[Openswan Users] Firewall rules for openswan behind NAT

Nick Howitt n1ck.h0w1tt at gmail.com
Tue Nov 19 08:44:11 UTC 2013



For your rules, I was hoping for something like the output of "iptables
-L -n -v" and "iptables -t nat -L -n -v" rather than a description of
the rules.

Forceencaps is unlikely but can be useful 

Openswan/ipsec logs are typically found in /var/log/secure depending on
your system. If you have dpd enabled you should see constant tunnel
renegotiation if the tunnel has gone down. You'll see nothing odd if the
tunnel is up but no traffic is passing. When the tunnel is up you should
see in the logs something like "IPSec SA Established". Available status
information is not particularly helpful.

Can you also try adding a firewall rule something like:

iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT

Either that or something in the POSTROUTING chain which allows traffic
between the local and remote subnets, but this rule is more flexible as
you don't need to specify the subnets.

Nick 
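The rule set sketched in this reply (IKE on UDP 500, NAT-T on UDP 4500, protocols 50 and 51, ICMP as Leto noted, and the policy-match exemption in the nat POSTROUTING chain), together with a rough tunnel-state check over pluto log lines as an answer to "how can I tell what state the tunnel is in", as an added shell example. This is not code from the thread or from the Openswan project. The peer address 203.0.113.10 and the two VPC CIDRs are placeholders, the pluto log lines are constructed samples, and the log patterns assume Openswan 2.6's pluto messages ("IPsec SA established", "DPD: No response from peer", "DPD: Restarting Connection").

```shell
#!/bin/sh
# Added example, not code from the thread or from Openswan.
# Placeholder values (assumptions): the peer's public post-NAT address and the
# two VPC subnets joined by the tunnel.
PEER="203.0.113.10"
LOCAL_NET="10.0.0.0/16"
REMOTE_NET="10.1.0.0/16"

# Print the iptables rules an Openswan gateway behind 1:1 NAT needs. They are
# printed rather than applied so they can be reviewed first; pipe to "sh" to apply.
ipsec_fw_rules() {
  cat <<EOF
# Stateful return traffic (the iptables equivalent of a stateful AWS security group)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# IKE (500) and NAT-T (4500): the peer's source port is ephemeral, so match only
# the destination port, never "500 <-> 500" or "4500 <-> 4500"
iptables -A INPUT -p udp -s $PEER --dport 500 -j ACCEPT
iptables -A INPUT -p udp -s $PEER --dport 4500 -j ACCEPT
# ESP (protocol 50) only matters without NAT-T; AH (51) authenticates the IP
# header and so does not survive NAT, so behind 1:1 NAT the tunnel traffic
# normally arrives inside UDP 4500
iptables -A INPUT -p 50 -s $PEER -j ACCEPT
iptables -A INPUT -p 51 -s $PEER -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
# Forward subnet-to-subnet traffic only when it was (or will be) protected by an
# IPsec policy, i.e. not cleartext from the Internet carrying a private source
iptables -A FORWARD -m policy --dir in --pol ipsec -s $REMOTE_NET -d $LOCAL_NET -j ACCEPT
iptables -A FORWARD -m policy --dir out --pol ipsec -s $LOCAL_NET -d $REMOTE_NET -j ACCEPT
# Nick's rule: inserted first so MASQUERADE cannot rewrite packets that an IPsec
# policy is about to encrypt (a NATed source no longer matches the tunnel subnets)
iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
EOF
}

# Constructed pluto log lines (Openswan 2.6 message formats), not a real capture:
# a successful negotiation followed by a DPD timeout and restart.
sample_pluto_log() {
  cat <<'EOF'
Nov 19 08:12:01 gw pluto[1234]: "vpc-link" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Nov 19 08:12:02 gw pluto[1234]: "vpc-link" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x0000dead <0x0000beef xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=203.0.113.10:4500 DPD=enabled}
Nov 19 08:40:15 gw pluto[1234]: "vpc-link" #2: DPD: No response from peer - declaring peer dead
Nov 19 08:40:15 gw pluto[1234]: "vpc-link" #2: DPD: Restarting Connection
EOF
}

# Reduce a pluto log (files given as arguments, or stdin) to the tunnel's last
# known state plus the number of DPD restarts: a tunnel that is up but passing
# no traffic shows UP with no restarts, a dead peer shows DOWN and a climbing
# restart count.
ipsec_tunnel_state() {
  awk '
    BEGIN { state = ""; restarts = 0 }
    tolower($0) ~ /ipsec sa established/ { state = "UP" }
    /DPD: No response from peer/         { state = "DOWN" }
    /DPD: Restarting Connection/         { restarts++ }
    END { printf "%s dpd_restarts=%d\n", (state == "" ? "UNKNOWN" : state), restarts }
  ' "$@"
}

# Demo when run directly: sh ipsec-fw.sh --demo
if [ "${1:-}" = "--demo" ]; then
  ipsec_fw_rules
  sample_pluto_log | ipsec_tunnel_state
fi
```

The rules are written to be appended ahead of a default DROP policy on INPUT and FORWARD; the POSTROUTING rule is inserted with -I on purpose, because it only helps if it is evaluated before the MASQUERADE or SNAT rule. For a real check, run `ipsec_tunnel_state /var/log/secure` (or wherever pluto logs on the system) and watch whether the restart count keeps growing between two runs.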

On 2013-11-18 23:28, Fred Weston wrote: 

> FROM: users-bounces at lists.openswan.org [mailto:users-bounces at lists.openswan.org] ON BEHALF OF Nick Howitt
> 
> Can you post the exact rules you are using? 
> 
> I included those in my original message. 
> 
> *:* > UDP 500 
> 
> *:* > UDP 4500 
> 
> * > IP Protocol 50 
> 
> * > IP Protocol 51 
> 
> Also have you tried forcing encapsulation with forceencaps=yes in your conns? 
> 
> No, I haven't tried that. 
> 
> When you say "things stop working" does the tunnel come down, or does traffic just fail to pass? 
> 
> I'm not sure how to tell the difference, my test methodology was to ping a host on the far side of the tunnel and when I change the firewall rules from wide open to those above the ping starts timing out. How can I tell what state the tunnel is in? 
> 
> Regards, 
> 
> Nick 
> 
> On 2013-11-17 17:13, Fred Weston wrote: 
> 
> Does anyone else have any suggestions? I would like to implement this in production but I am hesitant to do so when the only way I can get it to work is permit all traffic from the Internet into the openswan boxes. 
> 
> FROM: users-bounces at lists.openswan.org [mailto:users-bounces at lists.openswan.org] ON BEHALF OF Fred Weston
> SENT: Wednesday, November 13, 2013 11:49 AM
> TO: Leto
> CC: users at lists.openswan.org
> SUBJECT: Re: [Openswan Users] Firewall rules for openswan behind NAT 
> 
> Let me clarify - when I reference ports/protocols that I'm allowing inbound, I'm allowing it from the opposite host and not specifying a source port. 
> 
> Thanks, 
> 
> FW 
> 
> FROM: Leto [mailto:letoams at gmail.com] 
> SENT: Wednesday, November 13, 2013 11:27 AM
> TO: Fred Weston
> CC: users at lists.openswan.org
> SUBJECT: Re: [Openswan Users] Firewall rules for openswan behind NAT 
> 
> sent from a tiny device 
> 
> On 2013-11-13, at 10:44, Fred Weston <fred.weston at lpga.com> wrote: 
> 
> Hello All, 
> 
> I'm using OpenSwan with AWS to link two private VPC networks in different regions. 
> 
> I'm having trouble getting my firewall ACLs right. Everything works if I permit all traffic to the OpenSwan boxes, however when I try to get more restrictive and permit only the necessary ports things stop working. 
> 
> One side has all traffic permitted inbound for the time being and I'm making ACL changes trying to restrict traffic to certain ports/protocols on the other side. 
> 
> Both endpoints are behind 1:1 NAT. Everything is permitted outbound on both sides. 
> 
> From reading online, I understand that the following ports and protocols should be all I need: 
> 
> UDP 500 
> 
> UDP 4500 
> 
> IP Protocol 50 
> 
> IP Protocol 51 
> 
> I tried the above and had no luck. As soon as I change from permitting all inbound to permitting only the above list the tunnel comes down. 
> 
> You should really allow icmp. 
> 
> Note that you need to accept from a random high port to dest udp 4500, not just 4500 <-> 4500. Same for 500 
> 
> I also tried permitting tcp/1721 and tcp/1723 and IP Protocol 47. 
> 
> I am using AWS 'security groups' to control filtering and according to the docs (and my observations) security groups are stateful, so I am not sure why this isn't working. 
> 
> Can anyone offer any suggestions? 
> 
> Thanks, 
> 
> FRED WESTON 
> 
> The information transmitted in this message (including any attachments) is intended only for the use of the individual(s) and/or entity(ies) to which it is addressed and may contain confidential business information which should not be disclosed. If you are not the intended recipient, you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If you have received this email in error, please notify the sender and immediately destroy and delete this email from your system without disseminating it. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message. Any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of the LPGA and/or its affiliates. No employee is authorized to conclude any binding agreement on behalf of LPGA and/or its affiliates with another party by e-mail. All agreements shall be contained in a separate writing executed by an authorized LPGA signatory. Thank You.
> 
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users [1]
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy [2]
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155 [3] 
> 
> 

Links:
------
[1] https://lists.openswan.org/mailman/listinfo/users
[2] https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
[3] http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155