[Openswan Users] Openswan not updating the routing table
Paul Wouters
paul at nohats.ca
Thu Mar 8 16:33:43 EST 2012
On Thu, 8 Mar 2012, nemus at grayhatlabs.com wrote:
> Thank you so much for your help it was the iptables rules.
It often is like that :)
> Just out of curiosity how does the kernel know how to route the packets
> through the tunnel?
NETKEY has special hooks to steal packets from the routing chain. It is
like forward/input/output but they have no "name" in userland.
> I am not sure what exactly NETKEY is.
Look at net/xfrm/* in the kernel source.
Paul
>>> On Wed, 7 Mar 2012, nemus at grayhatlabs.com wrote:
>>>
>>>> I am trying to get openswan to connect to a pfsense box.
>>>>
>>>> The pfsense box connects and says everything is good.
>>>>
>>>> I can ping 172.x.x.1 from pfsense itself.
>>>
>>>> so I don't know how to do the route so everything will work.
>>>
>>> You should never need to do manual routing, unless your client machines
>>> need to send packets to a machine that is not their default gateway. On
>>> the ipsec gateway itself you should never need to do any manual routing.
>>>
>>>> also I read somewhere on linux forums that netkey does not do tunnel
>>>> mode
>>>>
>>>> is this true?
>>>
>>> That is not true. NETKEY works fine.
>>>
>>>> conn net-to-net
>>>> type=tunnel
>>>> authby = secret
>>>> left = x.x.x.236
>>>> leftsubnet = 172.x.x.0/24
>>>> right= x.x.x.50
>>>> rightsubnet= 10.x.x.0/24
>>>> esp = 3des-md5
>>>> keyexchange = ike
>>>> pfs = no
>>>
>>>> 000 #2: "net-to-net":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27753s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
>>>> 000 #2: "net-to-net" esp.4f845fa at x.x.x.50 esp.bc46ab15 at x.x.x.x tun.0 at x.x.x.x tun.0 at z.x.x.236 ref=0 refhim=4294901761
>>>> 000 #1: "net-to-net":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2312s; newest ISAKMP; lastdpd=1s(seq in:0 out:0); idle; import:admin initiate
>>>
>>> Seems up. What does "ipsec verify" say ?
>>>
>>> Check firewall/nat/forwarding
>>>
>>> Paul
>>>
>>
>> I am not seeing the routes being updated in the routing tables, not sure
>> why.
>>
>> no for some reason I cannot connect to the 172.x.x.1 ip from the pfsense
>> box.
>>
>>
>> How does NETKEY handle routing?
>>
>> "net-to-net":
>> 172.x.x.0/24===x.x.1x.236<x.x.x.236>[+S=C]...x.x.x.50<x.x.x.50>[+S=C]===10.x.x.0/24; erouted; eroute owner: #2
>> I see this in ipsec auto --status
>>
>> but I am not sure how the kernel knows about it and why it doesn't show up in
>> the routing table?
>>
>>
>> ipsec verify
>> Checking your system to see if IPsec got installed and started correctly:
>> Version check and ipsec on-path [OK]
>> Linux Openswan U2.6.33/K2.6.35.4-rscloud (netkey)
>> Checking for IPsec support in kernel [OK]
>> SAref kernel support [N/A]
>> NETKEY: Testing XFRM related proc values [OK]
>> [OK]
>> [OK]
>> Checking that pluto is running [OK]
>> Pluto listening for IKE on udp 500 [OK]
>> Pluto listening for NAT-T on udp 4500 [OK]
>> Two or more interfaces found, checking IP forwarding [OK]
>> Checking NAT and MASQUERADEing [OK]
>> Checking for 'ip' command [OK]
>> Checking /bin/sh is not /bin/dash [OK]
>> Checking for 'iptables' command [OK]
>> Opportunistic Encryption Support [DISABLED]
>>
>>
>> Routing tables Pfsense
>>
>> Internet:
>> Destination Gateway Flags Refs Use Netif Expire
>> default xxxxxxx. UGS 0 6252191 rl0
>> 10.x.x.0 link#2 U 0 286107799 fxp0
>> pfsense link#2 UHS 0 0 lo0
>> x.x.x.0/23 link#1 U 0 319699 rl0
>> c-x-x-x-x.hsd1 link#1 UHS 0 0 lo0
>> localhost link#4 UH 0 350 lo0
>>
>>
>> Routing Table Openswan box
>> netstat -nr
>> Kernel IP routing table
>> Destination Gateway Genmask Flags MSS Window irtt Iface
>> 172.x.x.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
>> x.x.x.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
>> 172.x.x.0 172.x.x.2 255.255.255.0 UG 0 0 0 tun0
>> 0.0.0.0 x.x.x.1 0.0.0.0 UG 0 0 0 eth0
>>
>> iptables -L
>> Chain INPUT (policy DROP)
>> target prot opt source destination
>> fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
>> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
>> ACCEPT all -- anywhere anywhere state NEW
>> DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK state NEW
>> DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN state NEW
>> DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST state NEW
>> ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW
>> fail2ban-VSFTP tcp -- anywhere anywhere tcp dpt:ftp state NEW
>> fail2ban-BadBots tcp -- anywhere anywhere tcp multiport dports http,https state NEW
>> ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW
>> ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW
>> ACCEPT udp -- anywhere anywhere udp spt:isakmp dpt:isakmp
>> ACCEPT esp -- anywhere anywhere
>> ACCEPT udp -- anywhere anywhere udp spt:ipsec-nat-t dpt:ipsec-nat-t
>> ACCEPT tcp -- anywhere anywhere tcp dpt:warmspotMgmt state NEW
>> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp-data
>> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
>> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:mysql
>>
>> Chain FORWARD (policy DROP)
>> target prot opt source destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target prot opt source destination
>> ACCEPT udp -- anywhere anywhere udp spt:isakmp dpt:isakmp
>> ACCEPT esp -- anywhere anywhere
>> ACCEPT udp -- anywhere anywhere udp spt:ipsec-nat-t dpt:ipsec-nat-t
>>
>> Chain fail2ban-BadBots (1 references)
>> target prot opt source destination
>> RETURN all -- anywhere anywhere
>>
>> Chain fail2ban-SSH (1 references)
>> target prot opt source destination
>> RETURN all -- anywhere anywhere
>>
>> Chain fail2ban-VSFTP (1 references)
>> target prot opt source destination
>> RETURN all -- anywhere anywhere
>>
>> iptables -t nat -L
>> Chain PREROUTING (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain POSTROUTING (policy ACCEPT)
>> target prot opt source destination
>>
> thank you so
>
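Paul's point is that NETKEY hooks packets into xfrm policies rather than adding routes, so an "erouted" connection never appears in netstat -nr and the things left to check are the xfrm policy table and the FORWARD chain (empty, policy DROP, in the output above). The POSIX sh script below is an added example, not code from the thread or from Openswan: it runs those two checks over constructed samples of "ip xfrm policy" and "iptables -S FORWARD" output; the subnets and gateway addresses are placeholders standing in for the anonymised ones in the thread.

```shell
# Added example, not from the thread or Openswan. NETKEY installs xfrm
# policies, not routes, so "netstat -nr" shows nothing for the tunnel; what
# decides whether traffic flows is the xfrm policy table and the FORWARD chain.
LEFTSUBNET="172.16.1.0/24"   # placeholder for the thread's 172.x.x.0/24
RIGHTSUBNET="10.0.1.0/24"    # placeholder for the thread's 10.x.x.0/24
# Constructed sample of "ip xfrm policy" for an established tunnel.
XFRM_POLICY='src 172.16.1.0/24 dst 10.0.1.0/24
    dir out priority 2344 ptype main
    tmpl src 192.0.2.236 dst 198.51.100.50
        proto esp reqid 16385 mode tunnel
src 10.0.1.0/24 dst 172.16.1.0/24
    dir in priority 2344 ptype main
    tmpl src 198.51.100.50 dst 192.0.2.236
        proto esp reqid 16385 mode tunnel'
# Constructed "iptables -S FORWARD" output: the empty DROP chain from the
# thread, and a corrected chain that opens it only for the tunnel subnets
# (the return direction additionally requires IPsec-decrypted packets).
FORWARD_BROKEN='-P FORWARD DROP'
FORWARD_FIXED='-P FORWARD DROP
-A FORWARD -s 172.16.1.0/24 -d 10.0.1.0/24 -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -s 10.0.1.0/24 -d 172.16.1.0/24 -j ACCEPT'
# 0 when the xfrm table has an "out" policy left->right and an "in" policy right->left.
xfrm_policy_ok() {
  printf '%s\n' "$1" | awk -v l="$2" -v r="$3" '
    /^src / { src = $2; dst = $4 }
    /dir out/ && src == l && dst == r { pout = 1 }
    /dir in/  && src == r && dst == l { pin = 1 }
    END { exit !(pout && pin) }'
}
# 0 when FORWARD passes tunnel traffic both ways: default ACCEPT, or one
# ACCEPT rule per direction between the two subnets.
forward_chain_ok() {
  printf '%s\n' "$1" | awk -v l="$2" -v r="$3" '
    /^-P FORWARD ACCEPT/ { pol = 1 }
    /^-A FORWARD/ && /-j ACCEPT/ && index($0, "-s " l) && index($0, "-d " r) { lr = 1 }
    /^-A FORWARD/ && /-j ACCEPT/ && index($0, "-s " r) && index($0, "-d " l) { rl = 1 }
    END { exit !(pol || (lr && rl)) }'
}
# Run both checks, in the order "check firewall/nat/forwarding" suggests.
tunnel_diagnosis() {
  xfrm_policy_ok "$XFRM_POLICY" "$LEFTSUBNET" "$RIGHTSUBNET" \
    || { echo "no xfrm policy for the pair: tunnel not installed"; return 1; }
  forward_chain_ok "$1" "$LEFTSUBNET" "$RIGHTSUBNET" \
    || { echo "FORWARD chain drops decrypted tunnel traffic"; return 2; }
  echo "xfrm policy present and FORWARD chain passes it"
}
tunnel_diagnosis "$FORWARD_BROKEN"; tunnel_diagnosis "$FORWARD_FIXED"
```

On a live gateway, feed the functions "$(ip xfrm policy)" and "$(iptables -S FORWARD)" instead of the constructed samples.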