[Openswan Users] problem with openswan

Alejandro Perretta alejandro at geopagos.com
Mon Nov 17 09:13:18 EST 2014


Because the other side of the VPN doesn't accept private addresses in the
encryption domain (because they have a lot of clients, and the subnets can be
the same). The SNAT does the translation; look at the tcpdump (the reply goes
back to 54.x). If I cancel the POSTROUTING rule, the telnet doesn't work.


root at vpn:~# tcpdump -n | grep "21516"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:08:56.840720 IP 10.0.1.217.48870 > 148.171.xxx.xxx.21516: Flags [S], seq
3658416554, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5],
length 0
14:08:56.913926 IP 148.171.xxx.xxx.21516 > 54.86.xx.xx.48870: Flags [S.],
seq 151239451, ack 3658416555, win 14600, options [mss
1320,nop,nop,sackOK,nop,wscale 7], length 0
14:08:56.913961 IP 148.171.xxx.xxx.21516 > 10.0.1.217.48870: Flags [S.],
seq 151239451, ack 3658416555, win 14600, options [mss
1320,nop,nop,sackOK,nop,wscale 7], length 0
14:08:56.914734 IP 10.0.1.217.48870 > 148.171.xxx.xxx.21516: Flags [.], ack
1, win 457, length 0
14:08:59.146805 IP 10.0.1.217.48870 > 148.171.xxx.xxx.21516: Flags [P.],
seq 1:7, ack 1, win 457, length 6
14:08:59.219639 IP 148.171.xxx.xxx.21516 > 54.86.xx.xx.48870: Flags [.],
ack 7, win 115, length 0
14:08:59.219682 IP 148.171.xxx.xxx.21516 > 10.0.1.217.48870: Flags [.], ack
7, win 115, length 0
14:08:59.219666 IP 148.171.xxx.xxx.21516 > 54.86.xx.xx.48870: Flags [F.],
seq 1, ack 7, win 115, length 0
14:08:59.219691 IP 148.171.xxx.xxx.21516 > 10.0.1.217.48870: Flags [F.],
seq 1, ack 7, win 115, length 0
14:08:59.220439 IP 10.0.1.217.48870 > 148.171.xxx.xxx.21516: Flags [F.],
seq 7, ack 2, win 457, length 0
14:08:59.293339 IP 148.171.xxx.xxx.21516 > 54.86.xx.xx.48870: Flags [.],
ack 8, win 115, length 0
14:08:59.293380 IP 148.171.xxx.xxx.21516 > 10.0.1.217.48870: Flags [.], ack
8, win 115, length 0



2014-11-17 10:42 GMT-03:00 Nick Howitt <nick at howitts.co.uk>:

> Curious. Is there a reason why you don't just go from and to private
> subnets rather than natting to public IPs? Correct me if I'm wrong but I
> did not think SNAT would give you a 1:1 map or reproducible map from
> private to public IP.
>
> Nick
>
> On 2014-11-17 13:25, Alejandro Perretta wrote:
>
>> Thanks, the problem was the POSTROUTING: I must SNAT the source with
>>
>> -A POSTROUTING -d 148.171xxx.xx/32 -j SNAT --to-source 54.86.xxx.xxx
>>
>> so the 10.x will be translated to 54.86
>>
>> 2014-11-17 10:22 GMT-03:00 Nick Howitt <nick at howitts.co.uk>:
>>
>>> Alejandro,
>>>
>>> Routing is set up through the use of left/rightsubnet(s) and not
>>> iptables or "ip route"
>>>
>>> You will need to have the subnet on which 10.0.0.1.37 is located as
>>> one of your left/rightsubnets. Don't subnets have to be between {
>>> and }, not ""?
>>>
>>> Nick
>>>
>>> On 2014-11-17 12:57, Alejandro Perretta wrote:
>>>
>>>> Hi, I have this ipsec.conf
>>>>
>>>> conn test1
>>>>         left=10.0.1.196
>>>> #     esp=aes256-sha1!
>>>>     phase2alg=aes128
>>>>         leftid=54.86.xxx.xx
>>>>         leftsourceip=54.86.34.213
>>>>         leftsubnets="54.86.34.xxx/32 54.86.xx.54/32"
>>>>         right=12.10.219.57
>>>>         rightsubnets="148.171.xxx.0/22 148.171.xxx.0/22"
>>>>         authby=secret
>>>>        ike=aes-128
>>>>     ikelifetime=86400s
>>>>         pfs=yes
>>>>     auto=start
>>>>
>>>> The telnet from the VPN server to test one host on 148.171.221.92
>>>> works fine, but if I send a telnet from 10.0.0.1.37 (one host on my
>>>> private network) it can't connect to the service.
>>>>
>>>> My iptables
>>>>
>>>> *filter
>>>> :INPUT ACCEPT [362601:2929633039]
>>>> :FORWARD ACCEPT [0:0]
>>>> :OUTPUT ACCEPT [311889:27000502]
>>>> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>> -A FORWARD -s 10.6.0.0/24 -j ACCEPT
>>>> -A FORWARD -s 10.128.88.0/24 -j ACCEPT
>>>> -A FORWARD -s 148.xxx.xxx.xxx -j ACCEPT
>>>> -A FORWARD -s 54.86.xxx.xxx -j ACCEPT
>>>> -A FORWARD -s 10.0.1.0/24 -j ACCEPT
>>>> -A FORWARD -j REJECT --reject-with icmp-port-unreachable
>>>> COMMIT
>>>> # Completed on Fri Nov 14 21:43:05 2014
>>>> # Generated by iptables-save v1.4.21 on Fri Nov 14 21:43:05 2014
>>>> *nat
>>>> :PREROUTING ACCEPT [4:642]
>>>> :INPUT ACCEPT [0:0]
>>>> :OUTPUT ACCEPT [11:765]
>>>> :POSTROUTING ACCEPT [11:765]
>>>> #-A PREROUTING -d 54.86.xxx.xxx/32 -j DNAT --to-destination 10.0.1.217
>>>> #-A POSTROUTING -s 10.0.1.217 -j MASQUERADE
>>>>
>>>> COMMIT
>>>> # Completed on Fri Nov 14 21:43:05 2014
>>>>
>>>> --
>>>>
>>>> Alejandro Perretta
>>>> Geopagos
>>>>
>>>>
>>>> _______________________________________________
>>>> Users at lists.openswan.org
>>>> https://lists.openswan.org/mailman/listinfo/users
>>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>>> Building and Integrating Virtual Private Networks with Openswan:
>>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>>
>>>
>> --
>>
>> Alejandro Perretta
>> Geopagos
>>
>>
>


-- 
Alejandro Perretta
Geopagos
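The capture above shows each reply from the peer twice, once addressed to the public SNAT address and once re-translated to the private host, and the poster notes that without the POSTROUTING rule the telnet simply gets no answer. The following script, added here as an example and not code from the Openswan project or from anyone in the thread, checks both conditions over a tcpdump -n capture: it pairs each peer reply seen for the public address with its de-NATed copy, and lists outbound connections that were never answered. The sample capture and all addresses in it (10.0.1.217 as the private host, 54.86.0.5 as its public address, 148.171.0.0/22 as the peer network) are constructed placeholders.

```python
"""Audit a tcpdump -n capture of traffic crossing a 1:1 SNAT in front of an
IPsec tunnel.

Added example for this thread; not code from the Openswan project or from
the poster. All addresses in the sample are constructed placeholders.
"""
import ipaddress
import re
from collections import defaultdict

# Single-line form of the tcpdump TCP lines shown in the thread:
# "HH:MM:SS.ffffff IP src.sport > dst.dport: Flags [X], seq ..., ack ..., length N"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)$"
)


def parse_line(line):
    """Parse one tcpdump TCP line; return None for banner or non-TCP lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    # The seq/ack/win/options text identifies the same packet before and
    # after de-NAT, since only the destination address changes.
    pkt["ident"] = re.sub(r"\s+", " ", pkt.pop("rest")).strip(", ")
    return pkt


def audit_snat(lines, private_ip, public_ip, peer_net):
    """Correlate packets around the mapping private_ip <-> public_ip.

    Returns counts plus two lists of problems: peer replies that reached the
    public address but were never re-translated to the private host, and
    outbound connections (by local source port) that got no reply at all.
    """
    peer = ipaddress.ip_network(peer_net)
    replies = defaultdict(lambda: {"to_public": 0, "to_private": 0})
    outbound_ports, answered_ports = set(), set()

    for pkt in filter(None, map(parse_line, lines)):
        src = ipaddress.ip_address(pkt["src"])
        dst = ipaddress.ip_address(pkt["dst"])
        if src in peer:                                   # reply from the peer
            key = (pkt["src"], pkt["sport"], pkt["dport"], pkt["flags"], pkt["ident"])
            if pkt["dst"] == public_ip:
                replies[key]["to_public"] += 1
            elif pkt["dst"] == private_ip:
                replies[key]["to_private"] += 1
            answered_ports.add(pkt["dport"])
        elif dst in peer and pkt["flags"] == "S":         # our SYN toward the peer
            outbound_ports.add(pkt["sport"])

    not_denatted = [k for k, c in replies.items()
                    if c["to_public"] and not c["to_private"]]
    return {
        "replies_seen": len(replies),
        "replies_not_denatted": not_denatted,
        "unanswered_flows": sorted(outbound_ports - answered_ports),
    }


# Constructed sample in the shape of the thread's capture: one working
# connection (port 48870), one that gets no reply (48871, the symptom the
# poster saw without the POSTROUTING rule), and one peer reply (to 48872)
# that reached the public address but was never re-translated.
SAMPLE_CAPTURE = """\
14:08:56.840720 IP 10.0.1.217.48870 > 148.171.0.10.21516: Flags [S], seq 3658416554, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 5], length 0
14:08:56.913926 IP 148.171.0.10.21516 > 54.86.0.5.48870: Flags [S.], seq 151239451, ack 3658416555, win 14600, options [mss 1320,nop,nop,sackOK,nop,wscale 7], length 0
14:08:56.913961 IP 148.171.0.10.21516 > 10.0.1.217.48870: Flags [S.], seq 151239451, ack 3658416555, win 14600, options [mss 1320,nop,nop,sackOK,nop,wscale 7], length 0
14:08:56.914734 IP 10.0.1.217.48870 > 148.171.0.10.21516: Flags [.], ack 1, win 457, length 0
14:09:10.000000 IP 10.0.1.217.48871 > 148.171.0.10.21516: Flags [S], seq 1000, win 14600, options [mss 1460], length 0
14:09:13.000000 IP 10.0.1.217.48871 > 148.171.0.10.21516: Flags [S], seq 1000, win 14600, options [mss 1460], length 0
14:09:20.000000 IP 148.171.0.10.21516 > 54.86.0.5.48872: Flags [.], ack 7, win 115, length 0
""".splitlines()

if __name__ == "__main__":
    report = audit_snat(SAMPLE_CAPTURE, "10.0.1.217", "54.86.0.5", "148.171.0.0/22")
    for name, value in report.items():
        print(f"{name}: {value}")
```

Feed it `tcpdump -n -l` output captured on the tunnel host; an entry in `replies_not_denatted` means the reverse translation (conntrack) did not fire for that packet, while a port in `unanswered_flows` is the no-reply symptom the thread describes when the source is left untranslated.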
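Nick's two points (subnets belong in left/rightsubnets, written with braces) and Alejandro's fix (a per-host SNAT to a public /32 that is itself listed as a leftsubnet) can be checked mechanically before the tunnel is brought up. The linter below is an added example, not code from Openswan or from the thread: it parses one conn block, flags a quoted subnet list, flags RFC 1918 networks offered to a peer that refuses private addresses, reports left/right overlap, and verifies that every public address used as a SNAT target is covered by a leftsubnet, since a translated packet whose source is outside the leftsubnets will not match the conn's IPsec policy. It also emits the matching POSTROUTING rules for a deterministic 1:1 mapping. The conn text and the host mapping are constructed placeholders.

```python
"""Lint an Openswan conn block for the subnet/SNAT setup discussed in the thread.

Added example; not code from Openswan or from the poster. The conn text and
the private->public mapping below are constructed placeholders.
"""
import ipaddress

SUBNET_KEYS = ("leftsubnet", "leftsubnets", "rightsubnet", "rightsubnets")


def parse_conn(text):
    """Return {key: value} for the first 'conn' block in an ipsec.conf fragment."""
    conn, in_conn = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        if line.startswith("conn "):
            if in_conn:
                break                             # only the first block
            in_conn = True
            conn["name"] = line.split(None, 1)[1].strip()
            continue
        if in_conn and "=" in line:
            key, value = line.strip().split("=", 1)
            conn[key.strip()] = value.strip()
    return conn


def subnet_list(value):
    """Split a leftsubnets-style value into networks; report quoting problems."""
    problems, inner = [], value.strip()
    if inner.startswith("{") and inner.endswith("}"):
        inner = inner[1:-1]
    elif inner.startswith('"') and inner.endswith('"'):
        problems.append("subnet list uses quotes; Openswan expects braces: {a/24 b/24}")
        inner = inner[1:-1]
    nets = []
    for tok in inner.split():
        try:
            nets.append(ipaddress.ip_network(tok, strict=False))
        except ValueError:
            problems.append(f"unparseable subnet {tok!r}")
    return nets, problems


def lint_conn(conn, snat_map, peer_refuses_private=True):
    """Return a list of findings for the conn and the private->public SNAT map."""
    findings, left, right = [], [], []
    for key in SUBNET_KEYS:
        if key in conn:
            nets, probs = subnet_list(conn[key])
            findings += [f"{key}: {p}" for p in probs]
            (left if key.startswith("left") else right).extend(nets)
    if peer_refuses_private:
        for net in left:
            if net.is_private:
                findings.append(f"leftsubnet {net} is private; the peer will reject it, "
                                "SNAT those hosts to a public /32 instead")
    for l in left:
        for r in right:
            if l.overlaps(r):
                findings.append(f"left {l} overlaps right {r}")
    for priv, pub in snat_map.items():
        if not any(ipaddress.ip_address(pub) in net for net in left):
            findings.append(f"SNAT target {pub} for {priv} is not inside any leftsubnet; "
                            "translated packets will not match the tunnel policy")
    return findings


def snat_rules(snat_map, right_nets):
    """iptables POSTROUTING rules for a deterministic 1:1 private->public mapping,
    scoped to the peer's subnets so other traffic is untouched."""
    return [f"-A POSTROUTING -s {priv}/32 -d {net} -j SNAT --to-source {pub}"
            for priv, pub in snat_map.items() for net in right_nets]


# Constructed conn in the shape of the thread's config, with two deliberate
# problems: a quoted subnet list and a private network in leftsubnets.
SAMPLE_CONF = """\
conn test1
        left=10.0.1.196
#     esp=aes256-sha1!
        phase2alg=aes128
        leftid=54.86.0.1
        leftsubnets="54.86.0.5/32 10.0.1.0/24"
        right=12.10.219.57
        rightsubnets={148.171.0.0/22 148.171.4.0/22}
        authby=secret
        auto=start
"""
# Constructed mapping; 54.86.0.6 is deliberately missing from leftsubnets above.
SNAT_MAP = {"10.0.1.217": "54.86.0.5", "10.0.1.218": "54.86.0.6"}

if __name__ == "__main__":
    conn = parse_conn(SAMPLE_CONF)
    for finding in lint_conn(conn, SNAT_MAP):
        print("FINDING:", finding)
    for rule in snat_rules(SNAT_MAP, subnet_list(conn["rightsubnets"])[0]):
        print(rule)
```

Run it against the real ipsec.conf and mapping; an empty findings list means the SNAT targets, the leftsubnets and the peer's expectations agree, which is the state the thread ended in.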