Solved

How to Set Up a M0n0wall to OpenSWAN IPSEC Tunnel

Posted on 2008-11-13
Medium Priority
2,357 Views
Last Modified: 2012-05-05
I have a m0n0wall (home net: 192.168.0.0/24) and a Suse Enterprise Linux 10 SP2 server (remote net 192.168.7.0/24).  

I have successfully created an IPSEC tunnel between the subnets. However, the gateways are unable to ping a host through the tunnel unless I use "ping -I x.x.x.x z.z.z.z".

I sort of understand the problem, according to this: http://www.freeswan.org/freeswan_snaps/CURRENT-SNAP/doc/adv_config.html#multitunnel

I am unable to find a proper fix after trying what is suggested.  I am mostly interested in having the SUSE system access hosts on the home subnet.
/etc/ipsec.conf:
 
conn %default
	keyingtries=0
	ikelifetime=1440m
	authby=secret
	keylife=480m
	keyexchange=ike
	pfs=no
	type=tunnel
 
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
 
conn LinktoHomeNet
	auto=start
	right=20X.23X.17X.6X
	rightid=20X.23X.17X.6X
	rightnexthop=%defaultroute
	rightsubnet=192.168.0.0/24
	left=6X.19X.12X.7X
	leftid=6X.19X.12X.7X
	leftnexthop=%defaultroute
	leftsubnet=192.168.7.0/24
 
#This was added as suggested by http://www.freeswan.org/freeswan_snaps/CURRENT-SNAP/doc/adv_config.html#multitunnel
 
conn LinktoHomeGate
	auto=start
	left=6X.19X.12X.7X
	leftnexthop=%defaultroute
	leftid=6X.19X.12X.7X
	right=20X.23X.17X.6X
	rightnexthop=%defaultroute
	rightsubnet=192.168.0.0/24
	rightid=20X.23X.17X.6X
 
 
config setup
	forwardcontrol=yes
	interfaces=%defaultroute
	uniqueids=yes


Question by:tuaris
11 Comments
 
LVL 27

Expert Comment

by:Nopius
ID: 23019430
> I sort of understand the problem, according to this

Not the right direction. That recipe is for multiple tunnels between 2 hosts. You have only one, so remove this part of the config. Can you ping from an inside host in the local LAN to a remote host in the remote LAN? If yes, everything works fine.

I saw this problem and it was solved by correcting the routing tables on the remote and local peers. I don't remember exactly how, and I have no working FreeSWAN tunnel for testing.

One of the simplest workarounds is to _always_ use your internal IP when connecting to the outside private LAN. With iptables on the SuSE GW run:
iptables -t nat -A OUTPUT -d 192.168.0.0/24 -j SNAT --to-source 192.168.7.X

where 192.168.7.X is your private IP on SuSE
 
LVL 27

Expert Comment

by:Nopius
ID: 23019432
The OUTPUT chain is used only for self-originated packets, so transit traffic will not be changed.
 
LVL 27

Expert Comment

by:Nopius
ID: 23020235
Sorry, SNAT can be used only in the POSTROUTING chain, so the rule is:

iptables -t nat -A POSTROUTING -s !192.168.7.0/24 -d 192.168.0.0/24 -j SNAT --to-source 192.168.7.X
 
LVL 1

Author Comment

by:tuaris
ID: 23026590
I remember reading something about having the correct routing information set up instead of using multiple tunnels. I much prefer your method. Unfortunately, your solution didn't work:

I received the following:

mercury:~ # iptables -t nat -A POSTROUTING -s !192.168.7.0/24 -d 192.168.0.0/24 -j SNAT --to-source 192.168.7.1

iptables -t nat -A POSTROUTING -s ifconfig.168.7.0/24 -d 192.168.0.0/24 -j SNAT --to-source 192.168.7.1
iptables v1.3.5: host/network `ifconfig.168.7.0' not found

Try `iptables -h' or 'iptables --help' for more information.

I am using Suse Firewall so any changes will need to be placed in /etc/sysconfig/SuSEfirewall2
 
LVL 27

Expert Comment

by:Nopius
ID: 23054058
You are using an incorrect shell :-)

Put '!' in single quotes or escape it with \

iptables -t nat -A POSTROUTING -s \!192.168.7.0/24 -d 192.168.0.0/24 -j SNAT --to-source 192.168.7.1
or
iptables -t nat -A POSTROUTING -s '!192.168.7.0/24' -d 192.168.0.0/24 -j SNAT --to-source 192.168.7.1
 
LVL 1

Author Comment

by:tuaris
ID: 23074541
This one ran without an error message, but it didn't fix my trouble.

iptables -t nat -A POSTROUTING -s \! 192.168.7.0/24 -d 192.168.0.0/24 -j SNAT --to-source 192.168.7.1

I'm wondering whether I may already have something similar to the above line set up. I currently have this in my /etc/sysconfig/SuSEfirewall2:

FW_MASQ_NETS="0/0,!192.168.0.0/24"
FW_FORWARD="192.168.7.0/24,192.168.0.0/24,,,ipsec 192.168.0.0/24,192.168.7.0/24,,,ipsec"
 
LVL 27

Expert Comment

by:Nopius
ID: 23082409
Maybe some other rules 'hide' this one; please provide the entire 'iptables-save' output.
 
LVL 27

Expert Comment

by:Nopius
ID: 23083274
By default you have no such rule...
 
LVL 1

Author Comment

by:tuaris
ID: 23101141
Here:
# Generated by iptables-save v1.3.5 on Thu Dec  4 19:55:55 2008
*mangle
:PREROUTING ACCEPT [28155007:18458951409]
:INPUT ACCEPT [1922157:555384412]
:FORWARD ACCEPT [26232056:17903515309]
:OUTPUT ACCEPT [1992342:390856700]
:POSTROUTING ACCEPT [28226483:18292369510]
COMMIT
# Completed on Thu Dec  4 19:55:55 2008
# Generated by iptables-save v1.3.5 on Thu Dec  4 19:55:55 2008
*nat
:PREROUTING ACCEPT [2331401:252699937]
:POSTROUTING ACCEPT [37382:4766899]
:OUTPUT ACCEPT [30119:2176242]
-A POSTROUTING -d ! 192.168.0.0/255.255.255.0 -o eth1 -j MASQUERADE
-A POSTROUTING -s ! 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -j SNAT --to-source 192.168.7.1
COMMIT
# Completed on Thu Dec  4 19:55:55 2008
# Generated by iptables-save v1.3.5 on Thu Dec  4 19:55:55 2008
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9521:392485]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m policy --dir in --pol ipsec --proto esp -j input_int
-A INPUT -i eth0 -j input_int
-A INPUT -i eth1 -j input_ext
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m policy --dir in --pol ipsec --proto esp -j forward_int
-A FORWARD -m policy --dir out --pol ipsec --proto esp -j forward_int
-A FORWARD -i eth0 -j forward_int
-A FORWARD -i eth1 -j forward_ext
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_ext -s 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j LOG --log-prefix "SFW2-FWDext-ACC-FORW " --log-tcp-options --log-ip-options
-A forward_ext -s 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A forward_ext -s 192.168.0.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A forward_ext -s 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j LOG --log-prefix "SFW2-FWDext-ACC-FORW " --log-tcp-options --log-ip-options
-A forward_ext -s 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A forward_ext -s 192.168.0.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A forward_ext -s 192.168.0.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j LOG --log-prefix "SFW2-FWDext-ACC-FORW " --log-tcp-options --log-ip-options
-A forward_ext -s 192.168.0.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A forward_ext -s 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A forward_ext -s 192.168.0.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j LOG --log-prefix "SFW2-FWDext-ACC-FORW " --log-tcp-options --log-ip-options
-A forward_ext -s 192.168.0.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A forward_ext -s 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A forward_ext -d ! 192.168.0.0/255.255.255.0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -s ! 192.168.0.0/255.255.255.0 -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -m limit --limit 3/min -m pkttype --pkt-type multicast -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -m pkttype --pkt-type multicast -j DROP
-A forward_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_ext -j DROP
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_int -s 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j LOG --log-prefix "SFW2-FWDint-ACC-FORW " --log-tcp-options --log-ip-options
-A forward_int -s 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A forward_int -s 192.168.0.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A forward_int -s 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j LOG --log-prefix "SFW2-FWDint-ACC-FORW " --log-tcp-options --log-ip-options
-A forward_int -s 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A forward_int -s 192.168.0.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A forward_int -s 192.168.0.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -m policy --dir in --pol ipsec --proto esp -j LOG --log-prefix "SFW2-FWDint-ACC-FORW " --log-tcp-options --log-ip-options
-A forward_int -s 192.168.0.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A forward_int -s 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A forward_int -s 192.168.0.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -m policy --dir out --pol ipsec --proto esp -j LOG --log-prefix "SFW2-FWDint-ACC-FORW " --log-tcp-options --log-ip-options
-A forward_int -s 192.168.0.0/255.255.255.0 -d 192.168.7.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A forward_int -s 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -m state --state RELATED,ESTABLISHED -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A forward_int -d ! 192.168.0.0/255.255.255.0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_int -s ! 192.168.0.0/255.255.255.0 -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_int -m limit --limit 3/min -m pkttype --pkt-type multicast -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -m pkttype --pkt-type multicast -j DROP
-A forward_int -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_int -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A input_ext -p esp -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 1:65535 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 1:65535 -j ACCEPT
-A input_ext -p udp -m udp --dport 1:65535 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 113 -m state --state NEW -j reject_func
-A input_ext -m limit --limit 3/min -m pkttype --pkt-type multicast -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-INext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A input_int -j ACCEPT
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Thu Dec  4 19:55:55 2008

 
LVL 27

Accepted Solution

by:Nopius (earned 1000 total points)
ID: 23110981
I see there is a rule in iptables that hides mine, so my SNAT doesn't work. Here it is (the rule below it never works):

-A POSTROUTING -d ! 192.168.0.0/255.255.255.0 -o eth1 -j MASQUERADE

You should place my rule before the above one, so the order should be:
-A POSTROUTING -s ! 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -j SNAT --to-source 192.168.7.1
-A POSTROUTING -d ! 192.168.0.0/255.255.255.0 -o eth1 -j MASQUERADE

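The ordering point made in the accepted answer can be checked mechanically rather than by eye. The POSIX shell script below is an added example, not code from this thread or from SuSEfirewall2: it takes iptables-save text (here a constructed sample modelled on the output posted above, with the thread's addresses kept), locates the SNAT and MASQUERADE rules within the nat POSTROUTING chain, and reports whether the SNAT rule is evaluated first. The function names rule_position, snat_before_masq and fix_command are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from SuSEfirewall2: check that the SNAT
# rule for gateway-originated traffic into 192.168.0.0/24 is evaluated before
# the catch-all MASQUERADE rule in the nat POSTROUTING chain. netfilter walks
# a chain top-down and the first matching terminating target wins, so the
# relative order of the two rules decides which one applies.

# Constructed sample of `iptables-save -t nat` output, modelled on the output
# posted in the thread (rules in the order the asker had them).
SAMPLE_NAT_WRONG='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -d ! 192.168.0.0/255.255.255.0 -o eth1 -j MASQUERADE
-A POSTROUTING -s ! 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -j SNAT --to-source 192.168.7.1
COMMIT'

# The same two rules in the order the accepted answer recommends.
SAMPLE_NAT_RIGHT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s ! 192.168.7.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -j SNAT --to-source 192.168.7.1
-A POSTROUTING -d ! 192.168.0.0/255.255.255.0 -o eth1 -j MASQUERADE
COMMIT'

# rule_position SAVE_TEXT PATTERN
# Prints the 1-based position, within the POSTROUTING chain only, of the first
# rule whose text contains PATTERN (a fixed string), or 0 if there is none.
rule_position() {
    n=$(printf '%s\n' "$1" | grep '^-A POSTROUTING ' | grep -n -F -- "$2" \
        | head -n 1 | cut -d: -f1)
    printf '%s\n' "${n:-0}"
}

# snat_before_masq SAVE_TEXT
# Returns 0 when the SNAT rule is present and sits before any MASQUERADE rule
# (or no MASQUERADE rule exists at all), 1 otherwise.
snat_before_masq() {
    snat=$(rule_position "$1" '-j SNAT --to-source 192.168.7.1')
    masq=$(rule_position "$1" '-j MASQUERADE')
    if [ "$snat" -eq 0 ]; then
        return 1    # no SNAT rule: gateway-originated packets keep their public source
    fi
    if [ "$masq" -eq 0 ] || [ "$snat" -lt "$masq" ]; then
        return 0
    fi
    return 1
}

# fix_command
# Prints the iptables command that inserts the SNAT rule at the head of the
# chain, ahead of whatever MASQUERADE rule SuSEfirewall2 generated.
fix_command() {
    printf '%s\n' 'iptables -t nat -I POSTROUTING 1 -s ! 192.168.7.0/24 -d 192.168.0.0/24 -j SNAT --to-source 192.168.7.1'
}

# Stand-alone usage: check both samples. On the gateway itself the live table
# can be checked with:  snat_before_masq "$(iptables-save -t nat)"
for sample in "$SAMPLE_NAT_WRONG" "$SAMPLE_NAT_RIGHT"; do
    if snat_before_masq "$sample"; then
        echo "OK: SNAT rule is evaluated before MASQUERADE"
    else
        echo "PROBLEM: SNAT rule missing or behind MASQUERADE; run: $(fix_command)"
    fi
done
```

Two practical notes when applying this on the gateway: the nat table is consulted only for the first packet of a connection, so flows that conntrack is already tracking keep their old mapping until the entry expires, and a freshly inserted rule can appear not to work for a ping that was already running. And because SuSEfirewall2 rebuilds the nat table whenever it starts, a rule added by hand with iptables is lost on the next restart, which matches what the asker reports in the closing comment.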
 
LVL 1

Author Closing Comment

by:tuaris
ID: 31516693
Your solutions worked, but I was not able to find out how to enter your rules into the /etc/sysconfig/SuSEfirewall2 configuration file.

So I will probably have to keep executing the command suggested previously to apply the rules each time I reboot.  If you have any suggestions, please let me know.
