[Openswan Users] Multiple L2L connections - traffic filtered as input output or forward

Damian McHugh damian at bulbs.ie
Fri Jun 6 07:02:52 EDT 2014


Hi Guys,

I have a situation with a Debian 6 box, with multiple NICs &
u2.6.28/k2.6.32-5-686.

This box acts as our external gateway and VPN router.

There are approx. 6 L2L connections config'ed in ipsec.conf and
communication between remote (for example LAN_B, LAN_C & LAN_D) and directly
attached networks (for example LAN_A) is just fine.

Where I am experiencing difficulty is in communicating from one remote
network to another (for example LAN_B to LAN_C).

I have rules defined in iptables to allow the traffic using the FORWARD
chain, and within reason I have routes defined - note I am using netkey for
the proto stack.

Am I missing an obvious config here - I'm baffled.

The gateway can ping each remote network individually.

I have enabled the TRACE chain in iptables, but it's not really giving me
any clarity.

Should I have the remote networks (LAN_B & LAN_C) defined in PREROUTING,
INPUT & OUTPUT?

I would have thought the tunnels terminate within the ipsec process and
therefore should be filtered with the FORWARD chain.

 

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Do not set debug options to debug configuration issues!
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
    # eg:
    # plutodebug="control parsing"
    #
    # enable to get logs per-peer
    # plutoopts="--perpeerlog"
    #
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    virtual_private=%v4:192.168.12.0/24,%v4:10.0.0.0/8,.etc.
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    #protostack=auto
    protostack=netkey

conn LAN_C
#    plutodebug=none
    type=tunnel
    authby=secret
    left=232.141.33.55
    leftnexthop=%defaultroute
    leftsubnet=192.168.12.0/24
    right=121.232.55.66
    rightnexthop=%defaultroute
    rightsubnet=22.33.44.0/24
    ike=aes128-sha1-modp1024        # first stage authentication
    esp=aes128-sha1;modp1024        # second stage
    ikelifetime=86400s              # lifetime for the first stage authentication
    keylife=3600s                   # lifetime for the second stage authentication
    pfs=yes
    auto=start

conn LAN_B
#    plutodebug=none
    type=tunnel
    authby=secret
    left=232.141.33.55
    leftid=232.141.33.55
    leftnexthop=%defaultroute
    leftsubnets={%v4:192.168.12.0/24,%v4:10.0.0.0/8,.etc.}
    right=85.96.107.128
    rightid=85.96.107.128
    rightnexthop=%defaultroute
    rightsubnet=10.11.22.0/24
    ike=aes256-sha1-modp1024        # first stage authentication
    ikelifetime=86400s              # lifetime for the first stage authentication
    phase2=esp
    phase2alg=aes256-sha1;modp1024  # second stage
    keylife=3600s                   # lifetime for the second stage authentication
    rekey=yes
    rekeymargin=9m
    forceencaps=yes
    pfs=yes
    auto=start

 

 

Damian McHugh
Beechill Bulbs Ltd

Direct: +353 (0)57 93 22956
Fax:    +353 (0)57 93 22957
Mob:    +353 (0)87 24 13402
damian at bulbs.ie
http://www.bulbs.ie/

Beechill, Ballyduff, Tullamore, Co. Offaly, Ireland
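The two questions in the post (which chain sees the decrypted traffic, and whether a hairpin flow between two remote subnets is covered at all) can be checked mechanically. The following is an added example, not code from the post or from Openswan. It parses a constructed ipsec.conf excerpt in the style of the one posted (the elided ".etc." entries dropped), reports which conn's left/right selector pair would cover a given flow in each direction, and classifies the netfilter path a decrypted inner packet takes on a NETKEY gateway. The gateway addresses passed to netkey_chains are assumed for the demonstration; IPv4Network.subnet_of needs Python 3.7 or later.

```python
"""Added example (not from the original post or from Openswan).

For a NETKEY gateway with several L2L conns, answer two things about a flow
between two *remote* subnets, e.g. LAN_B -> LAN_C:

1. which netfilter chains the decrypted inner packet traverses on the
   gateway (INPUT only when the destination is one of the gateway's own
   addresses, otherwise FORWARD), and
2. whether any conn's selector pair covers that flow, i.e. whether the
   kernel will hold an xfrm policy to re-encrypt it towards the far peer.

SAMPLE_CONF is a constructed excerpt in the style of the posted ipsec.conf.
"""
import ipaddress
import re

SAMPLE_CONF = """\
config setup
    protostack=netkey

conn LAN_C
    leftsubnet=192.168.12.0/24
    right=121.232.55.66
    rightsubnet=22.33.44.0/24       # LAN_C

conn LAN_B
    leftsubnets={%v4:192.168.12.0/24,%v4:10.0.0.0/8}
    right=85.96.107.128
    rightsubnet=10.11.22.0/24       # LAN_B
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        if not line[0].isspace():              # unindented: section header
            m = re.match(r"conn\s+(\S+)", line)
            current = conns.setdefault(m.group(1), {}) if m else None
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def side_subnets(conn, side):
    """Networks on one side ('left'/'right'), honouring subnet= and subnets={}."""
    values = []
    if side + "subnet" in conn:
        values.append(conn[side + "subnet"])
    if side + "subnets" in conn:
        inner = conn[side + "subnets"].strip("{}")
        values.extend(re.split(r"[,\s]+", inner))
    nets = []
    for v in values:
        v = v[len("%v4:"):] if v.startswith("%v4:") else v
        if v:
            nets.append(ipaddress.ip_network(v, strict=False))
    return nets


def covering_conns(conns, src, dst, direction="out"):
    """Names of conns whose selector pair covers src->dst.

    direction="out": src must sit in leftsubnet(s), dst in rightsubnet(s)
                     (what the gateway needs in order to *encrypt* the packet).
    direction="in":  src must sit in rightsubnet(s), dst in leftsubnet(s)
                     (what the gateway accepts from a peer after decryption).
    """
    src_net = ipaddress.ip_network(src, strict=False)
    dst_net = ipaddress.ip_network(dst, strict=False)
    src_side, dst_side = ("left", "right") if direction == "out" else ("right", "left")
    hits = []
    for name, conn in conns.items():
        if any(src_net.subnet_of(n) for n in side_subnets(conn, src_side)) and \
           any(dst_net.subnet_of(n) for n in side_subnets(conn, dst_side)):
            hits.append(name)
    return hits


def netkey_chains(dst, local_addrs):
    """Chains the *decrypted* inner packet hits on a NETKEY gateway.

    The outer ESP packet is addressed to the gateway itself and is seen in
    INPUT; after decapsulation the inner packet is re-injected, passes
    PREROUTING again, and the routing decision then picks INPUT or FORWARD.
    """
    d = ipaddress.ip_address(dst)
    if any(d == ipaddress.ip_address(a) for a in local_addrs):
        return ["PREROUTING", "INPUT"]
    return ["PREROUTING", "FORWARD", "POSTROUTING"]


if __name__ == "__main__":
    conns = parse_conns(SAMPLE_CONF)
    gateway = ["232.141.33.55", "192.168.12.1"]   # assumed local addresses
    for src, dst in [("10.11.22.5", "22.33.44.7"), ("192.168.12.10", "22.33.44.7")]:
        print(src, "->", dst, netkey_chains(dst, gateway),
              "out:", covering_conns(conns, src, dst, "out"),
              "in:", covering_conns(conns, src, dst, "in"))
```

With the posted selectors, a LAN_B host talking to a LAN_C host is covered by no conn in either direction, while LAN_A to either remote subnet is, which matches the symptom of gateway-to-remote working and remote-to-remote not: FORWARD is the right chain for the decrypted inner packet, but the kernel only forwards into a tunnel when some conn's selector pair includes that source/destination combination. For the FORWARD rules themselves, iptables' policy match (-m policy --dir in --pol ipsec) selects packets that arrived through an SA, which keeps the allow rules from also matching cleartext packets with spoofed addresses.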

 

