[Openswan Users] vpn connection
Peter McGill
petermcgill at goco.net
Tue Jan 20 12:36:04 EST 2009
Alfonso,
You shouldn't be using spi=; remove those lines.
They are for manual keying, which should not be used.
The output of ipsec auto --status should have a line including
"IPsec SA established" for each connection. This indicates
a successful tunnel connection.
You also need to allow the tunnel traffic through your firewall,
i.e. to/from 10.105.0.0/16, 10.105.224.0/22, etc.
You need to exclude IPsec from any NAT rules, so if you're not doing
any NATting you're fine, but if you are, you need to exclude the IPsec traffic.
Your virtual_private line is wrong; it should exclude any local subnets.
But it doesn't appear that you're using it anyway.
Peter McGill
IT Systems Analyst
Gra Ham Energy Limited
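The three config checks from the reply above (leftover spi= lines, an "IPsec SA established" line per conn in ipsec auto --status, and local subnets carved out of virtual_private), as an added shell example that is not from the thread or from Openswan. The ipsec.conf and status text are constructed samples (the status wording approximates Openswan 2.4 output), and the scratch paths under $TMPDIR are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check an ipsec.conf against
# `ipsec auto --status` output. Both inputs below are CONSTRUCTED samples;
# on a real host use the live config and: ipsec auto --status > "$WORK/ipsec.status"
set -e
WORK=${TMPDIR:-/tmp}/oswan-check.$$   # assumed scratch location
mkdir -p "$WORK"
cat > "$WORK/ipsec.conf" <<'EOF'
config setup
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
conn %default
    keyingtries=1
conn pix-velazquez
    leftsubnet=10.105.0.0/16
    rightsubnet=10.105.224.0/22
    spi=0x0
conn pix-barcelona
    leftsubnet=10.3.241.0/24
    rightsubnet=10.105.228.0/22
    spi=0x0
EOF
cat > "$WORK/ipsec.status" <<'EOF'
000 #1: "pix-velazquez":500 STATE_MAIN_I4 (ISAKMP SA established); newest ISAKMP
000 #2: "pix-velazquez":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); newest IPSEC; eroute owner
000 #3: "pix-barcelona":500 STATE_MAIN_I4 (ISAKMP SA established); newest ISAKMP
EOF
# Every conn name in the config except the %default template.
conn_names() { awk '$1 == "conn" && $2 != "%default" { print $2 }' "$1"; }
# Conns that got no further than phase 1: no "IPsec SA established" line names them.
count_without_ipsec_sa() {
    n=0
    for c in $(conn_names "$1"); do
        grep -F "\"$c\"" "$2" | grep -q 'IPsec SA established' || n=$((n + 1))
    done
    echo "$n"
}
# spi= belongs to manual keying and has no place in an IKE (keyexchange=ike) config.
count_spi_lines() { grep -c '^[[:space:]]*spi=' "$1" || true; }
# leftsubnets that virtual_private does not carve out with a %v4:!... entry.
unexcluded_local_subnets() {
    vp=$(awk -F= '$1 ~ /^[ \t]*virtual_private$/ { print $2 }' "$1")
    awk -F= '$1 ~ /^[ \t]*leftsubnet$/ { print $2 }' "$1" | sort -u |
        while IFS= read -r s; do case "$vp" in *"!$s"*) ;; *) echo "$s" ;; esac; done
}
echo "conns without an IPsec SA: $(count_without_ipsec_sa "$WORK/ipsec.conf" "$WORK/ipsec.status")"
echo "spi= lines to remove: $(count_spi_lines "$WORK/ipsec.conf")"
echo "leftsubnets not excluded from virtual_private:"
unexcluded_local_subnets "$WORK/ipsec.conf"
```

With the sample data the script reports one conn (pix-barcelona) stuck at phase 1, two spi= lines, and both leftsubnets missing from virtual_private; a tunnel that is up end to end shows zero for the first two and an empty list for the third.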
> -----Original Message-----
> From: Alfonso Viso [mailto:alfonso.viso at selftrade.com]
> Sent: January 20, 2009 11:32 AM
> To: petermcgill at goco.net; users at openswan.org
> Subject: RE: [Openswan Users] vpn connection
>
> sorry Peter,
> i forgot to send you ipsec.conf:
> config setup
> nat_traversal=yes
> forwardcontrol=yes
>
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
>
> conn pix-velazquez
> type=tunnel
> authby=secret
> left=<public_ip_server>
> leftsubnet=10.105.0.0/16
> right=<public_ip_remote>
> rightsubnet=10.105.224.0/22
> esp=3des-md5
> keyexchange=ike
> pfs=yes
> auto=add
> spi=0x0
>
> conn pix-barcelona
> type=tunnel
> authby=secret
> left=<public_ip_server>
> leftsubnet=10.105.0.0/16
> right=%any
> rightsubnet=10.105.228.0/22
> esp=3des-md5
> keyexchange=ike
> pfs=yes
> auto=add
> spi=0x0
>
> conn pix-barcelona1
> type=tunnel
> authby=secret
> left=<public_ip_server>
> leftsubnet=10.3.241.0/24
> right=%any
> rightsubnet=10.105.228.0/22
> esp=3des-md5
> keyexchange=ike
> pfs=yes
> auto=add
> spi=0x0
>
> conn pix-barcelona2
> type=tunnel
> authby=secret
> left=<public_ip_server>
> leftsubnet=10.2.6.0/24
> right=%any
> rightsubnet=10.105.228.0/22
> esp=3des-md5
> keyexchange=ike
> pfs=yes
> auto=add
> spi=0x0
>
> conn pix-barcelona3
> type=tunnel
> authby=secret
> left=<public_ip_server>
> leftsubnet=172.26.26.0/24
> right=%any
> rightsubnet=10.105.228.0/22
> esp=3des-md5
> keyexchange=ike
> pfs=yes
> auto=add
> spi=0x0
>
> #Disable Opportunistic Encryption
> I have configured four different connections to "Barcelona"
> because they connect to other networks through our network.
> About iptables rules, I permit the traffic of ports 50, 51, 500
> and 4500, and I don't set any NAT rules; is this necessary?
>
> thanks for the help
>
> Alfonso
> .......
> -----Original Message-----
> From: Peter McGill [mailto:petermcgill at goco.net]
> Sent: Monday, 19 January 2009 17:42
> To: Alfonso Viso; users at openswan.org
> Subject: RE: [Openswan Users] vpn connection
>
>
> Alfonso,
>
> No you don't need KLIPS.
> I don't see anything wrong with the info you sent so far.
> Are you pinging from server to server or from subnet to subnet?
> The two endpoints of your pings must be within the
> left/rightsubnets that you have defined.
> ping -I often does not work, do your ping tests to/from hosts
> in the subnets.
> If you use leftsourceip=<server lan ip> in your config then
> this can also help.
> Showing me your ping output might help here.
> You need to permit the ipsec traffic through your firewall
> both the openswan traffic ike/esp and the tunnel traffic
> (pings, etc...).
> You also cannot nat the tunnel traffic.
> I cannot tell if you've done this without...
> iptables -t filter -L -n -v
> iptables -t nat -L -n -v
> I cannot tell if you have a configuration error without the following:
> cat ipsec.conf
> ipsec status
>
> Peter McGill
> IT Systems Analyst
> Gra Ham Energy Limited
>
> > -----Original Message-----
> > From: Alfonso Viso [mailto:alfonso.viso at selftrade.com]
> > Sent: January 19, 2009 11:17 AM
> > To: petermcgill at goco.net; users at openswan.org
> > Subject: RE: [Openswan Users] vpn connection
> >
> > Hello Peter,
> >
> > i send you the information:
> > ipsec verify
> > Checking your system to see if IPsec got installed and
> > started correctly:
> > Version check and ipsec on-path [OK]
> > Linux Openswan U2.4.13/K2.6.17-1.2142_FC4smp (netkey)
> > Checking for IPsec support in kernel [OK]
> > Testing against enforced SElinux mode [OK]
> > NETKEY detected, testing for disabled ICMP send_redirects [OK]
> > NETKEY detected, testing for disabled ICMP accept_redirects [OK]
> > Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
> > ipsec showhostkey: no default key in "/etc/ipsec.secrets"
> > Checking that pluto is running [OK]
> > Two or more interfaces found, checking IP forwarding [OK]
> > Checking NAT and MASQUERADEing
> > Checking for 'ip' command [OK]
> > Checking for 'iptables' command [OK]
> > Opportunistic Encryption Support [DISABLED]
> >
> > netstat -nr
> > Kernel IP routing table
> > Destination     Gateway            Genmask          Flags MSS Window irtt Iface
> > <net_public>    0.0.0.0            255.255.255.240  U     0   0      0    eth1
> > 10.105.228.0    0.0.0.0            255.255.252.0    U     0   0      0    eth1
> > 10.105.240.0    0.0.0.0            255.255.252.0    U     0   0      0    eth0
> > 10.105.0.0      10.105.240.20      255.255.0.0      UG    0   0      0    eth0
> > 169.254.0.0     0.0.0.0            255.255.0.0      U     0   0      0    eth1
> > 172.0.0.0       10.105.240.20      255.0.0.0        UG    0   0      0    eth0
> > 10.0.0.0        10.105.240.20      255.0.0.0        UG    0   0      0    eth0
> > 0.0.0.0         <gateway internet> 0.0.0.0          UG    0   0      0    eth1
> >
> >
> > iptables -t mangle -L -n -v
> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> > Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> > Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> > Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> > Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >
> >
> > The iptables rules are OK, but we haven't configured any
> > NAT rules; perhaps that is the problem?
> > Another thing: I read in an article that if there are many VPNs it's
> > necessary to use KLIPS instead of NETKEY. Is this true?
> >
> > thanks
> > Alfonso
> >
> > -----Original Message-----
> > From: Peter McGill [mailto:petermcgill at goco.net]
> > Sent: Monday, 19 January 2009 16:40
> > To: Alfonso Viso; users at openswan.org
> > Subject: RE: [Openswan Users] vpn connection
> >
> >
> > Alfonso,
> >
> > There are several possible causes here.
> > Please send the output of the following
> > commands, to help in troubleshooting.
> > ipsec verify
> > netstat -nr
> > cat ipsec.conf
> > ipsec status
> > iptables -t filter -L -n -v
> > iptables -t nat -L -n -v
> > iptables -t mangle -L -n -v
> >
> > Peter McGill
> > IT Systems Analyst
> > Gra Ham Energy Limited
> >
> > > -----Original Message-----
> > > From: users-bounces at openswan.org
> > > [mailto:users-bounces at openswan.org] On Behalf Of Alfonso Viso
> > > Sent: January 17, 2009 7:08 AM
> > > To: users at openswan.org
> > > Subject: [Openswan Users] vpn connection
> > >
> > > hi all,
> > >
> > > I can set up Openswan between a Cisco PIX and a Linux server (FC4). I
> > > use the NETKEY version and PSK.
> > > The remote site can connect to our intranet, and I see that
> > > the tunnel is up and the traffic is coming through the
> > > tunnel. The problem is when I try to ping the other side: the
> > > traffic from the local side doesn't go through the tunnel, I mean the
> > > traffic generated by our side, for example. I only see
> > > traffic responses from our side.
> > > Could anybody help us?
> > > Thanks in advance, and sorry for my English.
> > >
> > > regards
> > > Alfonso
> > > ________________________________
> > >
> > >
> > > Ce message contient des informations confidentielles ou
> > > appartenant à Boursorama et est établi à l'intention
> > > exclusive de ses destinataires. Toute divulgation,
> > > utilisation, diffusion ou reproduction (totale ou partielle)
> > > de ce message, ou des informations qu'il contient, doit être
> > > préalablement autorisée. Tout message électronique est
> > > susceptible d'altération et son intégrité ne peut être assurée.
> > > Boursorama décline toute responsabilité au titre de ce
> > > message s'il a été modifié ou falsifié. Si vous n'êtes pas
> > > destinataire de ce message, merci de le détruire
> > > immédiatement et d'avertir l'expéditeur de l'erreur de
> > > distribution et de la destruction du message.
> > >
> > > ________________________________
> > >
> > > This e-mail contains confidential information or information
> > > belonging to Boursorama and is intended solely for the
> > > addressees. The unauthorised disclosure, use, dissemination
> > > or copying (either whole or partial) of this e-mail, or any
> > > information it contains, is prohibited. E-mails are
> > > susceptible to alteration and their integrity cannot be
> > > guaranteed. Boursorama shall not be liable for this e-mail if
> > > modified or falsified. If you are not the intended recipient
> > > of this e-mail, please delete it immediately from your system
> > > and notify the sender of the wrong delivery and the mail deletion.
> > >
> > > ________________________________
> > >
> > >
> >
> >
> >
> >
>
>
>