[Openswan Users] OpenSWAN 2.4.9 with fc8 does not want to route

Greg Scott GregScott at InfraSupportEtc.com
Wed Apr 2 03:12:46 EDT 2008 

After staring at this thing for the past several hours I may be closer
to an answer.  I disabled all firewall rules and zeroed all chains and
then my pings worked properly.  My left and right sides communicated
over the tunnel as advertised.  Go figure.  Digging deeper, I see an
interaction with iptables I don't understand.  

I sent 2 sets of 10 pings from the right side to the left side in my
testbed.  Here is the output of the FORWARD chain from iptables -L -v -n
on the left side.  This is going to wrap, so it will look ugly - but
here goes.  Notice the packet accounting at the top - 0 packets, 0
bytes.  That makes no sense - it should say 20 packets.  Right
underneath that, the very first rule, I log everything that hits the
FORWARD chain.  And there are the 20 ICMP packets.  Those 20 packets are
also logged in /var/log/messages.  I will paste in an extract below.
And then a little farther down, I ACCEPT everything coming in on eth1,
the trusted LAN interface.  

But for some reason I still don't understand, this stuff tries to go
outside the tunnel - but only when iptables rules are loaded.

And how can I log and ACCEPT 20 packets, but the accounting at the top
says 0 packets?

There has to be some goofy kernel stuff going on here...

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source
destination
   20  1200 LOG        all  --  *      *       0.0.0.0/0
0.0.0.0/0           LOG flags 0 level 4 prefix `FWD '
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       67.107.38.9
0.0.0.0/0
    0     0 ACCEPT     all  --  ppp+   *       0.0.0.0/0
0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       66.173.97.0/27
0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       74.94.87.89
0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           MARK match 0x32
   20  1200 ACCEPT     all  --  eth1   *       0.0.0.0/0
0.0.0.0/0
    0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0
0.0.0.0/0
    0     0 allowed    tcp  --  *      *       0.0.0.0/0
192.168.0.251       tcp dpt:25
    0     0 allowed    tcp  --  *      *       0.0.0.0/0
192.168.0.253       tcp dpt:25
    0     0 allowed    tcp  --  *      *       0.0.0.0/0
192.168.0.180       tcp dpt:25
    0     0 allowed    tcp  --  *      *       0.0.0.0/0
192.168.0.180       tcp dpt:80
    0     0 allowed    tcp  --  *      *       0.0.0.0/0
192.168.0.180       tcp dpt:443
    0     0 allowed    tcp  --  *      *       0.0.0.0/0
192.168.0.248       tcp dpt:88
    0     0 allowed    tcp  --  *      *       0.0.0.0/0
192.168.0.208       tcp dpt:9000
    0     0 allowed    tcp  --  *      *       0.0.0.0/0
192.168.0.250       tcp dpt:5900
    0     0 allowed    tcp  --  *      *       0.0.0.0/0
192.168.0.89        tcp dpt:6112
    0     0 allowed    tcp  --  *      *       0.0.0.0/0
192.168.0.253       tcp dpt:80
    0     0 LOG        all  --  *      *       0.0.0.0/0
0.0.0.0/0           LOG flags 0 level 4
    0     0 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0


Here is an extract from /var/log/messages with the logs of my outbound
ICMP packets:

[root at hq-fw firewall-scripts]# tail /var/log/messages
Apr  2 01:45:21 localmotion-fw kernel: FWD IN=eth1 OUT=eth0
SRC=192.168.0.2 DST=192.168.13.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=13622 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=33541
Apr  2 01:45:24 localmotion-fw kernel: FWD IN=eth1 OUT=eth0
SRC=192.168.0.2 DST=192.168.13.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=13623 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=33797
Apr  2 01:45:27 localmotion-fw kernel: FWD IN=eth1 OUT=eth0
SRC=192.168.0.2 DST=192.168.13.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=13624 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=34053
Apr  2 01:45:30 localmotion-fw kernel: FWD IN=eth1 OUT=eth0
SRC=192.168.0.2 DST=192.168.13.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=13625 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=34309
Apr  2 01:45:33 localmotion-fw kernel: FWD IN=eth1 OUT=eth0
SRC=192.168.0.2 DST=192.168.13.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=13626 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=34565
Apr  2 01:45:36 localmotion-fw kernel: FWD IN=eth1 OUT=eth0
SRC=192.168.0.2 DST=192.168.13.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=13627 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=34821
Apr  2 01:45:39 localmotion-fw kernel: FWD IN=eth1 OUT=eth0
SRC=192.168.0.2 DST=192.168.13.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=13628 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=35077
Apr  2 01:45:42 localmotion-fw kernel: FWD IN=eth1 OUT=eth0
SRC=192.168.0.2 DST=192.168.13.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=13629 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=35333
Apr  2 01:45:45 localmotion-fw kernel: FWD IN=eth1 OUT=eth0
SRC=192.168.0.2 DST=192.168.13.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=13630 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=35589
Apr  2 01:45:48 localmotion-fw kernel: FWD IN=eth1 OUT=eth0
SRC=192.168.0.2 DST=192.168.13.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=13631 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=35845

- Greg Scott

More information about the Users mailing list