[Openswan Users] Hub and Spoke issue
Nick Howitt
nick at howitts.co.uk
Thu Jul 3 04:01:58 EDT 2014
I'm not sure where you've left this. Are you able to ping your clients
yet? If not you may want to look at the nat part of the firewall (sudo
iptables -L -n -v -t nat), but this is really an OpenVPN question now.
On 2014-07-02 21:00, Steven Tye wrote:
> I have it set to routing. For me this is working. I installed an email
> server on the far (Ireland) server and I am able to send and receive
> email. From an engineering perspective I don't understand how this is
> getting blocked was the only thing.
>
> I really appreciate your help.
>
> Steve
>
> FROM: Nick Howitt [mailto:nick at howitts.co.uk]
> SENT: Wednesday, July 2, 2014 2:40 PM
> TO: Steven Tye
> CC: users at lists.openswan.org
> SUBJECT: Re: [Openswan Users] Hub and Spoke issue
>
> In your OpenVPN set up what does this mean:
>
> Should VPN clients have access to private subnets (non-public
> networks on the server side)?
> NO No
> NO Yes, using NAT
> CHECK Yes, using routing (advanced)
>
> You probably do not want to use NAT as it will (?) block traffic to
> the remote clients. It is probably best to give direct access if you
> can.
>
> On 02/07/2014 19:24, Steven Tye wrote:
>
>> That had no effect. Still no pings.
>>
>> FROM: Nick Howitt [mailto:nick at howitts.co.uk]
>> SENT: Wednesday, July 2, 2014 2:22 PM
>> TO: Steven Tye
>> CC: users at lists.openswan.org
>> SUBJECT: Re: [Openswan Users] Hub and Spoke issue
>>
>> It is not quite the standard firewall set up that I am used to and
>> I'm struggling to follow each chain through. It is a very permissive
>> set up with virtually no DROP lines and no drop policies.
>>
>> You may be able to add a couple of rules:
>>
>>> sudo iptables -I FORWARD -i tun+ -j ACCEPT
>>> sudo iptables -I FORWARD -o tun+ -j ACCEPT
>>
>> To delete the rules change -I to -D.
>>
>> There are also marking rules so there may be some interaction
>> between the firewall and routing tables.
>>
>> On 02/07/2014 18:32, Steven Tye wrote:
>>
>> Found , but not sure what to look for.
>>
>> Oregon:~$ sudo iptables -L
>>
>> Chain INPUT (policy ACCEPT)
>>
>> target prot opt source destination
>>
>> AS0_ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
>>
>> AS0_ACCEPT all -- anywhere anywhere
>>
>> AS0_IN_PRE all -- anywhere anywhere mark match 0x2000000/0x2000000
>>
>> AS0_ACCEPT udp -- anywhere anywhere state NEW udp dpt:openvpn
>>
>> AS0_ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
>>
>> AS0_WEBACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
>>
>> AS0_WEBACCEPT tcp -- anywhere anywhere state NEW tcp dpt:943
>>
>> Chain FORWARD (policy ACCEPT)
>>
>> target prot opt source destination
>>
>> AS0_ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
>>
>> AS0_IN_PRE all -- anywhere anywhere mark match 0x2000000/0x2000000
>>
>> AS0_OUT_S2C all -- anywhere anywhere
>>
>> Chain OUTPUT (policy ACCEPT)
>>
>> target prot opt source destination
>>
>> AS0_OUT_LOCAL all -- anywhere anywhere
>>
>> Chain AS0_ACCEPT (5 references)
>>
>> target prot opt source destination
>>
>> ACCEPT all -- anywhere anywhere
>>
>> Chain AS0_IN (3 references)
>>
