[Openswan Users] 2 ip ranges in our end with OpenSwan
Indunil Jayasooriya
indunil75 at gmail.com
Wed Sep 3 04:53:44 EDT 2008
Hi Peter,
Thanks for your help given out of compassion. I got it working successfully.
I would like to give the VPN setup configuration on my side.
THIS IS THE HOW TO - BY Indunil Jayasooriya
My side is Colombo, Sri Lanka.
I am running CentOS 5 with an iptables firewall and Openswan.
The other side is Los Angeles, USA. They use a Cisco VPN Concentrator
3000 series.
Here are the configurations on my side.
I have assigned 2 IP addresses to eth0.
One is primary (192.168.1.1/24).
The other is 10.48.0.1/16.
Please see below:
[root@firewall ~]# ip addr |grep eth0
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
inet 10.48.0.1/16 brd 10.48.255.255 scope global eth0
Here is my full /etc/sysctl.conf file:
[root@firewall ~]# cat /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
#net.ipv4.ip_forward = 0
# Controls source route verification
#net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
#net.ipv4.conf.default.accept_source_route = 0
#FOR VPN SETUP
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
#END OF VPN SETUP
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1
# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536
# Controls the default maximum size of a message queue
kernel.msgmax = 65536
# Controls the maximum shared segment size, in bytes
kernel.shmmax = 4294967295
# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 268435456
Here is /etc/ipsec.conf.
I cannot give you the real IPs of my side and the other side.
So, I use 1.2.3.4 as the real IP of my side and 5.6.7.8 as the real IP
of the other side. Please change them accordingly.
[root@firewall ~]# cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        #klipsdebug=all
        #plutodebug=all
        nat_traversal=yes

# Four remote subnets reachable from the primary LAN, 192.168.1.0/24
conn tunnelipsec1
        type=tunnel
        left=1.2.3.4
        leftsubnet=192.168.1.0/24
        right=5.6.7.8
        rightsubnet=196.4.49.0/24
        esp=3des
        authby=secret
        keyexchange=ike
        pfs=no
        auto=start

conn tunnelipsec2
        type=tunnel
        left=1.2.3.4
        leftsubnet=192.168.1.0/24
        right=5.6.7.8
        rightsubnet=196.4.51.0/24
        esp=3des
        authby=secret
        keyexchange=ike
        pfs=no
        auto=start

conn tunnelipsec3
        type=tunnel
        left=1.2.3.4
        leftsubnet=192.168.1.0/24
        right=5.6.7.8
        rightsubnet=10.10.99.0/24
        esp=3des
        authby=secret
        keyexchange=ike
        pfs=no
        auto=start

conn tunnelipsec4
        type=tunnel
        left=1.2.3.4
        leftsubnet=192.168.1.0/24
        right=5.6.7.8
        rightsubnet=10.10.250.0/24
        esp=3des
        authby=secret
        keyexchange=ike
        pfs=no
        auto=start

# The same four subnets plus 10.254.0.0/16 reachable from the secondary range, 10.48.0.0/16
conn tunnelipsec5
        type=tunnel
        left=1.2.3.4
        leftsubnet=10.48.0.0/16
        right=5.6.7.8
        rightsubnet=196.4.49.0/24
        esp=3des
        authby=secret
        keyexchange=ike
        pfs=no
        auto=start

conn tunnelipsec6
        type=tunnel
        left=1.2.3.4
        leftsubnet=10.48.0.0/16
        right=5.6.7.8
        rightsubnet=196.4.51.0/24
        esp=3des
        authby=secret
        keyexchange=ike
        pfs=no
        auto=start

conn tunnelipsec7
        type=tunnel
        left=1.2.3.4
        leftsubnet=10.48.0.0/16
        right=5.6.7.8
        rightsubnet=10.10.99.0/24
        esp=3des
        authby=secret
        keyexchange=ike
        pfs=no
        auto=start

conn tunnelipsec8
        type=tunnel
        left=1.2.3.4
        leftsubnet=10.48.0.0/16
        right=5.6.7.8
        rightsubnet=10.10.250.0/24
        esp=3des
        authby=secret
        keyexchange=ike
        pfs=no
        auto=start

conn tunnelipsec9
        type=tunnel
        left=1.2.3.4
        leftsubnet=10.48.0.0/16
        right=5.6.7.8
        rightsubnet=10.254.0.0/16
        esp=3des
        authby=secret
        keyexchange=ike
        pfs=no
        auto=start

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
Here is my /etc/ipsec.secrets. I cannot give you the real PSK, so I
use "secret" in its place. Please change it accordingly.
[root@firewall ~]# cat /etc/ipsec.secrets
1.2.3.4 5.6.7.8 : PSK "secret"
Below are the firewall rules:
#FOR VPN SETUP
# Exempt the remote tunnel subnets from SNAT; these must precede the SNAT rules
iptables -t nat -A POSTROUTING -o eth1 -d 196.4.49.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 196.4.51.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 10.10.99.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 10.10.250.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 10.254.0.0/16 -j ACCEPT
# Everything else from both local ranges is SNATed to the public address
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 10.48.0.0/16 -j SNAT --to-source 220.247.213.202
$IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 220.247.213.202
#END OF VPN SETUP
Have a look at the commands below.
[root@firewall ~]# /etc/init.d/ipsec status
IPsec running - pluto pid: 6252
pluto pid 6252
9 tunnels up
[root@firewall ~]# ipsec look
firewall.pership.com Wed Sep 3 13:43:31 IST 2008
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 220.247.213.193 0.0.0.0 UG 0 0 0 eth1
10.10.250.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
10.10.99.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
10.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
196.4.49.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
196.4.51.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
[root@firewall ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.9/K2.6.18-8.el5 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
That's it. Again, thanks for your help given out of compassion.
I hope you will enjoy it.
GOOD LUCK
On Tue, Sep 2, 2008 at 8:27 PM, Peter McGill <petermcgill at goco.net> wrote:
> Indunil,
>
> The problem is that SNAT is done postrouting, meaning that the decision to
> put the packets in the tunnel is done before you SNAT them. So the tunnel
> must allow 192.168.1.0/24 and 10.48.0.0/16 for it to work. Even
> then I'm not sure it will work. Please let us know if it does, I have not
> seen a confirmed working setup on this list for NATed tunnel traffic. The
> only other choices are a) NAT the traffic before it reaches
> the openswan server on your network, or b) setup the tunnel for
> 192.168.1.0/24 and have the remote end do the NATing after they receive it.
> I'd really like to know if you get this working how you did it. I had a
> similar request from a business partner, but we gave up trying to get it to
> work and just used the tunnel without NATing the traffic.
>
> Peter
>
> Indunil Jayasooriya wrote:
>>
>> Hi Peter,
>>
>>
>> 192.168.1.1/24 is the primary ip.
>> 10.48.0.1/16 is the secondary ip to the same interface.
>>
>> I have done SNAT. That is the situation on the firewall running openswan.
>>
>> in that case, Will it be possible?
>>
>>
>>
>>
>> On 9/2/08, Peter McGill <petermcgill at goco.net> wrote:
>>>
>>> Indunil,
>>>
>>> Openswan does not NAT addresses, you cannot have a working conn
>>> with 10.48.0.0/16 on your side when your addresses are 192.168.1.0/24.
>>> You must use 192.168.1.0/24 which matches your lan. Unless you're saying
>>> that you've added a second lan using 10.48.0.0/16. The output of ifconfig
>>> would help clarify your situation.
>>>
>>> And please turn these off, they produce a mountain of useless logs:
>>> #klipsdebug=none
>>> #plutodebug=none
>>>
>>> Peter
>>>
>>>
>>> Indunil Jayasooriya wrote:
>>>>
>>>> Hi,
>>>>
>>>> I am running Openswan on Centos 5 firewall. On my side, I have only
>>>> one subnet that is 192.168.1.0/24. On the other side there are 4
>>>> subnets. We can connect to each other. It works fine.
>>>>
>>>> Now, the other side has added another subnet. They asked us to use a
>>>> different IP range to access it. They have given 10.48.0.0/16 to use
>>>> as the other IP range for our side.
>>>>
>>>> But, the new IP range still can't access the other side.
>>>>
>>>> Please see my ipsec.conf file.
>>>>
>>>> [root@firewall ~]# cat /etc/ipsec.conf
>>>> # /etc/ipsec.conf - Openswan IPsec configuration file
>>>> #
>>>> # Manual: ipsec.conf.5
>>>> #
>>>> # Please place your own config files in /etc/ipsec.d/ ending in .conf
>>>>
>>>> version 2.0     # conforms to second version of ipsec.conf specification
>>>>
>>>> # basic configuration
>>>> config setup
>>>>         interfaces=%defaultroute
>>>>         # Debug-logging controls: "none" for (almost) none, "all" for lots.
>>>>         klipsdebug=all
>>>>         plutodebug=all
>>>>         nat_traversal=yes
>>>>
>>>> conn tunnelipsec1
>>>>         type=tunnel
>>>>         left=220.247.213.202
>>>>         leftsubnet=192.168.1.0/24
>>>>         right=196.4.52.10
>>>>         rightsubnet=196.4.49.0/24
>>>>         esp=3des
>>>>         authby=secret
>>>>         keyexchange=ike
>>>>         pfs=no
>>>>         auto=start
>>>>
>>>> conn tunnelipsec2
>>>>         type=tunnel
>>>>         left=220.247.213.202
>>>>         leftsubnet=192.168.1.0/24
>>>>         right=196.4.52.10
>>>>         rightsubnet=196.4.51.0/24
>>>>         esp=3des
>>>>         authby=secret
>>>>         keyexchange=ike
>>>>         pfs=no
>>>>         auto=start
>>>>
>>>> conn tunnelipsec3
>>>>         type=tunnel
>>>>         left=220.247.213.202
>>>>         leftsubnet=192.168.1.0/24
>>>>         right=196.4.52.10
>>>>         rightsubnet=10.10.99.0/24
>>>>         esp=3des
>>>>         authby=secret
>>>>         keyexchange=ike
>>>>         pfs=no
>>>>         auto=start
>>>>
>>>> conn tunnelipsec4
>>>>         type=tunnel
>>>>         left=220.247.213.202
>>>>         leftsubnet=192.168.1.0/24
>>>>         right=196.4.52.10
>>>>         rightsubnet=10.10.250.0/24
>>>>         esp=3des
>>>>         authby=secret
>>>>         keyexchange=ike
>>>>         pfs=no
>>>>         auto=start
>>>>
>>>> conn tunnelipsec5
>>>>         type=tunnel
>>>>         left=220.247.213.202
>>>>         leftsubnet=10.48.0.0/16
>>>>         right=196.4.52.10
>>>>         rightsubnet=10.254.0.0/16
>>>>         esp=3des
>>>>         authby=secret
>>>>         keyexchange=ike
>>>>         pfs=no
>>>>         auto=start
>>>>
>>>> #Disable Opportunistic Encryption
>>>> include /etc/ipsec.d/examples/no_oe.conf
>>>>
>>>> I have added the iptables rules below as well.
>>>>
>>>>
>>>> iptables -t nat -A POSTROUTING -o eth1 -d 196.4.49.0/24 -j ACCEPT
>>>> iptables -t nat -A POSTROUTING -o eth1 -d 196.4.51.0/24 -j ACCEPT
>>>> iptables -t nat -A POSTROUTING -o eth1 -d 10.10.99.0/24 -j ACCEPT
>>>> iptables -t nat -A POSTROUTING -o eth1 -d 10.10.250.0/24 -j ACCEPT
>>>> iptables -t nat -A POSTROUTING -o eth1 -d 10.254.0.0/16 -j ACCEPT
>>>>
>>>> $IPTABLES -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 220.247.213.202
>>>> $IPTABLES -t nat -A POSTROUTING -o eth1 -s 10.48.0.0/16 -j SNAT --to-source 220.247.213.202
>>>>
>>>> We can access the first 4 subnets of the other side with the 192.168.1.0/24 IP
>>>> range. But we cannot access the last subnet of the other side with
>>>> 10.48.0.0/16.
>>>>
>>>> Could you please explain why?
>>>>
>>>>
>>>>
>>>>
>>
>>
>
--
Thank you
Indunil Jayasooriya
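The point Peter makes in the thread, and that the working setup above relies on, is ordering in the nat POSTROUTING chain: with NETKEY the kernel picks the IPsec policy on the unnatted source address, so any leftsubnet that is also covered by an SNAT rule must have every rightsubnet it talks to exempted with an ACCEPT rule that comes before the SNAT rule. Keeping nine conns and five exemption rules in sync by hand is error-prone, so here is an added example (my own code, not part of Indunil's post or of Openswan) that parses conn stanzas and the nat rule list and reports tunnel traffic an SNAT rule would rewrite before an exemption catches it. The sample input is constructed from three of the nine conns in the post, with the poster's 1.2.3.4 placeholder standing in as the SNAT address; the parser assumes rules are appended with -A in file order and only understands destination-based ACCEPT exemptions and source-based SNAT/MASQUERADE rules.

```python
"""Cross-check Openswan conn stanzas against nat POSTROUTING rules: any
leftsubnet hit by SNAT needs its rightsubnets exempted *before* the SNAT."""
import ipaddress

# Constructed sample: three of the nine conns from the post, gateway
# addresses replaced by the poster's 1.2.3.4 / 5.6.7.8 placeholders.
IPSEC_CONF = """\
config setup
        interfaces=%defaultroute
        nat_traversal=yes

conn tunnelipsec1
        left=1.2.3.4
        leftsubnet=192.168.1.0/24
        right=5.6.7.8
        rightsubnet=196.4.49.0/24

conn tunnelipsec5
        left=1.2.3.4
        leftsubnet=10.48.0.0/16
        right=5.6.7.8
        rightsubnet=196.4.49.0/24

conn tunnelipsec9
        left=1.2.3.4
        leftsubnet=10.48.0.0/16
        right=5.6.7.8
        rightsubnet=10.254.0.0/16

include /etc/ipsec.d/examples/no_oe.conf
"""

# The post's nat rules, SNAT address replaced by the placeholder 1.2.3.4.
NAT_RULES = """\
iptables -t nat -A POSTROUTING -o eth1 -d 196.4.49.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 196.4.51.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 10.10.99.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 10.10.250.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 10.254.0.0/16 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -s 10.48.0.0/16 -j SNAT --to-source 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 1.2.3.4
"""

# Same rules with the two SNAT lines moved to the top: a common mistake.
NAT_RULES_SNAT_FIRST = "\n".join(
    NAT_RULES.splitlines()[-2:] + NAT_RULES.splitlines()[:-2]) + "\n"


def parse_conns(conf_text):
    """Return {conn_name: {key: value}} for every conn section."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif line.split()[0] in ("config", "include", "version"):
            current = None                       # back at top level
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def parse_nat_rules(rules_text):
    """Return nat POSTROUTING rules in evaluation order as (target, network).
    Only '-A' appends are handled, so file order is chain order."""
    rules = []
    for line in rules_text.splitlines():
        tokens = line.split()
        opts = {tokens[i]: tokens[i + 1]
                for i in range(len(tokens) - 1) if tokens[i].startswith("-")}
        if opts.get("-t") != "nat" or opts.get("-A") != "POSTROUTING":
            continue
        target = opts.get("-j")
        if target == "ACCEPT" and "-d" in opts:
            rules.append(("ACCEPT", ipaddress.ip_network(opts["-d"], strict=False)))
        elif target in ("SNAT", "MASQUERADE"):
            src = opts.get("-s", "0.0.0.0/0")    # no -s means any source
            rules.append((target, ipaddress.ip_network(src, strict=False)))
    return rules


def tunnel_traffic_hit_by_snat(conns, rules):
    """List (conn, leftsubnet, rightsubnet) whose traffic reaches an SNAT
    rule before an ACCEPT covering the whole rightsubnet; iptables stops
    at the first matching rule, so order decides."""
    problems = []
    for name, params in conns.items():
        if "leftsubnet" not in params or "rightsubnet" not in params:
            continue
        src = ipaddress.ip_network(params["leftsubnet"], strict=False)
        dst = ipaddress.ip_network(params["rightsubnet"], strict=False)
        for target, net in rules:
            if target == "ACCEPT" and dst.subnet_of(net):
                break                            # exempted in time: fine
            if target != "ACCEPT" and src.overlaps(net):
                problems.append((name, params["leftsubnet"], params["rightsubnet"]))
                break
    return problems


def check(conf_text, rules_text):
    return tunnel_traffic_hit_by_snat(parse_conns(conf_text), parse_nat_rules(rules_text))


if __name__ == "__main__":
    print("post's ordering:", check(IPSEC_CONF, NAT_RULES))
    print("SNAT first:     ", check(IPSEC_CONF, NAT_RULES_SNAT_FIRST))
```

Run against the post's ordering the checker reports nothing; with the SNAT rules moved ahead of the exemptions it flags all three conns, and dropping only the 10.254.0.0/16 exemption flags tunnelipsec9 alone, which is exactly the symptom a missing exemption produces in practice. On a NETKEY kernel the two lists can be avoided altogether by placing a single `-m policy --dir out --pol ipsec -j ACCEPT` rule ahead of the SNAT rules, which exempts whatever the kernel has already matched to an IPsec policy; this checker does not parse that form.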