[Openswan Users] VPN client IP addressing configuration issues

Rolando J. Zappacosta zappacor at yahoo.com.ar
Fri Sep 5 14:13:15 EDT 2008


Hi all,



    I sniffed again what a Windows client does when connecting to the SGW I 
want to connect to by means of OSW:

No. Time Source Destination Protocol Info
7 17.177861 192.168.1.236 AAA.SGW.SGW.SGW ISAKMP Aggressive
8 17.269798 AAA.SGW.SGW.SGW 192.168.1.236 ISAKMP Aggressive
9 17.273487 192.168.1.236 AAA.SGW.SGW.SGW ISAKMP Aggressive
10 17.368693 AAA.SGW.SGW.SGW 192.168.1.236 ISAKMP Informational
11 17.368956 192.168.1.236 AAA.SGW.SGW.SGW ISAKMP Informational
13 20.669004 AAA.SGW.SGW.SGW 192.168.1.236 ISAKMP Informational
15 20.682181 192.168.1.236 AAA.SGW.SGW.SGW ISAKMP Quick Mode
16 20.873717 AAA.SGW.SGW.SGW 192.168.1.236 ISAKMP Quick Mode
17 20.874288 192.168.1.236 AAA.SGW.SGW.SGW ISAKMP Quick Mode
18 20.975815 AAA.SGW.SGW.SGW 192.168.1.236 ISAKMP Informational
21 21.535865 Intel_b1:d7:95 Broadcast ARP Gratuitous ARP for AAA.PC.PC.PC (Request)
28 22.420799 Intel_b1:d7:95 Broadcast ARP Gratuitous ARP for AAA.PC.PC.PC (Request)
31 23.420795 Intel_b1:d7:95 Broadcast ARP Gratuitous ARP for AAA.PC.PC.PC (Request)
37 27.431043 Intel_b1:d7:95 Broadcast ARP Who has AAA.SRV.SRV.SRV? Tell 192.168.1.236
38 27.431083 Comtrend_f6:b7:3d Intel_b1:d7:95 ARP AAA.SRV.SRV.SRV is at 00:30:da:f6:b7:3d
39 27.431095 AAA.PC.PC.PC AAA.SRV.SRV.SRV ICMP Echo (ping) request
42 27.939265 AAA.SRV.SRV.SRV AAA.PC.PC.PC ICMP Echo (ping) reply
43 28.436479 AAA.PC.PC.PC AAA.SRV.SRV.SRV ICMP Echo (ping) request
44 28.860815 AAA.SRV.SRV.SRV AAA.PC.PC.PC ICMP Echo (ping) reply

Note I send a ping from my PC (AAA.PC.PC.PC) to a server on the Intranet I 
connect to (AAA.SRV.SRV.SRV).

And as per the Windows client log, it's:

09/05/08 19:28:58 IKE/IKE Started Enable Secure Access to TEP: MyIntranetConnection (AAA.SGW.SGW.SGW) for user <MyUser>
19:28:59 IKE/IKE Source IP Address, Port for IKE : 192.168.1.236, 1659
19:28:59 IKE/IKE Contacted VPN gateway (AAA.SGW.SGW.SGW)
19:29:02 IKE/IKE User Authentication Successful.
19:29:02 IKE/IKE Tunnel Parameters received from gateway are:
Encryption : TRIPLE DES Authentication : SHA1
Tunnel transport method: UDP-Encapsulated on Port 501
Authentication Timeout: 1440 Minutes
Heartbeat Interval: 60 Seconds
Internal IP for local presence :AAA.PC.PC.PC
Pri. DNS :<DNS 1 IP addr> Sec. DNS :<DNS 2 IP addr>
Pri. WINS :<WINS 1 IP addr> Sec. WINS :<WINS 2 IP addr>
HostList: *
Tunnel administrator does not allow you to save password
Orig Pri. WINS :0.0.0.0 Orig Sec. WINS :0.0.0.0
Firewall Policy: Block All Clear Text Traffic
09/05/08 19:29:03 IKE/IKE IPSec SA SPIs: Inbound: 0x 91bd, Outbound: 0x 2fd7e2ff
09/05/08 19:29:03 IKE/IKE Successfully established VPN Tunnel to TEP AAA.SGW.SGW.SGW for User zappacos



Does it give any hint on what I can be missing in the OSW config below?



----- Original Message ----- 
From: "Paul Wouters" <paul at xelerance.com>
To: "Rolando Zappacosta" <zappacor at yahoo.com.ar>
Cc: <users at openswan.org>
Sent: Thursday, September 04, 2008 3:56 PM
Subject: Re: [Openswan Users] VPN client IP addressing configuration issues


> On Thu, 4 Sep 2008, Rolando Zappacosta wrote:
>
>> LAPTOP <-> DSL ROUTER OR 3G USB DEVICE <=> INTERNET CLOUD <=> IPSEC VPN 
>> SERVER <-> INTRANET
>
>>  In a first stage I'd like to have all the laptop's outgoing traffic sent 
>> out through the IPSec tunnel but once it's up I can see the ICMP packets 
>> destined to an IP address within the intranet sent unencapsulated (not 
>> through the tunnel).
>
> since you use NETKEY, you cannot see the encrypted traffic with tcpdump on 
> the client.
>
>> How can I debug this or trace the packets flows?
>
> That's not needed at this point, but there is one debug option in 
> ipsec.conf (plutodebug)
>
>> How can I handle the fact that the DSL router and the USB stick public IP 
>> addresses are different and change (each time I connect for the latter)?
>
> left=%defaultroute will pick the IP from your dynamic assignment.
>
> To tunnel all traffic (if the remote allows that), then you should
> configure rightsubnet=0.0.0.0/0
>
>> conn Intranet
>>        ike=3des-sha1-modp1024
>>        esp=3des-sha1
>>        aggrmode=yes
>>        xauth=yes
>>        keyexchange=ike
>>        keylife=24h
>>        ikelifetime=24h
>>        auth=esp
>>        type=tunnel
>>        authby=secret
>>        # *********** This is for the PC (local):
>>        left=<The 3G stick public IP address it gets each time>
>>        leftxauthclient=yes
>>        leftid="!@#$%"
>>        # *********** This is for the GW (remote):
>>        right=<The IPsec server public IP address>
>>        rightxauthserver=yes
>>        rightmodecfgserver=yes
>>        pfs=no
>>        #compress=no
>>        auto=add
>
> I'll assume this is not openswan, since xauth is being used?
>
> Paul 
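As an added example that is not part of either message, a small Python check over a Wireshark packet-list summary in the format quoted above: it treats the tunnel as established once Quick Mode has been seen in both directions with the gateway and then lists intranet-bound or intranet-sourced frames that are not carried as ISAKMP or ESP. The gateway address, the intranet prefix and the summary lines are constructed placeholders, not values from the thread.

```python
"""Clear-text leak check over a Wireshark packet-list summary (constructed
example, not code from the thread). After Quick Mode has been seen in both
directions with the gateway, any later packet that touches the intranet prefix
and is not ISAKMP or ESP is reported as traffic travelling outside the tunnel."""
import ipaddress
import re
# Constructed values in the mail's capture format (RFC 5737 / RFC 1918 ranges).
# Caveat from the thread: with NETKEY a capture on the client shows plaintext
# before encryption, so take the capture on the outside (WAN) side.
GATEWAY = "203.0.113.10"
INTRANET = ipaddress.ip_network("10.20.0.0/16")
CAPTURE = """\
7 17.177861 192.168.1.236 203.0.113.10 ISAKMP Aggressive
15 20.682181 192.168.1.236 203.0.113.10 ISAKMP Quick Mode
16 20.873717 203.0.113.10 192.168.1.236 ISAKMP Quick Mode
19 21.001000 192.168.1.236 203.0.113.10 ESP ESP (SPI=0x2fd7e2ff)
21 21.535865 Intel_b1:d7:95 Broadcast ARP Gratuitous ARP for 10.20.0.5 (Request)
39 27.431095 10.20.0.5 10.20.1.7 ICMP Echo (ping) request
42 27.939265 10.20.1.7 10.20.0.5 ICMP Echo (ping) reply
50 30.000000 192.168.1.236 198.51.100.3 DNS Standard query A example.com
"""
LINE = re.compile(r"^(\d+)\s+[\d.]+\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
TUNNEL_PROTOS = {"ISAKMP", "ESP"}  # NAT-T UDP-encapsulated ESP is also shown as ESP

def parse(summary):
    """Yield (frame_no, src, dst, proto, info); header and junk lines are skipped."""
    for raw in summary.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield (int(m.group(1)),) + m.group(2, 3, 4, 5)

def in_intranet(addr, net):
    """True for an IP inside net; MAC or vendor names ('Broadcast') are not IPs."""
    try:
        return ipaddress.ip_address(addr) in net
    except ValueError:
        return False

def find_clear_text_leaks(summary, intranet, gateway):
    """Return frame numbers of intranet traffic seen outside ESP once the SA is up."""
    qm_to_gw = qm_from_gw = False
    leaks = []
    for no, src, dst, proto, info in parse(summary):
        if proto == "ISAKMP" and info.startswith("Quick Mode"):
            qm_to_gw |= dst == gateway
            qm_from_gw |= src == gateway
        elif (qm_to_gw and qm_from_gw and proto not in TUNNEL_PROTOS
              and (in_intranet(src, intranet) or in_intranet(dst, intranet))):
            leaks.append(no)
    return leaks

if __name__ == "__main__":
    print(find_clear_text_leaks(CAPTURE, INTRANET, GATEWAY))  # [39, 42]
```

Frames 39 and 42 are the ping pair that should have been inside ESP; a clean run on a WAN-side capture returns an empty list.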
