[Openswan Users] Firewall rules for openswan behind NAT

Neal Murphy neal.p.murphy at alum.wpi.edu
Thu Nov 21 05:21:06 UTC 2013


On Wednesday, November 20, 2013 10:57:35 PM Fred Weston wrote:
> >-----Original Message-----
> >From: users-bounces at lists.openswan.org
> >[mailto:users-bounces at lists.openswan.org] On Behalf Of Neal Murphy
> >Subject: Re: [Openswan Users] Firewall rules for openswan behind NAT
> >
> >On Wednesday, November 20, 2013 05:14:55 PM Fred Weston wrote:
> ...
> >If you are saying that *no* traffic passes from one end to the other
> >unless you forward their ports inbound to the destination openswan
> >server, then I must suspect that no traffic is passing through the
> >tunnel (into which the outer firewalls will not and cannot see). Are you
> >*sure* the client nodes have their routes set up correctly?
> 
> Yes, this is exactly what I'm saying.  The traceroutes confirm that the
> traffic is passing through the two openswan boxes; there is no other path
> between the two networks, so the traffic *must* be traversing the tunnel.
> That being said, I 100% agree with you that this makes absolutely no sense
> UNLESS the traffic is only being tunneled and is not being encrypted.  In
> that case this could make sense because the firewall might be able to see
> the tunneled traffic and apply its ruleset to it.  Everything seems to
> indicate that traffic is being encrypted though, so the firewall
> controlling what traffic can come into the far openswan box shouldn't be
> able to see any of the raw traffic, all it should see is encrypted noise.

All the firewall should see is UDP packets on port 4500; it shouldn't act on 
what's in the payload (unless it's using deep packet inspection--DPI).

> 
> The way AWS handles routing is a bit different than how you would normally
> handle it.  For instance, when I set a route for 10.1.0.0/16, I don't set
> an IP address as the next hop, I set a network interface which just
> happens to be the virtual NIC assigned to the openswan VM.  Otherwise, yes
> I am pretty sure the routing should not be suspect.
> 
> >But I'm *really* beginning to suspect the configuration of the openswan
> >system. What type of system is it running on?
> 
> So am I.  It's a t1.micro instance running Amazon Linux.  Specifically, it
> was launched from their NAT AMI (machine image).
> 
> >Are you certain there is no other tunneling going on?
> 
> The only other thing I could think of is that since the image I'm using was
> purpose built for doing NAT, that perhaps there were some existing
> firewall rules on the openswan boxes that could be monkeying with things. 
> I tried to list the iptables ruleset, but it came up empty.  Since the
> boxes are designed to do NAT, shouldn't I see some sort of iptables rules?
> Is there something other than iptables that could be in use that I should
> check?

No, only iptables (netfilter) wrangles packets.

Wait. Does the openswan machine have only one interface? If so, you're 
probably well beyond my expertise; I can handle OS when it uses two NICs. If 
it has two, your diagram and routing are wrong.
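One concrete way to settle the "empty ruleset" question is to inspect all netfilter tables rather than just the filter table, since `iptables -L` without `-t` shows only filter and a NAT-oriented image typically keeps its MASQUERADE rule in the nat table. The script below is an added example, not part of either poster's message or of Openswan; it audits an `iptables-save` dump offline for the things discussed in this thread (IKE on UDP 500, NAT-T on UDP 4500, chain policies, and any MASQUERADE rule). The embedded dump is a constructed sample; on a real gateway you would feed it `iptables-save` output instead.

```shell
#!/bin/sh
# Added example (not from the thread): audit an `iptables-save` dump for a
# gateway that terminates IPsec behind NAT. SAMPLE_DUMP is constructed to
# resemble what a NAT-style image might carry; substitute `iptables-save`.

SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
COMMIT'

# Rule count per table. "iptables -L" alone lists only the filter table, so an
# empty listing there says nothing about rules living in nat or mangle.
summarize() {  # $1 = dump
  printf '%s\n' "$1" | awk '
    /^\*/ { tbl = substr($1, 2); counts[tbl] = 0; order[++n] = tbl; next }
    /^-A/ { counts[tbl]++ }
    END { for (i = 1; i <= n; i++) printf "%s=%d\n", order[i], counts[order[i]] }'
}

# True (exit 0) when an INPUT rule accepts the given UDP port
# (500 = IKE, 4500 = NAT-Traversal carrying the ESP payload).
accepts_udp() {  # $1 = dump, $2 = port
  printf '%s\n' "$1" | grep -Eq -- "^-A INPUT .*-p udp .*--dport $2 .*-j ACCEPT"
}

# True when both IKE and NAT-T are explicitly accepted on INPUT.
ipsec_ports_open() {  # $1 = dump
  accepts_udp "$1" 500 && accepts_udp "$1" 4500
}

# True when a MASQUERADE rule is present: source addresses leaving that
# interface get rewritten, which is worth knowing if tunnel traffic shares it.
has_masquerade() {  # $1 = dump
  printf '%s\n' "$1" | grep -q -- '-j MASQUERADE'
}

# Default policy of a chain (e.g. ACCEPT or DROP), taken from the ":CHAIN" line.
chain_policy() {  # $1 = dump, $2 = chain name
  printf '%s\n' "$1" | awk -v c=":$2" '$1 == c { print $2; exit }'
}

# Human-readable summary of the checks above.
audit() {  # $1 = dump
  echo "rules per table:"
  summarize "$1" | sed 's/^/  /'
  if ipsec_ports_open "$1"; then
    echo "udp 500 and 4500 accepted on INPUT"
  else
    echo "no explicit INPUT accept for udp 500/4500 (INPUT policy: $(chain_policy "$1" INPUT))"
  fi
  has_masquerade "$1" && echo "MASQUERADE rule present in nat table"
  echo "FORWARD policy: $(chain_policy "$1" FORWARD)"
}

audit "$SAMPLE_DUMP"
```

Run it as-is to see the report for the constructed dump; to check a live box, replace the sample with `iptables-save` output (for example `audit "$(iptables-save)"`). A dump whose only table is filter with zero `-A` lines is what an empty `iptables -L` corresponds to; a nat table with MASQUERADE on the outward interface is what a NAT image is expected to carry.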
