[Openswan Users] vpn connection
Alfonso Viso
alfonso.viso at selftrade.com
Tue Jan 20 11:32:18 EST 2009
Sorry Peter,
I forgot to send you ipsec.conf:
config setup
    nat_traversal=yes
    forwardcontrol=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1

# PIX peer with a fixed public address
conn pix-velazquez
    type=tunnel
    authby=secret
    left=<public_ip_server>
    leftsubnet=10.105.0.0/16
    right=<public_ip_remote>
    rightsubnet=10.105.224.0/22
    esp=3des-md5
    keyexchange=ike
    pfs=yes
    auto=add
    spi=0x0

# "Barcelona" peer (right=%any), one conn per local network it reaches
conn pix-barcelona
    type=tunnel
    authby=secret
    left=<public_ip_server>
    leftsubnet=10.105.0.0/16
    right=%any
    rightsubnet=10.105.228.0/22
    esp=3des-md5
    keyexchange=ike
    pfs=yes
    auto=add
    spi=0x0

conn pix-barcelona1
    type=tunnel
    authby=secret
    left=<public_ip_server>
    leftsubnet=10.3.241.0/24
    right=%any
    rightsubnet=10.105.228.0/22
    esp=3des-md5
    keyexchange=ike
    pfs=yes
    auto=add
    spi=0x0

conn pix-barcelona2
    type=tunnel
    authby=secret
    left=<public_ip_server>
    leftsubnet=10.2.6.0/24
    right=%any
    rightsubnet=10.105.228.0/22
    esp=3des-md5
    keyexchange=ike
    pfs=yes
    auto=add
    spi=0x0

conn pix-barcelona3
    type=tunnel
    authby=secret
    left=<public_ip_server>
    leftsubnet=172.26.26.0/24
    right=%any
    rightsubnet=10.105.228.0/22
    esp=3des-md5
    keyexchange=ike
    pfs=yes
    auto=add
    spi=0x0

#Disable Opportunistic Encryption
I have configured four different connections to "Barcelona" because they connect to other networks through our network.
About the iptables rules: I permit the traffic of port 50, 51, 500 and 4500, and I don't set any NAT rules. Is this necessary?
Thanks for the help,
Alfonso
.......
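Two sanity checks a practitioner would run over the ipsec.conf and the routing table posted in this thread, as an added example (my own code, not Openswan's and not something anyone in the thread posted): it parses the conn sections of ipsec.conf and the rows of "netstat -nr", then flags (a) conns whose leftsubnet overlaps their own rightsubnet, so the local and remote traffic selectors compete for the same addresses, and (b) a rightsubnet the kernel already treats as directly connected on a local interface. Both samples below are constructed from the thread's own values, with the author's <placeholder> addresses kept; the routing rows are rejoined one per line because the mail client had wrapped them. Neither finding proves the cause of the one-way traffic, but each is the kind of thing to rule out before tracing packets.

```python
"""Sanity checks for an Openswan ipsec.conf against the host routing table."""
import ipaddress

# Constructed sample: the subnet-related lines of the ipsec.conf from the
# thread, keeping the author's <placeholder> addresses (never parsed here).
IPSEC_CONF = """\
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
    ikelifetime=60m

conn pix-velazquez
    left=<public_ip_server>
    leftsubnet=10.105.0.0/16
    right=<public_ip_remote>
    rightsubnet=10.105.224.0/22

conn pix-barcelona
    leftsubnet=10.105.0.0/16
    right=%any
    rightsubnet=10.105.228.0/22

conn pix-barcelona1
    leftsubnet=10.3.241.0/24
    right=%any
    rightsubnet=10.105.228.0/22
"""

# Constructed sample: the "netstat -nr" rows from the thread, one per line.
NETSTAT_NR = """\
Kernel IP routing table
Destination   Gateway            Genmask          Flags MSS Window irtt Iface
<net_public>  0.0.0.0            255.255.255.240  U     0   0      0    eth1
10.105.228.0  0.0.0.0            255.255.252.0    U     0   0      0    eth1
10.105.240.0  0.0.0.0            255.255.252.0    U     0   0      0    eth0
10.105.0.0    10.105.240.20      255.255.0.0      UG    0   0      0    eth0
169.254.0.0   0.0.0.0            255.255.0.0      U     0   0      0    eth1
172.0.0.0     10.105.240.20      255.0.0.0        UG    0   0      0    eth0
10.0.0.0      10.105.240.20      255.0.0.0        UG    0   0      0    eth0
0.0.0.0       <gateway_internet> 0.0.0.0          UG    0   0      0    eth1
"""


def parse_ipsec_conf(text):
    """Return {section: {key: value}} for 'config setup' and every 'conn'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith(("conn ", "config ")):
            current = line.split(None, 1)[1]         # "setup", "%default", "pix-..."
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def parse_netstat_nr(text):
    """Return [(network, gateway, iface)]; rows with placeholders are skipped."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] in ("Kernel", "Destination"):
            continue
        try:
            net = ipaddress.ip_network(f"{cols[0]}/{cols[2]}")   # dest/genmask
        except ValueError:                            # e.g. <net_public>
            continue
        routes.append((net, cols[1], cols[-1]))
    return routes


def conn_subnets(sections):
    """Yield (conn, leftsubnet, rightsubnet) for conns that define both."""
    for name, opts in sections.items():
        if name in ("setup", "%default"):
            continue
        if all(k in opts for k in ("leftsubnet", "rightsubnet")):
            yield (name, ipaddress.ip_network(opts["leftsubnet"]),
                   ipaddress.ip_network(opts["rightsubnet"]))


def check_overlapping_selectors(sections):
    """Conns whose local and remote traffic selectors overlap each other."""
    return [(name, f"leftsubnet {left} overlaps rightsubnet {right}")
            for name, left, right in conn_subnets(sections) if left.overlaps(right)]


def check_remote_subnet_is_local(sections, routes):
    """Conns whose rightsubnet is already a directly connected (gateway 0.0.0.0) route."""
    findings = []
    for name, _left, right in conn_subnets(sections):
        for net, gateway, iface in routes:
            if gateway == "0.0.0.0" and net.prefixlen and net.overlaps(right):
                findings.append((name, f"rightsubnet {right} is directly connected on {iface} ({net})"))
    return findings


if __name__ == "__main__":
    sections = parse_ipsec_conf(IPSEC_CONF)
    routes = parse_netstat_nr(NETSTAT_NR)
    for conn, msg in check_overlapping_selectors(sections) + check_remote_subnet_is_local(sections, routes):
        print(f"{conn}: {msg}")
```

Run against the thread's values it reports pix-velazquez and pix-barcelona for the overlap check (both have leftsubnet 10.105.0.0/16, which contains their /22 rightsubnets) and pix-barcelona plus pix-barcelona1 for the route check (10.105.228.0/22 is an interface route on eth1). To use it on a live gateway, replace the two sample strings with the real /etc/ipsec.conf and the output of netstat -nr.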
-----Original Message-----
From: Peter McGill [mailto:petermcgill at goco.net]
Sent: lunes, 19 de enero de 2009 17:42
To: Alfonso Viso; users at openswan.org
Subject: RE: [Openswan Users] vpn connection
Alfonso,
No you don't need KLIPS.
I don't see anything wrong with the info you sent so far.
Are you pinging from server to server or from subnet to subnet?
The two endpoints of your pings must be within the left/rightsubnets that you have defined.
ping -I often does not work, do your ping tests to/from hosts in the subnets.
If you use leftsourceip=<server lan ip> in your config then this can also help.
Showing me your ping output might help here.
You need to permit the IPsec traffic through your firewall, both the Openswan traffic (IKE/ESP) and the tunnel traffic (pings, etc.).
You also cannot NAT the tunnel traffic.
I cannot tell if you've done this without...
iptables -t filter -L -n -v
iptables -t nat -L -n -v
I cannot tell if you have a configuration error without the following:
cat ipsec.conf
ipsec status
Peter McGill
IT Systems Analyst
Gra Ham Energy Limited
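The firewall side of Peter's advice (permit IKE/ESP to the gateway, forward the tunnel traffic, and keep it out of NAT), written out as an added example script of my own rather than anything posted in the thread. It assumes eth1 is the Internet-facing interface (the default route in the posted routing table is on eth1) and takes the subnets from the posted ipsec.conf. ESP and AH are IP protocols 50 and 51, not TCP/UDP ports, so they are matched with -p esp and -p ah; only IKE (UDP 500) and NAT-T (UDP 4500) are port rules. The NAT exemption is an ACCEPT inserted at position 1 of nat POSTROUTING so it is evaluated before any MASQUERADE or SNAT rule. By default the script only prints the commands; --apply runs them (root and iptables required).

```sh
#!/bin/sh
# Added example, not from the thread. Prints iptables rules for an Openswan
# gateway by default; "--apply" executes them instead.
# Assumptions: WAN interface eth1, subnets taken from the posted ipsec.conf.

WAN_IF="${WAN_IF:-eth1}"

# run: echo the command in dry-run mode (DRY_RUN=1, the default), else execute it
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Control and data plane reaching the gateway itself: IKE on UDP 500, NAT-T on
# UDP 4500, ESP (IP protocol 50) and AH (IP protocol 51). ESP/AH are protocols,
# so they use -p esp / -p ah and have no --dport.
ipsec_peer_rules() {
    run iptables -A INPUT -i "$WAN_IF" -p udp --dport 500 -j ACCEPT
    run iptables -A INPUT -i "$WAN_IF" -p udp --dport 4500 -j ACCEPT
    run iptables -A INPUT -i "$WAN_IF" -p esp -j ACCEPT
    run iptables -A INPUT -i "$WAN_IF" -p ah -j ACCEPT
}

# Decrypted tunnel traffic for one leftsubnet/rightsubnet pair: forward it in
# both directions and exempt it from NAT by inserting an ACCEPT at the top of
# nat POSTROUTING, ahead of any MASQUERADE/SNAT rule the box may have.
tunnel_rules() {
    local_net="$1"
    remote_net="$2"
    run iptables -A FORWARD -s "$local_net" -d "$remote_net" -j ACCEPT
    run iptables -A FORWARD -s "$remote_net" -d "$local_net" -j ACCEPT
    run iptables -t nat -I POSTROUTING 1 -s "$local_net" -d "$remote_net" -j ACCEPT
}

# The two peers from the thread; add one tunnel_rules line per further conn.
ipsec_firewall() {
    ipsec_peer_rules
    tunnel_rules 10.105.0.0/16 10.105.224.0/22   # pix-velazquez
    tunnel_rules 10.105.0.0/16 10.105.228.0/22   # pix-barcelona
}

case "${1:-}" in
    --apply) DRY_RUN=0 ipsec_firewall ;;
    *)       DRY_RUN=1 ipsec_firewall ;;
esac
```

Before applying, check with iptables -t nat -L -n -v that the inserted ACCEPT really sits above any MASQUERADE rule, and with iptables -t filter -L -n -v that no earlier DROP in INPUT or FORWARD shadows these rules; the ordering, not the rules themselves, is what usually goes wrong.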
> -----Original Message-----
> From: Alfonso Viso [mailto:alfonso.viso at selftrade.com]
> Sent: January 19, 2009 11:17 AM
> To: petermcgill at goco.net; users at openswan.org
> Subject: RE: [Openswan Users] vpn connection
>
> Hello Peter,
>
> i send you the information:
> ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path [OK]
> Linux Openswan U2.4.13/K2.6.17-1.2142_FC4smp (netkey)
> Checking for IPsec support in kernel [OK]
> Testing against enforced SElinux mode [OK]
> NETKEY detected, testing for disabled ICMP send_redirects [OK]
> NETKEY detected, testing for disabled ICMP accept_redirects [OK]
> Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
> ipsec showhostkey: no default key in "/etc/ipsec.secrets"
> Checking that pluto is running [OK]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking NAT and MASQUERADEing
> Checking for 'ip' command [OK]
> Checking for 'iptables' command [OK]
> Opportunistic Encryption Support [DISABLED]
>
> netstat -nr
> Kernel IP routing table
> Destination   Gateway            Genmask          Flags MSS Window irtt Iface
> <net_public>  0.0.0.0            255.255.255.240  U     0   0      0    eth1
> 10.105.228.0  0.0.0.0            255.255.252.0    U     0   0      0    eth1
> 10.105.240.0  0.0.0.0            255.255.252.0    U     0   0      0    eth0
> 10.105.0.0    10.105.240.20      255.255.0.0      UG    0   0      0    eth0
> 169.254.0.0   0.0.0.0            255.255.0.0      U     0   0      0    eth1
> 172.0.0.0     10.105.240.20      255.0.0.0        UG    0   0      0    eth0
> 10.0.0.0      10.105.240.20      255.0.0.0        UG    0   0      0    eth0
> 0.0.0.0       <gateway internet> 0.0.0.0          UG    0   0      0    eth1
>
>
> iptables -t mangle -L -n -v
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> The iptables rules are OK, but we haven't configured any
> NAT rules; perhaps that is the problem?
> Another thing: I read in an article that if there are many VPNs it's
> necessary to use KLIPS instead of NETKEY. Is this true?
>
> thanks
> Alfonso
>
> -----Original Message-----
> From: Peter McGill [mailto:petermcgill at goco.net]
> Sent: lunes, 19 de enero de 2009 16:40
> To: Alfonso Viso; users at openswan.org
> Subject: RE: [Openswan Users] vpn connection
>
>
> Alfonso,
>
> There are several possible causes here.
> Please send the output of the following
> commands to help in troubleshooting.
> ipsec verify
> netstat -nr
> cat ipsec.conf
> ipsec status
> iptables -t filter -L -n -v
> iptables -t nat -L -n -v
> iptables -t mangle -L -n -v
>
> Peter McGill
> IT Systems Analyst
> Gra Ham Energy Limited
>
> > -----Original Message-----
> > From: users-bounces at openswan.org
> > [mailto:users-bounces at openswan.org] On Behalf Of Alfonso Viso
> > Sent: January 17, 2009 7:08 AM
> > To: users at openswan.org
> > Subject: [Openswan Users] vpn connection
> >
> > Hi all,
> >
> > I can set up Openswan between a Cisco PIX and a Linux server (FC4). I
> > use the NETKEY version and PSK.
> > The remote site can connect to our intranet, and I see that
> > the tunnel is up and the traffic is coming through the
> > tunnel. The problem is when I try to ping the other side: the
> > traffic from the local side doesn't go through the tunnel, I mean the
> > traffic generated by our side, for example. I only see
> > response traffic from our side.
> > Could anybody help us?
> > Thanks in advance, and sorry for my English.
> >
> > regards
> > Alfonso
> > ________________________________
> >
> > This e-mail contains confidential information or information
> > belonging to Boursorama and is intended solely for the
> > addressees. The unauthorised disclosure, use, dissemination
> > or copying (either whole or partial) of this e-mail, or any
> > information it contains, is prohibited. E-mails are
> > susceptible to alteration and their integrity cannot be
> > guaranteed. Boursorama shall not be liable for this e-mail if
> > modified or falsified. If you are not the intended recipient
> > of this e-mail, please delete it immediately from your system
> > and notify the sender of the wrong delivery and the mail deletion.
> >
> > ________________________________
> >
> >