>> target prot opt source destination
>>
>> ACCEPT all -- anywhere 192.168.10.1
>>
>> AS0_IN_POST all -- anywhere anywhere
>>
>> Chain AS0_IN_NAT (0 references)
>>
>> target prot opt source destination
>>
>> MARK all -- anywhere anywhere MARK or 0x8000000
>>
>> ACCEPT all -- anywhere anywhere
>>
>> Chain AS0_IN_POST (1 references)
>>
>> target prot opt source destination
>>
>> ACCEPT all -- anywhere 192.168.10.0/24
>>
>> ACCEPT all -- anywhere 192.168.69.0/24
>>
>> ACCEPT all -- anywhere 10.0.0.0/16
>>
>> ACCEPT all -- anywhere 172.31.0.0/16
>>
>> AS0_OUT all -- anywhere anywhere
>>
>> DROP all -- anywhere anywhere
>>
>> Chain AS0_IN_PRE (2 references)
>>
>> target prot opt source destination
>>
>> AS0_IN all -- anywhere 192.168.0.0/16
>>
>> AS0_IN all -- anywhere 172.16.0.0/12
>>
>> AS0_IN all -- anywhere 10.0.0.0/8
>>
>> ACCEPT all -- anywhere anywhere
>>
>> Chain AS0_IN_ROUTE (0 references)
>>
>> target prot opt source destination
>>
>> MARK all -- anywhere anywhere MARK or 0x4000000
>>
>> ACCEPT all -- anywhere anywhere
>>
>> Chain AS0_OUT (2 references)
>>
>> target prot opt source destination
>>
>> AS0_OUT_POST all -- anywhere anywhere
>>
>> Chain AS0_OUT_LOCAL (1 references)
>>
>> target prot opt source destination
>>
>> DROP icmp -- anywhere anywhere icmp redirect
>>
>> ACCEPT all -- anywhere anywhere
>>
>> Chain AS0_OUT_POST (1 references)
>>
>> target prot opt source destination
>>
>> DROP all -- anywhere anywhere
>>
>> Chain AS0_OUT_S2C (1 references)
>>
>> target prot opt source destination
>>
>> ACCEPT all -- 192.168.10.0/24 anywhere
>>
>> ACCEPT all -- 192.168.69.0/24 anywhere
>>
>> ACCEPT all -- 10.0.0.0/16 anywhere
>>
>> ACCEPT all -- 172.31.0.0/16 anywhere
>>
>> AS0_OUT all -- anywhere anywhere
>>
>> Chain AS0_WEBACCEPT (2 references)
>>
>> target prot opt source destination
>>
>> ACCEPT all -- anywhere anywhere
>>
>> FROM: Nick Howitt [mailto:nick at howitts.co.uk]
>> SENT: Wednesday, July 2, 2014 1:22 PM
>> TO: Steven Tye
>> CC: users at lists.openswan.org
>> SUBJECT: Re: [Openswan Users] Hub and Spoke issue
>>
>> I've just got home.
>>
>> I suggest at this point it is an OpenVPN issue. Splitting the
>> OpenVPN subnet into two subnets in ipsec.conf serves no purpose. I'd
>> have to look up the OpenVPN configs to see how they worked. Also
>> check for firewalling issues. Does the firewall in Oregon only allow
>> local subnet traffic to OpenVPN?
>>
>> Nick
>>
>> On 02/07/2014 18:13, Steven Tye wrote:
>>
>> Yeah so
>>
>> 192.168.10.1/25
>>
>> &
>>
>> 192.168.10.129/25
>>
>> Are the gateways for the OpenVPN networks.
>>
>> Both are accessible all the way out in Ireland and Sao Paulo.
>>
>> However the client cannot be pinged from anywhere except on the
>> Oregon
>>
>> server.
>>
>> The Client can ping all the way out to Ireland and Sao Paulo though.
>>
>> Stumped now
>>
>> -----Original Message-----
>>
>> From: Steven Tye [mailto:srtye at outlook.com]
>>
>> Sent: Wednesday, July 2, 2014 12:54 PM
>>
>> To: 'Nick Howitt'
>>
>> Cc: users at lists.openswan.org
>>
>> Subject: RE: [Openswan Users] Hub and Spoke issue
>>
>> Just found that I can ping 192.168.10.1 which is the virtual
>>
>> gateway.......from Ireland.
