[Openswan Users] Site-to-site between two OpenSwan machines

abc def botroter at yahoo.com
Mon Jun 11 19:49:37 EDT 2012


Thank you Daniel, I have one last question:

If I have nat_traversal enabled, is there any way to actually see the source IP of the private host after I the packet passes out of the OpenSwan gateway?

e.g. OpenSwan-A address is 10.10.1.5/24 and it is doing NAT for other hosts in 10.10.1.0/24, while OpenSwan-B address is 10.10.8.5/24 and it is doing NAT for other hosts in 10.10.8.0/24
If I send traffic from side A into side B, it always looks like it's coming from 10.10.1.5 because of NAT, but I need to apply specific firewall rules in order to allow some hosts from side A into side B, and vice versa.

I'm kind of weak on networking -- is it possible to expose the private IP address once it reaches the other side, or will I always only see the IP of the instance doing the NAT?

Thank you!




----- Original Message -----
From: Daniel Cave <dan.cave at me.com>
To: abc def <botroter at yahoo.com>
Cc: "users at lists.openswan.org" <users at lists.openswan.org>
Sent: Sunday, June 10, 2012 1:41 PM
Subject: Re: [Openswan Users] Site-to-site between two OpenSwan machines

>  
> I have two OpenSwan 2.6.27 VMs using NETKEY and I can't seem to get them to establish a connection. I have a few questions:
> 1. 
> 
> Instead of putting my "conn" definitions right in ipsec.conf, I have an entry in ipsec.conf that says to look for *.conf files in /etc/ipsec.d/
> Is that an acceptable way to do it, and will that work if I want to define two tunnels from one machine? So if I just have one file /etc/ipsec.d/tunnels.conf and
> inside it's got two "conn" definitions, should it load both connetions or do I need to break them out into individual .conf files?
> 

Yes, that's what I have on both my devices.. you need a 'leftHandSide.conf' in /etc/ipsec.d/ with your connection details. I usually name my config files to the names of the Endpoints they're connecting to and in the [conf] directive.

i.e.  /etc/ipsec.d/walmart-east.conf will contain a directive which says [walmart-east]  and state the Lefthandside, IP, Subnets etc and the matching opposite  RighthandSide endpoint IP/subnets. 

*Walmart aren't my customers, I was just being generic ;) before anyone got excited lol :D


> 
> 2.
> When I start the machine on the "right" the logging shows that it is waiting for an IKE key, then it loads the secrets file and nothing happens. 
> I can then try to send traffic down the tunnel but nothing else happens or gets established. Does this mean that not all the proper ports are open or could that be something else? 
> 
> 

That's possible - have you run ipsec verify first to check you're end is setup right at both ends? 

(don't forget to check your corresponding secrets file in /etc/ipsec.d matches your RHS.

Also worth checking your iptables rules, vis  /etc/sysconfig/iptables , i setup a table specifically for openswan, so I can 'check' the tablename rather than having to do iptables --list -nv with my stuff in there .. or just 

iptables --list -nv |grep 500
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:500 
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:4500 

If you do ipsec auto --up <connection> a successful conn should look like this.

[root at fcs01 ipsec.d]# ipsec auto --up c4l
104 "c4l" #5438: STATE_MAIN_I1: initiate
003 "c4l" #5438: ignoring unknown Vendor ID payload [4f4568794c64414365636661]
003 "c4l" #5438: received Vendor ID payload [Dead Peer Detection]
003 "c4l" #5438: received Vendor ID payload [RFC 3947] method set to=115 
106 "c4l" #5438: STATE_MAIN_I2: sent MI2, expecting MR2
003 "c4l" #5438: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
108 "c4l" #5438: STATE_MAIN_I3: sent MI3, expecting MR3
003 "c4l" #5438: received Vendor ID payload [CAN-IKEv2]
004 "c4l" #5438: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
117 "c4l" #5439: STATE_QUICK_I1: initiate
004 "c4l" #5439: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x1e64a913 <0xf084cb6d xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}


The endpoint I have in this example is another Netkey ipsec box


> 3.
> When doing a site-to-site tunnel between two OpenSwan machines, should I enable PFS or any other features, or just "auto=start"?
> 

I don't bother with PFS, but an auto=start is fine :)

> 4.
> Can I use PSK when doing a site-to-site between OpenSwan machines, or do I have to use certs in that configuration?
> 
Yes preshared Keys is good.  make sure you specify  ' authby=secret'  and have an associated <connection.secrets> with perms of rw=o / 600 in /etc/ipsec.d/

in the format <Local Public IP>  <Remote Public IP>  :  PSK "<presharedkey>"

That should sort u.


> 
> 
> Thank you!!
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

Regards

Dan.


More information about the Users mailing list