[Openswan Users] Hub and Spoke issue

Steven Tye srtye at outlook.com
Wed Jul 2 14:24:53 EDT 2014


That had no effect.  Still no pings.

 

From: Nick Howitt [mailto:nick at howitts.co.uk] 
Sent: Wednesday, July 2, 2014 2:22 PM
To: Steven Tye
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] Hub and Spoke issue

 

It is not quite the standard firewall set up that I am used to and I'm
struggling to follow each chain through. It is a very permissive set up with
virtually no DROP lines and no drop policies.

You may be able to add a couple of rules:

sudo iptables -I FORWARD -i tun+ -j ACCEPT
sudo iptables -I FORWARD -o tun+ -j ACCEPT


To delete the rules change -I to -D.

There are also marking rules so there may be some interaction between the
firewall and routing tables.

On 02/07/2014 18:32, Steven Tye wrote:

Found , but not sure what to look for.

 

Oregon:~$ sudo iptables -L

Chain INPUT (policy ACCEPT)

target     prot opt source               destination         

AS0_ACCEPT  all  --  anywhere             anywhere             state
RELATED,ESTABLISHED

AS0_ACCEPT  all  --  anywhere             anywhere            

AS0_IN_PRE  all  --  anywhere             anywhere             mark match
0x2000000/0x2000000

AS0_ACCEPT  udp  --  anywhere             anywhere             state NEW udp
dpt:openvpn

AS0_ACCEPT  tcp  --  anywhere             anywhere             state NEW tcp
dpt:https

AS0_WEBACCEPT  all  --  anywhere             anywhere             state
RELATED,ESTABLISHED

AS0_WEBACCEPT  tcp  --  anywhere             anywhere             state NEW
tcp dpt:943

 

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination         

AS0_ACCEPT  all  --  anywhere             anywhere             state
RELATED,ESTABLISHED

AS0_IN_PRE  all  --  anywhere             anywhere             mark match
0x2000000/0x2000000

AS0_OUT_S2C  all  --  anywhere             anywhere            

 

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination         

AS0_OUT_LOCAL  all  --  anywhere             anywhere            

 

Chain AS0_ACCEPT (5 references)

target     prot opt source               destination         

ACCEPT     all  --  anywhere             anywhere            

 

Chain AS0_IN (3 references)

target     prot opt source               destination         

ACCEPT     all  --  anywhere             192.168.10.1        

AS0_IN_POST  all  --  anywhere             anywhere            

 

Chain AS0_IN_NAT (0 references)

target     prot opt source               destination         

MARK       all  --  anywhere             anywhere             MARK or
0x8000000

ACCEPT     all  --  anywhere             anywhere            

 

Chain AS0_IN_POST (1 references)

target     prot opt source               destination         

ACCEPT     all  --  anywhere             192.168.10.0/24     

ACCEPT     all  --  anywhere             192.168.69.0/24     

ACCEPT     all  --  anywhere             10.0.0.0/16         

ACCEPT     all  --  anywhere             172.31.0.0/16       

AS0_OUT    all  --  anywhere             anywhere            

DROP       all  --  anywhere             anywhere            

 

Chain AS0_IN_PRE (2 references)

target     prot opt source               destination         

AS0_IN     all  --  anywhere             192.168.0.0/16      

AS0_IN     all  --  anywhere             172.16.0.0/12       

AS0_IN     all  --  anywhere             10.0.0.0/8          

ACCEPT     all  --  anywhere             anywhere            

 

Chain AS0_IN_ROUTE (0 references)

target     prot opt source               destination         

MARK       all  --  anywhere             anywhere             MARK or
0x4000000

ACCEPT     all  --  anywhere             anywhere            

 

Chain AS0_OUT (2 references)

target     prot opt source               destination         

AS0_OUT_POST  all  --  anywhere             anywhere            

 

Chain AS0_OUT_LOCAL (1 references)

target     prot opt source               destination         

DROP       icmp --  anywhere             anywhere             icmp redirect

ACCEPT     all  --  anywhere             anywhere            

 