>>
>> -----Original Message-----
>>
>> From: Steven Tye [mailto:srtye at outlook.com]
>>
>> Sent: Wednesday, July 2, 2014 12:40 PM
>>
>> To: 'Nick Howitt'
>>
>> Cc: users at lists.openswan.org
>>
>> Subject: RE: [Openswan Users] Hub and Spoke issue
>>
>> Traceroute
>>
>> Ireland:~$ traceroute 192.168.10.130
>>
>> traceroute to 192.168.10.130 (192.168.10.130), 30 hops max, 60 byte
>> packets
>>
>> 1 ip-10-0-0-12.eu-west-1.compute.internal (10.0.0.12) 217.839 ms
>> 217.793
>>
>> ms 217.731 ms
>>
>> 2 ip-172-31-33-163.eu-west-1.compute.internal (172.31.33.163)
>> 424.701 ms
>>
>> 424.871 ms 424.831 ms
>>
>> 3 * * *
>>
>> 4 * * *
>>
>> 5 * * *
>>
>> ..................
>>
>> So it's actually making it to Oregon but not the client.
>>
>> Oregon
>>
>> Oregon:~$ route
>>
>> Kernel IP routing table
>>
>> Destination Gateway Genmask Flags Metric Ref Use
>>
>> Iface
>>
>> default 172.31.32.1 0.0.0.0 UG 0 0 0 eth0
>>
>> 172.31.32.0 * 255.255.240.0 U 0 0 0 eth0
>>
>> 192.168.10.0 * 255.255.255.128 U 0 0 0
>>
>> as0t0
>>
>> 192.168.10.128 * 255.255.255.128 U 0 0 0
>>
>> as0t1
>>
>> I see the way that OpenVPN is separating the 192.168.10.0/24 network
>> in two.
>>
>> I wonder if I need to add 192.168.10.0/25 & 192.168.10.128/25 to the
>>
>> ipsec.conf files?
>>
>> -----Original Message-----
>>
>> From: Steven Tye [mailto:srtye at outlook.com]
>>
>> Sent: Wednesday, July 2, 2014 12:32 PM
>>
>> To: 'Nick Howitt'
>>
>> Cc: users at lists.openswan.org
>>
>> Subject: RE: [Openswan Users] Hub and Spoke issue
>>
>> Gotcha...fixed that....
>>
>> Here is where are now
>>
>> I can ping from the client all the way to 192.168.69.62 (Ireland) I
>> cannot
>>
>> ping the client from SaoPaulo or Ireland
>>
>> conn SauPaulo-to-Oregon
>>
>> type=tunnel
>>
>> authby=secret
>>
>> left=%defaultroute
>>
>> leftid=54.232.199.31
>>
>> leftnexthop=%defaultroute
>>
>> leftsubnets=10.0.0.0/16,192.168.69.0/24
>>
>> right=54.186.82.78
>>
>> rightsubnets=172.31.0.0/16,192.168.10.0/24
>>
>> ike=aes256-sha
>>
>> esp=aes256-sha1
>>
>> pfs=yes
>>
>> auto=start
>>
>> conn SauPaulo-to-Ireland
>>
>> type=tunnel
>>
>> authby=secret
>>
>> left=%defaultroute
>>
>> leftid=54.232.199.31
>>
>> leftnexthop=%defaultroute
>>
>> leftsubnets=10.0.0.0/16,172.31.0.0/16,192.168.10.0/24
>>
>> right=54.76.160.103
>>
>> rightsubnets=192.168.69.0/24
>>
>> ike=aes256-sha
