[ale] vpn set up fun (NOT!)

Jim Kinney jim.kinney at gmail.com
Sat Feb 28 19:41:43 EST 2015


Found the firewall issues:
http://www.mad-hacking.net/documentation/linux/networking/ipsec/static-vpn.xml

There are a few rules there that DON'T work (those with the logical not for
policy don't work, and the ! needs to be before the -d <ip|interface>
in the iptables file itself).

Basically, I needed to stop mangling the packets AFTER encryption.

On Sat, Feb 28, 2015 at 3:19 PM, Jim Kinney <jim.kinney at gmail.com> wrote:

> Setting up a libreswan (fork of OpenSwan - default in RHEL/CentOS7)
> between two gateways for a net-to-net vpn.
>
> The tunnel gives all indications of building properly but absolutely no
> packets move between the gateways afterwards, no ping, nothing.
>
> the connection conf file:
>
> conn test
>     type=tunnel
>     rightid=@mostlyme
>     right=70.88.18.24
>     rightsourceip=192.168.0.1
>     rightsubnet=192.168.0.0/24
>     leftid=@otherme
>     left=173.160.9.6
>     leftsourceip=192.168.1.2
>     leftsubnet=192.168.1.0/24
>     esp=3des-md5-96
>     keyexchange=ike
>     pfs=no
>     auth=esp
>     authby=secret
>     auto=start
>
> secret is found and used.
>
> Using netkey so the iptables stuff is very weird. Basically allow all
> sources for protocol esp, ah (UDP) and udp port 4500 for NAT-T. Default
> rules are to allow ANYTHING from either end, gateway or private network in
> incoming, forward, outgoing.
>
> ip xfrm state (same on both ends)
> src 173.160.9.6 dst 70.88.18.24
>     proto esp spi 0x0465e409 reqid 16385 mode tunnel
>     replay-window 32 flag af-unspec
>     auth-trunc hmac(md5) 0x934678d91da8c457f779aab661eefc7f 96
>     enc cbc(des3_ede) 0x9bd95c9caac61d1c63586b4aa6b4c2966e35fea5ecc316b5
> src 70.88.18.24 dst 173.160.9.6
>     proto esp spi 0x4b4a9dc7 reqid 16385 mode tunnel
>     replay-window 32 flag af-unspec
>     auth-trunc hmac(md5) 0xaf5c69d32b81b49df203315fe8f0ea66 96
>     enc cbc(des3_ede) 0xf6636ecda9d307f9d4e4b114746d6deb55f8d7f418b884e3
>
>
> ipsec auto --status  (other gateway is similar)
> 000 using kernel interface: netkey
> 000 interface lo/lo ::1
> 000 interface enp3s0/enp3s0 2601:0:8781:700:6a05:caff:fe2e:5859
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface enp2s0/enp2s0 192.168.1.2
> 000 interface enp2s0/enp2s0 192.168.1.2
> 000 interface enp3s0/enp3s0 173.160.9.6
> 000 interface enp3s0/enp3s0 173.160.9.6
> 000
> 000 fips mode=disabled;
> 000 SElinux=disabled
> 000
> 000 config setup options:
> 000
> 000 configdir=/etc, configfile=/etc/ipsec.conf,
> secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto/,
> statsbin=unset
> 000 sbindir=/usr/sbin, libdir=/usr/libexec/ipsec,
> libexecdir=/usr/libexec/ipsec
> 000 pluto_version=3.8, pluto_vendorid=OE-Libreswan-3.8
> 000 nhelpers=-1, uniqueids=yes, retransmits=yes, force_busy=no
> 000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>
> 000 secctx_attr_value=32001
> 000 myid = (none)
> 000 debug none
> 000
> 000 nat_traversal=yes, keep_alive=20, nat_ikeport=4500,
> disable_port_floating=no
> 000 virtual_private (%priv):
> 000 - allowed 7 subnets: 10.0.0.0/8, 192.168.0.0/24, 172.16.0.0/12,
> 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
> 000 - disallowed 1 subnet: 192.168.1.0/24
> 000
> 000 ESP algorithms supported:
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
> keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
> keysizemax=192
> 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40,
> keysizemax=128
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
> keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
> keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
> keysizemax=256
> 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,
> keysizemin=160, keysizemax=288
> 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
> keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384,
> keysizemin=384, keysizemax=384
> 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,
> keysizemin=512, keysizemax=512
> 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME,
> keysizemin=0, keysizemax=0
> 000
> 000 IKE algorithms supported:
> 000
> 000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=20, v2name=AES_GCM_C,
> blocksize=16, keydeflen=128
> 000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=19, v2name=AES_GCM_B,
> blocksize=16, keydeflen=128
> 000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=18, v2name=AES_GCM_A,
> blocksize=16, keydeflen=128
> 000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=16, v2name=AES_CCM_C,
> blocksize=16, keydeflen=128
> 000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=15, v2name=AES_CCM_B,
> blocksize=16, keydeflen=128
> 000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=14, v2name=AES_CCM_A,
> blocksize=16, keydeflen=128
> 000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3,
> v2name=3DES, blocksize=8, keydeflen=192
> 000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12,
> v2name=AES_CBC, blocksize=16, keydeflen=128
> 000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC,
> v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
> 000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC,
> v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
> 000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH,
> v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
> 000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
> 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
> 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
> 000
> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64}
> trans={0,2,3072} attrs={0,2,2048}
> 000
> 000 Connection list:
> 000
> 000 "test": 192.168.1.0/24===173.160.9.6
> <173.160.9.6>[@otherme]...70.88.18.24<70.88.18.24>[@mostlyme]===
> 192.168.0.0/24; erouted; eroute owner: #4
> 000 "test":     oriented; my_ip=192.168.1.2; their_ip=192.168.0.1;
> 000 "test":   xauth info: us:none, them:none,  my_xauthuser=[any];
> their_xauthuser=[any]; ;
> 000 "test":   modecfg info: us:none, them:none, modecfg policy:push,
> dns1:unset, dns2:unset, domain:unset, banner:unset;
> 000 "test":   labeled_ipsec:no, loopback:no;
> 000 "test":    policy_label:unset;
> 000 "test":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
> rekey_fuzz: 100%; keyingtries: 0;
> 000 "test":   sha2_truncbug:no; initial_contact:no; cisco_unity:no;
> send_vendorid:no;
> 000 "test":   policy:
> PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+IKE_FRAG;
> 000 "test":   conn_prio: 24,24; interface: enp3s0; metric: 0; mtu: unset;
> sa_prio:auto;
> 000 "test":   newest ISAKMP SA: #3; newest IPsec SA: #4;
> 000 "test":   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
> 000 "test":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_096
> 000 "test":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_096
> 000 "test":   ESP algorithm newest: 3DES_000-HMAC_MD5; pfsgroup=<N/A>
> 000
> 000 Total IPsec connections: loaded 1, active 1
> 000
> 000 State list:
> 000
> 000 #4: "test":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE
> in 26351s; newest IPSEC; eroute owner; isakmp#3; idle; import:not set
> 000 #4: "test" esp.465e409 at 70.88.18.24 esp.4b4a9dc7 at 173.160.9.6
> tun.0 at 70.88.18.24 tun.0 at 173.160.9.6 ref=0 refhim=4294901761 Traffic:
> ESPin=0B ESPout=0B! ESPmax=4194303B
> 000 #3: "test":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
> EVENT_SA_REPLACE in 1151s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0);
> idle; import:not set
> 000
> 000 Shunt list:
> 000
>



-- 
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you gain
at one end you lose at the other. It's like feeding a dog on his own tail.
It won't fatten the dog.
- Speech 11/23/1900 Mark Twain


*http://heretothereideas.blogspot.com/
<http://heretothereideas.blogspot.com/>*
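The firewall fix Jim describes, written out as a complete bring-up script for the "left" gateway in the thread. This is an added example, not the poster's script and not code from the mad-hacking page. Addresses and interface names (173.160.9.6 and 192.168.1.0/24 behind enp3s0/enp2s0, peer 70.88.18.24 with 192.168.0.0/24) are taken from the posted `ipsec auto --status` output; everything else is an assumption, in particular that the gateway also MASQUERADEs its LAN toward the Internet, which is the rule that bites when it runs on plaintext that is about to enter the tunnel. The conn block keeps the posted endpoints but swaps `esp=3des-md5-96` and `pfs=no` for AES-256, HMAC-SHA2-256 and PFS, all of which the posted status lists as supported; the peer has to agree to the same.

```shell
#!/bin/sh
# Bring-up for the "left" IPsec gateway from the thread: WAN 173.160.9.6 on
# enp3s0, LAN 192.168.1.0/24 on enp2s0, peer 70.88.18.24 / 192.168.0.0/24.
# Added example, not the original poster's script. Addresses and interfaces
# come from the posted status output; the MASQUERADE rule (assumed to exist
# on the gateway) and the cipher choices are the editor's.
set -eu

IPT=${IPT:-iptables}      # IPT=echo prints the rules instead of loading them
WAN=${WAN:-enp3s0}
LAN=${LAN:-enp2s0}
LOCAL_NET=192.168.1.0/24
REMOTE_NET=192.168.0.0/24
PEER=70.88.18.24

ipsec_firewall_rules() {
    # 1. Control plane plus the IPsec protocols themselves. ESP and AH are IP
    #    protocols 50 and 51, not UDP; only IKE (500) and NAT-T (4500) are UDP.
    $IPT -A INPUT -i "$WAN" -s "$PEER" -p udp --dport 500  -j ACCEPT
    $IPT -A INPUT -i "$WAN" -s "$PEER" -p udp --dport 4500 -j ACCEPT
    $IPT -A INPUT -i "$WAN" -s "$PEER" -p esp -j ACCEPT
    $IPT -A INPUT -i "$WAN" -s "$PEER" -p ah  -j ACCEPT

    # 2. netkey/XFRM has no ipsec0 device: decrypted packets re-enter on $WAN
    #    and plaintext bound for the tunnel leaves via $WAN, so match the
    #    kernel policy instead of an interface.
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -s "$REMOTE_NET" -d "$LOCAL_NET" \
         -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LOCAL_NET" -d "$REMOTE_NET" \
         -m policy --dir out --pol ipsec --proto esp -j ACCEPT

    # 3. Do not NAT plaintext that is about to be encrypted: the forwarded
    #    packet passes nat/POSTROUTING before XFRM encapsulates it, so a
    #    MASQUERADE hit rewrites the inner source and it no longer matches the
    #    tunnel selector. The exemption must come before MASQUERADE. Negation
    #    is written "! -d", never "-d !", and "--pol" itself cannot be
    #    negated: "--pol none" is the way to say "not subject to IPsec".
    $IPT -t nat -A POSTROUTING -s "$LOCAL_NET" \
         -m policy --dir out --pol ipsec -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LOCAL_NET" ! -d "$REMOTE_NET" \
         -j MASQUERADE
}

write_conn_conf() {
    # $1: output file (default /etc/ipsec.d/test.conf). Same endpoints as the
    # thread; algorithms picked from what the posted status lists as supported.
    out=${1:-/etc/ipsec.d/test.conf}
    cat >"$out" <<'EOF'
conn test
    type=tunnel
    left=173.160.9.6
    leftid=@otherme
    leftsourceip=192.168.1.2
    leftsubnet=192.168.1.0/24
    right=70.88.18.24
    rightid=@mostlyme
    rightsourceip=192.168.0.1
    rightsubnet=192.168.0.0/24
    authby=secret
    # AES-256 / HMAC-SHA2-256 with PFS instead of 3DES / HMAC-MD5 without it
    ike=aes256-sha2_256;modp2048
    esp=aes256-sha2_256
    pfs=yes
    auto=start
EOF
}

main() {
    ipsec_firewall_rules
    write_conn_conf
    ipsec auto --add test
    ipsec auto --up test
}

if [ "${1:-}" = "--apply" ]; then main; fi
```

Source the file and run `IPT=echo ipsec_firewall_rules` to see the rules without loading them; after loading, `iptables -t nat -S POSTROUTING` must show the policy exemption above MASQUERADE. Once `ipsec auto --up test` succeeds, ping from a LAN host and watch `ip -s xfrm state` and the `Traffic: ESPin=... ESPout=...` counters in `ipsec auto --status`: the `ESPin=0B ESPout=0B` in the posted status is exactly what a healthy IKE negotiation with a broken packet path looks like, so it points at netfilter or routing, not at the key exchange.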