Thanks so much Lonnie for the great info.

Yes you were right in that it is sitting behind NAT but the router is in DMZ 
mode so everything is forwarded to the Astlinux box.
Once I change the Local Host to the Astlinux address (172.30.10.2) rather than 
the external address (123.209.118.117) I can now ping the other end.

IPsec Associations:
Source       Destination   Created               Lifetime  Age  Bytes  Type
172.30.10.2  175.45.82.8   Nov 11 07:48:07 2016  1800      18   392    esp-udp mode=tunnel
175.45.82.8  172.30.10.2   Nov 11 07:48:07 2016  1800      18   356    esp-udp mode=tunnel

Regards
Michael Knill

From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
Date: Friday, 11 November 2016 at 12:54 AM
To: AstLinux List <astlinux-users@lists.sourceforge.net>
Subject: Re: [Astlinux-users] Setting up IPsec peers

Michael,

First, the firewall is automatically configured, enabled/disabled, via the 
IPsec VPN plugin when the IPsec VPN is enabled/disabled.  Nothing to do there.

You need to describe the bigger picture.
1) AstLinux to AstLinux or 3rd party IPsec endpoint?
2) Are the Local-Net interfaces up and connected to something?

172.30.10.2  175.45.82.8  Nov 10 19:12:14 2016  1800  314  0  esp-udp mode=tunnel

This is confusing, a private IP and a public IP, can you explain?  Is one 
endpoint behind NAT which is port forwarded?  Which ports are forwarded?  
NAT-T enabled at both ends?

Here is an example from last year, that might help ...

Below is a copy/paste of a reply to David Kerr on May 28, 2015, "[Astlinux-users] 
IPsec peer-to-peer network tunnel":
================================================================================
Hi David,

Well, there are many things that can go wrong with IPsec since each phase has 
options that sort-of need to match, and proper routes.

In AstLinux this is automagically all done for you, so first start with an 
example...

I have two of my test boxes, sitting on the same private subnet, 10.10.50.64 
and 10.10.50.65


======= pbx3 ========


pbx3 ~ # ip route
default via 10.10.50.1 dev eth0
10.8.0.0/24 dev tun0  proto kernel  scope link  src 10.8.0.1
10.8.1.0/24 dev tun2  proto kernel  scope link  src 10.8.1.2
10.10.50.0/24 dev eth0  proto kernel  scope link  src 10.10.50.64
192.168.101.0/24 dev eth1  proto kernel  scope link  src 192.168.101.1
192.168.103.0/24 dev eth1.10  proto kernel  scope link  src 192.168.103.1
192.168.110.0/24 via 10.8.1.1 dev tun2
192.168.111.0/24 dev eth1  scope link  src 192.168.101.1
192.168.222.0/24 dev eth3  proto kernel  scope link  src 192.168.222.1

pbx3 ~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:30:18:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 10.10.50.64/24 brd 10.10.50.255 scope global eth0
    inet6 2001:470:xxxx:x::x/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::230:18ff:fec7:ae9d/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:30:18:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 192.168.101.1/24 brd 192.168.101.255 scope global eth1
    inet6 2001:470:xxxx:x::x/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::230:18ff:fec7:ae9e/64 scope link
       valid_lft forever preferred_lft forever
...

======= pbx4 ========


pbx4 ~ # ip route
default via 10.10.50.1 dev eth0
10.8.0.0/24 dev tun0  proto kernel  scope link  src 10.8.0.1
10.10.50.0/24 dev eth0  proto kernel  scope link  src 10.10.50.65
192.168.101.0/24 dev eth1  scope link  src 192.168.111.1
192.168.102.0/24 dev eth2  proto kernel  scope link  src 192.168.102.1
192.168.103.0/24 dev eth4  proto kernel  scope link  src 192.168.103.1
192.168.111.0/24 dev eth1  proto kernel  scope link  src 192.168.111.1
192.168.200.0/24 dev eth3  proto kernel  scope link  src 192.168.200.1

pbx4 ~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:90:0b:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 10.10.50.65/24 brd 10.10.50.255 scope global eth0
    inet6 2001:470:xxxx:x::x/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::290:bff:fe36:9b78/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:90:0b:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 192.168.111.1/24 brd 192.168.111.255 scope global eth1
    inet6 2001:470:xxxx:x::x/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::290:bff:fe36:9b79/64 scope link
       valid_lft forever preferred_lft forever
...

This should give you some info to chew on.

Yes, your "br1" route is correct, AstLinux finds the interface associated with 
your "Local-Net" and hooks the "Remote-Net" to that interface.  Which means the 
"br1" link must be up or there will be issues.  Personally I have never used a 
bridge interface, but it should work as well.

AstLinux handles all the firewall stuff for you, as well as all the routes.

So, at this point if the associations are up and running, your phase options 
should be compatible, set logging to "Info" for more detail.

My guess is a route is needed on your cloud IPsec to point back to your local 
net.

Also if you have residential internet access, possibly they will block ESP 
packets; enabling NAT-T will use 4500/UDP instead.

Lonnie

Note: Seemingly, since these are both on the same subnet, I had to specify 
"Local-Host" and not use the 0.0.0.0 wildcard.
================================================================================

Lonnie

On Nov 10, 2016, at 2:19 AM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:


Are there any issues with this SA list?

Source           Destination   Created               Lifetime  Age  Bytes  Type
123.209.118.117  175.45.82.8   Nov 10 19:17:20 2016  30        8    0      esp mode=tunnel
172.30.10.2      175.45.82.8   Nov 10 19:12:14 2016  1800      314  0      esp-udp mode=tunnel
175.45.82.8      172.30.10.2   Nov 10 19:12:14 2016  1800      314  5216   esp-udp mode=tunnel

Regards
Michael Knill

-----Original Message-----
From: Michael Knill <michael.kn...@ipcsolutions.com.au>
Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
Date: Thursday, 10 November 2016 at 7:01 PM
To: AstLinux List <astlinux-users@lists.sourceforge.net>
Subject: [Astlinux-users] Setting up IPsec peers

Hi group

I am really struggling to set up both of my first ipsec peers to Astlinux.
The IPSec Associations seem to come up but I cannot send any data. The route 
appears in the routing table.
Is there any information on doing this? Do I need any firewall rules?

Regards
Michael Knill
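As an added example, not code from the thread or from the AstLinux project, the script below parses an "IPsec Associations" listing like the ones posted above and reports the three symptoms Lonnie asks about: bytes flowing in one direction only, a plain ESP SA sitting next to NAT-T (esp-udp) SAs, and a Local Host that appears as both the public and the private address. The sample listing is transcribed from the earlier post; the remote peer address is passed in explicitly because the listing alone does not say which end is local.

```python
import ipaddress
import re

# Constructed sample: the SA list from the earlier post, one SA per line.
SA_LISTING = """\
Source Destination Created Lifetime Age Bytes Type
123.209.118.117 175.45.82.8 Nov 10 19:17:20 2016 30 8 0 esp mode=tunnel
172.30.10.2 175.45.82.8 Nov 10 19:12:14 2016 1800 314 0 esp-udp mode=tunnel
175.45.82.8 172.30.10.2 Nov 10 19:12:14 2016 1800 314 5216 esp-udp mode=tunnel
"""

SA_RE = re.compile(
    r"^(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<created>\w{3} \d+ [\d:]+ \d{4})\s+"
    r"(?P<lifetime>\d+)\s+(?P<age>\d+)\s+(?P<bytes>\d+)\s+"
    r"(?P<type>esp(?:-udp)?)\s+mode=(?P<mode>\w+)$"
)

def parse_sas(text):
    """One dict per SA line; header lines or wrapped fragments that do not match are skipped."""
    sas = []
    for line in text.splitlines():
        m = SA_RE.match(line.strip())
        if m:
            sa = m.groupdict()
            for key in ("lifetime", "age", "bytes"):
                sa[key] = int(sa[key])
            sas.append(sa)
    return sas

def diagnose(sas, peer):
    """Return (tag, detail) findings for the SAs that involve the remote `peer`."""
    outbound = [sa for sa in sas if sa["dst"] == peer]
    inbound = [sa for sa in sas if sa["src"] == peer]
    findings = []
    sent = sum(sa["bytes"] for sa in outbound)
    received = sum(sa["bytes"] for sa in inbound)
    if (sent == 0) != (received == 0):
        # Traffic in one direction only: the silent side usually lacks a route into the tunnel.
        findings.append(("one-way", f"sent={sent} received={received} bytes"))
    types = {sa["type"] for sa in outbound + inbound}
    if "esp" in types and "esp-udp" in types:
        # Plain ESP (IP protocol 50) beside NAT-T: only UDP 4500 reliably survives NAT or ISP filtering.
        findings.append(("plain-esp", "ESP and esp-udp SAs coexist; keep NAT-T on both ends"))
    local = {sa["src"] for sa in outbound}
    kinds = {ipaddress.ip_address(a).is_private for a in local}
    if kinds == {True, False}:
        # Local Host was set to the external address on a box that sits behind NAT.
        findings.append(("mixed-local-host", "use the LAN address: " + ", ".join(sorted(local))))
    return findings
```

Running `diagnose(parse_sas(SA_LISTING), "175.45.82.8")` yields all three findings for the posted listing; after the Local Host fix only the one-way finding would remain until the return route is in place.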

------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today. http://sdm.link/xeonphi
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to 
pay...@krisk.org.