>>
>> esp=aes256-sha1
>>
>> pfs=yes
>>
>> auto=start
>>
>> Oregon
>>
>> conn Oregon-to-SauPaulo
>>
>> type=tunnel
>>
>> authby=secret
>>
>> left=%defaultroute
>>
>> leftid=54.186.82.78
>>
>> leftnexthop=%defaultroute
>>
>> leftsubnets=172.31.0.0/16,192.168.10.0/24
>>
>> right=54.232.199.31
>>
>> rightsubnets=10.0.0.0/16,192.168.69.0/24
>>
>> ike=aes256-sha
>>
>> esp=aes256-sha1
>>
>> pfs=yes
>>
>> auto=start
>>
>> Ireland
>>
>> conn Ireland-to-SaoPaulo
>>
>> type=tunnel
>>
>> authby=secret
>>
>> left=%defaultroute
>>
>> leftid=54.76.160.103
>>
>> leftnexthop=%defaultroute
>>
>> leftsubnet=192.168.69.0/24
>>
>> right=54.232.199.31
>>
>> rightsubnets=10.0.0.0/16,172.31.0.0/16,192.168.10.0/24
>>
>> ike=aes256-sha
>>
>> esp=aes256-sha1
>>
>> pfs=yes
>>
>> auto=start
>>
>> -----Original Message-----
>>
>> From: Nick Howitt [mailto:nick at howitts.co.uk]
>>
>> Sent: Wednesday, July 2, 2014 12:30 PM
>>
>> To: Steven Tye
>>
>> Cc: users at lists.openswan.org
>>
>> Subject: RE: [Openswan Users] Hub and Spoke issue
>>
>> SauPaulo-to-Oregon rightsubnets is missing 192.168.10.0/24
>>
>> On 2014-07-02 17:14, Steven Tye wrote:
>>
>> OpenVPN has this setting
>>
>> Routing
>>
>> Should VPN clients have access to private subnets (non-public
>>
>> networks on the server side)?
>>
>> NO No
>>
>> NO Yes, using NAT
>>
>> CHECK Yes, using routing (advanced)
>>
>> Specify the private subnets to which all clients should be given
>>
>> access (as 'network/netmask_bits', one per line)
>>
>> 172.31.0.0/16
>>
>> 10.0.0.0/16
>>
>> 192.168.69.0/24
>>
>> 192.168.10.0/24
>>
>> Cleaned up the ipsec.conf as you suggested:
>>
>> conn SauPaulo-to-Oregon
>>
>> type=tunnel
>>
>> authby=secret
>>
>> left=%defaultroute
>>
>> leftid=54.232.199.31
>>
>> leftnexthop=%defaultroute
>>
>> leftsubnets=10.0.0.0/16,192.168.69.0/24
>>
>> right=54.186.82.78
>>
>> rightsubnets=172.31.0.0/16
>>
>> ike=aes256-sha
>>
>> esp=aes256-sha1
>>
>> pfs=yes
>>
>> auto=start
>>
>> conn SauPaulo-to-Ireland
>>
>> type=tunnel
>>
>> authby=secret
>>
>> left=%defaultroute
>>
>> leftid=54.232.199.31
>>
>> leftnexthop=%defaultroute
>>
>> leftsubnets=10.0.0.0/16,172.31.0.0/16,192.168.10.0/24
>>
>> right=54.76.160.103
>>
>> rightsubnets=192.168.69.0/24
>>
>> ike=aes256-sha
>>
>> esp=aes256-sha1
>>
>> pfs=yes
>>
>> auto=start
>>
>> Now I cannot ping from client to/from hub.
