[Openswan Users] Routing problem with IPSec Site-To-Site between Openswan and Cisco ASA
Min Hwan Chang
minchang at gmail.com
Mon Nov 15 13:12:56 EST 2010
A user here recommended I try configuring my iptables and I've done so,
but I'm still getting the same errors when trying to ping a server on the
other end. I've included the changes made to iptables and a new output
of tcpdump.
iptables -t filter -A INPUT -p 17 --dport 500 -j ACCEPT
iptables -t filter -A INPUT -p 50 -j ACCEPT
iptables -t mangle -A PREROUTING -p 17 --dport 500 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p 50 -j MARK --set-mark 1
iptables -t filter -A INPUT -m mark --mark 1 -j ACCEPT
iptables -t filter -A FORWARD -m mark --mark 1 -j ACCEPT
iptables -t filter -A OUTPUT -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -t nat -I POSTROUTING -d 10.1.x.x/16 -j ACCEPT
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT esp -- anywhere anywhere
ACCEPT all -- anywhere anywhere MARK match 0x1
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere MARK match 0x1
ACCEPT all -- 192.168.1.0/24 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
09:48:00.437162 IP min-ubuntu.50402 > unknown.domain: 47438+ PTR?
50.1.168.192.in-addr.arpa. (43)
09:48:00.439201 IP unknown.domain > min-ubuntu.50402: 47438* 1/0/0 (63)
09:48:00.443834 IP min-ubuntu.42583 > unknown.domain: 14050+ PTR?
1.1.168.192.in-addr.arpa. (42)
09:48:00.445201 IP unknown.domain > min-ubuntu.42583: 14050* 1/0/0 PTR[|domain]
09:48:02.657724 IP min-ubuntu.55423 > unknown.domain: 13203+ PTR?
255.255.255.255.in-addr.arpa. (46)
09:48:02.680800 IP unknown.domain > min-ubuntu.55423: 13203 NXDomain 0/1/0 (113)
09:48:02.770615 IP min-ubuntu.52447 > unknown.domain: 54912+ PTR?
255.1.168.192.in-addr.arpa. (44)
09:48:02.841275 IP unknown.domain > min-ubuntu.52447: 54912 NXDomain 0/0/0 (44)
09:48:03.878458 IP custnets-66-xx-xx-xxx.rinc.net.4500 >
min-ubuntu.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
09:48:03.882849 IP min-ubuntu.4500 >
custnets-66-xx-xx-xxx.rinc.net.4500: NONESP-encap: isakmp: phase
2/others ? inf[E]
09:48:03.886945 IP min-ubuntu.36303 > unknown.domain: 62112+ PTR?
120.94.43.66.in-addr.arpa. (43)
Thanks everyone!
Regards,
Mike
On Fri, Nov 12, 2010 at 11:01 AM, Min Hwan Chang <minchang at gmail.com> wrote:
> Hi all,
>
> I've set up an Openswan to Cisco ASA Site-to-Site but having some
> problems with the Left side not being able to ping the 10.1.0.0/16
> network. From the Cisco ASA side I'm able to ping the 192.168.1.x
> network with no problems.
> I suppose it has to do with wrong values for the left and right sides
> but I'm stumped on this one.
>
> For the sake of brevity I've included what I thought might be relevant
> logs and a TCP Dump but can send the full barf if requested.
>
> 192.168.1.0/24===192.168.1.50---192.168.1.1...10.1.0.1---66.xx.xx.xxx===10.1.0.0/16
>
> config setup
>     interfaces=%defaultroute #interfaces="ipsec0=eth0"
>     klipsdebug=all #enable debugging using all
>     plutodebug=all
>     nat_traversal=yes
>     # virtual_private=%v4:192.168.1.0/24
>
> conn test
>     type=tunnel #tunnel mode ipsec
>     leftsourceip=98.248.95.yyy
>     left=192.168.1.50
>     leftnexthop=192.168.1.1
>     leftsubnet=192.168.1.0/24
>     right=66.xx.xx.xxx # External IP Address
>     rightnexthop=10.1.0.1
>     rightsubnet=10.1.0.0/16
>     ike=3des-md5
>     esp=3des-md5
>     keyexchange=ike #use regular ike
>     authby=secret #pre-shared secret
>     pfs=no #use perfect forward secrecy
>     auto=add #add doesn't initiate tunnel, but allows incoming. Use start to auto-initiate
>
> #Disable Opportunistic Encryption
>
>
> + _________________________ netstat-rn
> +
> + netstat -nr
> + head -n 100
> Kernel IP routing table
> Destination Gateway Genmask Flags MSS Window irtt Iface
> 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 10.1.0.0 192.168.1.1 255.255.0.0 UG 0 0 0 eth0
> 0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
>
> + _________________________ iptables
> +
> + test -r /sbin/iptables
> + iptables -L -v -n
> Chain INPUT (policy ACCEPT 8396 packets, 1135K bytes)
> pkts bytes target prot opt in out source
> destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
>
> Chain OUTPUT (policy ACCEPT 9008 packets, 5634K bytes)
> pkts bytes target prot opt in out source
> destination
>
> A tcpdump shows the following when pinging from 192.168.1.50 to
> 10.1.xxx.xxx (Excuse the length, I'm not sure what's required)
>
> 10:48:34.867754 IP c-98-248-95-xxx.hsd1.ca.comcast.net > 10.1.x.x:
> ICMP echo request, id 10008, seq 1, length 64
> 10:48:35.109387 IP min-ubuntu.ntp > 64.73.32.xxx.ntp: NTPv4, Client, length 48
> 10:48:35.109747 IP min-ubuntu.51659 > unknown.domain: 54833+ PTR?
> 134.32.73.64.in-addr.arpa. (43)
> 10:48:35.131769 IP unknown.domain > min-ubuntu.51659: 54833 NXDomain 0/1/0 (106)
> 10:48:35.190366 IP 64.73.xxx.xxx.ntp > min-ubuntu.ntp: NTPv4, Server, length 48
> 10:48:35.876522 IP c-98-248-95-xxx.hsd1.ca.comcast.net > 10.1.xxx.xxx:
> ICMP echo request, id 10008, seq 2, length 64
> 10:48:36.591853 IP 66-xx-xx-xxx.rinc.net.4500 > min-ubuntu.4500:
> NONESP-encap: isakmp: phase 2/others ? inf[E]
> 10:48:36.714926 IP min-ubuntu.4500 >
> custnets-66-xx-xx-xxx.rinc.net.4500: NONESP-encap: isakmp: phase
> 2/others ? inf[E]
>
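Added example (not code from this thread or from Openswan): a small Python classifier for tcpdump lines in the format quoted above. Both captures in this thread show ICMP echo requests to 10.1.x.x in the clear and only ISAKMP on UDP 4500, with no ESP or UDP-encapsulated ESP at all, which is the pattern to look for when pings to the far subnet fail. The script buckets each line (ISAKMP, NAT-T ESP, raw ESP, plaintext ICMP, other), flags plaintext ICMP addressed to the remote subnet, and gives a verdict. The sample lines are constructed with documentation-range addresses; hostnames, SPIs and the `10.1.0.0/16` argument are assumptions for the example.

```python
import ipaddress
import re
from collections import Counter

# One tcpdump line: "<time> IP <src> > <dst>: <rest>". IPv4 only; tcpdump
# appends ".port" (or ".service") to src/dst for UDP and TCP, not for ICMP.
LINE_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>[^:\s]+): (?P<rest>.*)$")

# Constructed capture mirroring the thread: pings leave in the clear, only
# ISAKMP informational exchanges on UDP 4500, no ESP anywhere.
SAMPLE_NO_ESP = """\
10:48:34.867754 IP c-198-51-100-7.example.net > 10.1.20.5: ICMP echo request, id 10008, seq 1, length 64
10:48:35.109387 IP min-ubuntu.ntp > 203.0.113.9.ntp: NTPv4, Client, length 48
10:48:35.876522 IP c-198-51-100-7.example.net > 10.1.20.5: ICMP echo request, id 10008, seq 2, length 64
10:48:36.591853 IP 203.0.113.40.4500 > min-ubuntu.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
10:48:36.714926 IP min-ubuntu.4500 > 203.0.113.40.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
"""

# Constructed capture of a working tunnel: the same plaintext pings plus
# UDP-encapsulated ESP (NAT-T) and raw ESP on the wire.
SAMPLE_WITH_ESP = SAMPLE_NO_ESP + """\
10:48:37.001000 IP 203.0.113.40.4500 > min-ubuntu.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
10:48:37.002000 IP 203.0.113.40 > 198.51.100.7: ESP(spi=0x0a1b2c3e,seq=0x2), length 116
"""


def classify(line):
    """Bucket one tcpdump line by what it says about the IPsec tunnel."""
    m = LINE_RE.match(line)
    if not m:
        return "unparsed"
    rest = m.group("rest")
    if "isakmp" in rest:            # IKE on UDP 500, or NAT-T 4500 with NONESP marker
        return "isakmp"
    if "UDP-encap: ESP" in rest:    # ESP inside UDP 4500 (NAT traversal)
        return "esp-nat-t"
    if rest.startswith("ESP("):     # raw ESP, IP protocol 50
        return "esp"
    if "ICMP" in rest:              # ICMP visible unencapsulated on the wire
        return "icmp-plain"
    return "other"


def plaintext_to_remote(lines, remote_subnet):
    """Return plaintext ICMP lines whose destination lies in remote_subnet."""
    net = ipaddress.ip_network(remote_subnet)
    hits = []
    for line in lines:
        if classify(line) != "icmp-plain":
            continue
        dst = LINE_RE.match(line).group("dst")
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:          # resolved hostname, not an address
            continue
        if addr in net:
            hits.append(line)
    return hits


def summarize(text, remote_subnet):
    lines = [l for l in text.splitlines() if l.strip()]
    counts = Counter(classify(l) for l in lines)
    return {
        "counts": dict(counts),
        "plaintext_to_remote": len(plaintext_to_remote(lines, remote_subnet)),
        "esp_seen": (counts["esp"] + counts["esp-nat-t"]) > 0,
    }


def diagnose(text, remote_subnet):
    s = summarize(text, remote_subnet)
    if s["plaintext_to_remote"] and not s["esp_seen"]:
        return ("plaintext ICMP to %s but no ESP on the wire: these packets are not "
                "matched by the IPsec policy (check subnets, established SAs, routing)"
                % remote_subnet)
    if s["plaintext_to_remote"] and s["esp_seen"]:
        return ("plaintext ICMP and ESP both seen: normal on NETKEY, where tcpdump "
                "shows the packet before and after encryption")
    if s["esp_seen"]:
        return "ESP seen and no plaintext to %s: traffic is being encapsulated" % remote_subnet
    return "no traffic to %s in this capture" % remote_subnet


if __name__ == "__main__":
    for name, cap in (("no ESP", SAMPLE_NO_ESP), ("with ESP", SAMPLE_WITH_ESP)):
        print(name, summarize(cap, "10.1.0.0/16"))
        print("  ->", diagnose(cap, "10.1.0.0/16"))
```

Run it against a real capture with `tcpdump -n -i eth0 | python3 script.py`-style piping after swapping the samples for `sys.stdin.read()`. Note that on the NETKEY stack tcpdump on the physical interface shows outbound packets both before and after encryption, so plaintext alone is not a fault; plaintext with no ESP at all is.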