[Openswan Users]
Pat Fricke
sales at prfhome.com
Sat Jan 7 07:54:07 CET 2006
Thanks to a hint from sean at obstacle9.com I got mine working too.
Had to open ports 137 and 138 udp, and ports 139 and 445 tcp in the firewall
for my remote subnets to get the SAMBA packets through. In my case there are
multiple subnets and users with Windows 98, 2000 and XP (as I understand it,
XP and 2000 only need port 445).
-A INPUT -p udp -m udp -i eth0 --dport 137:138 -s 192.168.x.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 139 -s 192.168.x.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 445 -s 192.168.x.0/24 -j ACCEPT
(repeat for each subnet)
If there is a better way to do it I would like to know about it.
Pat R. Fricke
PRF Enterprises
(503)520-9757
sales at prfhome.com
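A shorter way to express the per-subnet rules above, added here as an example and not taken from the thread: a small sh script that emits the three SMB rules for every remote subnet and ties each one to IPsec-decapsulated traffic with the xt_policy match, so the ports are not reachable from arbitrary hosts on eth0 that merely spoof a 192.168.x.0/24 source. It assumes a NETKEY/xfrm stack (on KLIPS the existing `-i ipsec0` rule plays the same role); the subnet list is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original thread): generate the per-subnet SMB
# rules instead of copying the block once per subnet by hand.
#
# Assumption (not stated in the thread): NETKEY/xfrm, where decrypted packets
# re-enter INPUT on eth0 and can be matched with -m policy --dir in --pol ipsec.
# With KLIPS the decrypted traffic arrives on ipsec0 instead.

WAN_IF="eth0"

# Print the rule set for one remote subnet, one rule per line, in
# iptables-restore syntax (same form as the rules quoted in the message).
smb_rules_for_subnet() {
    subnet="$1"
    # Only accept packets that arrived inside an ESP SA; a plain -s match on a
    # private subnet does not prove the packet came through the tunnel.
    pol="-m policy --dir in --pol ipsec --proto esp"
    printf '%s\n' \
        "-A INPUT -i $WAN_IF $pol -p udp -m udp -s $subnet --dport 137:138 -j ACCEPT" \
        "-A INPUT -i $WAN_IF $pol -p tcp -m tcp -s $subnet --dport 139 -j ACCEPT" \
        "-A INPUT -i $WAN_IF $pol -p tcp -m tcp -s $subnet --dport 445 -j ACCEPT"
}

# Loop over every remote subnet given as an argument.
smb_rules_for_all() {
    for s in "$@"; do
        smb_rules_for_subnet "$s"
    done
}

# Number of rules that would be emitted; a quick sanity check before loading
# the output with iptables-restore.
rule_count() {
    smb_rules_for_all "$@" | wc -l | tr -d ' '
}

# Constructed sample list standing in for the poster's 192.168.x.0/24 subnets.
REMOTE_SUBNETS="192.168.0.0/24 192.168.1.0/24 192.168.2.0/24"
# shellcheck disable=SC2086
smb_rules_for_all $REMOTE_SUBNETS
```

The printed rules belong in the *filter section of the iptables-restore file, above the final `-A INPUT -j RH-Lokkit-0-50-INPUT` line, so they are evaluated before the Lokkit REJECT rules for ports 0:1023.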
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Pat Fricke
Sent: Wednesday, January 04, 2006 3:50 PM
To: 'Paul Wouters'
Cc: users at openswan.org
Subject: RE: [Openswan Users]
Paul,
This is a duplicate message, the first I sent to you directly rather than
sending to the user group.
My mistake,
Pat
Thank you for your timely response.
I believe I have made the adjustments you recommended, but the problem seems
to be unchanged. The tunnels are up, but the remotes cannot authenticate. I
have found that if I open the firewall (-A INPUT -i eth0 -j ACCEPT) the
remotes DO authenticate then route through the tunnel, but then anyone can
access the server with a user name and password. Kind of defeats the whole
purpose of the tunnel.
Here is the complete un-anonymized ipsec.conf
version 2
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.
# interfaces="ipsec0=eth0"
# basic configuration
config setup
klipsdebug=none
nat_traversal=yes
plutodebug=none
uniqueids=yes
# sample VPN connection
conn %default
authby=secret
keyexchange=ike
ikelifetime=240m
keylife=60m
pfs=no
compress=no
conn aic-vpn
left=66.213.254.50
leftid=66.213.254.50
leftnexthop=66.213.254.49
right=%any
rightnexthop=%defaultroute
rightsubnet=192.168.0.0/24
auto=add
conn aicmolalla
left=66.213.254.50
leftid=66.213.254.50
leftnexthop=66.213.254.49
right=%any
rightnexthop=%defaultroute
rightsubnet=192.168.1.0/24
auto=add
conn aicalbany
left=66.213.254.50
leftid=66.213.254.50
leftnexthop=66.213.254.49
right=%any
rightnexthop=%defaultroute
rightsubnet=192.168.2.0/24
auto=add
conn aicsprnfld
left=66.213.254.50
leftid=66.213.254.50
leftnexthop=66.213.254.49
right=%any
rightnexthop=%defaultroute
rightsubnet=192.168.3.0/24
auto=add
conn aicflorence
left=66.213.254.50
leftid=66.213.254.50
leftnexthop=66.213.254.49
right=%any
rightnexthop=%defaultroute
rightsubnet=192.168.4.0/24
auto=add
conn aicredmond
left=66.213.254.50
leftid=66.213.254.50
leftnexthop=66.213.254.49
right=%any
rightnexthop=%defaultroute
rightsubnet=192.168.5.0/24
auto=add
conn aictigard
left=66.213.254.50
leftid=66.213.254.50
leftnexthop=66.213.254.49
right=%any
rightnexthop=%defaultroute
rightsubnet=192.168.6.0/24
auto=add
conn aicleslie
left=66.213.254.50
leftid=66.213.254.50
leftnexthop=66.213.254.49
right=%any
rightnexthop=%defaultroute
rightsubnet=192.168.7.0/24
auto=add
include /etc/ipsec.d/examples/no_oe.conf
and the current iptables
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -j ACCEPT
-A INPUT -p gre -i eth0 -j ACCEPT
# ESP
-A INPUT -p esp -i eth0 -j ACCEPT
# HAW Images
-A INPUT -p tcp -m tcp -s 66.213.254.50 -j ACCEPT
# IKE
-A INPUT -p udp -m udp -i eth0 --dport 500 -j ACCEPT
# IKE across NAT
-A INPUT -p udp -m udp -i eth0 --dport 4500 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 -d 0/0 -i eth0 --dport 67:68 --sport 67:68 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 -d 0/0 -i eth1 --dport 67:68 --sport 67:68 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 -j REJECT --syn
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 -j REJECT --syn
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 -j REJECT --syn
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 -j REJECT --syn
-A INPUT -i ipsec0 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p udp -m udp --dport 23 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 110 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 113 --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --sport 1723 -j ACCEPT
# IKE
-A OUTPUT -p udp -m udp -o eth0 --dport 500 -j ACCEPT
# IKE across NAT
-A OUTPUT -p udp -m udp -o eth0 --dport 4500 -j ACCEPT
-A OUTPUT -p 50 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o ipsec0 -j ACCEPT
-A OUTPUT -p tcp -m tcp -o eth0 --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp -o eth0 --dport 1723 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.100.2 -i eth0 --dport 3389 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 3389 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 3390 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.100.3 -i eth0 --dport 3390 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 3391 -j ACCEPT
-A FORWARD -p tcp -m tcp -d 192.168.100.4 -i eth0 --dport 3391 -j ACCEPT
-A INPUT -p tcp -m tcp -m state --sport 3500:4000 --state NEW -j ACCEPT
-A INPUT -j RH-Lokkit-0-50-INPUT
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -p tcp -m tcp -i eth0 --sport 21 -j DNAT --to-destination 192.168.100.1-192.168.100.98:21
-A PREROUTING -p tcp -m tcp -i eth0 --dport 3389 -j DNAT --to-destination 192.168.100.2:3389
-A PREROUTING -p tcp -m tcp -i eth0 --dport 3390 -j DNAT --to-destination 192.168.100.3:3390
-A PREROUTING -p tcp -m tcp -i eth0 --dport 3391 -j DNAT --to-destination 192.168.100.4:3391
COMMIT
# Completed
ipsec barf is located at http://dungeon.homeip.net/danger_files/barf.txt
When I try to run "tcpdump -i eth0" I get "Couldn't find user 'pcap'."
Doesn't matter what user I use: with "tcpdump -Z root -i eth0" I get "Couldn't
find user 'root'."
Probably operator error but not sure what to do differently.
Thanks again for your time,
Pat R. Fricke
PRF Enterprises
(503)520-9757
sales at prfhome.com
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Friday, December 30, 2005 11:31 AM
To: Pat Fricke
Cc: users at openswan.org
Subject: Re: [Openswan Users]
On Thu, 29 Dec 2005, Pat Fricke wrote:
> Long and short of it is I have a tunnel established by a road warrior
> LinkSys router but the workstations cannot connect to the SAMBA shares. Both
> the secure log on the Fedora box and the LinkSys router show the tunnel is
> connected (STATE_QUICK_R2: IPsec SA established {ESP=>0xadec39d6 <0x77944d7f
> xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
> -A INPUT -p udp -m udp -i eth0 --dport 4500 -j ACCEPT
> -A OUTPUT -p udp -m udp -o eth0 --dport 4500 -j ACCEPT
That is not correct. The originating port is not necessarily 4500. It could be
a random high port (since the client could be behind a NAT gateway).
> config setup
> interfaces=%defaultroute
> klipsdebug=none
> plutodebug=none
> uniqueids=yes
You did not enable nat traversal on purpose?
> conn %default
> authby=secret
>
> conn vpn
> left=xxx.xxx.xxx.xxx (real world ip)
> leftid= xxx.xxx.xxx.xxx (real world ip)
> leftnexthop= xxx.xxx.xxx.xxx (real world gateway ip)
> right=%any
> rightnexthop=%defaultroute
> rightsubnet=192.168.0.0/24
> keyexchange=ike
> ikelifetime=240m
> keylife=60m
> pfs=yes
> compress=no
> auto=add
You should be very careful playing with these layouts like that. The parser
is very dumb. It looks ok otherwise.
Check with ipsec verify and otherwise post a link to your ipsec barf output.
Please do not anonymize, since it will be next to impossible to detect
configuration mistakes.
Paul
_______________________________________________
Users mailing list
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users