[Openswan Users] Possibly some stupid error - anything but ping do not work

Peter McGill petermcgill at goco.net
Fri Jan 25 10:13:12 EST 2008


Show us your ipsec verify output.

Version check and ipsec on-path                                 [OK]
Linux Openswan 2.4.7 (klips)
If the above reads native or netkey instead of klips, then you won't
have an ipsec0 interface; instead, the unencrypted packets will appear
on your external interface alongside the encrypted packets.

You may have a firewall problem. One method of firewalling ipsec is as follows.
The following should work with both klips and netkey, since it marks
ipsec packets then allows marked packets instead of relying on ipsec0.
Accept inbound IPSec.
iptables -t filter -A INPUT -p 17 --dport 500 -j ACCEPT # udp/isakmp
iptables -t filter -A INPUT -p 50 -j ACCEPT # esp
iptables -t filter -A INPUT -p 17 --dport 4500 -j ACCEPT # udp/nat-t, only needed with nat-t
Mark IPSec, and allow decrypted IPSec.
iptables -t mangle -A PREROUTING -p 17 --dport 500 -j MARK --set-mark 1 # udp/isakmp
iptables -t mangle -A PREROUTING -p 50 -j MARK --set-mark 1 # esp
iptables -t mangle -A PREROUTING -p 17 --dport 4500 -j MARK --set-mark 1 # udp/nat-t, only needed with nat-t
iptables -t filter -A INPUT -m mark --mark 1 -j ACCEPT
iptables -t filter -A FORWARD -m mark --mark 1 -j ACCEPT
Accept outbound.
iptables -t filter -A OUTPUT -j ACCEPT
iptables -t filter -A FORWARD -s <local subnet, ie: 192.168.5.0/24> -j ACCEPT
Exempt IPSec from your NAT rules, if any...
Note the -I because this needs to be before any SNAT or MASQUERADE rules.
iptables -t nat -I POSTROUTING -d <remote subnet, ie: 192.168.10.0/24> -j ACCEPT
Feel free to further qualify the above with the appropriate interfaces, etc...

Peter McGill
 

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Maciej Piechotka
> Sent: January 24, 2008 7:01 PM
> To: users at lists.openswan.org
> Subject: [Openswan Users] Possibly some stupid error - 
> anything but ping do not work
> 
> I have the following ipsec configuration (I am trying to set it up step by step):
> For notebook:
> version 2.0
> 
> config setup
> 
> conn notebook--router
> 	left=192.168.xxx.xxx
> 	leftid=@notebook
> 	leftrsasigkey=...
> 	right=192.168.xxx.yyy
> 	rightid=@router
> 	rightrsasigkey=...
> 	auto=add
> 
> For router:
> version 2.0
> 
> config setup
> 
> conn router--notebook
> 	left=192.168.xxx.yyy
> 	leftid=@router
> 	leftrsasigkey=...
> 	right=192.168.xxx.xxx
> 	rightid=@notebook
> 	rightrsasigkey=...
> 	auto=add
> 
> Firewall(part of script):
> echo "Allow icmp"
> iptables -A INPUT -p icmp -j ACCEPT
> ip6tables -A INPUT -p icmpv6 -j ACCEPT
> echo "Allow ipsec"
> iptables -A INPUT -p ah -j ACCEPT
> ip6tables -A INPUT -p ah -j ACCEPT
> iptables -A INPUT -p esp -j ACCEPT
> ip6tables -A INPUT -p esp -j ACCEPT
> 
> 
> After
> router # ipsec auto --up router--notebook
> 104 "router--notebook" #1: STATE_MAIN_I1: initiate
> 003 "router--notebook" #1: received Vendor ID payload [Openswan (this version) 2.4.9  PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
> 003 "router--notebook" #1: received Vendor ID payload [Dead Peer Detection]
> 106 "router--notebook" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "router--notebook" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "router--notebook" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
> 117 "router--notebook" #2: STATE_QUICK_I1: initiate
> 004 "router--notebook" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xXXXXXXXX <0xXXXXXXXX xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
> notebook # ipsec auto --up notebook--router
> 117 "notebook--router" #3: STATE_QUICK_I1: initiate
> 004 "notebook--router" #3: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xXXXXXXXX <0xXXXXXXXX xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
> 
> it starts OK, showing no error. If I try to ping 192.168.xxx.yyy from 
> the notebook, it is OK, but no other service is working. What may be wrong?
> 
> PS.
> tcpdump shows nothing on the interface. ipsec0 is not created as 
> described in http://wiki.openswan.org/index.php/Openswan/DebuggingTCPDump 
> but I heard it is normal in new kernels.
> -- 
> I've probably left my head... somewhere. Please wait until I find it.
> Homepage (pl_PL): http://uzytkownik.jogger.pl/
> (GNU/)Linux User: #425935 (see http://counter.li.org/)
> 
> 
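An added Python model of the situation discussed in this thread (not code from the Openswan project or from either poster): it assumes the NETKEY behaviour the reply describes, that the decrypted inner packet re-traverses mangle PREROUTING and filter INPUT on the external interface with the mark set on the ESP packet preserved, and it abridges the reply's rules to the ESP part. Run against both rulesets it shows why a tunnelled ping passes the original INPUT rules while a tunnelled TCP connection does not.

```python
# Added toy model (not Openswan's or either poster's code) of the NETKEY
# packet path: with no ipsec0 the decrypted inner packet re-traverses mangle
# PREROUTING and filter INPUT on the external interface, keeping its mark.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str                         # "esp", "udp", "tcp", "icmp", ...
    dport: Optional[int] = None
    mark: int = 0
    inner: Optional["Packet"] = None   # cleartext payload of an ESP packet

# A rule is (table, chain, match-dict, target, mark-to-set).
def matches(match: dict, pkt: Packet) -> bool:
    fields = {"proto": pkt.proto, "dport": pkt.dport, "mark": pkt.mark}
    return all(fields[k] == v for k, v in match.items())

def run_chain(rules, table, chain, pkt, policy):
    for tbl, ch, match, target, set_mark in rules:
        if (tbl, ch) == (table, chain) and matches(match, pkt):
            if target == "MARK":
                pkt.mark = set_mark          # non-terminating, carry on
            else:
                return target                # ACCEPT/DROP ends the chain
    return policy

def input_verdict(rules, pkt: Packet) -> str:
    """Accepted ESP is decrypted by XFRM and its inner packet is
    re-injected with the same mark, walking PREROUTING and INPUT again."""
    run_chain(rules, "mangle", "PREROUTING", pkt, "CONTINUE")
    verdict = run_chain(rules, "filter", "INPUT", pkt, "DROP")
    if verdict == "ACCEPT" and pkt.proto == "esp" and pkt.inner is not None:
        pkt.inner.mark = pkt.mark
        return input_verdict(rules, pkt.inner)
    return verdict

# Poster's firewall: only ICMP, AH and ESP are accepted on INPUT.
POSTER_RULES = [("filter", "INPUT", {"proto": p}, "ACCEPT", 0)
                for p in ("icmp", "ah", "esp")]
# Reply's approach (ESP part only): accept ESP, mark it, accept marked.
REPLY_RULES = [("filter", "INPUT", {"proto": "esp"}, "ACCEPT", 0),
               ("mangle", "PREROUTING", {"proto": "esp"}, "MARK", 1),
               ("filter", "INPUT", {"mark": 1}, "ACCEPT", 0)]

def compare(rules) -> dict:
    """Verdicts for a tunnelled ping and a tunnelled SSH connection."""
    esp = lambda proto, dport=None: Packet("esp", inner=Packet(proto, dport))
    return {"ping": input_verdict(rules, esp("icmp")),
            "ssh": input_verdict(rules, esp("tcp", 22))}
```

A cleartext TCP packet that never arrived inside ESP carries no mark, so the mark-based rules still drop it; only traffic that actually came out of an accepted ESP packet is admitted.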


