[Openswan Users] {Disarmed} Re: {Disarmed} IPSec Tunnel: Pass through connection not working

Michael H. Warfield mhw at WittsEnd.com
Mon Nov 21 14:34:34 EST 2011 

On Mon, 2011-11-21 at 10:21 -0800, SaRaVanAn wrote: 
> Hi Michael,
>    I want to encrypt all the traffic that is going via my system(Router).
> Suppose if a traffic is coming for a destination IP for which there is no
> tunnel exists, I need to block it(Plain traffic should not go via my
> router).  The reason behind adding pass through connection is that , my
> system should not block AH/ESP/UDP encapsulated traffic for a destination
> irrespective of tunnel configurations.

Are you trying to set this up as a gateway router that roadwarrior
clients will connect to or is it for you to connect to other sites from?
I see your "east-west" conn in your config but I didn't see any sort of
"road warrior" open conn.

# Accept AH and ESP
-A INPUT -p ah -j ACCEPT
-A INPUT -p esp -j ACCEPT

# Accept port 500 UDP (if you want clients to start connections
-A INPUT -p udp -m udp --dport 500 -j ACCEPT

# Accept external initiation of IPsec NAT-T
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT

# Accept returning packets for connections you have initiated...
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT

# Other ACCEPT rules...

# Drop everything else
-A INPUT -j DROP


If the other side of your tunnel needs to be able to initiate
connections back into "your system" then appropriate ACCEPT rules with
those source addresses would need to be included.

You can also get fancy with marking like this:

iptables -t mangle -A PREROUTING -i eth0 -p esp -j MARK --set-mark 1 

Then you catch the uncapsulated packet like this and allow it by
inserting this rule somewhere before the DROP rule: 

iptables -A INPUT -m mark --mark 1 -j ACCEPT

Then, anything that doesn't have that mark didn't come from the ipsec
tunnel in esp and you can then drop it in the filter table rules.  That
way the firewall rules obey the tunnel setups.

Or you could use dynamic up/down firewall rules (would require a little
scripting but not much - the mark trick is easier though).

You can include those in the FORWARDING rule as well if you're acting as
a router.

> If i remove drop declaration above, its get loaded. But I cant use iptables
> for drop, because iptables rule hit before ipsec processing starts, which
> will not fulfill not requirements .Hope you understand my situation.

Ok, so if the bypass declaration gets through when the discard
declaration is not present, that tells me it's hitting a policy conflict
between those two declarations.  You need to figure out how to make it
work with the firewall doing your filtering instead of trying to get the
policy database to do it.

Regards,
Mike

> On Mon, Nov 21, 2011 at 8:17 AM, Michael H. Warfield <mhw at wittsend.com>wrote:
> 
> > This sounds like an old problem I patched ages ago.  What version of
> > Openswan are you running?
> >
> > On Mon, 2011-11-21 at 20:24 +0530, SaRaVanAn wrote:
> > > Hi all,
> > >    I  want to add below three SPD rules.
> > >
> > > source          destination               protocol        action
> > > 1)0.0.0.0/0       172.31.114.239            any            ipsec
> > > 2)0.0.0.0/0       0.0.0.0/0                     ah/esp         none
> > > 3)0.0.0.0/0      0.0.0.0/0                      any
> > discard.
> >
> > Not sure what you're trying to do with those policies but the discard
> > one gives me the impression that you're trying to use the policy
> > database as if it were a firewall.
> >
> > > I tried by adding these rules using openswan.  Only two rules are getting
> > > added in Security policy database, the pass through rule is not
> > > added(verified using setkey tool).
> > > Please find my ipsec.conf below
> > >
> > >
> > > config setup
> > >         protostack=netkey
> > >         nat_traversal=yes
> > >         virtual_private=
> > >         oe=off
> > >         nhelpers=0
> > >         interfaces=%defaultroute
> > >
> > > conn west-east
> > >     left=172.31.114.245
> > >     right=172.31.114.239
> > >     leftsubnet=0.0.0.0/0
> > >     keyexchange=ike
> > >     auto=add
> > >     auth=esp
> > >     authby=secret
> > >     pfs=no
> > >     keylife=120m
> > >     rekey=yes
> > >     ikelifetime=240m
> > >     keyingtries=0
> > >
> > > conn drop
> > >         left=172.31.114.245
> > >         right=172.31.114.239
> > >         leftsubnet=0.0.0.0/0
> > >         rightsubnet=0.0.0.0/0
> > >         type=drop
> > >         authby=never
> > >         auto=route
> > >
> > > conn passthrough
> > >         left=172.31.114.245
> > >         leftprotoport=ah
> > >         right=172.31.114.239
> > >         leftsubnet=0.0.0.0/0
> > >         rightsubnet=0.0.0.0/0
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > Not quite sure what you are trying to do with that subnet declaration
> > but it seems like this declaration directly conflicts with the drop
> > declaration above.  I'm not sure what it's going to do when it gets two
> > configuration specifications for basically the same ordered set of
> > source and destination address and source and destination subnet but
> > something tells me it's not going to do what you expect it to and it my
> > not be allowing it.
> >
> > What happens if you remove the "drop" declaration above and retry it?
> > Does the bypass declaration get loaded then?  Maybe you should be using
> > iptables for that drop above?
> >
> > > type=passthrough
> > >         authby=never
> > >         auto=route
> >
> > > Please correct me if my configuration is wrong. It would be great, if you
> > > help me out on this.
> > >
> > >
> > > Regards,
> > > Saravanan N
> > >
> > > _______________________________________________
> > > Users at openswan.org
> > > http://lists.openswan.org/mailman/listinfo/users
> > > Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > > Building and Integrating Virtual Private Networks with Openswan:
> > > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> >
> > --
> > Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
> >   /\/\|=mhw=|\/\/          | (678) 463-0932 |
> > http://www.wittsend.com/mhw/
> >   NIC whois: MHW9          | An optimist believes we live in the best of
> > all
> >  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> >
> 
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> 

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
Url : http://lists.openswan.org/pipermail/users/attachments/20111121/ca3e2396/attachment.bin

More information about the Users mailing list