Discussion:
[Openswan Users] Openswan gateway behind NAT
Paul Wouters
2005-01-17 22:37:23 UTC
----------------------------------------------------
~$ ping 192.168.1.45
PING 192.168.1.45 (192.168.1.45) 56(84) bytes of data.
64 bytes from 1.2.3.4: icmp_seq=1 ttl=117 time=43.5 ms
----------------------------------------------------
where 1.2.3.4 is the public IP address of the router gw.example.com.
This is probably because 192.168.1.45 has its default route pointing to
the router 192.168.1.1, so that it will send the echo replies to the
router instead of the IPsec gateway. The router will then NAT the echo
replies and send them to my client - unencrypted!
And it should drop the packets, which it does not always do, as you can see.
Naturally the other hosts do not know that they should suddenly send
return traffic through the IPsec gateway. What is the proper solution to
this problem?
Make the ipsec machine the default gateway, or tunnel everything to the
ipsec machine (0.0.0.0/0). In the latter case, I've also seen it both
work and not work.
* Doesn't Openswan on the IPsec gateway automatically do proxy arp for
the IPsec client's address?
* Will it help if I add an ARP entry manually?
I am not sure what you are trying to do here, but I don't think so.

Paul
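A quick check for the symptom shown in the ping output above, added here as an example and not part of the thread: a reply whose source address differs from the address that was pinged did not come back through the tunnel but was NATed by another device on the path. The sample output is constructed from the lines quoted above, with one correctly routed reply added for contrast.

```python
import re

# Constructed sample based on the ping output quoted in the thread: the first
# reply for 192.168.1.45 arrives from 1.2.3.4, the NAT router's public address,
# so that echo reply left the LAN through the router instead of the IPsec
# gateway (and therefore travelled unencrypted). The second reply is correct.
SAMPLE_PING = """\
PING 192.168.1.45 (192.168.1.45) 56(84) bytes of data.
64 bytes from 1.2.3.4: icmp_seq=1 ttl=117 time=43.5 ms
64 bytes from 192.168.1.45: icmp_seq=2 ttl=64 time=40.1 ms
"""

# "PING host (ip) ..." header; group 2 is the numeric target address.
HEADER_RE = re.compile(r"^PING (\S+) \((\d+\.\d+\.\d+\.\d+)\)")
# "64 bytes from ip: icmp_seq=N ..." reply line; ping may also print
# "from host (ip):" when it resolves names, so the optional group covers that.
REPLY_RE = re.compile(
    r"^\d+ bytes from (\d+\.\d+\.\d+\.\d+)(?: \([^)]*\))?: icmp_seq=(\d+)"
)


def find_bypassed_replies(ping_output):
    """Return (target, [(icmp_seq, source), ...]) for every reply whose
    source address is not the pinged address. In a correctly routed IPsec
    setup this list is empty; any entry is return traffic that bypassed
    the tunnel and was rewritten by NAT on the way back."""
    target = None
    bypassed = []
    for line in ping_output.splitlines():
        m = HEADER_RE.match(line)
        if m:
            target = m.group(2)
            continue
        m = REPLY_RE.match(line)
        if m and target is not None:
            src, seq = m.group(1), int(m.group(2))
            if src != target:
                bypassed.append((seq, src))
    return target, bypassed


if __name__ == "__main__":
    target, leaked = find_bypassed_replies(SAMPLE_PING)
    for seq, src in leaked:
        print(f"icmp_seq={seq}: reply for {target} came from {src} (bypassed tunnel)")
```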
Paul Wouters
2005-01-18 10:05:49 UTC
Post by Paul Wouters
The router will then NAT the echo replies and send them to my client
- unencrypted!
And it should drop the packets, which it does not always do, as you can see.
The router, which is not even IPsec capable, has no reason to drop the
packets as far as I can see.
Windows should drop the packet, since Windows has a security association
up for that IP address. This was reported over a year ago to Microsoft.
So I'm looking for a solution where the IPsec gateway is acting as
gateway only for IPsec traffic.
I've had mixed results with this and Windows.
What if the IPsec client had a virtual IP address within the private
subnet. Then the gateway would do proxy-arp for that address, so it
would "catch" all traffic from the subnet to the IPsec client, right?
I don't think you can use proxy arp, because the client, gateway and ipsec
gateway are on the same subnet.
By adding a virtual IP to the machine, from a range outside its current
range, you can avoid these problems.

Paul
Marcus Better
2005-01-18 10:42:36 UTC
Post by Paul Wouters
Windows should drop the packet.
I am not using Windows, fortunately. Perhaps you are answering a
different thread? :)
Post by Paul Wouters
I don't think you can use proxy arp, because the client, gateway and ipsec
gateway are on the same subnet.
I'm not sure what you mean by "client" here: the IPsec client is on the
outside (road-warrior).

I was under the impression that in a virtual IP setup, the IPsec gateway
would proxy-arp the virtual address of the road-warrior.

I will do some experimenting with virtual IP and see what happens.

Marcus
Paul Wouters
2005-01-18 10:47:53 UTC
I'm not sure what you mean by "client" here: the IPsec client is on the
outside (road-warrior).
I was under the impression that in a virtual IP setup, the IPsec gateway
would proxy-arp the virtual address of the road-warrior.
I will do some experimenting with virtual IP and see what happens.
Oh! Of course.
I was under the impression that you were setting up ipsec connections
from a client in your network and that you had local network issues, not
remote ones. Guess I completely misunderstood your original problem then.

Paul
Marcus Better
2005-01-18 11:08:21 UTC
Post by Paul Wouters
I was under the impression that you were setting up ipsec connections
from a client in your network and that you had local network issues,
Sorry I wasn't clear enough. It's difficult to describe a network setup
in an e-mail...

The only real issue here is that the IPsec gateway is itself a member of
the private subnet, and the whole subnet is behind a NAT router. When a
road-warrior connects with its external, public IP address, the question
is how to get traffic from the subnet to the road-warrior routed through
the IPsec gateway.

I see now that this should be easier using virtual IP.

Marcus
sasa
2005-01-22 12:29:46 UTC
I would like to use l2tp on FC 2 and kernel 2.6, but I have read that there are compatibility problems. Must I use rp-l2tp, or something else?
thanks !

--
Salvatore.
Jacco de Leeuw
2005-01-22 13:03:49 UTC
Post by sasa
I would want to use l2tp on fc 2 and kernel 2.6
but I have read that there are compatibility problems,
With l2tpd and the 2.6 kernels of some distributions, yes.
L2tpd requires legacy PTYs, which are not in FC2, FC3 and
Mandrake 10.1. So an option is to switch to rp-l2tp.
Post by sasa
I must use rp-l2tp?
No. There are other options as well. You could enable legacy
PTYs support and recompile the kernel included with your
distribution. Or, if you like programming, you could add
support for the new PTY style to l2tpd.

Jacco
--
Jacco de Leeuw mailto:***@dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
sasa
2005-01-22 13:21:42 UTC
Post by Jacco de Leeuw
Mandrake 10.1. So an option is to switch to rp-l2tp.
I have installed rp-l2tp on FC, but I don't have the file 'options.l2tp'; I only have '/etc/ppp/options'. Now, what file must I use to configure the options for l2tp? And then, when I execute:

#service l2tpd start
l2tpd: unrecognized service

... why?
Thanks again.

Salvatore.
Jacco de Leeuw
2005-01-22 14:33:29 UTC
Post by sasa
I have installed rp-l2tp on FC, but I don't have the file 'options.l2tp';
what file must I use to configure the options for l2tp?
rp-l2tp does not use options.l2tp. The options are specified in
/etc/l2tp/l2tp.conf
Post by sasa
#service l2tpd start
l2tpd: unrecognized service
Dunno, perhaps the RPM failed to install? Unfortunately both l2tpd
and rp-l2tp use the same filename for their daemons and init scripts,
namely l2tpd.

Jacco
--
Jacco de Leeuw mailto:***@dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
sasa
2005-01-22 14:41:42 UTC
Post by Jacco de Leeuw
rp-l2tp does not use options.l2tp. The options are specified in
/etc/l2tp/l2tp.conf
...ah ok, so the DNS server and WINS server must be indicated in l2tp.conf, is that right?
Post by Jacco de Leeuw
Dunno, perhaps the RPM failed to install?
I did not use the RPM file but the tar.gz file, and then './configure && make' and 'make install', and I had no errors.
Post by Jacco de Leeuw
Unfortunately both l2tpd
and rp-l2tp use the same filename for their daemons and init scripts,
namely l2tpd.
...and now, how can I execute the l2tpd daemon?
thanks.

Salvatore.
Jacco de Leeuw
2005-01-22 14:51:53 UTC
Post by sasa
I did not use the RPM file but the tar.gz file, and then
'./configure && make' and 'make install', and I had no errors.
Perhaps you are interested in some rp-l2tp RPMS?

http://www.jacco2.dds.nl/networking/SRPMS/rp-l2tp-0.4-1jdl.src.rpm
http://www.jacco2.dds.nl/networking/RPMS/FedoraCore2/rp-l2tp-0.4-1jdl.i386.rpm

Jacco
--
Jacco de Leeuw mailto:***@dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
sasa
2005-01-22 14:58:43 UTC
Post by Jacco de Leeuw
Perhaps you are interested in some rp-l2tp RPMS?
http://www.jacco2.dds.nl/networking/SRPMS/rp-l2tp-0.4-1jdl.src.rpm
http://www.jacco2.dds.nl/networking/RPMS/FedoraCore2/rp-l2tp-0.4-1jdl.i386.rpm
...ah ok, but if I now use the 'rp-l2tp-0.4-1jdl.i386.rpm' file, must I first do something to uninstall the previous installation made from the tar.gz file?
thanks.

Salvatore.
sasa
2005-01-24 13:21:57 UTC
Hi, with l2tpd, in l2tpd.conf I use:

[global]
listen-addr = 10.0.0.1

[lns default]
ip range = 10.0.0.37-10.0.0.39
local ip = 10.0.0.200
require chap = yes
refuse pap = yes
require authentication = yes
name = fw
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes

...and the equivalent I must use for rp-l2tp in l2tpd.conf:

[global]
load-handler "sync-pppd.so"
load-handler "cmd.so"
listen-port 1701
listen-addr 10.0.0.1

section sync-pppd
lns-pppd-opts "debug refuse-pap require-chap 10.0.0.37-10.0.0.39 auth lcp-echo-interval 30 lcp-echo-failure 6 ms-dns 10.0.0.14"

section peer
peer 10.0.0.200
secret s3cr3t
port 1701
lns-handler sync-pppd
hide-avps yes

section cmd

...but the 'secret' parameter shows the 'shared secret'; what is it the equivalent of?

Does the content of chap-secrets remain the same?
thanks.
Salvatore.
Jacco de Leeuw
2005-01-24 21:43:03 UTC
Post by sasa
[global]
listen-addr = 10.0.0.1
[lns default]
ip range = 10.0.0.37-10.0.0.39
local ip = 10.0.0.200
lns-pppd-opts "debug refuse-pap require-chap 10.0.0.37-10.0.0.39
auth lcp-echo-interval 30 lcp-echo-failure 6 ms-dns 10.0.0.14"
No, this is not the equivalent. L2tpd can assign IP addresses, but
rp-l2tp cannot. Unless rp-l2tp gets help from a RADIUS or DHCP plugin.

For testing purposes (will only work with one static IP address)
try this:

"debug refuse-pap require-chap 10.0.0.200:10.0.0.37 ...etc."
Post by sasa
section peer
peer 10.0.0.200
Add a line:
mask 0

I forgot to add this to the RPM.
Post by sasa
secret s3cr3t
...but the 'secret' parameter shows the 'shared secret'; what is it the equivalent of?
It is a password for the L2TP server. Remove that line.
Post by sasa
Does the content of chap-secrets remain the same?
Yes.

Jacco
--
Jacco de Leeuw mailto:***@dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
sasa
2005-01-25 22:39:08 UTC
Post by Jacco de Leeuw
No, this is not the equivalent. L2tpd can assign IP addresses, but
rp-l2tp cannot. Unless rp-l2tp gets help from a RADIUS or DHCP plugin.
...so am I forced to use a DHCP server? Is there another way?
Post by Jacco de Leeuw
For testing purposes (will only work with one static IP address)
"debug refuse-pap require-chap 10.0.0.200:10.0.0.37 ...etc."
Post by sasa
section peer
peer 10.0.0.200
I am sorry, but I have not understood... in this way the VPN client gets
assigned the address 10.0.0.200?
thanks.

Salvatore.
Jacco de Leeuw
2005-01-25 23:23:44 UTC
Post by sasa
Post by Jacco de Leeuw
No, this is not the equivalent. L2tpd can assign IP addresses, but
rp-l2tp cannot. Unless rp-l2tp gets help from a RADIUS or DHCP plugin.
...so am I forced to use a DHCP server? Is there another way?
Or RADIUS. Or Samba / Windows Server (via the Winbind plugin). Or LDAP.
Or (perhaps) any PAM module (via the PAM plugin).
Post by sasa
Post by Jacco de Leeuw
Post by sasa
section peer
peer 10.0.0.200
I am sorry, but I have not understood... in this way the VPN client gets
assigned the address 10.0.0.200?
No, this line does not assign the virtual IP address. Sorry for the confusion.
These 'peer' lines indicate what clients are allowed to connect. So generally
you will want to set this to 'peer 0.0.0.0' with a separate line 'mask 0'.
The virtual IP addresses are actually assigned in the 'lns-pppd-opts' line:

lns-pppd-opts "debug refuse-pap require-chap 10.0.0.200:10.0.0.37 ...etc."

This will work only with one particular client (should be OK for testing).
When you decide that you do want to use multiple clients, you will need
a plugin. You add this plugin and remove the static client IP address:

lns-pppd-opts "debug refuse-pap require-chap 10.0.0.200: plugin radius.so
...etc."

This is standard PPP stuff, so we are starting to get a little bit
off-topic here.

Jacco
--
Jacco de Leeuw mailto:***@dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
sasa
2005-01-25 23:34:57 UTC
Post by Jacco de Leeuw
lns-pppd-opts "debug refuse-pap require-chap 10.0.0.200:10.0.0.37 ...etc."
This will work only with one particular client (should be OK for testing).
When you decide that you do want to use multiple clients, you will need
lns-pppd-opts "debug refuse-pap require-chap 10.0.0.200: plugin radius.so
...etc."
...so if I have understood well (in my situation I have only one client), I can
write:

lns-pppd-opts "debug refuse-pap require-chap 10.0.0.37:10.0.0.37 ...etc."

...and in this way the VPN client gets assigned the address 10.0.0.37?
And I don't have to use DHCP, RADIUS or anything else?
If this is right, I have solved my problem!
Post by Jacco de Leeuw
This is standard PPP stuff, so we are starting to get a little bit
off-topic here.
...sorry, you are right!! :-)

Salvatore.
Jacco de Leeuw
2005-01-26 10:21:43 UTC
Post by sasa
...so if I have understood well (in my situation I have only one client), I can
lns-pppd-opts "debug refuse-pap require-chap 10.0.0.37:10.0.0.37 ...etc."
...and in this way the VPN client gets assigned the address 10.0.0.37?
And I don't have to use DHCP, RADIUS or anything else?
Yes, that's correct. (Except you should use 10.0.0.200:10.0.0.37 because
10.0.0.200 is your server and 10.0.0.37 is the IP address assigned to the
client).

Also make sure that the CHAP password is restricted for use
by that IP address 10.0.0.137 (in /etc/ppp/chap-secrets):

sasa * "yourpassword" 10.0.0.137

Jacco
--
Jacco de Leeuw mailto:***@dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
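Putting Jacco's corrections together, here is a consolidated single-client rp-l2tp /etc/l2tp/l2tp.conf. It is an added example assembled from the fragments in this thread, not a file anyone posted; it assumes the server end 10.0.0.200 and client address 10.0.0.37 agreed above and keeps the handler, listen and cmd settings from sasa's original.

```conf
[global]
load-handler "sync-pppd.so"
load-handler "cmd.so"
listen-port 1701
listen-addr 10.0.0.1

# rp-l2tp does not assign addresses itself: "server:client" in the pppd
# options fixes one static client address (10.0.0.37). For several clients,
# use "10.0.0.200:" and add "plugin radius.so" (or another pppd plugin that
# hands out addresses) instead of a second static pair.
section sync-pppd
lns-pppd-opts "debug refuse-pap require-chap 10.0.0.200:10.0.0.37 auth lcp-echo-interval 30 lcp-echo-failure 6 ms-dns 10.0.0.14"

# 'peer' is an allow-list of who may connect, not the assigned address:
# peer 0.0.0.0 with mask 0 accepts any client (mask was missing from the RPM).
# No 'secret' line: that would be an L2TP tunnel password; user
# authentication is CHAP against /etc/ppp/chap-secrets.
section peer
peer 0.0.0.0
mask 0
port 1701
lns-handler sync-pppd
hide-avps yes

section cmd
```

Pair it with a chap-secrets entry restricted to the client's address, as Jacco shows above, so the CHAP credential cannot be used from any other address.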
sasa
2005-01-24 13:24:11 UTC
Hi,
if I execute:

#usr/local/sbin/l2tpd start

I get no error; is this the right way?

...now, to use your rpm file, must I first do something to uninstall the previous installation made from the tar.gz file?
Post by Jacco de Leeuw
Post by sasa
I did not use the RPM file but the tar.gz file, and then
'./configure && make' and 'make install', and I had no errors.
Perhaps you are interested in some rp-l2tp RPMS?
http://www.jacco2.dds.nl/networking/SRPMS/rp-l2tp-0.4-1jdl.src.rpm
http://www.jacco2.dds.nl/networking/RPMS/FedoraCore2/rp-l2tp-0.4-1jdl.i386.rpm
Jacco de Leeuw
2005-01-24 22:07:47 UTC
Post by sasa
#usr/local/sbin/l2tpd start
I get no error; is this the right way?
Does the rp-l2tp install script install the executable
in /usr/sbin? If you don't get an error, what's the
problem then?
Post by sasa
...now, to use your rpm file, must I first do something
to uninstall the previous installation made from the tar.gz file?
There does not seem to be an uninstall in the Makefile. That's why
perhaps you might like the RPM. Or else you could run 'make install'
once again and reverse its actions (rm instead of install).

Jacco
--
Jacco de Leeuw mailto:***@dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
sasa
2005-01-25 22:28:57 UTC
Post by Jacco de Leeuw
Does the rp-l2tp install script install the executable
in /usr/sbin? If you don't get an error, what's the
problem then?
...when I execute:

#ps -ax|grep l2tp

I don't see the daemon.
Post by Jacco de Leeuw
There does not seem to be an uninstall in the Makefile. That's why
perhaps you might like the RPM. Or else you could run 'make install'
once again and reverse its actions (rm instead of install).
...with the rpm file, is there also an init script to start l2tp on boot?
Thanks again.

Salvatore.
Jacco de Leeuw
2005-01-25 23:29:06 UTC
Post by sasa
#ps -ax|grep l2tp
I don't see the daemon.
Then it failed to startup. Check the logs.
But why don't you use the RPM instead, if you have problems with
the tarball?
Post by sasa
...with the rpm file, is there also an init script to start l2tp on boot?
Yes, an init script for rp-l2tp is included in the RPM. It was made by
Alexandr D. Kanevskiy of ASPLinux.

Jacco
--
Jacco de Leeuw mailto:***@dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
Marcus Better
2005-01-18 08:53:35 UTC
Post by Paul Wouters
The router will then NAT the echo replies and send them to my client
- unencrypted!
And it should drop the packets, which it does not always do, as you can see.
The router, which is not even IPsec capable, has no reason to drop the
packets as far as I can see.
Post by Paul Wouters
Make the ipsec machine the default gateway,
I could, but I don't want to add another point of failure. Most hosts in
the subnet have no need for IPsec traffic, so it is unnecessary to
have the ipsec box as default gateway.

So I'm looking for a solution where the IPsec gateway is acting as
gateway only for IPsec traffic.

What if the IPsec client had a virtual IP address within the private
subnet. Then the gateway would do proxy-arp for that address, so it
would "catch" all traffic from the subnet to the IPsec client, right?

Thanks for all your help!

Marcus