[Openswan Users] Host-to-host connection with SAref without tunneling
Eduard Veleba
eduard.veleba at emtc.cz
Fri Jan 18 14:41:33 EST 2013
Hello Daniel,
yes, I have net.ipv4.ip_forward=1 in nearly all my Linux systems. Also I'm
trying everything with empty iptables with ACCEPT policy:
[virtmaster] root at ingwe:~# sysctl -a 2>/dev/null | grep ip_forward
net.ipv4.ip_forward = 1
[virtmaster] root at ingwe:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Do you mean "ipsec verify"? If so, here it is:
[virtmaster] root at ingwe:~# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan 2.6.38 (klips)
Checking for IPsec support in kernel [OK]
KLIPS: checking for NAT Traversal support [OK]
KLIPS: checking for OCF crypto offload support [N/A]
Kernel: IPsec SAref kernel support [OK]
Kernel: IPsec SAref Bind kernel support [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
If you mean something else, how can I try it? "ipsec auto verify" shows me
usage (help) screen.
Should I send output of "ipsec barf"?
Thanks!
_____
Eduard Veleba
Have you enabled ip.forwarding in /etc/sysctl.conf ?
also, have you done ipsec auto verify ?
d.
On 18 Jan 2013, at 10:46, Eduard Veleba wrote:
Hello,
I need to set up host-to-host IPsec encrypted (ESP) connection without any
VPN (just "plain" transport mode). There's our server with public IP address
on the left side and many clients (with different OS) with different IP
addresses (some of them on public addresses, some of them behind NAT, some
of them even behind the very same NAT).
As I need to handle multiple clients behind the same NAT, I assume I need to
use MAST stack and SAref patched kernel. I have now both functional (kernel
is patched and I can modprobe ipsec without problems) and command "ipsec
verify" shows "OK" for SAref support as well.
I don't want to use L2TP or any other tunneling, I just need to secure
connection to that single IP address (server address) with ESP.
My ipsec.conf looks like this (our IP address replaced with 1.2.3.4):
version 2.0
config setup
nat_traversal=yes
protostack=mast
virtual_private=%v4:1.2.3.4/32,%v4:!0.0.0.0/0
conn host-to-host
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
sareftrack=yes
overlapip=yes
dpddelay=10
dpdtimeout=90
dpdaction=clear
ikelifetime=8h
keylife=1h
type=transport
left=1.2.3.4
right=%any
And when I start Openswan, clients are able to associate (I see multiple
SAs), but ping doesn't work. Mast interface looks like this:
mast0 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:26840 (26.2 KiB) TX bytes:0 (0.0 B)
The strange thing is I can see ping requests on mast0 with tcpdump and also
if I change stack from MAST to KLIPS or NETKEY, everything works well
(except only one client behind each NAT can connect, I assume that SAref is
supported only in MAST stack).
What may I be doing wrong? Are my assumptions about the need of using MAST
stack correct or can I get SAref support with KLIPS stack somehow?
Thanks!
_____
Eduard Veleba
_______________________________________________
Users at lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
Regards
Dan.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20130118/f0348d8e/attachment-0001.html>
More information about the Users
mailing list