Chain AS0_OUT_POST (1 references)

target     prot opt source               destination         

DROP       all  --  anywhere             anywhere            

 

Chain AS0_OUT_S2C (1 references)

target     prot opt source               destination         

ACCEPT     all  --  192.168.10.0/24      anywhere            

ACCEPT     all  --  192.168.69.0/24      anywhere            

ACCEPT     all  --  10.0.0.0/16          anywhere            

ACCEPT     all  --  172.31.0.0/16        anywhere            

AS0_OUT    all  --  anywhere             anywhere            

 

Chain AS0_WEBACCEPT (2 references)

target     prot opt source               destination         

ACCEPT     all  --  anywhere             anywhere

 

From: Nick Howitt [mailto:nick at howitts.co.uk] 
Sent: Wednesday, July 2, 2014 1:22 PM
To: Steven Tye
Cc: users at lists.openswan.org <mailto:users at lists.openswan.org> 
Subject: Re: [Openswan Users] Hub and Spoke issue

 

I've just got home.

I suggest at this point it is an OpenVPN issue. Splitting the OpenVPN subnet
into two subnets in ipsec.conf serves no purpose. I'd have to look up the
OpenVPN configs to see how they worked. Also check for firewalling issues.
Does the firewall in Oregon only allow local subnet traffic to OpenVPN?

Nick

On 02/07/2014 18:13, Steven Tye wrote:

 
Yeah so
192.168.10.1/25
&
192.168.10.129/25
 
Are the gateways for the OpenVPN networks.
 
Both are accessible all the way out in Ireland and Sao Paulo.
 
However the client cannot be pinged from anywhere except on the Oregon
server.
The Client can ping all the way out to Ireland and Sao Paulo though.
 
Stumped now
 
-----Original Message-----
From: Steven Tye [mailto:srtye at outlook.com] 
Sent: Wednesday, July 2, 2014 12:54 PM
To: 'Nick Howitt'
Cc: users at lists.openswan.org <mailto:users at lists.openswan.org> 
Subject: RE: [Openswan Users] Hub and Spoke issue
 
Just found that I can ping 192.168.10.1 which is the virtual
gateway.......from Ireland.
 
-----Original Message-----
From: Steven Tye [mailto:srtye at outlook.com]
Sent: Wednesday, July 2, 2014 12:40 PM
To: 'Nick Howitt'
Cc: users at lists.openswan.org <mailto:users at lists.openswan.org> 
Subject: RE: [Openswan Users] Hub and Spoke issue
 
Traceroute
 
Ireland:~$ traceroute 192.168.10.130
 
traceroute to 192.168.10.130 (192.168.10.130), 30 hops max, 60 byte packets
 1  ip-10-0-0-12.eu-west-1.compute.internal (10.0.0.12)  217.839 ms  217.793
ms  217.731 ms
 2  ip-172-31-33-163.eu-west-1.compute.internal (172.31.33.163)  424.701 ms
424.871 ms  424.831 ms
 3  * * *
 4  * * *
 5  * * *
..................
 
So it's actually making it to Oregon but not the client.
 
Oregon
Oregon:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use
Iface
default         172.31.32.1     0.0.0.0         UG    0      0        0 eth0
172.31.32.0     *               255.255.240.0   U     0      0        0 eth0
192.168.10.0    *               255.255.255.128 U     0      0        0
as0t0
192.168.10.128  *               255.255.255.128 U     0      0        0
as0t1
 
 
I see the way that OpenVPN is separating the 192.168.10.0/24 network in two.
I wonder if I need to add 192.168.10.0/25 & 192.168.10.128/25 to the
ipsec.conf files?
 
