[Openswan Users]
Pat Fricke
sales at prfhome.com
Wed Jan 4 15:49:30 CET 2006
Paul,
This is a duplicate message, the first I sent to you directly rather than
sending to the user group.
My mistake,
Pat
Thank you for your timely response.
I believe I have made the adjustments you recommended, but the problem seems
to be unchanged. The tunnels are up, but the remotes cannot authenticate. I
have found that if I open the firewall (-A INPUT -i eth0 -j ACCEPT) the
remotes DO authenticate then route through the tunnel, but then anyone can
access the server with a user name and password. Kind of defeats the whole
purpose of the tunnel.
Here is the complete un-anonymized ipsec.conf
version 2
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.
# interfaces="ipsec0=eth0"
# basic configuration
config setup
        klipsdebug=none
        nat_traversal=yes
        plutodebug=none
        uniqueids=yes
# sample VPN connection
conn %default
        authby=secret
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
        pfs=no
        compress=no
conn aic-vpn
        left=66.213.254.50
        leftid=66.213.254.50
        leftnexthop=66.213.254.49
        right=%any
        rightnexthop=%defaultroute
        rightsubnet=192.168.0.0/24
        auto=add
conn aicmolalla
        left=66.213.254.50
        leftid=66.213.254.50
        leftnexthop=66.213.254.49
        right=%any
        rightnexthop=%defaultroute
        rightsubnet=192.168.1.0/24
        auto=add
conn aicalbany
        left=66.213.254.50
        leftid=66.213.254.50
        leftnexthop=66.213.254.49
        right=%any
        rightnexthop=%defaultroute
        rightsubnet=192.168.2.0/24
        auto=add
conn aicsprnfld
        left=66.213.254.50
        leftid=66.213.254.50
        leftnexthop=66.213.254.49
        right=%any
        rightnexthop=%defaultroute
        rightsubnet=192.168.3.0/24
        auto=add
conn aicflorence
        left=66.213.254.50
        leftid=66.213.254.50
        leftnexthop=66.213.254.49
        right=%any
        rightnexthop=%defaultroute
        rightsubnet=192.168.4.0/24
        auto=add
conn aicredmond
        left=66.213.254.50
        leftid=66.213.254.50
        leftnexthop=66.213.254.49
        right=%any
        rightnexthop=%defaultroute
        rightsubnet=192.168.5.0/24
        auto=add
conn aictigard
        left=66.213.254.50
        leftid=66.213.254.50
        leftnexthop=66.213.254.49
        right=%any
        rightnexthop=%defaultroute
        rightsubnet=192.168.6.0/24
        auto=add
conn aicleslie
        left=66.213.254.50
        leftid=66.213.254.50
        leftnexthop=66.213.254.49
        right=%any
        rightnexthop=%defaultroute
        rightsubnet=192.168.7.0/24
        auto=add
include /etc/ipsec.d/examples/no_oe.conf
and the current iptables
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -j ACCEPT
-A INPUT -p gre -i eth0 -j ACCEPT
# ESP
-A INPUT -p esp -i eth0 -j ACCEPT
# HAW Images
-A INPUT -p tcp -m tcp -s 66.213.254.50 -j ACCEPT
# IKE
-A INPUT -p udp -m udp -i eth0 --dport 500 -j ACCEPT
# IKE across NAT
-A INPUT -p udp -m udp -i eth0 --dport 4500 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 -d 0/0 -i eth0 --dport 67:68 --sport 67:68 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 -d 0/0 -i eth1 --dport 67:68 --sport 67:68 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 -j REJECT --syn
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 -j REJECT --syn
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 -j REJECT --syn
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 -j REJECT --syn
-A INPUT -i ipsec0 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p udp -m udp --dport 23 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 110 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 113 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --sport 1723 -j ACCEPT
# IKE
-A OUTPUT -p udp -m udp -o eth0 --dport 500 -j ACCEPT
# IKE across NAT
-A OUTPUT -p udp -m udp -o eth0 --dport 4500 -j ACCEPT
-A OUTPUT -p 50 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o ipsec0 -j ACCEPT
-A OUTPUT -p tcp -m tcp -o eth0 --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp -o eth0 --dport 1723 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.100.2 -i eth0 --dport 3389 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 3389 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 3390 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.100.3 -i eth0 --dport 3390 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 3391 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.100.4 -i eth0 --dport 3391 -j ACCEPT
-A INPUT -p tcp -m tcp -m state --sport 3500:4000 --state NEW -j ACCEPT
-A INPUT -j RH-Lokkit-0-50-INPUT
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -p tcp -m tcp -i eth0 --sport 21 -j DNAT --to-destination 192.168.100.1-192.168.100.98:21
-A PREROUTING -p tcp -m tcp -i eth0 --dport 3389 -j DNAT --to-destination 192.168.100.2:3389
-A PREROUTING -p tcp -m tcp -i eth0 --dport 3390 -j DNAT --to-destination 192.168.100.3:3390
-A PREROUTING -p tcp -m tcp -i eth0 --dport 3391 -j DNAT --to-destination 192.168.100.4:3391
COMMIT
# Completed
ipsec barf is located at http://dungeon.homeip.net/danger_files/barf.txt
When I try to run "tcpdump -i eth0" I get "Couldn't find user 'pcap'."
Doesn't matter what user I use; with "tcpdump -Z root -i eth0" I get "Couldn't
find user 'root'."
Probably operator error but not sure what to do differently.
Thanks again for your time,
Pat R. Fricke
PRF Enterprises
(503)520-9757
sales at prfhome.com
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Friday, December 30, 2005 11:31 AM
To: Pat Fricke
Cc: users at openswan.org
Subject: Re: [Openswan Users]
On Thu, 29 Dec 2005, Pat Fricke wrote:
> Long and short of it is I have a tunnel established by a road warrior
> LinkSys router but the workstations cannot connect to the SAMBA shares. Both
> the secure log on the Fedora box and the LinkSys router show the tunnel is
> connected (STATE_QUICK_R2: IPsec SA established {ESP=>0xadec39d6 <0x77944d7f
> xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
> -A INPUT -p udp -m udp -i eth0 --dport 4500 -j ACCEPT
> -A OUTPUT -p udp -m udp -o eth0 --dport 4500 -j ACCEPT
That is not correct. The originating port is not necessarily 4500. It could be
a random high port (since the client could be behind a NAT gateway).
> config setup
> interfaces=%defaultroute
> klipsdebug=none
> plutodebug=none
> uniqueids=yes
You did not enable nat traversal on purpose?
> conn %default
> authby=secret
>
> conn vpn
> left=xxx.xxx.xxx.xxx (real world ip)
> leftid= xxx.xxx.xxx.xxx (real world ip)
> leftnexthop= xxx.xxx.xxx.xxx (real world gateway ip)
> right=%any
> rightnexthop=%defaultroute
> rightsubnet=192.168.0.0/24
> keyexchange=ike
> ikelifetime=240m
> keylife=60m
> pfs=yes
> compress=no
> auto=add
You should be very careful playing with these layouts like that. The parser
is very dumb. It looks OK otherwise.
Check with ipsec verify and otherwise post a link to your ipsec barf output.
Please do not anonymize, since it will be next to impossible to detect
configuration mistakes.
Paul
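As an added example (not code from either message in this thread): a small Python audit of an iptables-save dump in the shape Pat posted above. It flags the catch-all eth0 ACCEPT that, as Pat notes, lets anyone reach the server, the IKE/ESP INPUT rules that catch-all shadows, and the OUTPUT rule keyed on remote UDP port 4500, which Paul points out cannot assume a fixed peer port (the local port 4500 is the fixed side). SAMPLE_RULES is a constructed excerpt; parse_rule and audit are assumed names.

```python
import shlex

# Constructed excerpt in iptables-save syntax, modelled on the dump posted above.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -j ACCEPT
-A INPUT -p esp -i eth0 -j ACCEPT
-A INPUT -p udp -m udp -i eth0 --dport 500 -j ACCEPT
-A INPUT -p udp -m udp -i eth0 --dport 4500 -j ACCEPT
-A INPUT -i ipsec0 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A OUTPUT -p udp -m udp -o eth0 --dport 4500 -j ACCEPT
COMMIT
"""

# Options that narrow a rule to particular traffic; a rule with none of them
# matches every packet arriving on its interface.
SELECTIVE = ("-p", "-s", "-d", "--dport", "--sport", "--state")

def parse_rule(line):
    """Split one '-A CHAIN ...' line into (chain, {option: value}).
    Covers the option forms used in the dump, including the bare '--syn' flag."""
    toks = shlex.split(line)
    opts, i = {}, 2
    while i < len(toks):
        if toks[i] == "--syn":
            opts[toks[i]], i = True, i + 1
        else:
            opts[toks[i]], i = toks[i + 1], i + 2
    return toks[1], opts

def audit(text):
    """Return (line number, finding) pairs for the problems discussed in the thread."""
    findings, blanket = [], {}   # blanket: interface -> line of its catch-all ACCEPT
    for n, line in enumerate(text.splitlines(), 1):
        if not line.startswith("-A"):
            continue
        chain, o = parse_rule(line)
        iface = o.get("-i")
        if chain == "INPUT" and iface:
            # lo and the KLIPS ipsec0 device carry only local or already-decrypted traffic
            if (o.get("-j") == "ACCEPT" and not any(k in o for k in SELECTIVE)
                    and iface != "lo" and not iface.startswith("ipsec")):
                findings.append((n, f"catch-all ACCEPT on {iface}: any host reaches any port"))
                blanket[iface] = n
            elif iface in blanket:
                findings.append((n, f"never reached: shadowed by catch-all ACCEPT at line {blanket[iface]}"))
        # NAT-T: the peer's port is not fixed at 4500, so match our own fixed local port instead
        if chain == "OUTPUT" and o.get("-p") == "udp" and o.get("--dport") == "4500":
            findings.append((n, "OUTPUT keyed on remote port 4500; match --sport 4500 for NAT-T"))
    return findings

if __name__ == "__main__":
    for n, msg in audit(SAMPLE_RULES):
        print(f"line {n}: {msg}")
```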