[Openswan Users] Openswan with NETKEY and monitoring data
Mark Dalton
mdalton at princeton.edu
Fri Apr 8 11:22:34 EDT 2011
I will try this again. Does anyone know if I can do this and what I need to do to accomplish it? I am just trying to help out a research group. We just want to be able to monitor the packets with tcpdump, both sent and received, and be able to see which client (on the right-hand side) is accessing the internet.
I just need a pointer in the right direction. I am not sure why I needed to have

leftsubnet=0.0.0.0/0

versus

leftsubnet=192.168.0.0/25

I have tweaked things back and forth (nexthops, routing, etc.) to see what I need to do.
I may have translated the below incorrectly. However, with leftsubnet=0.0.0.0/0 it is working, but not with leftsubnet=192.168.0.0/25.
Also, do you know what I would need to do to be able to see the packets on my openswan server?
(I am willing to redirect it to another ethernet as a gateway
to the internet or a virtual interface.). The server I was
asked to do this on is Ubuntu 10.10 (maverick):
Linux Openswan U2.6.26/K2.6.35-28-generic (netkey)
(1:2.6.26+dfsg-1 )
2.6.35-28-generic #49-Ubuntu SMP (2.6.35-28.49)
This is what I heard indirectly from the people with the
right side Cisco VPN.
> SA that established was for -
>
> IPSEC FLOW: permit ip 192.168.1.0/255.255.255.128 host
> xxx.xxx.xx.174
>
> They need to re-identify their permitted traffic (on Cisco it is
> done
> in the Crypto ACL) to allow any IP traffic to the mobile pool, not
> just one host. This is to mirror-reverse match what we have
> configured on our side -
>
> IPSEC FLOW: permit ip 192.168.1.0/255.255.255.128 0.0.0.0/0.0.0.0
>
eth2 network ---- OpenSwan (eth0) ---- Internet ---- Remote Cisco ---- 192.168.1.0/25
(192.168.0.0/25)                                     (xxx.xxx.xx.233)  (255.255.255.128 or 0.0.0.127)

Left OpenSwan server:
  eth0  inet addr:xxx.xxx.xx.174  Bcast:xxx.xxx.xx.255  Mask:255.255.252.0
        ??? 0.0.0.0/0 ????
  eth2  inet addr:192.168.0.125  Bcast:192.168.0.127  Mask:255.255.255.128

Right Cisco 7000 (or around that; I only know what they sent me):
  Internet IP - xxx.xxx.xx.233
  subnet - 192.168.1.0/25 (255.255.255.128 or 0.0.0.127)
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.0.0     192.168.0.126   255.255.255.128 UG    0   0      0    eth0
192.168.0.0     0.0.0.0         255.255.255.128 U     0   0      0    eth0
xxx.xxx.xx.0    0.0.0.0         255.255.252.0   U     0   0      0    eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0   0      0    eth0
0.0.0.0         xxx.xxx.xx.1    0.0.0.0         UG    0   0      0    eth0
config setup
    interfaces=%defaultroute
    klipsdebug="none"
    plutodebug="none"
    nat_traversal=no
    # nat_traversal=yes
    uniqueids=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.1.0/25,%v4:172.16.0.0/12,%v4
    oe=off
    protostack=netkey

conn cisco-swan
    type=tunnel
    authby=secret
    # Local OpenSwan
    left=xxx.xxx.xx.174
    leftsubnet=0.0.0.0/0
    # leftsubnet=192.168.0.0/25
    leftnexthop=%defaultroute
    # Remote/Cisco router IP address
    right=xxx.xxx.xx.233
    rightsubnet=192.168.1.0/25
    rightnexthop=%defaultroute
    phase2alg=3des-sha1
    ike=3des-sha1
    keyexchange=ike
    pfs=no
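Added example for the monitoring question in the message above; it is not part of the original post and not Openswan's own tooling. It assumes the addresses as written in the post (eth0 as the outside interface, the Cisco peer xxx.xxx.xx.233 with the placeholder octets left as they are, and the mobile pool 192.168.1.0/25), the function names are my own, and the tcpdump lines it summarises are a constructed sample, not a real capture.

```shell
#!/bin/sh
# Helper for watching a NETKEY (XFRM) tunnel on the Openswan box described in
# the post. Added example, not code from the original message. The addresses
# below are the post's placeholders, not real hosts.

OUTSIDE_IF="${OUTSIDE_IF:-eth0}"        # interface the tunnel runs over
PEER="${PEER:-xxx.xxx.xx.233}"          # Cisco peer from the post
POOL="${POOL:-192.168.1.0/25}"          # Cisco-side mobile pool (rightsubnet)

# pcap filter for the traffic as it crosses the wire: ESP, plus UDP/4500 in
# case NAT-T is ever turned on. Proves the tunnel carries data, says nothing
# about which client is inside.
esp_filter() {
    printf '%s\n' "host $PEER and (esp or udp port 4500)"
}

# pcap filter for the decrypted packets. With protostack=netkey there is no
# ipsec0 device: a tunnel-mode packet is re-injected via netif_rx() after
# decryption, so tcpdump on the outside interface sees each inbound packet
# twice, first as ESP and then as plaintext with the pool client's real
# source address. Outbound plaintext is encrypted before it reaches the
# interface and is never visible there, so only the pool-to-Internet
# direction can be attributed per client this way.
plain_filter() {
    printf '%s\n' "not esp and src net $POOL"
}

# Reduce "tcpdump -n -l" lines of the form
#   HH:MM:SS.ffffff IP src[.port] > dst[.port]: ...
# to "client destination count". Port suffixes are stripped only when the
# address really carries one (five dotted fields), so ICMP lines without a
# port keep all four octets. ESP lines are skipped in case the capture was
# taken without plain_filter.
summarize_clients() {
    awk '
        /ESP\(spi=/ { next }
        $2 == "IP" && $4 == ">" {
            src = $3; dst = $5
            sub(/:$/, "", dst)
            if (split(src, a, ".") == 5) sub(/\.[0-9]+$/, "", src)
            if (split(dst, b, ".") == 5) sub(/\.[0-9]+$/, "", dst)
            n[src " " dst]++
        }
        END { for (k in n) print k, n[k] }
    ' | LC_ALL=C sort
}

# Live use: capture N decrypted packets on the outside interface and
# summarise them (needs root; not run by the tests below).
watch_clients() {
    tcpdump -ni "$OUTSIDE_IF" -l -c "${1:-200}" "$(plain_filter)" | summarize_clients
}

# Constructed sample of what tcpdump prints on such a box: two HTTP SYNs from
# one pool client, one ping from another, and one ESP packet from the peer.
sample_capture() {
    cat <<'EOF'
11:22:34.000001 IP 192.168.1.10.50123 > 93.184.216.34.80: Flags [S], seq 1, win 64240, length 0
11:22:34.000002 IP 192.168.1.10.50124 > 93.184.216.34.80: Flags [S], seq 2, win 64240, length 0
11:22:34.000003 IP 192.168.1.20 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
11:22:34.000004 IP xxx.xxx.xx.233 > xxx.xxx.xx.174: ESP(spi=0x0000abcd,seq=0x1), length 116
EOF
}
```

Running `sample_capture | summarize_clients` gives `192.168.1.10 93.184.216.34 2` and `192.168.1.20 8.8.8.8 1`; on the real box `watch_clients 500` does the same for live traffic. To see which selectors the kernel actually installed, `ip xfrm policy` should list `src 0.0.0.0/0 dst 192.168.1.0/25` with `dir out` and the mirror with `dir in` and `dir fwd`, which is the kernel-side view of why leftsubnet=0.0.0.0/0 matches the Cisco crypto ACL quoted earlier and 192.168.0.0/25 does not; `ip -s xfrm state` shows the byte counters on each SA. For pool clients to actually reach the Internet through this box, IP forwarding has to be on and their 192.168.1.x source addresses will normally need SNAT on eth0; that is an expected requirement of the setup described, not something the post states.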