[Openswan Users] Tunnel initiates to Sonicwall but cannot reach anything inside network
Michael Leonetti
mleonetti at evolutionce.com
Mon Feb 15 21:52:47 EST 2010
fortissimo ~ # ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.14/K2.6.24-gentoo-r8 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
tcpdump -n -p udp port 500 or udp port 4500 reports nothing at all. Also iptables -v -L -n only shows this:
4 1568 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:500
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:4500
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
As far as masquerading goes, I set up
iptables -t nat -A POSTROUTING -o eth0 -s 10.1.1.0/24 -d ! 10.10.12.0/24 -j MASQUERADE
-----Original message-----
From: Randy Wyatt <rwyatt at nvtl.com>
Sent: Mon 02-15-2010 09:14 pm
To: users at openswan.org;
Subject: Re: [Openswan Users] Tunnel initiates to Sonicwall but cannot reach anything inside network
Have you run ipsec verify?
What does your tcpdump or wireshark trace show?
Have you set up masquerading correctly?
What version of openswan?
-----Original Message-----
From: users-bounces at openswan.org on behalf of Michael Leonetti
Sent: Mon 2/15/2010 5:27 PM
To: users at openswan.org
Subject: [Openswan Users] Tunnel initiates to Sonicwall but cannot reach anything inside network
I set up a connection to a Sonicwall system with the current config:
conn sonicwall
left=(leftip)
leftsubnet=10.1.1.0/24
leftid=(leftid)
right=(rightip)
rightsubnet=10.10.12.0/24
rightid=(rightid)
keyingtries=0
pfs=no
aggrmode=yes
auto=add
auth=esp
esp=3des-sha1
ike=3des-sha1
authby=secret
xauth=no
keyexchange=ike
And I can get it up just fine:
fortissimo linux # ipsec auto --up sonicwall
003 "sonicwall" #5: multiple transforms were set in aggressive mode. Only first one used.
003 "sonicwall" #5: transform (5,2,2,0) ignored.
003 "sonicwall" #5: multiple transforms were set in aggressive mode. Only first one used.
003 "sonicwall" #5: transform (5,2,2,0) ignored.
112 "sonicwall" #5: STATE_AGGR_I1: initiate
003 "sonicwall" #5: ignoring unknown Vendor ID payload [404bf439522ca3f6]
003 "sonicwall" #5: ignoring unknown Vendor ID payload [5b362bc820f60007]
003 "sonicwall" #5: received Vendor ID payload [RFC 3947] method set to=109
003 "sonicwall" #5: received Vendor ID payload [Dead Peer Detection]
003 "sonicwall" #5: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
004 "sonicwall" #5: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
117 "sonicwall" #6: STATE_QUICK_I1: initiate
004 "sonicwall" #6: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x97b8d6ff <0x0eb44887 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 (leftip)
000 interface eth0/eth0 (leftip)
000 interface br0/br0 10.1.1.1
000 interface br0/br0 10.1.1.1
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,4,64} trans={0,4,960} attrs={0,4,320}
000
000 "sonicwall": 10.1.1.0/24===(leftip)...(rightip)===10.10.12.0/24; erouted; eroute owner: #6
000 "sonicwall": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "sonicwall": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "sonicwall": policy: PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE; prio: 24,24; interface: eth0; encap: esp;
000 "sonicwall": newest ISAKMP SA: #5; newest IPsec SA: #6;
000 "sonicwall": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1536(5), 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
000 "sonicwall": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5), 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "sonicwall": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1536
000 "sonicwall": ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=strict
000 "sonicwall": ESP algorithms loaded: 3DES(3)_000-SHA1(2); flags=strict
000 "sonicwall": ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup=<N/A>
000
000 #6: "sonicwall":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28036s; newest IPSEC; eroute owner
000 #6: "sonicwall" esp.97b8d6ff@(rightip) esp.eb44887@72.68.153.122 tun.0@(rightip) tun.0@(leftip)
000 #5: "sonicwall":500 STATE_AGGR_I2 (sent AI2, ISAKMP SA established); EVENT_SA_REPLACE in 2554s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
When I try to reach anything in the network:
fortissimo linux # ping 10.10.12.199
PING 10.10.12.199 (10.10.12.199) 56(84) bytes of data.
From 130.81.12.202 icmp_seq=6 Destination Net Unreachable
From 130.81.12.202 icmp_seq=12 Destination Net Unreachable
But I can reach:
fortissimo linux # ping 10.10.12.1
PING 10.10.12.1 (10.10.12.1) 56(84) bytes of data.
64 bytes from 10.10.12.1: icmp_seq=1 ttl=243 time=21.1 ms
64 bytes from 10.10.12.1: icmp_seq=2 ttl=243 time=12.2 ms
But the problem is that when I stop ipsec I can still ping 10.10.12.1 even though it's not defined anywhere else :X. I'm actually not even sure if I got an IP on the remote side. DHCP isn't even enabled on the remote side so I'm not sure what IP I'd get or if I even need one.
Thanks.