[Openswan Users] Hub and Spoke issue
Steven Tye
srtye at outlook.com
Wed Jul 2 16:00:49 EDT 2014
I have it set to routing. For me this is working. I installed an email
server on the far (Ireland) server and I am able to send and receive email.
From an engineering perspective, I don't understand how this is getting
blocked; that was the only thing.
I really appreciate your help.
Steve
From: Nick Howitt [mailto:nick at howitts.co.uk]
Sent: Wednesday, July 2, 2014 2:40 PM
To: Steven Tye
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] Hub and Spoke issue
In your OpenVPN set up what does this mean:
Should VPN clients have access to private subnets (non-public
networks on the server side)?
( ) No
( ) Yes, using NAT
(x) Yes, using routing (advanced)
You probably do not want to use NAT as it will (?) block traffic to the
remote clients. It is probably best to give direct access if you can.
On 02/07/2014 19:24, Steven Tye wrote:
That had no effect. Still no pings.
From: Nick Howitt [mailto:nick at howitts.co.uk]
Sent: Wednesday, July 2, 2014 2:22 PM
To: Steven Tye
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] Hub and Spoke issue
It is not quite the standard firewall set up that I am used to and I'm
struggling to follow each chain through. It is a very permissive set up with
virtually no DROP lines and no drop policies.
You may be able to add a couple of rules:
sudo iptables -I FORWARD -i tun+ -j ACCEPT
sudo iptables -I FORWARD -o tun+ -j ACCEPT
To delete the rules change -I to -D.
There are also marking rules so there may be some interaction between the
firewall and routing tables.
On 02/07/2014 18:32, Steven Tye wrote:
Found, but not sure what to look for.
Oregon:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target        prot opt source               destination
AS0_ACCEPT    all  --  anywhere             anywhere             state RELATED,ESTABLISHED
AS0_ACCEPT    all  --  anywhere             anywhere
AS0_IN_PRE    all  --  anywhere             anywhere             mark match 0x2000000/0x2000000
AS0_ACCEPT    udp  --  anywhere             anywhere             state NEW udp dpt:openvpn
AS0_ACCEPT    tcp  --  anywhere             anywhere             state NEW tcp dpt:https
AS0_WEBACCEPT all  --  anywhere             anywhere             state RELATED,ESTABLISHED
AS0_WEBACCEPT tcp  --  anywhere             anywhere             state NEW tcp dpt:943

Chain FORWARD (policy ACCEPT)
target        prot opt source               destination
AS0_ACCEPT    all  --  anywhere             anywhere             state RELATED,ESTABLISHED
AS0_IN_PRE    all  --  anywhere             anywhere             mark match 0x2000000/0x2000000
AS0_OUT_S2C   all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target        prot opt source               destination
AS0_OUT_LOCAL all  --  anywhere             anywhere

Chain AS0_ACCEPT (5 references)
target        prot opt source               destination
ACCEPT        all  --  anywhere             anywhere

Chain AS0_IN (3 references)
target        prot opt source               destination
ACCEPT        all  --  anywhere             192.168.10.1
AS0_IN_POST   all  --  anywhere             anywhere

Chain AS0_IN_NAT (0 references)
target        prot opt source               destination
MARK          all  --  anywhere             anywhere             MARK or 0x8000000
ACCEPT        all  --  anywhere             anywhere

Chain AS0_IN_POST (1 references)
target        prot opt source               destination
ACCEPT        all  --  anywhere             192.168.10.0/24
ACCEPT        all  --  anywhere             192.168.69.0/24
ACCEPT        all  --  anywhere             10.0.0.0/16
ACCEPT        all  --  anywhere             172.31.0.0/16
AS0_OUT       all  --  anywhere             anywhere
DROP          all  --  anywhere             anywhere

Chain AS0_IN_PRE (2 references)
target        prot opt source               destination
AS0_IN        all  --  anywhere             192.168.0.0/16
AS0_IN        all  --  anywhere             172.16.0.0/12
AS0_IN        all  --  anywhere             10.0.0.0/8
ACCEPT        all  --  anywhere             anywhere

Chain AS0_IN_ROUTE (0 references)
target        prot opt source               destination
MARK          all  --  anywhere             anywhere             MARK or 0x4000000
ACCEPT        all  --  anywhere             anywhere

Chain AS0_OUT (2 references)
target        prot opt source               destination
AS0_OUT_POST  all  --  anywhere             anywhere

Chain AS0_OUT_LOCAL (1 references)
target        prot opt source               destination
DROP          icmp --  anywhere             anywhere             icmp redirect
ACCEPT        all  --  anywhere             anywhere

Chain AS0_OUT_POST (1 references)
target        prot opt source               destination
DROP          all  --  anywhere             anywhere

Chain AS0_OUT_S2C (1 references)
target        prot opt source               destination
ACCEPT        all  --  192.168.10.0/24      anywhere
ACCEPT        all  --  192.168.69.0/24      anywhere
ACCEPT        all  --  10.0.0.0/16          anywhere
ACCEPT        all  --  172.31.0.0/16        anywhere
AS0_OUT       all  --  anywhere             anywhere

Chain AS0_WEBACCEPT (2 references)
target        prot opt source               destination
ACCEPT        all  --  anywhere             anywhere
From: Nick Howitt [mailto:nick at howitts.co.uk]
Sent: Wednesday, July 2, 2014 1:22 PM
To: Steven Tye
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] Hub and Spoke issue
I've just got home.
I suggest at this point it is an OpenVPN issue. Splitting the OpenVPN subnet
into two subnets in ipsec.conf serves no purpose. I'd have to look up the
OpenVPN configs to see how they worked. Also check for firewalling issues.
Does the firewall in Oregon only allow local subnet traffic to OpenVPN?
Nick
On 02/07/2014 18:13, Steven Tye wrote:
Yeah so
192.168.10.1/25
&
192.168.10.129/25
Are the gateways for the OpenVPN networks.
Both are accessible all the way out in Ireland and Sao Paulo.
However the client cannot be pinged from anywhere except on the Oregon
server.
The Client can ping all the way out to Ireland and Sao Paulo though.
Stumped now
-----Original Message-----
From: Steven Tye [mailto:srtye at outlook.com]
Sent: Wednesday, July 2, 2014 12:54 PM
To: 'Nick Howitt'
Cc: users at lists.openswan.org
Subject: RE: [Openswan Users] Hub and Spoke issue
Just found that I can ping 192.168.10.1 which is the virtual
gateway.......from Ireland.
-----Original Message-----
From: Steven Tye [mailto:srtye at outlook.com]
Sent: Wednesday, July 2, 2014 12:40 PM
To: 'Nick Howitt'
Cc: users at lists.openswan.org
Subject: RE: [Openswan Users] Hub and Spoke issue
Traceroute
Ireland:~$ traceroute 192.168.10.130
traceroute to 192.168.10.130 (192.168.10.130), 30 hops max, 60 byte packets
 1  ip-10-0-0-12.eu-west-1.compute.internal (10.0.0.12)  217.839 ms  217.793 ms  217.731 ms
 2  ip-172-31-33-163.eu-west-1.compute.internal (172.31.33.163)  424.701 ms  424.871 ms  424.831 ms
 3  * * *
 4  * * *
 5  * * *
..................
So it's actually making it to Oregon but not the client.
Oregon
Oregon:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.31.32.1     0.0.0.0         UG    0      0        0 eth0
172.31.32.0     *               255.255.240.0   U     0      0        0 eth0
192.168.10.0    *               255.255.255.128 U     0      0        0 as0t0
192.168.10.128  *               255.255.255.128 U     0      0        0 as0t1
I see the way that OpenVPN is separating the 192.168.10.0/24 network in two.
I wonder if I need to add 192.168.10.0/25 & 192.168.10.128/25 to the
ipsec.conf files?
-----Original Message-----
From: Steven Tye [mailto:srtye at outlook.com]
Sent: Wednesday, July 2, 2014 12:32 PM
To: 'Nick Howitt'
Cc: users at lists.openswan.org
Subject: RE: [Openswan Users] Hub and Spoke issue
Gotcha... fixed that.
Here is where we are now.
I can ping from the client all the way to 192.168.69.62 (Ireland). I cannot
ping the client from SaoPaulo or Ireland.
conn SauPaulo-to-Oregon
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=54.232.199.31
    leftnexthop=%defaultroute
    leftsubnets=10.0.0.0/16,192.168.69.0/24
    right=54.186.82.78
    rightsubnets=172.31.0.0/16,192.168.10.0/24
    ike=aes256-sha
    esp=aes256-sha1
    pfs=yes
    auto=start

conn SauPaulo-to-Ireland
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=54.232.199.31
    leftnexthop=%defaultroute
    leftsubnets=10.0.0.0/16,172.31.0.0/16,192.168.10.0/24
    right=54.76.160.103
    rightsubnets=192.168.69.0/24
    ike=aes256-sha
    esp=aes256-sha1
    pfs=yes
    auto=start
Oregon
conn Oregon-to-SauPaulo
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=54.186.82.78
    leftnexthop=%defaultroute
    leftsubnets=172.31.0.0/16,192.168.10.0/24
    right=54.232.199.31
    rightsubnets=10.0.0.0/16,192.168.69.0/24
    ike=aes256-sha
    esp=aes256-sha1
    pfs=yes
    auto=start
Ireland
conn Ireland-to-SaoPaulo
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=54.76.160.103
    leftnexthop=%defaultroute
    leftsubnet=192.168.69.0/24
    right=54.232.199.31
    rightsubnets=10.0.0.0/16,172.31.0.0/16,192.168.10.0/24
    ike=aes256-sha
    esp=aes256-sha1
    pfs=yes
    auto=start
-----Original Message-----
From: Nick Howitt [mailto:nick at howitts.co.uk]
Sent: Wednesday, July 2, 2014 12:30 PM
To: Steven Tye
Cc: users at lists.openswan.org
Subject: RE: [Openswan Users] Hub and Spoke issue
SauPaulo-to-Oregon rightsubnets is missing 192.168.10.0/24
On 2014-07-02 17:14, Steven Tye wrote:
OpenVPN has this setting
Routing
Should VPN clients have access to private subnets (non-public
networks on the server side)?
( ) No
( ) Yes, using NAT
(x) Yes, using routing (advanced)
Specify the private subnets to which all clients should be given
access (as 'network/netmask_bits', one per line)
172.31.0.0/16
10.0.0.0/16
192.168.69.0/24
192.168.10.0/24
Cleaned up the ipsec.conf as you suggested:
conn SauPaulo-to-Oregon
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=54.232.199.31
    leftnexthop=%defaultroute
    leftsubnets=10.0.0.0/16,192.168.69.0/24
    right=54.186.82.78
    rightsubnets=172.31.0.0/16
    ike=aes256-sha
    esp=aes256-sha1
    pfs=yes
    auto=start

conn SauPaulo-to-Ireland
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=54.232.199.31
    leftnexthop=%defaultroute
    leftsubnets=10.0.0.0/16,172.31.0.0/16,192.168.10.0/24
    right=54.76.160.103
    rightsubnets=192.168.69.0/24
    ike=aes256-sha
    esp=aes256-sha1
    pfs=yes
    auto=start
Now I cannot ping from client to/from hub.
Oregon
conn Oregon-to-SauPaulo
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=54.186.82.78
    leftnexthop=%defaultroute
    leftsubnets=172.31.0.0/16,192.168.10.0/24
    right=54.232.199.31
    rightsubnets=10.0.0.0/16,192.168.69.0/24
    ike=aes256-sha
    esp=aes256-sha1
    pfs=yes
    auto=start
Ireland
conn Ireland-to-SaoPaulo
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=54.76.160.103
    leftnexthop=%defaultroute
    leftsubnet=192.168.69.0/24
    right=54.232.199.31
    rightsubnets=10.0.0.0/16,172.31.0.0/16,192.168.10.0/24
    ike=aes256-sha
    esp=aes256-sha1
    pfs=yes
    auto=start
-----Original Message-----
From: Nick Howitt [mailto:nick at howitts.co.uk]
Sent: Wednesday, July 2, 2014 12:03 PM
To: steve
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] Hub and Spoke issue
In OpenVPN are you also pushing a route to 192.168.69.0/24?
Something also looks wrong in your conns. You should have:
conn SauPaulo-to-Oregon
    leftsubnets=SauPaulo's_subnets, Ireland's_subnets
    rightsubnets=Oregon's_subnets

conn SauPaulo-to-Ireland
    leftsubnets=SauPaulo's_subnets, Oregon's_subnets
    rightsubnets=Ireland's_subnets
You appear to have 192.168.10.0/24 in both Ireland and Oregon
Nick
On 2014-07-02 16:39, steve wrote:
Nick, awesome. I am almost there.
I am able to now ping from spoke to spoke. However, I am trying to
ping from my client at 192.168.10.0/24 through to Ireland,
192.168.69.0/24 and its fails. Should the 192.168.10.0/24 network be
added anywhere else?
Here is my new Hub IPsec.conf
Hub
conn SauPaulo-to-Oregon
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=54.232.199.31
    leftnexthop=%defaultroute
    leftsubnets=10.0.0.0/16,192.168.69.0/24
    right=54.186.82.78
    rightsubnets=172.31.0.0/16,192.168.10.0/24,192.168.69.0/24
    ike=aes256-sha
    esp=aes256-sha1
    pfs=yes
    auto=start

conn SauPaulo-to-Ireland
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=54.232.199.31
    leftnexthop=%defaultroute
    leftsubnets=10.0.0.0/16,172.31.0.0/16
    right=54.76.160.103
    rightsubnets=172.31.0.0/16,192.168.10.0/24,192.168.69.0/24
    ike=aes256-sha
    esp=aes256-sha1
    pfs=yes
    auto=start
_______________________________________________
Users at lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments:
https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
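The conn layout Nick spells out (hub conn to a spoke: hub's subnets plus every other spoke's subnets on the left, that spoke's subnets on the right; a spoke lists only its own subnets on the left) is easy to get wrong by hand, as the 192.168.10.0/24-in-two-places mistake and the later question about adding /25s show. The following is an added example, not code from the thread or from Openswan: it generates the hub and spoke conns from one site table, flags any prefix claimed by two sites, and shows which conn covers a given client address. Site names, prefixes and public IPs are the ones posted above; `HUB`, `SITES`, `PUBLIC_IP` and the function names are this example's own.

```python
"""Hub-and-spoke Openswan conn generator and checker (added example)."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed from the addresses posted in the thread (assumption: Sao Paulo is the hub).
HUB = "SauPaulo"
SITES: Dict[str, List[str]] = {            # site -> prefixes behind that gateway
    "SauPaulo": ["10.0.0.0/16"],
    "Oregon":   ["172.31.0.0/16", "192.168.10.0/24"],   # /24 = OpenVPN client pool
    "Ireland":  ["192.168.69.0/24"],
}
PUBLIC_IP = {"SauPaulo": "54.232.199.31", "Oregon": "54.186.82.78", "Ireland": "54.76.160.103"}


def find_conflicts(sites: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Prefixes that overlap but are claimed by two different sites.

    Such a prefix would land in rightsubnets of two conns on the hub, so the
    same destination is advertised behind two peers and the SPD lookup becomes
    ambiguous (the 192.168.10.0/24 in both Ireland and Oregon mistake)."""
    owned = [(ipaddress.ip_network(c), s) for s, nets in sites.items() for c in nets]
    return [(str(a), sa, str(b), sb)
            for i, (a, sa) in enumerate(owned)
            for b, sb in owned[i + 1:]
            if sa != sb and a.overlaps(b)]


def hub_conns(sites: Dict[str, List[str]], hub: str) -> Dict[str, dict]:
    """One conn per spoke on the hub: left = hub + every other spoke, right = the spoke."""
    conns = {}
    for spoke in sites:
        if spoke == hub:
            continue
        left = list(sites[hub])
        for other in sites:
            if other not in (hub, spoke):
                left += sites[other]           # other spokes are reached through the hub
        conns[f"{hub}-to-{spoke}"] = {
            "leftid": PUBLIC_IP[hub], "leftsubnets": left,
            "right": PUBLIC_IP[spoke], "rightsubnets": list(sites[spoke]),
        }
    return conns


def spoke_conns(sites: Dict[str, List[str]], hub: str, spoke: str) -> Dict[str, dict]:
    """The single conn a spoke needs: its own subnets left, hub + other spokes right."""
    right = list(sites[hub]) + [c for s, nets in sites.items()
                                if s not in (hub, spoke) for c in nets]
    return {f"{spoke}-to-{hub}": {
        "leftid": PUBLIC_IP[spoke], "leftsubnets": list(sites[spoke]),
        "right": PUBLIC_IP[hub], "rightsubnets": right}}


def render(name: str, conn: dict) -> str:
    """ipsec.conf text with the same parameters the thread uses."""
    body = [
        "type=tunnel", "authby=secret", "left=%defaultroute",
        f"leftid={conn['leftid']}", "leftnexthop=%defaultroute",
        f"leftsubnets={','.join(conn['leftsubnets'])}",
        f"right={conn['right']}",
        f"rightsubnets={','.join(conn['rightsubnets'])}",
        "ike=aes256-sha", "esp=aes256-sha1", "pfs=yes", "auto=start",
    ]
    return f"conn {name}\n" + "\n".join("\t" + line for line in body) + "\n"


def covering(conns: Dict[str, dict], dst: str) -> List[Tuple[str, str]]:
    """(conn, prefix) pairs whose rightsubnets contain dst. One hit is what you
    want; two means the destination is claimed by two peers. The /24 already
    contains both OpenVPN /25 halves, so 192.168.10.130 needs no extra entry."""
    addr = ipaddress.ip_address(dst)
    return [(n, c) for n, conn in conns.items() for c in conn["rightsubnets"]
            if addr in ipaddress.ip_network(c)]


if __name__ == "__main__":
    assert not find_conflicts(SITES)
    for name, conn in hub_conns(SITES, HUB).items():
        print(render(name, conn))
    print(covering(hub_conns(SITES, HUB), "192.168.10.130"))
```

Openswan expands `leftsubnets`/`rightsubnets` into one child SA per left/right pair, so with two left and two right prefixes a conn negotiates four SAs; keep the lists minimal and disjoint. Run `find_conflicts` before deploying, since an overlapping prefix on two peers fails in exactly the silent way this thread spent an afternoon on.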
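Nick said he was struggling to follow the OpenVPN Access Server chains through by hand. The following is an added example, not code from the thread or from OpenVPN: a small evaluator that walks the FORWARD chain and the chains it jumps to, copied from the `iptables -L` output posted above with the wrapped lines rejoined, and reports the verdict and the chain path for a given packet. `iptables -L` without `-v` does not print `-i`/`-o` interface matches, and the mangle rules that set fwmark 0x2000000 are not on the page, so interface is ignored and the mark is an attribute you supply. Under those assumptions, a new unmarked packet from an IPsec-side source such as 192.168.69.62 is accepted by AS0_OUT_S2C, while a source outside the four listed prefixes falls through AS0_OUT to DROP. `RULES`, `verdict` and the packet fields are this example's own names.

```python
"""Trace a packet through the posted filter rules (added example)."""
import ipaddress

# Constructed from the posted `iptables -L`: FORWARD plus the chains it can reach.
RULES = """\
Chain FORWARD (policy ACCEPT)
AS0_ACCEPT   all  --  anywhere         anywhere         state RELATED,ESTABLISHED
AS0_IN_PRE   all  --  anywhere         anywhere         mark match 0x2000000/0x2000000
AS0_OUT_S2C  all  --  anywhere         anywhere
Chain AS0_ACCEPT (5 references)
ACCEPT       all  --  anywhere         anywhere
Chain AS0_IN (3 references)
ACCEPT       all  --  anywhere         192.168.10.1
AS0_IN_POST  all  --  anywhere         anywhere
Chain AS0_IN_POST (1 references)
ACCEPT       all  --  anywhere         192.168.10.0/24
ACCEPT       all  --  anywhere         192.168.69.0/24
ACCEPT       all  --  anywhere         10.0.0.0/16
ACCEPT       all  --  anywhere         172.31.0.0/16
AS0_OUT      all  --  anywhere         anywhere
DROP         all  --  anywhere         anywhere
Chain AS0_IN_PRE (2 references)
AS0_IN       all  --  anywhere         192.168.0.0/16
AS0_IN       all  --  anywhere         172.16.0.0/12
AS0_IN       all  --  anywhere         10.0.0.0/8
ACCEPT       all  --  anywhere         anywhere
Chain AS0_OUT (2 references)
AS0_OUT_POST all  --  anywhere         anywhere
Chain AS0_OUT_POST (1 references)
DROP         all  --  anywhere         anywhere
Chain AS0_OUT_S2C (1 references)
ACCEPT       all  --  192.168.10.0/24  anywhere
ACCEPT       all  --  192.168.69.0/24  anywhere
ACCEPT       all  --  10.0.0.0/16      anywhere
ACCEPT       all  --  172.31.0.0/16    anywhere
AS0_OUT      all  --  anywhere         anywhere
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse(text):
    """-> (chains: name -> [rule], policy: builtin chain -> default verdict)."""
    chains, policy, cur = {}, {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            parts = line.split()
            cur = parts[1]
            chains[cur] = []
            if parts[2] == "(policy":
                policy[cur] = parts[3].rstrip(")")
        elif line.strip() and not line.startswith("target"):   # skip column headers
            t = line.split()
            chains[cur].append({"target": t[0], "prot": t[1], "src": t[3],
                                "dst": t[4], "extra": t[5:]})
    return chains, policy


def _addr_ok(spec, addr):
    return spec == "anywhere" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule, pkt):
    """Protocol, source, destination, conntrack state and fwmark; interfaces ignored."""
    if rule["prot"] not in ("all", pkt["proto"]):
        return False
    if not (_addr_ok(rule["src"], pkt["src"]) and _addr_ok(rule["dst"], pkt["dst"])):
        return False
    ex = rule["extra"]
    if "state" in ex and pkt["state"] not in ex[ex.index("state") + 1].split(","):
        return False
    if "mark" in ex:                                   # "mark match value/mask"
        value, mask = (int(x, 16) for x in ex[ex.index("match") + 1].split("/"))
        if pkt["mark"] & mask != value:
            return False
    return True


def trace(chains, policy, chain, pkt, path):
    """Walk a chain as netfilter does; path records every chain entered."""
    path.append(chain)
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        tgt = rule["target"]
        if tgt in TERMINAL:
            return tgt
        if tgt == "RETURN":
            break
        if tgt in chains:                              # jump; fall through if sub-chain returns
            sub = trace(chains, policy, tgt, pkt, path)
            if sub:
                return sub
        # MARK and other non-terminating targets: keep evaluating
    return policy.get(chain)                           # builtin: policy; user chain: None


def verdict(chain, src, dst, state="NEW", mark=0, proto="icmp"):
    chains, policy = parse(RULES)
    pkt = {"src": src, "dst": dst, "state": state, "mark": mark, "proto": proto}
    path = []
    return trace(chains, policy, chain, pkt, path), path


if __name__ == "__main__":
    for src, mark in (("192.168.69.62", 0), ("192.168.69.62", 0x2000000), ("203.0.113.5", 0)):
        print(src, hex(mark), verdict("FORWARD", src, "192.168.10.130", mark=mark))
```

To get the information this model lacks, dump the real thing with `iptables -L -v -n` (interfaces and counters) and `iptables -t mangle -L -v -n` (where the 0x2000000 marks come from), then compare packet counters before and after a ping to see which rule actually fires.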