 
-----Original Message-----
From: Steven Tye [mailto:srtye at outlook.com]
Sent: Wednesday, July 2, 2014 12:32 PM
To: 'Nick Howitt'
Cc: users at lists.openswan.org <mailto:users at lists.openswan.org> 
Subject: RE: [Openswan Users] Hub and Spoke issue
 
Gotcha...fixed that....
Here is where are now
 
I can ping from the client all the way to 192.168.69.62 (Ireland) I cannot
ping the client from SaoPaulo or Ireland
 
conn SauPaulo-to-Oregon
        type=tunnel
        authby=secret
        left=%defaultroute
        leftid=54.232.199.31
        leftnexthop=%defaultroute
        leftsubnets=10.0.0.0/16,192.168.69.0/24
        right=54.186.82.78
        rightsubnets=172.31.0.0/16,192.168.10.0/24
        ike=aes256-sha
        esp=aes256-sha1
        pfs=yes
        auto=start
 
conn SauPaulo-to-Ireland
        type=tunnel
        authby=secret
        left=%defaultroute
        leftid=54.232.199.31
        leftnexthop=%defaultroute
        leftsubnets=10.0.0.0/16,172.31.0.0/16,192.168.10.0/24
        right=54.76.160.103
        rightsubnets=192.168.69.0/24
        ike=aes256-sha
        esp=aes256-sha1
        pfs=yes
        auto=start
 
Oregon
conn Oregon-to-SauPaulo
        type=tunnel
        authby=secret
        left=%defaultroute
        leftid=54.186.82.78
        leftnexthop=%defaultroute
        leftsubnets=172.31.0.0/16,192.168.10.0/24
        right=54.232.199.31
        rightsubnets=10.0.0.0/16,192.168.69.0/24
        ike=aes256-sha
        esp=aes256-sha1
        pfs=yes
        auto=start
 
 
Ireland
conn Ireland-to-SaoPaulo
        type=tunnel
        authby=secret
        left=%defaultroute
        leftid=54.76.160.103
        leftnexthop=%defaultroute
        leftsubnet=192.168.69.0/24
        right=54.232.199.31
        rightsubnets=10.0.0.0/16,172.31.0.0/16,192.168.10.0/24
        ike=aes256-sha
        esp=aes256-sha1
        pfs=yes
        auto=start
 
 
 
-----Original Message-----
From: Nick Howitt [mailto:nick at howitts.co.uk]
Sent: Wednesday, July 2, 2014 12:30 PM
To: Steven Tye
Cc: users at lists.openswan.org <mailto:users at lists.openswan.org> 
Subject: RE: [Openswan Users] Hub and Spoke issue
 
SauPaulo-to-Oregon rightsubnets is missing 192.168.10.0/24
 
On 2014-07-02 17:14, Steven Tye wrote:

OpenVPN has this setting
 
Routing
 
 Should VPN clients have access to private subnets (non-public 
networks on the server side)?
 
 NO No
 
 NO Yes, using NAT
 
CHECK Yes, using routing (advanced)
 
Specify the private subnets to which all clients should be given 
access (as 'network/netmask_bits', one per line)
 
172.31.0.0/16
 
10.0.0.0/16
 
192.168.69.0/24
 
192.168.10.0/24
 
Cleaned up the ipsec.conf as you suggested:
 
conn SauPaulo-to-Oregon
 
 type=tunnel
 
 authby=secret
 
 left=%defaultroute
 
 leftid=54.232.199.31
 
 leftnexthop=%defaultroute
 
 leftsubnets=10.0.0.0/16,192.168.69.0/24
 
 right=54.186.82.78
 
 rightsubnets=172.31.0.0/16
 
 ike=aes256-sha
 
 esp=aes256-sha1
 
 pfs=yes
 
 auto=start
 
conn SauPaulo-to-Ireland
 
 type=tunnel
 
 authby=secret
 
 left=%defaultroute
 
 leftid=54.232.199.31
 
 leftnexthop=%defaultroute
 
 leftsubnets=10.0.0.0/16,172.31.0.0/16,192.168.10.0/24
 
 right=54.76.160.103
 
 rightsubnets=192.168.69.0/24
 
 ike=aes256-sha
 
 esp=aes256-sha1
 
 pfs=yes
 
 auto=start
 
Now I cannot ping from client to/from hub.
 
