[Openswan Users] vpn connection

Alfonso Viso alfonso.viso at selftrade.com
Thu Jan 22 05:34:07 EST 2009


Hello Peter, 

I allow the traffic between 10.105.0.0/16 and 10.105.224.0/22 with these rules:
iptables -A npc-forward -j ACCEPT -i eth1 -o eth0 -s 10.105.228.0/22 -d 10.105.0.0/16 -m state --state NEW,ESTABLISHED
iptables -A npc-forward -j ACCEPT -i eth0 -o eth1 -s 10.105.0.0/16 -d 10.105.228.0/22 -m state --state NEW,ESTABLISHED

I fear I need to apply other rules, don't I?
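As an added example (not from the thread), the full set of iptables rules Peter's replies call for, applied to the pix-velazquez pair of subnets: IKE and NAT-T to the gateway itself, ESP, the tunnel payload in the forward chain, and an exclusion of IPsec traffic from NAT. It assumes eth1 is the public interface and eth0 the internal one, as in the routing table posted earlier, reuses the chain name npc-forward from the rules above, and relies on the iptables policy match (xt_policy) for the NAT exclusion; rules are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Emit (or, with APPLY=1, apply) the firewall rules an IPsec gateway needs:
# IKE/NAT-T/ESP to the host itself, decrypted tunnel payload in FORWARD,
# and an ACCEPT in nat/POSTROUTING so tunnel traffic is never NATed.
# Subnets, interfaces and chain name are assumptions taken from the thread.
ipsec_fw_rules() {
    local_net=$1 remote_net=$2 wan_if=$3 lan_if=$4 chain=${5:-npc-forward}
    cat <<EOF
# IKE (500/udp), IKE NAT-Traversal (4500/udp) and ESP (protocol 50) to/from this gateway
iptables -A INPUT  -i $wan_if -p udp --dport 500  -j ACCEPT
iptables -A INPUT  -i $wan_if -p udp --dport 4500 -j ACCEPT
iptables -A INPUT  -i $wan_if -p esp -j ACCEPT
iptables -A OUTPUT -o $wan_if -p udp --sport 500  -j ACCEPT
iptables -A OUTPUT -o $wan_if -p udp --sport 4500 -j ACCEPT
iptables -A OUTPUT -o $wan_if -p esp -j ACCEPT
# Decrypted tunnel payload between the two subnets, both directions
iptables -A $chain -i $wan_if -o $lan_if -s $remote_net -d $local_net -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A $chain -i $lan_if -o $wan_if -s $local_net -d $remote_net -m state --state NEW,ESTABLISHED -j ACCEPT
# Keep tunnel traffic out of NAT: ACCEPT in nat/POSTROUTING ahead of any MASQUERADE/SNAT,
# matched on the outbound IPsec policy (needs xt_policy)
iptables -t nat -I POSTROUTING 1 -o $wan_if -m policy --dir out --pol ipsec -j ACCEPT
# Fallback for kernels without xt_policy: exclude the address pair explicitly
iptables -t nat -I POSTROUTING 1 -s $local_net -d $remote_net -j ACCEPT
EOF
}

rules=$(ipsec_fw_rules 10.105.0.0/16 10.105.224.0/22 eth1 eth0)
if [ "${APPLY:-0}" = 1 ]; then
    printf '%s\n' "$rules" | sh -e      # apply; stops at the first failing rule
else
    printf '%s\n' "$rules"              # dry run: review before applying
fi
```

Run it once per conn with the matching subnet pair; the two nat rules need to stay above any MASQUERADE rule in POSTROUTING.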

-----Original Message-----
From: Peter McGill [mailto:petermcgill at goco.net] 
Sent: Tuesday, January 20, 2009 18:36
To: Alfonso Viso; users at openswan.org
Subject: RE: [Openswan Users] vpn connection

Alfonso,

You shouldn't be using spi=, remove those lines.
They are for manual keying, which should not be used.
The output of ipsec auto --status should have a line including:
"IPsec SA established" for each connection. This indicates a successful tunnel connection.

You also need to allow the tunnel traffic through your firewall.
I.e. to/from 10.105.0.0/16, 10.105.224.0/22, etc.

You need to exclude ipsec from any nat rules, so if you're not doing any NATting you're fine, but if you are you need to exclude the ipsec.

Your virtual_private line is wrong; it should exclude any local subnets.
But it doesn't appear that you're using it anyway.


Peter McGill
IT Systems Analyst
Gra Ham Energy Limited 
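An added check (not from the thread) for the two points Peter raises above: every conn in ipsec.conf should have a line in "ipsec auto --status" containing "IPsec SA established", and the spi= lines should be gone. The two inputs embedded below are constructed samples in the thread's format, not output from Alfonso's host; with live data call check_ipsec "$(cat /etc/ipsec.conf)" "$(ipsec auto --status)".

```shell
#!/bin/sh
# Per-conn check: does "ipsec auto --status" report an established IPsec SA
# for each conn defined in ipsec.conf, and are there leftover manual-keying
# spi= lines? Prints one finding per line; exit status 1 if anything is wrong.
check_ipsec() {            # $1 = ipsec.conf text, $2 = status text
    conf=$1 status=$2 rc=0
    # conn names, skipping the %default template section
    for conn in $(printf '%s\n' "$conf" | awk '$1=="conn" && $2!="%default" {print $2}'); do
        if printf '%s\n' "$status" | grep -q "\"$conn\".*IPsec SA established"; then
            echo "OK      $conn: IPsec SA established"
        else
            echo "MISSING $conn: no established IPsec SA (check firewall, NAT, secrets)"
            rc=1
        fi
    done
    # spi= selects manual keying, which is not used together with IKE
    if printf '%s\n' "$conf" | grep -q '^[[:space:]]*spi='; then
        echo "REMOVE  spi= lines found: manual keying, remove them"
        rc=1
    fi
    return $rc
}

# Constructed sample inputs (assumed format; not real data from the thread)
sample_conf='conn %default
        keylife=20m
conn pix-velazquez
        leftsubnet=10.105.0.0/16
        rightsubnet=10.105.224.0/22
        spi=0x0
conn pix-barcelona
        rightsubnet=10.105.228.0/22'
sample_status='000 #1: "pix-velazquez":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2400s
000 #2: "pix-velazquez":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 900s'

check_ipsec "$sample_conf" "$sample_status"
echo "exit status: $?"     # 1 here: pix-barcelona has no SA and spi= is present
```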

> -----Original Message-----
> From: Alfonso Viso [mailto:alfonso.viso at selftrade.com]
> Sent: January 20, 2009 11:32 AM
> To: petermcgill at goco.net; users at openswan.org
> Subject: RE: [Openswan Users] vpn connection
> 
> sorry Peter,
> i forgot to send you ipsec.conf:
> config setup
>         nat_traversal=yes
>         forwardcontrol=yes
>         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
> 
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
> 
> conn pix-velazquez
>         type=tunnel
>         authby=secret
>         left=<public_ip_server>
>         leftsubnet=10.105.0.0/16
>         right=<public_ip_remote>
>         rightsubnet=10.105.224.0/22  
>         esp=3des-md5
>         keyexchange=ike
>         pfs=yes
>         auto=add
>         spi=0x0
> 
> conn pix-barcelona
>         type=tunnel
>         authby=secret
>         left=<public_ip_server>
>         leftsubnet=10.105.0.0/16
>         right=%any
>         rightsubnet=10.105.228.0/22
>         esp=3des-md5
>         keyexchange=ike
>         pfs=yes
>         auto=add
>         spi=0x0
> 
> conn pix-barcelona1
>         type=tunnel
>         authby=secret
>         left=<public_ip_server>
>         leftsubnet=10.3.241.0/24
>         right=%any
>         rightsubnet=10.105.228.0/22
>         esp=3des-md5
>         keyexchange=ike
>         pfs=yes
>         auto=add
>         spi=0x0
> 
> conn pix-barcelona2
>         type=tunnel
>         authby=secret
>         left=<public_ip_server>
>         leftsubnet=10.2.6.0/24
>         right=%any
>         rightsubnet=10.105.228.0/22
>         esp=3des-md5
>         keyexchange=ike
>         pfs=yes
>         auto=add
>         spi=0x0
> 
> conn pix-barcelona3
>         type=tunnel
>         authby=secret
>         left=<public_ip_server>
>         leftsubnet=172.26.26.0/24
>         right=%any
>         rightsubnet=10.105.228.0/22
>         esp=3des-md5
>         keyexchange=ike
>         pfs=yes
>         auto=add
>         spi=0x0
> 
> #Disable Opportunistic Encryption
> I have configured four different connections to "Barcelona" 
> because they connect to other networks through our network.
> About iptables rules, I permit the traffic of port 50,51,500 and 4500, 
> and I don't set any nat rules; is this necessary?
> 
> thanks for the help
> 
> Alfonso
> .......
> -----Original Message-----
> From: Peter McGill [mailto:petermcgill at goco.net]
> Sent: Monday, January 19, 2009 17:42
> To: Alfonso Viso; users at openswan.org
> Subject: RE: [Openswan Users] vpn connection
> 
> 
> Alfonso,
> 
> No you don't need KLIPS.
> I don't see anything wrong with the info you sent so far.
> Are you pinging from server to server or from subnet to subnet?
> The two endpoints of your pings must be within the left/rightsubnets 
> that you have defined.
> ping -I often does not work, do your ping tests to/from hosts in the 
> subnets.
> If you use leftsourceip=<server lan ip> in your config then this can 
> also help.
> Showing me your ping output might help here.
> You need to permit the ipsec traffic through your firewall, both the 
> openswan traffic (ike/esp) and the tunnel traffic (pings, etc...).
> You also cannot nat the tunnel traffic.
> I cannot tell if you've done this without...
> iptables -t filter -L -n -v
> iptables -t nat -L -n -v
> I cannot tell if you have a configuration error without the following:
> cat ipsec.conf
> ipsec status
> 
> Peter McGill
> IT Systems Analyst
> Gra Ham Energy Limited
> 
> > -----Original Message-----
> > From: Alfonso Viso [mailto:alfonso.viso at selftrade.com]
> > Sent: January 19, 2009 11:17 AM
> > To: petermcgill at goco.net; users at openswan.org
> > Subject: RE: [Openswan Users] vpn connection
> > 
> > Hello Peter,
> > 
> > i send you the information:
> > ipsec verify
> > Checking your system to see if IPsec got installed and started 
> > correctly:
> > Version check and ipsec on-path                                 [OK]
> > Linux Openswan U2.4.13/K2.6.17-1.2142_FC4smp (netkey)
> > Checking for IPsec support in kernel                            [OK]
> > Testing against enforced SElinux mode                           [OK]
> > NETKEY detected, testing for disabled ICMP send_redirects       [OK]
> > NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
> > Checking for RSA private key (/etc/ipsec.secrets)              [DISABLED]
> >   ipsec showhostkey: no default key in "/etc/ipsec.secrets"
> > Checking that pluto is running                                  [OK]
> > Two or more interfaces found, checking IP forwarding            [OK]
> > Checking NAT and MASQUERADEing
> > Checking for 'ip' command                                       [OK]
> > Checking for 'iptables' command                                 [OK]
> > Opportunistic Encryption Support                               [DISABLED]
> > 
> > netstat -nr
> > Kernel IP routing table
> > Destination     Gateway              Genmask          Flags MSS Window irtt Iface
> > <net_public>    0.0.0.0              255.255.255.240  U       0 0        0 eth1
> > 10.105.228.0    0.0.0.0              255.255.252.0    U       0 0        0 eth1
> > 10.105.240.0    0.0.0.0              255.255.252.0    U       0 0        0 eth0
> > 10.105.0.0      10.105.240.20        255.255.0.0      UG      0 0        0 eth0
> > 169.254.0.0     0.0.0.0              255.255.0.0      U       0 0        0 eth1
> > 172.0.0.0       10.105.240.20        255.0.0.0        UG      0 0        0 eth0
> > 10.0.0.0        10.105.240.20        255.0.0.0        UG      0 0        0 eth0
> > 0.0.0.0         <gateway internet>   0.0.0.0          UG      0 0        0 eth1
> > 
> > 
> > iptables -t mangle -L -n -v
> > Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> > 
> > Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> > 
> > Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> > 
> > Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> > 
> > Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> > 
> > The iptables rules are ok, but we don't have any NAT rules configured; 
> > perhaps that is the problem?
> > Another thing: I read in an article that if there are many VPNs it's 
> > necessary to use KLIPS instead of NETKEY; is this true?
> > 
> > thanks
> > Alfonso
> > 
> > -----Original Message-----
> > From: Peter McGill [mailto:petermcgill at goco.net]
> > Sent: Monday, January 19, 2009 16:40
> > To: Alfonso Viso; users at openswan.org
> > Subject: RE: [Openswan Users] vpn connection
> > 
> > 
> > Alfonso,
> > 
> > There are several possible causes here.
> > Please send the output of the following commands, to help in 
> > troubleshooting.
> > ipsec verify
> > netstat -nr
> > cat ipsec.conf
> > ipsec status
> > iptables -t filter -L -n -v
> > iptables -t nat -L -n -v
> > iptables -t mangle -L -n -v
> > 
> > Peter McGill
> > IT Systems Analyst
> > Gra Ham Energy Limited
> > 
> > > -----Original Message-----
> > > From: users-bounces at openswan.org
> > > [mailto:users-bounces at openswan.org] On Behalf Of Alfonso Viso
> > > Sent: January 17, 2009 7:08 AM
> > > To: users at openswan.org
> > > Subject: [Openswan Users] vpn connection
> > > 
> > > hi all,
> > >  
> > > I can set up Openswan between a Cisco PIX and a Linux server (FC4). I use 
> > > the NETKEY version and PSK.
> > > The remote site can connect to our intranet, and I see that the 
> > > tunnel is up and the traffic is coming through the tunnel. The 
> > > problem is when I try to ping the other side: the traffic from the 
> > > local side doesn't go through the tunnel, I mean the traffic generated 
> > > by our side, for example. I only see traffic responses from our side.
> > > Could anybody help us?
> > > Thanks in advance and sorry for my English.
> > >  
> > > regards
> > > Alfonso
> > > ________________________________
> > > 
> > > This e-mail contains confidential information or information 
> > > belonging to Boursorama and is intended solely for the addressees. 
> > > The unauthorised disclosure, use, dissemination or copying (either 
> > > whole or partial) of this e-mail, or any information it contains, 
> > > is prohibited. E-mails are susceptible to alteration and their 
> > > integrity cannot be guaranteed. Boursorama shall not be liable for 
> > > this e-mail if modified or falsified. If you are not the intended 
> > > recipient of this e-mail, please delete it immediately from your 
> > > system and notify the sender of the wrong delivery and the mail
> > > deletion. 
> > > 
> > > ________________________________
> > > 
> > > 
> > 
> > 
> > 
> > 
> > 
> 
> 
> 




