How to Setup a M0n0wall to OpenSWAN IPSEC Tunnel

I have a m0n0wall (home net: 192.168.0.0/24) and a Suse Enterprise Linux 10 SP2 server (remote net 192.168.7.0/24).  

I have successfully created an IPSEC tunnel between the subnets. However, the gateways are unable to ping a host through the tunnel unless I use "ping -I x.x.x.x z.z.z.z".

I sort of understand the problem, according to this: http://www.freeswan.org/freeswan_snaps/CURRENT-SNAP/doc/adv_config.html#multitunnel

I am unable to find a proper fix after trying what is suggested. I am mostly interested in having the SUSE system access hosts on the home subnet.
/etc/ipsec.conf:
 
conn %default
	keyingtries=0
	ikelifetime=1440m
	authby=secret
	keylife=480m
	keyexchange=ike
	pfs=no
	type=tunnel
 
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
 
conn LinktoHomeNet
	auto=start
	right=20X.23X.17X.6X
	rightid=20X.23X.17X.6X
	rightnexthop=%defaultroute
	rightsubnet=192.168.0.0/24
	left=6X.19X.12X.7X
	leftid=6X.19X.12X.7X
	leftnexthop=%defaultroute
	leftsubnet=192.168.7.0/24
 
#This was added as suggested by http://www.freeswan.org/freeswan_snaps/CURRENT-SNAP/doc/adv_config.html#multitunnel
 
conn LinktoHomeGate
	auto=start
	left=6X.19X.12X.7X
	leftnexthop=%defaultroute
	leftid=6X.19X.12X.7X
	right=20X.23X.17X.6X
	rightnexthop=%defaultroute
	rightsubnet=192.168.0.0/24
	rightid=20X.23X.17X.6X
 
 
config setup
	forwardcontrol=yes
	interfaces=%defaultroute
	uniqueids=yes

tuaris asked:

Arty (system administrator) commented:
> I sort of understand the problem, according to this

Not the right direction. That recipe is for multiple tunnels between 2 hosts. You have only one, so remove this part of the config. Can you ping from an inside host in the local LAN to a remote host in the remote LAN? If yes, everything works fine.

I saw this problem and it was solved by correcting the routing tables on the remote and local peers. I don't remember how exactly, and I have no working FreeSWAN tunnel for testing.

One of the simplest workarounds is to _always_ use your internal IP when connecting to the outside private LAN. With iptables on the SuSE GW run:
iptables -t nat -A OUTPUT -d 192.168.0.0/24 -j SNAT --to-source 192.168.7.X

where 192.168.7.X is your private IP on SuSE
Arty (system administrator) commented:
OUTPUT chain is used only for self-originated packets, so transit traffic will not be changed.
Arty (system administrator) commented:
Sorry, SNAT can be used only in POSTROUTING chain, so the rule is:

iptables -t nat -A POSTROUTING -s !192.168.7.0/24 -d 192.168.0.0/24 -j SNAT --to-source 192.168.7.X

tuaris (author) commented:
I remember reading something about having the correct routing information set up instead of using multiple tunnels. I much prefer your method. Unfortunately, your solution didn't work:

I received the following:

mercury:~ # iptables -t nat -A POSTROUTING -s !192.168.7.0/24 -d 192.168.0.0/24 -j SNAT --to-source 192.168.7.1

iptables -t nat -A POSTROUTING -s ifconfig.168.7.0/24 -d 192.168.0.0/24 -j SNAT --to-source 192.168.7.1
iptables v1.3.5: host/network `ifconfig.168.7.0' not found

Try `iptables -h' or 'iptables --help' for more information.

I am using Suse Firewall so any changes will need to be placed in /etc/sysconfig/SuSEfirewall2
Arty (system administrator) commented:
You are using the incorrect shell :-)

Put '!' in single quotes or escape it with \

iptables -t nat -A POSTROUTING -s \!192.168.7.0/24 -d 192.168.0.0/24 -j SNAT --to-source 192.168.7.1
or
iptables -t nat -A POSTROUTING -s '!192.168.7.0/24' -d 192.168.0.0/24 -j SNAT --to-source 192.168.7.1
tuaris (author) commented:
This one ran without an error message, but it didn't fix my trouble.

iptables -t nat -A POSTROUTING -s \! 192.168.7.0/24 -d 192.168.0.0/24 -j SNAT --to-source 192.168.7.1

I'm wondering whether I may already have something similar to the above line set up. I currently have this in my /etc/sysconfig/SuSEfirewall2:

FW_MASQ_NETS="0/0,!192.168.0.0/24"
FW_FORWARD="192.168.7.0/24,192.168.0.0/24,,,ipsec 192.168.0.0/24,192.168.7.0/24,,,ipsec"
Arty (system administrator) commented:
Maybe some other rules 'hide' this one; please provide the entire 'iptables-save' output.
Arty (system administrator) commented:
By default you have no such rule...
tuaris (author) commented:
Here:
# Generated by iptables-save v1.3.5 on Thu Dec  4 19:55:55 2008
*mangle
:PREROUTING ACCEPT [28155007:18458951409]
:INPUT ACCEPT [1922157:555384412]
:FORWARD ACCEPT [26232056:17903515309]
:OUTPUT ACCEPT [1992342:390856700]
:POSTROUTING ACCEPT [28226483:18292369510]
COMMIT
# Completed on Thu Dec  4 19:55:55 2008
# Generated by iptables-save v1.3.5 on Thu Dec  4 19:55:55 2008
*nat
:PREROUTING ACCEPT [2331401:252699937]
:POSTROUTING ACCEPT [37382:4766899]
:OUTPUT ACCEPT [30119:2176242]
-A POSTROUTING -d ! 192.168.0.0/255.255.255.0 -o eth1 -j MASQUERADE
-A POSTROUTING -s ! 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -j SNAT --to-source 192.168.7.1
COMMIT
# Completed on Thu Dec  4 19:55:55 2008
# Generated by iptables-save v1.3.5 on Thu Dec  4 19:55:55 2008
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9521:392485]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m policy --dir in --pol ipsec --proto esp -j input_int
-A INPUT -i eth0 -j input_int
-A INPUT -i eth1 -j input_ext
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m policy --dir in --pol ipsec --proto esp -j forward_int
-A FORWARD -m policy --dir out --pol ipsec --proto esp -j forward_int
-A FORWARD -i eth0 -j forward_int
-A FORWARD -i eth1 -j forward_ext
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_ext -s 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j LOG --log-prefix "SFW2-FWDext-ACC-FORW " --log-tcp-options --log-ip-options
-A forward_ext -s 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A forward_ext -s 192.168.0.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A forward_ext -s 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j LOG --log-prefix "SFW2-FWDext-ACC-FORW " --log-tcp-options --log-ip-options
-A forward_ext -s 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A forward_ext -s 192.168.0.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A forward_ext -s 192.168.0.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j LOG --log-prefix "SFW2-FWDext-ACC-FORW " --log-tcp-options --log-ip-options
-A forward_ext -s 192.168.0.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A forward_ext -s 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A forward_ext -s 192.168.0.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j LOG --log-prefix "SFW2-FWDext-ACC-FORW " --log-tcp-options --log-ip-options
-A forward_ext -s 192.168.0.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A forward_ext -s 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A forward_ext -d ! 192.168.0.0/255.255.255.0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -s ! 192.168.0.0/255.255.255.0 -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -m limit --limit 3/min -m pkttype --pkt-type multicast -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -m pkttype --pkt-type multicast -j DROP
-A forward_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_ext -j DROP
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_int -s 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j LOG --log-prefix "SFW2-FWDint-ACC-FORW " --log-tcp-options --log-ip-options
-A forward_int -s 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A forward_int -s 192.168.0.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A forward_int -s 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j LOG --log-prefix "SFW2-FWDint-ACC-FORW " --log-tcp-options --log-ip-options
-A forward_int -s 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A forward_int -s 192.168.0.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A forward_int -s 192.168.0.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j LOG --log-prefix "SFW2-FWDint-ACC-FORW " --log-tcp-options --log-ip-options
-A forward_int -s 192.168.0.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A forward_int -s 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A forward_int -s 192.168.0.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j LOG --log-prefix "SFW2-FWDint-ACC-FORW " --log-tcp-options --log-ip-options
-A forward_int -s 192.168.0.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A forward_int -s 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A forward_int -d ! 192.168.0.0/255.255.255.0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_int -s ! 192.168.0.0/255.255.255.0 -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_int -m limit --limit 3/min -m pkttype --pkt-type multicast -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -m pkttype --pkt-type multicast -j DROP
-A forward_int -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_int -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A input_ext -p esp -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 1:65535 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 1:65535 -j ACCEPT
-A input_ext -p udp -m udp --dport 1:65535 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 113 -m state --state NEW -j reject_func
-A input_ext -m limit --limit 3/min -m pkttype --pkt-type multicast -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-INext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A input_int -j ACCEPT
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Thu Dec  4 19:55:55 2008

Arty (system administrator) commented:
I see there is a hiding rule in iptables, so my SNAT doesn't work. Here it is (the rule below it never works):

-A POSTROUTING -d ! 192.168.0.0/255.255.255.0 -o eth1 -j MASQUERADE

You should place my rule before the above one, so the order should be:
-A POSTROUTING -s ! 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -j SNAT --to-source 192.168.7.1
-A POSTROUTING -d ! 192.168.0.0/255.255.255.0 -o eth1 -j MASQUERADE

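To check which traffic the SNAT workaround actually rewrites, here is an added example (not code from this thread) that parses the two nat POSTROUTING rules from the dump and applies iptables' first-match semantics to sample packets. The two rule lines are copied from the thread; the packet addresses used with it are constructed, and ipaddress and shlex are from the Python standard library.

```python
import ipaddress
import shlex
# Constructed sample: the two nat POSTROUTING rules from the iptables-save dump
# above, in the order Arty recommends (SNAT before MASQUERADE).
POSTROUTING = """
-A POSTROUTING -s ! 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -j SNAT --to-source 192.168.7.1
-A POSTROUTING -d ! 192.168.0.0/255.255.255.0 -o eth1 -j MASQUERADE
"""

def parse_rule(line):
    """Parse one iptables-save line into {option: (value, negated)}; handles old '-s ! net' and new '! -s net'."""
    toks, rule, i, neg = shlex.split(line), {}, 0, False
    while i < len(toks):
        tok = toks[i]
        if tok == "!":                      # new style: '!' before the option
            neg, i = True, i + 1
            continue
        if tok in ("-s", "-d", "-o", "-j") or tok.startswith("--"):
            val = toks[i + 1]
            if val == "!":                  # old style: '!' after the option
                neg, i, val = True, i + 1, toks[i + 2]
            if tok in ("-s", "-d"):
                val = ipaddress.ip_network(val, strict=False)
            rule[tok.lstrip("-")], neg, i = (val, neg), False, i + 2
        else:
            i += 1                          # '-A POSTROUTING' and similar
    return rule

def _ok(rule, key, value):
    """An absent option matches anything; otherwise compare, and '!' flips the result."""
    if key not in rule:
        return True
    wanted, negated = rule[key]
    hit = value in wanted if isinstance(wanted, ipaddress.IPv4Network) else value == wanted
    return hit != negated

def first_match(rules, src, dst, out_if):
    """Return the first rule in chain order that matches the packet, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((r for r in rules if _ok(r, "s", s) and _ok(r, "d", d)
                 and _ok(r, "o", out_if)), None)

def nat_source(rules, src, dst, out_if):
    """Source after POSTROUTING: SNAT rewrites it, MASQUERADE borrows the interface address (placeholder here)."""
    hit = first_match(rules, src, dst, out_if)
    target = hit["j"][0] if hit else None
    if target == "SNAT":
        return hit["to-source"][0]
    if target == "MASQUERADE":
        return "<address of %s>" % out_if
    return src

RULES = [parse_rule(l) for l in POSTROUTING.strip().splitlines()]
```

Only gateway-originated packets to the home net get their source rewritten to 192.168.7.1; packets from LAN hosts are left alone, and internet-bound packets still hit MASQUERADE.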
tuaris (author) commented:
Your solutions worked, but I was not able to find out how to enter your rules into the /etc/sysconfig/SuSEfirewall2 configuration file.

So I will probably have to keep executing the command suggested previously to apply the rules each time I reboot.  If you have any suggestions, please let me know.