Oregon
 
conn Oregon-to-SauPaulo
 
 type=tunnel
 
 authby=secret
 
 left=%defaultroute
 
 leftid=54.186.82.78
 
 leftnexthop=%defaultroute
 
 leftsubnets=172.31.0.0/16,192.168.10.0/24
 
 right=54.232.199.31
 
 rightsubnets=10.0.0.0/16,192.168.69.0/24
 
 ike=aes256-sha
 
 esp=aes256-sha1
 
 pfs=yes
 
 auto=start
 
Ireland
 
conn Ireland-to-SaoPaulo
 
 type=tunnel
 
 authby=secret
 
 left=%defaultroute
 
 leftid=54.76.160.103
 
 leftnexthop=%defaultroute
 
 leftsubnet=192.168.69.0/24
 
 right=54.232.199.31
 
 rightsubnets=10.0.0.0/16,172.31.0.0/16,192.168.10.0/24
 
 ike=aes256-sha
 
 esp=aes256-sha1
 
 pfs=yes
 
 auto=start
 
-----Original Message-----
From: Nick Howitt [mailto:nick at howitts.co.uk]
Sent: Wednesday, July 2, 2014 12:03 PM
To: steve
Cc: users at lists.openswan.org <mailto:users at lists.openswan.org> 
Subject: Re: [Openswan Users] Hub and Spoke issue
 
In OpenVPN are you also pushing a route to 192.168.69.0/24?
 
Something also looks wrong in your conns. You should have:
 
conn SauPaulo-to-Oregon
 
 leftsubnets=SauPaulo's_subnets, Ireland's_subnets
 
 rightsubnets=Oregon's_subnets
 
conn SauPaulo-to-Ireland
 
 leftsubnets=SauPaulo's_subnets, Oregon's_subnets
 
 rightsubnets=Ireland's_subnets
 
You appear to have 192.168.10.0/24 in both Ireland and Oregon
 
Nick
 
On 2014-07-02 16:39, steve wrote:
 

Nick, awesome. I am almost there.

 

I am able to now ping from spoke to spoke. However, I am trying to

 

ping from my client at 192.168.10.0/24 through to Ireland,

 

192.168.69.0/24 and its fails. Should the 192.168.10.0/24 network be

 
 

added anywhere else?

 

 

 

Here is my new Hub IPsec.conf

 

Hub

 

conn SauPaulo-to-Oregon

 

type=tunnel

 

authby=secret

 

left=%defaultroute

 

leftid=54.232.199.31

 

leftnexthop=%defaultroute

 

leftsubnets=10.0.0.0/16,192.168.69.0/24

 

right=54.186.82.78

 

rightsubnets=172.31.0.0/16,192.168.10.0/24,192.168.69.0/24

 

ike=aes256-sha

 

esp=aes256-sha1

 

pfs=yes

 

auto=start

 

 

 

conn SauPaulo-to-Ireland

 

type=tunnel

 

authby=secret

 

left=%defaultroute

 

leftid=54.232.199.31

 

leftnexthop=%defaultroute

 

leftsubnets=10.0.0.0/16,172.31.0.0/16

 

right=54.76.160.103

 

rightsubnets=172.31.0.0/16,192.168.10.0/24,192.168.69.0/24

 

ike=aes256-sha

 

esp=aes256-sha1

 

pfs=yes

 

auto=start

 

 

 

_______________________________________________

 

Users at lists.openswan.org <mailto:Users at lists.openswan.org> 

 

https://lists.openswan.org/mailman/listinfo/users [1]

 

Micropayments:

 

https://flattr.com/thing/38387/IPsec-for-Linux-made-easy [2]

 

Building and Integrating Virtual Private Networks with Openswan:

 

 

http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=2831
[3]
 

55

 
Links:
------
[1] https://lists.openswan.org/mailman/listinfo/users
[2] https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
[3]
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=2831

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20140702/0d039300/attachment-0001.html>


More information about the Users mailing list