[Openswan Users] OpenSWAN 2.4.9 with fc8 does not want to route

Greg Scott GregScott at InfraSupportEtc.com
Wed Apr 2 04:00:31 EDT 2008


Nevermind . . .  Chalk it up to lack of sleep I guess.  The kernel is
just fine, my mind is messed up.  Although I still don't understand why
the iptables accounting was weird.  

My outbound box was MASQUERADEing when it wasn't supposed to.  I had
rules in place to skip that for ESP, AH, and UDP 500 and 4500.  It turns
out, I also need a rule for the IP Addresses on the other side of the
tunnel.  

Duh...

Here are the firewall rules I have in place:  

# With the Linux 2.6 netkey IPSEC stack, we need to make sure that
# tunneled packets are not NATed.  IPSEC tunnels will go out to
# many places.
echo "Skipping SNAT for tunneled packets"
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -p udp --sport 500 --dport 500 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -p udp --sport 4500 --dport 4500 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -p ah -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -p esp -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -d $PRIVATE_IPSEC_RANGE1 -j ACCEPT

That last rule with the address range is the one that did the trick.  

Now I think I'll go get some sleep...

- Greg



-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Greg Scott
Sent: Wednesday, April 02, 2008 2:13 AM
To: users at openswan.org
Subject: Re: [Openswan Users] OpenSWAN 2.4.9 with fc8 does not want to route

After staring at this thing for the past several hours I may be closer
to an answer.  I disabled all firewall rules and zeroed all chains and
then my pings worked properly.  My left and right sides communicated
over the tunnel as advertised.  Go figure.  Digging deeper, I see an
interaction with iptables I don't understand.  

I sent 2 sets of 10 pings from the right side to the left side in my
testbed.  Here is the output of the FORWARD chain from iptables -L -v -n
on the left side.  This is going to wrap, so it will look ugly - but
here goes.  Notice the packet accounting at the top - 0 packets, 0
bytes.  That makes no sense - it should say 20 packets.  Right
underneath that, the very first rule, I log everything that hits the
FORWARD chain.  And there are the 20 ICMP packets.  Those 20 packets are
also logged in /var/log/messages.  I will paste in an extract below.
And then a little farther down, I ACCEPT everything coming in on eth1,
the trusted LAN interface.  

But for some reason I still don't understand, this stuff tries to go
outside the tunnel - but only when iptables rules are loaded.

And how can I log and ACCEPT 20 packets, but the accounting at the top
says 0 packets?

There has to be some goofy kernel stuff going on here...

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   20  1200 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `FWD '
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       67.107.38.9          0.0.0.0/0
    0     0 ACCEPT     all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       66.173.97.0/27       0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       74.94.87.89          0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x32
   20  1200 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 allowed    tcp  --  *      *       0.0.0.0/0            192.168.0.251       tcp dpt:25
    0     0 allowed    tcp  --  *      *       0.0.0.0/0            192.168.0.253       tcp dpt:25
    0     0 allowed    tcp  --  *      *       0.0.0.0/0            192.168.0.180       tcp dpt:25
    0     0 allowed    tcp  --  *      *       0.0.0.0/0            192.168.0.180       tcp dpt:80
    0     0 allowed    tcp  --  *      *       0.0.0.0/0            192.168.0.180       tcp dpt:443
    0     0 allowed    tcp  --  *      *       0.0.0.0/0            192.168.0.248       tcp dpt:88
    0     0 allowed    tcp  --  *      *       0.0.0.0/0            192.168.0.208       tcp dpt:9000
    0     0 allowed    tcp  --  *      *       0.0.0.0/0            192.168.0.250       tcp dpt:5900
    0     0 allowed    tcp  --  *      *       0.0.0.0/0            192.168.0.89        tcp dpt:6112
    0     0 allowed    tcp  --  *      *       0.0.0.0/0            192.168.0.253       tcp dpt:80
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0


Here is an extract from /var/log/messages with the logs of my outbound
ICMP packets:

[root at hq-fw firewall-scripts]# tail /var/log/messages
Apr  2 01:45:21 localmotion-fw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.0.2 DST=192.168.13.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=13622 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=33541
Apr  2 01:45:24 localmotion-fw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.0.2 DST=192.168.13.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=13623 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=33797
Apr  2 01:45:27 localmotion-fw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.0.2 DST=192.168.13.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=13624 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=34053
Apr  2 01:45:30 localmotion-fw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.0.2 DST=192.168.13.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=13625 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=34309
Apr  2 01:45:33 localmotion-fw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.0.2 DST=192.168.13.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=13626 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=34565
Apr  2 01:45:36 localmotion-fw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.0.2 DST=192.168.13.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=13627 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=34821
Apr  2 01:45:39 localmotion-fw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.0.2 DST=192.168.13.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=13628 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=35077
Apr  2 01:45:42 localmotion-fw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.0.2 DST=192.168.13.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=13629 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=35333
Apr  2 01:45:45 localmotion-fw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.0.2 DST=192.168.13.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=13630 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=35589
Apr  2 01:45:48 localmotion-fw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.0.2 DST=192.168.13.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=13631 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=35845

- Greg Scott
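An added illustration of the counter question in the quoted message (this is not from the original post or from Openswan): the "policy DROP N packets" figure in `iptables -L -v -n` counts only packets that fall off the end of the chain without matching a terminating rule, and LOG is non-terminating, so the 20 pings are counted under the catch-all LOG and again under the eth1 ACCEPT, but never under the policy. The script parses a constructed, trimmed copy of the FORWARD chain above (lines unwrapped) and reconciles the per-rule counters with the policy counter.

```python
import re
from dataclasses import dataclass

# Constructed sample: the FORWARD chain from the post, trimmed to the rules that matter.
SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   20  1200 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `FWD '
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   20  1200 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Targets that never end rule traversal: a packet matching them continues down the chain,
# so their counters overlap with whichever terminating rule (or the policy) finally handles it.
NON_TERMINATING = {"LOG", "MARK", "CONNMARK", "TOS", "ULOG", "NFLOG"}

@dataclass
class Rule:
    index: int
    pkts: int
    target: str
    in_if: str
    extra: str

def parse_chain(text):
    """Return (policy, policy_pkts, rules) for one chain of `iptables -L -v -n` output."""
    lines = text.splitlines()
    m = re.match(r"Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)", lines[0])
    policy, policy_pkts = m.group(2), int(m.group(3))
    rules = []
    for i, line in enumerate(lines[2:]):          # skip chain header and column header
        f = line.split(None, 9)                   # pkts bytes target prot opt in out src dst [extra]
        rules.append(Rule(i, int(f[0]), f[2], f[5], f[9] if len(f) > 9 else ""))
    return policy, policy_pkts, rules

def explain_counters(text):
    """Reconcile per-rule counters with the chain policy counter."""
    policy, policy_pkts, rules = parse_chain(text)
    logged = [r for r in rules if r.pkts and r.target in NON_TERMINATING]
    handled = [r for r in rules if r.pkts and r.target not in NON_TERMINATING]
    # As in the post, rule 0 is a match-all non-terminating LOG, so its counter is the
    # number of packets that entered the chain (assumption: such a first rule exists).
    entered = rules[0].pkts
    return {
        "entered": entered,
        "logged_by": [(r.index, r.target, r.pkts) for r in logged],
        "handled_by": [(r.index, r.target, r.in_if, r.pkts) for r in handled],
        "fell_through_to_policy": policy_pkts,
        # Every packet is either consumed by a terminating rule or by the policy, never both.
        "consistent": sum(r.pkts for r in handled) + policy_pkts == entered,
    }
```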

_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users