[Openswan Users] Only ping allowed in VPN

"Wilfredo I. Pachón López" wilfredcom at gmail.com
Fri May 11 14:13:26 EDT 2012


Hello friends, I'm trying to configure a VPN between Openswan and a Cisco. Everything 
seems OK, even ping to remote machines is working, but if I try to 
communicate over TCP to an open port, it doesn't work.

Even "traceroute" isn't working. Can you please give me some help?
I'm sure that the connection is up and that something is happening, because if I 
stop the ipsec daemon the ping stops working.

My configuration is:

config setup
         plutodebug=none
         klipsdebug=none
         plutoopts="--perpeerlog"
         nat_traversal=yes
         
#virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
         #interfaces=%defaultroute
         oe = off
         protostack=netkey
         nhelpers = 0
         plutostderrlog=/var/log/vpn

conn net-super
         type=tunnel
         authby=secret                # Key exchange method
         left=240.125.229.25          # Public Internet IP address of the
         leftsubnet=192.168.0.0/24    # Subnet protected by the LEFT VPN device
         leftnexthop=240.125.229.1    # correct in many situations
         right=190.26.216.138         # Public Internet IP address of
         rightsubnet=192.168.202.0/24 # Subnet protected by the RIGHT VPN device
         rightnexthop=%defaultroute
         auto=start                   # authorizes and starts this connection
         aggrmode=no
         keyexchange=ike
         ike=3des-sha1-modp1024
         phase2=esp
         phase2alg=3des-sha1
         pfs=no


When I try to do a traceroute from machine 192.168.0.155 to 
192.168.202.22 this is the answer:

jorge@jorge-HP-Z210-Workstation:~$ traceroute 192.168.202.22
traceroute to 192.168.202.22 (192.168.202.22), 30 hops max, 60 byte packets
  1  192.168.0.1 (192.168.0.1)  0.265 ms  0.259 ms  0.253 ms
  2  * * *
...
30  * * *

And if I try to connect to a port on this machine:

jorge@jorge-HP-Z210-Workstation:~$ telnet 192.168.202.22 7778
Trying 192.168.202.22...

This is the log when I run ipsec auto --status:

Plutorun started on Fri May 11 13:00:27 COT 2012
adjusting ipsec.d to /etc/ipsec.d
Starting Pluto (Openswan Version 2.6.37; Vendor ID 
OEu\134d\134jy\134\134ap) pid:3036
LEAK_DETECTIVE support [disabled]
OCF support for IKE [disabled]
SAref support [disabled]: Protocol not available
SAbind support [disabled]: Protocol not available
NSS support [disabled]
HAVE_STATSD notification support not compiled in
Setting NAT-Traversal port-4500 floating to on
    port floating activation criteria nat_t=1/port_float=1
    NAT-Traversal support  [enabled]
using /dev/urandom as source of random entropy
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
no helpers will be started, all cryptographic operations will be done inline
Using Linux 2.6 IPsec interface code on 3.2.0-24-generic-pae 
(experimental code)
ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Changed path to directory '/etc/ipsec.d/cacerts'
Changed path to directory '/etc/ipsec.d/aacerts'
Changed path to directory '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
   Warning: empty directory
added connection description "net-super"
listening for IKE messages
adding interface eth0/eth0 240.125.229.25:500
adding interface eth0/eth0 240.125.229.25:4500
adding interface eth1/eth1 192.168.0.1:500
adding interface eth1/eth1 192.168.0.1:4500
adding interface eth2:1/eth2:1 192.168.5.1:500
adding interface eth2:1/eth2:1 192.168.5.1:4500
adding interface eth2/eth2 192.168.2.1:500
adding interface eth2/eth2 192.168.2.1:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
adding interface lo/lo ::1:500
loading secrets from "/etc/ipsec.secrets"
"net-super" #1: initiating Main Mode
"net-super" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
"net-super" #1: ignoring Vendor ID payload [Cisco IKE Fragmentation]
"net-super" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
"net-super" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
"net-super" #1: STATE_MAIN_I2: sent MI2, expecting MR2
"net-super" #1: received Vendor ID payload [Cisco-Unity]
"net-super" #1: received Vendor ID payload [XAUTH]
"net-super" #1: ignoring unknown Vendor ID payload [3b76c9260b03c3aa779210047c597c79]
"net-super" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
"net-super" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
"net-super" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
"net-super" #1: STATE_MAIN_I3: sent MI3, expecting MR3
"net-super" #1: received Vendor ID payload [Dead Peer Detection]
| protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
"net-super" #1: Main mode peer ID is ID_IPV4_ADDR: '190.26.216.138'
"net-super" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
"net-super" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
"net-super" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:5b427f4e proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
"net-super" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
"net-super" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x7a1a4e9a <0xfc3b703c xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}


My route table:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         240.125.229.1   0.0.0.0         UG    100    0        0 eth0
240.125.229.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2

And the output of iptables -t nat -L -n:

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.2.5          0.0.0.0/0
MASQUERADE  tcp  --  192.168.0.2          240.125.229.25       tcp dpt:80
MASQUERADE  tcp  --  192.168.0.0/24       192.168.5.2          tcp multiport dports 80,8080,8085,8090
MASQUERADE  all  --  192.168.5.0/24       192.168.2.5
MASQUERADE  all  --  192.168.5.0/24       0.0.0.0/0
MASQUERADE  all  --  192.168.5.0/24       192.168.0.0/24
MASQUERADE  all  --  192.168.2.3          0.0.0.0/0
MASQUERADE  tcp  --  192.168.0.2          240.125.229.25       tcp dpt:80
MASQUERADE  all  --  192.168.5.2          0.0.0.0/0


Please, any idea?
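One check a practitioner would run against the tables posted above, given here as an added example that is not part of the original post: replay the NAT POSTROUTING chain against the tunnel flow with netfilter's first-match semantics and see whether a MASQUERADE rule would rewrite the source address before ESP encapsulation. On the netkey stack a source rewritten by SNAT no longer matches the leftsubnet selector of conn net-super, so the packet misses the IPsec policy even though the SA is up. The chain text and the leftsubnet/rightsubnet values are copied from the post; the catch-all MASQUERADE rule, the ACCEPT exemption and the flow endpoints used for the comparison are constructed for illustration and are not in the post.

```python
"""Replay an iptables NAT POSTROUTING chain against IPsec tunnel traffic.

Added example, not from the mailing-list post. Rules are parsed from the
`iptables -t nat -L -n` listing format and evaluated first-match, as netfilter
does, to answer: "does a MASQUERADE rule hit this flow before it enters the tunnel?"
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Chain POSTROUTING as listed in the post (copied verbatim, first-match order).
POSTED_CHAIN = """
MASQUERADE  all  --  192.168.2.5          0.0.0.0/0
MASQUERADE  tcp  --  192.168.0.2          240.125.229.25       tcp dpt:80
MASQUERADE  tcp  --  192.168.0.0/24       192.168.5.2          tcp multiport dports 80,8080,8085,8090
MASQUERADE  all  --  192.168.5.0/24       192.168.2.5
MASQUERADE  all  --  192.168.5.0/24       0.0.0.0/0
MASQUERADE  all  --  192.168.5.0/24       192.168.0.0/24
MASQUERADE  all  --  192.168.2.3          0.0.0.0/0
MASQUERADE  tcp  --  192.168.0.2          240.125.229.25       tcp dpt:80
MASQUERADE  all  --  192.168.5.2          0.0.0.0/0
"""

# Constructed (NOT in the post): a catch-all masquerade many gateways carry,
# and the exemption that must come before it so tunnel traffic keeps its source.
CATCHALL = "MASQUERADE  all  --  192.168.0.0/24       0.0.0.0/0"
EXEMPT = "ACCEPT      all  --  192.168.0.0/24       192.168.202.0/24"

# Tunnel selectors from conn net-super in the post.
LEFTSUBNET = ipaddress.ip_network("192.168.0.0/24")
RIGHTSUBNET = ipaddress.ip_network("192.168.202.0/24")


@dataclass
class Rule:
    target: str
    proto: str                     # "all", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[Set[int]]     # None means any destination port


def parse_chain(text: str) -> List[Rule]:
    """Parse `iptables -t nat -L -n` rule lines (target proto opt src dst [match])."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split()
        dports = None
        if "dpt:" in line:                       # single port: "tcp dpt:80"
            dports = {int(line.split("dpt:")[1].split()[0])}
        elif "dports" in line:                   # multiport: "dports 80,8080,..."
            dports = {int(p) for p in line.split("dports")[1].split()[0].split(",")}
        rules.append(Rule(f[0], f[1],
                          ipaddress.ip_network(f[3], strict=False),
                          ipaddress.ip_network(f[4], strict=False), dports))
    return rules


def first_match(rules: List[Rule], src: str, dst: str, proto: str,
                dport: Optional[int] = None) -> Optional[Tuple[int, Rule]]:
    """Netfilter semantics: the first matching rule in the chain terminates it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules, 1):
        if s in r.src and d in r.dst and r.proto in ("all", proto) \
                and (r.dports is None or dport in r.dports):
            return i, r
    return None


def tunnel_verdict(rules: List[Rule], src: str, dst: str, proto: str,
                   dport: Optional[int] = None) -> str:
    """'ok' if the flow reaches ESP with its original source, else which rule broke it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in LEFTSUBNET or d not in RIGHTSUBNET:
        return "not-tunnel-traffic"
    hit = first_match(rules, src, dst, proto, dport)
    if hit is None or hit[1].target == "ACCEPT":
        return "ok"                              # source still inside leftsubnet
    return f"broken-by-rule-{hit[0]}"            # SNAT'd source misses the SPD selector


if __name__ == "__main__":
    flow = ("192.168.0.155", "192.168.202.22", "tcp", 7778)   # the post's telnet test
    print("posted chain :", tunnel_verdict(parse_chain(POSTED_CHAIN), *flow))
    print("with catchall:", tunnel_verdict(parse_chain(POSTED_CHAIN + CATCHALL), *flow))
    print("with exempt  :", tunnel_verdict(
        parse_chain(EXEMPT + "\n" + POSTED_CHAIN + CATCHALL), *flow))
```

Against the chain exactly as posted, the 192.168.0.155 to 192.168.202.22 flow hits no MASQUERADE rule (the only rule sourced from 192.168.0.0/24 is restricted to 192.168.5.2), so NAT on this gateway is not what is eating the TCP traffic; the constructed catch-all shows what the failure looks like when it is. The exemption modelled here is `iptables -t nat -I POSTROUTING 1 -s 192.168.0.0/24 -d 192.168.202.0/24 -j ACCEPT`; the equivalent that survives changes to the tunnel list is `-m policy --dir out --pol ipsec -j ACCEPT` in the same position.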

