[Openswan Users] FC6 iptables problem

Xunhua Wang wangxx at jmu.edu
Fri Mar 23 12:57:07 EDT 2007


Ok, I made the changes (I also added "iptables -t mangle -A INPUT -p udp
--dport 4500 -j MARK --set-mark 50" as my Windows client is behind a NAT)
and it got better but the problem persists.

Here is what I have from /var/log/secure

----- Start of /var/log/secure -----
Mar 23 11:47:13 Newton pluto[2816]: packet from 76.104.101.6:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000002]
Mar 23 11:47:13 Newton pluto[2816]: packet from 76.104.101.6:500: ignoring
Vendor ID payload [FRAGMENTATION]
Mar 23 11:47:13 Newton pluto[2816]: packet from 76.104.101.6:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
Mar 23 11:47:13 Newton pluto[2816]: "roadwarrior"[1] 76.104.101.6 #1:
responding to Main Mode from unknown peer 76.104.101.6
Mar 23 11:47:13 Newton pluto[2816]: "roadwarrior"[1] 76.104.101.6 #1:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 23 11:47:13 Newton pluto[2816]: "roadwarrior"[1] 76.104.101.6 #1:
STATE_MAIN_R1: sent MR1, expecting MI2
Mar 23 11:47:13 Newton pluto[2816]: "roadwarrior"[1] 76.104.101.6 #1:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Mar 23 11:47:13 Newton pluto[2816]: "roadwarrior"[1] 76.104.101.6 #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 23 11:47:13 Newton pluto[2816]: "roadwarrior"[1] 76.104.101.6 #1:
STATE_MAIN_R2: sent MR2, expecting MI3
Mar 23 11:47:13 Newton pluto[2816]: "roadwarrior"[1] 76.104.101.6 #1: Main
mode peer ID is ID_DER_ASN1_DN: 'C=US, ... CN=IPsec VPN Client 001'
Mar 23 11:47:13 Newton pluto[2816]: "roadwarrior"[1] 76.104.101.6 #1: crl
update for "C=US, ..., CN=Crypto CA" is overdue since Jun 04 01:53:24 UTC
2006
Mar 23 11:47:13 Newton pluto[2816]: "roadwarrior"[1] 76.104.101.6 #1:
switched from "roadwarrior" to "roadwarrior"
Mar 23 11:47:13 Newton pluto[2816]: "roadwarrior"[2] 76.104.101.6 #1:
deleting connection "roadwarrior" instance with peer 76.104.101.6
{isakmp=#0/ipsec=#0}
Mar 23 11:47:13 Newton pluto[2816]: "roadwarrior"[2] 76.104.101.6 #1: I am
sending my cert
Mar 23 11:47:13 Newton pluto[2816]: "roadwarrior"[2] 76.104.101.6 #1:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 23 11:47:13 Newton pluto[2816]: | NAT-T: new mapping
76.104.101.6:500/1300)
Mar 23 11:47:13 Newton pluto[2816]: "roadwarrior"[2] 76.104.101.6 #1:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Mar 23 11:47:13 Newton pluto[2816]: "roadwarrior-l2tp-updatedwin"[1]
76.104.101.6 #2: responding to Quick Mode {msgid:d78e8449}
Mar 23 11:47:13 Newton pluto[2816]: "roadwarrior-l2tp-updatedwin"[1]
76.104.101.6 #2: transition from state STATE_QUICK_R0 to state
STATE_QUICK_R1
Mar 23 11:47:13 Newton pluto[2816]: "roadwarrior-l2tp-updatedwin"[1]
76.104.101.6 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed,
expecting QI2
Mar 23 11:47:13 Newton pluto[2816]: "roadwarrior-l2tp-updatedwin"[1]
76.104.101.6 #2: transition from state STATE_QUICK_R1 to state
STATE_QUICK_R2
Mar 23 11:47:13 Newton pluto[2816]: "roadwarrior-l2tp-updatedwin"[1]
76.104.101.6 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x9c9d09ad
<0x4175cada xfrm=3DES_0-HMAC_MD5 NATD=76.104.101.6:1300 DPD=none}
Mar 23 11:47:18 Newton pluto[2816]: ERROR: asynchronous network error report
on eth1 (sport=4500) for message to 76.104.101.6 port 1300, complainant
134.126.34.124: No route to host [errno 113, origin ICMP type 3 code 1 (not
authenticated)]
Mar 23 11:47:40 Newton last message repeated 15 times
Mar 23 11:47:48 Newton pluto[2816]: "roadwarrior"[2] 76.104.101.6 #1:
received Delete SA(0x9c9d09ad) payload: deleting IPSEC State #2
Mar 23 11:47:48 Newton pluto[2816]: "roadwarrior"[2] 76.104.101.6 #1:
deleting connection "roadwarrior-l2tp-updatedwin" instance with peer
76.104.101.6 {isakmp=#0/ipsec=#0}
Mar 23 11:47:48 Newton pluto[2816]: "roadwarrior"[2] 76.104.101.6 #1:
received and ignored informational message
Mar 23 11:47:48 Newton pluto[2816]: "roadwarrior"[2] 76.104.101.6 #1:
received Delete SA payload: deleting ISAKMP State #1
Mar 23 11:47:48 Newton pluto[2816]: "roadwarrior"[2] 76.104.101.6: deleting
connection "roadwarrior" instance with peer 76.104.101.6
{isakmp=#0/ipsec=#0}
Mar 23 11:47:48 Newton pluto[2816]: packet from 76.104.101.6:1300: received
and ignored informational message
Mar 23 11:47:51 Newton pluto[2816]: ERROR: asynchronous network error report
on eth1 (sport=4500) for message to 76.104.101.6 port 1300, complainant
134.126.34.124: No route to host [errno 113, origin ICMP type 3 code 1 (not
authenticated)]
Mar 23 11:47:51 Newton pluto[2816]: ERROR: asynchronous network error report
on eth1 (sport=4500) for message to 76.104.101.6 port 1300, complainant
134.126.34.124: No route to host [errno 113, origin ICMP type 3 code 1 (not
authenticated)]
Mar 23 11:48:14 Newton sshd[3480]: pam_unix(sshd:session): session closed
for user root
Mar 23 11:48:48 Newton sshd[3569]: Accepted password for root from
76.104.101.6 port 3046 ssh2
Mar 23 11:48:48 Newton sshd[3569]: pam_unix(sshd:session): session opened
for user root by (uid=0)
----- End of /var/log/secure -----

Here is what I got in /var/log/messages
----- Start of /var/log/messages -----
Mar 23 11:47:20 Newton xl2tpd[3510]: Maximum retries exceeded for tunnel
31605.  Closing. 
Mar 23 11:47:20 Newton xl2tpd[3510]: Connection 9 closed to 76.104.101.6,
port 1701 (Timeout) 
Mar 23 11:47:35 Newton xl2tpd[3510]: Maximum retries exceeded for tunnel
44457.  Closing. 
Mar 23 11:47:35 Newton xl2tpd[3510]: Connection 9 closed to 76.104.101.6,
port 1701 (Timeout)
----- End of /var/log/messages -----

What have I forgotten?

Thanks,

Steve

> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Thursday, March 22, 2007 11:13 PM
> To: Xunhua Wang
> Cc: users at openswan.org
> Subject: RE: [Openswan Users] FC6 iptables problem
> 
> On Thu, 22 Mar 2007, Xunhua Wang wrote:
> 
> > > You must allow all decrypted packets, which means using the MARK
> > > facility to mark the encrypted packets, and then using the mark to
> > > ACCEPT them after decryption. This is due to netkey not having
> > > separate interfaces.
> >
> > What commands should I use? With the following command to mark ESP
> > packets?
> > iptables -t mangle -A INPUT -p 50 -j MARK --set-mark 50
> 
> > How to accept them after decryption?
> 
> iptables -A INPUT -m mark --mark 50 -j ACCEPT
> 
> > One weird thing is that I do _not_ have to do this on our RedHat
> > Enterprise Linux 4 box ("Linux Openswan U2.4.5/K2.6.9-5.ELsmp (netkey)"),
> > which has iptables v1.2.11. What makes FC6 different? (The FC6 box has
> > iptables v1.3.5)
> 
> The amount of changes to the XFRM and the NAT subsystem between 2.6.9 and
> 2.6.20 are huge. Patrick McHardy's code changed a lot.
> 
> > > did you run ipsec verify ?
> > Yes. The output is as follows, which looks normal.
> 
> Indeed.
> 
> Paul
> --
> Building and integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
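The mark-based rule set discussed in this thread, collected into one script as an added example. This is not code posted by Steve or Paul and not part of Openswan; it reproduces the rules they quote (mark ESP in the mangle table, mark UDP/4500 for a NAT-T client, ACCEPT by mark in the filter table) and adds, as the editor's own assumptions, a mark on UDP/500, a print-only mode that runs nothing unless APPLY=1, a counter check, and a rule that accepts L2TP/1701 only when the packet still carries the mark from decryption.

```shell
#!/bin/sh
# Added example (not from the thread): mark-based iptables rules for an
# Openswan/netkey L2TP road-warrior box. Prints the commands by default;
# set APPLY=1 to execute them. Mark value 50 is the one used in the thread;
# the udp/500 mark, the 1701 restriction and the counter check are
# assumptions of this example, not rules quoted by Paul or Steve.

MARK=${MARK:-50}      # fwmark value carried from the encrypted packet to its plaintext
APPLY=${APPLY:-0}     # 1 = run iptables, 0 = only print what would be run

# ipt: echo the full iptables command, and execute it only when APPLY=1.
ipt() {
    printf 'iptables %s\n' "$*"
    if [ "$APPLY" = 1 ]; then
        iptables "$@"
    fi
}

# mark_encrypted: tag IKE/ESP packets before decryption. With netkey there is
# no ipsec0 interface, so the mark that survives decapsulation is the filter
# table's only way to recognise "this payload came out of an IPsec SA".
mark_encrypted() {
    ipt -t mangle -A INPUT -p 50 -j MARK --set-mark "$MARK"                 # raw ESP
    ipt -t mangle -A INPUT -p udp --dport 500 -j MARK --set-mark "$MARK"    # IKE (assumption)
    ipt -t mangle -A INPUT -p udp --dport 4500 -j MARK --set-mark "$MARK"   # NAT-T, client behind NAT
}

# accept_marked: pass marked traffic, both the encrypted packet on its first
# trip through INPUT and the decrypted payload on its second.
accept_marked() {
    ipt -A INPUT -m mark --mark "$MARK" -j ACCEPT
}

# restrict_l2tp: decrypted L2TP control packets arrive on udp/1701 with the
# mark still set, so unmarked 1701 is L2TP that was never inside ESP.
# This rule is the editor's assumption, not part of the thread.
restrict_l2tp() {
    ipt -A INPUT -p udp --dport 1701 -m mark ! --mark "$MARK" -j DROP
}

# ipsec_mark_rules: the complete rule set, in the order it must be applied.
ipsec_mark_rules() {
    mark_encrypted
    accept_marked
    restrict_l2tp
}

# check_counters: after a client connects, the mangle rules for ESP/4500 and
# the filter ACCEPT-by-mark rule should both count packets. If the mangle
# counters move but the ACCEPT rule's do not, an earlier INPUT rule is
# swallowing the decrypted packets before the mark is consulted.
check_counters() {
    ipt -t mangle -L INPUT -v -n
    ipt -L INPUT -v -n
}

ipsec_mark_rules
```

Because the rules use -A, the ACCEPT-by-mark rule is appended after whatever is already in INPUT; on a stock Fedora ruleset that jumps to a chain ending in a catch-all REJECT, the appended rule is never reached, so either insert it with -I or place it ahead of that jump, then confirm with check_counters that the ACCEPT rule's packet counter rises while a client is connected.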
