FreeSWan: Can´t ping through tunnel

razametal · 05-06-2003, 12:32 PM

Hi

I am trying to set up Freeswan between two Redhat servers (9.0 and 7.3).

They both have static ip addresses and I am using the net-to-net connection. I have installed version 1.99 with x.509 support rpm's.

192.168.1.0/24 --> LINUX FIREWALL A /VPN ========= LINUX FIREWALL B/VPN <---- 192.168.3.0/24

The following is an example of my ipsec.conf file:

conn manicentro-merced
left=216.219.56.200
leftsubnet=192.168.1.0/24
leftid=@left.test.com
leftrsasigkey=0sAQNzsT5wkoF....
leftnexthop=216.219.56.1
right=216.219.56.119
rightsubnet=192.168.3.0/24
rightid=@right.test.com
rightrsasigkey=0sAQNQdzFuK...
rightnexthop=216.219.56.117
auto=add

I have turned off the rp_filter on the external interfaces for both servers.

I have opened up upd 500 and have entered the following rules for the ESP protocol to the end of the script:

# === >> VPN << === #

# === >> IKE << === #
iptables -A INPUT -p udp -i eth0 --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp -o eth0 --sport 500 --dport 500 -j ACCEPT

# === >> ESP << === #
iptables -A INPUT -p 50 -i eth0 -j ACCEPT
iptables -A OUTPUT -p 50 -o eth0 -j ACCEPT

# === >> AH << === #
iptables -A INPUT -p 51 -j ACCEPT
iptables -A OUTPUT -p 51 -j ACCEPT

When I start ipsec and bring up the tunnel, everything comes up fine and it indicates that the tunnel is stablished. However, I can not ping between the two subnets.

I think that it is a problem with my firewall script but I am not am iptables rules expert. Has anyone had any luck using freeswan with iptables? This is my first attempt with Freeswan and I would appreciate any help that could be offered.

Thank you,

td3201 · 05-06-2003, 01:57 PM

I recommend you try the opportnistic encryption support with 2.00 that was just released.

Is that your full IPTABLES script? Do you have a deny all rule someplace?

razametal · 05-07-2003, 09:33 AM

Hi.. i´ll test the oportunistic encryption that you are seggeting me.

I´ve this small firwall script:

#!/bin/sh

# Load required modules
depmod -a
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ipt_MASQUERADE
modprobe ipt_owner
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

# Then flush all rules
iptables -F
iptables -t nat -F

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "0" > /proc/sys/net/ipv4/conf/eth0/rp_filter

# Red Cyber 10.10.10.0 is the eth1 and 192.168.1.0 is the eth2
iptables -t nat -A POSTROUTING -d ! 10.10.10.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -s 192/8 -d ! 192/8 -j MASQUERADE

iptables -A FORWARD -s 10.10.10.0/24 -j ACCEPT
iptables -A FORWARD -d 10.10.10.0/24 -j ACCEPT
#iptables -A FORWARD -s ! 10.10.10.0/24 -j DROP

# port 113 is evil
iptables -A INPUT --protocol udp --source-port 113 -j DROP
iptables -A INPUT --protocol udp --destination-port 113 -j DROP

# Enmascaramiento
iptables -A INPUT -p ALL -s 216.219.56.16/28 -j ACCEPT
iptables -A INPUT -p ALL -d 216.219.56.16/28 -j ACCEPT
iptables -A FORWARD -p ALL -s 216.219.56.16/28 -j ACCEPT
iptables -A FORWARD -p ALL -d 216.219.56.16/28 -j ACCEPT
iptables -A OUTPUT -p ALL -s 216.219.56.16/28 -j ACCEPT
iptables -A OUTPUT -p ALL -d 216.219.56.16/28 -j ACCEPT
iptables -t nat -A PREROUTING -p ALL -s 216.219.56.16/28 -j ACCEPT
iptables -t nat -A PREROUTING -p ALL -d 216.219.56.16/28 -j ACCEPT
iptables -t nat -A POSTROUTING -p ALL -s 216.219.56.16/28 -j ACCEPT
iptables -t nat -A POSTROUTING -p ALL -d 216.219.56.16/28 -j ACCEPT

iptables -A INPUT -p ALL -s 216.219.56.32/27 -j ACCEPT
iptables -A INPUT -p ALL -d 216.219.56.32/27 -j ACCEPT
iptables -A FORWARD -p ALL -s 216.219.56.32/27 -j ACCEPT
iptables -A FORWARD -p ALL -d 216.219.56.32/27 -j ACCEPT
iptables -A OUTPUT -p ALL -s 216.219.56.32/27 -j ACCEPT
iptables -A OUTPUT -p ALL -d 216.219.56.32/27 -j ACCEPT
iptables -t nat -A PREROUTING -p ALL -s 216.219.56.32/27 -j ACCEPT
iptables -t nat -A PREROUTING -p ALL -d 216.219.56.32/27 -j ACCEPT
iptables -t nat -A POSTROUTING -p ALL -s 216.219.56.32/27 -j ACCEPT
iptables -t nat -A POSTROUTING -p ALL -d 216.219.56.32/27 -j ACCEPT

