Old 11-05-2015, 07:06 AM   #1
substancev
Question OpenSwan to Sonicwall: Site to Site VPN - Ubuntu 14.04


Please help. My Openswan configuration is establishing connections between my Linux server and the SonicWall. So as far as the SonicWall is concerned, the configuration is good. But still, I am unable to ping the local networks between the sites. So 10.1.1.1 can't ping 10.1.2.1 and vice versa.

Local Site (OpenSWAN)

Server: Ubuntu 14.04
Server IP: 10.1.1.1
Subnet: 255.255.255.0
External IP: 159.159.159.159

eth0 is WAN
eth1 is LAN

Remote Site (SonicWall)

Server IP: 10.1.2.1
Subnet: 255.255.255.0
External IP: 174.174.174.174

/etc/ipsec.conf:
Code:
# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        oe=off
        protostack=netkey
        fragicmp=no

conn PTWVPN

        left=159.159.159.159
        leftsourceip=10.1.1.1
        leftsubnet=10.1.1.0/24
        leftid=159.159.159.159
        right=174.174.174.174
        rightid=174.174.174.174
        rightsourceip=10.1.2.1
        rightsubnet=10.1.2.0/24
        type=tunnel
        auth=esp
        authby=secret
        ikelifetime=28800m
        rekeymargin=10m
        rekeyfuzz=0%
        keylife=28800s
        esp=3des-md5
        ike=3des-md5
        keyexchange=ike
        pfs=yes
        auto=start
/etc/ipsec.secret:
Code:
159.159.159.159 174.174.174.174: PSK "PASSWORD"
ipsec verify
Code:
$ sudo ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.38/K3.19.0-25-generic (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
    [OK]
    [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
iptables -vL -t nat
Code:
iptables -vL -t nat
Chain PREROUTING (policy ACCEPT 7672 packets, 527K bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain INPUT (policy ACCEPT 935 packets, 95840 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 372 packets, 26395 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain POSTROUTING (policy ACCEPT 321 packets, 22829 bytes)
 pkts bytes target     prot opt in     out     source               destination        
 6788  435K SNAT       all  --  any    eth0    anywhere             anywhere             to:159.159.159.159
ip r:
Code:
$ ip r
default via 159.159.159.1 dev eth0 
10.1.1.0/24 dev eth1  proto kernel  scope link  src 10.1.1.1 
10.1.2.0/24 dev eth0  scope link  src 10.1.1.1 
159.159.159.0/25 dev eth0  proto kernel  scope link  src 159.159.159.159

Last edited by substancev; 11-05-2015 at 07:46 AM.
 
Old 11-05-2015, 09:30 AM   #2
substancev
These configurations work. The problem was my IP address 10.1.1.1; it was supposed to be 10.1.1.2.


Now I'm able to ping from 10.1.2.0/24 network to 10.1.1.0/24 but not the other way around.
 
Old 11-05-2015, 09:37 AM   #3
substancev
Well I had a SNAT rule that I removed from iptables.

Now the ping works in both directions.

Now to secure the firewall. I guess this could close... sorry.
 
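The two findings in this thread, the `[FAILED]` IP-forwarding line in `ipsec verify` and the catch-all SNAT rule on eth0 that rewrote LAN traffic before the IPsec policy could match it, are the usual reasons a tunnel comes up but nothing crosses it. The script below is an added example, not the poster's configuration or anything from the Openswan project: it checks `net.ipv4.ip_forward`, reads an `iptables -vL -t nat` listing and flags a SNAT/MASQUERADE rule that precedes any exemption for the tunnel subnets, and prints the exemption rules to insert ahead of SNAT so Internet masquerading keeps working instead of being removed outright. The subnets are the thread's; the two NAT listings are constructed to look like the one posted; the `-m policy --dir out --pol ipsec` match is the iptables xt_policy extension.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks that match the symptoms above:
#  1. IP forwarding off (ipsec verify reported "[FAILED]"), so the server never
#     relays packets between eth1 and the tunnel.
#  2. A catch-all SNAT/MASQUERADE on eth0 rewriting the LAN source address before
#     the IPsec policy sees it, so 10.1.1.0/24 -> 10.1.2.0/24 never matches the SA.
# Instead of deleting the SNAT rule, an ACCEPT exemption placed before it keeps
# Internet access working while tunnel traffic leaves with its private source.

LOCAL_NET=10.1.1.0/24     # leftsubnet from the thread
REMOTE_NET=10.1.2.0/24    # rightsubnet from the thread

# forwarding_enabled [FILE]: succeed if net.ipv4.ip_forward is 1. FILE defaults to
# the real procfs node; another path is accepted so the check can run offline.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# tunnel_nat_ok LISTING LOCAL REMOTE: read the text of `iptables -vL -t nat` and
# succeed unless a catch-all SNAT/MASQUERADE rule comes before any ACCEPT rule that
# exempts LOCAL->REMOTE (by subnet, or by an xt_policy "pol ipsec" match).
tunnel_nat_ok() {
    printf '%s\n' "$1" | awk -v l="$2" -v r="$3" '
        BEGIN { exempt = 0; bad = 0 }
        # Column layout of -vL: pkts bytes target prot opt in out source destination ...
        $3 == "ACCEPT" && (($8 == l && $9 == r) || /pol ipsec/) { exempt = 1 }
        ($3 == "SNAT" || $3 == "MASQUERADE") && $8 == "anywhere" && $9 == "anywhere" && !exempt { bad = 1; exit }
        END { exit bad }'
}

# nat_exemption_rules LOCAL REMOTE: print the iptables commands that insert the
# exemption at position 1 of POSTROUTING, ahead of the existing SNAT rule.
nat_exemption_rules() {
    printf 'iptables -t nat -I POSTROUTING 1 -s %s -d %s -j ACCEPT\n' "$1" "$2"
    printf '# alternative that covers every IPsec policy without listing subnets:\n'
    printf 'iptables -t nat -I POSTROUTING 1 -m policy --dir out --pol ipsec -j ACCEPT\n'
}

# Constructed listings in the format the thread shows (not real captures).
NAT_BROKEN='Chain POSTROUTING (policy ACCEPT 321 packets, 22829 bytes)
 pkts bytes target     prot opt in     out     source               destination
 6788  435K SNAT       all  --  any    eth0    anywhere             anywhere             to:159.159.159.159'

NAT_FIXED='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    any     10.1.1.0/24          10.1.2.0/24
 6788  435K SNAT       all  --  any    eth0    anywhere             anywhere             to:159.159.159.159'

# report LISTING: print a diagnosis for one NAT listing (used by the demo run below).
report() {
    if tunnel_nat_ok "$1" "$LOCAL_NET" "$REMOTE_NET"; then
        echo "NAT: tunnel traffic $LOCAL_NET -> $REMOTE_NET is not rewritten"
    else
        echo "NAT: a catch-all SNAT/MASQUERADE precedes any exemption; insert:"
        nat_exemption_rules "$LOCAL_NET" "$REMOTE_NET" | sed 's/^/    /'
    fi
}

if forwarding_enabled; then
    echo "ip_forward: on"
else
    echo "ip_forward: off (sysctl -w net.ipv4.ip_forward=1, and persist it in /etc/sysctl.conf)"
fi
report "$NAT_BROKEN"
report "$NAT_FIXED"
```

Run it as root on the Openswan host and feed `tunnel_nat_ok` the live output of `iptables -vL -t nat` instead of the constructed listings; the subnet-based exemption is the narrower choice when only one tunnel exists, while the xt_policy match stays correct as further conns are added.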
Old 11-05-2015, 08:02 PM   #4
ansisys
Quote:
Originally Posted by substancev View Post
Well I had a SNAT rule that I removed from iptables.

Now the ping works in both directions.

Now to secure the firewall.. I guess this could close ... sorry
To get the exact picture of the setup, do you have screenshots of the config from the SonicWall device that you could share, please? I've got an SNWL too, and I'd like to compare with my settings, as my VPN setup doesn't seem to be working at all. I'm wondering which exact options you have chosen so it works with your Openswan ones.