[Openswan Users] Net to Net VPN almost configured - but no tunnel established

Peter McGill petermcgill at goco.net
Fri Sep 26 10:04:43 EDT 2008


Jorge,

I'm not sure if you can have a subnet to subnet tunnel over nat-t
when the subnet doesn't contain the private unnatted client address.
Normally when setting up a natted connection, rightsubnet is used to
specify which addresses behind nat are allowed to connect. How it can
then be used to also specify a subnet I do not know.

I solve this by avoiding NAT situations. I configure my ADSL routers in
PPPoE passthrough mode, that is, my Linux box does the PPPoE work to
connect to the internet and it gets the public internet address. So no
NAT is involved and openswan gets a public internet address, and my
Linux box doubles as the internet router/gateway for the LAN. Usually
the internet provider sets up the ADSL router and asks you if you have
your own router or not. When you say yes, then they configure it this
way for you. The downside is that when the internet doesn't work, the
first thing they usually do is blame your router and refuse to help you,
saying "we only support our routers".

Peter

Jorge Quirós wrote:
> Hi Everyone,
> 
> I'm experiencing problems connecting two networks using openswan on two
> DEBIAN Servers, both with two network interfaces, iptables firewall and
> NAT rules.
> 
> The VPN connection starts, but I get the following message on Firewall B:
> 
> packet from 212.170.202.XXX:500: initial Main Mode message received on
> 192.168.3.2:500 but no connection has been authorized
> 
> Please, any suggestion?
> 
> Thanks in advance.
> 
> Jorge Quiros
> 
> 
> Network topology:
> 
> SUBNET A
> 192.168.0.0/24
>         |
> FIREWALL A (NAT ENABLED)
> 192.168.0.5(eth3)|192.168.1.2(eth4)
>         |
> ADSL ROUTER A (STATIC PUBLIC IP)
>  192.168.1.1 (212.170.202.XXX)
>         |
>         |
>         |
> INTERNET
>         |
>         |
>         |
> ADSL ROUTER B (STATIC PUBLIC IP)
> 192.168.3.1 (88.2.182.XXX)
>         |
> FIREWALL B (NAT ENABLED)
>  192.168.3.2(eth0)|192.168.1.3(eth1)
>         |
> SUBNET B
>  192.168.1.0/24
> 
> 
> /etc/ipsec.conf:
> 
> # basic configuration
> config setup
>         forwardcontrol=no
>         nat_traversal=yes
>         nhelpers=0
>         plutodebug=none
>         klipsdebug=all
>         syslog=auth.debug
> 
> # Add connections here
> 
> # sample VPN connections, see /etc/ipsec.d/examples/
> 
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> 
> conn A-B
>         left=192.168.2.2
>         leftsubnet=192.168.0.0/24
>         leftid=@a.conA-B.es
>         leftrsasigkey=0sAQOaU3oaT1wSGWCzD0yfmYE0QI1toL/baZfy1RGiIdnceM….
>         leftnexthop=212.170.202.XXX
>         right=88.2.182.XXX
>         rightsubnet=192.168.1.0/24
>         rightid=@b.conA-B.es
>         rightrsasigkey=0sAQPBm59puhrn6MUGY3ZbNX8ovBWK4uNuwRyrTHIdk…
>         rightnexthop=192.168.3.2
>         auto=add
> 
> 
> Firewall A:
> 
> # Generated by iptables-save v1.3.6 on Fri May  9 19:24:55 2008
> *nat
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> # Escritorio Remoto
> -A PREROUTING -p tcp -m tcp -s YYY.YYY.YYY.YYY -i eth4 --dport 3389 -j DNAT --to-destination 192.168.0.2
> -A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.1.0/24 -o eth3 -j MASQUERADE
> -A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.1.0/24 -o eth4 -j MASQUERADE
> COMMIT
> # Completed on Fri May  9 19:24:55 2008
> # Generated by iptables-save v1.3.6 on Fri May  9 19:24:55 2008
> *mangle
> :PREROUTING ACCEPT [25:1951]
> :INPUT ACCEPT [24:1911]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [21:6351]
> :POSTROUTING ACCEPT [21:6351]
> COMMIT
> # Completed on Fri May  9 19:24:55 2008
> # Generated by iptables-save v1.3.6 on Fri May  9 19:24:55 2008
> *filter
> :FORWARD ACCEPT [0:0]
> :INPUT DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> :LOG_ACCEPT - [0:0]
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -s 127.0.0.1/8 -j ACCEPT
> -A INPUT -s 88.2.182.XXX -j ACCEPT
> -A INPUT -s 192.168.0.0/24 -j ACCEPT
> -A INPUT -s 192.168.1.0/24 -j ACCEPT
> -A INPUT -s 192.168.3.0/24 -j ACCEPT
> -A INPUT -p tcp -m tcp -i eth4 --dport 80 -j ACCEPT
> -A INPUT -p esp -j ACCEPT
> -A INPUT -p ah -j ACCEPT
> -A INPUT -p udp -m udp -m multiport --ports 500 -j ACCEPT
> -A INPUT -p udp -m udp -m multiport --ports 4500 -j ACCEPT
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A LOG_ACCEPT -j LOG --log-prefix "LOG_ACCEPT " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
> -A LOG_ACCEPT -j ACCEPT
> -A OUTPUT ! -p icmp -j ACCEPT
> -A OUTPUT -p esp -j LOG_ACCEPT
> -A OUTPUT -p ah -j LOG_ACCEPT
> -A OUTPUT -p udp -m udp --sport 500 -j LOG_ACCEPT
> -A OUTPUT -p udp -m udp --sport 4500 -j LOG_ACCEPT
> COMMIT
> # Completed on Fri May  9 19:24:55 2008
> 
> 
> Firewall B:
> 
> # Generated by iptables-save v1.3.6 on Tue Aug 26 15:57:57 2008
> *nat
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.0.0/24 -o eth0 -j MASQUERADE
> -A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.0.0/24 -o eth1 -j MASQUERADE
> COMMIT
> # Completed on Tue Aug 26 15:57:57 2008
> # Generated by iptables-save v1.3.6 on Tue Aug 26 15:57:57 2008
> *mangle
> :PREROUTING ACCEPT [11:1820]
> :INPUT ACCEPT [11:1820]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [10:3637]
> :POSTROUTING ACCEPT [10:3637]
> COMMIT
> # Completed on Tue Aug 26 15:57:57 2008
> # Generated by iptables-save v1.3.6 on Tue Aug 26 15:57:57 2008
> *filter
> :FORWARD ACCEPT [0:0]
> :INPUT DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> :LOG_ACCEPT - [0:0]
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -s 127.0.0.1/18 -j ACCEPT
> -A INPUT -s 212.170.202.150 -j LOG_ACCEPT
> -A INPUT -s 192.168.2.0/24 -j LOG_ACCEPT
> -A INPUT -s 192.168.0.0/24 -j LOG_ACCEPT
> -A INPUT -p udp -m udp -m multiport -s 212.170.202.XXX --ports 500 -j ACCEPT
> -A INPUT -p tcp -m tcp -i eth0 --dport 80 -j ACCEPT
> -A INPUT -p esp -j ACCEPT
> -A OUTPUT -p esp -j ACCEPT
> -A OUTPUT -p ah -j ACCEPT
> -A LOG_ACCEPT -j LOG --log-prefix "LOG_ACCEPT " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
> -A LOG_ACCEPT -j ACCEPT
> -A INPUT -p ah -j ACCEPT
> -A INPUT -p udp -m udp --dport 4500 -j LOG_ACCEPT
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> COMMIT
> # Completed on Tue Aug 26 15:57:57 2008
> 
> 
> A's auth.log:
> 
> Sep 26 10:14:52 bastion ipsec_setup: KLIPS ipsec0 on eth4 192.168.2.2/255.255.255.0 broadcast 192.168.2.255
> Sep 26 10:14:52 bastion ipsec__plutorun: Starting Pluto subsystem...
> Sep 26 10:14:52 bastion pluto[4554]: Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OElLO]RdWNRD)
> Sep 26 10:14:52 bastion pluto[4554]: Setting NAT-Traversal port-4500 floating to on
> Sep 26 10:14:52 bastion pluto[4554]:    port floating activation criteria nat_t=1/port_fload=1
> Sep 26 10:14:52 bastion pluto[4554]:   including NAT-Traversal patch (Version 0.6c)
> Sep 26 10:14:52 bastion pluto[4554]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
> Sep 26 10:14:52 bastion pluto[4554]: WARNING: Using /dev/urandom as the source of random
> Sep 26 10:14:52 bastion pluto[4554]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> Sep 26 10:14:52 bastion pluto[4554]: no helpers will be started, all cryptographic operations will be done inline
> Sep 26 10:14:52 bastion pluto[4554]: Using Linux 2.6 IPsec interface code on 2.6.18-6-686
> Sep 26 10:14:52 bastion pluto[4554]: Changing to directory '/etc/ipsec.d/cacerts'
> Sep 26 10:14:52 bastion pluto[4554]: Changing to directory '/etc/ipsec.d/aacerts'
> Sep 26 10:14:52 bastion pluto[4554]: Changing to directory '/etc/ipsec.d/ocspcerts'
> Sep 26 10:14:52 bastion pluto[4554]: Changing to directory '/etc/ipsec.d/crls'
> Sep 26 10:14:52 bastion pluto[4554]:   Warning: empty directory
> Sep 26 10:14:52 bastion ipsec_setup: ...Openswan IPsec started
> Sep 26 10:14:52 bastion ipsec_setup: Starting Openswan IPsec 2.4.6...
> Sep 26 10:14:52 bastion ipsec_setup: insmod /lib/modules/2.6.18-6-686/kernel/net/key/af_key.ko
> Sep 26 10:14:52 bastion ipsec_setup: insmod /lib/modules/2.6.18-6-686/kernel/net/ipv4/xfrm4_tunnel.ko
> Sep 26 10:14:52 bastion ipsec_setup: insmod /lib/modules/2.6.18-6-686/kernel/net/xfrm/xfrm_user.ko
> Sep 26 10:14:52 bastion pluto[4554]: added connection description "A-B"
> Sep 26 10:14:52 bastion pluto[4554]: listening for IKE messages
> Sep 26 10:14:52 bastion pluto[4554]: adding interface eth3/eth3 192.168.0.5:500
> Sep 26 10:14:52 bastion pluto[4554]: adding interface eth3/eth3 192.168.0.5:4500
> Sep 26 10:14:52 bastion pluto[4554]: adding interface eth4/eth4 192.168.2.2:500
> Sep 26 10:14:52 bastion pluto[4554]: adding interface eth4/eth4 192.168.2.2:4500
> Sep 26 10:14:52 bastion pluto[4554]: adding interface lo/lo 127.0.0.1:500
> Sep 26 10:14:52 bastion pluto[4554]: adding interface lo/lo 127.0.0.1:4500
> Sep 26 10:14:52 bastion pluto[4554]: adding interface lo/lo ::1:500
> Sep 26 10:14:52 bastion pluto[4554]: loading secrets from "/etc/ipsec.secrets"
> 
> 
> B's auth.log:
> 
> Sep 26 10:14:04 bastion2 ipsec_setup: KLIPS ipsec0 on eth0 192.168.3.2/255.255.255.0 broadcast 192.168.3.255
> Sep 26 10:14:04 bastion2 ipsec__plutorun: Starting Pluto subsystem...
> Sep 26 10:14:04 bastion2 pluto[23887]: Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OElLO]RdWNRD)
> Sep 26 10:14:05 bastion2 pluto[23887]: Setting NAT-Traversal port-4500 floating to on
> Sep 26 10:14:05 bastion2 pluto[23887]:    port floating activation criteria nat_t=1/port_fload=1
> Sep 26 10:14:05 bastion2 pluto[23887]:   including NAT-Traversal patch (Version 0.6c)
> Sep 26 10:14:05 bastion2 pluto[23887]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
> Sep 26 10:14:05 bastion2 pluto[23887]: WARNING: Using /dev/urandom as the source of random
> Sep 26 10:14:05 bastion2 pluto[23887]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> Sep 26 10:14:05 bastion2 pluto[23887]: no helpers will be started, all cryptographic operations will be done inline
> Sep 26 10:14:05 bastion2 pluto[23887]: Using Linux 2.6 IPsec interface code on 2.6.18-6-686
> Sep 26 10:14:05 bastion2 ipsec_setup: ...Openswan IPsec started
> Sep 26 10:14:05 bastion2 ipsec_setup: Starting Openswan IPsec 2.4.6...
> Sep 26 10:14:05 bastion2 ipsec_setup: insmod /lib/modules/2.6.18-6-686/kernel/net/key/af_key.ko
> Sep 26 10:14:05 bastion2 ipsec_setup: insmod /lib/modules/2.6.18-6-686/kernel/net/ipv4/xfrm4_tunnel.ko
> Sep 26 10:14:05 bastion2 ipsec_setup: insmod /lib/modules/2.6.18-6-686/kernel/net/xfrm/xfrm_user.ko
> Sep 26 10:14:05 bastion2 pluto[23887]: Changing to directory '/etc/ipsec.d/cacerts'
> Sep 26 10:14:05 bastion2 pluto[23887]: Changing to directory '/etc/ipsec.d/aacerts'
> Sep 26 10:14:05 bastion2 pluto[23887]: Changing to directory '/etc/ipsec.d/ocspcerts'
> Sep 26 10:14:05 bastion2 pluto[23887]: Changing to directory '/etc/ipsec.d/crls'
> Sep 26 10:14:05 bastion2 pluto[23887]:   Warning: empty directory
> Sep 26 10:14:05 bastion2 pluto[23887]: added connection description "A-B"
> Sep 26 10:14:05 bastion2 pluto[23887]: listening for IKE messages
> Sep 26 10:14:05 bastion2 pluto[23887]: adding interface eth0/eth0 192.168.3.2:500
> Sep 26 10:14:05 bastion2 pluto[23887]: adding interface eth0/eth0 192.168.3.2:4500
> Sep 26 10:14:05 bastion2 pluto[23887]: adding interface eth1/eth1 192.168.1.3:500
> Sep 26 10:14:05 bastion2 pluto[23887]: adding interface eth1/eth1 192.168.1.3:4500
> Sep 26 10:14:05 bastion2 pluto[23887]: adding interface lo/lo 127.0.0.1:500
> Sep 26 10:14:05 bastion2 pluto[23887]: adding interface lo/lo 127.0.0.1:4500
> Sep 26 10:14:05 bastion2 pluto[23887]: adding interface lo/lo ::1:500
> Sep 26 10:14:05 bastion2 pluto[23887]: loading secrets from "/etc/ipsec.secrets"
> Sep 26 10:15:17 bastion2 pluto[23887]: packet from 212.170.202.XXX:500: received Vendor ID payload [Openswan (this version) 2.4.6  X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
> Sep 26 10:15:17 bastion2 pluto[23887]: packet from 212.170.202.XXX:500: received Vendor ID payload [Dead Peer Detection]
> Sep 26 10:15:17 bastion2 pluto[23887]: packet from 212.170.202.XXX:500: received Vendor ID payload [RFC 3947] method set to=110
> Sep 26 10:15:17 bastion2 pluto[23887]: packet from 212.170.202.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
> Sep 26 10:15:17 bastion2 pluto[23887]: packet from 212.170.202.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
> Sep 26 10:15:17 bastion2 pluto[23887]: packet from 212.170.202.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
> Sep 26 10:15:17 bastion2 pluto[23887]: packet from 212.170.202.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Sep 26 10:15:17 bastion2 pluto[23887]: packet from 212.170.202.XXX:500: initial Main Mode message received on 192.168.3.2:500 but no connection has been authorized
> 
> That's all …
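Added example (not from the thread or from Openswan itself): a small Python model of pluto's conn orientation, applied to the posted conn "A-B" and to the interface addresses each auth.log lists under "adding interface". Pluto only considers a conn for an incoming IKE packet once it has oriented it to one of the host's own addresses, which is why a conn whose `left` and `right` both miss the local interfaces ends in "no connection has been authorized"; the model here is a simplification (it ignores `%defaultroute` and `%any`), and the anonymised public address is replaced by a placeholder.

```python
import ipaddress

# Constructed from the thread: conn "A-B" as posted in /etc/ipsec.conf; the
# anonymised XXX octet of the public address is a placeholder (assumption).
CONN_A_B = {
    "left": "192.168.2.2",
    "leftsubnet": "192.168.0.0/24",
    "right": "88.2.182.1",          # placeholder for 88.2.182.XXX
    "rightsubnet": "192.168.1.0/24",
}

# Addresses pluto reported in the "adding interface ..." lines of each auth.log.
FIREWALL_A_IFACES = ["192.168.0.5", "192.168.2.2"]
FIREWALL_B_IFACES = ["192.168.3.2", "192.168.1.3"]


def orient(conn, local_addrs):
    """Simplified model of pluto's orientation rule (assumption: the real rule
    also resolves %defaultroute and %any): the conn is usable on this host only
    if exactly one of left/right is one of its own addresses.
    Returns 'left', 'right' or None."""
    local = set(local_addrs)
    ends = [end for end in ("left", "right") if conn[end] in local]
    return ends[0] if len(ends) == 1 else None


def check_conn(conn, local_addrs):
    """Findings a defender wants before expecting a net-to-net tunnel here."""
    findings = []
    side = orient(conn, local_addrs)
    if side is None:
        findings.append("unoriented: neither left nor right is an address of "
                        "this host, so pluto cannot match incoming IKE to it")
    left_net = ipaddress.ip_network(conn["leftsubnet"])
    right_net = ipaddress.ip_network(conn["rightsubnet"])
    if left_net.overlaps(right_net):
        findings.append("leftsubnet and rightsubnet overlap")
    if side is not None:
        # A local address inside the *remote* subnet makes routing ambiguous.
        remote_net = right_net if side == "left" else left_net
        for addr in local_addrs:
            if ipaddress.ip_address(addr) in remote_net:
                findings.append(f"local address {addr} lies inside remote subnet {remote_net}")
    return findings


if __name__ == "__main__":
    for name, ifaces in (("Firewall A", FIREWALL_A_IFACES), ("Firewall B", FIREWALL_B_IFACES)):
        print(name, "->", orient(CONN_A_B, ifaces), check_conn(CONN_A_B, ifaces) or ["ok"])
```

Run against the posted data, Firewall A orients the conn as `left` with no findings, while Firewall B cannot orient it at all, matching the side that logs the rejection.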
> 
