[Openswan Users] Problems with OpenSwan, Shorewall and NATting

Davide Ferrari davide.ferrari at atrapalo.com
Fri Nov 17 07:19:13 EST 2006


Hi

I'm trying to establish a vpn tunnel between a Linux firewall (2.6.17 and 
openswan 2.4.4) and a remote Cisco VPN3000.

Till now, I've managed to get openswan configured and correctly bringing up a 
tunnel with the remote Cisco concentrator.

LEGEND:
XXX.XXX.XXX.XXX = local public IP address 
YYY.YYY.YYY.YYY = remote public IP address

This is the output of ipsec auto --status

000 #2: "my-tunnel":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); 
EVENT_SA_REPLACE in 26855s; newest IPSEC; eroute owner
000 #2: "my-tunnel" esp.607e0b4c at YYY.YYY.YYY.YYY esp.d0fe092 at XXX.XXX.XXX.XXX 
tun.0 at YYY.YYY.YYY.YYY tun.0 at XXX.XXX.XXX.XXX
000 #1: "my-tunnel":500 STATE_MAIN_I4 (ISAKMP SA established); 
EVENT_SA_REPLACE in 84745s; newest ISAKMP; lastdpd=7s(seq in:25141 out:0)

anyway, this is my ipsec.conf

conn my-tunnel
       type=           tunnel
       left=           XXX.XXX.XXX.XXX
       leftsubnet=     172.23.92.13/32
       leftsourceip=   172.23.92.13
       right=          YYY.YYY.YYY.YYY
       rightsubnet=    7.2.1.0/24
       authby=         secret
       esp=            3des-sha1-96
       #ah=            hmac-sha1-96
       keyexchange=    ike
       ikelifetime=    24h
       keylife=        8h
       dpddelay=       10
       pfs=            no
       auto=           start

** ip addr show
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:02:b3:3b:36:b3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:02:b3:c2:0c:bc brd ff:ff:ff:ff:ff:ff
    inet XXX.XXX.XXX.XXX/24 brd 80.34.171.255 scope global eth1
    inet 172.23.92.13/32 scope global eth1

** ip route show
XXX.XXX.XXX.0/24 dev eth1  proto kernel  scope link  src XXX.XXX.XXX.XXX
192.168.3.0/24 dev eth3  proto kernel  scope link  src 192.168.3.1
192.168.2.0/24 dev eth2  proto kernel  scope link  src 192.168.2.1
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
127.0.0.0/8 dev lo  scope link
default via XXX.XXX.XXX.1 dev eth1

this is my conf in shorewall:

** zones:
fw      firewall
net     ipv4
loc     ipv4
vpn     ipsec

** interfaces
loc     eth0            detect
net     eth1            detect

** hosts:
vpn     eth1:7.2.1.0/24,YYY.YYY.YYY.YYY          ipsec

** tunnels
ipsec                   net     YYY.YYY.YYY.YYY  vpn

** rules
ACCEPT          loc                     vpn                     tcp     8050
(I have to connect to a remote server on this port)

note:
the "fw" zone has everything opened to the "net" zone.

** nat
172.23.92.13    eth1            192.168.1.220


The last file is "nat" and I use it because my idea is that all the traffic that 
goes from 192.168.1.220 and points to a vpn address (7.2.1.0/24) should pass 
through the vpn.
And this works (pings, telnets etc.) BUT there is a huge problem: shorewall 
considers that all the traffic coming from 192.168.1.220 to 7.2.1.0/24 has to obey 
the "net" zone rules, not the "vpn" zone ones.
Moreover, 192.168.1.220 cannot go through the *real* "net" zone (the 
internet).
I'm assuming there is some routing problem but I cannot get it... and why does 
shorewall consider the remote vpn address as a "net" address for the 
NATted local IP?

Thanks in advance

-- 
Davide Ferrari
System Administrator
http://www.atrapalo.com

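An added example, not code from the post or from Openswan/Shorewall, that models the one thing the configuration above makes certain: the conn's traffic selector is 172.23.92.13/32 on the left and 7.2.1.0/24 on the right, so a packet only falls inside the IPsec policy once its source address is already the NATted 172.23.92.13. Netfilter's FORWARD chain (where Shorewall's zone rules live) runs before the POSTROUTING SNAT that the "nat" file installs, so it is worth checking both views of a packet. The destination 7.2.1.5 and the internet address 8.8.8.8 are constructed sample inputs.

```python
import ipaddress

# Traffic selector taken from the ipsec.conf in the post (leftsubnet/rightsubnet).
CONN = {
    "leftsubnet": "172.23.92.13/32",
    "rightsubnet": "7.2.1.0/24",
}

# One-to-one NAT taken from the Shorewall "nat" file line:
#   172.23.92.13    eth1            192.168.1.220
# Constructed as a dict: internal address -> external (NATted) address.
ONE_TO_ONE_NAT = {"192.168.1.220": "172.23.92.13"}


def spd_selector(conn):
    """Return the (local, remote) networks the conn's IPsec policy covers."""
    return (
        ipaddress.ip_network(conn["leftsubnet"]),
        ipaddress.ip_network(conn["rightsubnet"]),
    )


def matches_policy(conn, src, dst):
    """True if a packet src -> dst falls within the conn's traffic selector."""
    left, right = spd_selector(conn)
    return ipaddress.ip_address(src) in left and ipaddress.ip_address(dst) in right


def apply_snat(src, nat_table):
    """Rewrite the source the way POSTROUTING one-to-one NAT would."""
    return nat_table.get(src, src)


def classify(conn, nat_table, src, dst):
    """Return (matches_before_snat, matches_after_snat) for a forwarded packet.

    The first value is what a check in FORWARD sees (pre-SNAT source);
    the second is what the packet looks like after POSTROUTING SNAT.
    """
    before = matches_policy(conn, src, dst)
    after = matches_policy(conn, apply_snat(src, nat_table), dst)
    return before, after


if __name__ == "__main__":
    for src, dst in [
        ("192.168.1.220", "7.2.1.5"),   # LAN host to the remote VPN subnet
        ("172.23.92.13", "7.2.1.5"),    # the NATted address itself
        ("192.168.1.220", "8.8.8.8"),   # LAN host to the internet
    ]:
        print(src, "->", dst, classify(CONN, ONE_TO_ONE_NAT, src, dst))
```

Run it and compare the two booleans per packet: a LAN packet to 7.2.1.0/24 is outside the selector until SNAT has rewritten its source, while a packet that already carries 172.23.92.13 is inside it in both views. If a zone decision is made on the pre-SNAT view, the two columns tell you which packets it can and cannot attribute to the IPsec policy.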
