[Openswan Users] Packets not passing through Tunnel
Khan, Hammad Aslam
raohammad at gmail.com
Wed Mar 12 17:44:07 EDT 2008
I tried to make them work again (as per my understanding) but couldn't make it
happen;
maybe you can help to edit this file :-) (that I've made to configure the
firewall)... this can be a valuable asset to the mailing list too...
##First we flush our current rules
iptables -F
iptables -t nat -F
##Setup default policies to handle unmatched traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
##Copy and paste these examples ...
export LAN=eth1
export WAN=eth0
##Then we lock our services so they only work from the LAN
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT
##(Optional) Allow access to our ssh server from the WAN
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
##Drop TCP / UDP packets to privileged ports
iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
##Finally we add the rules for NAT
iptables -I FORWARD -i ${LAN} -d 10.5.0.0/255.255.0.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 10.5.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 10.5.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
# allow IPsec IKE negotiations
iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
iptables -I INPUT -p 50 -j ACCEPT
iptables -I OUTPUT -p 50 -j ACCEPT
##Tell the kernel that ip forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
##This is so when we boot we don't have to run the rules by hand
/etc/init.d/iptables save
rc-update add iptables default
##To keep the sysctl settings across reboots, edit /etc/sysctl.conf
##(e.g. nano /etc/sysctl.conf) and add/uncomment the following lines:
##  net.ipv4.ip_forward = 1
##  net.ipv4.conf.default.rp_filter = 1
Regards,
Hammad
On Thu, Mar 13, 2008 at 2:07 AM, Peter McGill <petermcgill at goco.net> wrote:
> Two problems here:
>
> First, you cannot MASQ the ipsec packets, so...
> iptables -t nat -I POSTROUTING -d 10.8.13.113/32 -j ACCEPT
> before
> iptables -t nat -A POSTROUTING -s 10.5.0.0/16 -j MASQUERADE
>
> Second, you cannot drop all packets to local and expect remote to get
> through...
> So, change your forward chain...
> remove this rule
> iptables -t filter -A FORWARD -d 10.5.0.0/16 -j DROP
> (This one might have additional options limiting what it drops, making it
> ok,
> but I cannot tell without the -v (--verbose) flag on iptables.)
>
> P.S. you didn't actually show us your full rules here, next time you might
> try this:
> iptables -t filter -L -n -v
> iptables -t nat -L -n -v
> iptables -t mangle -L -n -v
>
> Peter McGill
>
>
> ------------------------------
> *From:* Khan, Hammad Aslam [mailto:raohammad at gmail.com]
> *Sent:* March 12, 2008 4:43 PM
>
> *To:* petermcgill at goco.net
> *Cc:* users at openswan.org
> *Subject:* Re: [Openswan Users] Packets not passing through Tunnel
>
> And what do you comment about my firewall settings?
> Attached is a more formatted one... thanking in anticipation
>
>
> Table: nat
> Chain PREROUTING (policy ACCEPT)
> num  target      prot opt source     destination
> Chain POSTROUTING (policy ACCEPT)
> num  target      prot opt source     destination
> 1    MASQUERADE  all  --  0.0.0.0/0  0.0.0.0/0
> Chain OUTPUT (policy ACCEPT)
> num  target      prot opt source     destination
> Table: filter
> Chain INPUT (policy ACCEPT)
> num  target  prot opt source     destination
> 1    ACCEPT  esp  --  0.0.0.0/0  0.0.0.0/0
> 2    ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0  udp spt:500 dpt:500
> 3    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0
> 4    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0
> 5    REJECT  udp  --  0.0.0.0/0  0.0.0.0/0  udp dpt:67 reject-with icmp-port-unreachable
> 6    REJECT  udp  --  0.0.0.0/0  0.0.0.0/0  udp dpt:53 reject-with icmp-port-unreachable
> 7    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:22
> 8    DROP    tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpts:0:1023
> 9    DROP    udp  --  0.0.0.0/0  0.0.0.0/0  udp dpts:0:1023
> Chain FORWARD (policy DROP)
> num  target  prot opt source       destination
> 1    DROP    all  --  0.0.0.0/0    10.5.0.0/16
> 2    ACCEPT  all  --  10.5.0.0/16  0.0.0.0/0
> 3    ACCEPT  all  --  0.0.0.0/0    10.5.0.0/16
> Chain OUTPUT (policy ACCEPT)
> num  target  prot opt source     destination
> 1    ACCEPT  esp  --  0.0.0.0/0  0.0.0.0/0
> 2    ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0  udp spt:500 dpt:500
>
>
>
> On Wed, Mar 12, 2008 at 8:56 PM, Peter McGill <petermcgill at goco.net>
> wrote:
>
> > No, that should be working if ISAKMP SA and IPSec SA established.
> >
> > > A ping from 10.5.125.105 to 10.8.13.113 and vice versa should work.
> >
> > Peter McGill
> >
> >
> > ------------------------------
> > *From:* Khan, Hammad Aslam [mailto:raohammad at gmail.com]
> > *Sent:* March 12, 2008 11:48 AM
> >
> > *To:* petermcgill at goco.net
> > *Cc:* users at openswan.org
> > *Subject:* Re: [Openswan Users] Packets not passing through Tunnel
> >
> > OK, thanks, but if I don't want my gateway to talk to the remote private,
> > and instead I just want to access the remote private from my-private, will I be
> > required to make changes even in that case?
> >
> > rgds,
> > Hammad
> >
> > On Wed, Mar 12, 2008 at 7:47 PM, Peter McGill <petermcgill at goco.net>
> > wrote:
> >
> > > You cannot use route add or ip route add with openswan, you
> > > must specify the traffic which uses the tunnel in left/rightsubnet(s).
> > > To clarify, where are you pinging/telnetting from?
> > > A ping from 10.5.125.105 to 10.8.13.113 and vice versa should work.
> > > A ping from 10.5.125.100 or 58.58.58.58 will not work because you
> > > have not included them in leftsubnet.
> > > Likewise a ping from 202.202.202.202 or ?.?.?.? to 10.5.. will not
> > > work.
> > > Pings to 58... and 202... will work but not encrypted, plain internet.
> > > If you want your gateway to be able to communicate with remote private
> > > also, then change your conn as follows:
> > > leftsourceip=10.5.125.100 # gw will use this instead of 58... to talk to rem. priv.
> > > leftsubnet=10.5.125.96/28 # you'll need to change subnet on cisco too
> > >
> > > Peter McGill
> > >
> > >
> > > ------------------------------
> > > *From:* Khan, Hammad Aslam [mailto:raohammad at gmail.com]
> > > *Sent:* March 12, 2008 2:11 AM
> > > *To:* petermcgill at goco.net
> > > *Cc:* users at openswan.org
> > > *Subject:* Re: [Openswan Users] Packets not passing through Tunnel
> > >
> > > I already have enabled ip forwarding;
> > > My Setup is like;
> > >
> > > my private          my gateway                           <<public>>        remote gw (cisco vpn 3000)   remote private
> > > 10.5.125.105 === 10.5.125.100(eth1) (eth0)58.58.58.58 >>*><*<< 202.202.202.202 ?.?.?.? ==== 10.8.13.113
> > >
> > >
> > > *My Config file*
> > > config setup
> > >         interfaces="ipsec0=eth0"
> > >         plutodebug="all"
> > >         nat_traversal=yes
> > >
> > > conn nattelenor
> > >         type=tunnel
> > >         authby=secret # secret key
> > >         auth=esp
> > >         pfs=no
> > >         keylife=28800
> > >         keyingtries=3
> > >         auto=add
> > >         ike=3des-md5-modp1024
> > >         esp=3des-md5
> > >         left=58.58.58.58 # my external, internet-routable ip address, provided by NAT box
> > >         leftsubnet=10.5.125.105/32
> > >         right=202.202.202.202 # my peer's external, internet-routable ip address
> > >         rightsubnet=10.8.13.113/32
> > >
> > > #Disable Opportunistic Encryption
> > > include /etc/ipsec.d/examples/no_oe.conf
> > >
> > > *My ipsec verify result*
> > >
> > > Checking your system to see if IPsec got installed and started correctly:
> > > Version check and ipsec on-path                               [OK]
> > > Linux Openswan U2.4.9/K2.6.18-1.2798.fc6 (netkey)
> > > Checking for IPsec support in kernel                          [OK]
> > > NETKEY detected, testing for disabled ICMP send_redirects     [FAILED]
> > >
> > >   Please disable /proc/sys/net/ipv4/conf/*/send_redirects
> > >   or NETKEY will cause the sending of bogus ICMP redirects!
> > >
> > > NETKEY detected, testing for disabled ICMP accept_redirects   [FAILED]
> > >
> > >   Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
> > >   or NETKEY will accept bogus ICMP redirects!
> > >
> > > Checking for RSA private key (/etc/ipsec.secrets)             [OK]
> > > Checking that pluto is running                                [OK]
> > > Two or more interfaces found, checking IP forwarding          [OK]
> > > Checking NAT and MASQUERADEing                                [OK]
> > > Checking for 'ip' command                                     [OK]
> > > Checking for 'iptables' command                               [OK]
> > > Opportunistic Encryption Support                              [DISABLED]
> > >
> > >
> > > Regards,
> > > Hammad
> > >
> > >
> > > On Tue, Mar 11, 2008 at 10:56 PM, Peter McGill <petermcgill at goco.net>
> > > wrote:
> > >
> > > > Did you add leftsourceip=leftlanip and rightsourceip=rightlanip?
> > > > Without them you can only ping hosts other than the ipsec gateway,
> > > > on the remote lan, and only from hosts on the local lan, not the
> > > > local ipsec gateway.
> > > > Show us your ipsec.conf and ipsec verify.
> > > >
> > > > Peter McGill
> > > >
> > > >
> > > > ------------------------------
> > > > *From:* users-bounces at openswan.org [mailto:
> > > > users-bounces at openswan.org] *On Behalf Of *Khan, Hammad Aslam
> > > > *Sent:* March 11, 2008 1:45 PM
> > > > *To:* users at openswan.org
> > > > *Subject:* [Openswan Users] Packets not passing through Tunnel
> > > >
> > > > Hello everyone,
> > > > My tunnel has been successfully established (both ISAKMP and IPSEC
> > > > are UP), but when I try to ping/telnet the remote end's private network PC I don't
> > > > get any response.
> > > >
> > > > Using *tcpdump -i eth0* (which is my public interface of the GW) it
> > > > shows that the GW is querying the internet for the remote-private-nw using ARP. No ESP
> > > > packets are seen...
> > > >
> > > > I added a route of
> > > > # route add <remote-private-ip> gw <remote-public-ip>
> > > > ...but still, I see the same result?
> > > >
> > > > Please help.
> > > >
> > > > Regards,
> > > > Hammad
> > > >
> > > >
> > >
> >
>
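The two corrections Peter describes above (exempt tunnel traffic from NAT before the MASQUERADE rule, and accept both directions of the tunnel pair in FORWARD instead of dropping traffic to 10.5.0.0/16), as an added example that is not code from the thread or from Openswan. It emits the iptables commands rather than applying them; `IPT` defaults to `echo iptables` so the rule order can be inspected, and the addresses, interfaces and the assumption that 10.5.0.0/16 is the LAN behind eth1 are taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): prints the iptables rules that apply
# Peter's two fixes plus the IKE/ESP accepts. Set IPT=iptables and run as
# root to apply them; by default the commands are only echoed for review.
: "${IPT:=echo iptables}"
LAN=eth1
WAN=eth0
LOCAL_NET=10.5.0.0/16         # assumed: the private LAN behind ${LAN}
REMOTE_HOST=10.8.13.113/32    # rightsubnet from the thread's ipsec.conf

ipsec_rules() {
    # 1. Packets for the remote private host must keep their 10.5.x source,
    #    otherwise they no longer match the SA's leftsubnet selector and go
    #    out in the clear. Insert the exemption at position 1 so it is
    #    evaluated before MASQUERADE.
    $IPT -t nat -I POSTROUTING 1 -d "$REMOTE_HOST" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LOCAL_NET" -j MASQUERADE

    # 2. FORWARD policy is DROP, so both directions of the tunnel pair need
    #    an explicit ACCEPT; no blanket DROP towards the LAN precedes them,
    #    since that would discard the decapsulated replies.
    $IPT -A FORWARD -s "$LOCAL_NET" -d "$REMOTE_HOST" -j ACCEPT
    $IPT -A FORWARD -s "$REMOTE_HOST" -d "$LOCAL_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -s "$LOCAL_NET" -o "$WAN" -j ACCEPT

    # 3. IKE on UDP 500, UDP 4500 for NAT traversal (nat_traversal=yes in
    #    the thread's config) and ESP (protocol 50) to the gateway itself.
    for p in 500 4500; do
        $IPT -A INPUT -i "$WAN" -p udp --dport "$p" -j ACCEPT
    done
    $IPT -A INPUT -i "$WAN" -p esp -j ACCEPT
}

# Check on the emitted rules: the nat-table ACCEPT must come before the
# MASQUERADE line, otherwise fix 1 has no effect. Exit status 0 means ok.
nat_order_ok() {
    ipsec_rules | awk '
        /-t nat/ && /-j ACCEPT/     && !acc { acc = NR }
        /-t nat/ && /-j MASQUERADE/ && !msq { msq = NR }
        END { exit !(acc && msq && acc < msq) }'
}

ipsec_rules
```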