules/2.6.15-1.2054_FC5/kernel/drivers/char/hw_random.ko 
ipsec_setup: FATAL: Error inserting hw_random (/lib/modules/2.6.15-1.2054_FC5/kernel/drivers/char/hw_random.ko): No such device
ipsec_setup: insmod /lib/modules/2.6.15-1.2054_FC5/kernel/drivers/crypto/padlock.ko 
ipsec_setup: FATAL: Error inserting padlock (/lib/modules/2.6.15-1.2054_FC5/kernel/drivers/crypto/padlock.ko): No such device
-------
/var/log/secure

Apr  6 10:35:03 svr ipsec__plutorun: Starting Pluto subsystem...
Apr  6 10:35:03 svr pluto[1810]: Starting Pluto (Openswan Version 2.4.5rc7 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE}csNbGqGTI)
Apr  6 10:35:03 svr pluto[1810]: Setting NAT-Traversal port-4500 floating to on
Apr  6 10:35:03 svr pluto[1810]:    port floating activation criteria nat_t=1/port_fload=1
Apr  6 10:35:03 svr pluto[1810]:   including NAT-Traversal patch (Version 0.6c)
Apr  6 10:35:03 svr pluto[1810]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Apr  6 10:35:03 svr pluto[1810]: starting up 1 cryptographic helpers
Apr  6 10:35:03 svr pluto[1810]: started helper pid=1811 (fd:6)
Apr  6 10:35:03 svr pluto[1810]: Using Linux 2.6 IPsec interface code on 2.6.15-1.2054_FC5
Apr  6 10:35:03 svr pluto[1810]: Changing to directory '/etc/ipsec.d/cacerts'
Apr  6 10:35:03 svr pluto[1810]: Changing to directory '/etc/ipsec.d/aacerts'
Apr  6 10:35:03 svr pluto[1810]: Changing to directory '/etc/ipsec.d/ocspcerts'
Apr  6 10:35:03 svr pluto[1810]: Changing to directory '/etc/ipsec.d/crls'
Apr  6 10:35:03 svr pluto[1810]:   Warning: empty directory
Apr  6 10:35:04 svr pluto[1810]: added connection description "otherside"
Apr  6 10:35:04 svr pluto[1810]: listening for IKE messages
Apr  6 10:35:04 svr pluto[1810]: adding interface eth1:0/eth1:0 172.18.0.1:500
Apr  6 10:35:04 svr pluto[1810]: adding interface eth1:0/eth1:0 172.18.0.1:4500
Apr  6 10:35:04 svr pluto[1810]: adding interface eth1/eth1 192.168.0.1:500
Apr  6 10:35:04 svr pluto[1810]: adding interface eth1/eth1 192.168.0.1:4500
Apr  6 10:35:04 svr pluto[1810]: adding interface eth0/eth0 xxx.xxx.xxx.xxx:500
Apr  6 10:35:04 svr pluto[1810]: adding interface eth0/eth0 xxx.xxx.xxx.xxx:4500
Apr  6 10:35:04 svr pluto[1810]: adding interface lo/lo 127.0.0.1:500
Apr  6 10:35:04 svr pluto[1810]: adding interface lo/lo 127.0.0.1:4500
Apr  6 10:35:04 svr pluto[1810]: adding interface lo/lo ::1:500
Apr  6 10:35:04 svr pluto[1810]: loading secrets from "/etc/ipsec.secrets"
Apr  6 10:35:04 svr pluto[1810]: "otherside" #1: initiating Main Mode
Apr  6 10:35:05 svr pluto[1810]: "otherside" #1: ignoring unknown Vendor ID payload [526170746f7220506f77657256706e20536572766572205b56372e305d]
Apr  6 10:35:05 svr pluto[1810]: "otherside" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Apr  6 10:35:05 svr pluto[1810]: "otherside" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Apr  6 10:35:05 svr pluto[1810]: "otherside" #1: I did not send a certificate because I do not have one.
Apr  6 10:35:05 svr pluto[1810]: "otherside" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Apr  6 10:35:05 svr pluto[1810]: "otherside" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Apr  6 10:35:06 svr pluto[1810]: "otherside" #1: Main mode peer ID is ID_IPV4_ADDR: 'yyy.yyy.yyy.yyy'
Apr  6 10:35:06 svr pluto[1810]: "otherside" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Apr  6 10:35:06 svr pluto[1810]: "otherside" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Apr  6 10:35:06 svr pluto[1810]: "otherside" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Apr  6 10:35:07 svr pluto[1810]: "otherside" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Apr  6 10:35:07 svr pluto[1810]: "otherside" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x11b71e58 <0x04f56a05 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}

--------
iptables (summary)

        iptables -P INPUT  DROP -t filter
        iptables -P OUTPUT DROP -t filter
        iptables -P FORWARD DROP -t filter

        iptables -A INPUT -p icmp -j ACCEPT
        iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
        iptables -A INPUT -i eth0 -p esp -j ACCEPT
        iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT

        iptables -A OUTPUT -p icmp -j ACCEPT
        iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        iptables -A OUTPUT -o eth0 -p udp --dport 500 -j ACCEPT
        iptables -A OUTPUT -o eth0 -p esp -j ACCEPT
        iptables -A OUTPUT -o eth0 -p udp --dport 4500 -j ACCEPT
 
        iptables -A FORWARD -i eth1 -j ACCEPT
        iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
        iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source xxx.xxx.xxx.xxx ! -p esp

--------

ping from a local machine (192.168.0.227/24, gateway 192.168.0.1)

C:\>ping 10.50.15.9

Disparando contra 10.50.15.9 com 32 bytes de dados:

Esgotado o tempo limite do pedido.                  <-- (timeout)
Esgotado o tempo limite do pedido.
Esgotado o tempo limite do pedido.
Esgotado o tempo limite do pedido.

Estatísticas do Ping para 10.50.15.9:
    Pacotes: Enviados = 4, Recebidos = 0, Perdidos = 4 (100% de perda),

-------
two tcpdumps at the same time

[root@svr etc]# tcpdump -i eth0 -n -nn host yyy.yyy.yyy.yyy
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

[root@svr etc]# tcpdump -i eth0 -n -nn host 10.50.15.9
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:43:36.625385 IP xxx.xxx.xxx.xxx > 10.50.15.9: ICMP echo request, id 512, seq 15104, length 40
10:43:41.794533 IP xxx.xxx.xxx.xxx > 10.50.15.9: ICMP echo request, id 512, seq 15360, length 40
10:43:47.294573 IP xxx.xxx.xxx.xxx > 10.50.15.9: ICMP echo request, id 512, seq 15616, length 40
10:43:52.794598 IP xxx.xxx.xxx.xxx > 10.50.15.9: ICMP echo request, id 512, seq 15872, length 40
-------

So the ping isn't tunnelling! Can anyone help me??

Thanks a lot!

Luciano Edson Mertins
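Added example (an editor's illustration, not part of Luciano's post and not Openswan code): a small Python model of what the second tcpdump above shows. The ICMP echo requests leaving eth0 already carry the firewall's public address as their source, which is exactly what the POSTROUTING SNAT rule produces. With NETKEY the IPsec policy selectors are checked against the packet as it looks after that NAT rewrite, and a source of xxx.xxx.xxx.xxx lies outside leftsubnet=192.168.0.224/27, so no policy matches and the packet is forwarded in plaintext. The `! -p esp` exclusion cannot prevent this, because at POSTROUTING time the packet is still plain ICMP; ESP is only applied afterwards. The model walks a packet through the nat chain and then the policy selector, once with the posted rule and once with an exemption for tunnel traffic inserted ahead of it. The addresses 203.0.113.10, 198.51.100.20 and 192.0.2.1 are constructed stand-ins (RFC 5737 documentation ranges) for the redacted ones.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed stand-ins for the post's redacted addresses.
LOCAL_EXT = "203.0.113.10"     # the Linux firewall's eth0 address (xxx.xxx.xxx.xxx)
PEER_EXT = "198.51.100.20"     # the Symantec firewall's public address (yyy.yyy.yyy.yyy)

LEFT_SUBNET = "192.168.0.224/27"   # leftsubnet from the posted ipsec.conf
RIGHT_SUBNET = "10.50.15.0/24"     # rightsubnet from the posted ipsec.conf


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # protocol as netfilter sees it, before any ESP wrapping
    out_iface: str


@dataclass(frozen=True)
class NatRule:
    """One rule in the nat POSTROUTING chain; a None field means 'match any'."""
    target: str                      # "SNAT" or "ACCEPT"
    out_iface: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    proto_negated: bool = False      # models "! -p esp"
    to_source: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.out_iface is not None and pkt.out_iface != self.out_iface:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None:
            hit = pkt.proto == self.proto
            if hit == self.proto_negated:      # plain mismatch, or negated match
                return False
        return True


def run_postrouting(pkt: Packet, chain: List[NatRule]) -> Packet:
    """First matching terminating target wins, as in the nat table."""
    for rule in chain:
        if rule.matches(pkt):
            if rule.target == "SNAT":
                return replace(pkt, src=rule.to_source)
            return pkt            # ACCEPT: leave the packet as it is
    return pkt


def xfrm_policy_matches(pkt: Packet, left_subnet: str, right_subnet: str) -> bool:
    """Tunnel-mode selector: both endpoints must lie inside the negotiated subnets."""
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(left_subnet)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(right_subnet))


def on_the_wire(pkt: Packet, chain: List[NatRule]) -> Tuple[str, str, str]:
    """Return (protocol, src, dst) as tcpdump on eth0 would show the packet.
    Model assumption: NAT rewrites first, then the policy lookup runs on the
    rewritten packet, which is the NETKEY behaviour the tcpdump in the post reflects."""
    after_nat = run_postrouting(pkt, chain)
    if xfrm_policy_matches(after_nat, LEFT_SUBNET, RIGHT_SUBNET):
        return ("ESP", LOCAL_EXT, PEER_EXT)    # encrypted; outer header goes to the peer
    return (after_nat.proto, after_nat.src, after_nat.dst)   # forwarded in plaintext


# The posted rule: SNAT everything leaving eth0 except protocol ESP.
POSTED_CHAIN = [NatRule("SNAT", out_iface="eth0", proto="esp", proto_negated=True,
                        to_source=LOCAL_EXT)]

# Corrected chain: exempt subnet-to-subnet tunnel traffic before the SNAT rule.
FIXED_CHAIN = [NatRule("ACCEPT", src=LEFT_SUBNET, dst=RIGHT_SUBNET),
               NatRule("SNAT", out_iface="eth0", proto="esp", proto_negated=True,
                       to_source=LOCAL_EXT)]

PING_TO_PEER_LAN = Packet("192.168.0.227", "10.50.15.9", "icmp", "eth0")
PING_TO_INTERNET = Packet("192.168.0.227", "192.0.2.1", "icmp", "eth0")

if __name__ == "__main__":
    for name, chain in (("posted", POSTED_CHAIN), ("fixed", FIXED_CHAIN)):
        print(name, "ping to peer LAN ->", on_the_wire(PING_TO_PEER_LAN, chain))
        print(name, "ping to internet ->", on_the_wire(PING_TO_INTERNET, chain))
```

On the real box the equivalent exemption is `iptables -t nat -I POSTROUTING -s 192.168.0.224/27 -d 10.50.15.0/24 -j ACCEPT`, inserted ahead of the SNAT rule so that only non-tunnel traffic is masqueraded. After that, the first tcpdump (host yyy.yyy.yyy.yyy) should show ESP packets and the second (host 10.50.15.9) should show no plaintext ICMP at all, which is the check to run before and after the change.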



