[Openswan Users] [NEWSENDER - ] - Re: IPsec configuration

Pascal Fuks Pascal at financial-art.be
Sat Nov 16 16:55:11 UTC 2013


Hello Kent.
Result is as expected.
Regards
Pascal Fuks
Network & Security Architect,
CEO / Administrateur délégué,

Tel. : +32 2 387 08 00
Fax : +32 2 387 07 06
Email : pascal at financial-art.be<mailto:pascal at financial-art.be>
IM: pascal at financial-art (MSN)
Free/Busy Time : http://www.financialart.be/pfukscal.html

On 16 Nov 2013, at 17:46, Ana <kentdavies at gmail.com<mailto:kentdavies at gmail.com>> wrote:

Hi Pascal.

Many many thanks.
I forgotten to manage my iptables rules.
For now I've flushed my iptables and now on got this:
<image.png>

So I believe it is working as expected. Isn't it?

My next step is to accomplish the exact same thing but now using x509 certificates. I know I have to generate on CA, and then generate two certificates for each machine signed with my CA. Will try and If I bump  in any obstacle will then use this list.

Once again, thanks for your help.

Kent



On Sat, Nov 16, 2013 at 2:23 PM, Pascal Fuks <Pascal at financial-art.be<mailto:Pascal at financial-art.be>> wrote:
Hello Kent,
Could you lits your netfilters on both machines?
iptables-save

Pascal Fuks
Network & Security Architect,
CEO / Administrateur délégué,

Tel. : +32 2 387 08 00<tel:%2B32%202%20387%2008%2000>
Fax : +32 2 387 07 06<tel:%2B32%202%20387%2007%2006>
Email : pascal at financial-art.be<mailto:pascal at financial-art.be>
IM: pascal at financial-art (MSN)
Free/Busy Time : http://www.financialart.be/pfukscal.html

On 16 Nov 2013, at 13:37, Ana <kentdavies at gmail.com<mailto:kentdavies at gmail.com>> wrote:

Hello Pascal.

Thanks.

>From machine A I test like this:
[root at mainmachine etc]# ping -I 10.1.1.254 10.1.2.254
PING 10.1.2.254 (10.1.2.254) from 10.1.1.254 : 56(84) bytes of data.
^C
--- 10.1.2.254 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3424ms
[root at mainmachine etc]# ping -I 10.1.1.254 10.1.2.2
PING 10.1.2.2 (10.1.2.2) from 10.1.1.254 : 56(84) bytes of data.
^C
--- 10.1.2.2 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3727ms
[root at mainmachine etc]#

Listening on eth6 of machine B with Wireshark I got this:
<image.png>


So now I believe it's encrypted but host is unreachable.

On machine A, If I do this instead:
[root at mainmachine etc]# ping -I 192.168.1.1 10.1.2.254
PING 10.1.2.254 (10.1.2.254) from 192.168.1.1 : 56(84) bytes of data.
64 bytes from 10.1.2.254<http://10.1.2.254/>: icmp_seq=1 ttl=64 time=0.411 ms
64 bytes from 10.1.2.254<http://10.1.2.254/>: icmp_seq=2 ttl=64 time=1.22 ms
64 bytes from 10.1.2.254<http://10.1.2.254/>: icmp_seq=3 ttl=64 time=0.442 ms
^C
--- 10.1.2.254 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.411/0.691/1.222/0.376 ms
[root at mainmachine etc]# ping -I 192.168.1.1 10.1.2.2
PING 10.1.2.2 (10.1.2.2) from 192.168.1.1 : 56(84) bytes of data.
^C
--- 10.1.2.2 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3351ms
[root at mainmachine etc]#

Listening on eth6 of machine B with Wireshark I got this:
<image.png>

Host now is reachable but conn is not encrypted.

I believe I have some kind of routing problem.

My routing table on Machine A is this:
[root at mainmachine etc]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     1      0        0 eth2
10.1.1.0        0.0.0.0         255.255.255.0   U     1      0        0 eth1
10.1.2.0        192.168.1.2     255.255.255.0   UG    0      0        0 eth2
0.0.0.0         10.1.1.254      0.0.0.0         UG    0      0        0 eth1

And on Machine B is this:
[root at mainmachine etc]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     1      0        0 eth6
10.1.1.0        192.168.1.1     255.255.255.0   UG    0      0        0 eth6
10.1.2.0        0.0.0.0         255.255.255.0   U     1      0        0 eth5

0.0.0.0         10.1.2.254      0.0.0.0         UG    0      0        0 eth5

Aren't those routing tables correct?

Thanks,

Kent Davies














On Sat, Nov 16, 2013 at 12:12 PM, Pascal Fuks <Pascal at financial-art.be<mailto:Pascal at financial-art.be>> wrote:
Hello Ana,
You should take care when pinging to make packets come from your "lan" IP.
So
>From A:
 ping -I 10.1.1.254 10.1.2.254
This should work.

