[Openswan Users] Packets not passing through Tunnel
Hammad
raohammad at gmail.com
Fri Mar 14 07:02:49 EDT 2008
It's working for 10.8.13.113/32 now, and packets are now encapsulated in ESP.
Now the last problem: when I put 172.18.114.244/32 (the actual required remote
private) in this place in both iptables and ipsec.conf (I know this is
pointless, but I even tried several things), it's not encapsulating any PING to
172....; instead it's using the general gateway for it??
rgds,
On Thu, Mar 13, 2008 at 7:18 PM, Peter McGill <petermcgill at goco.net> wrote:
> Well, it's not a particularly strong firewall script, but that's another
> issue.
> To fix your ipsec problem, you should change this...
> iptables -A FORWARD -i ${WAN} -d 10.5.0.0/255.255.0.0 -j ACCEPT
> + iptables -t nat -I POSTROUTING -o ${WAN} -d 10.8.13.113/32 -j ACCEPT
> iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
>
> Peter McGill
>
>
> ------------------------------
> *From:* Khan, Hammad Aslam [mailto:raohammad at gmail.com]
> *Sent:* March 12, 2008 5:44 PM
>
> *To:* petermcgill at goco.net
> *Cc:* users at openswan.org
> *Subject:* Re: [Openswan Users] Packets not passing through Tunnel
>
> I tried to make them work again (as per my understanding) but couldn't make
> it happen;
> maybe you can help to edit this file :-) (that I've made to configure the
> firewall)... this can be a valuable asset to the mailing list too...
>
> ##First we flush our current rules
> iptables -F
> iptables -t nat -F
>
> ##Setup default policies to handle unmatched traffic
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP
>
> ##Copy and paste these examples ...
> export LAN=eth1
> export WAN=eth0
>
> ##Then we lock our services so they only work from the LAN
> iptables -I INPUT 1 -i ${LAN} -j ACCEPT
> iptables -I INPUT 1 -i lo -j ACCEPT
> iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
> iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT
>
> ##(Optional) Allow access to our ssh server from the WAN
> iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT
>
> ##Drop TCP / UDP packets to privileged ports
> iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
> iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
>
> ##Finally we add the rules for NAT
> iptables -I FORWARD -i ${LAN} -d 10.5.0.0/255.255.0.0 -j DROP
> iptables -A FORWARD -i ${LAN} -s 10.5.0.0/255.255.0.0 -j ACCEPT
> iptables -A FORWARD -i ${WAN} -d 10.5.0.0/255.255.0.0 -j ACCEPT
> iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
>
> # allow IPsec IKE negotiations
> iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT
> iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
> # ESP encryption and authentication
> iptables -I INPUT -p 50 -j ACCEPT
> iptables -I OUTPUT -p 50 -j ACCEPT
>
> ##Tell the kernel that ip forwarding is OK
> echo 1 > /proc/sys/net/ipv4/ip_forward
> for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
>
> ##This is so when we boot we don't have to run the rules by hand
> /etc/init.d/iptables save
> rc-update add iptables default
> nano /etc/sysctl.conf
>
> ##Add/Uncomment the following lines:
> net.ipv4.ip_forward = 1
> net.ipv4.conf.default.rp_filter = 1
>
>
> Regards,
> Hammad
>
> On Thu, Mar 13, 2008 at 2:07 AM, Peter McGill <petermcgill at goco.net>
> wrote:
>
> > Two problems here:
> >
> > First, you cannot MASQ the ipsec packets, so...
> > iptables -t nat -I POSTROUTING -d 10.8.13.113/32 -j ACCEPT
> > before
> > iptables -t nat -A POSTROUTING -s 10.5.0.0/16 -j MASQUERADE
> >
> > Second, you cannot drop all packets to local and expect remote to get
> > through...
> > So, change your forward chain...
> > remove this rule
> > iptables -t filter -A FORWARD -d 10.5.0.0/16 -j DROP
> > (This one might have additional options limiting what it drops, making
> > it ok,
> > but I cannot tell without the -v (--verbose) flag on iptables.)
> >
> > P.S. you didn't actually show us your full rules here, next time you
> > might try this:
> > iptables -t filter -L -n -v
> > iptables -t nat -L -n -v
> > iptables -t mangle -L -n -v
> >
> > Peter McGill
> >
> >
> > ------------------------------
> > *From:* Khan, Hammad Aslam [mailto:raohammad at gmail.com]
> > *Sent:* March 12, 2008 4:43 PM
> >
> > *To:* petermcgill at goco.net
> > *Cc:* users at openswan.org
> > *Subject:* Re: [Openswan Users] Packets not passing through Tunnel
> >
> > And what do you comment about my firewall settings?
> > Attached is a more formatted one... thanking in anticipation
> >
> >
> > Table: nat
> > Chain PREROUTING (policy ACCEPT)
> > num  target     prot opt source               destination
> > Chain POSTROUTING (policy ACCEPT)
> > num  target     prot opt source               destination
> > 1    MASQUERADE all  --  0.0.0.0/0            0.0.0.0/0
> > Chain OUTPUT (policy ACCEPT)
> > num  target     prot opt source               destination
> > Table: filter
> > Chain INPUT (policy ACCEPT)
> > num  target     prot opt source               destination
> > 1    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
> > 2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:500 dpt:500
> > 3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> > 4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> > 5    REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67 reject-with icmp-port-unreachable
> > 6    REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 reject-with icmp-port-unreachable
> > 7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
> > 8    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:0:1023
> > 9    DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:0:1023
> > Chain FORWARD (policy DROP)
> > num  target     prot opt source               destination
> > 1    DROP       all  --  0.0.0.0/0            10.5.0.0/16
> > 2    ACCEPT     all  --  10.5.0.0/16          0.0.0.0/0
> > 3    ACCEPT     all  --  0.0.0.0/0            10.5.0.0/16
> > Chain OUTPUT (policy ACCEPT)
> > num  target     prot opt source               destination
> > 1    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
> > 2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:500 dpt:500
> >
> >
> >
> > On Wed, Mar 12, 2008 at 8:56 PM, Peter McGill <petermcgill at goco.net>
> > wrote:
> >
> > > No, that should be working if the ISAKMP SA and IPsec SA are established.
> > >
> > > > A ping from 10.5.125.105 to 10.8.13.113 and vice versa should work.
> > >
> > > Peter McGill
> > >
> > >
> > > ------------------------------
> > > *From:* Khan, Hammad Aslam [mailto:raohammad at gmail.com]
> > > *Sent:* March 12, 2008 11:48 AM
> > >
> > > *To:* petermcgill at goco.net
> > > *Cc:* users at openswan.org
> > > *Subject:* Re: [Openswan Users] Packets not passing through Tunnel
> > >
> > > OK, thanks, but what if I don't want my gateway to talk to the remote private?
> > > Instead I just want to access the remote private from my private; will I be
> > > required to make changes even in that case?
> > >
> > > rgds,
> > > Hammad
> > >
> > > On Wed, Mar 12, 2008 at 7:47 PM, Peter McGill <petermcgill at goco.net>
> > > wrote:
> > >
> > > > You cannot use route add or ip route add with openswan; you
> > > > must specify the traffic which uses the tunnel in
> > > > left/rightsubnet(s).
> > > > To clarify, where are you pinging/telneting from?
> > > > A ping from 10.5.125.105 to 10.8.13.113 and vice versa should work.
> > > > A ping from 10.5.125.100 or 58.58.58.58 will not work because you
> > > > have not included them in leftsubnet.
> > > > Likewise a ping from 202.202.202.202 or ?.?.?.? to 10.5.. will not
> > > > work.
> > > > Pings to 58... and 202... will work but not encrypted, plain
> > > > internet.
> > > > If you want your gateway to be able to communicate with the remote
> > > > private also, then change your conn as follows:
> > > > leftsourceip=10.5.125.100 # gw will use this instead of 58... to talk to rem. priv.
> > > > leftsubnet=10.5.125.96/28 # you'll need to change subnet on cisco too
> > > >
> > > > Peter McGill
> > > >
> > > >
> > > > ------------------------------
> > > > *From:* Khan, Hammad Aslam [mailto:raohammad at gmail.com]
> > > > *Sent:* March 12, 2008 2:11 AM
> > > > *To:* petermcgill at goco.net
> > > > *Cc:* users at openswan.org
> > > > *Subject:* Re: [Openswan Users] Packets not passing through Tunnel
> > > >
> > > > I already have enabled IP forwarding;
> > > > My setup is like;
> > > >
> > > >  my private          my gateway                          <<public>>        remote gw (cisco vpn 3000)   remote private
> > > >  10.5.125.105 === 10.5.125.100(eth1) (eth0)58.58.58.58 >>*>  ...  <*<< 202.202.202.202  ?.?.?.? ==== 10.8.13.113
> > > >
> > > >
> > > > *My Config file*
> > > > config setup
> > > >         interfaces="ipsec0=eth0"
> > > >         plutodebug="all"
> > > >         nat_traversal=yes
> > > >
> > > > conn nattelenor
> > > >         type=tunnel
> > > >         authby=secret # secret key
> > > >         auth=esp
> > > >         pfs=no
> > > >         keylife=28800
> > > >         keyingtries=3
> > > >         auto=add
> > > >         ike=3des-md5-modp1024
> > > >         esp=3des-md5
> > > >         left=58.58.58.58 # my external, internet-routable ip address, provided by NAT box
> > > >         leftsubnet=10.5.125.105/32
> > > >         right=202.202.202.202 # my peer's external, internet-routable ip address
> > > >         rightsubnet=10.8.13.113/32
> > > >
> > > > #Disable Opportunistic Encryption
> > > > include /etc/ipsec.d/examples/no_oe.conf
> > > >
> > > > *My ipsec verify result*
> > > >
> > > > Checking your system to see if IPsec got installed and started correctly:
> > > > Version check and ipsec on-path                                 [OK]
> > > > Linux Openswan U2.4.9/K2.6.18-1.2798.fc6 (netkey)
> > > > Checking for IPsec support in kernel                            [OK]
> > > > NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]
> > > >
> > > > Please disable /proc/sys/net/ipv4/conf/*/send_redirects
> > > > or NETKEY will cause the sending of bogus ICMP redirects!
> > > >
> > > > NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]
> > > >
> > > > Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
> > > > or NETKEY will accept bogus ICMP redirects!
> > > >
> > > > Checking for RSA private key (/etc/ipsec.secrets)               [OK]
> > > > Checking that pluto is running                                  [OK]
> > > > Two or more interfaces found, checking IP forwarding            [OK]
> > > > Checking NAT and MASQUERADEing                                  [OK]
> > > > Checking for 'ip' command                                       [OK]
> > > > Checking for 'iptables' command                                 [OK]
> > > > Opportunistic Encryption Support                                [DISABLED]
> > > >
> > > >
> > > > Regards,
> > > > Hammad
> > > >
> > > >
> > > > On Tue, Mar 11, 2008 at 10:56 PM, Peter McGill <petermcgill at goco.net>
> > > > wrote:
> > > >
> > > > > Did you add leftsourceip=leftlanip and rightsourceip=rightlanip?
> > > > > Without them you can only ping hosts other than the ipsec gateway
> > > > > on the remote lan, and only from hosts on the local lan, not the
> > > > > local ipsec gateway.
> > > > > Show us your ipsec.conf and ipsec verify.
> > > > >
> > > > > Peter McGill
> > > > >
> > > > >
> > > > > ------------------------------
> > > > > *From:* users-bounces at openswan.org [mailto:
> > > > > users-bounces at openswan.org] *On Behalf Of *Khan, Hammad Aslam
> > > > > *Sent:* March 11, 2008 1:45 PM
> > > > > *To:* users at openswan.org
> > > > > *Subject:* [Openswan Users] Packets not passing through Tunnel
> > > > >
> > > > > Hello everyone,
> > > > > My tunnel has been successfully established (both ISAKMP and IPSEC
> > > > > are UP);
> > > > > but when I try to ping/telnet the remote end's private network PC I
> > > > > don't get any response.
> > > > >
> > > > > Using tcpdump -i eth0 (which is my public interface of the GW) it
> > > > > shows that the GW is querying the internet for the remote-private-nw using ARP. No ESP
> > > > > packets are seen...
> > > > >
> > > > > I added a route of
> > > > > # route add <remote-private-ip> gw <remote-public-ip>
> > > > > ...but still, I see the same result?
> > > > >
> > > > > Please help.
> > > > >
> > > > > Regards,
> > > > > Hammad
> > > > >
> > > > >
> > > >
> > >
> >
>
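An added example, not code from this thread or from Openswan, to make Peter's ordering point concrete: a small Python model of the nat POSTROUTING chain and the conn's subnet selectors. It assumes, as the symptom in this thread shows, that nat POSTROUTING rewrites the source address before NETKEY compares the packet against leftsubnet/rightsubnet, so a masqueraded packet no longer matches the policy and leaves in the clear via the default route.

```python
import ipaddress

# Constructed model (added example; not Openswan or netfilter code).
# Assumption, matching this thread's symptom: nat POSTROUTING rewrites the
# source address first, and NETKEY then checks the post-NAT packet against
# the conn's leftsubnet/rightsubnet selectors before ESP-encapsulating it.

def rule_matches(rule, src, dst):
    """A rule matches when every selector it carries (-s / -d) matches the packet."""
    for addr, net in ((src, rule.get("s")), (dst, rule.get("d"))):
        if net and ipaddress.ip_address(addr) not in ipaddress.ip_network(net):
            return False
    return True

def run_postrouting(chain, src, dst, wan_ip):
    """First matching terminal target wins; return the source address after NAT."""
    for rule in chain:
        if rule_matches(rule, src, dst):
            if rule["target"] == "MASQUERADE":
                return wan_ip          # rewritten to the outgoing interface address
            if rule["target"] == "ACCEPT":
                return src             # leave the chain with the packet untouched
    return src                         # chain policy is ACCEPT

def spd_selects(src, dst, leftsubnet, rightsubnet):
    """Openswan only encapsulates traffic that falls inside both conn subnet selectors."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(leftsubnet)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rightsubnet))

def will_encapsulate(chain, src, dst, wan_ip="58.58.58.58",
                     leftsubnet="10.5.125.105/32", rightsubnet="10.8.13.113/32"):
    """True when a forwarded packet would leave the gateway as ESP rather than plaintext."""
    post_nat_src = run_postrouting(chain, src, dst, wan_ip)
    return spd_selects(post_nat_src, dst, leftsubnet, rightsubnet)

# Hammad's original nat POSTROUTING: a single MASQUERADE rule that catches everything.
BROKEN = [{"target": "MASQUERADE"}]
# Peter's fix: `iptables -t nat -I POSTROUTING -d 10.8.13.113/32 -j ACCEPT` (-I puts it first).
FIXED = [{"target": "ACCEPT", "d": "10.8.13.113/32"}, {"target": "MASQUERADE"}]
# The same ACCEPT appended with -A instead of inserted with -I: it is never reached.
WRONG_ORDER = [{"target": "MASQUERADE"}, {"target": "ACCEPT", "d": "10.8.13.113/32"}]

if __name__ == "__main__":
    for name, chain in (("broken", BROKEN), ("fixed", FIXED), ("wrong order", WRONG_ORDER)):
        print(f"{name:12s} 10.5.125.105 -> 10.8.13.113 encapsulated: "
              f"{will_encapsulate(chain, '10.5.125.105', '10.8.13.113')}")
```

Traffic outside the selectors (a ping to 202.202.202.202, say) is masqueraded and sent in the clear with any of the three chains, which is the "plain internet" behaviour Peter describes.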