[Openswan Users] Site-to-site + OpenVPN

Simon Deziel simon at xelerance.com
Mon May 13 16:12:53 UTC 2013


On 13-05-13 11:46 AM, Damir Reic wrote:
>>>> Your OpenVPN connection isn't established?
>>>
>>> No it is not.
>>>
>>> iptables -t nat -A PREROUTING -p udp -d 1.1.1.1 --dport 1191 -j
>>> REDIRECT  - missing the rest of the rule
>>
>> We are missing context to make sense of this traffic redirection rule.
>> Assuming OpenSwan is running on the same boxes as your IPsec endpoints,
>> few iptables rules should be involved and probably none in PREROUTING.
> 
> 
> Well that's what I don't know :)
> 
> 
>>
>>> Now I don't know how to push this traffic inside the tunnel (don't
>>> even know if it is possible with iptables). 1.1.1.1 is, let's say, the 1st
>>> server, 2.2.2.2 is the server on the other end of the tunnel on which OpenVPN
>>> is.
>>
>> Please show your IPsec configs from both sides.
>>
>> Simon
> 
> 
> conn site-to-site
>         left=50.56.213.56
>         leftnexthop=%defaultroute
>         right=50.56.213.234
>         auto=start
>         keyexchange=ike
>         authby=secret
>         # Optional specify encryption/hash methods for phase 1 & 2
>         ike=3des-sha1;modp1024
>         phase2=esp
>         phase2alg=3des-sha1;modp1024
>         ikelifetime=8h
>         salifetime=1h
>         # Disable Perfect Forward Secrecy if it is not working properly
>         pfs=yes
>         # Optional enable compression (if working)
>         # compress=yes
>         type=transport
> 
> 
> 
> 
> conn site-to-site
>         left=50.56.213.234
>         leftnexthop=%defaultroute
>         right=50.56.213.56
>         auto=start
>         keyexchange=ike
>         authby=secret
>         # Optional specify encryption/hash methods for phase 1 & 2
>         ike=3des-sha1;modp1024
>         phase2=esp
>         phase2alg=3des-sha1;modp1024
>         ikelifetime=8h
>         salifetime=1h
>         # Disable Perfect Forward Secrecy if it is not working properly
>         pfs=yes
>         # Optional enable compression (if working)
>         # compress=yes
>         type=transport

I'm a bit surprised by the proximity of your left/right IPs. IPsec +
OpenVPN while on the same LAN/VLAN is quite paranoiac ;)

> OpenVPN is running on 50.56.213.234. So I want to configure the 1st server
> (50.56.213.56) so that requests on OpenVPN ports are pushed inside the tunnel.

On the 50.56.213.234 side, make sure OpenVPN binds to 50.56.213.234 or
0.0.0.0.

On the 50.56.213.56 side, make sure the OpenVPN client connects to the
listening port on 50.56.213.234.

You should probably disable all firewalling on both sides while you are
debugging this issue and enable it afterwards.

HTH,
Simon
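As an added example (not code from this thread, nor from Openswan or OpenVPN), the following Python script reviews the two conn blocks quoted above the way a reviewer would before debugging traffic: it parses the ipsec.conf-style text, confirms that left/right are mirrored and the proposals agree on both peers, flags the 3DES and modp1024 choices as weak by today's standards, and, for type=transport, records that only host-to-host traffic between the two endpoint addresses is protected, which is why where OpenVPN listens and what address the client connects to matters. The minimal parser, the WEAK_TOKENS list, the helper names and the trimmed sample configs are assumptions of this example.

```python
"""Added example: review a pair of Openswan-style conn definitions for
the problems that usually stop a transport-mode site-to-site setup
from carrying traffic such as OpenVPN between the two hosts."""

# Constructed sample: the two sides quoted in the thread, trimmed to the
# keys the checks below look at.
SIDE_A = """
conn site-to-site
        left=50.56.213.56
        leftnexthop=%defaultroute
        right=50.56.213.234
        auto=start
        keyexchange=ike
        authby=secret
        ike=3des-sha1;modp1024
        phase2=esp
        phase2alg=3des-sha1;modp1024
        pfs=yes
        type=transport
"""

SIDE_B = """
conn site-to-site
        left=50.56.213.234
        leftnexthop=%defaultroute
        right=50.56.213.56
        auto=start
        keyexchange=ike
        authby=secret
        ike=3des-sha1;modp1024
        phase2=esp
        phase2alg=3des-sha1;modp1024
        pfs=yes
        type=transport
"""

# Algorithm tokens a review should flag today (assumed list).
WEAK_TOKENS = ("3des", "modp1024")


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text.
    '#' comments and blank lines are ignored. This is a minimal parser
    written for the example, not Openswan's own."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def review_pair(conf_a, conf_b, name="site-to-site"):
    """Compare the same conn on both peers and report what matters."""
    a, b = parse_conns(conf_a)[name], parse_conns(conf_b)[name]
    report = {
        # left/right must be swapped between the two sides
        "mirrored": a["left"] == b["right"] and a["right"] == b["left"],
        # these must agree or IKE/IPsec negotiation fails
        "mismatched_keys": [k for k in ("ike", "phase2alg", "type",
                                        "authby", "pfs", "keyexchange")
                            if a.get(k) != b.get(k)],
        # weak algorithm choices in either proposal
        "weak": sorted({(k, tok) for k in ("ike", "phase2alg")
                        for tok in WEAK_TOKENS if tok in a.get(k, "")}),
    }
    # transport mode protects only host-to-host traffic between the two
    # endpoint addresses; no subnet behind either side is covered
    if a.get("type") == "transport":
        report["protected"] = (a["left"], a["right"])
    else:
        report["protected"] = (a.get("leftsubnet", a["left"]),
                               a.get("rightsubnet", a["right"]))
    return report


def openvpn_bind_ok(listen_addr, conn_on_server):
    """On the OpenVPN host, the daemon must listen on the address the
    IPsec SA is built for (its own 'left') or on all addresses; the
    client on the other peer then connects to that address."""
    return listen_addr in ("0.0.0.0", conn_on_server["left"])


if __name__ == "__main__":
    for key, value in review_pair(SIDE_A, SIDE_B).items():
        print(f"{key}: {value}")
    server_conn = parse_conns(SIDE_B)["site-to-site"]
    print("bind 0.0.0.0 ok:", openvpn_bind_ok("0.0.0.0", server_conn))
    print("bind 127.0.0.1 ok:", openvpn_bind_ok("127.0.0.1", server_conn))
```

Run it against the real /etc/ipsec.conf from both peers (read the files instead of the constructed strings) to confirm the conns are mirrored before touching any iptables rule; with type=transport, a PREROUTING REDIRECT on the client side cannot put traffic "into" the tunnel, since the SA already covers everything exchanged directly between the two endpoint addresses.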

