[Openswan Users] Questions regarding firewall and routing accommodations for openswan 2.6.28
Stephen Jones
hivemynd at hivemynd.net
Thu Aug 12 18:28:37 EDT 2010
Any suggestions at all on how to configure openswan-2.6.28 (klips)
running on a gateway? Just a nudge to current documentation covering
how to handle the mast# interface would likely help tons! (source
code/man page only sort of defines mast as: mast stands for Mooring And
Status Tunnel, but pretty sparse on how to use/configure it) Every
single tutorial or howto I have found (including the openswan book by
Paul Wouters) is at least 4 years out of date. Thanks again for your time!
~SJ
Stephen Jones wrote:
> Greetings openswan users and gurus!
>
> I am involved with a project that is attempting to drag the venerable
> SmoothWall 3.0 OSS firewall project kicking-and-screaming into the 21st
> century. Among the many, many, many version upgrades required to
> re-establish the platform around modern versions of gcc 4.4.3 (from
> 3.3.5) and current 2.6 kernels 2.6.32.17 (from 2.6.16.60), the openswan
> component was also updated to 2.6.28 (from 2.4.15).
>
> It appears that openswan 2.6.28 (KLIPS) is installed and running on the
> modernized SmoothWall, however, the tunnels do not come up, and thus no
> traffic is passed. Both endpoints are identical platforms (i.e. same
> kernel, iptables and openswan versions).
>
> My google-fu has failed me miserably in attempting to locate current
> how-to's for the newer versions of openswan that have the 'mast#'
> interfaces and what accommodations in routing and iptables rules are
> required on a firewall/gateway appliance such as the SmoothWall. I have
> read the 'Building and Integrating Virtual Private Networks with
> Openswan' from PACKT, 2006, but it appears to not cover the very latest
> versions, understandably (is there an updated version in the works Paul?)
>
> Three lead-off questions:
> 1. mast0: What IP is it supposed to end up with (I'm thinking the public
> IP, evidence:
> http://lists.openswan.org/pipermail/users/2010-June/018881.html)
>
> 2. Do there need to be explicit firewall rules addressing the mast0
> interface? (I have attempted to add these rules, but to no apparent
> effect. Please see the ipsec-barf output link below).
>
> 3. Does there need to be explicit routing added for the mast0 interface
> to the other side of the tunnel? (Currently, I am thinking no.)
>
> Any nudges in the right direction are greatly appreciated!
>
> Again, thank you for your time and consideration in helping us modernize
> the venerable OSS SmoothWall project!
>
> Best regards,
>
> ~SJ
> -----------------------------------------------
> Platform and configuration information follows:
>
> Platform(s) Summary (both ends are identical):
> kernel: 2.6.32.17-phaeton #1 SMP Fri Aug 6 17:57:24 BST 2010 i686 GNU/Linux
> iptables: iptables v1.4.8
> openswan: Linux Openswan 2.6.28 (klips)
>
>
> ipsec.conf:
>
> version 2
>
> config setup
>     interfaces=%defaultroute
>     klipsdebug=none
>     plutodebug=none
>     plutowait=no
>     uniqueids=yes
>     mast=no
>
> conn clear
>     auto=ignore
>
> conn clear-or-private
>     auto=ignore
>
> conn private-or-clear
>     auto=ignore
>
> conn private
>     auto=ignore
>
> conn block
>     auto=ignore
>
> conn packetdefault
>     auto=ignore
>
> conn phaeton2phaeton
>     ike=3des-md5
>     esp=3des-md5
>     authby=secret
>     keyingtries=0
>     left=192.168.1.40
>     leftsubnet=192.168.4.0/24
>     leftnexthop=%defaultroute
>     right=192.168.1.50
>     rightsubnet=192.168.10.0/24
>     rightnexthop=%defaultroute
>     compress=no
>     auto=start
>
> ipsec status:
> IPsec running - pluto pid: 6113
> pluto pid 6113
> No tunnels up
>
> ipsec verify:
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path [OK]
> Checking for IPsec support in kernel [OK]
> KLIPS detected, checking for NAT Traversal support [OK]
> Checking that pluto is running [OK]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking NAT and MASQUERADEing
> Checking for 'ip' command [OK]
> Checking for 'iptables' command [OK]
> Opportunistic Encryption Support [DISABLED]
>
>
> ipsec barf:
> http://www.hivemynd.net/smoothwall/phaeton/openswan/ipsec_barf_2.6.28.txt
>
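Question 2 above asks which iptables rules a KLIPS gateway needs. The following is an added example (not from this thread or from the Openswan project) that audits an iptables-save dump for the rules every IPsec gateway needs (IKE on UDP/500, NAT-T on UDP/4500, ESP) plus FORWARD rules for the KLIPS virtual interface on which decrypted packets appear; it assumes that interface name is supplied by the caller (ipsec0 with mast=no, mast0 with mast=yes) and runs here against a constructed sample ruleset.

```shell
# Constructed iptables-save excerpt (not from the thread): IKE and ESP are
# allowed in, but NAT-T and the KLIPS interface rules are missing.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'

# accept_rule_present RULES CHAIN REGEX: succeeds if CHAIN has an ACCEPT rule
# matching REGEX (a trailing space pins "--dport 500 " against 5000).
accept_rule_present() {
    printf '%s\n' "$1" | grep -Eq -- "^-A $2 .*$3.*-j ACCEPT\$"
}

# audit_ipsec_rules RULES KLIPS_IF: prints OK/MISSING per requirement and
# returns the number missing. KLIPS_IF is where decrypted packets appear
# (ipsec0 with mast=no, mast0 with mast=yes); name is an assumption.
audit_ipsec_rules() {
    rules=$1
    klips_if=$2
    missing=0
    for spec in \
        "INPUT|IKE (UDP/500)|-p udp .*--dport 500 " \
        "INPUT|NAT-T (UDP/4500)|-p udp .*--dport 4500 " \
        "INPUT|ESP (IP protocol 50)|-p esp " \
        "FORWARD|decrypted traffic arriving on $klips_if|-i $klips_if " \
        "FORWARD|cleartext leaving via $klips_if|-o $klips_if "
    do
        chain=${spec%%|*}
        rest=${spec#*|}
        label=${rest%%|*}
        regex=${rest#*|}
        if accept_rule_present "$rules" "$chain" "$regex"; then
            echo "OK       $chain  $label"
        else
            echo "MISSING  $chain  $label"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Run against the constructed sample; on a real gateway feed it
# "$(iptables-save)" instead.
audit_ipsec_rules "$SAMPLE_RULES" ipsec0 || echo "missing: $?"
```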