[Openswan Users] Packets not passing through Tunnel
Peter McGill
petermcgill at goco.net
Thu Mar 13 10:18:53 EDT 2008
Well, it's not a particularly strong firewall script, but that's another issue.
To fix your ipsec problem, you should change this...
iptables -A FORWARD -i ${WAN} -d 10.5.0.0/255.255.0.0 -j ACCEPT
+ iptables -t nat -I POSTROUTING -o ${WAN} -d 10.8.13.113/32 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
Peter McGill
_____
From: Khan, Hammad Aslam [mailto:raohammad at gmail.com]
Sent: March 12, 2008 5:44 PM
To: petermcgill at goco.net
Cc: users at openswan.org
Subject: Re: [Openswan Users] Packets not passing through Tunnel
I tried to make them work again(asper my understanding) but cldnt make it happen;
may be you can help to edit this file :-) (that I've made to configure firewall)... this can be a valuable asset to mailing list
too...
##First we flush our current rules
iptables -F
iptables -t nat -F
##Setup default policies to handle unmatched traffic
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
##Copy and paste these examples ...
export LAN=eth1
export WAN=eth0
##Then we lock our services so they only work from the LAN
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT
##(Optional) Allow access to our ssh server from the WAN
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
##Drop TCP / UDP packets to privileged ports
iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
##Finally we add the rules for NAT
iptables -I FORWARD -i ${LAN} -d 10.5.0.0/255.255.0.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 10.5.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 10.5.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
# allow IPsec IKE negotiations
iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
iptables -I INPUT -p 50 -j ACCEPT
iptables -I OUTPUT -p 50 -j ACCEPT
##Tell the kernel that ip forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
##This is so when we boot we don't have to run the rules by hand
/etc/init.d/iptables save
rc-update add iptables default
nano /etc/sysctl.conf
##Add/Uncomment the following lines:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
Regards,
Hammad
On Thu, Mar 13, 2008 at 2:07 AM, Peter McGill <petermcgill at goco.net> wrote:
Two problems here:
First, you cannot MASQ the ipsec packets, so...
iptables -t nat -I POSTROUTING -d 10.8.13.113/32 -j ACCEPT
before
iptables -t nat -A POSTROUTING -s 10.5.0.0/16 -j MASQUERADE
Second, you cannot drop all packets to local and expect remote to get through...
So, change your forward chain...
remove this rule
iptables -t filter -A FORWARD -d 10.5.0.0/16 -j DROP
(This one might have additional options limiting what it drops, making it ok,
but I cannot tell without the -v (--verbose) flag on iptables.)
P.S. you didn't actually show us your full rules here, next time you might try this:
iptables -t filter -L -n -v
iptables -t nat -L -n -v
iptables -t mangle -L -n -v
Peter McGill
_____
From: Khan, Hammad Aslam [mailto:raohammad at gmail.com]
Sent: March 12, 2008 4:43 PM
To: petermcgill at goco.net
Cc: users at openswan.org
Subject: Re: [Openswan Users] Packets not passing through Tunnel
and what do you comment about my firewall settings?
Attached is more Formatted one... thanking in anticipation
Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
5 REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67 reject-with icmp-port-unreachable
6 REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 reject-with icmp-port-unreachable
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
8 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023
9 DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023
Chain FORWARD (policy DROP)
num target prot opt source destination
1 DROP all -- 0.0.0.0/0 10.5.0.0/16
2 ACCEPT all -- 10.5.0.0/16 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 10.5.0.0/16
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500
On Wed, Mar 12, 2008 at 8:56 PM, Peter McGill <petermcgill at goco.net> wrote:
No, that should be working if ISAKMP SA and IPSec SA established.
> A ping from 10.5.125.105 <http://10.5.125.105/> to 10.8.13.113 <http://10.8.13.113/> and vise-versa should work.
