[Openswan Users] Shouldn't this be NATed?

James Nelson james.nelson.ii at gmail.com
Sun Sep 25 22:09:02 EDT 2011


UDP 500 and 4500 are open through the EC2 security group and I'm running a
standard Ubuntu image that by default does not lock down any ports,
something just has to be listening there.  I think we've found the actual
problem in that no traffic is being NAT'ed through 4500, but I'm still at a
loss as to how to make it happen.

My verify looks good:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.23/K2.6.32-317-ec2 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Pluto listening for IKE on udp 500                              [OK]
Pluto listening for NAT-T on udp 4500                           [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

My netstat isn't showing anything from 500 or 4500. Should it?
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
unix  2      [ ACC ]     STREAM     LISTENING     53519    /var/run/pluto/pluto.ctl
unix  2      [ ACC ]     STREAM     LISTENING     53521    /var/run/pluto/pluto.info
unix  2      [ ACC ]     STREAM     LISTENING     5670     /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     3614     @/com/ubuntu/upstart

Finally, for posterity's sake, here's my iptables as they currently stand:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp spt:isakmp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere            udp spt:isakmp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere            udp spt:4500 dpt:4500

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp spt:isakmp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere            udp spt:4500 dpt:4500

nat iptable:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination



On Fri, Sep 23, 2011 at 11:27 PM, Paul Wouters <paul at xelerance.com> wrote:

> On Fri, 23 Sep 2011, James Nelson II wrote:
>
>  Those answers are unfortunately yes, yes, and yes.
>>
>
> Ahh, but:
>
>
>  004 "ec2check" #7: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
>>>> mode {ESP/NAT=>0xbcd53ec2 <0x6981795a
>>>> xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
>>>>
>>>
> Note it does say "ESP/NAT". Check if UDP 4500 is open. Note that this means
> you might need to allow 4500 -> random high port and random high
> port -> 4500
>
> Paul
>



-- 
-----------------------
James Nelson II
630-334-0177
james.nelson.ii at gmail.com
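Paul's remark about random high ports is the thing to check in the INPUT chain above: every rule there matches `spt:isakmp`/`spt:4500` as well as `dpt`, so a peer behind NAT, whose packets arrive from a random high source port, never matches them and falls through to the chain policy. The following checker is an added example written for this thread, not code from the list or from Openswan; it parses `iptables -L` text (including rules wrapped across lines the way the mail shows them), and the two chains it runs on are constructed samples, the first copied from the post and the second a hypothetical version with the source-port match removed.

```python
"""Check an iptables INPUT chain (``iptables -L`` text) for IKE (UDP 500) and
NAT-T (UDP 4500) ACCEPT rules that pin the *source* port.
Added example for the Openswan thread; not part of the original mail."""
import re

# iptables -L prints service names unless -n is given; map the ones we care about.
SERVICE_PORTS = {"isakmp": 500, "ipsec-nat-t": 4500}
IPSEC_PORTS = (500, 4500)

# Constructed sample, copied in the wrapped form the post shows: two duplicate
# isakmp rules, one 4500 rule, each pinning spt to the same port as dpt.
SAMPLE_INPUT_CHAIN = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp spt:isakmp
dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere            udp spt:isakmp
dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere            udp spt:4500
dpt:4500
"""

# Constructed (hypothetical) chain: same destinations, no source-port match.
FIXED_INPUT_CHAIN = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:500
ACCEPT     udp  --  anywhere             anywhere            udp dpt:4500
"""

POLICY_RE = re.compile(r"^Chain \S+ \(policy (\S+)\)", re.M)
# target proto opt source destination [match text]; targets are upper-case,
# which is how continuation lines such as "dpt:isakmp" are told apart.
RULE_RE = re.compile(
    r"^(?P<target>[A-Z]\S*)\s+(?P<proto>\S+)\s+(?P<opt>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<match>.*)$"
)
PORT_RE = re.compile(r"\b(spt|dpt):(\S+)")


def port_number(token):
    """Turn a service name from iptables -L output into a port number."""
    return SERVICE_PORTS.get(token) or int(token)


def parse_rules(chain_text):
    """Return one dict per rule with target, proto, spt and dpt.
    A line that does not start with a target is appended to the previous rule,
    which is what a mail client's line wrapping produces."""
    rules = []
    for line in chain_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Chain ", "target ")):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({"target": m["target"], "proto": m["proto"],
                          "match": m["match"]})
        elif rules:
            rules[-1]["match"] += " " + line
    for r in rules:
        ports = {k: port_number(v) for k, v in PORT_RE.findall(r["match"])}
        r["spt"] = ports.get("spt")
        r["dpt"] = ports.get("dpt")
    return rules


def check_ike_rules(chain_text):
    """For UDP 500 and 4500, report whether any ACCEPT rule admits an arbitrary
    source port and, if not, which source port the rules insist on."""
    m = POLICY_RE.search(chain_text)
    ports = {p: {"accepts_any_sport": False, "pinned_sport": None}
             for p in IPSEC_PORTS}
    for r in parse_rules(chain_text):
        if r["target"] != "ACCEPT" or r["proto"] != "udp" or r["dpt"] not in ports:
            continue
        entry = ports[r["dpt"]]
        if r["spt"] is None:
            entry["accepts_any_sport"] = True
        else:
            entry["pinned_sport"] = r["spt"]
    return {"policy": m.group(1) if m else None, "ports": ports}


def explain(report):
    """Human-readable findings, one line per port."""
    out = []
    for port, entry in sorted(report["ports"].items()):
        if entry["accepts_any_sport"]:
            out.append(f"udp/{port}: accepted from any source port")
        elif entry["pinned_sport"] is not None:
            out.append(f"udp/{port}: only accepted from source port "
                       f"{entry['pinned_sport']}; a peer behind NAT sends from a "
                       f"random high port and falls through to policy {report['policy']}")
        else:
            out.append(f"udp/{port}: no ACCEPT rule, falls through to policy "
                       f"{report['policy']}")
    return out


if __name__ == "__main__":
    for name, chain in (("as posted", SAMPLE_INPUT_CHAIN),
                        ("without spt match", FIXED_INPUT_CHAIN)):
        print(f"--- {name}")
        print("\n".join(explain(check_ike_rules(chain))))
```

With the chains exactly as posted the pinned rules are harmless, because every policy is ACCEPT and the EC2 security group is doing the real filtering; the check starts to matter the moment the INPUT policy is switched to DROP, at which point the NAT-T peer's 4500 packets from a random high port would be silently discarded.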