[Openswan Users] one way tunnel
Peter McGill
petermcgill at goco.net
Thu Jun 21 12:05:04 EDT 2007
> -----Original Message-----
> From: Bruce Ferrell [mailto:bferrell at baywinds.org]
> Sent: June 21, 2007 10:16 AM
> To: petermcgill at goco.net
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] one way tunnel
>
>
>
> Peter McGill wrote:
> >>-----Original Message-----
> >>Date: Wed, 20 Jun 2007 09:37:54 -0700
> >>From: Bruce Ferrell <bferrell at baywinds.org>
> >>Subject: [Openswan Users] one way tunnel
> >>To: users at openswan.org
> >>
> >>I'm new to openswan and I've been digging through the available
> >>documentation for the last week for a problem that is making me nuts.
> >>
> >>I'm trying to do a subnet-subnet tunnel and can ping from the right subnet to
> >>the left subnet but I can't ping from the left to the right. Is there
> >>something wrong in the config below?
> >>
> >>Thanks in advance
> >>
> >>conn NYCPOP
> >> auth=esp
> >> authby=secret
> >> auto=start
> >> esp=3des-sha1
> >> ike=3des-sha1
> >> keyexchange=ike
> >> keyingtries=0
> >> left=66.92.17.98
> >> leftid=@bruce
> >> leftsubnet=192.0.2.0/24
> >> pfs=no
> >> right=64.74.247.1
> >> rightid=@0006B138EF44
> >> rightsubnet=192.168.10.0/24
> >> type=tunnel
> >
> >
> > Are you sure your leftsubnet is 192.0.2.0/24? 192.168.2.0/24 makes more sense.
> >
> > Otherwise, it looks fine. Tunnels work both ways, so I would guess you likely
> > have a firewall problem dropping the packets. Make sure you have firewall
> > rules in iptables to allow the private traffic from the other site.
> >
> > Do you have openswan on both sides or just one side?
> > If one which side and what is on the other side?
> >
> > Are you pinging from a host on the subnet or from the ipsec router?
> > If from the router add leftsourceip=192.0.2.? (router lan ip.) and
> > rightsourceip=192.168.10.? (other router lan ip)
> >
> > ipsec --version should tell you if you're using klips or netkey (native)
> > ipsec in the kernel. You need to know this because the firewall rules
> > differ depending on which.
> >
> > Be sure to add FORWARD and possibly INPUT rules for -s 192.0.2.0/24 (or 192.168.2.0/24).
> >
> > Peter
>
> Only one side is openswan. The other is a sonicwall firewall appliance.
> ipsec --version says I'm using netkey. What might the rules look like
> for my masquerade firewall? I didn't need them when I used a cipe
> tunnel before.
>
> Thanks for your help
>
> Bruce
Assuming openswan is on the left side: if you're using iptables
firewalling at all, then you'll need to set these to allow ipsec through.
iptables -t mangle -I PREROUTING -p 17 --dport 500 -j MARK --set-mark 1
iptables -t mangle -I PREROUTING -p 50 -j MARK --set-mark 1
If you're using NAT-T(raversal) then you'll also need:
iptables -t mangle -I PREROUTING -p 17 --dport 4500 -j MARK --set-mark 1
iptables -t filter -I INPUT -m mark --mark 1 -j ACCEPT
iptables -t filter -I OUTPUT -m mark --mark 1 -j ACCEPT
iptables -t filter -I FORWARD -m mark --mark 1 -j ACCEPT
iptables -t filter -I OUTPUT -d 192.168.10.0/24 -j ACCEPT
iptables -t filter -I FORWARD -d 192.168.10.0/24 -j ACCEPT
These are in addition to any firewall rules you already have.
You may also need to adjust your masquerade rule, which probably looks like
this:
iptables -t nat -A POSTROUTING -s 192.0.2.0/24 -j SNAT --to-source 66.92.17.98
You'll need to change it to...
iptables -t nat -A POSTROUTING -s 192.0.2.0/24 -m mark --mark 0 -j SNAT --to-source 66.92.17.98
Also, again, if you're pinging from the openswan machine itself you'll also
need leftsourceip=192.0.2.? (your private lan ip) in your conn.
192.0.2.0/24 is not in the private lan address space but in the public
Internet address space. Are you sure that is your correct lan, or is
it 192.168.2.0/24? That also needs to be correct.
Peter
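An added check for the two points in this reply (the leftsubnet sanity question and the NETKEY iptables rule set), written for this thread rather than taken from Openswan or either mail: the conn parser, the RFC 1918 test and the rule generator are assumptions of mine, and the sample conn is constructed from Bruce's config.

```python
"""Parse an ipsec.conf conn, check its subnets, and emit the NETKEY rules from the reply."""
import ipaddress
import re

# Constructed sample: the relevant lines of Bruce's conn, including the questionable leftsubnet.
SAMPLE_CONF = """
conn NYCPOP
 authby=secret
 auto=start
 left=66.92.17.98
 leftsubnet=192.0.2.0/24
 right=64.74.247.1
 rightsubnet=192.168.10.0/24
 type=tunnel
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_conn(text, name):
    """Return {key: value} for the named conn section (indented key=value lines)."""
    conf, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = m.group(1)
            continue
        if current == name and "=" in line:
            k, v = line.strip().split("=", 1)
            conf[k] = v
    return conf

def subnet_warnings(conn):
    """Flag subnets outside RFC 1918 (192.0.2.0/24 is TEST-NET-1, not private LAN space)."""
    nets = {k: ipaddress.ip_network(conn[k], strict=True) for k in ("leftsubnet", "rightsubnet")}
    warns = [f"{k}={n} is not RFC 1918 private space, check it"
             for k, n in nets.items() if not any(n.subnet_of(p) for p in RFC1918)]
    if nets["leftsubnet"].overlaps(nets["rightsubnet"]):
        warns.append("leftsubnet and rightsubnet overlap")
    return warns

def netkey_rules(conn, nat_t=False):
    """The rules given in the reply, Openswan on the left, filled in from the conn."""
    lsub, rsub, left = conn["leftsubnet"], conn["rightsubnet"], conn["left"]
    rules = ["iptables -t mangle -I PREROUTING -p 17 --dport 500 -j MARK --set-mark 1",
             "iptables -t mangle -I PREROUTING -p 50 -j MARK --set-mark 1"]
    if nat_t:  # UDP 4500 only matters when NAT-Traversal is in use
        rules.append("iptables -t mangle -I PREROUTING -p 17 --dport 4500 -j MARK --set-mark 1")
    rules += [f"iptables -t filter -I {c} -m mark --mark 1 -j ACCEPT" for c in ("INPUT", "OUTPUT", "FORWARD")]
    rules += [f"iptables -t filter -I {c} -d {rsub} -j ACCEPT" for c in ("OUTPUT", "FORWARD")]
    # Masquerade rule as the reply rewrites it: only unmarked (mark 0) traffic is SNATed.
    rules.append(f"iptables -t nat -A POSTROUTING -s {lsub} -m mark --mark 0 -j SNAT --to-source {left}")
    return rules
```

Running subnet_warnings on the sample reports the leftsubnet problem Peter raises; swapping in 192.168.2.0/24 clears it.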