[Openswan Users] ipsec tunneling + openswan + mac os x + ping
Stefan Miklosovic
miklosovic at gmail.com
Mon Apr 19 08:23:25 EDT 2010
Good day,
I'm having trouble connecting my Mac OS X roadwarrior host to an Openswan server, which
runs on Slackware Linux 13. I am trying to get the most
essential thing working: a ping from my roadwarrior to the subnet behind the Linux
gateway. I'll try to describe it with a picture:
openswan
mac os x 10.6.3 snow leopard
[10.0.0.1-12.34.56.78]<->[95.52.32.100-192.168.0.1]
behind 10.0.0.1 there is server 10.0.2.1
behind 192.168.0.1 there is my road warrior 192.168.0.168
there is a router 12.34.56.1 through which traffic from 12.34.56.78 goes first.
10.0.0.0/16
192.168.0.0/24
So, here is some information about the system:
======================
# uname -a
Linux charon1 2.6.29.6-smp #2 SMP Mon Aug 17 00:52:54 CDT 2009 i686
Intel(R) Celeron(R) CPU E1500 @ 2.20GHz GenuineIntel GNU/Linux
======================
# ifconfig
eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:10.0.0.1 Bcast:10.0.255.255 Mask:255.255.0.0
inet6 addr: fe80::226:18ff:fecd:db6b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5430 errors:0 dropped:0 overruns:0 frame:0
TX packets:3540 errors:0 dropped:0 overruns:0 carrier:2
collisions:0 txqueuelen:1000
RX bytes:859576 (839.4 KiB) TX bytes:282959 (276.3 KiB)
Interrupt:26
eth1 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:10.1.2.5 Bcast:10.1.2.255 Mask:255.255.255.0
inet6 addr: fe80::2e0:50ff:febc:43/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:26581 errors:0 dropped:0 overruns:0 frame:0
TX packets:646 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2628293 (2.5 MiB) TX bytes:42126 (41.1 KiB)
Interrupt:19 Base address:0xec00
eth2 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:12.34.56.78 Bcast:255.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:576 Metric:1
RX packets:978535 errors:0 dropped:0 overruns:0 frame:0
TX packets:94598 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:62210195 (59.3 MiB) TX bytes:18615397 (17.7 MiB)
Interrupt:16 Base address:0xe800
ipsec0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:12.34.56.78 Mask:255.255.255.0
inet6 addr: blablabla Scope:Link
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:236 errors:0 dropped:4 overruns:0 frame:0
TX packets:474 errors:0 dropped:2341 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:14340 (14.0 KiB) TX bytes:21256 (20.7 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:100 errors:0 dropped:0 overruns:0 frame:0
TX packets:100 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:8400 (8.2 KiB) TX bytes:8400 (8.2 KiB)
======================
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
12.34.56.0      0.0.0.0         255.255.255.0   U     0      0        0 eth2
12.34.56.0      0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
10.1.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.0.0.0        0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         85.216.130.1    0.0.0.0         UG    0      0        0 eth2
======================
# cat /etc/ipsec.secrets
10.0.0.1 %any: PSK "thiskeyisshit"
======================
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan 2.6.25 (klips)
Checking for IPsec support in kernel                            [OK]
KLIPS detected, checking for NAT Traversal support              [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Pluto listening for IKE on udp 500                              [OK]
Pluto listening for NAT-T on udp 4500                           [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
======================
ipsec.conf
config setup
    nat_traversal=yes
    interfaces="ipsec0=eth2"
    # virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    type=tunnel
    authby=secret

conn roadwarrior-net
    leftsubnet=10.0.0.0/16
    also=roadwarrior

conn roadwarrior-l2tp
    pfs=no
    leftprotoport=17/1701
    rightprotoport=17/%any
    also=roadwarrior

conn roadwarrior-l2tp-updatewin
    pfs=no
    leftprotoport=17/1701
    rightprotoport=17/1701
    also=roadwarrior

conn roadwarrior-all
    leftsubnet=0.0.0.0/0
    also=roadwarrior

conn roadwarrior
    left=12.34.56.78
    leftnexthop=12.34.56.1
    right=%any
    rightsubnet=192.168.0.0/24
    forceencaps=yes
    ike=3des-md5;modp1024
    phase2=esp
    phase2alg=3des-md5;modp1024
    auto=add

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn packetdefault
    auto=ignore

#include /etc/ipsec.d/examples/oe-exclude-dns.conf
======================
After starting Openswan via /etc/rc.d/init.d/ipsec start and after logging in
from Mac OS X as a roadwarrior, this is what /var/log/secure contains:
Apr 19 10:39:01 charon1 ipsec__plutorun: Starting Pluto subsystem...
Apr 19 10:39:01 charon1 pluto[22429]: Starting Pluto (Openswan Version 2.6.25; Vendor ID OEC`nT{wo^XH) pid:22429
Apr 19 10:39:01 charon1 pluto[22429]: Setting NAT-Traversal port-4500 floating to on
Apr 19 10:39:01 charon1 pluto[22429]: port floating activation criteria nat_t=1/port_float=1
Apr 19 10:39:01 charon1 pluto[22429]: NAT-Traversal support [enabled]
Apr 19 10:39:01 charon1 pluto[22429]: using /dev/urandom as source of random entropy
Apr 19 10:39:01 charon1 pluto[22429]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Apr 19 10:39:01 charon1 pluto[22429]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Apr 19 10:39:01 charon1 pluto[22429]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Apr 19 10:39:01 charon1 pluto[22429]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Apr 19 10:39:01 charon1 pluto[22429]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Apr 19 10:39:01 charon1 pluto[22429]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Apr 19 10:39:01 charon1 pluto[22429]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Apr 19 10:39:01 charon1 pluto[22429]: starting up 1 cryptographic helpers
Apr 19 10:39:01 charon1 pluto[22432]: using /dev/urandom as source of random entropy
Apr 19 10:39:01 charon1 pluto[22429]: started helper pid=22432 (fd:7)
Apr 19 10:39:01 charon1 pluto[22429]: Using KLIPS IPsec interface code on 2.6.29.6-smp
Apr 19 10:39:01 charon1 pluto[22429]: Changed path to directory '/etc/ipsec.d/cacerts'
Apr 19 10:39:01 charon1 pluto[22429]: loaded CA cert file 'cacert.pem' (1456 bytes)
Apr 19 10:39:01 charon1 pluto[22429]: Changed path to directory '/etc/ipsec.d/aacerts'
Apr 19 10:39:01 charon1 pluto[22429]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Apr 19 10:39:01 charon1 pluto[22429]: Changing to directory '/etc/ipsec.d/crls'
Apr 19 10:39:01 charon1 pluto[22429]: loaded crl file 'crl.pem' (593 bytes)
Apr 19 10:39:01 charon1 pluto[22429]: added connection description "roadwarrior-net"
Apr 19 10:39:01 charon1 pluto[22429]: added connection description "roadwarrior-l2tp"
Apr 19 10:39:01 charon1 pluto[22429]: added connection description "roadwarrior-l2tp-updatewin"
Apr 19 10:39:01 charon1 pluto[22429]: added connection description "roadwarrior-all"
Apr 19 10:39:01 charon1 pluto[22429]: added connection description "roadwarrior"
Apr 19 10:39:01 charon1 pluto[22429]: listening for IKE messages
Apr 19 10:39:01 charon1 pluto[22429]: NAT-Traversal: Trying new style NAT-T
Apr 19 10:39:01 charon1 pluto[22429]: adding interface ipsec0/eth2 12.34.56.78:500
Apr 19 10:39:01 charon1 pluto[22429]: adding interface ipsec0/eth2 12.34.56.78:4500
Apr 19 10:39:01 charon1 pluto[22429]: loading secrets from "/etc/ipsec.secrets"
Apr 19 10:41:52 charon1 pluto[22429]: packet from 192.168.0.168:500: received Vendor ID payload [RFC 3947] method set to=109
Apr 19 10:41:52 charon1 pluto[22429]: packet from 192.168.0.168:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Apr 19 10:41:52 charon1 pluto[22429]: packet from 192.168.0.168:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Apr 19 10:41:52 charon1 pluto[22429]: packet from 192.168.0.168:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Apr 19 10:41:52 charon1 pluto[22429]: packet from 192.168.0.168:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Apr 19 10:41:52 charon1 pluto[22429]: packet from 192.168.0.168:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Apr 19 10:41:52 charon1 pluto[22429]: packet from 192.168.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Apr 19 10:41:52 charon1 pluto[22429]: packet from 192.168.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Apr 19 10:41:52 charon1 pluto[22429]: packet from 192.168.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Apr 19 10:41:52 charon1 pluto[22429]: packet from 192.168.0.168:500: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
Apr 19 10:41:52 charon1 pluto[22429]: packet from 192.168.0.168:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Apr 19 10:41:52 charon1 pluto[22429]: packet from 192.168.0.168:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Apr 19 10:41:52 charon1 pluto[22429]: packet from 192.168.0.168:500: received Vendor ID payload [Dead Peer Detection]
Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #1: responding to Main Mode from unknown peer 147.175.183.89
Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.168'
Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #1: new NAT mapping for #1, was 147.175.183.89:500, now 192.168.0.168:4500
Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #1: received and ignored informational message
Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #1: the peer proposed: 10.0.0.2/32:0/0 -> 192.168.0.168/32:0/0
Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #2: responding to Quick Mode proposal {msgid:4c56b781}
Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #2: us: 10.0.0.0/16===12.34.56.78<12.34.56.78>[+S=C]---12.34.56.1
Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #2: them: 192.168.0.168[+S=C]===192.168.0.0/24
Apr 19 10:41:53 charon1 pluto[22429]: | NAT-OA: 32 tunnel: 0
Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x0b6204fa <0xd6474be5 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=192.168.0.168:4500 DPD=none}
Apr 19 11:37:22 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #3: initiating Main Mode to replace #1
Apr 19 11:38:32 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #3: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
Apr 19 11:41:52 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #1: ISAKMP SA expired (LATEST!)
==================
firewall (not complete, but the relevant chains, I think)
========
###############################################################################
# IP MASQUERADE/SNAT
###############################################################################
$IPTABLES -t nat -A POSTROUTING -o $INET1_IFACE -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $INET2_IFACE -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $INET2_IFACE -j MASQUERADE
$IPTABLES -A INPUT -i ipsec0 -j ACCEPT
$IPTABLES -A INPUT -i $INET1_IFACE -p esp -j ACCEPT
$IPTABLES -A INPUT -i $INET2_IFACE -p esp -j ACCEPT
$IPTABLES -A INPUT -i $INET1_IFACE -p udp --dport 500 -j ACCEPT
$IPTABLES -A INPUT -i $INET2_IFACE -p udp --dport 500 -j ACCEPT
$IPTABLES -A INPUT -i $INET1_IFACE -p udp --dport 4500 -j ACCEPT
$IPTABLES -A INPUT -i $INET2_IFACE -p udp --dport 4500 -j ACCEPT
$IPTABLES -A INPUT -i $INET1_IFACE -p udp --dport 1701 -j ACCEPT
$IPTABLES -A INPUT -i $INET2_IFACE -p udp --dport 1701 -j ACCEPT
===============
From Mac OS X, I connect with IPSecuritas v3.4; after logging in, the status
of the connection is "green" and the logs are just like those mentioned above.
There is also a new device gif0 through which the Mac should send packets.
The firewall doesn't block it, and in /var/log/syslog there is nothing (there used to be,
until we opened the firewall for the appropriate connections).
If my config is OK and everything seems to be OK, what should I try?
Huge thanks to you in advance
Stefan Miklosovic
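The post shows both tunnels established (ISAKMP SA with 3DES/MD5/modp1024, then an ESP SA with 3DES/HMAC-MD5, DPD=none) and yet no traffic, followed an hour later by a gateway-initiated rekey that gets no answer. Below is an added triage script, not part of the original post and not Openswan's own code, that parses pluto lines of the kind quoted above and lints the posted ipsec.conf. SAMPLE_LOG and SAMPLE_CONF are constructed from the post with the e-mail line wrapping undone; the regexes assume the Openswan 2.6 pluto message formats visible there, and the "weak" thresholds (DES/3DES, MD5, DH groups below 2048 bits) are the script's own choice. It reports what the client proposed as traffic selectors (10.0.0.2/32 and 192.168.0.168/32) next to the /16 and /24 the gateway's connection covers, that pluto decided the gateway side is NATed as well, the shared PSK with right=%any, and the failed rekey. None of this is a diagnosis; it is the list of things a practitioner would check before touching the firewall again.

```python
"""Triage helpers for an Openswan 2.6 pluto log and ipsec.conf (added example).

Not the poster's code and not Openswan's. SAMPLE_LOG and SAMPLE_CONF are
constructed from the mailing-list post above; the regexes assume the pluto
message formats shown there and the weak-algorithm thresholds are ours.
"""
import ipaddress
import re

SAMPLE_LOG = """\
Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #1: the peer proposed: 10.0.0.2/32:0/0 -> 192.168.0.168/32:0/0
Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #2: us: 10.0.0.0/16===12.34.56.78<12.34.56.78>[+S=C]---12.34.56.1
Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #2: them: 192.168.0.168[+S=C]===192.168.0.0/24
Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x0b6204fa <0xd6474be5 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=192.168.0.168:4500 DPD=none}
Apr 19 11:38:32 charon1 pluto[22429]: "roadwarrior-net"[1] 192.168.0.168 #3: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
"""

SAMPLE_CONF = """\
conn roadwarrior
    right=%any
    authby=secret
    ike=3des-md5;modp1024
    phase2alg=3des-md5;modp1024
conn roadwarrior-l2tp
    pfs=no
    also=roadwarrior
"""

PHASE1_RE = re.compile(r"ISAKMP SA established \{auth=(\S+) cipher=(\S+) prf=(\S+) group=(\S+)\}")
PHASE2_RE = re.compile(r"IPsec SA established tunnel mode \{ESP/NAT=>(\S+) <(\S+) xfrm=(\S+) NATOA=(\S+) NATD=(\S+) DPD=(\S+)\}")
PROPOSED_RE = re.compile(r"the peer proposed: (\S+?):\d+/\d+ -> (\S+?):\d+/\d+")
US_RE = re.compile(r"#\d+: us: (\S+?)===")
THEM_RE = re.compile(r"#\d+: them: \S+?===(\S+)")
NATT_RE = re.compile(r"NAT-Traversal: Result using .+?: (.+)$")
RETRANS_RE = re.compile(r"#(\d+): max number of retransmissions \(\d+\) reached (STATE_\w+)")

# Algorithm name fragments we treat as weak: DES/3DES, MD5, DH groups below 2048 bits.
WEAK_TOKENS = ("des", "md5", "modp768", "modp1024", "modp1536")


def weak_parts(*names):
    """Return the lowercased algorithm names that contain a weak token."""
    return [n.lower() for n in names if any(t in n.lower() for t in WEAK_TOKENS)]


def triage_log(log_text):
    """Extract negotiated parameters from pluto lines and list what deserves attention."""
    facts, findings = {}, []
    for line in log_text.splitlines():
        if m := PHASE1_RE.search(line):
            auth, cipher, prf, group = m.groups()
            facts["phase1"] = {"auth": auth, "cipher": cipher, "prf": prf, "group": group}
            findings += [f"phase1 uses weak algorithm {w}" for w in weak_parts(cipher, prf, group)]
        elif m := PROPOSED_RE.search(line):
            facts["proposed"] = m.groups()
        elif m := US_RE.search(line):
            facts["us"] = m.group(1)
        elif m := THEM_RE.search(line):
            facts["them"] = m.group(1)
        elif m := PHASE2_RE.search(line):
            facts["phase2"] = {"xfrm": m.group(3), "natd": m.group(5), "dpd": m.group(6)}
            findings += [f"phase2 uses weak algorithm {w}" for w in weak_parts(m.group(3))]
            if m.group(6) == "none":
                findings.append("phase2 has DPD=none: a vanished NATed client is only noticed at rekey")
        elif m := NATT_RE.search(line):
            facts["nat_t"] = m.group(1)
            if m.group(1).startswith("both"):
                findings.append("NAT-T: pluto concluded the gateway is NATed too; check that left= is the address the client talks to")
        elif m := RETRANS_RE.search(line):
            findings.append(f"rekey #{m.group(1)} initiated by the gateway got no reply in {m.group(2)}")
    # Compare the selectors the client asked for with what the gateway's connection covers.
    if all(k in facts for k in ("proposed", "us", "them")):
        us, them = ipaddress.ip_network(facts["us"]), ipaddress.ip_network(facts["them"])
        a, b = (ipaddress.ip_network(p) for p in facts["proposed"])
        facts["selectors_match"] = (a, b) == (us, them)
        if not facts["selectors_match"]:
            where = "inside" if a.subnet_of(us) and b.subnet_of(them) else "outside"
            findings.append(f"client proposed {a} <-> {b}, gateway connection is {us} <-> {them} (proposal lies {where} it)")
    return facts, findings


def lint_conf(conf_text):
    """Flag weak or risky settings per conn in an ipsec.conf fragment."""
    settings, conn = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            conn = line.split(None, 1)[1]
        elif conn and "=" in line and not line.startswith("#"):
            key, value = (s.strip() for s in line.split("=", 1))
            settings.setdefault(conn, {})[key] = value
    findings = []
    for conn, kv in settings.items():
        for key in ("ike", "phase2alg"):
            if key in kv:
                findings += [f"{conn}: {key} uses weak {w}" for w in weak_parts(*re.split(r"[-;]", kv[key]))]
        if kv.get("authby") == "secret" and kv.get("right") == "%any":
            findings.append(f"{conn}: PSK with right=%any is one shared secret for every roadwarrior")
        if kv.get("pfs") == "no":
            findings.append(f"{conn}: pfs=no, quick mode keys come from the phase1 DH result only")
    return findings
```

Run it with `python3 -c 'import triage; print(triage.triage_log(triage.SAMPLE_LOG)); print(triage.lint_conf(triage.SAMPLE_CONF))'` (file name assumed). On the sample it reports the selector difference, the "both are NATed" result, DPD=none, the unanswered rekey, and the weak 3DES/MD5/modp1024 choices on both phases. The selector line is the one to look at first: the gateway has to route packets for 10.0.2.1 into the tunnel and the client has to accept them, and what each side negotiated is in the log, not in the config.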