Peter McGill
_____
From: Khan, Hammad Aslam [mailto:raohammad at gmail.com]
Sent: March 12, 2008 11:48 AM
To: petermcgill at goco.net
Cc: users at openswan.org
Subject: Re: [Openswan Users] Packets not passing through Tunnel
ok thanks but if i dont want my gateway to talk to remote private. Instead I just want to access remote private from my-private;
will I be required to make changes even in that case?
rgds,
Hammad
On Wed, Mar 12, 2008 at 7:47 PM, Peter McGill <petermcgill at goco.net> wrote:
You cannot use route add or ip route add with openswan, you
must specify the traffic which uses the tunnel in left/rightsubnet(s).
To clarify where are you pinging/telneting from?
A ping from 10.5.125.105 <http://10.5.125.105/> to 10.8.13.113 <http://10.8.13.113/> and vise-versa should work.
A ping from 10.5.125.100 <http://10.5.125.100/> or 58.58.58.58 <http://58.58.58.58/> will not work because you
have not included them in leftsubnet.
Likewise a ping from 202.202.202.202 <http://202.202.202.202/> or ?.?.?.? to 10.5.. will not work.
Pings to 58... and 202... will work but not encrypted, plain internet.
If you want your gateway to be able to communicate with remote private
also, then change your conn as follows:
leftsourceip=10.5.125.100 <http://10.5.125.100/> # gw will use this instead of 58... to talk to rem. priv.
leftsubnet=10.5.125.96/28 # you'll need to change subnet on cisco too
Peter McGill
_____
From: Khan, Hammad Aslam [mailto:raohammad at gmail.com]
Sent: March 12, 2008 2:11 AM
To: petermcgill at goco.net
Cc: users at openswan.org
Subject: Re: [Openswan Users] Packets not passing through Tunnel
I already have enabled ip forwarding;
My Setup is like;
my private my gateway <<public>> remote gw (cisco vpn 3000) remote
private
-------- -----------------------------------------
------------------------------- ----------------------
| | | |
| | |
10.5.125.105 <http://10.5.125.105/> === 10.5.125.100(eth1) (eth0)58.58.58.58 >>><<< 202.202.202.202
<http://202.202.202.202/> ?.?.?.? ==== 10.8.13.113 <http://10.8.13.113/> |
| | | |
| | |
------- -----------------------------------------
------------------------------ ----------------------
My Config file
config setup
interfaces="ipsec0=eth0"
plutodebug="all"
nat_traversal=yes
conn nattelenor
type=tunnel
authby=secret # secret key
auth=esp
pfs=no
keylife=28800
keyingtries=3
auto=add
ike=3des-md5-modp1024
esp=3des-md5
left=58.58.58.58 <http://58.58.58.58/> # my external, internet-routable ip address, provided by NAT box=
leftsubnet=10.5.125.105/32
right=202.202.202.202 <http://202.202.202.202/> # my peer's external, internet-routable ip address=
rightsubnet=10.8.13.113/32
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
My ipsec verify result
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.9/K2.6.18-1.2798.fc6 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
Regards,
Hammad
On Tue, Mar 11, 2008 at 10:56 PM, Peter McGill <petermcgill at goco.net> wrote:
Did you add leftsourceip=leftlanip and rightsourceip=rightlanip?
Without them you can only ping hosts other than the ipsec gateway,
on the remote lan, and only from hosts on the local lan not the local
ipsec gateway.
Show us your ipsec.conf and ipsec verify.
Peter McGill
_____
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Khan, Hammad Aslam
Sent: March 11, 2008 1:45 PM
To: users at openswan.org
Subject: [Openswan Users] Packets not passing through Tunnel
Hello everyone,
My tunnel has been successfully established (both ISAKMP and IPSEC are UP);
but when I try to ping/telnet remote end's private network PC i dont get any response.,
Using tcpdump -i eth0 (which is my public interface of GW) it shows that GW is querying internet for remote-private-nw using ARP. No
ESP packets are seen...
I added a route of
# route add <remote-private-ip> gw <remote-public-ip>
...but still, i see the same result?
Please help.
Regards,
Hammad
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20080313/d52cb19f/attachment-0001.html
More information about the Users
mailing list