Fwd: Re: [Openswan Users] Cannot ping hosts behind OpenSWAN host

Jason Martin jason.martin at metrixmatrix.com
Tue Feb 21 09:56:39 CET 2006


Hello again,

I am still unable to get a successful connection to the intranet behind my 
OpenS/WAN test box. I did notice the typos in the virtual_private line and 
fixed that, and I've also set up KLIPS in order to get the ipsec0 interface 
for additional debugging, however I still have had no success. My boss would 
like a VPN setup by 3/1, so any help would be greatly appreciated.

Thank you.

----------  Forwarded Message  ----------

Subject: Re: [Openswan Users] Cannot ping hosts behind OpenSWAN host
Date: Tuesday 14 February 2006 10:35 am
From: Jason Martin <jason.martin at metrixmatrix.com>
To: users at openswan.org

Thanks Paul. Here's the openswan machine's ipsec.conf:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v:192.168.0.0/16,%v:!192.168.1.0/24

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior-net
        leftsubnet=192.168.1.0/24
        also=roadwarrior

conn roadwarrior
        left=%defaultroute
        leftcert=server.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
        pfs=yes

include /etc/ipsec.d/examples/no_oe.conf

And the Windows ipsec.conf:

conn roadwarrior
	left=%any
	right=1.1.1.1
	rightca=(ca-info)
	network=auto
	auto=start
	pfs=yes

conn roadwarrior-net
	left=%any
	right=1.1.1.1
	rightsubnet=192.168.1.0/24
	rightca=(ca-info)
	network=auto
	auto=start
	pfs=yes

Results of ipsec verify:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.5rc4/K2.6.9-22.0.2.EL (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

I did notice that if I don't have any iptable rules, the "Checking NAT and
MASQUERADEing" line says [OK], however when I start adding rules, then there
is no [OK], just a blank like above.

I am using Centos 4.2 with the stock 2.6.9 kernel, are there any issues with
that kernel at this time?

I do believe that the iptable rules are not configured correctly for this
setup, and I have not been able to find any reference as to how they should
be set up for forwarding packets from openswan to the internal network on a
2.6 kernel without an ipsec0 interface, and unfortunately I do not have
enough experience with iptables to set proper rules up. So any help with that
would be greatly appreciated.

Thanks!

On Monday 13 February 2006 05:21 pm, Paul Wouters wrote:
> On Mon, 13 Feb 2006, Jason Martin wrote:
> > Intranet---OpenSWAN machine-- "Public" Windows XP machine
> >
> > Intranet settings - 192.168.1.0/24
> > OpenSWAN settings - eth0: 192.168.1.212; eth1: 1.1.1.1 ("public"
> > interface) Windows XP machine - 1.1.1.2
> >
> > The OpenSWAN and XP machines are directly connected with a crossover
> > cable for now. (Maybe this is where my problem is? Should I try this on
> > an established network?)
>
> That should work.
>
> > (http://www.natecarlson.com/linux/ipsec-x509.php). I've set up the
> > "roadwarrior" and "roadwarrior-net" connections on both machines, as in
> > his instructions. Currently, I can connect from the roadwarrior to the
> > OpenSWAN after pinging 1.1.1.1 from 1.1.1.2 (it does say "Negotiating IP
> > Security" once or twice, then I get ping replies). However, if I try
> > pinging anything on the intranet, then I see "Negotiating IP Security",
> > then Request timed out.
>
> Check the openswan end. If you see an error, then the roadwarrior-net
> connection is wrong. It should be identical to the conn roadwarrior,
> except for the entry for leftsubnet=192.168.1.0/24
> If the openswan end logs no error, then you are likely not forwarding the
> packets to the internal lan. This could be a disabled IP forwarding setting
> or a NAT/MASQ/firewall rule that prohibits or mangles packets. Run ipsec
> verify to have a look.
>
> > One thing I am confused about is if OpenSWAN handles all NAT transversal
> > and knows how to route traffic to the proper interface on its own, or if
> > iptables does need to be set up to do ipmasqing, because that appears to
> > be the problem, although I've set up basic ipmasqing and it still does
> > not work properly.
>
> So far, you are not using nat_traversal yet, so this should not be an
> issue. But the only difference would be adding to config setup:
> 	nat_traversal=yes
> 	virtual_private=%v4:10.0.0.0/24,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
>
> and add to your conns:
> 	rightsubnet=vhost:%no,%priv
>
>
> Paul

--
Jason Martin
Metrix Matrix, Inc.
785 Elmgrove Road, Building 1, Rochester, NY 14624
Office: 888-865-0065 Ext. 202
Mobile: (585) 721-8679

-------------------------------------------------------

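Added example, not part of Jason's or Paul's mail and not Openswan's own code: a dry-run generator for the sysctl and iptables settings a NETKEY gateway (2.6 kernel, no ipsec0 interface) needs so that roadwarrior packets are forwarded into the 192.168.1.0/24 LAN and the LAN's replies are not mangled by MASQUERADE. The interface names and addresses are taken from the diagram in the thread (eth0 on the intranet, eth1 as 1.1.1.1, the XP box as 1.1.1.2); the assumption that the roadwarrior appears inside the tunnel as 1.1.1.2/32 rather than a virtual address from the virtual_private pool, and all function names, are mine. The point the script is built around is the one Paul hints at with "a NAT/MASQ/firewall rule that prohibits or mangles packets": with NETKEY the nat POSTROUTING chain runs before encryption, so a bare MASQUERADE on the public interface rewrites the source of LAN-to-roadwarrior replies to 1.1.1.1, after which they no longer match the IPsec policy and leave unencrypted.

```shell
#!/bin/sh
# Added example (not from the thread or from Openswan): generate, in loading
# order, the sysctl and iptables commands for a NETKEY Openswan gateway that
# should forward roadwarrior traffic into its LAN. Nothing is applied unless
# the output is piped into a root shell.
PUB_IF=${PUB_IF:-eth1}             # "public" side, 1.1.1.1 in the thread
LAN_IF=${LAN_IF:-eth0}             # intranet side, 192.168.1.212
LAN_NET=${LAN_NET:-192.168.1.0/24} # leftsubnet of conn roadwarrior-net
RW_NET=${RW_NET:-1.1.1.2/32}       # assumption: roadwarrior's address inside the tunnel

# Print the rule set, one complete command per line.
#   review:          sh netkey-rules.sh show
#   apply (as root): sh netkey-rules.sh show | sh
emit_rules() {
    # 1. The kernel must route between eth0 and eth1 (ipsec verify's IP forwarding check).
    echo "sysctl -w net.ipv4.ip_forward=1"
    # 2. Let IKE (500), NAT-T (4500, used once nat_traversal=yes) and ESP reach the gateway.
    echo "iptables -A INPUT -i $PUB_IF -p udp --dport 500 -j ACCEPT"
    echo "iptables -A INPUT -i $PUB_IF -p udp --dport 4500 -j ACCEPT"
    echo "iptables -A INPUT -i $PUB_IF -p esp -j ACCEPT"
    # 3. Forward the decrypted packets between roadwarrior and LAN in both directions.
    #    With NETKEY the decrypted packet re-enters on $PUB_IF, not on an ipsec0 device.
    echo "iptables -A FORWARD -i $PUB_IF -o $LAN_IF -s $RW_NET -d $LAN_NET -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $PUB_IF -s $LAN_NET -d $RW_NET -j ACCEPT"
    # 4. NAT. POSTROUTING runs before encryption under NETKEY, so a bare MASQUERADE
    #    on $PUB_IF would rewrite LAN->roadwarrior replies to source 1.1.1.1; they
    #    would then miss the IPsec policy and leave in the clear. Exempt tunnel
    #    traffic first, then masquerade everything else.
    echo "iptables -t nat -A POSTROUTING -o $PUB_IF -s $LAN_NET -d $RW_NET -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $PUB_IF -s $LAN_NET -j MASQUERADE"
}

# Ordering check on the generated set: the tunnel exemption has to be loaded
# before the MASQUERADE rule or it never matches. Returns 0 when correct.
check_order() {
    rules=$(emit_rules)
    exempt=$(printf '%s\n' "$rules" | grep -n POSTROUTING | grep -- '-j ACCEPT' | cut -d: -f1)
    masq=$(printf '%s\n' "$rules" | grep -n -- '-j MASQUERADE' | cut -d: -f1)
    [ -n "$exempt" ] && [ -n "$masq" ] && [ "$exempt" -lt "$masq" ]
}

# Number of commands emitted (8 with the defaults above).
rule_count() { emit_rules | wc -l | tr -d ' '; }

if [ "${1:-}" = "show" ]; then
    emit_rules
fi
```

The exemption rule is written with explicit addresses because that is all that is available on a kernel without the `policy` match; later 2.6 kernels let you express the same thing as `-m policy --dir out --pol ipsec -j ACCEPT` ahead of the MASQUERADE rule, which also covers roadwarriors that get a virtual address from virtual_private. If the LAN gateway ever needs to masquerade the roadwarrior itself, the same caution applies on the eth0 side.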



More information about the Users mailing list