[Openswan Users] NAT and/or Firewall problem
Bart Smink
bartsmink at gmail.com
Thu Aug 26 09:34:56 EDT 2010
Hello everyone,
I have a NAT and/or firewall problem on my Openswan gateway. The IPsec
tunnel works only from the gateway to the roadwarrior: I can ssh from the
gateway to the roadwarrior, but I can't ssh from the roadwarrior to the
gateway or to computers on the network behind it. I have tried many
iptables commands, but they did not seem to work or they were old. I have
reset my iptables to the ClearOS default, plus opening some ports that are
listed below.
My network looks like the following diagram:

  |10.97.10.101|   |10.97.10.102, OpenVPN server|
        |                  /
  10.97.10.0/24 ----------|eth1 (10.97.10.1) "Openswan Gateway" eth0 (85.145.148.106)|
                                                                     |
                                                                  Internet
                                                                     |
  |(variable IP address) Netgear router (10.81.9.253)| --- 10.81.9.0/24 --- |eth0 (10.81.9.204) "Roadwarrior"|
Now the OpenVPN server is having the same problem as the Openswan server: I
can connect, but I cannot send any data from the roadwarrior to the OpenVPN
server. It worked until I started using ClearOS on the gateway as a
replacement for my Linksys router.
Commands and configuration:
The ip route show command gives the following outputs:

Gateway:
10.81.9.204 dev eth0 scope link src 10.97.10.1
10.81.9.203 dev eth0 scope link src 10.97.10.1
10.97.10.0/24 dev eth1 proto kernel scope link src 10.97.10.1
85.145.148.0/22 dev eth0 proto kernel scope link src 85.145.148.106
default via 85.145.148.1 dev eth0

Roadwarrior:
10.81.9.0/24 dev eth0 proto kernel scope link src 10.81.9.204 metric 1
10.97.10.0/24 dev eth0 scope link src 10.81.9.204
default via 10.81.9.253 dev eth0 proto static
Openswan 2.6.28 built from source using NETKEY on a ClearOS/CentOS 2.6.18
kernel.
Iptables on the gateway allow incoming UDP traffic on ports 500 and 4500 and
allow incoming ESP/AH traffic.
Traceroute:

On the gateway:
[root@gateway ~]# traceroute 10.81.9.204
traceroute to 10.81.9.204 (10.81.9.204), 30 hops max, 40 byte packets
 1  10.81.9.204 (10.81.9.204)  43.687 ms  43.729 ms  43.754 ms

On the roadwarrior:
[root@realfedora bartsmink]# traceroute 10.97.10.1
traceroute to 10.97.10.1 (10.97.10.1), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
The configuration on the gateway:

[root@gateway ~]# cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%4:!10.97.10.0/24
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        protostack=netkey

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
#               left=10.0.0.1
#               leftsubnet=172.16.0.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway, subnet behind it, nexthop toward left.
#               right=10.12.12.1
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
#               # To authorize this connection, but not actually start it,
#               # at startup, uncomment this.
#               #auto=add

conn LAN
        left=85.145.148.106
        leftsourceip=10.97.10.1
        leftsubnet=10.97.10.0/24
        leftrsasigkey=%cert
        leftcert="Left1024-cert.pem"
        leftid="/C=NL/ST=Utrecht/L=Utrecht/O=Testing Corporation/OU=Research and Development/CN=Left1024/emailAddress=admin@testingcorporation.nl"
        right=%any
        rightsubnet=vhost:%priv,%no
        rightrsasigkey=%cert
        rightid="/C=NL/ST=Utrecht/L=Utrecht/O=Testing Corporation/OU=Research and Development/CN=Right1024/emailAddress=admin@testingcorporation.nl"
        rightca=%same
        auto=add
Configuration on the roadwarrior:

[root@realfedora bartsmink]# cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.97.10.0/24
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        protostack=netkey

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
#               left=10.0.0.1
#               leftsubnet=172.16.0.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway, subnet behind it, nexthop toward left.
#               right=10.12.12.1
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
#               # To authorize this connection, but not actually start it,
#               # at startup, uncomment this.
#               #auto=add

conn LAN
        left=%defaultroute
        leftsourceip=10.81.9.204
        leftid="C=NL, ST=Utrecht, L=Utrecht, O=Testing Corporation, OU=Research and Development, CN=Right1024, E=admin@testingcorporation.nl"
        leftrsasigkey=%cert
        leftcert=Right1024-cert.pem
        leftca=%same
        right=85.145.148.106
        rightid="/C=NL/ST=Utrecht/L=Utrecht/O=Testing Corporation/OU=Research and Development/CN=Left1024/emailAddress=admin@testingcorporation.nl"
        rightca=%same
        rightrsasigkey=%cert
        keyingtries=%forever
        rightsubnet=10.97.10.0/24
        auto=add
I hope someone can give me a solution for this problem. It would be nice to
see this VPN working.
Greetings,
Bart Smink
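The virtual_private setting in the two ipsec.conf files above is what lets the gateway accept a roadwarrior's private address (rightsubnet=vhost:%priv) while keeping its own LAN out of that pool. The validator below is an added example, not code from the message, from Openswan or from ClearOS: it parses such a value, reports any entry it cannot parse instead of dropping it, and checks whether a given server-side subnet is actually excluded and whether a client's inner address would be accepted. The two sample values are copied from the post; the parsing rules (a %v4: or %v6: tag, optional ! for exclusion) follow the ipsec.conf(5) description, and the function names are my own.

```python
import ipaddress
import re

# Both values are copied from the ipsec.conf files in the message. The
# gateway's last entry reads "%4:" rather than "%v4:", which gives the
# validator a malformed entry to report.
GATEWAY_VIRTUAL_PRIVATE = ("%v4:10.0.0.0/8,%v4:192.168.0.0/16,"
                           "%v4:172.16.0.0/12,%4:!10.97.10.0/24")
ROADWARRIOR_VIRTUAL_PRIVATE = ("%v4:10.0.0.0/8,%v4:192.168.0.0/16,"
                               "%v4:172.16.0.0/12,%v4:!10.97.10.0/24")

# One entry: %v4: or %v6: tag, optional "!" meaning "exclude", then a network.
ENTRY_RE = re.compile(r"^%(v4|v6):(!?)(\S+)$")


def parse_virtual_private(value):
    """Split a virtual_private value into (includes, excludes, errors).

    Malformed entries go into `errors` instead of being dropped silently, so a
    typo cannot quietly turn an intended exclusion into no exclusion at all."""
    includes, excludes, errors = [], [], []
    for raw in value.split(","):
        entry = raw.strip()
        match = ENTRY_RE.match(entry)
        if not match:
            errors.append(f"malformed entry {entry!r}: expected %v4:<net> or %v4:!<net>")
            continue
        family, negate, net = match.groups()
        try:
            network = ipaddress.ip_network(net, strict=False)
        except ValueError:
            errors.append(f"unparsable network in {entry!r}")
            continue
        if (family == "v4") != (network.version == 4):
            errors.append(f"tag %{family}: does not match address family of {net}")
            continue
        (excludes if negate else includes).append(network)
    return includes, excludes, errors


def server_subnet_excluded(value, server_subnet):
    """True if the server-side subnet is kept out of the virtual_private pool.

    The sample comment in ipsec.conf says to exclude it with %v4:!a.b.c.0/24;
    if that entry does not parse, the LAN stays inside 10.0.0.0/8 and a client
    could be accepted with an inner address that overlaps the LAN."""
    includes, excludes, _ = parse_virtual_private(value)
    subnet = ipaddress.ip_network(server_subnet, strict=False)
    same_family = lambda nets: [n for n in nets if n.version == subnet.version]
    covered = any(subnet.subnet_of(n) for n in same_family(includes))
    excluded = any(subnet.subnet_of(n) for n in same_family(excludes))
    return (not covered) or excluded


def address_allowed(value, address):
    """Would a client proposing `address` as its inner address be accepted?

    Mirrors the documented meaning of vhost:%priv: the address must fall in an
    included range and in no excluded range."""
    includes, excludes, _ = parse_virtual_private(value)
    ip = ipaddress.ip_address(address)
    if any(ip in n for n in excludes if n.version == ip.version):
        return False
    return any(ip in n for n in includes if n.version == ip.version)


if __name__ == "__main__":
    for name, value in (("gateway", GATEWAY_VIRTUAL_PRIVATE),
                        ("roadwarrior", ROADWARRIOR_VIRTUAL_PRIVATE)):
        inc, exc, errs = parse_virtual_private(value)
        print(f"{name}: {len(inc)} included, {len(exc)} excluded, errors={errs}")
        print(f"  LAN 10.97.10.0/24 excluded: {server_subnet_excluded(value, '10.97.10.0/24')}")
        print(f"  client 10.81.9.204 accepted: {address_allowed(value, '10.81.9.204')}")
```

Run against the two values from the post, the roadwarrior's line parses cleanly and excludes the LAN, while the gateway's line yields one parse error and no exclusion at all, which is the kind of silent difference worth catching before looking at firewall rules.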
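The message says the gateway's iptables accept UDP 500, UDP 4500 and ESP/AH, yet decrypted traffic still does not reach the LAN. As an added example (not code from the post, from Openswan or from ClearOS), here is a small audit that reads an iptables-save dump and checks the three things that matter on a NETKEY gateway: the INPUT rules the message lists, a FORWARD rule for decrypted packets arriving on the Internet-facing interface, and whether a blanket MASQUERADE is exempted for IPsec-bound traffic. Both rule dumps are constructed for the example; eth0/eth1 follow the post's diagram, the -m policy match is the stock xt_policy iptables module, and the audit_ipsec_firewall name and its findings text are my own.

```python
# Constructed iptables-save excerpt (not taken from the post) modelled on the
# message: the gateway accepts IKE (UDP 500), NAT-T (UDP 4500) and ESP/AH on
# the Internet-facing eth0; the LAN 10.97.10.0/24 sits on eth1 and is
# masqueraded toward eth0, as a default ClearOS-style gateway would.
CURRENT_RULES = """\
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i eth0 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth0 -p esp -j ACCEPT
-A INPUT -i eth0 -p ah -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""

# Same ruleset with the two additions the audit below asks for: decrypted
# packets may be forwarded toward the LAN, and packets that will be encrypted
# skip the masquerade (the -m policy match comes from the xt_policy module).
HARDENED_RULES = """\
*nat
-A POSTROUTING -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i eth0 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth0 -p esp -j ACCEPT
-A INPUT -i eth0 -p ah -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m policy --dir in --pol ipsec -j ACCEPT
COMMIT
"""


def parse_rules(dump):
    """Group the '-A ...' lines of an iptables-save dump by table, in order."""
    tables, current = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            current = line[1:]
            tables.setdefault(current, [])
        elif line.startswith("-A ") and current is not None:
            tables[current].append(line)
    return tables


def _accepts(rules, chain, *needles):
    """True if some ACCEPT rule in `chain` contains every needle."""
    prefix = f"-A {chain} "
    return any(r.startswith(prefix) and r.endswith("-j ACCEPT")
               and all(n in r for n in needles) for r in rules)


def audit_ipsec_firewall(dump, wan_if, lan_if):
    """Return a list of findings; an empty list means every check passed."""
    tables = parse_rules(dump)
    filt, nat = tables.get("filter", []), tables.get("nat", [])
    findings = []

    # 1. The gateway must accept IKE, NAT-T and the ESP/AH payload itself.
    for label, needles in (("IKE (UDP 500)", ("-p udp", "--dport 500 ")),
                           ("NAT-T (UDP 4500)", ("-p udp", "--dport 4500 ")),
                           ("ESP", ("-p esp",)), ("AH", ("-p ah",))):
        if not _accepts(filt, "INPUT", f"-i {wan_if}", *needles):
            findings.append(f"INPUT does not accept {label} on {wan_if}")

    # 2. With NETKEY a decrypted packet re-enters netfilter as if it arrived on
    #    the WAN interface; without a FORWARD rule for that direction the peer
    #    can reach the gateway itself but nothing behind it.
    if not _accepts(filt, "FORWARD", f"-i {wan_if}", f"-o {lan_if}"):
        findings.append(f"FORWARD has no ACCEPT for decrypted traffic {wan_if} -> {lan_if}")

    # 3. A blanket MASQUERADE on the WAN interface also rewrites LAN packets
    #    that are about to be encrypted unless an earlier rule exempts them.
    masq_idx = next((i for i, r in enumerate(nat)
                     if r.startswith("-A POSTROUTING ") and f"-o {wan_if}" in r
                     and r.endswith("-j MASQUERADE")), None)
    if masq_idx is not None:
        exempt = any("--pol ipsec" in r and r.endswith("-j ACCEPT") for r in nat[:masq_idx])
        if not exempt:
            findings.append(f"MASQUERADE on {wan_if} is not preceded by an IPsec policy exemption")
    return findings


if __name__ == "__main__":
    for name, dump in (("current", CURRENT_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_ipsec_firewall(dump, "eth0", "eth1") or ["ok"])
```

On a real box the dump comes from `iptables-save`; feeding the constructed "current" set through the audit reports the missing reverse FORWARD rule and the unexempted MASQUERADE, and the "hardened" set reports nothing.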