[Openswan Users] Fritz!VPN working example, but some routing problems

Peter Gerland peter at peges.de
Wed Nov 27 09:54:52 UTC 2013






I've set up a working road-warrior IPsec connection from a FRITZ!Box 6842
LTE (road warrior) to
Openswan on Fedora 19 -- Linux Libreswan 3.5 (netkey) on
3.11.8-200.fc19.x86_64 --

Now I have run into routing problems.
From 192.168.111.0/24 I can ping all servers in subnet 10.37.99.0/24.
From 10.37.99.0/24 I can ping all servers in subnet 192.168.111.0/24.
I can't ping from 192.168.111.0 to 192.168.10.7 and vice versa.
But after the tunnel comes up, the route to 192.168.111.0 is announced via
ripd to 192.168.10.7.
I've also tested it without ripd, setting the route to 192.168.111.0/24
manually on 192.168.10.7.
It seems that the packets don't get beyond the tunnel.

Could somebody help me?


Here is my setup (could somebody put it in the Openswan wiki as a working site-to-site config?):

Fritz!Box Roadwarrior
OpenswanFC19 
Internal Network
Subnet 192.168.111.0/24
       |
   Internet
       |
FC 19 x64 OpenSwan
quagga, zebra +ripd
Subnet 194.76.X.X/24
em2 static 194.76.X.X
eth2 static 10.37.99.5
Subnet 10.37.99.0/24
       |
      DMZ
       |
CentOS 4
quagga, zebra +ripd
Subnet 10.37.99.0/24
eth0 10.37.99.3
eth1 192.168.10.7
subnet 192.168.10.0/24
subnet 192.168.11.0/24
       |
    Internal Network
       |>



Fritz!VPN config:

vpncfg {
         connections {
                 enabled = yes;
                 conn_type = conntype_lan;
                 name = "my.static.dnsname";
                 always_renew = yes;
                 // With reject_not_encrypted = no, traffic for the remote networks is
                 // presumably not blocked while the tunnel is down -- set it to yes if a
                 // plaintext fallback is unwanted (review note: confirm the option's semantics).
                 reject_not_encrypted = no;
                 dont_filter_netbios = yes;
                 localip = 0.0.0.0;
                 local_virtualip = 0.0.0.0;
                 remoteip = 0.0.0.0;
                 remote_virtualip = 0.0.0.0;
                 remotehostname = "my.static.dnsname";
                 // Identities: these correspond to rightid=@peges.local and
                 // leftid=@my.static.dnsname in the Openswan conn.
                 localid {
                         fqdn = "peges.local";
                 }
                 remoteid {
                         fqdn = "my.static.dnsname";
                 }
                 mode = phase1_mode_idp;
                 // "all/all/all" presumably leaves the phase 1 algorithm choice to the
                 // responder's ike= line (aes256-sha1-modp1024 on the Openswan side).
                 phase1ss = "all/all/all";
                 keytype = connkeytype_pre_shared;
                 // Pre-shared key; the same string is configured in the Openswan secrets file.
                 key = "myverysecretauth";
                 cert_do_server_auth = no;
                 // NAT-T is enabled here, but the Openswan "config setup" has
                 // nat_traversal=no -- both sides should agree on this.
                 use_nat_t = yes;
                 use_xauth = no;
                 use_cfgmode = no;
                 phase2localid {
                         ipnet {
                                 ipaddr = 192.168.111.0;
                                 mask = 255.255.255.0;
                         }
                 }
                 // Only 10.37.99.0/24 is proposed as the remote traffic selector, while the
                 // Openswan leftsubnets= lists 10.37.99.0/24, 192.168.10.0/24 and
                 // 192.168.11.0/24 as three separate subnets. The 192.168.10.0/24 and
                 // 192.168.11.0/24 SAs therefore presumably never come up, which would
                 // explain why 192.168.10.7 is unreachable through the tunnel
                 // (review note: check which child SAs are actually established on the
                 // Openswan side).
                 phase2remoteid {
                         ipnet {
                                 ipaddr = 10.37.99.0;
                                 mask = 255.255.255.0;
                         }
                 }
                 phase2ss = "esp-all-all/ah-none/comp-all/pfs";
                 // The access list names all three remote networks, but it does not by
                 // itself add them to the negotiated selector above (review note: confirm
                 // against the Fritz!VPN documentation).
                 accesslist = "permit ip any 10.37.99.0 255.255.255.0",
                              "permit ip any 192.168.10.0 255.255.255.0",
                              "permit ip any 192.168.11.0 255.255.255.0";
         }
         // IKE (UDP 500) and NAT-T (UDP 4500) forwarding rules for the box itself.
         ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                             "udp 0.0.0.0:4500 0.0.0.0:4500";
}