>>
>> Oregon
>>
>> conn Oregon-to-SauPaulo
>>
>> type=tunnel
>>
>> authby=secret
>>
>> left=%defaultroute
>>
>> leftid=54.186.82.78
>>
>> leftnexthop=%defaultroute
>>
>> leftsubnets=172.31.0.0/16,192.168.10.0/24
>>
>> right=54.232.199.31
>>
>> rightsubnets=10.0.0.0/16,192.168.69.0/24
>>
>> ike=aes256-sha
>>
>> esp=aes256-sha1
>>
>> pfs=yes
>>
>> auto=start
>>
>> Ireland
>>
>> conn Ireland-to-SaoPaulo
>>
>> type=tunnel
>>
>> authby=secret
>>
>> left=%defaultroute
>>
>> leftid=54.76.160.103
>>
>> leftnexthop=%defaultroute
>>
>> leftsubnet=192.168.69.0/24
>>
>> right=54.232.199.31
>>
>> rightsubnets=10.0.0.0/16,172.31.0.0/16,192.168.10.0/24
>>
>> ike=aes256-sha
>>
>> esp=aes256-sha1
>>
>> pfs=yes
>>
>> auto=start
>>
>> -----Original Message-----
>>
>> From: Nick Howitt [mailto:nick at howitts.co.uk]
>>
>> Sent: Wednesday, July 2, 2014 12:03 PM
>>
>> To: steve
>>
>> Cc: users at lists.openswan.org
>>
>> Subject: Re: [Openswan Users] Hub and Spoke issue
>>
>> In OpenVPN are you also pushing a route to 192.168.69.0/24?
>>
>> Something also looks wrong in your conns. You should have:
>>
>> conn SauPaulo-to-Oregon
>>
>> leftsubnets=SauPaulo's_subnets, Ireland's_subnets
>>
>> rightsubnets=Oregon's_subnets
>>
>> conn SauPaulo-to-Ireland
>>
>> leftsubnets=SauPaulo's_subnets, Oregon's_subnets
>>
>> rightsubnets=Ireland's_subnets
>>
>> You appear to have 192.168.10.0/24 in both Ireland and Oregon
>>
>> Nick
>>
>> On 2014-07-02 16:39, steve wrote:
>>
>> Nick, awesome. I am almost there.
>>
>> I am able to now ping from spoke to spoke. However, I am trying to
>>
>> ping from my client at 192.168.10.0/24 through to Ireland,
>>
>> 192.168.69.0/24 and its fails. Should the 192.168.10.0/24 network be
>>
>> added anywhere else?
>>
>> Here is my new Hub IPsec.conf
>>
>> Hub
>>
>> conn SauPaulo-to-Oregon
>>
>> type=tunnel
>>
>> authby=secret
>>
>> left=%defaultroute
>>
>> leftid=54.232.199.31
>>
>> leftnexthop=%defaultroute
>>
>> leftsubnets=10.0.0.0/16,192.168.69.0/24
>>
>> right=54.186.82.78
>>
>> rightsubnets=172.31.0.0/16,192.168.10.0/24,192.168.69.0/24
>>
>> ike=aes256-sha
>>
>> esp=aes256-sha1
>>
>> pfs=yes
>>
>> auto=start
>>
>> conn SauPaulo-to-Ireland
>>
>> type=tunnel
>>
>> authby=secret
>>
>> left=%defaultroute
>>
>> leftid=54.232.199.31
>>
>> leftnexthop=%defaultroute
>>
>> leftsubnets=10.0.0.0/16,172.31.0.0/16
>>
>> right=54.76.160.103
>>
>> rightsubnets=172.31.0.0/16,192.168.10.0/24,192.168.69.0/24
>>
>> ike=aes256-sha
>>
>> esp=aes256-sha1
>>
>> pfs=yes
>>
>> auto=start
>>
>> _______________________________________________
>>
>> Users at lists.openswan.org
>>
>> https://lists.openswan.org/mailman/listinfo/users [1] [1]
>>
>> Micropayments:
>>
>> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy [2] [2]
>>
>> Building and Integrating Virtual Private Networks with Openswan:
>>
>>
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=2831
>> [3]
>>
>> [3]
>>
>> 55
>>
>> Links:
>>
>> ------
>>
>> [1] https://lists.openswan.org/mailman/listinfo/users [1]
>>
>> [2] https://flattr.com/thing/38387/IPsec-for-Linux-made-easy [2]
>>
>> [3]
>>
>>
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=2831
>> [3]
>
>
>
> Links:
> ------
> [1] https://lists.openswan.org/mailman/listinfo/users
> [2] https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> [3]
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=2831
More information about the Users
mailing list