[Openswan Users] Fritz!VPN working example, but some routing problems
Peter Gerland
peter at peges.de
Wed Nov 27 09:54:52 UTC 2013
I've set up an working Roadwarrior-ipsec connection from FRITZ!Box 6842
LTE (Roadwarrior) to
OpenSwan on Fedora 19 -- Linux Libreswan 3.5 (netkey) on
3.11.8-200.fc19.x86_64 --
No I went in routing problems.
>From 192.168.111.0/24 I can ping all Servers in Subnet 10.37.99.0/24
>From 10.37.99.0/24 i can ping all Servers in Subnet 192.168.111.0/24
I can't ping from 192.168.111.0 to 192.168.10.7 and vise versa.
But after the tunnel comes up, the route 192.168.111.0 is announced via
ripd to 192.168.10.7.
I've also tested it without ripd and setting the route to 192.168.111.0/24
manually on 192.168.10.7
It seems that the packets don't went beyound the tunnel.
Could sombody help me?
Here my setup (could somebody put it in the Openswan-Wiki as Working Site-Site config?):
Fritz!Box Rodwarrior
OpenswanFC19
Internal Network
Subnet 192.168.111.0/24
|
Internet
|
FC 19 x64 OpenSwan
quagga, zebra +ripd
Subnet 194.76.X.X/24
em2 static 194.76.X.X
eth2 static 10.37.99.5
Subnet 10.37.99.0/24
|
DMZ
|
CentOS 4
quagga, zebra +ripd
Subnet 10.37.99.0/24
eth0 10.37.99.3
eth1 192.168.10.7
subnet 192.168.10.0/24
subnet 192.168.11.0/24
|
Internal Network
|>
Fritz!VPN config:
vpncfg {
connections {
enabled = yes;
conn_type = conntype_lan;
name = "my.static.dnsname";
always_renew = yes;
reject_not_encrypted = no;
dont_filter_netbios = yes;
localip = 0.0.0.0;
local_virtualip = 0.0.0.0;
remoteip = 0.0.0.0;
remote_virtualip = 0.0.0.0;
remotehostname = "my.static.dnsname";
localid {
fqdn = "peges.local";
}
remoteid {
fqdn = "my.static.dnsname";
}
mode = phase1_mode_idp;
phase1ss = "all/all/all";
keytype = connkeytype_pre_shared;
key = "myverysecretauth";
cert_do_server_auth = no;
use_nat_t = yes;
use_xauth = no;
use_cfgmode = no;
phase2localid {
ipnet {
ipaddr = 192.168.111.0;
mask = 255.255.255.0;
}
}
phase2remoteid {
ipnet {
ipaddr = 10.37.99.0;
mask = 255.255.255.0;
}
}
phase2ss = "esp-all-all/ah-none/comp-all/pfs";
accesslist = "permit ip any 10.37.99.0 255.255.255.0",
"permit ip any 192.168.10.0 255.255.255.0",
"permit ip any 192.168.11.0 255.255.255.0";
}
ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
"udp 0.0.0.0:4500 0.0.0.0:4500";
}
// EOF
openswan config (FC19)
===================================
/etc/ipsec.conf
config setup
protostack=netkey
dumpdir=/var/run/pluto/
nat_traversal=no
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
include /etc/ipsec.d/*.c
/etc/ipsec/rw.conf
conn peges-fritz
type=tunnel
authby=secret
auto=add
compress=yes
#pfs=no
pfs=yes
dpddelay=15
dpdtimeout=60
dpdaction=restart
ike=aes256-sha1-modp1024
esp=aes256-sha1
keyexchange=ikev2
aggrmode=no
left=194.76.X.X
leftnexthop=194.76.X.X
leftsourceip=10.37.99.5
leftsubnets={10.37.99.0/24 192.168.10.0/24 192.168.11.0/24}
leftid=@my.static.dnsname
right=%any
rightsubnet=192.168.111.0/24
rightid=@peges.local
rightsourceip=192.168.111.6
/etc/ipsec/rw.secrets
@peges.local %any : PSK "myverysecretauth"
/etc/sysconfig/iptables
# Generated by iptables-save v1.4.18 on Tue Nov 26 18:23:46 2013
*nat
:PREROUTING ACCEPT [75:12551]
:INPUT ACCEPT [63:8039]
:OUTPUT ACCEPT [46:5348]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.10.0/24 -d 192.168.111.0/24 -j ACCEPT
COMMIT
# Completed on Tue Nov 26 18:23:46 2013
# Generated by iptables-save v1.4.18 on Tue Nov 26 18:23:46 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [8:448]
:OUTPUT ACCEPT [643:85171]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p esp -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 500 -j ACCEPT
-A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j
ACCEPT
-A INPUT -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -d 194.76.X.X/32 -i em2 -p udp -m udp --sport 500 --dport 500 -j
ACCEPT
-A INPUT -d 194.76.X.X/32 -i em2 -p udp -m udp --sport 4500 --dport 4500
-j ACCEPT
-A FORWARD -o em2 -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -s 192.168.111.0/24 -d 10.37.99.0/24 -i em2 -o eth2 -j ACCEPT
-A FORWARD -s 10.37.99.0/24 -d 192.168.111.0/24 -i eth2 -o em2 -j ACCEPT
-A FORWARD -s 192.168.111.0/24 -d 192.168.99.0/24 -i em2 -o eth2 -m policy
--dir in --pol ipsec --mode tunnel --tunnel-dst 194.76.X.X --tunnel-src
0.0.0.0/0 -j ACCEPT
-A FORWARD -s 192.168.10.0/24 -d 192.168.111.0/24 -i eth2 -o em2 -m policy
--dir out --pol ipsec --mode tunnel --tunnel-dst 0.0.0.0/0 --tunnel-src
194.76.X.X -j ACCEPT
-A FORWARD -s 192.168.111.0/24 -d 192.168.11.0/24 -i em2 -o eth2 -m policy
--dir in --pol ipsec --mode tunnel --tunnel-dst 194.76.X.X --tunnel-src
0.0.0.0/0 -j ACCEPT
-A FORWARD -s 192.168.11.0/24 -d 192.168.111.0/24 -i eth2 -o em2 -m policy
--dir out --pol ipsec --mode tunnel --tunnel-dst 0.0.0.0/0 --tunnel-src
194.76.X.X -j ACCEPT
-A FORWARD -s 192.168.111.0/24 -d 10.37.99.0/24 -i em2 -o eth2 -m policy
--dir in --pol ipsec --mode tunnel --tunnel-dst 194.76.X.X --tunnel-src
0.0.0.0/0 -j ACCEPT
-A FORWARD -s 10.37.99.0/24 -d 192.168.111.0/24 -i eth2 -o em2 -m policy
--dir out --pol ipsec --mode tunnel --tunnel-dst 0.0.0.0/0 --tunnel-src
194.76.X.X -j ACCEPT
COMMIT
# Completed on Tue Nov 26 18:23:46 2013
/etc/sysctl.d/ip4forward.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.em1.rp_filter = 0
net.ipv4.conf.em2.rp_filter = 0
net.ipv4.conf.em4.rp_filter = 0
net.ipv4.conf.eth2.rp_filter = 0
greetings,
Peter
~
--------------------------------
Peter Gerland, Northeim, Germany
peter at peges.de
--------------------------------
More information about the Users
mailing list