[Openswan Users] NAT problem??

Peter McGill petermcgill at goco.net
Thu Jul 12 09:25:22 EDT 2007


Your tunnel is up, I can't think of anything that would cause packets to
not use it, except the kernel networking, forward and iptables.
I'm resending to the list in case anyone else has another idea.
 
ipsec verify says forwarding is on but we can verify manually with:
cat /proc/sys/net/ipv4/ip_forward
should be 1
 
We can check iptables for problems by listing all rules and policies.
iptables -t filter -n -L -v
iptables -t nat -n -L -v
iptables -t mangle -n -L -v
 
The tunnel is up but maybe there is a hint of the problem in the logs.
egrep -e 'pluto' /var/log/*

 
Peter McGill
 


________________________________

	From: Rafał Radecki [mailto:radecki.rafal at gmail.com] 
	Sent: July 12, 2007 3:13 AM
	To: petermcgill at goco.net
	Subject: Re: [Openswan Users] NAT problem??
	
	
	The default policies are set to ACCEPT. I can ping gateways' interfaces mentioned earlier from laptops. 
	
	Rafał Radecki
	
	
	2007/7/10, Peter McGill <petermcgill at goco.net>:

		iptables can still drop packets with no rules if the default policy is set to drop.
		Can you ping the local linux boxes directly from the connected laptops?
		 
		ie)
		Laptop 1 (172.16.2.2, Win2K): ping 172.16.2.1
		Laptop 2 (172.16.1.2, Win2K): ping 172.16.1.1
		
		Peter McGill
		 


________________________________

			From: Rafał Radecki [mailto:radecki.rafal at gmail.com] 
			Sent: July 10, 2007 9:43 AM
			To: petermcgill at goco.net
			Subject: Re: [Openswan Users] NAT problem??
			
			
			Hi. These two gateways are connected to one switch, only for testing. There are no rules defined in iptables.
			
			
			2007/7/10, Peter McGill <petermcgill at goco.net>:

				> -----Original Message-----
				> Date: Tue, 10 Jul 2007 14:40:21 +0200 
				> From: "Rafał Radecki" <radecki.rafal at gmail.com>
				> Subject: [Openswan Users] NAT problem??
				> To: users at openswan.org
				>
				> Hello. I have two gateways which have Openswan installed on
				> them. My config
				> file is like this:
				>
				> # basic configuration
				> config setup
				>         # plutodebug / klipsdebug = "all", "none" or a
				> combination from below:
				>         # "raw crypt parsing emitting control klips pfkey
				> natt x509 private"
				>         # eg:
				>         # plutodebug="control parsing"
				>         # 
				>         # Only enable klipsdebug=all if you are a developer
				>         #
				>         # NAT-TRAVERSAL support, see README.NAT-Traversal
				>         nat_traversal=yes
				>
				>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
				>         #
				>         # enable this if you see "failed to find any available worker"
				>         nhelpers=0
				>
				> # Add connections here
				> conn gda-war
				>         left= 192.168.2.133
				>         leftsubnet= 172.16.1.0/24
				>         leftid=@vpn2
				>         leftrsasigkey=0sAQ...
				>         leftnexthop=%defaultroute 
				>         #leftnexthop= 172.16.2.1
				>         right=192.168.2.183
				>         rightsubnet=172.16.2.0/24 
				>         rightid=@vpn1
				>         rightrsasigkey=0sAQ...
				>         rightnexthop=%defaultroute
				>         #rightnexthop= 172.16.1.1
				>         keyingtries=2
				>         auto=start 
				> # sample VPN connections, see /etc/ipsec.d/examples/
				>
				> #Disable Opportunistic Encryption
				> include /etc/ipsec.d/examples/no_oe.conf
				>
				> Gateway 1 (vpn1): eth0: 192.168.2.183    eth1: 172.16.1.1
				> laptop-connected-to-eth0: 172.16.1.2
				> Gateway 2 (vpn2): eth0: 192.168.2.133    eth1: 172.16.2.1
				> laptop-connected-to-eth0: 172.16.2.2
				> Output of command ipsec verify:
				>
				> Checking your system to see if IPsec got installed and 
				> started correctly:
				> Version check and ipsec on-path                                 [OK]
				> Linux Openswan U2.4.6/K2.6.18-4-686 (netkey)
				> Checking for IPsec support in kernel                            [OK] 
				> NETKEY detected, testing for disabled ICMP send_redirects       [OK]
				> NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
				> Checking for RSA private key (/etc/ipsec.secrets)               [OK] 
				> Checking that pluto is running                                  [OK]
				> Two or more interfaces found, checking IP forwarding            [OK]
				> Checking NAT and MASQUERADEing
				> Checking for 'ip' command                                       [OK] 
				> Checking for 'iptables' command                                 [OK]
				> Opportunistic Encryption Support                                [DISABLED]
				>
				> Output of command ipsec auto --up gda-war:
				>
				> vpn2:/usr/share/doc/openswan/doc# ipsec auto --up gda-war 
				> 117 "gda-war" #3: STATE_QUICK_I1: initiate
				> 004 "gda-war" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
				> {ESP=>0xae5372fe <0xb05cebcf xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none} 
				> vpn2:/usr/share/doc/openswan/doc#
				>
				> Output of command route:
				>
				> vpn2:/etc/apt# route
				> Kernel IP routing table
				> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
				> 172.16.2.0      tygrys.olimp.dg 255.255.255.0   UG    0      0        0 eth0
				> 192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
				> 172.16.1.0      *               255.255.255.0   U     0      0        0 eth1
				> default         tygrys.olimp.dg 0.0.0.0         UG    0      0        0 eth0
				> vpn2:/etc/apt#
				>
				> The problem is that two laptops connected to eth1 interfaces on both
				> gateways can't ping each other. When I use tcpdump -n -i eth0 there are
				> no ESP packets in the output despite the fact that the ping command is
				> active all the time.
				>
				> Laptop 1 ( 172.16.2.2 , Win2K): ping -t 172.16.1.2
				> Laptop 2 (172.16.1.2, Win2K): ping -t 172.16.2.2 
				>
				> I tried many things but can't find the bug. Every help will be greatly
				> appreciated;-)
				
				Alright, from your configs, it looks like you're connecting both to
				the 192.168.2.x LAN for testing, and not using internet connections?
				Is that correct, or do you have 192.168.2.x behind two different internet
				routers?
				
				Are you allowing traffic through your firewall? I'd guess that iptables
				is dropping the packets.
				You need to allow -p 50, -p udp --dport 500 and -p udp --sport 500.
				(ESP and ISAKMP; IPSec)
				You'll also need to allow the LAN to LAN traffic (the pings) and not NAT it.
				There are plenty of examples of how to do this, just search the list for them.
				
				Peter
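As an added example (not part of this thread or of Openswan), a Python check that reads an iptables-save dump and reports whether the rules Peter lists are in place: ESP and UDP 500 accepted on INPUT, both LAN subnets allowed in FORWARD, and the LAN-to-LAN NAT exemption placed before any MASQUERADE rule. The dump, the subnet arguments and the function names are constructed to match the vpn2 gateway described above.

```python
import re
# Constructed iptables-save dump modelled on the thread's vpn2 gateway (local LAN
# 172.16.2.0/24 behind eth1, remote LAN 172.16.1.0/24, WAN eth0); not from the post.
SAMPLE_DUMP = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.16.2.0/24 -d 172.16.1.0/24 -j ACCEPT
-A POSTROUTING -s 172.16.2.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A FORWARD -s 172.16.2.0/24 -d 172.16.1.0/24 -j ACCEPT
-A FORWARD -s 172.16.1.0/24 -d 172.16.2.0/24 -j ACCEPT
COMMIT
"""

def parse_dump(text):
    """Split iptables-save output into {table: {"policy": {chain: policy}, "rules": [...]}}."""
    tables, cur = {}, None
    for line in text.splitlines():
        if line.startswith("*"):             # table header, e.g. *filter
            cur = line[1:]
            tables[cur] = {"policy": {}, "rules": []}
        elif line.startswith(":") and cur:   # chain policy, e.g. :INPUT DROP [0:0]
            chain, policy = line[1:].split()[:2]
            tables[cur]["policy"][chain] = policy
        elif line.startswith("-A") and cur:  # rules, kept in kernel evaluation order
            tables[cur]["rules"].append(line)
    return tables

def check_ipsec_rules(text, local, remote):
    """Report which of the thread's firewall requirements the dump meets."""
    t = parse_dump(text)
    filt = t.get("filter", {"policy": {}, "rules": []})
    post = [r for r in t.get("nat", {"rules": []})["rules"] if r.startswith("-A POSTROUTING")]
    fr, loc, rem = filt["rules"], re.escape(local), re.escape(remote)
    has = lambda pat: any(re.search(pat, r) for r in fr)
    # An ACCEPT chain policy passes traffic without an explicit rule (the thread's default-policy point).
    in_open, fwd_open = (filt["policy"].get(c) == "ACCEPT" for c in ("INPUT", "FORWARD"))
    # The LAN-to-LAN exemption must precede any MASQUERADE/SNAT rule, or the ping's source is rewritten.
    exempt = next((i for i, r in enumerate(post) if re.search(rf"-s {loc} -d {rem} .*-j ACCEPT", r)), None)
    first_nat = next((i for i, r in enumerate(post) if re.search(r"-j (MASQUERADE|SNAT)", r)), None)
    return {
        "esp_in": in_open or has(r"^-A INPUT .*-p (esp|50)\b.*-j ACCEPT"),
        "isakmp_in": in_open or has(r"^-A INPUT .*-p udp .*--dport 500\b.*-j ACCEPT"),
        "lan_fwd_out": fwd_open or has(rf"^-A FORWARD .*-s {loc} -d {rem} .*-j ACCEPT"),
        "lan_fwd_in": fwd_open or has(rf"^-A FORWARD .*-s {rem} -d {loc} .*-j ACCEPT"),
        "lan_not_natted": first_nat is None or (exempt is not None and exempt < first_nat),
    }
```

Run it against the real output of iptables-save on the gateway; a False entry points at the table Peter's reply tells you to inspect.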
				
				


			


