[Openswan Users] ipsec tunneling + openswam + mac os x + ping

Stefan Miklosovic miklosovic at gmail.com
Mon Apr 19 08:23:25 EDT 2010


Good day,

I'm having trouble connecting my Mac OS X road warrior host to the Openswan server, which
runs under Slackware Linux 13. I am trying to figure out the most
essential thing: a ping from my road warrior to the subnet behind the Linux
gateway. I'll try to describe it with a picture.

openswan
mac os x 10.6.3 snow leopard
[10.0.0.1-12.34.56.78]<->[95.52.32.100-192.168.0.1]

Behind 10.0.0.1 there is the server 10.0.2.1.
Behind 192.168.0.1 there is my road warrior, 192.168.0.168.
There is a router, 12.34.56.1, through which traffic from 12.34.56.78 goes first.

10.0.0.0/16
192.168.0.0/24

So, here is some info about the system
======================
# uname -a
Linux charon1 2.6.29.6-smp #2 SMP Mon Aug 17 00:52:54 CDT 2009 i686
Intel(R) Celeron(R) CPU        E1500  @ 2.20GHz GenuineIntel GNU/Linux
======================
# ifconfig
eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
         inet addr:10.0.0.1  Bcast:10.0.255.255  Mask:255.255.0.0
         inet6 addr: fe80::226:18ff:fecd:db6b/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:5430 errors:0 dropped:0 overruns:0 frame:0
         TX packets:3540 errors:0 dropped:0 overruns:0 carrier:2
         collisions:0 txqueuelen:1000
         RX bytes:859576 (839.4 KiB)  TX bytes:282959 (276.3 KiB)
         Interrupt:26

eth1      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
         inet addr:10.1.2.5  Bcast:10.1.2.255  Mask:255.255.255.0
         inet6 addr: fe80::2e0:50ff:febc:43/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:26581 errors:0 dropped:0 overruns:0 frame:0
         TX packets:646 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:2628293 (2.5 MiB)  TX bytes:42126 (41.1 KiB)
         Interrupt:19 Base address:0xec00

eth2      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
         inet addr:12.34.56.78  Bcast:255.255.255.255  Mask:255.255.255.0
         UP BROADCAST RUNNING MULTICAST  MTU:576  Metric:1
         RX packets:978535 errors:0 dropped:0 overruns:0 frame:0
         TX packets:94598 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:62210195 (59.3 MiB)  TX bytes:18615397 (17.7 MiB)
         Interrupt:16 Base address:0xe800

ipsec0    Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
         inet addr:12.34.56.78  Mask:255.255.255.0
         inet6 addr: blablabla Scope:Link
         UP RUNNING NOARP  MTU:16260  Metric:1
         RX packets:236 errors:0 dropped:4 overruns:0 frame:0
         TX packets:474 errors:0 dropped:2341 overruns:0 carrier:0
         collisions:0 txqueuelen:10
         RX bytes:14340 (14.0 KiB)  TX bytes:21256 (20.7 KiB)

lo        Link encap:Local Loopback
         inet addr:127.0.0.1  Mask:255.0.0.0
         inet6 addr: ::1/128 Scope:Host
         UP LOOPBACK RUNNING  MTU:16436  Metric:1
         RX packets:100 errors:0 dropped:0 overruns:0 frame:0
         TX packets:100 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:8400 (8.2 KiB)  TX bytes:8400 (8.2 KiB)
======================
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
12.34.56.0      0.0.0.0         255.255.255.0   U     0      0        0 eth2
12.34.56.0      0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
10.1.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.0.0.0        0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         85.216.130.1    0.0.0.0         UG    0      0        0 eth2
======================
# cat /etc/ipsec.secrets
10.0.0.1 %any: PSK "thiskeyisshit"
======================
# ipsec verify
Checking your system to see if IPsec got installed and started
correctly:
Version check and ipsec on-path                              [OK]
Linux Openswan 2.6.25 (klips)
Checking for IPsec support in kernel                         [OK]
KLIPS detected, checking for NAT Traversal support           [OK]
Checking for RSA private key (/etc/ipsec.secrets)            [OK]
Checking that pluto is running                               [OK]
Pluto listening for IKE on udp 500                           [OK]
Pluto listening for NAT-T on udp 4500                        [OK]
Two or more interfaces found, checking IP forwarding         [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                    [OK]
Checking for 'iptables' command                              [OK]
Opportunistic Encryption Support
[DISABLED]

======================
ipsec.conf
config setup
       nat_traversal=yes
       interfaces="ipsec0=eth2"
#       virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
       keyingtries=1
       compress=yes
       disablearrivalcheck=no
       type=tunnel
       authby=secret

conn roadwarrior-net
       leftsubnet=10.0.0.0/16
       also=roadwarrior

conn roadwarrior-l2tp
       pfs=no
       leftprotoport=17/1701
       rightprotoport=17/%any
       also=roadwarrior

conn roadwarrior-l2tp-updatewin
       pfs=no
       leftprotoport=17/1701
       rightprotoport=17/1701
       also=roadwarrior

conn roadwarrior-all
       leftsubnet=0.0.0.0/0
       also=roadwarrior

conn roadwarrior
       left=12.34.56.78
       leftnexthop=12.34.56.1
       right=%any
       rightsubnet=192.168.0.0/24
       forceencaps=yes
       ike=3des-md5;modp1024
       phase2=esp
       phase2alg=3des-md5;modp1024
       auto=add

conn block
       auto=ignore

conn private
       auto=ignore

conn private-or-clear
       auto=ignore

conn clear-or-private
       auto=ignore

conn packetdefault
       auto=ignore

#include /etc/ipsec.d/examples/oe-exclude-dns.conf

======================
After starting Openswan via /etc/rc.d/init.d/ipsec start and after logging in
from Mac OS X as the road warrior, this is what is in /var/log/secure:

Apr 19 10:39:01 charon1 ipsec__plutorun: Starting Pluto subsystem...
Apr 19 10:39:01 charon1 pluto[22429]: Starting Pluto (Openswan Version
2.6.25; Vendor ID OEC`nT{wo^XH) pid:22429
Apr 19 10:39:01 charon1 pluto[22429]: Setting NAT-Traversal port-4500
floating to on
Apr 19 10:39:01 charon1 pluto[22429]:    port floating activation
criteria nat_t=1/port_float=1
Apr 19 10:39:01 charon1 pluto[22429]:    NAT-Traversal support
[enabled]
Apr 19 10:39:01 charon1 pluto[22429]: using /dev/urandom as source of
random entropy
Apr 19 10:39:01 charon1 pluto[22429]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Apr 19 10:39:01 charon1 pluto[22429]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Apr 19 10:39:01 charon1 pluto[22429]: ike_alg_register_enc():
Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Apr 19 10:39:01 charon1 pluto[22429]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)
Apr 19 10:39:01 charon1 pluto[22429]: ike_alg_register_enc():
Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Apr 19 10:39:01 charon1 pluto[22429]: ike_alg_register_hash():
Activating OAKLEY_SHA2_512: Ok (ret=0)
Apr 19 10:39:01 charon1 pluto[22429]: ike_alg_register_hash():
Activating OAKLEY_SHA2_256: Ok (ret=0)
Apr 19 10:39:01 charon1 pluto[22429]: starting up 1 cryptographic
helpers
Apr 19 10:39:01 charon1 pluto[22432]: using /dev/urandom as source of
random entropy
Apr 19 10:39:01 charon1 pluto[22429]: started helper pid=22432 (fd:7)
Apr 19 10:39:01 charon1 pluto[22429]: Using KLIPS IPsec interface code
on 2.6.29.6-smp
Apr 19 10:39:01 charon1 pluto[22429]: Changed path to directory '/etc/
ipsec.d/cacerts'
Apr 19 10:39:01 charon1 pluto[22429]:   loaded CA cert file
'cacert.pem' (1456 bytes)
Apr 19 10:39:01 charon1 pluto[22429]: Changed path to directory '/etc/
ipsec.d/aacerts'
Apr 19 10:39:01 charon1 pluto[22429]: Changed path to directory '/etc/
ipsec.d/ocspcerts'
Apr 19 10:39:01 charon1 pluto[22429]: Changing to directory '/etc/
ipsec.d/crls'
Apr 19 10:39:01 charon1 pluto[22429]:   loaded crl file 'crl.pem' (593
bytes)
Apr 19 10:39:01 charon1 pluto[22429]: added connection description
"roadwarrior-net"
Apr 19 10:39:01 charon1 pluto[22429]: added connection description
"roadwarrior-l2tp"
Apr 19 10:39:01 charon1 pluto[22429]: added connection description
"roadwarrior-l2tp-updatewin"
Apr 19 10:39:01 charon1 pluto[22429]: added connection description
"roadwarrior-all"
Apr 19 10:39:01 charon1 pluto[22429]: added connection description
"roadwarrior"
Apr 19 10:39:01 charon1 pluto[22429]: listening for IKE messages
Apr 19 10:39:01 charon1 pluto[22429]: NAT-Traversal: Trying new style
NAT-T
Apr 19 10:39:01 charon1 pluto[22429]: adding interface ipsec0/eth2
12.34.56.78:500
Apr 19 10:39:01 charon1 pluto[22429]: adding interface ipsec0/eth2
12.34.56.78:4500
Apr 19 10:39:01 charon1 pluto[22429]: loading secrets from "/etc/
ipsec.secrets"
Apr 19 10:41:52 charon1 pluto[22429]: packet from 192.168.0.168:500:
received Vendor ID payload [RFC 3947] method set to=109
Apr 19 10:41:52 charon1 pluto[22429]: packet from 192.168.0.168:500:
ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Apr 19 10:41:52 charon1 pluto[22429]: packet from 192.168.0.168:500:
ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Apr 19 10:41:52 charon1 pluto[22429]: packet from 192.168.0.168:500:
ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Apr 19 10:41:52 charon1 pluto[22429]: packet from 192.168.0.168:500:
ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Apr 19 10:41:52 charon1 pluto[22429]: packet from 192.168.0.168:500:
ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Apr 19 10:41:52 charon1 pluto[22429]: packet from 192.168.0.168:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108,
but already using method 109
Apr 19 10:41:52 charon1 pluto[22429]: packet from 192.168.0.168:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107,
but already using method 109
Apr 19 10:41:52 charon1 pluto[22429]: packet from 192.168.0.168:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
but already using method 109
Apr 19 10:41:52 charon1 pluto[22429]: packet from 192.168.0.168:500:
ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
Apr 19 10:41:52 charon1 pluto[22429]: packet from 192.168.0.168:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Apr 19 10:41:52 charon1 pluto[22429]: packet from 192.168.0.168:500:
ignoring Vendor ID payload [FRAGMENTATION 80000000]
Apr 19 10:41:52 charon1 pluto[22429]: packet from 192.168.0.168:500:
received Vendor ID payload [Dead Peer Detection]
Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1]
192.168.0.168 #1: responding to Main Mode from unknown peer
147.175.183.89
Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1]
192.168.0.168 #1: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1]
192.168.0.168 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1]
192.168.0.168 #1: NAT-Traversal: Result using RFC 3947 (NAT-
Traversal): both are NATed
Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1]
192.168.0.168 #1: transition from state STATE_MAIN_R1 to state
STATE_MAIN_R2
Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1]
192.168.0.168 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1]
192.168.0.168 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.168'
Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1]
192.168.0.168 #1: transition from state STATE_MAIN_R2 to state
STATE_MAIN_R3
Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1]
192.168.0.168 #1: new NAT mapping for #1, was 147.175.183.89:500, now
192.168.0.168:4500
Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1]
192.168.0.168 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
group=modp1024}

Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1]
192.168.0.168 #1: ignoring informational payload, type
IPSEC_INITIAL_CONTACT msgid=00000000
Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1]
192.168.0.168 #1: received and ignored informational message
Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1]
192.168.0.168 #1: the peer proposed: 10.0.0.2/32:0/0 ->
192.168.0.168/32:0/0
Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1]
192.168.0.168 #2: responding to Quick Mode proposal {msgid:4c56b781}
Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1]
192.168.0.168 #2:     us:
10.0.0.0/16===12.34.56.78<12.34.56.78>[+S=C]---12.34.56.1
Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1]
192.168.0.168 #2:   them: 192.168.0.168[+S=C]===192.168.0.0/24
Apr 19 10:41:53 charon1 pluto[22429]: | NAT-OA: 32 tunnel: 0
Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1]
192.168.0.168 #2: transition from state STATE_QUICK_R0 to state
STATE_QUICK_R1
Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1]
192.168.0.168 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA
installed, expecting QI2
Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1]
192.168.0.168 #2: transition from state STATE_QUICK_R1 to state
STATE_QUICK_R2
Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1]
192.168.0.168 #2: STATE_QUICK_R2: IPsec SA established tunnel mode
{ESP/NAT=>0x0b6204fa <0xd6474be5 xfrm=3DES_0-HMAC_MD5 NATOA=none
NATD=192.168.0.168:4500 DPD=none}
Apr 19 11:37:22 charon1 pluto[22429]: "roadwarrior-net"[1]
192.168.0.168 #3: initiating Main Mode to replace #1
Apr 19 11:38:32 charon1 pluto[22429]: "roadwarrior-net"[1]
192.168.0.168 #3: max number of retransmissions (2) reached
STATE_MAIN_I1.  No response (or no acceptable response) to our first
IKE message
Apr 19 11:41:52 charon1 pluto[22429]: "roadwarrior-net"[1]
192.168.0.168 #1: ISAKMP SA expired (LATEST!)
==================

Firewall (not complete, but the relevant chains, I think)
========
###############################################################################
# IP MASQUERADE/SNAT
###############################################################################

$IPTABLES -t nat -A POSTROUTING -o $INET1_IFACE -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $INET2_IFACE -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $INET2_IFACE -j MASQUERADE

$IPTABLES -A INPUT -i ipsec0 -j ACCEPT

$IPTABLES -A INPUT -i $INET1_IFACE -p esp -j ACCEPT
$IPTABLES -A INPUT -i $INET2_IFACE -p esp -j ACCEPT

$IPTABLES -A INPUT -i $INET1_IFACE -p udp --dport 500 -j ACCEPT
$IPTABLES -A INPUT -i $INET2_IFACE -p udp --dport 500 -j ACCEPT

$IPTABLES -A INPUT -i $INET1_IFACE -p udp --dport 4500 -j ACCEPT
$IPTABLES -A INPUT -i $INET2_IFACE -p udp --dport 4500 -j ACCEPT

$IPTABLES -A INPUT -i $INET1_IFACE -p udp --dport 1701 -j ACCEPT
$IPTABLES -A INPUT -i $INET2_IFACE -p udp --dport 1701 -j ACCEPT

===============
From Mac OS X, I connect with IPSecuritas v3.4; after logging in, the status
of the connection is "green" and the logs are just like those shown above.

There is also a new device, gif0, through which the Mac should send packets.

The firewall doesn't block it; in /var/log/syslog there is nothing (and there used to be,
until we opened the firewall to the appropriate connections).

If my config is OK and everything seems to be OK, what should I try?

Huge thanks to you in advance

Stefan Miklosovic
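As an added example (not from the post and not Openswan's own code), the Python below models how pluto matches the Quick Mode proposal logged above ("the peer proposed: 10.0.0.2/32:0/0 -> 192.168.0.168/32:0/0") against the conns in this ipsec.conf: it resolves the `also=` chain, derives each side's traffic selector from leftsubnet/rightsubnet (or the bare host address) plus protoport, and lists the covering conns narrowest first. The config text is a constructed excerpt of the post's, and the narrowest-first rule is a simplification of pluto's real selection; it does agree with the log here, where roadwarrior-net wins over roadwarrior-all.

```python
import ipaddress
IPSEC_CONF = """\
conn roadwarrior-net
    leftsubnet=10.0.0.0/16
    also=roadwarrior
conn roadwarrior-l2tp
    leftprotoport=17/1701
    rightprotoport=17/%any
    also=roadwarrior
conn roadwarrior-all
    leftsubnet=0.0.0.0/0
    also=roadwarrior
conn roadwarrior
    left=12.34.56.78
    right=%any
    rightsubnet=192.168.0.0/24
"""  # constructed excerpt of the post's ipsec.conf (same conn chain, fewer keys)

def parse_conf(text):  # conn name -> raw key=value pairs (comments stripped)
    conns, cur = {}, None
    for line in (ln.split("#", 1)[0].strip() for ln in text.splitlines()):
        if line.startswith("conn "):
            cur = conns.setdefault(line.split()[1], {})
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return conns

def resolve(conns, name):  # flatten: a conn's own keys win over its also= chain
    eff = {}
    while name:
        eff, name = {**conns[name], **eff}, conns[name].get("also")
    return {k: v for k, v in eff.items() if k != "also"}

def selector(eff, side):  # (network, proto/port) a side accepts; None if bare %any
    net = eff.get(side + "subnet") or eff.get(side)
    if net not in (None, "%any"):
        return ipaddress.ip_network(net, strict=False), eff.get(side + "protoport", "0/0")

def match_proposal(conns, proposed):
    """Conns covering a pluto 'the peer proposed: L -> R' line, narrowest first."""
    want, hits = [s.strip().split(":") for s in proposed.split("->")], []  # IPv4 only
    for name in conns:
        sels = [selector(resolve(conns, name), side) for side in ("left", "right")]
        if None not in sels and all(
                ipaddress.ip_network(ts).subnet_of(net)
                and pp in ("0/0", tsp, tsp.split("/")[0] + "/%any")
                for (ts, tsp), (net, pp) in zip(want, sels)):
            hits.append((sum(net.prefixlen + (pp != "0/0") for net, pp in sels), name))
    return [name for _, name in sorted(hits, reverse=True)]
```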

