[Openswan Users] [Possible Spam] Re: followup

Geert Janssens info at kobaltwit.be
Fri Apr 21 17:34:54 CEST 2006


Just for the record of the list:

The problem described below has been solved as follows:

In order to make it work, I had to configure some kind of IPsec passthrough on 
the servers. The IPsec passthrough should forward protocol 50 (ESP) and UDP 
ports 500 and 4500 to the internal IPsec peers.

And here I got confused: I mixed up PROTOCOL 50 with PORT 50. On one firewall 
this forwarding was easily configured, as it's a Linux server. On the other 
firewall this forwarding was not possible: it's a hardware firewall that 
only allows configuring TCP/UDP forwardings, or a complete DMZ.
Considering there is only one computer behind this firewall (the IpsecPeer), a 
complete DMZ forwarding would be equal to having no firewall at all, and 
would make the hardware firewall useless anyway.
In the end we chose to move to some kind of roadwarrior setup, like:
Left
IpsecServer/Firewall
192.168.0.1

So the ipsec server and firewall are now on the same machine.

Right
IpsecClient=====Firewall/NAT
192.168.2.2     192.168.2.1
Roadwarrior

It is this roadwarrior that initiates the connection.


I still wonder though if our initial setup (both ipsec peers behind a natting 
firewall) could have worked, if the proper forwardings were possible on the 
hardware firewall. We didn't have the time or resources to fully investigate 
this.

Geert

On Friday 30 December 2005 16:17, Geert Janssens wrote:
> Hi,
>
> I have been digging through information about openswan/freeswan on the web
> and locally, but I didn't find a solution for the following problem:
>
> I have a network setup as follows:
>
> IpsecPeer1
> 192.168.0.2
>
>
> 192.168.0.1
> Firewall/nat 1
> 84.x.x.x (dynamic ip, accessible with dyndns "kobaltwit.homelinux.com")
>      .
>      .  (internet)
>      .
> 84.y.y.y (dynamic ip, accessible with dyndns "auxima.homeip.net")
> Firewall/nat 2
> 192.168.2.1
>
>
> 192.168.2.2
> IpsecPeer2
>
> Or described in words: I have two computers in two private networks that I would
> like to connect via a secure tunnel. Both are behind a firewall doing NAT,
> and both firewalls' external IP addresses are dynamically allocated by the
> respective ISPs. For both dynamic IPs, a dyndns name is allocated.
> Additionally, I have created a certificate for both IPsec peers.
>
> Both IpsecPeers are running Mandrake 2005 LE (kernel 2.6.8.1, openswan
> 2.2.0-2).
>
> I can't figure out how to configure IPsec on the two servers such that I
> can connect to the services on one IPsec peer (for example the mail system)
> from the other peer via a secure tunnel. So, for example, I would like to
> connect to the mail server running on IpsecPeer2 with a mail client running
> on IpsecPeer1.
>
> The closest I got was with this configuration:
> -------------------------------
> -ipsec.conf on IpsecPeer1
> -------------------------------
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
>
> # This file:  /usr/share/doc/openswan/ipsec.conf-sample
> #
> # Manual:     ipsec.conf.5
>
>
> version 2.0     # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>         # klipsdebug=none
>         # plutodebug="control parsing"
>         plutodebug=all
>         interfaces=%defaultroute
>         nat_traversal=yes
>
> # Add connections here
>
> #Disable Opportunistic Encryption
> include /etc/openswan/ipsec.d/examples/no_oe.conf
>
> conn kobaltwit-to-auxima
>      # Left security gateway, subnet behind it, next hop toward right.
>      left=auxima.homeip.net
>      leftsubnet=192.168.2.0/24
>      leftid="C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=auxima.homeip.net"
>      leftrsasigkey=%cert
>      leftcert=/etc/openswan/ipsec.d/certs/auxima-kobaltwit-vpn.pem
>      # Right security gateway, subnet behind it, next hop toward left.
>      right=%defaultroute
>      rightsubnet=192.168.0.0/24
>      rightid="C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=kobaltwit.homelinux.com"
>      rightrsasigkey=%cert
>      rightcert=/etc/openswan/ipsec.d/certs/kobaltwit-auxima-vpn.pem
>      auto=add
>
> -------------------------------
> -ipsec.conf on IpsecPeer2
> -------------------------------
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
>
> # This file:  /usr/share/doc/openswan/ipsec.conf-sample
> #
> # Manual:     ipsec.conf.5
>
>
> version 2.0     # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>         # klipsdebug=none
>         # plutodebug="control parsing"
>         plutodebug=all
>         interfaces=%defaultroute
>         nat_traversal=yes
>
> # Add connections here
>
> #Disable Opportunistic Encryption
> include /etc/openswan/ipsec.d/examples/no_oe.conf
>
> conn kobaltwit-to-auxima
>      # Left security gateway, subnet behind it, next hop toward right.
>      left=%defaultroute
>      leftsubnet=192.168.2.0/24
>      leftid="C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=auxima.homeip.net"
>      leftrsasigkey=%cert
>      leftcert=/etc/openswan/ipsec.d/certs/auxima-kobaltwit-vpn.pem
>      # Right security gateway, subnet behind it, next hop toward left.
>      right=kobaltwit.homelinux.com
>      rightsubnet=192.168.0.0/24
>      rightid="C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=kobaltwit.homelinux.com"
>      rightrsasigkey=%cert
>      rightcert=/etc/openswan/ipsec.d/certs/kobaltwit-auxima-vpn.pem
>      auto=add
>
> With this setup, a tunnel is established (I get the message "sent QI2,
> IPsec SA established"). However, this configuration is for a network-to-
> network tunnel, and I can't even test if it really works, because there is
> no network behind IpsecPeer2. There is a network behind IpsecPeer1, and in a
> second phase I would like this network to use the tunnel also, but first I
> need the two peers to be able to communicate.
>
> As far as I could understand the IPsec documentation, to set up a peer-to-
> peer connection, the leftsubnet and rightsubnet entries should be removed.
> However, if I remove the *subnet entries, the connection no longer gets
> established.
>
> Here is the console output on IpsecPeer1, from which the connection setup
> is started:
> [root at aragorn openswan]# ipsec auto --verbose --up kobaltwit-to-auxima
> 002 "kobaltwit-to-auxima" #1: initiating Main Mode
> 104 "kobaltwit-to-auxima" #1: STATE_MAIN_I1: initiate
> 003 "kobaltwit-to-auxima" #1: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-03]
> 002 "kobaltwit-to-auxima" #1: enabling possible NAT-traversal with method
> RFC XXXX (NAT-Traversal)
> 002 "kobaltwit-to-auxima" #1: transition from state STATE_MAIN_I1 to state
> STATE_MAIN_I2
> 106 "kobaltwit-to-auxima" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "kobaltwit-to-auxima" #1: NAT-Traversal: Result using
> draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
> 002 "kobaltwit-to-auxima" #1: I am sending my cert
> 002 "kobaltwit-to-auxima" #1: I am sending a certificate request
> 002 "kobaltwit-to-auxima" #1: transition from state STATE_MAIN_I2 to state
> STATE_MAIN_I3
> 108 "kobaltwit-to-auxima" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 010 "kobaltwit-to-auxima" #1: STATE_MAIN_I3: retransmission; will wait 20s
> for response
> 002 "kobaltwit-to-auxima" #1: Peer ID is ID_DER_ASN1_DN: 'C=BE,
> L=Grimbergen, O=Kobalt W.I.T., CN=auxima.homeip.net'
> 002 "kobaltwit-to-auxima" #1: no crl from issuer "C=BE, L=Grimbergen,
> O=Kobalt W.I.T., CN=Geert Janssens, E=info at kobaltwit.be" found (strict=no)
> 002 "kobaltwit-to-auxima" #1: transition from state STATE_MAIN_I3 to state
> STATE_MAIN_I4
> 002 "kobaltwit-to-auxima" #1: ISAKMP SA established
> 004 "kobaltwit-to-auxima" #1: STATE_MAIN_I4: ISAKMP SA established
> 002 "kobaltwit-to-auxima" #2: initiating Quick Mode
> RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> 112 "kobaltwit-to-auxima" #2: STATE_QUICK_I1: initiate
> 010 "kobaltwit-to-auxima" #2: STATE_QUICK_I1: retransmission; will wait 20s
> for response
> 010 "kobaltwit-to-auxima" #2: STATE_QUICK_I1: retransmission; will wait 40s
> for response
> 031 "kobaltwit-to-auxima" #2: max number of retransmissions (2) reached
> STATE_QUICK_I1.  No acceptable response to our first Quick Mode message:
> perhaps peer likes no proposal
> 000 "kobaltwit-to-auxima" #2: starting keying attempt 2 of at most 2, but
> releasing whack
>
> In the QUICK_I1 phase, these messages pop up in the log on IpsecPeer2 (the
> "receiving end"):
> pluto[3724]: | peer client is subnet 192.168.0.2/32
> pluto[3724]: | peer client protocol/port is 0/0
> pluto[3724]: | our client is subnet 81.83.108.106/32
> pluto[3724]: | our client protocol/port is 0/0
> pluto[3724]: | find_client_connection starting with kobaltwit-to-auxima
> pluto[3724]: |   looking for 81.83.108.106/32:0/0 -> 192.168.0.2/32:0/0
> pluto[3724]: |   concrete checking against sr#0 192.168.2.2/32 -> 84.195.167.62/32
> pluto[3724]: |    match_id a=C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=kobaltwit.homelinux.com b=C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=kobaltwit.homelinux.com
> pluto[3724]: |   match_id called with a=C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=kobaltwit.homelinux.com b=C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=kobaltwit.homelinux.com
> pluto[3724]: |   trusted_ca called with a=(empty) b=(empty)
> pluto[3724]: |   fc_try trying kobaltwit-to-auxima:81.83.108.106/32:0/0 -> 192.168.0.2/32:0/0 vs kobaltwit-to-auxima:192.168.2.2/32:0/0 -> 84.195.167.62/32:0/0
> pluto[3724]: |   fc_try concluding with none [0]
> pluto[3724]: |   fc_try kobaltwit-to-auxima gives none
> pluto[3724]: |   checking hostpair 192.168.2.2/32 -> 84.195.167.62/32 is not found
> pluto[3724]: |   concluding with d = none
> pluto[3724]: "kobaltwit-to-auxima" #1: cannot respond to IPsec SA request because no connection is known for 81.83.108.106/32===192.168.2.2:4500[C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=auxima.homeip.net]...84.195.167.62:4500[C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=kobaltwit.homelinux.com]===192.168.0.2/32
> pluto[3724]: "kobaltwit-to-auxima" #1: sending encrypted notification INVALID_ID_INFORMATION to 84.195.167.62:4500
>
> I can see that the network chain IPsec is looking for doesn't match my chain,
> but I can't figure out what's needed to fix this.
>
> Can anybody help here ? If needed, I'll gladly provide more information.
>
>
> Thank you,
>
> Geert Janssens
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users

-- 
Kobalt W.I.T.
Web & Information Technology
Brusselsesteenweg 152
1850 Grimbergen

Tel  : +32 479 339 655
Email: info at kobaltwit.be
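The follow-up above says what the "IPsec passthrough" on the Linux firewall had to forward (protocol 50, UDP 500 and UDP 4500) and where the confusion lay (protocol 50 is not port 50). The script below is an added example, not code from the post or from Openswan: it emits the iptables rules for such a passthrough to one inside peer and audits a rule list for the three flows and for the port-50 mistake. The WAN interface name "eth0" and a FORWARD chain with a DROP policy are assumptions; 192.168.0.2 is IpsecPeer1 from the diagram in the quoted message.

```shell
#!/bin/sh
# Added example, not from the original post: "IPsec passthrough" on a Linux
# NAT firewall with iptables. It forwards IKE (UDP 500), IKE NAT-T (UDP 4500)
# and ESP (IP protocol 50, which is NOT port 50) to one IPsec peer inside.
# Assumed, not from the post: WAN interface "eth0" and a FORWARD chain whose
# default policy is DROP. 192.168.0.2 is IpsecPeer1 from the post's diagram.

# emit CMD ARGS...: run the command when APPLY=1, otherwise only print it,
# so the script is a dry run by default.
emit() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# ipsec_passthrough PEER WAN_IF: DNAT plus FORWARD rules for the three
# IPsec flows. $match is left unquoted on purpose so that it splits into
# separate iptables arguments.
ipsec_passthrough() {
    peer=$1
    wan=$2
    # ESP carries no port numbers, so "-p esp" (the same as "-p 50") selects
    # the whole protocol; there is nothing to put after --dport for it.
    for match in "-p udp --dport 500" "-p udp --dport 4500" "-p esp"; do
        emit iptables -t nat -A PREROUTING -i "$wan" $match -j DNAT --to-destination "$peer"
        emit iptables -A FORWARD -i "$wan" -d "$peer" $match -j ACCEPT
    done
}

# audit_passthrough: read iptables commands (one per line) on stdin and
# report what a passthrough still lacks, plus the port-50 mistake from the
# post. Exit status is 0 only when all three flows are covered and no rule
# confuses port 50 with protocol 50.
audit_passthrough() {
    rules=$(sed 's/$/ /')   # trailing space so "--dport 50 " cannot match "--dport 500"
    status=0
    echo "$rules" | grep -q -e '-p esp ' -e '-p 50 ' \
        || { echo "MISSING: ESP (IP protocol 50)"; status=1; }
    echo "$rules" | grep -q -e '--dport 500 ' \
        || { echo "MISSING: UDP 500 (IKE)"; status=1; }
    echo "$rules" | grep -q -e '--dport 4500 ' \
        || { echo "MISSING: UDP 4500 (IKE NAT-T)"; status=1; }
    if echo "$rules" | grep -q -e '--dport 50 '; then
        echo "WRONG: --dport 50 is TCP/UDP port 50, not IP protocol 50 (ESP)"
        status=1
    fi
    return $status
}

# Dry run: show the rules, then audit them.
dryrun=$(ipsec_passthrough 192.168.0.2 eth0)
echo "$dryrun"
echo "$dryrun" | audit_passthrough && echo "passthrough complete"
```

Two caveats a practitioner should keep in mind. Because ESP has no ports, a DNAT for protocol 50 can only point at one inside host, which is exactly why NAT-T exists: once both sides detect NAT (the quoted log says "both are NATed"), ESP travels inside UDP 4500 and the raw protocol-50 forward is only used when NAT-T is not negotiated. And a hardware firewall that only offers TCP/UDP port forwarding cannot express the protocol-50 rule at all, which is the situation the follow-up describes.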
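The pluto debug lines quoted in the original message show why Quick Mode was refused: IpsecPeer2 compares the selectors the initiator proposed (81.83.108.106/32 -> 192.168.0.2/32, i.e. the responder's public address and the initiator's private address) with what its own conn defines (192.168.2.2/32 -> 84.195.167.62/32, i.e. the responder's private address and the initiator's public address), and neither half agrees. The script below is an added example, not from the post or from Openswan: it extracts those two pairs from such a log and reports which side disagrees. The sample lines are constructed after the quoted ones; the "conn has / peer proposed" wording is this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: read the pluto debug lines
# printed when Quick Mode fails with INVALID_ID_INFORMATION and show the
# traffic selectors the peer asked for against the ones the local conn
# defines. Sample lines are constructed after the ones quoted in the post.

sample_log() {
cat <<'EOF'
pluto[3724]: | peer client is subnet 192.168.0.2/32
pluto[3724]: | peer client protocol/port is 0/0
pluto[3724]: | our client is subnet 81.83.108.106/32
pluto[3724]: | our client protocol/port is 0/0
pluto[3724]: | find_client_connection starting with kobaltwit-to-auxima
pluto[3724]: |   looking for 81.83.108.106/32:0/0 -> 192.168.0.2/32:0/0
pluto[3724]: |   concrete checking against sr#0 192.168.2.2/32 -> 84.195.167.62/32
pluto[3724]: |   fc_try concluding with none [0]
EOF
}

# diagnose_quick_mode: stdin is a pluto log; prints one line per side and
# exits 1 on any mismatch, 2 when the selector lines are not present.
diagnose_quick_mode() {
    awk '
      # What the initiator proposed, as the responder logs it.
      /peer client is subnet/ { peer_req = $NF }
      /our client is subnet/  { our_req  = $NF }
      # What the local conn defines: "sr#0 OURS -> PEERS".
      /concrete checking against sr#/ {
          for (i = 1; i <= NF; i++)
              if ($i ~ /^sr#/) { our_cfg = $(i + 1); peer_cfg = $(i + 3) }
      }
      function report(side, cfg, req) {
          printf "%s: conn has %s, peer proposed %s -> %s\n",
                 side, cfg, req, (cfg == req ? "ok" : "MISMATCH")
          return cfg != req
      }
      END {
          if (our_req == "" || our_cfg == "") { print "no selector data found"; exit 2 }
          bad = 0
          bad += report("our side",  our_cfg,  our_req)
          bad += report("peer side", peer_cfg, peer_req)
          exit (bad ? 1 : 0)
      }
    '
}

sample_log | diagnose_quick_mode \
    || echo "Quick Mode would be refused (INVALID_ID_INFORMATION)"
```

Run it against the real file with `diagnose_quick_mode < /var/log/secure` (or wherever pluto logs with plutodebug enabled). A match on both lines is what a working peer-to-peer conn produces; a mismatch on both, as in the quoted log, means each side is describing the other by a different address than the other uses for itself.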

