[Openswan Users] Tunnel up but packets not forwarded to internal iface. Please help.
Piotr Isajew
p.isajew at telecommedia.pl
Tue Jan 6 05:13:47 EST 2009
Hi,
I'm trying to set up an IPsec connection using openswan (linux 2.6 on
one gateway, linux 2.4 on another).
The goal is to have something like this:

192.168.3.0/24===62.89.67.100---62.89.67.97...217.8.185.140===192.168.1.0/24
                      ^                            ^
                      |                            |
                     fw2                          fw1

I've configured the left side of that, so it connects to the right
side. It looks like the tunnel is established, and routing and iptables are configured
correctly. Outgoing packets go to the other side, reply packets are
received and decrypted, but not forwarded to the internal interface.
The same machine serves as a firewall and NAT for the local network. Now,
if I try to ping a host in 192.168.1.0/24 from a client in
192.168.3.0/24 it does not receive any reply. Running tcpdump on fw2
shows both outgoing ICMP Echo Requests on fw2's internal interface,
and ICMP Echo Responses on its external interface, so it looks like
the tunnel is working. The problem is I do not receive any ICMP
Replies on the host from which I ping the other side.
I thought that this may be a NAT-related issue, but if I simplify
iptables (i.e. set the default policy to accept and flush any nat rules)
the result is the same. I would appreciate any help, as I have run out of
ideas about what can cause this behaviour. Configuration and diagnostic
output for this case are included below.
Regards,
Piotr
ipsec auto --status shows that connection is established:
000 "biuro-gts": 192.168.3.0/24===62.89.67.100---62.89.67.97...217.8.185.140===192.168.1.0/24; erouted; eroute owner: #4
000 "biuro-gts": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "biuro-gts": ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "biuro-gts": policy: PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK+UP; prio: 24,24; interface: eth1:2; encap: esp;
000 "biuro-gts": dpd: action:hold; delay:30; timeout:1200;
000 "biuro-gts": newest ISAKMP SA: #1; newest IPsec SA: #4;
000 "biuro-gts": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
000 "biuro-gts": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "biuro-gts": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "biuro-gts": ESP algorithms wanted: 3DES(3)_000-MD5(1); pfsgroup=MODP1024(2); flags=strict
000 "biuro-gts": ESP algorithms loaded: 3DES(3)_000-MD5(1); pfsgroup=MODP1024(2); flags=strict
000 "biuro-gts": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=MODP1024
000
000 #4: "biuro-gts":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 18810s; newest IPSEC; eroute owner
000 #4: "biuro-gts" esp.73237bc6 at 217.8.185.140 esp.5fc61f2d at 62.89.67.100 tun.0 at 217.8.185.140 tun.0 at 62.89.67.100
000 #3: "biuro-gts":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 18333s
000 #3: "biuro-gts" esp.73237bc7 at 217.8.185.140 esp.f856c776 at 62.89.67.100 tun.0 at 217.8.185.140 tun.0 at 62.89.67.100
000 #2: "biuro-gts":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 18003s
000 #2: "biuro-gts" esp.73237bc5 at 217.8.185.140 esp.bcfbfb91 at 62.89.67.100 tun.0 at 217.8.185.140 tun.0 at 62.89.67.100
000 #1: "biuro-gts":500 STATE_MAIN_I4 (ISAKMP SA established); none in -1s; newest ISAKMP; lastdpd=1s(seq in:14762 out:0)
If I try to ping the remote side from a host in my local network, it looks
like this:
mbp:~ pki$ ping -c 3 192.168.1.200
PING 192.168.1.200 (192.168.1.200): 56 data bytes
--- 192.168.1.200 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
tcpdump on fw2's internal interface shows that packets are going out:
tcpdump -i eth0 -n host 192.168.1.200
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:58:06.987232 IP 192.168.3.254 > 192.168.1.200: ICMP echo request, id 10006, seq 0, length 64
09:58:07.986826 IP 192.168.3.254 > 192.168.1.200: ICMP echo request, id 10006, seq 1, length 64
09:58:08.987121 IP 192.168.3.254 > 192.168.1.200: ICMP echo request, id 10006, seq 2, length 64
and its external interface shows the incoming replies:
tcpdump -i eth1 -n host 192.168.1.200
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
09:58:07.006507 IP 192.168.1.200 > 192.168.3.254: ICMP echo reply, id 10006, seq 0, length 64
09:58:07.997158 IP 192.168.1.200 > 192.168.3.254: ICMP echo reply, id 10006, seq 1, length 64
09:58:08.996905 IP 192.168.1.200 > 192.168.3.254: ICMP echo reply, id 10006, seq 2, length 64
Some diagnostic output and config are included below:
sh-3.2$ sudo ipsec auto --version
Linux Openswan U2.4.12/K2.6.24.7-grsec (netkey)
See `ipsec --copyright' for copyright information.
sh-3.2$ sudo ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.12/K2.6.24.7-grsec (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
sh-3.2$ cat /etc/ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification
config setup
# plutodebug / klipsdebug = "all", "none" or a combation from below:
klipsdebug = "all"
plutodebug = "all"
uniqueids = "yes"
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
conn biuro-gts
left=62.89.67.100
leftsubnet=192.168.3.0/24
leftnexthop=62.89.67.97
right=217.8.185.140
rightsubnet=192.168.1.0/24
authby=secret
auth=esp
pfs=yes
pfsgroup=modp1024
auto=start
ikelifetime=28800
keylife=28800
disablearrivalcheck=yes
ike=3des-sha-modp1024
esp=3des-md5
dpdtimeout=200
keyingtries=0
sh-3.2$ cat /proc/sys/net/ipv4/ip_forward
1
sh-3.2$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.3.0/24 192.168.3.1
ACCEPT all -- 172.17.86.0/24 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535
ACCEPT esp -- 217.8.185.140 62.89.67.100
ACCEPT udp -- 217.8.185.140 62.89.67.100 udp spt:500 dpt:500
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:137:138
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 192.168.3.5 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 192.168.3.5 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 172.17.86.5 tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 172.17.86.5 tcp dpt:110
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:137:138
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.3.1 192.168.3.0/24
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535
ACCEPT esp -- 62.89.67.100 217.8.185.140
ACCEPT udp -- 62.89.67.100 217.8.185.140 udp spt:500 dpt:500
sh-3.2$ sudo iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 62.89.67.98 tcp dpt:110 to:172.17.86.5
DNAT tcp -- 0.0.0.0/0 62.89.67.98 tcp dpt:25 to:172.17.86.5
DNAT tcp -- 0.0.0.0/0 62.89.88.188 tcp dpt:53 to:192.168.3.5
DNAT udp -- 0.0.0.0/0 62.89.88.188 udp dpt:53 to:192.168.3.5
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT tcp -- 192.168.3.5 0.0.0.0/0 to:62.89.88.188
SNAT udp -- 192.168.3.5 0.0.0.0/0 to:62.89.88.188
SNAT all -- 192.168.3.0/24 !192.168.1.0/24 to:62.89.67.98
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
By the way, iptables logging doesn't show any packets related to my problem
being dropped.
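The symptom above (replies decrypted on the external interface, never re-appearing on the internal one) can be checked mechanically from the two tcpdump captures. The following is an added example, not code from the original post: it parses tcpdump ICMP lines in the format shown, pairs each echo reply seen on the external side with the request that left the internal interface, and reports the (id, seq) pairs that were never forwarded back out the internal interface. The extra "healthy" internal capture is constructed to show the contrast.

```python
import re

# Matches the tcpdump ICMP echo lines in the post, e.g.
# "09:58:06.987232 IP 192.168.3.254 > 192.168.1.200: ICMP echo request, id 10006, seq 0, length 64"
ICMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def parse_icmp_line(line):
    """Return a dict for an ICMP echo request/reply line, or None for any other line."""
    m = ICMP_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["id"], d["seq"] = int(d["id"]), int(d["seq"])
    return d

def unforwarded_replies(internal_capture, external_capture):
    """(id, seq) pairs whose request left the internal interface and whose reply
    arrived on the external interface, but which never re-appeared as a reply
    on the internal interface: these replies were lost inside the gateway."""
    requests, inside_replies = set(), set()
    for line in internal_capture.splitlines():
        p = parse_icmp_line(line)
        if p is None:
            continue
        (requests if p["kind"] == "request" else inside_replies).add((p["id"], p["seq"]))
    lost = set()
    for line in external_capture.splitlines():
        p = parse_icmp_line(line)
        if p and p["kind"] == "reply" and (p["id"], p["seq"]) in requests \
                and (p["id"], p["seq"]) not in inside_replies:
            lost.add((p["id"], p["seq"]))
    return sorted(lost)

# Capture lines as shown in the post (eth0 = internal, eth1 = external on fw2).
INTERNAL = """listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:58:06.987232 IP 192.168.3.254 > 192.168.1.200: ICMP echo request, id 10006, seq 0, length 64
09:58:07.986826 IP 192.168.3.254 > 192.168.1.200: ICMP echo request, id 10006, seq 1, length 64
09:58:08.987121 IP 192.168.3.254 > 192.168.1.200: ICMP echo request, id 10006, seq 2, length 64"""
EXTERNAL = """listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
09:58:07.006507 IP 192.168.1.200 > 192.168.3.254: ICMP echo reply, id 10006, seq 0, length 64
09:58:07.997158 IP 192.168.1.200 > 192.168.3.254: ICMP echo reply, id 10006, seq 1, length 64
09:58:08.996905 IP 192.168.1.200 > 192.168.3.254: ICMP echo reply, id 10006, seq 2, length 64"""
# Constructed: what a working gateway's internal capture would add for seq 1.
INTERNAL_HEALTHY = INTERNAL + "\n09:58:07.997300 IP 192.168.1.200 > 192.168.3.254: ICMP echo reply, id 10006, seq 1, length 64"

if __name__ == "__main__":
    print("lost on fw2:", unforwarded_replies(INTERNAL, EXTERNAL))
    print("lost (constructed, seq 1 forwarded):", unforwarded_replies(INTERNAL_HEALTHY, EXTERNAL))
```

A non-empty list with the FORWARD chain accepting everything points away from iptables and at the decrypted-packet path inside the gateway (policy, routing or the ESP-to-cleartext re-injection), which narrows where to look next.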