[Openswan Users] Help required: Trouble setting up openswan
Phil Wild
philwild at gmail.com
Thu Nov 29 09:00:40 EST 2007
Hi Peter,
Thanks for your help!
I completely shut down the firewalls for a few seconds tonight to test the
configuration and bang, everything works. So my issue is with the
restrictiveness of my shorewall firewall.
I will start digging in this direction now.
Many thanks
Phil
On 29/11/2007, Phil Wild <philwild at gmail.com> wrote:
>
> Hi Peter,
>
> Thanks for the help :-)
>
> It is good to know that the connection is active, just have to figure out
> where it is failing.
>
> I am using shorewall as a firewall and it is running on the hosts that I
> am trying to tie together. Because the connection appears to be established
> from your comments I am assuming I have the rules set correctly for the
> connection.
>
> I have tried pinging and ssh'ing between the hosts using the internal
> addresses and get no response. I have also now tried doing the same thing
> from hosts in each of the private networks and get the same result.
>
> I have cleared the shorewall configuration of all zones/interfaces that
> related to a vpn based on your comment about the data going to the external
> interface.
>
> My shorewall configuration looks like the below:
>
> root at zulu:/etc/shorewall# cat zones
> fwall firewall #
> loc ipv4 #
> net ipv4 #
>
>
> root at zulu:/etc/shorewall# cat interfaces
> net ppp0 detect
> dhcp,norfc1918,routefilter,blacklist,tcpflags,logmartians,nosmurfs
> loc eth1 detect tcpflags
>
> root at zulu:/etc/shorewall# cat policy
> fwall net ACCEPT
> fwall loc ACCEPT
> loc fwall ACCEPT
> net $FW DROP info
> net all REJECT info
> # The FOLLOWING POLICY MUST BE LAST
> all all DROP info
>
> root at zulu:/etc/shorewall# cat rules
> LOG:info fwall net: 192.168.10.0/24 all
> LOG:info net:192.168.10.0/24 $FW all
> ACCEPT net:202.72.167.27 all all
> ACCEPT net: 202.72.167.27 fwall 50
> ...other stuff deleted...
>
> I am not seeing any dropped packets
>
> If I ping from 10.3.0.3 to 192.168.10.2 I get the following in syslog on
> the sending host
>
> Nov 29 01:40:14 zulu kernel: [867825.734164] Shorewall:fwall2net:LOG:IN=
> OUT=ppp0 SRC=10.3.0.3 DST=192.168.10.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64
> ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=28735 SEQ=1
> Nov 29 01:40:15 zulu kernel: [867826.732619] Shorewall:fwall2net:LOG:IN=
> OUT=ppp0 SRC=10.3.0.3 DST=192.168.10.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64
> ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=28735 SEQ=2
> Nov 29 01:40:16 zulu kernel: [867827.731115] Shorewall:fwall2net:LOG:IN=
> OUT=ppp0 SRC=10.3.0.3 DST=192.168.10.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64
> ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=28735 SEQ=3
>
> but nothing on the receiving host.
>
> I have added the following to the config file at each side
>
> leftsourceip=192.168.10.2
> rightsourceip= 10.3.0.3
>
>
> Cheers
>
> Phil
>
>
>
> On 29/11/2007, Peter McGill <petermcgill at goco.net> wrote:
> >
> > This in a line in your status or logs indicates that you have a phase 1
> > connection:
> > STATE_MAIN_I4 (ISAKMP SA established)
> > This in a line in you status or logs indicates that you have a phase 2
> > connection:
> > STATE_QUICK_I2 (sent QI2, IPsec SA established)
> > Once you've received the IPsec SA established message you know the
> > connection is connected.
> > If you cannot ping the remote side, it could be due to firewall rules or
> > your conn settings, among other things.
> >
> > You only get an ipsec0 interface if your using KLIPS, which you only get
> > if you specifically install it and turn of NETKEY,
> > since NETKEY is enabled by default in most modern kernels. NETKEY is
> > also sometimes known as NATIVE and does not
> > have ipsec0 interface instead it reuses the public interface whatever it
> > is, in your case ppp0.
> > ipsec version or ipsec verify will tell you which one your using, and
> > are also good info to send to the list with your problem.
> >
> > Are your ping tests being done to and from the servers themselves or
> > from hosts on the subnets.
> > Either do your ping tests to and from hosts on the subnets or add
> > leftsourceip=<left server LAN ip> and rightsourceip to your conn.
> > If you've done this and still can't ping, it may be your firewall, are
> > you running firewall software or iptables on either server or between them?
> > If you you need to allow the ipsec traffic as follows:
> > protocol 17 (udp), port 500 (isakmp)
> > protocol 50 (esp)
> > protocol 17 (udp), port 4500 (nat-t) if your using nat traversal to get
> > through network address translation routers between the hosts.
> > You also need to allow the ping and other traffic that utilizes the
> > tunnels.
> > And you cannot NAT any of this traffic if your SNATing or MASQUERADEing
> > your LAN(s) to the internet.
> >
> > Peter McGill
> >
> >
> > ------------------------------
> > *From:* Phil Wild [mailto:philwild at gmail.com]
> > *Sent:* November 28, 2007 10:14 AM
> > *To:* Paul Wouters; petermcgill at goco.net; Users at openswan.org
> > *Subject:* Re: [Openswan Users] Help required: Trouble setting up
> > openswan
> >
> > Hi
> >
> > I have fixed the routing table and I think I have progressed a little
> > further. I have also turned off the plutodebug.
