[Openswan Users] CentOS5 + Draytek 2820 pings only one way
Nick Howitt
n1ck.h0w1tt at gmail.com
Fri Feb 15 11:45:40 EST 2013
In my firewall, supplied by ClearOS, I have an extra rule in the nat
table which translates to:
Chain POSTROUTING (policy ACCEPT 13046 packets, 2505K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
You should not need to do anything with protocol 51 as it is not used
with esp.
I am not sure iptables is the issue. In the 2820 LAN-LAN profile, is
"From first subnet to remote network, you have to do" set to Route or
NAT? It should be set to Route.
Answering other points, your leftsourceip looks OK. Because it is
specified you do not need to set a source IP when pinging. It will
happen anyway. Pings from CentOS will appear from leftsourceip rather
than L.C.98.24.
BTW, in your config you have a lot of redundant stuff. I would get rid of:
%myid
leftid
rightid
rightsourceip
nat_traversal
compress
connaddrfamily
ike
phase2alg
phase2
keyexchange
keyingtries
ike and phase2alg will be negotiated to whatever you have set in the
2820 (and I'd suggest, unless your CentOS Processor is anaemic, you use
aes256,sha1,group14 and you also enable pfs in the advanced settings).
The other settings are default or unnecessary. Unless you have changed
the defaults in the 2820 you also have a mismatch of keylife and
ikelifetime - they need to be reversed.
Regards,
Nick
On 15/02/2013 12:33, John Crisp wrote:
> On 15/02/13 12:49, Paul Overton wrote:
>> Have you specified the following on your Centos machine?
>>
>> leftsourceip
>> the IP address for this host to use when transmitting a packet to the other side of this
>> link. Relevant only locally, the other end need not agree. This option is used to make the
>> gateway itself use its internal IP, which is part of the leftsubnet, to communicate to the
>> rightsubnet or right. Otherwise, it will use its nearest IP address, which is its public IP
>> address. This option is mostly used when defining subnet-subnet connections, so that the
>> gateways can talk to each other and the subnet at the other end, without the need to build
>> additional host-subnet, subnet-host and host-host tunnels.
>>
>> I have not tried this with Centos, but you never know.
>>
> Hi Paul,
>
> I think I got that right as per the config below:
>
> L.C. is Left CentOS
> R.D. is Right Draytek
>
>
> Config is as below. I am pretty sure it is something to do with the
> CentOS/OpenSwan box not routing properly, but not sure how to get it right.
>
> The Draytek has it figured out.
>
> I know there are a lot of people using Drayteks and this config. Just
> me that can't figure it out!
>
> B. Rgds
> John
>
>
> # basic configuration
> config setup
>     # Debug-logging controls: "none" for (almost) none, "all" for lots.
>     klipsdebug=all
>     plutodebug="control parsing"
>     interfaces=%defaultroute
>     myid=L.C.98.24
>     nat_traversal=yes
>     oe=no
>     protostack=netkey
>     syslog=syslog.debug
>     virtual_private=%v4:10.0.0.0/24,%v4:192.168.99.0/24
>
> conn net-to-net
>     type=tunnel
>     connaddrfamily=ipv4
>     authby=secret
>     auto=start
>     compress=no
>     ike=3des-sha1,des-md5
>     phase2alg=3des-sha1,des-md5
>     phase2=esp
>     ikelifetime=3600s
>     keyexchange=ike
>     keylife=28800s
>     keyingtries=%forever
>     left=%defaultroute
>     leftsourceip=192.168.99.1 # Server local address
>     leftid=L.C.98.24 # Server public IP
>     leftsubnet=192.168.99.0/24
>     pfs=no
>     dpdaction=restart
>     right=R.D.128.243 # Router public IP
>     rightid=R.D.128.243 # Router public IP
>     rightsourceip=10.0.0.251 # Router local address
>     rightsubnet=10.0.0.0/24
>
>
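The following is an added example of what John's ipsec.conf looks like once Nick's trimming list is applied; it is not a config posted in the thread. It drops the settings Nick names as redundant, swaps the keylife and ikelifetime values as he says they need to be reversed, and assumes pfs=yes on the CentOS side to match the PFS he suggests enabling on the 2820 (ike and phase2alg are left out so they negotiate to whatever the 2820 proposes). The L.C./R.D. placeholders are John's own masking of the public addresses.

```ini
# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=all
    plutodebug="control parsing"
    interfaces=%defaultroute
    oe=no
    protostack=netkey
    syslog=syslog.debug
    virtual_private=%v4:10.0.0.0/24,%v4:192.168.99.0/24

conn net-to-net
    type=tunnel
    authby=secret
    auto=start
    # lifetimes swapped relative to the posted config: IKE SA longer, IPsec SA shorter
    ikelifetime=28800s
    keylife=3600s
    left=%defaultroute
    leftsourceip=192.168.99.1      # Server local address; pings from CentOS appear from here
    leftsubnet=192.168.99.0/24
    pfs=yes                        # assumption: matches PFS enabled in the 2820 advanced settings
    dpdaction=restart
    right=R.D.128.243              # Router public IP
    rightsubnet=10.0.0.0/24
```

With authby=secret and no leftid/rightid, the peers identify each other by IP address, so the entry in ipsec.secrets stays keyed on the two public addresses.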
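Nick's nat-table rule is the usual cure for one-way pings over a netkey tunnel on a box that also masquerades: without an ACCEPT for "policy match dir out pol ipsec" ahead of the MASQUERADE/SNAT rule, LAN packets bound for the remote subnet get their source rewritten to the public IP, no longer match the tunnel's subnet selectors, and leave in the clear while replies still arrive through the tunnel. The script below is an added example, not from the thread or from ClearOS/Openswan: it parses `iptables -t nat -L POSTROUTING -v -n` output and reports whether the bypass rule is present and ordered before any SNAT/MASQUERADE rule, and prints the `iptables -m policy` command that inserts it. The two sample chains are constructed for the demo; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the nat POSTROUTING chain
# exempts outbound IPsec-policy traffic from SNAT/MASQUERADE, i.e. that an
# "ACCEPT ... policy match dir out pol ipsec" rule sits above any
# MASQUERADE/SNAT rule.

# Reads `iptables -t nat -L POSTROUTING -v -n` output on stdin.
# Exit 0: bypass rule present and ordered before SNAT/MASQUERADE.
# Exit 1: rule missing, or ordered after a SNAT/MASQUERADE rule.
check_ipsec_nat_bypass() {
    awk '
        /^Chain / || /^ *pkts/ { next }      # skip the two header lines
        $3 == "ACCEPT" && /policy match dir out pol ipsec/ { found = 1; exit }
        $3 == "MASQUERADE" || $3 == "SNAT"   { if (!found) bad = 1; exit }
        END { exit (found && !bad) ? 0 : 1 }
    '
}

# The iptables command that inserts the bypass rule at position 1, i.e. ahead
# of the masquerade rule. Uses the real xt_policy match (-m policy --dir --pol).
nat_bypass_fix_command() {
    echo "iptables -t nat -I POSTROUTING 1 -m policy --dir out --pol ipsec -j ACCEPT"
}

# Constructed sample chains (not captured from a real host). The "good" chain
# mirrors Nick's rule ordering; the "bad" chain masquerades first.
GOOD_CHAIN='Chain POSTROUTING (policy ACCEPT 13046 packets, 2505K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
  812 61234 MASQUERADE all  --  *      eth0    192.168.99.0/24      0.0.0.0/0'

BAD_CHAIN='Chain POSTROUTING (policy ACCEPT 13046 packets, 2505K bytes)
 pkts bytes target     prot opt in     out     source               destination
  812 61234 MASQUERADE all  --  *      eth0    192.168.99.0/24      0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec'

# Run with --demo to check both samples; on a live gateway, pipe the real
# chain in instead: iptables -t nat -L POSTROUTING -v -n | check_ipsec_nat_bypass
if [ "${1:-}" = "--demo" ]; then
    for chain in "$GOOD_CHAIN" "$BAD_CHAIN"; do
        if printf '%s\n' "$chain" | check_ipsec_nat_bypass; then
            echo "ok: IPsec traffic is exempted from NAT before SNAT/MASQUERADE"
        else
            echo "problem: insert the bypass rule with: $(nat_bypass_fix_command)"
        fi
    done
fi
```

The ordering check matters more than mere presence: the nat table is walked top to bottom and the first matching rule wins, so a bypass rule appended after MASQUERADE never fires. Protocol 51 (AH) needs no rule of its own here, as Nick notes, because the tunnel uses ESP.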