[Openswan Users] NAT and/or Firewall problem

Bart Smink bartsmink at gmail.com
Thu Aug 26 12:15:25 EDT 2010


Here is the output of ipsec barf on pastebin:

http://pastebin.com/wBCCYhwi

> Hello everyone,
>
> I have a NAT and/or Firewall problem on my Openswan gateway. The IPsec
> tunnel works only from the Gateway to the roadwarrior: I can ssh from the
> gateway to the roadwarrior, but I can't ssh from the roadwarrior to the
> gateway or to computers on the network behind it. I have tried many
> iptables commands, but they did not seem to work or they were old. I have
> reset my iptables to the ClearOS default, plus opening some ports that are
> listed below.
>
> My network looks like the following diagram:
>
> |10.97.10.101|   |10.97.10.102, OpenVPN server|
>       |                     |
> 10.97.10.0/24 --------|eth1 (10.97.10.1) "Openswan Gateway" eth0 (85.145.148.106)|-- Internet --
>   |(variable IP address) Netgear router (10.81.9.253)| --- 10.81.9.0/24 --- |eth0 (10.81.9.204) "Roadwarrior"|
>
> Now the Openvpn server is having the same problem as the Openswan server, I
> can connect, but I cannot send any data from the roadwarrior to the Openvpn
> server. It has worked till I started using Clearos on the gateway as a
> replacement of my Linksys router.
>
> Commands and configuration:
> The ip route show command gives the following output:
> Gateway:
> 10.81.9.204 dev eth0 scope link src 10.97.10.1
> 10.81.9.203 dev eth0 scope link src 10.97.10.1
> 10.97.10.0/24 dev eth1 proto kernel scope link src 10.97.10.1
> 85.145.148.0/22 dev eth0 proto kernel scope link src 85.145.148.106
> default via 85.145.148.1 dev eth0
> Roadwarrior:
> 10.81.9.0/24 dev eth0 proto kernel scope link src 10.81.9.204 metric 1
> 10.97.10.0/24 dev eth0 scope link src 10.81.9.204
> default via 10.81.9.253 dev eth0 proto static
> Openswan 2.6.28 built from source using NETKEY on ClearOS/CentOS 2.6.18 kernel
>
> Iptables on the gateway allow incoming UDP traffic on port 500 and 4500
> and allow incoming ESP/AH traffic.
>
> Traceroute:
> On the gateway:
> [root at gateway ~]# traceroute 10.81.9.204
> traceroute to 10.81.9.204 (10.81.9.204), 30 hops max, 40 byte packets
>  1  10.81.9.204 (10.81.9.204)  43.687 ms  43.729 ms  43.754 ms
> On the roadwarrior:
> [root at realfedora bartsmink]# traceroute 10.97.10.1
> traceroute to 10.97.10.1 (10.97.10.1), 30 hops max, 60 byte packets
> 1 * * *
> 2 * * *
> 3 * * *
> 4 * * *
> 5 * * *
> 6 * * *
> 7 * * *
> 8 * * *
> 9 * * *
> 10 * * *
> 11 * * *
> 12 * * *
> 13 * * *
> 14 * * *
> 15 * * *
> 16 * * *
> 17 * * *
> 18 * * *
> 19 * * *
> 20 * * *
> 21 * * *
> 22 * * *
> 23 * * *
> 24 * * *
> 25 * * *
> 26 * * *
> 27 * * *
> 28 * * *
> 29 * * *
> 30 * * *
>
>
> The configuration on the gateway:
> [root at gateway ~]# cat /etc/ipsec.conf
> # /etc/ipsec.conf - Openswan IPsec configuration file
>
> # This file: /usr/local/share/doc/openswan/ipsec.conf-sample
> #
> # Manual: ipsec.conf.5
>
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>     # Do not set debug options to debug configuration issues!
>     # plutodebug / klipsdebug = "all", "none" or a combination from below:
>     # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
>     # eg:
>     # plutodebug="control parsing"
>     #
>     # enable to get logs per-peer
>     # plutoopts="--perpeerlog"
>     #
>     # Again: only enable plutodebug or klipsdebug when asked by a developer
>     #
>     # NAT-TRAVERSAL support, see README.NAT-Traversal
>     nat_traversal=yes
>     # exclude networks used on server side by adding %v4:!a.b.c.0/24
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%4:!10.97.10.0/24
>     # OE is now off by default. Uncomment and change to on, to enable.
>     oe=off
>     # which IPsec stack to use. auto will try netkey, then klips then mast
>     protostack=netkey
>
> # Add connections here
>
> # sample VPN connection
> # for more examples, see /etc/ipsec.d/examples/
> #conn sample
> #     # Left security gateway, subnet behind it, nexthop toward right.
> #     left=10.0.0.1
> #     leftsubnet=172.16.0.0/24
> #     leftnexthop=10.22.33.44
> #     # Right security gateway, subnet behind it, nexthop toward left.
> #     right=10.12.12.1
> #     rightsubnet=192.168.0.0/24
> #     rightnexthop=10.101.102.103
> #     # To authorize this connection, but not actually start it,
> #     # at startup, uncomment this.
> #     #auto=add
> conn LAN
>     left=85.145.148.106
>     leftsourceip=10.97.10.1
>     leftsubnet=10.97.10.0/24
>     leftrsasigkey=%cert
>     leftcert="Left1024-cert.pem"
>     leftid="/C=NL/ST=Utrecht/L=Utrecht/O=Testing Corporation/OU=Research and Development/CN=Left1024/emailAddress=admin at testingcorporation.nl"
>     right=%any
>     rightsubnet=vhost:%priv,%no
>     rightrsasigkey=%cert
>     rightid="/C=NL/ST=Utrecht/L=Utrecht/O=Testing Corporation/OU=Research and Development/CN=Right1024/emailAddress=admin at testingcorporation.nl"
>     rightca=%same
>     auto=add
>
> Configuration on the roadwarrior:
> [root at realfedora bartsmink]# cat /etc/ipsec.conf
> # /etc/ipsec.conf - Openswan IPsec configuration file
>
> # This file: /usr/local/share/doc/openswan/ipsec.conf-sample
> #
> # Manual: ipsec.conf.5
>
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>     # Do not set debug options to debug configuration issues!
>     # plutodebug / klipsdebug = "all", "none" or a combination from below:
>     # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
>     # eg:
>     # plutodebug="control parsing"
>     #
>     # enable to get logs per-peer
>     # plutoopts="--perpeerlog"
>     #
>     # Again: only enable plutodebug or klipsdebug when asked by a developer
>     #
>     # NAT-TRAVERSAL support, see README.NAT-Traversal
>     nat_traversal=yes
>     # exclude networks used on server side by adding %v4:!a.b.c.0/24
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.97.10.0/24
>     # OE is now off by default. Uncomment and change to on, to enable.
>     oe=off
>     # which IPsec stack to use. auto will try netkey, then klips then mast
>     protostack=netkey
>
> # Add connections here
>
> # sample VPN connection
> # for more examples, see /etc/ipsec.d/examples/
> #conn sample
> #     # Left security gateway, subnet behind it, nexthop toward right.
> #     left=10.0.0.1
> #     leftsubnet=172.16.0.0/24
> #     leftnexthop=10.22.33.44
> #     # Right security gateway, subnet behind it, nexthop toward left.
> #     right=10.12.12.1
> #     rightsubnet=192.168.0.0/24
> #     rightnexthop=10.101.102.103
> #     # To authorize this connection, but not actually start it,
> #     # at startup, uncomment this.
> #     #auto=add
> conn LAN
>     left=%defaultroute
>     leftsourceip=10.81.9.204
>     leftid="C=NL, ST=Utrecht, L=Utrecht, O=Testing Corporation, OU=Research and Development, CN=Right1024, E=admin at testingcorporation.nl"
>     leftrsasigkey=%cert
>     leftcert=Right1024-cert.pem
>     leftca=%same
>     right=85.145.148.106
>     rightid="/C=NL/ST=Utrecht/L=Utrecht/O=Testing Corporation/OU=Research and Development/CN=Left1024/emailAddress=admin at testingcorporation.nl"
>     rightca=%same
>     rightrsasigkey=%cert
>     keyingtries=%forever
>     rightsubnet=10.97.10.0/24
>     auto=add
>
> I hope someone can give me a solution for this problem. It would be nice to
> see this VPN working.
>
> Greetings,
>
> Bart Smink
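As an added example (not code from the thread or from Openswan), a small Python lint that parses ipsec.conf in the format quoted above and cross-checks the two ends of a conn: peer IDs must be mirrored (normalising the two DN spellings Openswan accepts, which the gateway and roadwarrior configs above use differently), the subnets must agree, and every virtual_private entry needs a %v4:/%v6: prefix, which flags the gateway's %4:!10.97.10.0/24 entry. The two config texts are constructed from values quoted in the post, with the DNs shortened.

```python
import re
GATEWAY = """\
config setup  # constructed from the values quoted in the thread, DNs trimmed
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%4:!10.97.10.0/24
conn LAN
  leftsubnet=10.97.10.0/24
  leftid="/C=NL/O=Testing Corporation/CN=Left1024"
  rightid="/C=NL/O=Testing Corporation/CN=Right1024"
"""
ROADWARRIOR = """\
conn LAN
  leftid="C=NL, O=Testing Corporation, CN=Right1024"
  rightid="/C=NL/O=Testing Corporation/CN=Left1024"
  rightsubnet=10.97.10.0/24
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; '#' comments and blank lines are ignored."""
    sections, cur = {}, None
    for line in (raw.split("#", 1)[0].rstrip() for raw in text.splitlines()):
        if line and not line[0].isspace():        # unindented: 'config setup' / 'conn NAME'
            cur = sections.setdefault(line, {})
        elif cur is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            cur[key.strip()] = val.strip().strip('"')
    return sections

def norm_dn(dn):
    # Openswan accepts both '/C=NL/O=X/CN=Y' and 'C=NL, O=X, CN=Y'; compare structurally.
    pairs = (p.split("=", 1) for p in re.split(r"/|,\s*", dn.strip("/")) if p)
    return tuple((k.strip(), v.strip()) for k, v in pairs)

def lint_virtual_private(value):
    """Entries not of the form %v4:/%v6:, optional '!', then a CIDR network."""
    return [e for e in value.split(",") if not re.fullmatch(r"%v[46]:!?[0-9a-fA-F.:]+/\d{1,3}", e)]

def check_pair(gw_text, rw_text, conn="conn LAN"):
    """Cross-check one conn as seen from both ends; returns human-readable findings."""
    gw, rw = parse_ipsec_conf(gw_text), parse_ipsec_conf(rw_text)
    g, r = gw[conn], rw[conn]
    findings = []
    if norm_dn(g["leftid"]) != norm_dn(r["rightid"]) or norm_dn(g["rightid"]) != norm_dn(r["leftid"]):
        findings.append("peer IDs are not mirrored between the two ends")
    if g["leftsubnet"] != r["rightsubnet"]:
        findings.append("gateway leftsubnet differs from roadwarrior rightsubnet")
    for bad in lint_virtual_private(gw["config setup"].get("virtual_private", "")):
        findings.append(f"gateway: malformed virtual_private entry {bad!r}")
    return findings
```

Run `check_pair(GATEWAY, ROADWARRIOR)` to get the list of findings; an empty list means the two ends agree.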