Fwd: Re: [Openswan Users] Cannot ping hosts behind OpenSWAN host
Jason Martin
jason.martin at metrixmatrix.com
Tue Feb 21 09:56:39 CET 2006
Hello again,
I am still unable to get a successful connection to the intranet behind my
OpenS/WAN test box. I did notice the typos in the virtual_private line and
fixed that, and I've also set up KLIPS in order to get the ipsec0 interface
for additional debugging, however I still have had no success. My boss would
like a VPN setup by 3/1, so any help would be greatly appreciated.
Thank you.
---------- Forwarded Message ----------
Subject: Re: [Openswan Users] Cannot ping hosts behind OpenSWAN host
Date: Tuesday 14 February 2006 10:35 am
From: Jason Martin <jason.martin at metrixmatrix.com>
To: users at openswan.org
Thanks Paul. Here's the openswan machine's ipsec.conf:
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v:192.168.0.0/16,%v:!192.168.1.0/24

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior-net
        leftsubnet=192.168.1.0/24
        also=roadwarrior

conn roadwarrior
        left=%defaultroute
        leftcert=server.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
        pfs=yes

include /etc/ipsec.d/examples/no_oe.conf
And the Windows ipsec.conf:
conn roadwarrior
        left=%any
        right=1.1.1.1
        rightca=(ca-info)
        network=auto
        auto=start
        pfs=yes

conn roadwarrior-net
        left=%any
        right=1.1.1.1
        rightsubnet=192.168.1.0/24
        rightca=(ca-info)
        network=auto
        auto=start
        pfs=yes
Results of ipsec verify:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.5rc4/K2.6.9-22.0.2.EL (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
I did notice that if I don't have any iptables rules, the "Checking NAT and
MASQUERADEing" line says [OK], however when I start adding rules, then there
is no [OK], just a blank like above.
I am using Centos 4.2 with the stock 2.6.9 kernel, are there any issues with
that kernel at this time?
I do believe that the iptables rules are not configured correctly for this
setup, and I have not been able to find any reference as to how they should
be set up for forwarding packets from openswan to the internal network on a
2.6 kernel without an ipsec0 interface, and unfortunately I do not have
enough experience with iptables to set proper rules up. So any help with that
would be greatly appreciated.
Thanks!
On Monday 13 February 2006 05:21 pm, Paul Wouters wrote:
> On Mon, 13 Feb 2006, Jason Martin wrote:
> > Intranet---OpenSWAN machine-- "Public" Windows XP machine
> >
> > Intranet settings - 192.168.1.0/24
> > OpenSWAN settings - eth0: 192.168.1.212; eth1: 1.1.1.1 ("public" interface)
> > Windows XP machine - 1.1.1.2
> >
> > The OpenSWAN and XP machines are directly connected with a crossover
> > cable for now. (Maybe this is where my problem is? Should I try this on
> > an established network?)
>
> That should work.
>
> > (http://www.natecarlson.com/linux/ipsec-x509.php). I've set up the
> > "roadwarrior" and "roadwarrior-net" connections on both machines, as in
> > his instructions. Currently, I can connect from the roadwarrior to the
> > OpenSWAN after pinging 1.1.1.1 from 1.1.1.2 (it does say "Negotiating IP
> > Security" once or twice, then I get ping replies). However, if I try
> > pinging anything on the intranet, then I see "Negotiating IP Security",
> > then Request timed out.
>
> Check the openswan end. If you see an error, then the roadwarrior-net
> connection is wrong. It should be identical to the conn roadwarrior,
> except for the entry for leftsubnet=192.168.1.0/24
> If the openswan end logs no error, then you are likely not forwarding the
> packets to the internal lan. This could be a disabled IP forwarding setting
> or a NAT/MASQ/firewall rule that prohibits or mangles packets. Run ipsec
> verify to have a look.
>
> > One thing I am confused about is if OpenSWAN handles all NAT transversal
> > and knows how to route traffic to the proper interface on its own, or if
> > iptables does need to be set up to do ipmasqing, because that appears to
> > be the problem, although I've set up basic ipmasqing and it still does
> > not work properly.
>
> So far, you are not using nat_traversal yet, so this should not be an
> issue. But the only difference would be adding to config setup:
> nat_traversal=yes
> virtual_private=%v4:10.0.0.0/24,%v4:192.168.0.0/16;%v4:!192.168.1.0/24
>
> and add to your conns:
> rightsubnet=vhost:%no,%priv
>
>
> Paul
--
Jason Martin
Metrix Matrix, Inc.
785 Elmgrove Road, Building 1, Rochester, NY 14624
Office: 888-865-0065 Ext. 202
Mobile: (585) 721-8679
-------------------------------------------------------
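Paul's diagnosis splits into two things to verify on a NETKEY gateway (no ipsec0 interface) before touching the conn definitions: whether IP forwarding is on, and whether a NAT/MASQUERADE rule rewrites the tunnel traffic before it is encrypted. The script below is an added example written for this thread, not Openswan's own tooling and not something Jason or Paul posted. It checks both conditions offline against constructed inputs that stand in for /proc/sys/net/ipv4/ip_forward and `iptables-save -t nat` output; the interface name eth1 and the 192.168.1.0/24 LAN come from the thread, the rulesets themselves are made up for the example. It assumes the iptables policy match (`-m policy`, the xt_policy module) is available; a stock 2.6.9 kernel like the one in the thread may not have it, in which case a negated destination (`! -d <remote net>`) on the MASQUERADE rule is the equivalent exception the script also accepts.

```shell
#!/bin/sh
# Added example, not from the thread: audit the two NETKEY forwarding pitfalls
# Paul names.
#   1. net.ipv4.ip_forward must be 1, or decrypted packets never reach the LAN;
#   2. a nat POSTROUTING MASQUERADE/SNAT that fires on VPN traffic rewrites the
#      source address *before* ESP encapsulation, so the far end drops the reply.
# Inputs are strings standing in for /proc/sys/net/ipv4/ip_forward and
# `iptables-save -t nat`, so the checks run offline on the constructed samples
# below. The "-m policy --pol ipsec" exception assumes the xt_policy match is
# built; on a kernel without it, a negated destination ("! -d <remote net>")
# on the MASQUERADE rule is the equivalent exception this script accepts.

# check_forwarding VALUE : 0 when forwarding is enabled ("1"), 1 otherwise
check_forwarding() {
    [ "$1" = "1" ]
}

# check_nat RULESET : 0 when no MASQUERADE/SNAT can hit IPsec-bound traffic.
# Walks POSTROUTING in order; the first MASQUERADE/SNAT rule is safe only if an
# earlier "-m policy --dir out --pol ipsec -j ACCEPT" rule shields VPN packets,
# or the rule itself carries "! -d ..." / "--pol none".
check_nat() {
    if ! printf '%s\n' "$1" | grep -Eq -- '^-A POSTROUTING .*-j (MASQUERADE|SNAT)'; then
        return 0    # no source NAT at all, nothing can mangle the tunnel traffic
    fi
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0; exc = 0 }
        /^-A POSTROUTING/ {
            if ($0 ~ /-j (MASQUERADE|SNAT)/) {
                if (!(exc || $0 ~ /! -d / || $0 ~ /--pol none/)) bad = 1
                exit
            }
            if ($0 ~ /-m policy --dir out --pol ipsec/ && $0 ~ /-j ACCEPT/) exc = 1
        }
        END { exit bad }
    '
}

# audit FORWARD_VALUE RULESET : prints each finding; exit status = finding count
audit() {
    findings=0
    if ! check_forwarding "$1"; then
        echo "FINDING: ip_forward=0; gateway will not forward decrypted packets to the LAN"
        findings=$((findings + 1))
    fi
    if ! check_nat "$2"; then
        echo "FINDING: POSTROUTING masquerades VPN traffic before ESP; add an IPsec exception"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed samples (not captured from Jason's box): a plain masquerade on the
# public interface eth1 from the thread, and the same ruleset with the exception.
BAD_RULES='*nat
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT'

GOOD_RULES='*nat
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT'

audit 1 "$GOOD_RULES" && echo "sample with exception: clean"
audit 0 "$BAD_RULES"  || echo "sample without exception: $? finding(s)"

# On a live gateway:
#   audit "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables-save -t nat)"
```

The ordering check matters: iptables evaluates POSTROUTING top to bottom, so the `-j ACCEPT` exception only protects the tunnel if it sits above the MASQUERADE rule. A FORWARD chain that drops the decrypted packets would produce the same "Request timed out" symptom and is not covered here; `ipsec verify` only reports on forwarding and NAT, which is why the script mirrors those two checks.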