This is because the IP stack always choose the interface that is the nearest to the destination as normal source for the packet, thus choosing your "public" IP as source. When using -I in ping, you force the source to be in the LeftSubnet...
Regards
Pascal Fuks
Network & Security Architect,
CEO / Administrateur délégué,

Tel. : +32 2 387 08 00<tel:%2B32%202%20387%2008%2000>
Fax : +32 2 387 07 06<tel:%2B32%202%20387%2007%2006>
Email : pascal at financial-art.be<mailto:pascal at financial-art.be>
IM: pascal at financial-art (MSN)
Free/Busy Time : http://www.financialart.be/pfukscal.html

On 16 Nov 2013, at 12:37, Bart Smink <bartsmink at gmail.com<mailto:bartsmink at gmail.com>> wrote:

Hi Kent,

Nice images, way better than the usual textart. I think that you need to change virtual private to virtual_private=%v4:0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.1.0/24<http://0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.1.0/24> on left and virtual_private=%v4:0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.2.0/24<http://0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.2.0/24> on right. In ipsec.conf it is normal to have left as the local computer. So the ipsec.conf on computer B would be left = 192.168.2.1 leftsubnet = 10.1.2.0/24<http://10.1.2.0/24> right = 192.168.1.1 rightsubnet = 10.1.1.0/24<http://10.1.1.0/24> . And I dont use leftnexthop and rightnexthop in my config, and I dont think you need it, it is the next hop to the ISP, so in the direction of the WAN network.

Greetings,

Bart



2013/11/16 Ana <kentdavies at gmail.com<mailto:kentdavies at gmail.com>>
Hi everybody.

I’m starting to learn IPsec and I'm having some problems.

I’m running two virtual machines with CentOS that simulates the network depicted in the bellow picture.
<image.png>



I want to create an IPsec tunnel between machine A and machine B. The keys should be negotiated using IKE and the tunnel should enable total connectivity between the two machines.


My ipsec.conf file on both machines is this:

config setup
            protostack=netkey
            dumpdir=/var/run/pluto/
            nat_traversal=yes
            virtual_private=%v4:10.1.1.0/24,%v4:10.1.2.0/24<http://10.1.1.0/24,%v4:10.1.2.0/24>
conn gw-to-gw
            authby=secret
            left=192.168.1.1
            leftsubnet=10.1.1.0/24<http://10.1.1.0/24>
            leftnexthop=192.168.1.2
            right=192.168.1.2
            rightsubnet=10.1.2.0/24<http://10.1.2.0/24>
            rightnexthop=192.168.1.1
            auto=start

            type=tunnel

And ipsec.secrets on both machines is this:

192.168.1.1 192.168.1.2 : PSK "test"

I then do service ipsec start on machine A followed by the same command on machine B. Then, again on machine A, I do ipsec auto –up gw-to-gw followed by the exact same command on machine B.
Machine A output:
[root at mainmachine etc]# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.23.2.el6.i686...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
[root at mainmachine etc]# ipsec auto --up gw-to-gw
117 "gw-to-gw" #5: STATE_QUICK_I1: initiate
004 "gw-to-gw" #5: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xc17e5cb7 <0xefd31319 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
[root at mainmachine etc]#

Machine B output:
[root at mainmachine etc]# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.23.2.el6.i686...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
[root at mainmachine etc]# ipsec auto --up gw-to-gw
117 "gw-to-gw" #6: STATE_QUICK_I1: initiate
004 "gw-to-gw" #6: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xf5fe7b43 <0x94c97925 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
[root at mainmachine etc]#

I’m now using Wireshark to see how the traffic goes through the network from machine A to machine B.

Listening on interface eth5 of machine B and pinging 10.1.2.254 or 10.1.2.2 from machine A, Wireshark does not capture any packet. If I do the exact same procedure but not listening on interface eth6 Wireshark captures the following image.
<33en.jpg>

I believe that the packet should somehow be encrypted but Wireshark is telling me that it is not, so probably I have some kind of error on my ipsec.conf configuration.

Can someone point me in some direction?

Thanks,


Kent Davies
























_______________________________________________
Users at lists.openswan.org<mailto:Users at lists.openswan.org>
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155




--
**** DISCLAIMER ****

"This e-mail and any attachment thereto may contain information which is confidential and/or protected by intellectual property rights and are intended for the sole use of the recipient(s) named above.
Any use of the information contained herein (including, but not limited to, total or partial reproduction, communication or distribution in any form) by other persons than the designated recipient(s) is prohibited.
If you have received this e-mail in error, please notify the sender either by telephone or by e-mail and delete the material from any computer".

Thank you for your cooperation.
_______________________________________________
Users at lists.openswan.org<mailto:Users at lists.openswan.org>
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155


**** DISCLAIMER ****

"This e-mail and any attachment thereto may contain information which is confidential and/or protected by intellectual property rights and are intended for the sole use of the recipient(s) named above.
Any use of the information contained herein (including, but not limited to, total or partial reproduction, communication or distribution in any form) by other persons than the designated recipient(s) is prohibited.
If you have received this e-mail in error, please notify the sender either by telephone or by e-mail and delete the material from any computer".

Thank you for your cooperation.

* This e-mail was scanned against known viruses by MDaemon-DKAV



**** DISCLAIMER ****

"This e-mail and any attachment thereto may contain information which is confidential and/or protected by intellectual property rights and are intended for the sole use of the recipient(s) named above.
Any use of the information contained herein (including, but not limited to, total or partial reproduction, communication or distribution in any form) by other persons than the designated recipient(s) is prohibited.
If you have received this e-mail in error, please notify the sender either by telephone or by e-mail and delete the material from any computer".

Thank you for your cooperation.

* This e-mail was scanned against known viruses by MDaemon-DKAV




**** DISCLAIMER ****

"This e-mail and any attachment thereto may contain information which is confidential and/or protected by intellectual property rights and are intended for the sole use of the recipient(s) named above. 
Any use of the information contained herein (including, but not limited to, total or partial reproduction, communication or distribution in any form) by other persons than the designated recipient(s) is prohibited. 
If you have received this e-mail in error, please notify the sender either by telephone or by e-mail and delete the material from any computer".

Thank you for your cooperation.

* This e-mail was scanned against known viruses by MDaemon-DKAV
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20131116/2c9fc330/attachment-0001.html>


More information about the Users mailing list