[Openswan Users] multiple subnets ?
Indunil Jayasooriya
2008-06-25 09:54:05 UTC
Hi Users,

I am testing a VPN setup with Openswan on a CentOS 5 server. I have
installed the RPM package below.

openswan-2.4.9-2.el5.kb.i386.rpm

On my side, I have only one subnet, which is the leftsubnet.
But on the other side, there are 4 subnets. I added those 4 subnets to
rightsubnet. Please see my /etc/ipsec.conf file for it.

Here is my ipsec.conf file:



[***@box ~]# cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=all
        plutodebug=all

conn tunnelipsec
        type=tunnel
        left=1.2.3.4
        leftsubnet=192.168.1.0/24
        right=5.6.7.8
        rightsubnet=10.10.49.0/24
        rightsubnet=192.168.46.0/24
        rightsubnet=192.168.50.0/24
        rightsubnet=192.168.55.0/24
        esp=3des-md5
        authby=secret
        keyexchange=ike
        pfs=no
        auto=start

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf


After restarting the service, I get the error below.
It says

duplicated parameter "rightsubnet"

Please see below:

tail -f /var/log/messages

Jun 25 15:16:31 localhost ipsec__plutorun: ipsec_auto: fatal error in
"tunnelipsec": (/etc/ipsec.conf, line 42) duplicated parameter
"rightsubnet"

Can't Openswan have 4 subnets? If so, is there another package for it?

Please let me know ASAP.
--
Thank you
Indunil Jayasooriya
Wolfgang Kueter
2008-06-25 10:18:15 UTC
Post by Indunil Jayasooriya
On my side, I have only one subnet, which is the leftsubnet.
But on the other side, there are 4 subnets. I added those 4 subnets to
rightsubnet. Please see my /etc/ipsec.conf file for it.
Here is my ipsec.conf file:
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
interfaces=%defaultroute
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=all
plutodebug=all
conn tunnelipsec
type=tunnel
left=1.2.3.4
leftsubnet=192.168.1.0/24
right=5.6.7.8
rightsubnet=10.10.49.0/24
rightsubnet=192.168.46.0/24
rightsubnet=192.168.50.0/24
rightsubnet=192.168.55.0/24
esp=3des-md5
authby=secret
keyexchange=ike
pfs=no
auto=start
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
After restarting the service, I get the error below.
It says
duplicated parameter "rightsubnet"
Correct, this doesn't work; instead you have to configure 4 separate
tunnels to the same gateway.

Something like this works for me with two networks on the other side of
the tunnel, and it should work with 4 as well:

conn tunnelipsec1
        type=tunnel
        left=1.2.3.4
        leftsubnet=192.168.1.0/24
        right=5.6.7.8
        rightsubnet=10.10.49.0/24
        esp=3des-md5
        authby=secret
        keyexchange=ike
        pfs=no
        auto=start

conn tunnelipsec2
        type=tunnel
        left=1.2.3.4
        leftsubnet=192.168.1.0/24
        right=5.6.7.8
        rightsubnet=192.168.46.0/24
        esp=3des-md5
        authby=secret
        keyexchange=ike
        pfs=no
        auto=start

conn tunnelipsec3
        type=tunnel
        left=1.2.3.4
        leftsubnet=192.168.1.0/24
        right=5.6.7.8
        rightsubnet=192.168.50.0/24
        esp=3des-md5
        authby=secret
        keyexchange=ike
        pfs=no
        auto=start

conn tunnelipsec4
        type=tunnel
        left=1.2.3.4
        leftsubnet=192.168.1.0/24
        right=5.6.7.8
        rightsubnet=192.168.55.0/24
        esp=3des-md5
        authby=secret
        keyexchange=ike
        pfs=no
        auto=start
Post by Indunil Jayasooriya
Can't OpenSwan have 4 subnets?
It can but you have to configure separate tunnels.

Wolfgang
Indunil Jayasooriya
2008-06-25 11:12:43 UTC
Hi,

Thanks for your quick response. As you mentioned, I added 4 separate
tunnels to my Linux box where Openswan is running.

Then I restarted the service. Now I do not get such an error.
A FEW seconds later, I checked the status with the command below.

[***@firewall etc]# /etc/init.d/ipsec status
IPsec running - pluto pid: 12587
pluto pid 12587
2 tunnels up

It said 2 tunnels up.
Now the question is, why does it say 2 tunnels up when I have 4 tunnels
in the ipsec.conf file?

But after 10 minutes, it said 3 tunnels up. It took about 10 minutes
for the 3rd tunnel to come up.
Why is that?

But the 4th tunnel has not come up yet. I am still waiting for it.


In addition to that, I can see the line below after this command:

tail -f /var/log/messages

Jun 25 16:00:24 firewall ipsec__plutorun: ...could not start conn "tunnelipsec1"

This is the full output:

[***@firewall etc]# tail -f /var/log/messages
Jun 25 15:50:17 firewall ipsec__plutorun: 104 "tunnelipsec1" #1:
STATE_MAIN_I1: initiate
Jun 25 15:50:17 firewall ipsec__plutorun: ...could not start conn "tunnelipsec1"
Jun 25 16:00:23 firewall kernel: NET: Unregistered protocol family 15
Jun 25 16:00:23 firewall ipsec_setup: ...Openswan IPsec stopped
Jun 25 16:00:23 firewall kernel: NET: Registered protocol family 15
Jun 25 16:00:23 firewall kernel: padlock: VIA PadLock not detected.
Jun 25 16:00:23 firewall ipsec_setup: NETKEY on eth1
220.247.213.202/255.255.255.240 broadcast 220.247.213.207
Jun 25 16:00:23 firewall ipsec_setup: ...Openswan IPsec started
Jun 25 16:00:24 firewall ipsec__plutorun: 104 "tunnelipsec1" #1:
STATE_MAIN_I1: initiate
Jun 25 16:00:24 firewall ipsec__plutorun: ...could not start conn "tunnelipsec1"

Help needed....


--
Thank you
Indunil Jayasooriya
Wolfgang Kueter
2008-06-25 12:10:12 UTC
On Wed, 25 Jun 2008, Indunil Jayasooriya wrote:

Hello
Thanks for your quick response. As you mentioned, I added 4 separate
tunnels to my Linux box where Openswan is running.
Then I restarted the service. Now I do not get such an error.
A FEW seconds later, I checked the status with the command below.
IPsec running - pluto pid: 12587
pluto pid 12587
2 tunnels up
It said, 2 tunnels up.
Now, the question is, why it says 2 tunnels up, when I have 4 tunnels
in ipsec.conf file?
Simply because a tunnel will not be established unless there is traffic
between the subnets at the ends of the tunnel.

You can however create a tunnel manually by

ipsec auto --up <name_of_the_tunnel>
But, after 10 minutes, it said, 3 tunnels up. it took about 10 minutes
to come up the 3 rd tunnel.
Why is that?
See above: either create traffic by sending packets to the subnet at the
other end of the tunnel, or establish the tunnel manually.
but, yet 4 th tunnel has not come up. I am still waiting for it.
No tunnel unless data is sent to the subnet on the other side or coming
from there.

Wolfgang
Paul Wouters
2008-06-25 17:02:37 UTC
Post by Wolfgang Kueter
Post by Indunil Jayasooriya
But, after 10 minutes, it said, 3 tunnels up. it took about 10 minutes
to come up the 3 rd tunnel.
Why is that?
The logs will tell you.
Post by Wolfgang Kueter
Post by Indunil Jayasooriya
but, yet 4 th tunnel has not come up. I am still waiting for it.
No tunnel unless data is sent to the subnet on the other side or coming
from there.
Not if you use auto=start. Then tunnels are set up straight away.

Paul
Indunil Jayasooriya
2008-06-26 03:06:26 UTC
Post by Wolfgang Kueter
You can however create a tunnel manually by
ipsec auto --up <name_of_the_tunnel>
Thanks for the above command. I did it, and I was able to bring up the
remaining tunnels.
Now all 4 tunnels are up. But I still cannot ping the 4 subnets on the
other side.

Could you please explain why?

I did a traceroute as well. It went through the usual (default route)
path up to a certain extent, but not to the destination. That
traffic did NOT GO through the VPN tunnel. I think if I can route
that traffic via the VPN, I will be able to ping it.

That's the current status of the setup. I hope you will be able to
give some instructions to go beyond this point.

Please NOTE: the VPN device on the other side is a CISCO VPN Concentrator 3000.

The VPN device on this side is a CentOS 5 box with 3 network cards. I have
enabled routing with the line below in /etc/sysctl.conf:

net.ipv4.ip_forward = 1


Hope to hear from you.
--
Thank you
Indunil Jayasooriya
Paul Wouters
2008-06-26 05:18:35 UTC
Post by Indunil Jayasooriya
Post by Wolfgang Kueter
ipsec auto --up <name_of_the_tunnel>
Thanks for the above command. I did it. I was able to bring up the
remaining tunnels.
auto=start should cause the same results....
Post by Indunil Jayasooriya
Now all 4 tunnels are up. But I still cannot ping the 4 subnets on the
other side.
Could you please explain why?
firewalling? routing? natting? rp_filter?

what does ipsec verify say?
Post by Indunil Jayasooriya
I did traceroute as well.
Traceroute is a very bad tool to use in combination with IPsec.
Post by Indunil Jayasooriya
Pls NOTE: The other side VPN device is CISCO VPN Concentraotor 3000.
Should not be a problem.

Paul
Indunil Jayasooriya
2008-06-26 05:43:33 UTC
Post by Paul Wouters
auto=start should cause the same results....
Thanks for it.
Post by Paul Wouters
Post by Indunil Jayasooriya
Now all 4 tunnels are up. But I still cannot ping the 4 subnets on the
other side.
Could you please explain why?
firewalling? routing? natting? rp_filter?
It is a firewall with a lot of rules. It has 3 network cards. NATting is DONE.

rp_filter is set to 1.
Post by Paul Wouters
what does ipsec verify say?
Please see below:

[***@firewall etc]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.9/K2.6.18-8.el5 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]

Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]

Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
Post by Paul Wouters
Post by Indunil Jayasooriya
I did traceroute as well.
Traceroute is a very bad tool to use in combination with IPsec.
Then, can you recommend a good tool instead?

The ifconfig command shows the USUAL IP addresses. It does NOT show any tunnel?

Could you please explain why I cannot ping their subnets.

What are the areas I will have to look into?

Hope to hear from you ASAP.

--
Thank you
Indunil Jayasooriya
Peter McGill
2008-06-26 13:39:25 UTC
Indunil,

Did you exempt your ipsec traffic from your nat rules?
It is a common mistake to forget this, and would cause the
traffic to use the internet route instead of the tunnel.

For example, if you have local: 192.168.1.0/24,
remote: 192.168.2.0/24 & 192.168.3.0/24,
and eth0 as the internet interface,
then you probably have the following NAT rule:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
You need the following two rules before it:
iptables -t nat -A POSTROUTING -o eth0 -d 192.168.2.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -d 192.168.3.0/24 -j ACCEPT

Peter McGill
IT Systems Analyst
Gra Ham Energy Limited
-----Original Message-----
Sent: June 26, 2008 1:44 AM
To: Paul Wouters
Subject: Re: [Openswan Users] multiple subnets ?
Indunil Jayasooriya
2008-06-27 06:11:36 UTC
Post by Peter McGill
Indunil,
Did you exempt your ipsec traffic from your nat rules?
It is a common mistake to forget this, and would cause the
traffic to use the internet route instead of the tunnel.
For example, if you have local: 192.168.1.0/24,
remote: 192.168.2.0/24 & 192.168.3.0/24,
and eth0 internet interface.
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -d 192.168.2.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -d 192.168.3.0/24 -j ACCEPT
Hi,

We have SNAT rules like below. Not for the whole LAN, but for about 10 IPs,
one by one.


iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.2 -j SNAT
--to-source 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.9 -j SNAT
--to-source 1.2.3.4

Anyway, I put the 4 rules below before those lines:

iptables -t nat -A POSTROUTING -o eth1 -d 196.4.49.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 196.4.51.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 10.10.99.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 10.10.250.0/24 -j ACCEPT


Still no luck.

Then I added the 4 lines below after the above 4 lines as well. Still the same.


iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d \!
196.4.49.0/24 -j SNAT --to-source 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d \!
196.4.51.0/24 -j SNAT --to-source 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d \!
10.10.99.0/24 -j SNAT --to-source 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d \!
10.10.250.0/24 -j SNAT --to-source 2.2.3.4


I added the lines below to sysctl.conf as well:


net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0

Now ipsec verify gives the output below:

[***@firewall etc]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.9/K2.6.18-8.el5 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]


But we still cannot ping their 4 networks.


Further help is needed to solve this.


Hope to hear from you.


--
Thank you
Indunil Jayasooriya
Peter McGill
2008-06-27 14:33:36 UTC
-----Original Message-----
Sent: June 27, 2008 2:12 AM
Subject: Re: [Openswan Users] multiple subnets ?
On Thu, Jun 26, 2008 at 7:09 PM, Peter McGill
Post by Peter McGill
Indunil,
Did you exempt your ipsec traffic from your nat rules?
It is a common mistake to forget this, and would cause the
traffic to use the internet route instead of the tunnel.
For example, if you have local: 192.168.1.0/24,
remote: 192.168.2.0/24 & 192.168.3.0/24,
and eth0 internet interface.
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j
MASQUERADE
Post by Peter McGill
iptables -t nat -A POSTROUTING -o eth0 -d 192.168.2.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -d 192.168.3.0/24 -j ACCEPT
Hi,
We have SNAT rules like below. Not for the whole LAN, but for about 10 IPs,
one by one.
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.2 -j SNAT
--to-source 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.9 -j SNAT
--to-source 1.2.3.4
Anyway, I put the 4 rules below before those lines:
iptables -t nat -A POSTROUTING -o eth1 -d 196.4.49.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 196.4.51.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 10.10.99.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 10.10.250.0/24 -j ACCEPT
You need these; keep them.
Still no luck.
Then I added the 4 lines below after the above 4 lines as well.
Still the same.
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d \!
196.4.49.0/24 -j SNAT --to-source 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d \!
196.4.51.0/24 -j SNAT --to-source 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d \!
10.10.99.0/24 -j SNAT --to-source 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d \!
10.10.250.0/24 -j SNAT --to-source 2.2.3.4
These do absolutely nothing; you should remove them.
A) The 4 rules I told you to keep will match first and prevent the packets from going further.
B) If you only had these rules then the first rule would match negating the next three.
I added below lines to sysctl.conf: as well
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
Now ipsec verify gives the output below:
Checking your system to see if IPsec got installed and
Version check and ipsec on-path [OK]
Linux Openswan U2.4.9/K2.6.18-8.el5 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets)
[DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support
[DISABLED]
But we still cannot ping their 4 networks.
Further help is needed to solve this.
Hope to hear from you.
--
Thank you
Indunil Jayasooriya
Could you attach an ipsec barf > ipsec_barf.txt please?
Also include a description of your ping tests and results in the email.
What host/ip are you pinging from, what host/ips are you pinging to?

Peter McGill
IT Systems Analyst
Gra Ham Energy Limited
Indunil Jayasooriya
2008-06-28 03:06:06 UTC
Post by Peter McGill
Post by Indunil Jayasooriya
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d \!
196.4.49.0/24 -j SNAT --to-source 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d \!
196.4.51.0/24 -j SNAT --to-source 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d \!
10.10.99.0/24 -j SNAT --to-source 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d \!
10.10.250.0/24 -j SNAT --to-source 2.2.3.4
These do absolutely nothing you should remove them.
I removed them. You are great.

Yes, I got the VPN up and running. Now I can ping the 4 networks on the other side.
Thanks very much for it.

The 4 rules below did the job (AS you said):

iptables -t nat -A POSTROUTING -o eth1 -d 196.4.49.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 196.4.51.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 10.10.99.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -d 10.10.250.0/24 -j ACCEPT


So far, we added whole networks to the ipsec.conf file. Now I want to add
one IP address to rightsubnet in the ipsec.conf file. The IP address is
10.254.6.172/32. I have already added it in this way; please see below:


conn tunnelipsec5
        type=tunnel
        left=1.2.3.4
        leftsubnet=192.168.1.0/24
        right=5.6.7.8
        rightsubnet=10.254.6.172/32
        esp=3des
        authby=secret
        keyexchange=ike
        pfs=no
        auto=start


In addition to that, I added the rule below in the firewall after the other 4 rules:

iptables -t nat -A POSTROUTING -o eth1 -d 10.10.250.0/24 -j ACCEPT

Am I right?

I currently have the rules below in sysctl.conf. Are they needed?

Please let me know.


net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0



Peter and Paul, thanks for the help you have given me. You are geniuses.

Hope to hear from you.


Thank you
Indunil Jayasooriya
Peter McGill
2008-06-30 14:07:12 UTC
Indunil,

I assume you meant to do:
iptables -t nat -A POSTROUTING -o eth1 -d 10.254.6.172/32 -j ACCEPT
Which would be correct.

I would keep the sysctl.conf changes suggested by Paul.
Without them you may experience similar or other problems.

Peter McGill
IT Systems Analyst
Gra Ham Energy Limited
-----Original Message-----
Sent: June 27, 2008 11:06 PM
Subject: Re: [Openswan Users] multiple subnets ?
Paul Wouters
2008-06-30 15:46:19 UTC
Post by Peter McGill
iptables -t nat -A POSTROUTING -o eth1 -d 10.254.6.172/32 -j ACCEPT
Which would be correct.
Shouldn't that be "-j RETURN" ?

Paul
Peter McGill
2008-06-30 16:22:30 UTC
I used to suggest -j RETURN; I do not recall why
I started suggesting -j ACCEPT, but both should work.
Logically, -j RETURN results in an implicit ACCEPT,
since that is the policy for the nat POSTROUTING chain.

Peter McGill
IT Systems Analyst
Gra Ham Energy Limited
-----Original Message-----
Sent: June 30, 2008 11:46 AM
To: Peter McGill
Subject: RE: [Openswan Users] multiple subnets ?
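The NAT-exemption ordering Peter explains above (the four "-d <remote> -j ACCEPT" rules must come before the SNAT rules, and the "-d ! <subnet> -j SNAT" rules are shadowed), together with his RETURN-versus-ACCEPT remark, can be checked against a small first-match model of the nat POSTROUTING chain. This is an added example, not code from the thread or from Openswan; the parser is a toy that understands only the iptables options used in the thread, and the rule strings are constructed copies of what was posted.

```python
"""First-match model of the iptables nat POSTROUTING chain (toy, not iptables)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Targets that end chain traversal for a packet; SNAT/MASQUERADE are terminal in nat.
TERMINAL = {"ACCEPT", "DROP", "SNAT", "MASQUERADE"}


@dataclass
class Rule:
    out_if: Optional[str]
    src: Optional[ipaddress.IPv4Network]
    dst: Optional[ipaddress.IPv4Network]
    dst_negated: bool
    target: str


def parse_rule(line: str) -> Rule:
    """Parse -o, -s, -d (with "!" or shell-escaped "\\!" negation) and -j.
    Everything else (-t nat, -A POSTROUTING, --to-source x) is skipped."""
    toks = line.replace("\\!", "!").split()
    out_if = src = dst = target = None
    dst_negated = False
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-o":
            out_if = toks[i + 1]
            i += 2
        elif t == "-s":
            src = ipaddress.ip_network(toks[i + 1], strict=False)
            i += 2
        elif t == "-d":
            if toks[i + 1] == "!":
                dst_negated = True
                i += 1
            dst = ipaddress.ip_network(toks[i + 1], strict=False)
            i += 2
        elif t == "-j":
            target = toks[i + 1]
            i += 2
        else:
            i += 1
    if target is None:
        raise ValueError("rule has no -j target: " + line)
    return Rule(out_if, src, dst, dst_negated, target)


def matches(rule: Rule, out_if: str, src: str, dst: str) -> bool:
    if rule.out_if is not None and rule.out_if != out_if:
        return False
    if rule.src is not None and ipaddress.ip_address(src) not in rule.src:
        return False
    if rule.dst is not None:
        in_dst = ipaddress.ip_address(dst) in rule.dst
        if in_dst == rule.dst_negated:  # "-d X" needs in_dst, "-d ! X" needs not in_dst
            return False
    return True


def postrouting_verdict(rules: List[str], out_if: str, src: str, dst: str,
                        policy: str = "ACCEPT") -> Tuple[str, Optional[int]]:
    """Walk the chain top to bottom; the first matching terminal rule decides.
    RETURN in a built-in chain hands the packet to the chain policy (ACCEPT by
    default), which is why -j RETURN and -j ACCEPT behave alike here.
    Returns (verdict, index of the deciding rule, or None if the policy applied)."""
    for idx, text in enumerate(rules):
        rule = parse_rule(text)
        if not matches(rule, out_if, src, dst):
            continue
        if rule.target == "RETURN":
            return policy, idx
        if rule.target in TERMINAL:
            return rule.target, idx
    return policy, None


# Constructed copies of the rules posted in the thread.
REMOTE = ["196.4.49.0/24", "196.4.51.0/24", "10.10.99.0/24", "10.10.250.0/24"]
EXEMPT = ["iptables -t nat -A POSTROUTING -o eth1 -d %s -j ACCEPT" % n for n in REMOTE]
SNAT = ["iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.2 -j SNAT --to-source 1.2.3.4",
        "iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.9 -j SNAT --to-source 1.2.3.4"]
SHADOWED = ["iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d \\! %s -j SNAT --to-source 1.2.3.4" % n
            for n in REMOTE]


def lan_host_verdict(rules: List[str], dst: str) -> Tuple[str, Optional[int]]:
    """Verdict for a packet from LAN host 192.168.1.2 leaving eth1 toward dst."""
    return postrouting_verdict(rules, "eth1", "192.168.1.2", dst)


if __name__ == "__main__":
    print("SNAT before exemptions, tunnel dst:", lan_host_verdict(SNAT + EXEMPT, "196.4.49.10"))
    print("exemptions first, tunnel dst      :", lan_host_verdict(EXEMPT + SNAT, "196.4.49.10"))
    print("exemptions first, internet dst    :", lan_host_verdict(EXEMPT + SNAT, "203.0.113.7"))
    print("'-d !' SNAT rules alone           :", lan_host_verdict(SHADOWED, "196.4.51.5"))
```

With the SNAT rules first, a packet for a tunnel subnet is rewritten to 1.2.3.4 and never matches the IPsec policy; with the exemptions first it leaves untouched, while internet-bound traffic is still SNATed. The "-d !" rules on their own SNAT every tunnel destination, because each packet for one remote subnet matches the negated rule for a different subnet.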
Indunil Jayasooriya
2008-07-01 02:48:51 UTC
Post by Peter McGill
iptables -t nat -A POSTROUTING -o eth1 -d 10.254.6.172/32 -j ACCEPT
Which would be correct.
Okay, thanks for it.
Post by Peter McGill
I would keep the sysctl.conf changes suggested by Paul.
Without them you may experience similar or other problems.
Thanks again.
--
Thank you
Indunil Jayasooriya
Paul Wouters
2008-06-26 20:30:40 UTC
Post by Indunil Jayasooriya
rp_filter is set to 1.
Unset it. rp_filter is a feature that should be killed off.
Post by Indunil Jayasooriya
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Add to sysctl.conf:

net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
Post by Indunil Jayasooriya
Post by Paul Wouters
Traceroute is a very bad tool to use in combination with IPsec.
Then, Can you recommnad a good tool instead?
If checking on the first IKE packet, you can use ikeping. If checking
on subsequent IKE packets, use the logs on both ends. For checking
packets, the best is just tcpdump, preferably not on the machine itself
(because NETKEY confuses things).
Post by Indunil Jayasooriya
Command ifconfig shows the USUAL ip addresses. It does NOT show any tunnel?
That is correct. ipsec0 interfaces only appear with KLIPS, and you are
using NETKEY.
Post by Indunil Jayasooriya
Could you pls expalin why I can not ping their subnets.
That I don't know without more information. Try the above fixes.
Post by Indunil Jayasooriya
What are the areas I will have to look in to it ?
If your clients do not have the VPN server in their "default path",
then you need to add some routing on them.

Be VERY sure you're not accidentally NATing IPsec packets. The digital
signatures would be broken and packets would be dropped (on NETKEY
silently; on KLIPS silently too, but you can define klipsdebug to make it
log those).

Paul