> >
> > netstat -rn shows
> >
> > root at zulu:~# netstat -rn
> > Kernel IP routing table
> > Destination Gateway Genmask Flags MSS Window irtt
> > Iface
> > 203.161.90.1 0.0.0.0 255.255.255.255 UH 0 0 0
> > ppp0
> > 10.3.0.0 0.0.0.0 255.255.255.0 U 0 0
> > 0 eth1
> > 192.168.10.0 203.161.90.1 255.255.255.0 UG 0 0
> > 0 ppp0
> > 0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0
> > ppp0
> >
> >
> > Should I see an ipsec interface here?
> >
> > I am still unsure if I am actually getting a valid connection. What I do
> > know is that I can not ping through the vpn
> >
> > running ipsec auto --status gives me:
> >
> > root at bravo:/var/log# ipsec auto --status
> > 000 interface lo/lo ::1
> > 000 interface lo/lo 127.0.0.1
> > 000 interface eth0/eth0 192.168.10.2
> > 000 interface eth1/eth1 202.72.167.27
> > 000 interface eth1:1/eth1:1 202.72.167.29
> > 000 %myid = (none)
> > 000 debug none
> > 000
> > 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
> > keysizemax=64
> > 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
> > keysizemax=192
> > 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
> > keysizemin=40, keysizemax=448
> > 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
> > keysizemax=0
> > 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
> > keysizemax=256
> > 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
> > keysizemin=128, keysizemax=256
> > 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
> > keysizemin=128, keysizemax=256
> > 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> > keysizemin=128, keysizemax=128
> > 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> > keysizemin=160, keysizemax=160
> > 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
> > keysizemin=256, keysizemax=256
> > 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
> > keysizemin=128, keysizemax=128
> > 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0,
> > keysizemax=0
> > 000
> > 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> > keydeflen=192
> > 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> > keydeflen=128
> > 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> > 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> > 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> > 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> > 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> > 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> >
> > 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> > 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> > 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> >
> > 000
> > 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
> > trans={0,0,0} attrs={0,0,0}
> > 000
> > 000 "bravo-zulu":
> > 192.168.10.0/24===202.72.167.27[@bravo.gastech.com.au]---202.72.167.25...203.161.90.1---203.161.71.190[@zulu]===10.3.0.0/24<http://192.168.10.0/24===202.72.167.27%5B@bravo.gastech.com.au%5D---202.72.167.25...203.161.90.1---203.161.71.190%5B@zulu%5D===10.3.0.0/24>;
> > erouted; eroute owner: #3
> > 000 "bravo-zulu": srcip=unset; dstip=unset; srcup=ipsec _updown;
> > dstup=ipsec _updown;
> > 000 "bravo-zulu": ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
> > 540s; rekey_fuzz: 100%; keyingtries: 0
> > 000 "bravo-zulu": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24;
> > interface: eth1;
> > 000 "bravo-zulu": newest ISAKMP SA: #1; newest IPsec SA: #3;
> > 000 "bravo-zulu": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
> > 000
> > 000 #3: "bravo-zulu":500 STATE_QUICK_I2 (sent QI2, IPsec SA
> > established); EVENT_SA_REPLACE in 28026s; newest IPSEC; eroute owner
> > 000 #3: "bravo-zulu" esp.2549d809 at 203.161.71.190
> > esp.f6c5b82a at 202.72.167.27 tun.0 at 203.161.71.190 tun.0 at 202.72.167.27
> > 000 #2: "bravo-zulu":500 STATE_QUICK_I2 (sent QI2, IPsec SA
> > established); EVENT_SA_REPLACE in 26858s
> > 000 #2: "bravo-zulu" esp.b72ad41a at 203.161.71.190
> > esp.e40902a at 202.72.167.27 tun.0 at 203.161.71.190 tun.0 at 202.72.167.27
> > 000 #1: "bravo-zulu":500 STATE_MAIN_I4 (ISAKMP SA established);
> > EVENT_SA_REPLACE in 1543s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
> > 000
> >
> >
> > ifconfig -a does not show an ipsec0 interface, should I see an ipsec
> > interface on the hosts?
> >
> > Cheers
> >
> > Phil
> >
> > On 27/11/2007, Paul Wouters <paul at xelerance.com> wrote:
> > >
> > > On Mon, 26 Nov 2007, Phil Wild wrote:
> > >
> > > > I posted the below to the list about a week ago and did not get any
> > > > responses. Does anyone have any ideas what is going wrong with my
> > > > configuration as I have not been able to get any further.
> > >
> > > > > Nov 20 14:25:15 bravo ipsec__plutorun: ...could not start conn
> > > "bravo-zulu"
> > > > > netstat -rn on host zulu shows:
> > > > >
> > > > > Destination Gateway Genmask Flags MSS
> > > Window irtt Iface
> > > > > 203.161.90.1 0.0.0.0 255.255.255.255 UH 0
> > > 0 0 ppp0
> > > > > 10.3.0.0 0.0.0.0 255.255.255.0 U 0
> > > 0 0 eth1
> > > > > 192.168.10.0 203.161.90.1 255.255.255.0 UG 0
> > > 0 0 ppp0
> > > > > 0.0.0.0 0.0.0.0 0.0.0.0 U 0
> > > 0 0 ppp0
> > >
> > > Blame your ISP if that is really the default route you got. Try
> > > changing to
> > > something that might make sense. Run a traceroute and check what your
> > > real gateway
> > > is, then do a "route add -host ipofgw dev ppp0" and "route add default
> > > gw ipofgw"
> > >
> > > Paul
> > >
> >
> >
> >
> > --
> > Tel: 0400 466 952
> > Fax: 0433 123 226
> > email: philwild at gmail.com
> >
> >
>
>
> --
> Tel: 0400 466 952
> Fax: 0433 123 226
> email: philwild at gmail.com
>
--
Tel: 0400 466 952
Fax: 0433 123 226
email: philwild at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20071129/f048b3af/attachment-0001.html
More information about the Users
mailing list