// EOF




openswan config (FC19)
===================================
/etc/ipsec.conf
config setup
         # Use the kernel's native IPsec stack (XFRM).
         protostack=netkey
         dumpdir=/var/run/pluto/
         # NAT traversal is disabled here although the Fritz!Box side sets
         # use_nat_t = yes. A road warrior on an LTE uplink will usually sit
         # behind NAT, so this should normally be yes -- review note: confirm
         # whether Libreswan 3.5 still honours this option at all.
         nat_traversal=no

# Candidate client networks for vhost:%priv style road-warrior conns. The
# conn below pins rightsubnet=192.168.111.0/24, so this list is presumably
# not consulted for it. Review note: this line has lost its indentation
# (mail wrapping?); ipsec.conf options must be indented under their section.
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
         # Review note: the glob *.c would not match rw.conf, and the conn file
         # is shown as /etc/ipsec/rw.conf rather than /etc/ipsec.d/ -- one of
         # these is presumably a transcription slip (usual form: /etc/ipsec.d/*.conf).
         include /etc/ipsec.d/*.c


/etc/ipsec/rw.conf
conn peges-fritz
     type=tunnel
     authby=secret
     # Loaded but not started: right=%any means this side cannot initiate, so
     # the Fritz!Box has to bring the tunnel up.
     auto=add
     compress=yes
     #pfs=no
     pfs=yes
     # Dead peer detection: probe every 15 s, restart the conn after 60 s
     # without an answer.
     dpddelay=15
     dpdtimeout=60
     dpdaction=restart
     # modp1024 (DH group 2) is weak by current standards; prefer modp2048 or
     # stronger if the Fritz!Box offers it. PFS presumably reuses this group,
     # since esp= names none.
     ike=aes256-sha1-modp1024
     esp=aes256-sha1
     # Review note: the Fritz side configures mode = phase1_mode_idp; verify in
     # the pluto log which IKE version is actually negotiated. If it ends up as
     # IKEv1 main mode, a PSK with right=%any cannot be looked up by ID.
     keyexchange=ikev2
     aggrmode=no
     left=194.76.X.X
     leftnexthop=194.76.X.X
     leftsourceip=10.37.99.5
     # Each subnet here becomes a separate IPsec SA that the peer must also
     # negotiate. The Fritz!VPN config above only proposes 10.37.99.0/24, so the
     # 192.168.10.0/24 and 192.168.11.0/24 SAs presumably never come up -- the
     # likely reason traffic to 192.168.10.7 does not cross the tunnel.
     leftsubnets={10.37.99.0/24 192.168.10.0/24 192.168.11.0/24}
     leftid=@my.static.dnsname
     right=%any
     rightsubnet=192.168.111.0/24
     rightid=@peges.local
     # Review note: the Fritz side has use_cfgmode = no, so this address is
     # presumably never handed out -- confirm it is needed.
     rightsourceip=192.168.111.6


/etc/ipsec/rw.secrets
# PSK for the peer identifying as @peges.local from any address; the same
# string is configured as key = "..." on the Fritz!Box. Keep this file
# readable by root only.
@peges.local %any : PSK "myverysecretauth"


