[Openswan Users] Openswan not updating the routing table
nemus at grayhatlabs.com
Thu Mar 8 11:47:25 EST 2012
> On Wed, 7 Mar 2012, nemus at grayhatlabs.com wrote:
>
>> I am trying to get openswan to connect to a pfsense box.
>>
>> The pfsense box connects and says everything is good.
>>
>> I can ping 172.x.x.1 from pfsense itself.
>
>> so I don't know how to do the route so everything will work.
>
> You should never need to do manual routing, unless your client machines
> need to send packets to a machine that is not their default gateway. On
> the ipsec gateway itself you should never need to do any manual routing.
>
>> also I read somewhere on linux forums that netkey does not do tunnel
>> mode
>>
>> is this true?
>
> That is not true. NETKEY works fine.
>
>> conn net-to-net
>>     type=tunnel
>>     authby=secret
>>     left=x.x.x.236
>>     leftsubnet=172.x.x.0/24
>>     right=x.x.x.50
>>     rightsubnet=10.x.x.0/24
>>     esp=3des-md5
>>     keyexchange=ike
>>     pfs=no
>
>> 000 #2: "net-to-net":500 STATE_QUICK_I2 (sent QI2, IPsec SA
>> established);
>> EVENT_SA_REPLACE in 27753s; newest IPSEC; eroute owner; isakmp#1; idle;
>> import:admin initiate
>> 000 #2: "net-to-net" esp.4f845fa@x.x.x.50 esp.bc46ab15@x.x.x.x
>> tun.0@x.x.x.x tun.0@z.x.x.236 ref=0 refhim=4294901761
>> 000 #1: "net-to-net":500 STATE_MAIN_I4 (ISAKMP SA established);
>> EVENT_SA_REPLACE in 2312s; newest ISAKMP; lastdpd=1s(seq in:0 out:0);
>> idle; import:admin initiate
>
> Seems up. What does "ipsec verify" say ?
>
> Check firewall/nat/forwarding
>
> Paul
>
I am not seeing the routes being updated in the routing tables, not sure why.
No, for some reason I cannot connect to the 172.x.x.1 IP from the pfsense box.
How does NETKEY handle routing?

"net-to-net":
172.x.x.0/24===x.x.1x.236<x.x.x.236>[+S=C]...x.x.x.50<x.x.x.50>[+S=C]===10.x.x.0/24;
erouted; eroute owner: #2

I see this in ipsec auto --status, but I am not sure how the kernel knows
about it and why it doesn't show up in the routing table?
ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.33/K2.6.35.4-rscloud (netkey)
Checking for IPsec support in kernel                        [OK]
 SAref kernel support                                       [N/A]
 NETKEY: Testing XFRM related proc values                   [OK]
                                                            [OK]
                                                            [OK]
Checking that pluto is running                              [OK]
 Pluto listening for IKE on udp 500                         [OK]
 Pluto listening for NAT-T on udp 4500                      [OK]
Two or more interfaces found, checking IP forwarding        [OK]
Checking NAT and MASQUERADEing                              [OK]
Checking for 'ip' command                                   [OK]
Checking /bin/sh is not /bin/dash                           [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                            [DISABLED]
Routing tables Pfsense
Internet:
Destination        Gateway            Flags    Refs        Use  Netif Expire
default            xxxxxxx.           UGS         0    6252191    rl0
10.x.x.0           link#2             U           0  286107799   fxp0
pfsense            link#2             UHS         0          0    lo0
x.x.x.0/23         link#1             U           0     319699    rl0
c-x-x-x-x.hsd1     link#1             UHS         0          0    lo0
localhost          link#4             UH          0        350    lo0
Routing Table Openswan box
netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.x.x.2       0.0.0.0         255.255.255.255 UH        0 0          0 tun0
x.x.x.0         0.0.0.0         255.255.255.0   U         0 0          0 eth0
172.x.x.0       172.x.x.2       255.255.255.0   UG        0 0          0 tun0
0.0.0.0         x.x.x.1         0.0.0.0         UG        0 0          0 eth0
iptables -L
Chain INPUT (policy DROP)
target           prot opt source     destination
fail2ban-SSH     tcp  --  anywhere   anywhere     tcp dpt:ssh
ACCEPT           all  --  anywhere   anywhere     state RELATED,ESTABLISHED
ACCEPT           all  --  anywhere   anywhere     state NEW
DROP             tcp  --  anywhere   anywhere     tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK state NEW
DROP             tcp  --  anywhere   anywhere     tcp flags:FIN,SYN/FIN,SYN state NEW
DROP             tcp  --  anywhere   anywhere     tcp flags:SYN,RST/SYN,RST state NEW
ACCEPT           tcp  --  anywhere   anywhere     tcp dpt:ssh state NEW
fail2ban-VSFTP   tcp  --  anywhere   anywhere     tcp dpt:ftp state NEW
fail2ban-BadBots tcp  --  anywhere   anywhere     tcp multiport dports http,https state NEW
ACCEPT           tcp  --  anywhere   anywhere     tcp dpt:http state NEW
ACCEPT           tcp  --  anywhere   anywhere     tcp dpt:https state NEW
ACCEPT           udp  --  anywhere   anywhere     udp spt:isakmp dpt:isakmp
ACCEPT           esp  --  anywhere   anywhere
ACCEPT           udp  --  anywhere   anywhere     udp spt:ipsec-nat-t dpt:ipsec-nat-t
ACCEPT           tcp  --  anywhere   anywhere     tcp dpt:warmspotMgmt state NEW
ACCEPT           tcp  --  anywhere   anywhere     state NEW tcp dpt:ftp-data
ACCEPT           tcp  --  anywhere   anywhere     state NEW tcp dpt:ftp
ACCEPT           tcp  --  anywhere   anywhere     state NEW tcp dpt:mysql

Chain FORWARD (policy DROP)
target           prot opt source     destination

Chain OUTPUT (policy ACCEPT)
target           prot opt source     destination
ACCEPT           udp  --  anywhere   anywhere     udp spt:isakmp dpt:isakmp
ACCEPT           esp  --  anywhere   anywhere
ACCEPT           udp  --  anywhere   anywhere     udp spt:ipsec-nat-t dpt:ipsec-nat-t

Chain fail2ban-BadBots (1 references)
target           prot opt source     destination
RETURN           all  --  anywhere   anywhere

Chain fail2ban-SSH (1 references)
target           prot opt source     destination
RETURN           all  --  anywhere   anywhere

Chain fail2ban-VSFTP (1 references)
target           prot opt source     destination
RETURN           all  --  anywhere   anywhere

iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target           prot opt source     destination

Chain OUTPUT (policy ACCEPT)
target           prot opt source     destination

Chain POSTROUTING (policy ACCEPT)
target           prot opt source     destination
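The question of how NETKEY "does routing", as an added example that is not part of the thread and not Openswan's own code. With NETKEY (the kernel XFRM stack) a tunnel never appears in the routing table: the plaintext packet is routed by the ordinary table (here the default route via eth0), and then the XFRM security-policy database (SPD) matches the src/dst pair and ESP-encapsulates it. The right places to look are `ip xfrm policy show` and `ip xfrm state show`, not `netstat -nr`. The second thing to check on a gateway that has to pass decrypted packets on to another interface is the FORWARD chain, which is where the posted `iptables -L` output shows `policy DROP` with no rules. The script below checks both against sample outputs constructed from the thread's configuration; the subnets, public addresses, priorities and reqids are placeholders, and the assumption that a healthy Openswan/NETKEY net-to-net tunnel shows `out`, `in` and `fwd` policies for the subnet pair is stated as such in the comments. The `-m policy --dir ... --pol ipsec` match is the standard iptables policy match.

```shell
#!/bin/sh
# Added example, not code from the thread. NETKEY keeps IPsec tunnels in the
# kernel SPD, not the routing table, so this script (a) checks the SPD for the
# net-to-net policies and (b) audits the FORWARD chain that decrypted packets
# must pass through. All sample data below is constructed.

LEFT_NET="172.16.1.0/24"     # assumed stand-in for leftsubnet 172.x.x.0/24
RIGHT_NET="10.0.0.0/24"      # assumed stand-in for rightsubnet 10.x.x.0/24

# Constructed `ip xfrm policy show` output for a working net-to-net tunnel.
# Assumption: Openswan on NETKEY installs out, in and fwd policies per pair.
# Live equivalent: ip xfrm policy show   (SAs: ip xfrm state show)
XFRM_POLICY_SAMPLE='src 172.16.1.0/24 dst 10.0.0.0/24
	dir out priority 2344 ptype main
	tmpl src 203.0.113.236 dst 203.0.113.50
		proto esp reqid 16385 mode tunnel
src 10.0.0.0/24 dst 172.16.1.0/24
	dir in priority 2344 ptype main
	tmpl src 203.0.113.50 dst 203.0.113.236
		proto esp reqid 16385 mode tunnel
src 10.0.0.0/24 dst 172.16.1.0/24
	dir fwd priority 2344 ptype main
	tmpl src 203.0.113.50 dst 203.0.113.236
		proto esp reqid 16385 mode tunnel'

# Constructed `iptables -L FORWARD` output mirroring the thread's gateway.
FORWARD_SAMPLE='Chain FORWARD (policy DROP)
target     prot opt source               destination'

# (a) Return 0 when out, in and fwd policies exist for local<->remote.
# $1 = policy text, $2 = local subnet, $3 = remote subnet
xfrm_has_tunnel() {
    printf '%s\n' "$1" | awk -v l="$2" -v r="$3" '
        /^src / { src = $2; dst = $4 }
        /dir out/ && src == l && dst == r { seen["out"] = 1 }
        /dir in/  && src == r && dst == l { seen["in"]  = 1 }
        /dir fwd/ && src == r && dst == l { seen["fwd"] = 1 }
        END { exit ((("out" in seen) && ("in" in seen) && ("fwd" in seen)) ? 0 : 1) }'
}

# (b) Return 0 when the FORWARD chain can pass traffic (policy ACCEPT or at
# least one ACCEPT rule), 1 for a bare "policy DROP" chain.
# $1 = output of `iptables -L FORWARD` (a full `iptables -L` also works)
forward_chain_passes() {
    printf '%s\n' "$1" | awk '
        /^Chain FORWARD/ { inchain = 1; if ($0 ~ /policy ACCEPT/) ok = 1; next }
        /^Chain /        { inchain = 0 }
        inchain && $1 == "ACCEPT" { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Rules that let tunnel traffic be forwarded without opening FORWARD to the
# world: the policy match only fires for packets that arrived through (dir in)
# or will leave through (dir out) an IPsec SA. Printed, not applied.
# $1 = local subnet, $2 = remote subnet
forward_rules_for_tunnel() {
    printf 'iptables -A FORWARD -m policy --dir in  --pol ipsec -s %s -d %s -j ACCEPT\n' "$2" "$1"
    printf 'iptables -A FORWARD -m policy --dir out --pol ipsec -s %s -d %s -j ACCEPT\n' "$1" "$2"
}

main() {
    if xfrm_has_tunnel "$XFRM_POLICY_SAMPLE" "$LEFT_NET" "$RIGHT_NET"; then
        echo "SPD: out/in/fwd policies present for $LEFT_NET <-> $RIGHT_NET (no route needed)"
    else
        echo "SPD: tunnel policies missing; compare 'ipsec auto --status' with 'ip xfrm policy show'"
    fi
    if forward_chain_passes "$FORWARD_SAMPLE"; then
        echo "FORWARD: chain can pass traffic"
    else
        echo "FORWARD: policy DROP with no ACCEPT rules; decrypted packets for $LEFT_NET are dropped. Add:"
        forward_rules_for_tunnel "$LEFT_NET" "$RIGHT_NET"
    fi
}
main
```

Run it as-is to see both checks against the constructed samples; on a live gateway, feed `xfrm_has_tunnel` the output of `ip xfrm policy show` and `forward_chain_passes` the output of `iptables -L FORWARD`. The far end still needs a return route: the host owning the left subnet must send 10.x.x.0/24 back to the gateway, which is a routing question on that host, not on the IPsec box.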