Thread: ipsec / l2tpd + iptables ?




ipsec / l2tpd + iptables ?
user name
2006-11-27 18:02:34
Hi everybody,

I'm French, so please forgive me for my bad English.

I've installed Openswan 2.4.7 to build a VPN gateway for
Windows XP Pro SP2 clients.

The connection is established, but when it's done, I have no access
to the internet. I have no ipsecx interface (kernel 2.6.18), and I'm searching for how to resolve
the problem.

On my server I have 3 interfaces:
- eth0: public IP (88....)
- eth0:0: 172.16.7.7 (internal interface for bind)
- pppx: corresponds to the client interface when the connection is established;
  on this interface, the IP of l2tpd is 172.16.7.30

--> NO FIREWALL (I'll enable it when everything works)

How can I resolve my problem and get internet access when I'm connected
over the VPN?


Thanks for your help.

azer.
ipsec / l2tpd + iptables ?
user name
2006-11-27 18:30:47
On Mon, 27 Nov 2006, Reza ISSANY wrote:

> I'm French, so please forgive me for my bad English.
>
> I've installed Openswan 2.4.7 to build a VPN gateway for
> Windows XP Pro SP2 clients.
>
> The connection is established, but when it's done, I have no access
> to the internet. I have no ipsecx interface (kernel 2.6.18), and I'm searching for how
> to resolve the problem.

You might have forgotten to include /etc/ipsec.d/examples/no_oe.conf?

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
_______________________________________________
Users@openswan.org
http://lists.openswan.org/mailman/listinfo/users
ipsec / l2tpd + iptables ?
user name
2006-11-27 19:30:28
No, this is my config :

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces="ipsec0=eth0"
        nat_traversal=yes
        virtual_private=%v4:!172.16.7.0/16,%v4:192.168.7.0/24
        klipsdebug=none
        plutodebug=all

conn %default
        left=88.191.35.181

# Add connections here
conn xp
        keyingtries=1
        compress=no
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        leftcert=integration.pem
        leftprotoport=17/1701
        leftnexthop=88.191.35.1
        right=%any
        rightca=%same
        rightprotoport=17/1701
        rightsubnet=vhost:%no,%priv
        pfs=no
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

and this is my route table :
root@integration:~# netstat -nra
Table de routage IP du noyau
Destination     Passerelle      Genmask         Indic   MSS Fenêtre irtt Iface
88.191.35.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
172.16.0.0      0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         88.191.35.1     0.0.0.0         UG        0 0          0 eth0

any idea please ?

thanks.

reza.

ipsec / l2tpd + iptables ?
user name
2006-11-27 20:27:57
On Mon, 27 Nov 2006, Reza ISSANY wrote:

> No, this is my config :

> # basic configuration
> config setup
>        interfaces="ipsec0=eth0"
>        nat_traversal=yes
>        virtual_private=%v4:!172.16.7.0/16,%v4:192.168.7.0/24
>        klipsdebug=none
>        plutodebug=all

disable that plutodebug line.

> conn %default
>        left=88.191.35.181
>
> # Add connections here
> conn xp
>        keyingtries=1
>        compress=no
>        disablearrivalcheck=no
>        authby=rsasig
>        leftrsasigkey=%cert
>        rightrsasigkey=%cert
>        leftcert=integration.pem
>        leftprotoport=17/1701
>        leftnexthop=88.191.35.1
>        right=%any
>        rightca=%same
>        rightprotoport=17/1701
>        rightsubnet=vhost:%no,%priv
>        pfs=no
>        auto=add
>
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf

Ok, so you are trying to use l2tp. Check the logs. Do you get an IPsec SA established?
If not, the IPsec part is not working.

If you do, the next step is to check the server for ppp interfaces. If you don't get one,
the L2TP part is not working.

If you do get a ppp interface, then check Windows to see if you got an interface there.
If you did, try and ping the gateway. If that works, ping something else and tcpdump
the packets on the gateway to see if you have a routing/firewall issue.

Paul
ipsec / l2tpd + iptables ?
user name
2006-11-27 23:26:45
When I initiate a connection, a ppp0 interface appears.
The connection works: I can ping the remote l2tpd gateway and the remote DNS server,
but I cannot access the internet.

I'll try to do a tcpdump tomorrow. Do I have to add any routes to enable internet access
for remote clients?

thanks for your help.

azer.

ipsec / l2tpd + iptables ?
user name
2006-11-28 05:14:47
On Tue, 28 Nov 2006, Reza ISSANY wrote:

> When I initiate a connection, a ppp0 interface appears.
> The connection works: I can ping the remote l2tpd gateway and the remote DNS server,
> but I cannot access the internet.
>
> I'll try to do a tcpdump tomorrow. Do I have to add any routes to enable internet access
> for remote clients?

Run ipsec verify on the server. Check forwarding, check for bogus redirects, check
for firewall rules, check for NAT, and check if the gateway can reach the internet
on its "l2tp pool" IP address using 'ping -I sourceip www.google.com'

Paul

ipsec / l2tpd + iptables ?
user name
2006-11-28 10:00:48
Hi,

Here are my ipsec verify command results:

root@integration:~# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.7/K2.6.18.3dedibox_r6_final (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

Any idea to activate Internet on vpn l2tpd clients ?

ipsec / l2tpd + iptables ?
user name
2006-11-28 15:33:25
On Tue, 28 Nov 2006, Reza ISSANY wrote:

> Here are my ipsec verify command results:
>
> root@integration:~# ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan U2.4.7/K2.6.18.3dedibox_r6_final (netkey)
> Checking for IPsec support in kernel                            [OK]
> NETKEY detected, testing for disabled ICMP send_redirects       [OK]
> NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
> Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
>  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
> Checking that pluto is running                                  [OK]
> Checking for 'ip' command                                       [OK]
> Checking for 'iptables' command                                 [OK]
> Opportunistic Encryption Support                                [DISABLED]
>
> Any idea to activate Internet on vpn l2tpd clients ?

That looks good. Do the checks I asked you to do before:

> > check for firewall rules, check for NAT, and check if the gateway can reach the
> > internet on its "l2tp pool" IP address using 'ping -I sourceip www.google.com'
> >

Paul
ipsec / l2tpd + iptables ?
user name
2006-11-29 07:14:20
Hi,

The gateway has internet access:
root@integration:~# ping google.com
PING google.com (72.14.207.99) 56(84) bytes of data.
64 bytes from 72.14.207.99: icmp_seq=1 ttl=245 time=86.7 ms
64 bytes from 72.14.207.99: icmp_seq=2 ttl=245 time=86.8 ms
64 bytes from 72.14.207.99: icmp_seq=3 ttl=245 time=86.8 ms

--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 86.775/86.828/86.857/0.243 ms

and my iptables setup looks good:

#!/bin/sh
# reset the tables
iptables -F

#iptables-restore < /var/log/uiptables
iptables -t filter -A INPUT -p all -j ULOG --ulog-prefix=DefaultDrop

# default policy : DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# accept packets belonging to already-open connections
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -s 172.16.7.0/16 -j ACCEPT
iptables -A FORWARD -s 172.16.7.0/16 -j ACCEPT

# allow DNS queries
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

# accept ICMP requests
iptables -A INPUT -i eth0 -p icmp -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp -m state --state NEW -j ACCEPT

# telnet
iptables -A INPUT -i eth0 -p tcp --dport 23 -j ACCEPT

# ssh
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

# ipsec vpn
iptables -A INPUT -p udp -m udp -i eth0 --dport 4500 -j ACCEPT
iptables -A OUTPUT -p udp -m udp -o eth0 --dport 4500 -j ACCEPT
# IKE negotiations
iptables -A INPUT -p udp -m udp -i eth0 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp -m udp -o eth0 --dport 500 -j ACCEPT
# ESP encryption & authentication
iptables -A INPUT -p 50 -i eth0 -j ACCEPT
iptables -A OUTPUT -p 50 -o eth0 -j ACCEPT
# L2TP roadwarrior
iptables -A INPUT -p udp -i eth0 --dport 1701 -j ACCEPT
iptables -A OUTPUT -p udp -o eth0 --dport 1701 -j ACCEPT

# accept everything on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# accept outbound traffic to the outside
iptables -A OUTPUT -o eth0 -j ACCEPT

Any idea ?

reza.

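
The firewall and NAT checks requested earlier in the thread, written as text checks over an `iptables-save` dump (an added example, not code from any poster in this thread). Both dumps are constructed; the pool is written 172.16.0.0/16, the masked form in which iptables-save prints a rule entered as 172.16.7.0/16, and eth0 is assumed to be the outbound interface as in the posted script.

```shell
#!/bin/sh
# Constructed dump: FORWARD policy DROP, pool traffic accepted outbound only,
# and no nat table at all.
SAMPLE_BROKEN='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 172.16.0.0/16 -j ACCEPT
COMMIT'

# Constructed dump with a return path and source NAT for the pool.
SAMPLE_FIXED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 172.16.0.0/16 -o eth0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 172.16.0.0/16 -o eth0 -j MASQUERADE
COMMIT'

# rules_in TABLE CHAIN: read a dump on stdin, print that chain's -A lines.
rules_in() {
    awk -v t="*$1" -v c="$2" '
        /^\*/ { cur = $0 }
        cur == t && $1 == "-A" && $2 == c { print }'
}

# forward_policy: read a dump on stdin, print the filter FORWARD policy.
forward_policy() {
    awk '/^\*/ { cur = $0 }
         cur == "*filter" && $1 == ":FORWARD" { print $2 }'
}

# has_return_path DUMP: replies to forwarded packets get back to the client
# if the FORWARD policy is ACCEPT or a FORWARD rule accepts ESTABLISHED.
has_return_path() {
    [ "$(printf '%s\n' "$1" | forward_policy)" = "ACCEPT" ] && return 0
    printf '%s\n' "$1" | rules_in filter FORWARD |
        grep -E -- 'ESTABLISHED.*-j ACCEPT' >/dev/null
}

# has_pool_nat DUMP POOL OUT_IF: some POSTROUTING rule rewrites the private
# pool source address on packets leaving through OUT_IF.
has_pool_nat() {
    printf '%s\n' "$1" | rules_in nat POSTROUTING |
        grep -F -- "-s $2 " | grep -F -- "-o $3 " |
        grep -E -- '-j (MASQUERADE|SNAT)' >/dev/null
}

# audit DUMP POOL OUT_IF: print one line per failed check; the exit status
# is the number of failed checks (0 means both passed).
audit() {
    fails=0
    has_return_path "$1" ||
        { echo "FORWARD: nothing lets replies back to $2"; fails=$((fails + 1)); }
    has_pool_nat "$1" "$2" "$3" ||
        { echo "nat: no MASQUERADE/SNAT for $2 via $3"; fails=$((fails + 1)); }
    return "$fails"
}

audit "$SAMPLE_BROKEN" 172.16.0.0/16 eth0 || echo "broken dump: $? failed check(s)"
audit "$SAMPLE_FIXED" 172.16.0.0/16 eth0 && echo "fixed dump: both checks pass"
```

On a live gateway the same functions take the real ruleset, for example `audit "$(iptables-save)" 172.16.0.0/16 eth0` run as root.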
  

ipsec / l2tpd + iptables ?
user name
2006-11-30 08:40:32
Hi,

Now I can ping the server's public address.

              server side                                              remote test client l2tp
172.16.7.0 -- 88.191.35.181 -- 88.191.35.1 ---------------------- 82.236.77.254 -- 82.236.77.42 -- 172.16.7.10

The client takes the address 172.16.7.10 and can ping with any problems all network 172.16.7.0. The client can also ping
the remote public interface, 88.191.35.181, but can't ping 88.191.35.1 or anything on the internet.

any idea please ?
Thanks

reza.
