Old 03-27-2008, 11:21 AM   #1
Thakowbbery
Member
 
Registered: Mar 2005
Posts: 138

Rep: Reputation: 17
OpenSwan VPN only works in one direction


Noon,

Both ends of the VPN are configured as follows:

- Suse 10.1 - Openswan 2.4.4
- Debian 4.0 - Openswan 2.4.6

The Suse end has a VPN with other 2 places, and the VPN for those places works fine (both of them are also Suse 10.1 with Openswan 2.4).

The VPN between the Suse and Debian only works in one direction (the Suse side can access anything on the Debian side, but not the opposite).

The connection config in both ipsec.conf files is as follows:

Quote:
Debian (right):
conn X
left=x.x.x.x
leftsubnet=192.168.0.0/23
leftnexthop=%defaultroute
leftrsasigkey=xxxxx...
right=y.y.y.y
rightsubnet=192.168.7.0/24
rightnexthop=%defaultroute
rightrsasigkey=yyyyy...
auto=start

Suse (left):
conn X
left=x.x.x.x
leftsubnet=192.168.0.0/23
leftnexthop=%defaultroute
leftrsasigkey=xxxxx...
right=y.y.y.y
rightsubnet=192.168.7.0/24
rightnexthop=%defaultroute
rightrsasigkey=yyyyy...
auto=add

ipsec verify for both ends:

Quote:
Debian:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.6/K2.6.18-5-486 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

Suse:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.4/K2.6.16.21-0.25-smp (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'curl' command for CRL fetching [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]
Opportunistic Encryption Support [DISABLED]

The VPN has been established (the proof being that the left end can access everything in the right end, and if I kill the IPsec daemon, the connection is killed) and everything seems just fine.
Already removed openswan and installed it again in Debian, and got the same result, even with a different key.

Please, I need help with that, urgent.

Thank you very much
 
Old 03-27-2008, 12:06 PM   #2
Thakowbbery
Member
 
Registered: Mar 2005
Posts: 138

Original Poster
Rep: Reputation: 17
Some tests that didn't work:

Changed all policies in iptables to ACCEPT (INPUT, OUTPUT, FORWARD) = didn't work
Mass SNAT (iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -j SNAT --to y.y.y.y) = didn't work either
Both of the above at the same time = didn't work

Created some logs in iptables and checked tcpdump.
Apparently, when there's a connection attempt from inside network 192.168.7.0/24 to 192.168.0.0/23, there's no ESP traffic in my VPN. When I do the opposite (192.168.0.0/23 --> 192.168.7.0/24), there is.
 
Old 03-27-2008, 01:15 PM   #3
Thakowbbery
Member
 
Registered: Mar 2005
Posts: 138

Original Poster
Rep: Reputation: 17
Well
Once again, I discovered it just a few minutes after posting here XD
Man, this forum is magical, hauehauehaueh

The last person who took care of the Debian firewall had a massive SNAT rule (-s internal_network -j SNAT --to external_IP).
That was not allowing the traffic from inside the network to enter the VPN. Instead, it was trying to go directly to the internet.
So, I did the following:

iptables -t nat -I POSTROUTING -s 192.168.7.0/24 -d 192.168.0.0/23 -j ACCEPT

That way the connections would not be "nated" and now they're going right into the VPN.
Full connection
 
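The root cause in post #3 is rule ordering in the nat POSTROUTING chain: NETKEY matches the post-NAT source address against the IPsec policy selector, so a catch-all SNAT rewrites the LAN source before the tunnel policy is consulted. The following added example (not from the thread, and not Openswan or iptables code) models that first-match evaluation with the two rule orderings; the external address 198.51.100.7 is a constructed placeholder for y.y.y.y.

```python
"""Model of why a catch-all SNAT in nat/POSTROUTING keeps LAN traffic out of
an IPsec tunnel, and why an ACCEPT exclusion inserted ahead of it fixes that.

Constructed example: rules are evaluated with iptables' first-match semantics,
then the post-NAT addresses are checked against the SPD selector that the
leftsubnet/rightsubnet lines in ipsec.conf produce.
"""
import ipaddress

EXTERNAL_IP = "198.51.100.7"   # constructed placeholder for y.y.y.y
LAN = ipaddress.ip_network("192.168.7.0/24")
REMOTE = ipaddress.ip_network("192.168.0.0/23")

# IPsec policy selector (SPD entry) for the tunnel: LAN -> REMOTE.
SPD = [(LAN, REMOTE)]


def nat_postrouting(rules, src, dst):
    """First matching rule wins, as in iptables. Returns the post-NAT source.
    Each rule is (src_net, dst_net or None, target), target 'ACCEPT' or 'SNAT'."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, target in rules:
        if src_ip in src_net and (dst_net is None or dst_ip in dst_net):
            return EXTERNAL_IP if target == "SNAT" else src
    return src  # no rule matched: source unchanged


def enters_tunnel(rules, src, dst):
    """True if the packet still matches an SPD selector after POSTROUTING NAT,
    i.e. NETKEY will encapsulate it in ESP instead of routing it in clear."""
    post_src = ipaddress.ip_address(nat_postrouting(rules, src, dst))
    dst_ip = ipaddress.ip_address(dst)
    return any(post_src in s and dst_ip in d for s, d in SPD)


# What the previous admin left: -s 192.168.7.0/24 -j SNAT --to <external IP>
BROKEN = [(LAN, None, "SNAT")]

# The fix from the thread, inserted with -I so it runs before the SNAT:
# iptables -t nat -I POSTROUTING -s 192.168.7.0/24 -d 192.168.0.0/23 -j ACCEPT
FIXED = [(LAN, REMOTE, "ACCEPT")] + BROKEN

# Same two rules, but the ACCEPT appended with -A: evaluated too late.
WRONG_ORDER = BROKEN + [(LAN, REMOTE, "ACCEPT")]
```

Internet-bound traffic from the LAN (for example to 203.0.113.5) is still SNATed under FIXED, since only the VPN destination is excluded.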