[Openswan Users]

Greg Scott GregScott at InfraSupportEtc.com
Sun Jul 23 09:18:29 CEST 2006


Hmmmm - 

I compared the .config file from my 2.6.17.2 kernel with the fc5 kernel's.
All the relevant options published in Paul Wouters' Openswan book are in
both, mostly compiled as modules.  And it looks like the latest and
greatest fc5 kernel is a few days older than mine.

I went through some netfilter notes and saw a mention about SNAT and
MASQUERADEing.  I have firewall rules that MASQ everything going out on
the Internet interface.  It never was an issue before - but then we had
KLIPS and those ipsecnn devices.  So it's possible that with 2.6.17 my
sending firewall is MASQing - and that's why the packets go out in the
clear?  So I would need a POSTROUTING rule that would just ACCEPT and
not SNAT or MASQ packets bound for the tunnel.  And then on the
receiving side, I'd need a rule about the IP-in-IP stuff.

Hmmmm - This would explain the symptoms I see.  I'm going to grab a few
hours' sleep and come back to this.  I will post a working ruleset
template if I can come up with one.

- Greg
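
Added example, not part of Greg's post, Andy's replies or the Openswan
project: a ruleset template in the shape Greg describes above, written for
the Roseville firewall.  The subnets and the peer address are taken from the
conn quoted further down in this thread; the interface names (eth0 =
Internet, eth1 = LAN) and the "everything leaving eth0 is MASQUERADEd"
policy are assumptions.  The script prints the iptables commands instead of
applying them, so the rule order can be checked before it is run as root.

```shell
#!/bin/sh
# Added example, not from the thread: iptables template for the Roseville
# firewall running Openswan on a NETKEY (2.6.17) kernel.  It PRINTS the
# rules instead of applying them; review, then run as root:  sh ruleset.sh | sh
#
# Subnets and peer address are from Greg's conn; the interface names and
# the "everything out eth0 is MASQUERADEd" policy are assumptions.

LOCAL_SUBNET=10.15.1.0/24      # Roseville LAN  (leftsubnet in the conn)
REMOTE_SUBNET=10.13.1.0/24     # Lakeville LAN  (rightsubnet in the conn)
PEER=209.130.212.154           # Lakeville public address (right= in the conn)
WAN_IF=eth0                    # assumed Internet interface
LAN_IF=eth1                    # assumed LAN interface

# Print the rules in the order they must exist in each chain.  In
# nat/POSTROUTING the ACCEPT for tunnel-bound traffic has to come BEFORE
# the MASQUERADE rule: a masqueraded packet carries source 71.216.115.33,
# no longer matches the 10.15.1.0/24 -> 10.13.1.0/24 IPsec policy, and
# leaves eth0 unencrypted.  (If a MASQUERADE rule is already loaded, use
# "-I POSTROUTING 1" for the ACCEPT instead of "-A".)
ipsec_ruleset() {
    cat <<EOF
# nat table: exempt tunnel traffic from MASQUERADE
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LOCAL_SUBNET -d $REMOTE_SUBNET -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
# filter/INPUT: IKE, NAT-T (harmless if unused) and ESP from the peer only
iptables -A INPUT -i $WAN_IF -s $PEER -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $WAN_IF -s $PEER -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $WAN_IF -s $PEER -p esp -j ACCEPT
# filter/INPUT: protocol 4 (IP-in-IP), which Andy found an INPUT DROP
# policy must allow on 2.6.16+; the outer header still carries the peer
iptables -A INPUT -i $WAN_IF -s $PEER -p 4 -j ACCEPT
# filter/FORWARD: only the two LANs cross the tunnel
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LOCAL_SUBNET -d $REMOTE_SUBNET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -s $REMOTE_SUBNET -d $LOCAL_SUBNET -j ACCEPT
EOF
}

# Ordering check on the generated nat rules: exit 0 when the tunnel ACCEPT
# precedes MASQUERADE, 1 otherwise.
check_nat_order() {
    ipsec_ruleset | grep '^iptables -t nat' | awk '
        /-j ACCEPT/     { accept = NR }
        /-j MASQUERADE/ { masq = NR }
        END { exit !(accept && masq && accept < masq) }'
}

# Number of iptables commands the template emits (handy for a quick diff
# against "iptables-save" after loading).
rule_count() {
    ipsec_ruleset | grep -c '^iptables'
}

ipsec_ruleset
check_nat_order && echo "# OK: tunnel ACCEPT precedes MASQUERADE in nat/POSTROUTING"
```

The Lakeville side is the mirror image with LOCAL_SUBNET, REMOTE_SUBNET and
PEER swapped.  If your iptables has the policy match, a single
`-m policy --dir out --pol ipsec -j ACCEPT` in nat/POSTROUTING can replace
the per-subnet ACCEPT and covers every conn at once; the subnet-pair form
above works without it.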
-----Original Message-----
From: Andy Gay [mailto:andy at andynet.net] 
Sent: Sunday, July 23, 2006 12:25 AM
To: Greg Scott
Cc: users at openswan.org
Subject: RE: [Openswan Users]

On Sun, 2006-07-23 at 00:09 -0500, Greg Scott wrote:
> Aw nuts, sorry about that.  Lakeville is on the right, Roseville on 
> the left.  I got my diagram backwards and didn't notice until you 
> pointed it out.  For the record, it's like this:
> 
> 
> Roseville (Left)                         Lakeville (Right)
> 10.15.1.75  71.216.115.33                209.130.212.154  10.13.1.1
> eth1        eth0                         eth0             eth1
> 
> 
> The whole problem was, I used a kernel from kernel.org because of some
> other netfilter modules I wanted.  Sheesh - I built it about 3 weeks
> ago and it's already obsolete.  And I must have built it wrong because
> when I booted my test firewalls using the original fc5 2.6.15.nnn
> kernel, now I see esp packets going out both interfaces.
> 
If you were getting the IPsec SA established, your kernel is probably OK.
There were some significant changes in the netfilter-ipsec interaction
since 2.6.16. SNAT is rumoured to work properly now, for instance.

One problem I found with 2.6.16+ is if you have an iptables DROP policy
for your INPUT chain, then you'll have to add an ACCEPT rule for
protocol 4 (IP-in-IP). Nobody seems to know just why that is.


> I'll bet by now there's an fc5 2.6.17.nnn kernel, so I'm going to grab
> that and use it.
> 
> - Greg
> 
> 
> 
> -----Original Message-----
> From: Andy Gay [mailto:andy at andynet.net]
> Sent: Saturday, July 22, 2006 11:56 PM
> To: Greg Scott
> Cc: users at openswan.org
> Subject: Re: [Openswan Users]
> 
> On Sat, 2006-07-22 at 19:01 -0500, Greg Scott wrote:
> > I must be missing something basic here.  I am trying to set up a simple
> > tunnel with 2 subnets.  Here is the scenario below.  Apologies if an
> > emailer somewhere along the line butchers the line wrapping.
> > 
> >               Roseville (Left)                   Lakeville (Right)
> >               Left Firewall  <-Internet--> Right Firewall
> > 10.13.1.0/24  eth1       eth0             eth0             eth1   10.15.1.0/24
> >               10.13.1.1  71.216.115.33    209.130.212.154  10.15.1.75
> 
> So here you say that leftsubnet is 10.13.1.0/24, rightsubnet is 
> 10.15.1.0/24.
> 
> But later on in your config file, you have those the other way around:
> 
> > [root at lakeville-fw etc]# more ipsec.d/Roseville-Lakeville.conf
> 
> > conn Roseville-Lakeville
> >         left=71.216.115.33
> >         leftsubnet=10.15.1.0/24
> >         leftnexthop=71.216.115.38
> >         leftid=@roseville.local
> >         # RSA 2192 bits   roseville-fw   Thu Jul 20 18:47:26 2006
> >         leftrsasigkey=0sAQPHZAiDY....
> >         #
> >         # Right security gateway, subnet behind it, next hop toward 
> > left.
> >         right=209.130.212.154
> >         rightsubnet=10.13.1.0/24
> >         rightnexthop=209.130.212.153
> >         rightid=@lakeville.local
> >         # RSA 2192 bits   lakeville-fw   Wed Jul 19 21:09:32 2006
> >         rightrsasigkey=0sAQNb9diw....
> >         #
> >         auto=start
> > 