[Openswan Users] Connected to gateway but cannot ping or telnet the internal lan
Bob Miller
bob at computerisms.ca
Thu Mar 11 00:30:54 EST 2010
Since your tunnel is up but the ping packets don't seem to be going in
the tunnel, I would guess your firewall needs some tweaking. There are
several examples on the net of how to mark your packets using iptables
for use with openswan.
but it's just a guess...
On Thu, 2010-03-11 at 11:33 +0800, chr1x2 wrote:
> Hi All,
>
> I'm a bit new with Openswan and I'm trying to setup a IPSec/VPN tunnel
> connection and I need help. I already asked Google about it but I
> cannot seem find the solution.
>
> Here's the problem. I can connect to the gateway but I cannot ping,
> telnet or make any other connection on the internal lan. Thus making
> the tunnel connection useless.
>
> Please see my configuration below.
>
> ipsec.conf
>
> version 2.0
>
> config setup
> plutostderrlog="/var/log/ipsec.log"
> plutoopts="--perpeerlog"
>
>
> conn L2TP-PSK
> authby=secret
> pfs=no
> rekey=no
> keyingtries=3
> left=%defaultroute
> leftnexthop=192.168.0.1
> leftprotoport=17/1701
> right=%any
> rightprotoport=17/%any
> auto=add
>
> include /etc/ipsec.d/examples/no_oe.conf
>
>
> # setkey -DP
> 172.16.0.156[1701] 192.168.0.41[1701] udp
> in ipsec
> esp/transport//unique#16397
> created: Mar 11 10:49:29 2010 lastused: Mar 11
> 11:12:29 2010
> lifetime: 0(s) validtime: 0(s)
> spid=992 seq=7 pid=22104
> refcnt=2
> 192.168.0.41[1701] 172.16.0.156[1701] udp
> out ipsec
> esp/transport//unique#16397
> created: Mar 11 10:49:29 2010 lastused: Mar 11
> 11:12:29 2010
> lifetime: 0(s) validtime: 0(s)
> spid=1001 seq=6 pid=22104
> refcnt=2
> ::/0[any] ::/0[any] any
> in none
> created: Mar 11 10:35:43 2010
> lastused:
> lifetime: 0(s) validtime: 0(s)
> spid=947 seq=5 pid=22104
> refcnt=1
> 0.0.0.0/0[any] 0.0.0.0/0[any] any
> in none
> created: Mar 11 10:35:43 2010
> lastused:
> lifetime: 0(s) validtime: 0(s)
> spid=931 seq=4 pid=22104
> refcnt=1
> 0.0.0.0/0[any] 0.0.0.0/0[any] any
> in none
> created: Mar 11 10:35:43 2010 lastused: Mar 11
> 10:49:29 2010
> lifetime: 0(s) validtime: 0(s)
> spid=915 seq=3 pid=22104
> refcnt=1
> ::/0[any] ::/0[any] any
> out none
> created: Mar 11 10:35:43 2010
> lastused:
> lifetime: 0(s) validtime: 0(s)
> spid=956 seq=2 pid=22104
> refcnt=1
> 0.0.0.0/0[any] 0.0.0.0/0[any] any
> out none
> created: Mar 11 10:35:43 2010
> lastused:
> lifetime: 0(s) validtime: 0(s)
> spid=940 seq=1 pid=22104
> refcnt=1
> 0.0.0.0/0[any] 0.0.0.0/0[any] any
> out none
> created: Mar 11 10:35:43 2010 lastused: Mar 11
> 10:49:29 2010
> lifetime: 0(s) validtime: 0(s)
> spid=924 seq=0 pid=22104
> refcnt=1
>
>
> # ipsec auto --status
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 192.168.164.41
> 000 %myid = (none)
> 000 debug none
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8,
> keysizemin=64, keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,
> keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
> keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0,
> keysizemin=0, keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1,
> name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2,
> name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5,
> name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256,
> keysizemax=256
> 000 algorithm ESP auth attr: id=251, name=(null),
> keysizemin=0, keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC,
> blocksize=8, keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC,
> blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024,
> bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536,
> bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048,
> bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072,
> bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096,
> bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144,
> bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192,
> bits=8192
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt,
> maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
> 000
> 000 "L2TP-PSK": 192.168.0.41:17/1701---192.168.0.1...%any:17/%
> any; unrouted; eroute owner: #0
> 000 "L2TP-PSK": srcip=unset; dstip=unset; srcup=ipsec
> _updown; dstup=ipsec _updown;
> 000 "L2TP-PSK": ike_life: 3600s; ipsec_life: 28800s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
> 000 "L2TP-PSK": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio:
> 32,32; interface: eth0; encap: esp;
> 000 "L2TP-PSK": newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "L2TP-PSK"[3]:
> 192.168.0.41:17/1701---192.168.0.1...172.16.0.156:17/1701;
> erouted; eroute owner: #6
> 000 "L2TP-PSK"[3]: srcip=unset; dstip=unset; srcup=ipsec
> _updown; dstup=ipsec _updown;
> 000 "L2TP-PSK"[3]: ike_life: 3600s; ipsec_life: 28800s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
> 000 "L2TP-PSK"[3]: policy: PSK+ENCRYPT+TUNNEL+DONTREKEY;
> prio: 32,32; interface: eth0; encap: esp;
> 000 "L2TP-PSK"[3]: newest ISAKMP SA: #5; newest IPsec SA:
> #6;
> 000 "L2TP-PSK"[3]: IKE algorithm newest:
> 3DES_CBC_192-SHA1-MODP2048
> 000
> 000 #6: "L2TP-PSK"[3] 172.16.0.156:500 STATE_QUICK_R2 (IPsec
> SA established); EVENT_SA_EXPIRE in 1967s; newest IPSEC;
> eroute owner
> 000 #6: "L2TP-PSK"[3] 172.16.0.156 esp.a6aa4532 at 172.16.0.156
> esp.41471b19 at 192.168.0.41
> 000 #5: "L2TP-PSK"[3] 172.16.0.156:500 STATE_MAIN_R3 (sent
> MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 27167s; newest
> ISAKMP; nodpd
> 000
>
> route -n
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric
> Ref Use Iface
> 172.16.0.156 192.168.0.1 255.255.255.255 UGH 0 0
> 0 eth0
> 10.0.1.2 0.0.0.0 255.255.255.255 UH 0 0
> 0 ppp0
> 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0
> 0 eth0
> 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0
> 0 eth0
> 0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0
> 0 eth0
>
> # tcpdump -i ppp0
> 11:25:58.314939 IP 192.168.0.240.1082 > 192.168.0.21.8888: S
> 2675286046:2675286046(0) win 64240 <mss 1360,nop,nop,sackOK>
> 11:26:01.317168 IP 192.168.0.240.1082 > 192.168.0.21.8888: S
> 2675286046:2675286046(0) win 64240 <mss 1360,nop,nop,sackOK>
> 11:26:07.326024 IP 192.168.0.240.1082 > 192.168.0.21.8888: S
> 2675286046:2675286046(0) win 64240 <mss 1360,nop,nop,sackOK>
> 11:26:22.864028 IP 192.168.0.240 > 192.168.0.21: icmp 40: echo
> request seq 2304
> 11:26:28.088071 IP 192.168.0.240 > 192.168.0.21: icmp 40: echo
> request seq 2560
> 11:26:33.097248 IP 192.168.0.240 > 192.168.0.21: icmp 40: echo
> request seq 2816
>
> l2tpd.conf
> [lns default]
> ip range = 192.168.0.240-192.168.0.250
> local ip = 192.168.0.41
> require chap = yes
> refuse pap = yes
> require authentication = yes
> name = ipsec
> ppp debug = yes
> pppoptfile = /etc/ppp/options.l2tpd
> length bit = yes
>
>
> Any help would be appreciated.
>
>
> Thanks,
> chr1x2
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
Bob Miller
334-7117/633-3760
http://computerisms.ca
bob at computerisms.ca
Network, Internet, Server,
and Open Source Solutions
More information about the Users
mailing list