[Openswan Users] openswan with a virtual ethernet
ACasella
antony.casella at sand.com
Mon May 28 13:11:18 EDT 2007
Hello,
I am having quite some trouble trying to set up openswan using 2
differently configured servers.
Server 1 is a RH9 2.4 kernel machine with 2 physical ethernet adapters
eth0 and eth1. This server has a public IP and a subnet behind it with
the value of 192.0.1.0/32 on eth1
Linux Openswan 1.0.3
Server 2 is a FC6 2.6 kernel machine with a single ethernet card
(eth0). I am adding a virtual ethernet by using the "ifconfig eth0:1
192.168.1.1" command. This server does not have a subnet behind it but
does have a public IP address.
Linux Openswan U2.4.5/K2.6.20-1.2948.fc6 (netkey)
I can successfully set up a host-to-host connection and this can be
verified by seeing the ESP packets with tcpdump when I ping External IP
to External IP.
I cannot however see any packets trying to ping from a client on the
subnet of server1 to the fake eth0:1 ip 192.168.1.1 or vice versa.
I have tried various combinations in my .conf file. My current .conf
file looks like:
conn net-to-net
left=207.35.xxx.xxx
leftsubnet=192.0.1.0/32
leftid=@sand
leftnexthop=192.0.1.23
leftrsasigkey=0sAQOCJnWPCDDF...
right=72.55.xxx.xxx
rightsubnet=192.168.1.0/32
rightid=@vdki
rightrsasigkey=EXFm89tuvl...
rightnexthop=%defaultroute
auto=add
I tried changing rightnexthop to 192.168.1.1 and the connection fails
(no route). My iptables have the following for each respective server:
Server1
-A POSTROUTING -s 192.0.1.0/255.255.255.0 -o eth0 -d ! 192.168.1.0/32 -j MASQUERADE
-A INPUT -p tcp -m tcp --dport 50 --syn -j ACCEPT
-A INPUT -p tcp -m tcp --dport 51 --syn -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
Server2
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -d ! 192.0.1.0/32 -j MASQUERADE
-A INPUT -p 50 -j ACCEPT
-A INPUT -p 51 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
I have net.ipv4.ip_forward = 1 in sysctl.conf
Is this scenario even possible?
Perhaps my logic in the setup is flawed as all I want to do is use
server 2 as a remote proxy server for various ports and protocols for
the clients behind server1. We want to have all traffic encrypted from
the clients behind server1 to server2.
I looked through the archives of this list but I may not know the
correct nomenclature of what I am trying to achieve so I apologize if
this question has been asked before.
Thank you
Antony Casella
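The post above hinges on three things a reader would want to check mechanically before going further: whether a "subnet" given with a /32 prefix really describes a network, whether the host being pinged (192.168.1.1) falls inside the rightsubnet and the MASQUERADE exclusion that the tunnel and NAT rules name, and whether the firewall admits ESP and AH as IP protocols 50 and 51 rather than as TCP ports. The following script is an added example written for this thread, not code from the poster or from the Openswan project. It builds its input from the conn block and Server1 rules quoted in the post, with the poster's public addresses replaced by documentation addresses (203.0.113.x) and the RSA keys by placeholders, and it also carries a constructed rule set that passes every check so the two can be compared. The expected-open-port table (ESP, UDP 500, UDP 4500) and the protocol numbers are standard IPsec facts; everything else is an assumption of the example.

```python
"""Sanity checks for a net-to-net IPsec setup: the ipsec.conf conn block and
the iptables rules around it. Added example, not part of the post."""
import ipaddress
import shlex

# Constructed input modelled on the post's conn block; public IPs replaced with
# documentation addresses (203.0.113.0/24), key material with placeholders.
SAMPLE_CONF = """\
conn net-to-net
    left=203.0.113.10
    leftsubnet=192.0.1.0/32
    leftid=@sand
    leftnexthop=192.0.1.23
    leftrsasigkey=0sPLACEHOLDER-LEFT
    right=203.0.113.20
    rightsubnet=192.168.1.0/32
    rightid=@vdki
    rightrsasigkey=0sPLACEHOLDER-RIGHT
    rightnexthop=%defaultroute
    auto=add
"""

# Server1's rules as quoted in the post (wrapped line rejoined) ...
SERVER1_RULES = """\
-A POSTROUTING -s 192.0.1.0/255.255.255.0 -o eth0 -d ! 192.168.1.0/32 -j MASQUERADE
-A INPUT -p tcp -m tcp --dport 50 --syn -j ACCEPT
-A INPUT -p tcp -m tcp --dport 51 --syn -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
"""

# ... and a constructed rule set that passes every check below.
CLEAN_RULES = """\
-A POSTROUTING -s 192.0.1.0/24 -o eth0 ! -d 192.168.1.0/24 -j MASQUERADE
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
"""

# What an IPsec peer must accept: ESP itself, IKE and NAT-T.
REQUIRED = {("esp", None): "ESP (IP protocol 50)",
            ("udp", "500"): "IKE (UDP 500)",
            ("udp", "4500"): "NAT-T (UDP 4500)"}
PROTO_NAMES = {"50": "esp", "51": "ah"}   # numeric -p values and their names


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conns


def parse_rule(line):
    """Map each iptables option to (negated, value); understands both the old
    '-d ! x' negation used in the post and the newer '! -d x' form."""
    toks, opts, i, negate = shlex.split(line), {}, 0, False
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            negate = True
        elif tok.startswith("-"):
            value = None
            if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                i += 1
                value = toks[i]
                if value == "!" and i + 1 < len(toks):
                    i += 1
                    value, negate = toks[i], True
            opts[tok] = (negate, value)
            negate = False
        i += 1
    return opts


def check_subnets(conn, remote_host):
    """A /32 'subnet' is a single address; also confirm the host we want to
    reach lies inside the remote subnet the tunnel is declared to carry."""
    findings = []
    for side in ("leftsubnet", "rightsubnet"):
        if side in conn:
            net = ipaddress.ip_network(conn[side], strict=False)
            if net.prefixlen == 32:
                findings.append(f"{side}={conn[side]} covers only {net.network_address}, not a network")
    if "rightsubnet" in conn and ipaddress.ip_address(remote_host) not in \
            ipaddress.ip_network(conn["rightsubnet"], strict=False):
        findings.append(f"{remote_host} is outside rightsubnet={conn['rightsubnet']}; the tunnel will not carry it")
    return findings


def check_firewall(rules_text, remote_host):
    """Flag ESP/AH written as TCP/UDP ports, missing IPsec ACCEPT rules, and a
    MASQUERADE exclusion that does not cover the remote host."""
    findings, accepted = [], set()
    for line in filter(str.strip, rules_text.splitlines()):
        r = parse_rule(line)
        val = lambda k: r.get(k, (False, None))[1]
        proto = PROTO_NAMES.get(val("-p"), val("-p"))
        if val("-A") == "INPUT" and val("-j") == "ACCEPT":
            if proto in ("tcp", "udp") and val("--dport") in ("50", "51"):
                findings.append(f"'{line}': ESP/AH are IP protocols 50/51, not {proto} ports; use -p esp / -p ah")
            else:
                accepted.add((proto, val("--dport")))
        if val("-j") == "MASQUERADE" and "-d" in r:
            negated, dst = r["-d"]
            if negated and ipaddress.ip_address(remote_host) not in ipaddress.ip_network(dst, strict=False):
                findings.append(f"MASQUERADE exclusion '! {dst}' does not cover {remote_host}")
    for key, label in REQUIRED.items():
        if key not in accepted:
            findings.append(f"no INPUT rule accepts {label}")
    return findings


if __name__ == "__main__":
    conn = parse_conns(SAMPLE_CONF)["net-to-net"]
    for f in check_subnets(conn, "192.168.1.1") + check_firewall(SERVER1_RULES, "192.168.1.1"):
        print("WARN:", f)
    print("clean rule set:", check_firewall(CLEAN_RULES, "192.168.1.1") or "no findings")
```

Run against the quoted configuration the script reports that both subnets are single addresses, that 192.168.1.1 is neither inside rightsubnet nor excluded from masquerading, that the two TCP rules on "ports" 50 and 51 do not admit ESP or AH, and that nothing therefore accepts ESP at all; the constructed clean rule set produces no findings. The check is deliberately syntactic and says nothing about KLIPS versus NETKEY packet ordering, which differs between the two kernels in the post.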