[Openswan Users] Openswan not updating the routing table
nemus at grayhatlabs.com
Thu Mar 8 16:18:34 EST 2012
Thank you so much for your help; it was the iptables rules.
Once I set accept on all, the tunnel started working.
Just out of curiosity, how does the kernel know how to route the packets
through the tunnel?
I am just curious how NETKEY works with the routing table,
if NETKEY is the thing that manages the subnets?
I am not sure what exactly NETKEY is.
>> On Wed, 7 Mar 2012, nemus at grayhatlabs.com wrote:
>>
>>> I am trying to get openswan to connect to a pfsense box.
>>>
>>> The pfsense box connects and says everything is good.
>>>
>>> I can ping 172.x.x.1 from pfsense itself.
>>
>>> so I don't know how to do the route so everything will work.
>>
>> You should never need to do manual routing, unless your client machines
>> need to send packets to a machine that is not their default gateway. On
>> the ipsec gateway itself you should never need to do any manual routing.
>>
>>> also I read some where on linux forums that netkey does not do tunnel
>>> mode
>>>
>>> is this true?
>>
>> That is not true. NETKEY works fine.
>>
>>> conn net-to-net
>>>         type=tunnel
>>>         authby=secret
>>>         left=x.x.x.236
>>>         leftsubnet=172.x.x.0/24
>>>         right=x.x.x.50
>>>         rightsubnet=10.x.x.0/24
>>>         esp=3des-md5
>>>         keyexchange=ike
>>>         pfs=no
>>
>>> 000 #2: "net-to-net":500 STATE_QUICK_I2 (sent QI2, IPsec SA
>>> established);
>>> EVENT_SA_REPLACE in 27753s; newest IPSEC; eroute owner; isakmp#1; idle;
>>> import:admin initiate
>>> 000 #2: "net-to-net" esp.4f845fa at x.x.x.50 esp.bc46ab15 at x.x.x.x
>>> tun.0 at x.x.x.x tun.0 at z.x.x.236 ref=0 refhim=4294901761
>>> 000 #1: "net-to-net":500 STATE_MAIN_I4 (ISAKMP SA established);
>>> EVENT_SA_REPLACE in 2312s; newest ISAKMP; lastdpd=1s(seq in:0 out:0);
>>> idle; import:admin initiate
>>
>> Seems up. What does "ipsec verify" say ?
>>
>> Check firewall/nat/forwarding
>>
>> Paul
>>
>
> I am not seeing the routes being updated in the routing tables, not sure
> why.
>
> No, for some reason I cannot connect to the 172.x.x.1 ip from the pfsense
> box.
>
>
> How does NETKEY handle routing?
>
> "net-to-net":
> 172.x.x.0/24===x.x.1x.236<x.x.x.236>[+S=C]...x.x.x.50<x.x.x.50>[+S=C]===10.x.x.0/24;
> erouted; eroute owner: #2
> I see this in ipsec auto --status
>
> but I am not sure how the kernel knows about it and why it doesn't show up in
> the routing table?
>
>
> ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path [OK]
> Linux Openswan U2.6.33/K2.6.35.4-rscloud (netkey)
> Checking for IPsec support in kernel [OK]
> SAref kernel support [N/A]
> NETKEY: Testing XFRM related proc values [OK]
> [OK]
> [OK]
> Checking that pluto is running [OK]
> Pluto listening for IKE on udp 500 [OK]
> Pluto listening for NAT-T on udp 4500 [OK]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking NAT and MASQUERADEing [OK]
> Checking for 'ip' command [OK]
> Checking /bin/sh is not /bin/dash [OK]
> Checking for 'iptables' command [OK]
> Opportunistic Encryption Support [DISABLED]
>
>
> Routing tables Pfsense
>
> Internet:
> Destination        Gateway    Flags  Refs  Use        Netif  Expire
> default            xxxxxxx.   UGS    0     6252191    rl0
> 10.x.x.0           link#2     U      0     286107799  fxp0
> pfsense            link#2     UHS    0     0          lo0
> x.x.x.0/23         link#1     U      0     319699     rl0
> c-x-x-x-x.hsd1     link#1     UHS    0     0          lo0
> localhost          link#4     UH     0     350        lo0
>
>
> Routing Table Openswan box
> netstat -nr
> Kernel IP routing table
> Destination     Gateway         Genmask          Flags  MSS  Window  irtt  Iface
> 172.x.x.2       0.0.0.0         255.255.255.255  UH     0    0       0     tun0
> x.x.x.0         0.0.0.0         255.255.255.0    U      0    0       0     eth0
> 172.x.x.0       172.x.x.2       255.255.255.0    UG     0    0       0     tun0
> 0.0.0.0         x.x.x.1         0.0.0.0          UG     0    0       0     eth0
>
> iptables -L
> Chain INPUT (policy DROP)
> target            prot  opt  source    destination
> fail2ban-SSH      tcp   --   anywhere  anywhere     tcp dpt:ssh
> ACCEPT            all   --   anywhere  anywhere     state RELATED,ESTABLISHED
> ACCEPT            all   --   anywhere  anywhere     state NEW
> DROP              tcp   --   anywhere  anywhere     tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK state NEW
> DROP              tcp   --   anywhere  anywhere     tcp flags:FIN,SYN/FIN,SYN state NEW
> DROP              tcp   --   anywhere  anywhere     tcp flags:SYN,RST/SYN,RST state NEW
> ACCEPT            tcp   --   anywhere  anywhere     tcp dpt:ssh state NEW
> fail2ban-VSFTP    tcp   --   anywhere  anywhere     tcp dpt:ftp state NEW
> fail2ban-BadBots  tcp   --   anywhere  anywhere     multiport dports http,https state NEW
> ACCEPT            tcp   --   anywhere  anywhere     tcp dpt:http state NEW
> ACCEPT            tcp   --   anywhere  anywhere     tcp dpt:https state NEW
> ACCEPT            udp   --   anywhere  anywhere     udp spt:isakmp dpt:isakmp
> ACCEPT            esp   --   anywhere  anywhere
> ACCEPT            udp   --   anywhere  anywhere     udp spt:ipsec-nat-t dpt:ipsec-nat-t
> ACCEPT            tcp   --   anywhere  anywhere     tcp dpt:warmspotMgmt state NEW
> ACCEPT            tcp   --   anywhere  anywhere     state NEW tcp dpt:ftp-data
> ACCEPT            tcp   --   anywhere  anywhere     state NEW tcp dpt:ftp
> ACCEPT            tcp   --   anywhere  anywhere     state NEW tcp dpt:mysql
>
> Chain FORWARD (policy DROP)
> target            prot  opt  source    destination
>
> Chain OUTPUT (policy ACCEPT)
> target            prot  opt  source    destination
> ACCEPT            udp   --   anywhere  anywhere     udp spt:isakmp dpt:isakmp
> ACCEPT            esp   --   anywhere  anywhere
> ACCEPT            udp   --   anywhere  anywhere     udp spt:ipsec-nat-t dpt:ipsec-nat-t
>
> Chain fail2ban-BadBots (1 references)
> target            prot  opt  source    destination
> RETURN            all   --   anywhere  anywhere
>
> Chain fail2ban-SSH (1 references)
> target            prot  opt  source    destination
> RETURN            all   --   anywhere  anywhere
>
> Chain fail2ban-VSFTP (1 references)
> target            prot  opt  source    destination
> RETURN            all   --   anywhere  anywhere
>
> iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target            prot  opt  source    destination
>
> Chain OUTPUT (policy ACCEPT)
> target            prot  opt  source    destination
>
> Chain POSTROUTING (policy ACCEPT)
> target            prot  opt  source    destination
>
thank you so
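An added example, not part of the thread above and not Openswan's own code, to illustrate Paul's point that NETKEY needs no routing-table entries and the questioner's finding that the iptables rules were the problem. With NETKEY the tunnel's subnet pairs live in the kernel SPD as XFRM policies, which the kernel consults after the ordinary route lookup, so "ip xfrm policy" (not "netstat -nr") is where the 172.x.x.0/24 <-> 10.x.x.0/24 pairing shows up. The quoted FORWARD chain has policy DROP and no rules, so decrypted tunnel packets were dropped there; rather than "accept on all", the rules printed below admit only traffic matched by an IPsec policy. The thread masks its addresses, so 172.16.1.0/24, 10.0.0.0/24 and the two public addresses are placeholders, and SAMPLE_XFRM_POLICY is constructed to look like "ip xfrm policy" output for such a tunnel, not captured from a real gateway:

```shell
#!/bin/sh
# Added example, not code from the thread or from Openswan. The thread masks
# its addresses, so 172.16.1.0/24 (leftsubnet) and 10.0.0.0/24 (rightsubnet)
# below are placeholders, and SAMPLE_XFRM_POLICY is constructed to resemble
# "ip xfrm policy" output for such a tunnel (not captured from a real box).

# NETKEY keeps the tunnel's subnet pairs in the kernel SPD (XFRM policies),
# which the kernel consults after the normal routing lookup. That is why the
# remote subnet never appears in "netstat -nr". On a live gateway run:
#   ip xfrm policy | xfrm_policy_summary
SAMPLE_XFRM_POLICY=$(cat <<'EOF'
src 172.16.1.0/24 dst 10.0.0.0/24
    dir out priority 2344
    tmpl src 203.0.113.236 dst 198.51.100.50
        proto esp reqid 16385 mode tunnel
src 10.0.0.0/24 dst 172.16.1.0/24
    dir fwd priority 2344
    tmpl src 198.51.100.50 dst 203.0.113.236
        proto esp reqid 16385 mode tunnel
src 10.0.0.0/24 dst 172.16.1.0/24
    dir in priority 2344
    tmpl src 198.51.100.50 dst 203.0.113.236
        proto esp reqid 16385 mode tunnel
EOF
)

# Reduce "ip xfrm policy" output (stdin) to one "dir src -> dst" line per
# policy. The out/fwd/in triple for each leftsubnet/rightsubnet pair is the
# "routing" information the thread was looking for in the routing table.
xfrm_policy_summary() {
    awk '
        /^src / { src = $2; dst = $4 }
        /^[[:space:]]*dir / { print $2, src, "->", dst }
    '
}

# Print FORWARD rules that admit only packets which arrived through, or will
# leave through, an IPsec policy, instead of a blanket ACCEPT. The thread's
# FORWARD chain has policy DROP and no rules, which is exactly what dropped
# the decrypted tunnel packets. Output is printed, not executed.
ipsec_forward_rules() {
    left="$1"; right="$2"
    cat <<EOF
iptables -A FORWARD -s $right -d $left -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A FORWARD -s $left -d $right -m policy --dir out --pol ipsec --proto esp -j ACCEPT
EOF
}

# Only needed when POSTROUTING masquerades: insert this ahead of the
# MASQUERADE rule so tunnel traffic is not rewritten out of the IPsec
# selectors. The thread's nat table is empty, so this is for completeness.
ipsec_nat_bypass_rule() {
    left="$1"; right="$2"
    echo "iptables -t nat -I POSTROUTING -s $left -d $right -m policy --dir out --pol ipsec -j ACCEPT"
}

echo "# SPD entries (constructed sample):"
printf '%s\n' "$SAMPLE_XFRM_POLICY" | xfrm_policy_summary
echo "# FORWARD rules to run on the Openswan gateway:"
ipsec_forward_rules 172.16.1.0/24 10.0.0.0/24
echo "# NAT bypass, only if POSTROUTING masquerades:"
ipsec_nat_bypass_rule 172.16.1.0/24 10.0.0.0/24
```

The companion check on a live box is "ip xfrm state", which lists the ESP SAs that "ipsec auto --status" reports as esp.SPI@peer; if the policies and states are present but pings still fail, the problem is in netfilter or in the client machines' own routes, as Paul says, not in the gateway's routing table.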