[Openswan Users] vpn tun0 to where? A routing question.

Charles Tompkins crt at thig.com
Thu May 25 15:27:06 CEST 2006


I am having trouble moving the "flow" of a tunneled connection beyond the
vpn gateway.
Setup:
              |--------|         |----------|
roadwarrior---|Internet|---PIX---|   core   |---VPNGW
              |--------|         |----------|
                                      |
                                    RADIUS

OS: Centos 4.3  Software: OpenSwan 2.4.5/l2tpns 2.18  MS XP VPN client
	I have routed a part of my public ip block (i.e. Pub.Lic.9.0/24)
into my inside network and it is routable from within (tested).
	I can create an IPsec tunnel to the VPN gateway (ip address
Pub.Lic.9.1), l2tpns receives Auth-Accept from my RADIUS server, l2tpns
gives out an IP (from an unused IP in the Pub.Lic.9.0/24 block), and vpn
client "registers on the network."

The tun0 interface receives packets from the roadwarrior.  The interfaces
look like so:
eth0      Link encap:Ethernet  HWaddr 00:0F:1F:E7:53:B6
          inet addr:Pub.Lic.9.1  Bcast:Pub.Lic.9.255  Mask:255.255.255.0
          inet6 addr: xxxx::xxx:xxxx:xxxx:xxxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:230 errors:0 dropped:0 overruns:0 frame:0
          TX packets:646 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:23027 (22.4 KiB)  TX bytes:143978 (140.6 KiB)
          Interrupt:11

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:Pub.Lic.9.1  P-t-P:Pub.Lic.9.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING  MTU:1462  Metric:1
          RX packets:987 errors:0 dropped:0 overruns:0 frame:0
          TX packets:126 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:54483 (53.2 KiB)  TX bytes:680 (680.0 b)

Issue:
Nothing beyond the VPN gateway can be pinged, no names resolved, no
connections of any kind can be made to the internal network.

Questions:
Can this setup work with only one NIC?  I can add another, but that would
introduce more routing issues and I am of the mind to keep it simple.

Is the tun0 interface supposed to have both the "inet addr:" and the
"P-t-P:" addressed the same?

If this setup can work, what kind of "iptables" and "route" statements are
needed to get packets from the tun0 interface back out of the eth0
interface?

Other:
We use basic private subnets within 10.0.0.0/8 internally, and a second NIC
and IP pool from this block could be added.
If you have read this far, my newb status must be painfully obvious.  I
would appreciate anything like links to read, example configurations,
iptables in use, route statements, etc. 

l2tpns files: (comments and unset values removed)
[root at computer ~]# cat /etc/l2tpns/startup-config
set debug 3
set log_file "/var/log/l2tpns"
set pid_file "/var/run/l2tpns.pid"
set primary_dns Pub.Lic.10.5
set secondary_dns 10.1.1.1
set primary_radius Pub.Lic.14.222
set primary_radius_port 1812
set secondary_radius 10.1.1.30
set secondary_radius_port 1812
set radius_secret "secret"
set radius_authtypes "pap"
set radius_accounting yes
set accounting_dir "/var/run/l2tpns/acct"
set bind_address Pub.Lic.9.1
set peer_address Pub.Lic.9.254

[root at computer ~]# cat /etc/l2tpns/ip_pool
Pub.Lic.9.3

*/etc/l2tpns/users is empty


OpenSwan file: (comments and most unset values removed)
[root at computer ~]# cat /etc/ipsec.conf
version 2.0     # conforms to second version of ipsec.conf specification
config setup
        nat_traversal=yes
        #virtual_private=%v4:10.0.0.0/8

conn roadwarrior-a-psk
        type=transport
        authby=secret|rsasig
        pfs=no
        left=Pub.Lic.9.1
        leftnexthop=%defaultroute
        leftprotoport=17/0
        leftrsasigkey=%cert
        right=%any
        rightnexthop=%defaultroute
        rightprotoport=17/0
        rightrsasigkey=%cert
        auto=add
        keyingtries=1
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

Thanks,
-Charles
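Added example (mine, not code from the post, l2tpns or Openswan), illustrating the single-NIC and "tun0 back out of eth0" questions above: a small Python model of the two legs a packet takes in this layout, the gateway's longest-prefix route lookup on the way out, and, on the way back, which station on the LAN can answer ARP for a pool address that sits inside eth0's own /24. The addresses are constructed stand-ins for the Pub.Lic.9.0/24 block, and the ip_forward and proxy_arp flags stand for the kernel sysctls of the same names; the lookup works for any destination, not just the two shown.

```python
import ipaddress

# Constructed stand-ins for the post's Pub.Lic.9.0/24 block (documentation range).
GW_ETH0 = ipaddress.ip_interface("203.0.113.1/24")  # VPNGW eth0 (Pub.Lic.9.1 in the post)
CLIENT = ipaddress.ip_address("203.0.113.3")        # l2tpns pool address (Pub.Lic.9.3)
CORE = ipaddress.ip_address("203.0.113.254")        # core router (peer_address Pub.Lic.9.254)
INTERNAL = ipaddress.ip_address("10.1.1.1")         # a host behind the core
TUNNEL_CLIENTS = {CLIENT}                           # addresses reachable only via tun0

# Gateway routing table as (prefix, device); longest prefix wins.
GW_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),
    (GW_ETH0.network, "eth0"),
    (ipaddress.ip_network(f"{CLIENT}/32"), "tun0"),  # per-session host route (assumed)
]

def lookup(routes, dst):
    """Longest-prefix match; returns the outgoing device or None."""
    best = None
    for net, dev in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def outbound(src_dev, dst, ip_forward):
    """Client packet arrives on src_dev; the gateway must route it elsewhere."""
    out = lookup(GW_ROUTES, dst)
    if out is None:
        return "dropped: no route"
    if out != src_dev and not ip_forward:
        return "dropped: forwarding disabled (net.ipv4.ip_forward=0, assumed sysctl)"
    return f"forwarded via {out}"

def arp_responder(target, proxy_arp):
    """Return leg: a LAN host ARPs for target because it lies in the on-link /24."""
    if target in TUNNEL_CLIENTS:
        # The client is behind the tunnel and never sees the broadcast; only the
        # gateway can answer on its behalf (proxy_arp on eth0, assumed sysctl).
        return "gateway via proxy ARP" if proxy_arp else "nobody: reply cannot reach the tunnel"
    if target in GW_ETH0.network:
        return "the target host itself"
    return "not on-link: LAN host uses its default gateway"

if __name__ == "__main__":
    for fwd, parp in ((False, False), (True, False), (True, True)):
        print(f"ip_forward={fwd} proxy_arp={parp}:",
              outbound("tun0", INTERNAL, fwd), "|", arp_responder(CLIENT, parp))
```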
