Re: [strongSwan] Trouble on establishing ESP channel

2009-09-23 Thread Daniel Mentz
Salut Jean-Paul!

> A tcpdump on LAN interface Debian box shows the icmp request packets.
> A tcpdump on Public interface Debian box shows no icmp request packet.

I have a similar setup here at our site. Regarding tcpdump you should see:

- An outgoing ESP packet. (icmp request encrypted)
- An incoming ESP packet. (icmp reply encrypted)
- An incoming ICMP echo reply unencrypted.

I admit that there's an asymmetry. One might expect to see a plaintext 
outgoing ICMP echo request. But that's a feature of the Linux kernel.

The fact that your traffic doesn't go through appears like a firewall 
problem to me. Here are some examples from my setup:

# Make sure not to block traffic handled by IPsec
iptables -A FORWARD -s 192.168.99.0/24 -m policy --dir out --pol ipsec -j ACCEPT
iptables -A FORWARD -d 192.168.99.0/24 -m policy --dir in --pol ipsec -j ACCEPT

iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
iptables -A OUTPUT -m policy --dir out --pol ipsec -j ACCEPT

# Do not mess with packets coming over IPsec
# Put those rules at the very top
iptables -t nat -A PREROUTING -m policy --dir in --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT

# Accept ESP traffic from ppp0
iptables -A INPUT -i ppp0 -p esp -j ACCEPT

# Allow outgoing ESP traffic on ppp0
iptables -A OUTPUT -o ppp0 -p esp -j ACCEPT

Let me know if it works for you.

Bonne chance!
-Daniel
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
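Daniel's nat-table rules only work if they sit above the MASQUERADE rule: once a packet has been source-NATed it no longer matches the tunnel's selector and leaves in the clear, which is exactly the symptom of a ping that never shows up as ESP. The following script is an added example, not code from either poster; it checks an `iptables-save -t nat` style dump for that ordering. The dump text and the 192.168.99.0/24 and ppp0 values are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): verify that in the nat POSTROUTING chain
# the "-m policy --dir out --pol ipsec -j ACCEPT" rule precedes any MASQUERADE
# rule, so tunnelled traffic is never source-NATed before the IPsec policy lookup.

# Constructed sample dumps in iptables-save format (addresses and interface are made up).
SAMPLE_BAD='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -m policy --dir in --pol ipsec -j ACCEPT
-A POSTROUTING -s 192.168.99.0/24 -o ppp0 -j MASQUERADE
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT'

SAMPLE_GOOD='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -m policy --dir in --pol ipsec -j ACCEPT
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 192.168.99.0/24 -o ppp0 -j MASQUERADE
COMMIT'

# check_nat_order DUMP
# Exit 0 when the first IPsec policy ACCEPT in POSTROUTING comes before the first
# MASQUERADE rule (or there is no MASQUERADE at all); exit 1 otherwise.
check_nat_order() {
    printf '%s\n' "$1" | awk '
        /^-A POSTROUTING/ { n++ }                       # position within the chain
        /^-A POSTROUTING/ && /-m policy --dir out --pol ipsec/ && !pol  { pol = n }
        /^-A POSTROUTING/ && /-j MASQUERADE/ && !masq                   { masq = n }
        END {
            if (!masq) exit 0            # nothing can rewrite the source address
            if (pol && pol < masq) exit 0
            exit 1                       # MASQUERADE wins: tunnel traffic gets NATed
        }'
}

# Stand-alone usage: report on both constructed samples.
for name in SAMPLE_GOOD SAMPLE_BAD; do
    eval "dump=\$$name"
    if check_nat_order "$dump"; then
        echo "$name: ok, IPsec policy ACCEPT precedes MASQUERADE"
    else
        echo "$name: PROBLEM, MASQUERADE precedes the IPsec policy ACCEPT"
    fi
done
```

On a real gateway run it against the live table with `check_nat_order "$(iptables-save -t nat)"`; the check only looks at rule order, so a ruleset that lacks the policy-match ACCEPT entirely is reported as a problem as long as a MASQUERADE rule exists.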


[strongSwan] Trouble on establishing ESP channel

2009-09-22 Thread Jean-Paul Chavant
Hello,

I'm running strongswan 4.2.4-5+lenny1 on Debian 5.0.3 (2.6.26-2-686 kernel).

My configuration files are :

-
IPTables rules for IPSEC :

/sbin/iptables -A INPUT -i $PUB_IFACE -s $DTI -p 50 -j ACCEPT
/sbin/iptables -A INPUT -i $PUB_IFACE -s $DTI -p 51 -j ACCEPT
/sbin/iptables -A INPUT -i $PUB_IFACE -p udp --destination-port 500 -j ACCEPT
/sbin/iptables -A INPUT -i $PUB_IFACE -p udp --destination-port 4500 -j ACCEPT

I've added this line because my Debian box does MASQUERADE for my private
network clients to access the Internet.

/sbin/iptables -t nat -I POSTROUTING 1 -s $LEFT_LAN -o eth2 -m policy --dir out --pol ipsec --proto esp -j ACCEPT


-
/etc/ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification

config setup
	interfaces=%defaultroute
	klipsdebug=all
	plutodebug=control
	charonstart=no
	nat_traversal=yes

conn dti-ext
	left=pub_ip_1
	leftnexthop=%defaultroute
	leftsubnet=private_net_1 (rfc 1918)
	leftfirewall=yes
	right=pub_ip_2
	rightsubnet=private_net_2 (not an rfc 1918 network)
	authby=psk
	ike=3des-sha1
	ikelifetime=28800
	esp=3des-sha1
	keylife=3600
	keyexchange=ike
	pfs=yes
	auth=esp
	auto=start

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

I've read http://www.strongswan.org/uml/testresults43/ikev1/net2net-psk/.
Everything seems to be ok.

When I launch the ipsec connection, I establish the connection and the ISAKMP SA:
ipsec statusall

000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 private_ip:500
000 interface eth1/eth1 dmz_ip:500
000 interface eth2/eth2 public_ip:500
000 %myid = (none)
000 debug control
000
000 dti-ext: private_net_1===pub_ip_1---router...pub_ip_2===private_net_2; erouted; eroute owner: #2
000 dti-ext:   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 dti-ext:   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 22,27; interface: eth2;
000 dti-ext:   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 dti-ext:   IKE algorithms wanted: 5_000-2-5, 5_000-2-2,
000 dti-ext:   IKE algorithms found:  5_192-2_160-5, 5_192-2_160-2,
000 dti-ext:   IKE algorithm newest: 3DES_CBC_192-SHA-MODP1024
000 dti-ext:   ESP algorithms wanted: 3_000-2,
000 dti-ext:   ESP algorithms loaded: 3_192-2_160,
000 dti-ext:   ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup=Phase1
000
000 #2: dti-ext STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 151s; newest IPSEC; eroute owner
000 #2: dti-ext esp.37848...@pub_ip_2 (60 bytes, 2495s ago) esp.abd0b...@pub_ip_1 (0 bytes); tunnel
000 #1: dti-ext STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 25293s; newest ISAKMP

On my client on private_net_1 (windows XP), I've added a route to
private_net_2 which is private_ip (LAN ip address of my Debian box).

When I try to ping a host on private_net_2 there is no reply.

A tcpdump on LAN interface Debian box shows the icmp request packets.

A tcpdump on Public interface Debian box shows no icmp request packet.

When I do a tracert to private_net_2 (from windows XP) I can see with a
tcpdump on the public interface the icmp request going to the Internet...

Can someone help me? I don't know what to do ...

Regards,

JPaul