/etc/sysconfig/iptables
# Generated by iptables-save v1.4.18 on Tue Nov 26 18:23:46 2013
*nat
:PREROUTING ACCEPT [75:12551]
:INPUT ACCEPT [63:8039]
:OUTPUT ACCEPT [46:5348]
:POSTROUTING ACCEPT [0:0]
# NAT exemption for one of the three tunnelled subnets. There is no
# MASQUERADE/SNAT rule in this dump, so it currently has no effect; if NAT is
# added later, 10.37.99.0/24 and 192.168.11.0/24 (or simply
# "-m policy --dir out --pol ipsec") need the same exemption.
-A POSTROUTING -s 192.168.10.0/24 -d 192.168.111.0/24 -j ACCEPT
COMMIT
# Completed on Tue Nov 26 18:23:46 2013
# Generated by iptables-save v1.4.18 on Tue Nov 26 18:23:46 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [8:448]
:OUTPUT ACCEPT [643:85171]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accepts every ICMP type on every interface, including the Internet side.
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Everything arriving on the DMZ interface is trusted; the SSH rule that
# follows is therefore already covered.
-A INPUT -i eth2 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p esp -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
# IKE runs over UDP only; this TCP 500 rule is presumably a mistake.
-A INPUT -p tcp -m tcp --dport 500 -j ACCEPT
# L2TP (UDP 1701) inside IPsec is not used by this site-to-site setup;
# presumably left over from an L2TP/IPsec template.
-A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j 
ACCEPT
# Anything that arrived through any IPsec SA may reach this host.
-A INPUT -m policy --dir in --pol ipsec -j ACCEPT
# Catch-all: every INPUT rule below this line is unreachable. In particular
# UDP 4500 (NAT-T) is never opened, and the state/ICMP/lo/eth2/SSH rules are
# duplicates of the ones above. Move the two em2 UDP 500/4500 accepts above
# this REJECT and drop the duplicates.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -d 194.76.X.X/32 -i em2 -p udp -m udp --sport 500 --dport 500 -j 
ACCEPT
-A INPUT -d 194.76.X.X/32 -i em2 -p udp -m udp --sport 4500 --dport 4500 
-j ACCEPT
# These two rules accept all IPsec-bound forwarding in both directions, so the
# per-subnet "-m policy" rules further down are subsets of them.
-A FORWARD -o em2 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
# These two have no "-m policy" match: the first accepts cleartext packets
# arriving on the Internet interface with a 192.168.111.0/24 source address
# (and rp_filter is 0 on every interface), the second lets DMZ traffic for
# 192.168.111.0/24 leave em2 unencrypted when no SA is up. The policy-bound
# copies at the end of this chain already cover the legitimate case, so these
# two can be removed.
-A FORWARD -s 192.168.111.0/24 -d 10.37.99.0/24 -i em2 -o eth2 -j ACCEPT
-A FORWARD -s 10.37.99.0/24 -d 192.168.111.0/24 -i eth2 -o em2 -j ACCEPT
# 192.168.99.0/24 does not appear anywhere else in the setup; the matching
# outbound rule below uses 192.168.10.0/24, so this is presumably a typo.
-A FORWARD -s 192.168.111.0/24 -d 192.168.99.0/24 -i em2 -o eth2 -m policy 
--dir in --pol ipsec --mode tunnel --tunnel-dst 194.76.X.X --tunnel-src 
0.0.0.0/0 -j ACCEPT
-A FORWARD -s 192.168.10.0/24 -d 192.168.111.0/24 -i eth2 -o em2 -m policy 
--dir out --pol ipsec --mode tunnel --tunnel-dst 0.0.0.0/0 --tunnel-src 
194.76.X.X -j ACCEPT
-A FORWARD -s 192.168.111.0/24 -d 192.168.11.0/24 -i em2 -o eth2 -m policy 
--dir in --pol ipsec --mode tunnel --tunnel-dst 194.76.X.X --tunnel-src 
0.0.0.0/0 -j ACCEPT
-A FORWARD -s 192.168.11.0/24 -d 192.168.111.0/24 -i eth2 -o em2 -m policy 
--dir out --pol ipsec --mode tunnel --tunnel-dst 0.0.0.0/0 --tunnel-src 
194.76.X.X -j ACCEPT
# Policy-bound versions of the two unqualified 192.168.111.0/24 <-> 10.37.99.0/24
# rules above.
-A FORWARD -s 192.168.111.0/24 -d 10.37.99.0/24 -i em2 -o eth2 -m policy 
--dir in --pol ipsec --mode tunnel --tunnel-dst 194.76.X.X --tunnel-src 
0.0.0.0/0 -j ACCEPT
-A FORWARD -s 10.37.99.0/24 -d 192.168.111.0/24 -i eth2 -o em2 -m policy 
--dir out --pol ipsec --mode tunnel --tunnel-dst 0.0.0.0/0 --tunnel-src 
194.76.X.X -j ACCEPT
COMMIT
# Completed on Tue Nov 26 18:23:46 2013


/etc/sysctl.d/ip4forward.conf
# Route between em2 (Internet/IPsec), eth2 (DMZ) and the tunnel.
net.ipv4.ip_forward = 1
# Reverse-path filtering is switched off on every interface below. Together
# with the FORWARD rules that accept unencrypted 192.168.111.0/24 traffic on
# em2, this removes the kernel's anti-spoofing check. With netkey it is usually
# only the IPsec-carrying interface (em2 here) that needs it; consider leaving
# it on elsewhere, or using loose mode (2) instead of 0.
net.ipv4.conf.default.rp_filter = 0
# Only the "default" (new-interface) value is set; add the matching
# net.ipv4.conf.all.accept_source_route = 0 so existing interfaces are covered
# too, as is done for rp_filter and the redirect settings.
net.ipv4.conf.default.accept_source_route = 0
# ICMP redirects are disabled in both directions, presumably following the
# usual netkey recommendation so the kernel does not redirect peers around
# the tunnel.
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Duplicate of the default.send_redirects line above; harmless.
net.ipv4.conf.default.send_redirects = 0
# em1 and em4 are not mentioned elsewhere in the post; presumably further
# NICs on the same box.
net.ipv4.conf.em1.rp_filter = 0
net.ipv4.conf.em2.rp_filter = 0
net.ipv4.conf.em4.rp_filter = 0
net.ipv4.conf.eth2.rp_filter = 0


greetings,

Peter

~
--------------------------------
Peter Gerland, Northeim, Germany
peter at peges.de
--------------------------------

