[Openswan Users] beginner help

Peter McGill petermcgill at goco.net
Fri Jul 24 10:17:42 EDT 2009


> iptables -A INPUT -i eth1 -p 50 -j ACCEPT
> iptables -A INPUT -i eth1 -p 51 -j ACCEPT
> iptables -A INPUT -i eth1 -p udp --dport 500 -j ACCEPT

You don't need the 51 line (middle).

Are you allowing these on output as well?

-A OUTPUT -o eth1 -p 50 -j ACCEPT
-A OUTPUT -o eth1 -p udp --dport 500 -j ACCEPT

> 000 #2: "net-to-net":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA 
> established); EVENT_SA_REPLACE in 3295s; lastdpd=-1s(seq in:0 out:0)
> 000 #4: "net-to-net":500 STATE_QUICK_I2 (sent QI2, IPsec SA 
> established); EVENT_SA_REPLACE in 27952s; newest IPSEC; eroute owner

This indicates a connection.

> /sbin/iptables -t nat -A POSTROUTING -o eth1 -s 
> 192.168.0.0/24 -d \! 192.168.1.0/24 -j MASQUERADE (left host 
> masquerade rule)

Good, you're not masqing ipsec tunnel traffic.

> /sbin/iptables -t nat -A POSTROUTING -o eth1 -s 
> 192.168.1.0/24 -d \! 192.168.1.0/24 -j MASQUERADE (right host 
> masquerade rule)

This is incorrect, it should be -d \! 192.168.0.0/24
This will break the connection.

Did you allow the ipsec tunnel traffic?

-A FORWARD -i eth1 -o eth2 -s 192.168.1.0/24 -d 192.168.0.0/24 -j ACCEPT
(And the reverse on the right side)

Or better yet, mark the ipsec traffic and allow it.

-t mangle -A PREROUTING -i eth1 -p 50 -j MARK --set-mark 1
-t mangle -A PREROUTING -i eth1 -p udp --dport 500 -j MARK --set-mark 1
-A INPUT -m mark --mark 1 -j ACCEPT
-A FORWARD -m mark --mark 1 -j ACCEPT

Does it work with the firewall off?
Not that you should permanently run without a firewall, but it's a good test.

Peter McGill
IT Systems Analyst
Gra Ham Energy Limited 
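The firewall advice above, gathered into one script as an added example that is not code from the thread or from Openswan. It prints, rather than applies, the rule set for one gateway (IKE and ESP allowed on the public interface, decrypted tunnel traffic forwarded, the LAN masqueraded for everything except the remote site), and it includes a small check that flags a MASQUERADE rule whose excluded destination is not the remote subnet, which is exactly the right-hand rule in the original post. Interface names and subnets follow the poster's setup; the function names and the `! -d` spelling (iptables 1.4 and later; older releases write `-d ! net`) are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints (does not apply) the
# iptables rules for one Openswan/NETKEY gateway. Function names and the
# "! -d" spelling are this example's assumptions.

# gateway_rules LOCAL_SUBNET REMOTE_SUBNET WAN_IF LAN_IF
gateway_rules() {
    local_net=$1 remote_net=$2 wan=$3 lan=$4
    cat <<EOF
# IKE (udp/500) and ESP (proto 50) between the gateways. AH (proto 51)
# is not needed: the conn policy is "encap: esp".
iptables -A INPUT  -i $wan -p udp --dport 500 -j ACCEPT
iptables -A INPUT  -i $wan -p esp -j ACCEPT
iptables -A OUTPUT -o $wan -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -o $wan -p esp -j ACCEPT
# Decrypted tunnel traffic crossing this gateway in both directions.
iptables -A FORWARD -i $wan -o $lan -s $remote_net -d $local_net -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -s $local_net -d $remote_net -j ACCEPT
# Masquerade the LAN behind the WAN address, but never traffic for the
# remote site: it must keep its private source address to match the
# leftsubnet/rightsubnet selector and enter the tunnel.
iptables -t nat -A POSTROUTING -o $wan -s $local_net ! -d $remote_net -j MASQUERADE
EOF
}

# masq_rule_ok RULE LOCAL_SUBNET REMOTE_SUBNET
# Succeeds when RULE is a MASQUERADE rule for LOCAL_SUBNET whose excluded
# destination is REMOTE_SUBNET. Fails for a rule that excludes the wrong
# subnet: the right-hand rule in the original post excludes its own
# 192.168.1.0/24, so tunnel traffic gets NATed and the tunnel breaks.
masq_rule_ok() {
    r=$(printf '%s' "$1" | tr -d '\\')   # "-d \! net" -> "-d ! net"
    local_net=$2 remote_net=$3
    case "$r" in
        *"-j MASQUERADE"*) ;;
        *) return 1 ;;
    esac
    case "$r" in
        *"-s $local_net "*) ;;
        *) return 1 ;;
    esac
    # accept both the new "! -d net" and the old "-d ! net" spellings
    case "$r" in
        *"! -d "*) excluded=${r#*! -d } ;;
        *"-d ! "*) excluded=${r#*-d ! } ;;
        *) return 1 ;;
    esac
    excluded=${excluded%% *}
    [ "$excluded" = "$remote_net" ]
}

# Left gateway: LAN 192.168.0.0/24 on eth0. Right gateway: 192.168.1.0/24 on eth2.
echo "## left";  gateway_rules 192.168.0.0/24 192.168.1.0/24 eth1 eth0
echo "## right"; gateway_rules 192.168.1.0/24 192.168.0.0/24 eth1 eth2
```

Run the script and paste the printed lines into the existing rule set ahead of the final DROP; `iptables -t nat -L POSTROUTING -v -n` should then show the exclusion as `!192.168.0.0/24` on the right box. Where the kernel provides the policy match, `-m policy --dir in --pol ipsec` in FORWARD is a cleaner way to identify decrypted tunnel packets than the mark trick, since it keys on the IPsec policy the packet actually matched rather than on a mark set before decryption.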

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of The Archer
> Sent: July 24, 2009 1:22 AM
> To: Users at openswan.org
> Subject: [Openswan Users] beginner help
> 
> Hello, I'm trying to set up a pretty straightforward vpn 
> tunnel from my house to my friend's house. We both have 
> debian machines of the same release and both have the same 
> version openswan. I've dug through every tutorial and such 
> that I can find and everything LOOKS right to me but it's 
> just not picking up and going. 
> 
> Both machines have two NIC's - one connected to the cable 
> modem which gets a real world IP (eth1 in both cases) and one 
> that gets the private IP (eth0 - 192.168.0.3 for left, eth2 - 
> 192.168.1.3 for right).
> 
> IP masquerading is running on both machines so that the 
> private networks can spoof out behind the public IP's on 
> eth1, and iptables is set up on both to drop all packets (very 
> last rule is to drop anything not specifically allowed higher 
> up) that do not have an explicit 'accept' statement in the 
> rules, with an 'established' clause at the very beginning of the set.
> 
> I'm stumped... I'm hoping a few more sets of eyes looking at 
> this will get me back on track.
> 
> So, that as a preliminary, here's the meat of the matter
> 
> ------------config file (identical on both machines)-----------
> config setup
>         nat_traversal=no
>         nhelpers=0
> 
> conn net-to-net
>   left=69.x.x.x
>   leftsubnet=192.168.0.0/24
>   leftid=@user-12l.x.x.x
>   leftrsasigkey=0sAQN0kZV......
>   leftnexthop=%defaultroute
>   right=70.x.x.x
>   rightsubnet=192.168.1.0/24
>   rightid=@cpe-70-x.x.x
>   rightrsasigkey=0sAQOOk......
>   rightnexthop=%defaultroute
>   auto=start
> 
> include /etc/ipsec.d/examples/no_oe.conf
> -------------------------------
> 
> Iptables rules that I've put in place on both machines 
> relating to try and accept all traffic for ipsec:
> -------
> iptables -A INPUT -i eth1 -p 50 -j ACCEPT
> iptables -A INPUT -i eth1 -p 51 -j ACCEPT
> iptables -A INPUT -i eth1 -p udp --dport 500 -j ACCEPT
> 
> /sbin/iptables -t nat -A POSTROUTING -o eth1 -s 
> 192.168.0.0/24 -d \! 192.168.1.0/24 -j MASQUERADE (left host 
> masquerade rule)
> /sbin/iptables -t nat -A POSTROUTING -o eth1 -s 
> 192.168.1.0/24 -d \! 192.168.1.0/24 -j MASQUERADE (right host 
> masquerade rule)
> 
> output rules that may or may not be related:
> iptables -A OUTPUT -d 192.168.0.0/255.255.255.0 -o eth0 -j 
> ACCEPT  (192.168.1 and eth2 on right host)
> iptables -A OUTPUT -s 255.255.255.255 -o eth1 -j ACCEPT
> -------
> 
> When I go to start ipsec, this is what I see:
> -----------------
> /etc/init.d/ipsec start
> ipsec_setup: NETKEY on eth1 70.112.22.94/255.255.240.0 
> broadcast 255.255.255.255 
> ipsec_setup: ...Openswan IPsec started
> ipsec_setup: Starting Openswan IPsec 2.4.12...
> ipsec_setup: Starting Openswan IPsec 2.4.12...
> ipsec__plutorun: 104 "net-to-net" #1: STATE_MAIN_I1: initiate
> ipsec__plutorun: ...could not start conn "net-to-net"
> ------------------
> 
> Here's my route table (right host) after starting up ipsec:
> ---------
> netstat -rn
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS 
> Window  irtt Iface
> 192.168.1.0     0.0.0.0         255.255.255.0   U          0 
> 0          0 eth2
> 192.168.0.0     70.x.x.1       255.255.255.0   UG        0 0  
>         0 eth1
> 70.x.x.0          0.0.0.0         255.255.240.0   U           
> 0 0          0 eth1
> 0.0.0.0            70.x.x.1       0.0.0.0              UG     
>    0 0          0 eth1
> ----------
> 
> And finally this is what I get from a --status check on the 
> right host (the left host is similar in all respects to this 
> for routing and status)
> 
> ipsec auto --status
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth1/eth1 70.x.x.x
> 000 interface eth2/eth2 192.168.1.3
> 000 %myid = (none)
> 000 debug none
> 000  
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, 
> keysizemin=64, keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, 
> keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, 
> keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, 
> keysizemin=0, keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, 
> name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, 
> name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, 
> name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=251, name=(null), 
> keysizemin=0, keysizemax=0
> 000  
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, 
> blocksize=8, keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, 
> blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, 
> bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, 
> bits=1536
> 000 algorithm IKE dh group: id=14, 
> name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, 
> name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, 
> name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, 
> name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, 
> name=OAKLEY_GROUP_MODP8192, bits=8192
> 000  
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} 
> :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
> 000  
> 000 "net-to-net": 
> 192.168.1.0/24===70.x.x.x[@cpe-70-x.x.x]---70.x.x.1...70.x.x.1
> ---69.x.x.48[@user-12l.x.x.x]===192.168.0.0/24; erouted; eroute owner: #4
> 000 "net-to-net":     srcip=unset; dstip=unset; srcup=ipsec 
> _updown; dstup=ipsec _updown;
> 000 "net-to-net":   ike_life: 3600s; ipsec_life: 28800s; 
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "net-to-net":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; 
> prio: 24,24; interface: eth1; encap: esp;
> 000 "net-to-net":   newest ISAKMP SA: #1; newest IPsec SA: #4; 
> 000 "net-to-net":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
> 000  
> 000 #3: "net-to-net":500 STATE_QUICK_R2 (IPsec SA 
> established); EVENT_SA_REPLACE in 28496s
> 000 #3: "net-to-net" esp.33b504ac at 69.x.x.x 
> esp.ffa99974 at 70.x.x.x tun.0 at 69.x.x.x tun.0 at 70.x.x.x
> 000 #2: "net-to-net":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA 
> established); EVENT_SA_REPLACE in 3295s; lastdpd=-1s(seq in:0 out:0)
> 000 #4: "net-to-net":500 STATE_QUICK_I2 (sent QI2, IPsec SA 
> established); EVENT_SA_REPLACE in 27952s; newest IPSEC; eroute owner
> 000 #4: "net-to-net" esp.27529dc9 at 69.x.x.x 
> esp.c086da7 at 70.x.x.x tun.0 at 69.x.x.x tun.0 at 70.x.x.x
> 000 #1: "net-to-net":500 STATE_MAIN_I4 (ISAKMP SA 
> established); EVENT_SA_REPLACE in 2979s; newest ISAKMP; 
> lastdpd=-1s(seq in:0 out:0)
> 000  
> 
> 