# === >> VPN << === #

# === >> IKE << === #
iptables -A INPUT -p udp -i eth0 --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp -o eth0 --sport 500 --dport 500 -j ACCEPT

# === >> ESP << === #
iptables -A INPUT -p 50 -i eth0 -j ACCEPT
iptables -A OUTPUT -p 50 -o eth0 -j ACCEPT

# === >> AH << === #
iptables -A INPUT -p 51 -j ACCEPT
iptables -A OUTPUT -p 51 -j ACCEPT

# Proxy
iptables -t nat -A PREROUTING -i eth1 -d ! 216.219.56.2 -p tcp --dport 80 -j RED
IRECT --to-port 8080

# END

razametal · 05-07-2003, 09:36 AM

This is my routing table on left:

netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
216.219.56.0 0.0.0.0 255.255.255.252 U 0 0 0 eth0
216.219.56.0 0.0.0.0 255.255.255.252 U 0 0 0 ipsec0
216.219.56.8 216.219.56.18 255.255.255.248 UG 0 0 0 eth1
216.219.56.16 0.0.0.0 255.255.255.240 U 0 0 0 eth1
216.219.56.32 0.0.0.0 255.255.255.224 U 0 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
10.10.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth2
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 216.219.56.1 128.0.0.0 UG 0 0 0 ipsec0
128.0.0.0 216.219.56.1 128.0.0.0 UG 0 0 0 ipsec0
0.0.0.0 216.219.56.1 0.0.0.0 UG 0 0 0 eth0

td3201 · 05-07-2003, 09:39 AM

First, simplify things and cut down your firewall to something extremely simple, like no filtering, just forward. Also, you dont need the '-p ALL' stuff, when you omit the -p, all is assumed.

razametal · 05-07-2003, 12:08 PM

Hi.. I got the tunnel with FreesWan 2.0 , but I can´t ping the two lans.

# ipsec auto --verbose --up manicentro-merced
002 "manicentro-merced" #3: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP
112 "manicentro-merced" #3: STATE_QUICK_I1: initiate
002 "manicentro-merced" #3: sent QI2, IPsec SA established
004 "manicentro-merced" #3: STATE_QUICK_I2: sent QI2, IPsec SA established

192.168.1.0/24 is manicentro
192.168.3.0/24 is merced

If I ping from 192.168.1.1 (is a manicentro terminal, not the firewall) to 192.168.3.9 (is a merced terminal, not the firewall) and make tcpdump -i ipsec0 on left, I get:

[..]
12:00:12.472632 carcesa.com > 192.168.3.9: icmp: echo request (DF)
[..]

This is my routing table on left:
netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
216.219.56.0 0.0.0.0 255.255.255.252 U 0 0 0 eth0
216.219.56.0 0.0.0.0 255.255.255.252 U 0 0 0 ipsec0
216.219.56.8 216.219.56.18 255.255.255.248 UG 0 0 0 eth1
216.219.56.16 0.0.0.0 255.255.255.240 U 0 0 0 eth1
216.219.56.32 0.0.0.0 255.255.255.224 U 0 0 0 eth1
192.168.3.0 216.219.56.1 255.255.255.0 UG 0 0 0 ipsec0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
10.10.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth2
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 216.219.56.1 128.0.0.0 UG 0 0 0 ipsec0
128.0.0.0 216.219.56.1 128.0.0.0 UG 0 0 0 ipsec0
0.0.0.0 216.219.56.1 0.0.0.0 UG 0 0 0 eth0

And the routing table on right:
netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
216.219.56.16 0.0.0.0 255.255.255.240 U 40 0 0 wlan0
216.219.56.16 0.0.0.0 255.255.255.240 U 40 0 0 ipsec0
10.10.10.0 0.0.0.0 255.255.255.240 U 40 0 0 eth0
192.168.3.0 0.0.0.0 255.255.255.0 U 40 0 0 eth0
192.168.1.0 216.219.56.17 255.255.255.0 UG 40 0 0 ipsec0
127.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 lo
0.0.0.0 216.219.56.17 128.0.0.0 UG 40 0 0 ipsec0
128.0.0.0 216.219.56.17 128.0.0.0 UG 40 0 0 ipsec0
0.0.0.0 216.219.56.17 0.0.0.0 UG 40 0 0 wlan0

razametal · 05-07-2003, 11:22 PM

Arghh...

what you think about openvpn ? ttp://openvpn.sf.net

Any 1 have tryed ?