Hello guys,
I am a newbie with openswan, and a support service asked me to create a
VPN connection with them using only public IP addresses.
So I have been trying for several days to establish the following
connection (in a simulated network environment):
left subnet       ---> left VPN gw    ---> right VPN gw   ---> right subnet
88.xxx.yyy.abc/32 ---> 88.xxx.yyy.rst ---> 85.ttt.www.npq ---> 85.ttt.www.def/32
where
88.xxx.yyy is the same subnet for the VPN gw and the left subnet, and the
same is true for 85.ttt.www.
The left and right subnets have 88.xxx.yyy.rst and 85.ttt.www.npq as their
own network gateways, respectively.
Both VPN gateways, in the simulated network environment, have openswan
2.49 on Linux kernel 2.6.24-19 and shorewall 4.0.6 single interface as
firewall.
The two subnet hosts have Linux kernel 2.6.24-19 and shorewall 4.0.6
single interface as firewall.
I can establish the VPN connection between the gateways, as shown by the
output of:
ipsec auto --status
....
root@rightvpngw:~# #428: "VpnTest":500 STATE_QUICK_R2 (IPsec SA
established); EVENT_SA_REPLACE in 1256s; newest IPSEC; eroute owner
000 #428: "VpnTest" esp.ee70e6eb@85.ttt.www.npq
esp.b66eb69d@88.xxx.yyy.rst tun.0@85.ttt.www.npq tun.0@88.xxx.yyy.rst
000 #426: "VpnTest":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA
established);
EVENT_SA_REPLACE in 826s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
root@rightvpngw:~# 000 #428: "VpnTest" esp.ee70e6eb@85.ttt.www.npq
esp.b66eb69d@88.xxx.yyy.rst tun.0@85.ttt.www.npq tun.0@88.xxx.yyy.rst
but it seems I cannot reach the two hosts in the subnets.
I checked the firewall and I found no reject or drop messages, so I think
it is a routing problem.
Can anyone help me asap?
Thanks in advance and Regards.
--
Gianni Socionovo
E-Business Manager
MEP S.p.A.
Via Papa Giovanni XXIII, 49
61045 Pergola (PU)
ITALY
email: giannisocionovo@mepsaws.it
Web Page: http://www.mepsaws.com/
Tel. +39 0721 737262
Fax. +39 0721 734533