[Openswan Users] Old user having troubles with new techniques

Larry Brown larry.brown at dimensionnetworks.com
Fri Jul 2 09:33:20 EDT 2010


On Mon, 2010-06-28 at 14:22 -0400, Larry Brown wrote:
> I used to successfully use FreeS/WAN after following the howto's and it
> worked brilliantly.  Fast forward 10 years and I, for the life of me,
> cannot get my packets through...  I followed the howto for a roadwarrior
> using netkey and it eludes me.  If anyone can help, I sure can use it.
> Scenario:
> 
> RoadWarrior 
>   [192.168.2.1 (netmask 255.255.0.0)]
> RoadWarrior Local Gateway 
>   [192.168.1.1 (internal eth1) --NAT-- 10.45.212.101(external eth0)]
> Office Gateway 
>   [10.45.212.71 (external eth0) --NAT-- 172.16.0.1 (internal eth1)]
> Office Server 
>   [172.16.0.4 (netmask 255.255.255.0)]
> 
> 
> The Roadwarrior in the example is behind a gateway, but may in other
> circumstances be directly connected to the Internet.
> 
> I get a successful tunnel using the following ipsec.confs
> 
> RoadWarrior:
> 
> version 2.0
> 
> config setup
> 	nat_traversal=yes
> 	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/24
> 	oe=off
> 	protostack=netkey
> 
> conn road
> 	left=%defaultroute
> 	leftid=@rw1
> 	leftrsasigkey=0s.....K
> 	right=10.45.212.71
> 	rightsubnet=172.16.0.0/24
> 	rightid=@gateway
> 	rightrsasigkey=0s.....N
> 	auto=add
> 
> Gateway:
> 
> version 2.0
> 
> config setup
> 	nat_traversal=yes
> 	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/24
> 	oe=off
> 	protostack=netkey
> 
> conn road
> 	left=10.45.212.71
> 	leftid=@gateway
> 	leftsubnet=172.16.0.0/24
> 	leftrsasigkey=0s.....N
> 	right=%any
> 	rightid=@rw1
> 	rightrsasigkey=0s.....K
> 	auto=add
> 
> 
> So I am able to create the tunnel from the roadwarrior successfully.  I
> send out a ping from the roadwarrior to the 172.16.0.4 server with no
> response. Sniffing traffic on the roadwarrior gateway I can see the
> packets source 192.168.2.1 destination 10.45.212.71 as ESP packets.  On
> the Office gateway I can see the ESP packets from 10.45.212.101
> arriving.  Immediately after those packets I see the ICMP packet from
> 192.168.2.1 destination 172.16.0.4 on eth0 (external interface).  I do
> not see a packet on eth1 of that gateway bound for 172.16.0.4.  There is
> no firewall enabled.
> 
> I have tried various iptables attempts that the howto does not mention
> to no avail.  The howto looks like it should just work at this point.
> 
> Do I need to set up something on netkey to get it to work?
> 
> ipsec version on the roadwarrior is:
> Linux Openswan U2.6.27/K2.6.33.3 (netkey)
> 
> ipsec version on the office gateway:
> Linux Openswan U2.6.27/K2.6.22.9-61.fc6 (netkey)
> 
> TIA
> 
> Larry

I found a relatively significant piece to the puzzle.  After some number
of tests with various changes the following allowed packets from the
roadwarrior to the office server.

RoadWarrior:

version 2.0

config setup
	nat_traversal=yes
	virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:!172.16.0.0/24
	oe=off
	protostack=netkey
	interfaces=%defaultroute

conn road
	left=%defaultroute
	leftid=@rw1
	leftsubnet=192.168.0.0/16       #these were the last changes
	leftrsasigkey=0s.....K
	right=10.45.212.71
	rightsubnet=172.16.0.0/24
	rightid=@gateway
	rightrsasigkey=0s.....N
	auto=add

Gateway:

version 2.0

config setup
	nat_traversal=yes
	virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/24
	oe=off
	protostack=netkey
	interfaces=%defaultroute

conn road
	left=10.45.212.71
	leftid=@gateway
	leftsubnet=172.16.0.0/24
	leftrsasigkey=0s.....N
	right=%any
	rightid=@rw1
	rightsubnet=192.168.0.0/16       #these were the last changes
	rightrsasigkey=0s.....K
	auto=add
So now I need to know how can I have rightsubnet populated when the
roadwarrior connects similar to the way right=%any works.  What can I
use on the roadwarrior and gateway configs to accomplish this?

Larry
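A small diagnostic for the symptom described in the thread (ESP arrives at the office gateway, the decapsulated ICMP packet is visible on eth0, but nothing is forwarded out eth1). This is an added example, not part of the mailing-list post and not Openswan code. It parses ipsec.conf-style text, derives the conn's traffic selectors, and checks an inner packet against them and against `virtual_private`. The simplification it assumes is that a side with no `<side>subnet` has a host selector equal to its endpoint address, and that for a `right=%any` peer that endpoint is the address the ESP traffic arrives from (10.45.212.101 here, the road warrior's NAT gateway). The two gateway configs are trimmed copies of the ones above.

```python
"""Check an inner (decapsulated) packet against Openswan conn selectors and virtual_private.

Constructed example. Assumption: a side without <side>subnet is treated as a /32
selector on its endpoint address; for right=%any that is the peer's apparent address.
"""
import ipaddress


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; '#' comments and blank lines are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # 'config setup' / 'conn road' headers
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def parse_virtual_private(value):
    """Split '%v4:10.0.0.0/8,%v4:!172.16.0.0/24' into (allowed, excluded) networks."""
    allowed, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if not item.startswith("%v4:"):      # only IPv4 entries are handled here
            continue
        cidr = item[len("%v4:"):]
        if cidr.startswith("!"):
            excluded.append(ipaddress.ip_network(cidr[1:]))
        else:
            allowed.append(ipaddress.ip_network(cidr))
    return allowed, excluded


def in_virtual_private(addr, value):
    """True if addr lies in an allowed %v4 range and in no excluded ('!') range."""
    a = ipaddress.ip_address(addr)
    allowed, excluded = parse_virtual_private(value)
    return any(a in n for n in allowed) and not any(a in n for n in excluded)


def selector(conn, side, endpoint):
    """Traffic selector for 'left' or 'right': <side>subnet if set, else the endpoint /32."""
    subnet = conn.get(side + "subnet")
    return ipaddress.ip_network(subnet) if subnet else ipaddress.ip_network(endpoint + "/32")


def selectors_match(conn, src, dst, left_endpoint, right_endpoint):
    """Does an inner packet src->dst fit the left<->right selectors in either direction?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    left, right = selector(conn, "left", left_endpoint), selector(conn, "right", right_endpoint)
    return (s in left and d in right) or (s in right and d in left)


def diagnose(conf_text, src, dst, peer_public_addr):
    """Gateway-side view of a packet from the road warrior: (selector_ok, virtual_private_ok)."""
    sections = parse_ipsec_conf(conf_text)
    conn, setup = sections["conn road"], sections["config setup"]
    sel_ok = selectors_match(conn, src, dst, conn["left"], peer_public_addr)
    vp_ok = in_virtual_private(src, setup["virtual_private"])
    return sel_ok, vp_ok


# Trimmed copies of the two office-gateway configs from the post.
GATEWAY_BEFORE = """\
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/24
    protostack=netkey

conn road
    left=10.45.212.71
    leftsubnet=172.16.0.0/24
    right=%any
    auto=add
"""

GATEWAY_AFTER = GATEWAY_BEFORE.replace(
    "virtual_private=%v4:10.0.0.0/8,", "virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,"
).replace("    right=%any\n", "    right=%any\n    rightsubnet=192.168.0.0/16\n")

if __name__ == "__main__":
    # Inner packet seen on the gateway's eth0: 192.168.2.1 -> 172.16.0.4, ESP from 10.45.212.101
    for label, conf in (("before", GATEWAY_BEFORE), ("after", GATEWAY_AFTER)):
        sel_ok, vp_ok = diagnose(conf, "192.168.2.1", "172.16.0.4", "10.45.212.101")
        print(f"{label}: selector match={sel_ok}, src in virtual_private={vp_ok}")
```

Run as written, the "before" config fails both checks (the inner source 192.168.2.1 is neither inside a negotiated selector nor inside `virtual_private`), while the "after" config passes both, which is consistent with the subnet lines the poster marks as "the last changes". When netkey drops a decapsulated packet for not matching any policy, `ip xfrm policy` and `ip -s xfrm state` on the gateway show the installed selectors and the error counters, which is the quickest way to confirm this class of mismatch on a real box.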
