[Openswan Users] [Bulk] Re: VPN client IP addressing configuration issues
Rolando Zappacosta
zappacor at yahoo.com.ar
Thu Sep 4 12:52:45 EDT 2008
Hi Felipe,
iptables is installed on this PC but, I think, it's not configured:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
RJZ-LNX ipsec #
Even so, I tried your command below, but no luck either.
Maybe I'm missing a kernel option? This is what barf shows:
# CONFIG_IPC_NS is not set
CONFIG_XFRM=y
CONFIG_XFRM_USER=m
# CONFIG_XFRM_SUB_POLICY is not set
# CONFIG_XFRM_MIGRATE is not set
# CONFIG_XFRM_STATISTICS is not set
CONFIG_NET_KEY=m
# CONFIG_NET_KEY_MIGRATE is not set
CONFIG_INET=y
# CONFIG_IP_MULTICAST is not set
# CONFIG_IP_ADVANCED_ROUTER is not set
CONFIG_IP_FIB_HASH=y
# CONFIG_IP_PNP is not set
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_INET_LRO=m
CONFIG_INET_DIAG=y
CONFIG_INET_TCP_DIAG=y
# CONFIG_IP_VS is not set
# CONFIG_IPV6 is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
# CONFIG_IP_NF_TARGET_REJECT is not set
# CONFIG_IP_NF_TARGET_LOG is not set
# CONFIG_IP_NF_TARGET_ULOG is not set
CONFIG_IP_NF_TARGET_MASQUERADE=m
# CONFIG_IP_NF_MANGLE is not set
# CONFIG_IP_DCCP is not set
# CONFIG_IP_SCTP is not set
# CONFIG_IPX is not set
# CONFIG_IP1000 is not set
# CONFIG_IPW2100 is not set
# CONFIG_IPW2200 is not set
# CONFIG_IPMI_HANDLER is not set
# CONFIG_HW_RANDOM is not set
# CONFIG_IPWIRELESS is not set
and this is what I get loaded:
lsmod
Module Size Used by
iptable_nat 4552 0
nf_nat 13272 1 iptable_nat
nf_conntrack_ipv4 10700 3 iptable_nat,nf_nat
nf_conntrack 42756 3 iptable_nat,nf_nat,nf_conntrack_ipv4
iptable_filter 2432 0
ip_tables 9168 2 iptable_nat,iptable_filter
x_tables 11204 2 iptable_nat,ip_tables
xfrm_user 17344 2
xfrm4_tunnel 1920 0
af_key 22996 0
authenc 4736 2
xfrm4_mode_tunnel 2112 4
deflate 2432 0
zlib_deflate 17192 1 deflate
ctr 3776 0
twofish 6336 0
twofish_common 13312 1 twofish
camellia 17792 0
serpent 16896 0
blowfish 8000 0
cbc 3136 2
xcbc 4040 0
crypto_null 2752 0
tunnel4 2312 1 xfrm4_tunnel
ipcomp 5192 0
esp4 5376 2
aead 5504 2 authenc,esp4
ah4 4224 0
des_generic 16128 2
sha256_generic 11200 0
--- On Thu, 9/4/08, Felipe - Rasputin <felipe.nix at gmail.com> wrote:
> From: Felipe - Rasputin <felipe.nix at gmail.com>
> Subject: Re: [Bulk] Re: [Openswan Users] VPN client IP addressing configuration issues
> To: "Rolando J. Zappacosta" <rzappa at ieee.org>
> Date: Thursday, September 4, 2008, 3:54 PM
> Do you have some masq rules? Check your firewall rules; the IPsec
> traffic must not be masqueraded.
>
> try
> iptables -t nat -I POSTROUTING -s your_ip -d remote_ip -j RETURN
>
> On Thu, Sep 4, 2008 at 10:15 AM, Rolando J. Zappacosta
> <zappacor at gmail.com>wrote:
>
> > Hi Felipe,
> >
> > I tried your suggested config but still the same: ethereal shows
> > packets from the 3G-assigned public address to the server I'm
> > pinging as if there were no tunnel up but just the physical connection.
> >
> > Is there any way one can check how the packets are flowing within the
> > local PC?
> >
> >
> >
> > ----- Original Message -----
> > *From:* Felipe - Rasputin <felipe.nix at gmail.com>
> > *To:* zappacor at yahoo.com.ar
> > *Sent:* Thursday, September 04, 2008 1:45 PM
> > *Subject:* [Bulk] Re: [Openswan Users] VPN client IP
> addressing
> > configuration issues
> >
> > change the config to:
> >
> > left=%defaultroute
> > leftnexthop=
> >
> > (leave leftnexthop blank)
> >
> > and in your ipsec.secrets change to this:
> >
> > id remote_ip: PSK "key"
> >
> > e.g.
> >
> > myid 66.66.66.66: PSK "MyKey"
> >
> >
> >
> > On Thu, Sep 4, 2008 at 7:09 AM, Rolando Zappacosta
> <zappacor at yahoo.com.ar>wrote:
> >
> >> Hi all,
> >>
> >> I'm trying to connect a laptop to an IPsec-secured intranet through the
> >> internet:
> >>
> >> LAPTOP <-> DSL ROUTER OR 3G USB DEVICE <=> INTERNET CLOUD <=> IPSEC VPN SERVER <-> INTRANET
> >>
> >> where the DSL router's and the 3G USB device's public addresses get
> >> dynamically assigned by the respective ISPs, while the IPsec VPN server's
> >> is fixed.
> >>
> >> In a first stage I'd like to have all the laptop's outgoing traffic sent
> >> out through the IPsec tunnel, but once it's up I can see the ICMP packets
> >> destined to an IP address within the intranet sent unencapsulated (not
> >> through the tunnel).
> >>
> >> I googled a lot and tried several different configurations for
> >> left/rightsubnet, left/right, etc. but no luck.
> >>
> >> How can I debug this or trace the packet flows?
> >> How can I handle the fact that the DSL router and the USB stick public IP
> >> addresses are different and change (each time I connect, for the latter)?
> >>
> >> My current configuration is:
> >> ******* ipsec.conf BEGIN *****
> >> version 2.0
> >> config setup
> >>     nat_traversal=yes
> >>     interfaces=%defaultroute
> >>
> >> conn Intranet
> >>     ike=3des-sha1-modp1024
> >>     esp=3des-sha1
> >>     aggrmode=yes
> >>     xauth=yes
> >>     keyexchange=ike
> >>     keylife=24h
> >>     ikelifetime=24h
> >>     auth=esp
> >>     type=tunnel
> >>     authby=secret
> >>     # *********** This is for the PC (local):
> >>     left=<The 3G stick public IP address it gets each time>
> >>     leftxauthclient=yes
> >>     leftid="!@#$%"
> >>     # *********** This is for the GW (remote):
> >>     right=<The IPsec server public IP address>
> >>     rightxauthserver=yes
> >>     rightmodecfgserver=yes
> >>     pfs=no
> >>     #compress=no
> >>     auto=add
> >>
> >> #Disable Opportunistic Encryption
> >> include /etc/ipsec/ipsec.d/examples/no_oe.conf
> >> ******* ipsec.conf END *****
> >>
> >> and this is the output for what I could debug:
> >> ******* ipsec verify BEGIN *****
> >> Checking your system to see if IPsec got installed and started correctly:
> >> Version check and ipsec on-path                                [OK]
> >> Linux Openswan U2.4.13/K2.6.26-tuxonice (netkey)
> >> Checking for IPsec support in kernel                           [OK]
> >> NETKEY detected, testing for disabled ICMP send_redirects      [OK]
> >> NETKEY detected, testing for disabled ICMP accept_redirects    [OK]
> >> Checking for RSA private key (/etc/ipsec/ipsec.secrets)        [OK]
> >> Checking that pluto is running                                 [OK]
> >> Two or more interfaces found, checking IP forwarding           [OK]
> >> Checking NAT and MASQUERADEing                                 [N/A]
> >> Checking for 'ip' command                                      [OK]
> >> Checking for 'iptables' command                                [OK]
> >> Opportunistic Encryption Support                               [DISABLED]
> >> ******* ipsec verify END *****
> >>
> >> ******* ipsec look BEGIN (connected by means of a 3G USB device though) *****
> >> Destination                                   Gateway                               Genmask          Flags MSS Window irtt Iface
> >> 0.0.0.0                                       10.64.64.64                           0.0.0.0          UG    0   0      0    ppp0
> >> 0.0.0.0                                       <The IPsec server public IP address>  0.0.0.0          UG    0   0      0    ppp0
> >> 10.64.64.64                                   0.0.0.0                               255.255.255.255  UH    0   0      0    ppp0
> >> <The IPsec server public IP address subnet>   <The IPsec server public IP address>  255.0.0.0        UG    0   0      0    ppp0
> >> <The IPsec server public IP address>          0.0.0.0                               255.255.255.255  UH    0   0      0    ppp0
> >> ******* ipsec look END *****
> >>
> >>
> >>
> >> _______________________________________________
> >> Users at openswan.org
> >> http://lists.openswan.org/mailman/listinfo/users
> >> Building and Integrating Virtual Private Networks
> with Openswan:
> >>
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> >>
> >
> >
> >
> > --
> > #========================#
> > Felipe Santos '<\( Rasputin )/>'
> > felipe.nix at gmail.com
> > LPI ID: LPI000123744
> > http://br.groups.yahoo.com/group/openswan-br
> > #========================#
> >
> >
>
>
> --
> #========================#
> Felipe Santos '<\( Rasputin )/>'
> felipe.nix at gmail.com
> LPI ID: LPI000123744
> http://br.groups.yahoo.com/group/openswan-br
> #========================#
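An added check for the "am I missing a kernel option?" question in the top message, not code from the thread or from Openswan: it parses a kernel-config listing of the kind barf prints together with lsmod output, and reports for each NETKEY-related option whether it is built in, built as a module that is loaded, built as a module not yet loaded, or not set at all. The option list and the option-to-module mapping are this example's own assumptions, and the sample input is constructed in the shape of the thread's output.

```python
import re
# Assumed checklist (this example's own, not from the thread): kernel option ->
# module that provides it when the option is built as =m (None: no module).
NETKEY_OPTIONS = {
    "CONFIG_XFRM": None,
    "CONFIG_XFRM_USER": "xfrm_user",    # netlink xfrm interface used by pluto
    "CONFIG_NET_KEY": "af_key",         # PF_KEY socket interface
    "CONFIG_INET_AH": "ah4",
    "CONFIG_INET_ESP": "esp4",
    "CONFIG_INET_IPCOMP": "ipcomp",
    "CONFIG_INET_XFRM_TUNNEL": "xfrm4_tunnel",
    "CONFIG_INET_XFRM_MODE_TUNNEL": "xfrm4_mode_tunnel",
    "CONFIG_INET_XFRM_MODE_TRANSPORT": "xfrm4_mode_transport",
}

def parse_kconfig(text):
    """Map CONFIG_* names to 'y', 'm' or 'n' from .config-style lines."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(?:#\s*)?(CONFIG_\w+)(?:=(y|m)\s*$| is not set)", line)
        if m:
            opts[m.group(1)] = m.group(2) or "n"
    return opts

def parse_lsmod(text):
    """Return the module names listed by lsmod (first column, header skipped)."""
    return {ln.split()[0] for ln in text.splitlines()[1:] if ln.split()}

def netkey_status(kconfig_text, lsmod_text):
    """Classify each checklist option. Only 'NOT SET' is fatal: a =m module
    missing from lsmod is normally autoloaded by the kernel on first use."""
    opts, loaded = parse_kconfig(kconfig_text), parse_lsmod(lsmod_text)
    result = {}
    for opt, mod in NETKEY_OPTIONS.items():
        state = opts.get(opt, "n")  # absent from the dump counts as unset
        result[opt] = ("built-in" if state == "y" else "NOT SET" if state == "n"
                       else "module loaded" if mod in loaded else "module not loaded")
    return result

# Constructed sample in the shape of the thread's barf and lsmod output.
SAMPLE_KCONFIG = ("CONFIG_XFRM=y\nCONFIG_XFRM_USER=m\nCONFIG_NET_KEY=m\nCONFIG_INET_AH=m\n"
                  "CONFIG_INET_ESP=m\nCONFIG_INET_IPCOMP=m\nCONFIG_INET_XFRM_TUNNEL=m\n"
                  "CONFIG_INET_XFRM_MODE_TRANSPORT=m\nCONFIG_INET_XFRM_MODE_TUNNEL=m\n")
SAMPLE_LSMOD = ("Module Size Used by\nxfrm_user 17344 2\naf_key 22996 0\nxfrm4_mode_tunnel 2112 4\n"
                "esp4 5376 2\nah4 4224 0\nipcomp 5192 0\nxfrm4_tunnel 1920 0\n")

if __name__ == "__main__":
    for opt, st in netkey_status(SAMPLE_KCONFIG, SAMPLE_LSMOD).items():
        print(f"{opt:34} {st}")
```

On a live host, feed it the CONFIG_ lines from `ipsec barf` and the output of `lsmod`; a "module not loaded" line for a tunnel-only setup (such as xfrm4_mode_transport here) is informational, while a "NOT SET" line means the kernel cannot do that part of IPsec at all.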