<div dir="ltr"><div><div><div>Found the firewall issues:<br><a href="http://www.mad-hacking.net/documentation/linux/networking/ipsec/static-vpn.xml">http://www.mad-hacking.net/documentation/linux/networking/ipsec/static-vpn.xml</a><br><br></div>There are a few rules there that DON'T work (those with the logical not for policy don't work and the ! needs to be before the -d <ip|interface><br></div> in the iptables file itself.<br><br></div>Basically, I needed to stop mangling the packets AFTER encryption. <br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Feb 28, 2015 at 3:19 PM, Jim Kinney <span dir="ltr"><<a href="mailto:jim.kinney@gmail.com" target="_blank">jim.kinney@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>Setting up a libreswan (fork of OpenSwan - default in RHEL/CentOS7) between two gateways for a net-to-net vpn.<br><br></div>The tunnel gives all indications of building properly but absolutely no packets move between the gateways afterwards, no ping, nothing.<br><br></div>the connection conf file:<br><br>conn test<br> type=tunnel<br> rightid=@mostlyme<br> right=70.88.18.24<br> rightsourceip=192.168.0.1<br> rightsubnet=<a href="http://192.168.0.0/24" target="_blank">192.168.0.0/24</a><br> leftid=@otherme<br> left=173.160.9.6<br> leftsourceip=192.168.1.2<br> leftsubnet=<a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a><br> esp=3des-md5-96<br> keyexchange=ike<br> pfs=no<br> auth=esp<br> authby=secret<br> auto=start<br><br></div>secret is found and used.<br><div><br clear="all"><div><div><div>Using netkey so the iptables stuff is very weird. Basically allow all sources for protocol esp, ah (UDP) and udp port 4500 for NAT-T. Default rules are to allow ANYTHING from either end, gateway or private network in incoming, forward, outgoing. <br><br>ip xfrm state (same on both ends)<br>src 173.160.9.6 dst 70.88.18.24<br> proto esp spi 0x0465e409 reqid 16385 mode tunnel<br> replay-window 32 flag af-unspec<br> auth-trunc hmac(md5) 0x934678d91da8c457f779aab661eefc7f 96<br> enc cbc(des3_ede) 0x9bd95c9caac61d1c63586b4aa6b4c2966e35fea5ecc316b5<br>src 70.88.18.24 dst 173.160.9.6<br> proto esp spi 0x4b4a9dc7 reqid 16385 mode tunnel<br> replay-window 32 flag af-unspec<br> auth-trunc hmac(md5) 0xaf5c69d32b81b49df203315fe8f0ea66 96<br> enc cbc(des3_ede) 0xf6636ecda9d307f9d4e4b114746d6deb55f8d7f418b884e3<br><br><br>ipsec auto --status (other gateway is similar)<br>000 using kernel interface: netkey<br>000 interface lo/lo ::1<br>000 interface enp3s0/enp3s0 2601:0:8781:700:6a05:caff:fe2e:5859<br>000 interface lo/lo 127.0.0.1<br>000 interface lo/lo 127.0.0.1<br>000 interface enp2s0/enp2s0 192.168.1.2<br>000 interface enp2s0/enp2s0 192.168.1.2<br>000 interface enp3s0/enp3s0 173.160.9.6<br>000 interface enp3s0/enp3s0 173.160.9.6<br>000 <br>000 fips mode=disabled;<br>000 SElinux=disabled<br>000 <br>000 config setup options:<br>000 <br>000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto/, statsbin=unset<br>000 sbindir=/usr/sbin, libdir=/usr/libexec/ipsec, libexecdir=/usr/libexec/ipsec<br>000 pluto_version=3.8, pluto_vendorid=OE-Libreswan-3.8<br>000 nhelpers=-1, uniqueids=yes, retransmits=yes, force_busy=no<br>000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any><br>000 secctx_attr_value=32001<br>000 myid = (none)<br>000 debug none<br>000 <br>000 nat_traversal=yes, keep_alive=20, nat_ikeport=4500, disable_port_floating=no<br>000 virtual_private (%priv):<br>000 - allowed 7 subnets: <a href="http://10.0.0.0/8" target="_blank">10.0.0.0/8</a>, <a href="http://192.168.0.0/24" target="_blank">192.168.0.0/24</a>, <a href="http://172.16.0.0/12" target="_blank">172.16.0.0/12</a>, <a href="http://25.0.0.0/8" target="_blank">25.0.0.0/8</a>, <a href="http://100.64.0.0/10" target="_blank">100.64.0.0/10</a>, fd00::/8, fe80::/10<br>000 - disallowed 1 subnet: <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a><br>000 <br>000 ESP algorithms supported:<br>000 <br>000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64<br>000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192<br>000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128<br>000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448<br>000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0<br>000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256<br>000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288<br>000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256<br>000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256<br>000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256<br>000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256<br>000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=128, keysizemax=256<br>000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=128, keysizemax=256<br>000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256<br>000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256<br>000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256<br>000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128<br>000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160<br>000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256<br>000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384<br>000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512<br>000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160<br>000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128<br>000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0<br>000 <br>000 IKE algorithms supported:<br>000 <br>000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128<br>000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128<br>000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128<br>000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=16, v2name=AES_CCM_C, blocksize=16, keydeflen=128<br>000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=15, v2name=AES_CCM_B, blocksize=16, keydeflen=128<br>000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=14, v2name=AES_CCM_A, blocksize=16, keydeflen=128<br>000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192<br>000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128<br>000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128<br>000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128<br>000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128<br>000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16<br>000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20<br>000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32<br>000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48<br>000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64<br>000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024<br>000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536<br>000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048<br>000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072<br>000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096<br>000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144<br>000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192<br>000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024<br>000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048<br>000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048<br>000 <br>000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64} trans={0,2,3072} attrs={0,2,2048} <br>000 <br>000 Connection list:<br>000 <br>000 "test": <a href="http://192.168.1.0/24===173.160.9.6" target="_blank">192.168.1.0/24===173.160.9.6</a><173.160.9.6>[@otherme]...70.88.18.24<70.88.18.24>[@mostlyme]===<a href="http://192.168.0.0/24" target="_blank">192.168.0.0/24</a>; erouted; eroute owner: #4<br>000 "test": oriented; my_ip=192.168.1.2; their_ip=192.168.0.1;<br>000 "test": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]; ;<br>000 "test": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;<br>000 "test": labeled_ipsec:no, loopback:no; <br>000 "test": policy_label:unset; <br>000 "test": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;<br>000 "test": sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;<br>000 "test": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+IKE_FRAG; <br>000 "test": conn_prio: 24,24; interface: enp3s0; metric: 0; mtu: unset; sa_prio:auto;<br>000 "test": newest ISAKMP SA: #3; newest IPsec SA: #4; <br>000 "test": IKE algorithm newest: AES_CBC_128-SHA1-MODP2048<br>000 "test": ESP algorithms wanted: 3DES(3)_000-MD5(1)_096<br>000 "test": ESP algorithms loaded: 3DES(3)_192-MD5(1)_096<br>000 "test": ESP algorithm newest: 3DES_000-HMAC_MD5; pfsgroup=<N/A><br>000 <br>000 Total IPsec connections: loaded 1, active 1<br>000 <br>000 State list:<br>000 <br>000 #4: "test":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 26351s; newest IPSEC; eroute owner; isakmp#3; idle; import:not set<br>000 #4: "test" <a href="mailto:esp.465e409@70.88.18.24" target="_blank">esp.465e409@70.88.18.24</a> <a href="mailto:esp.4b4a9dc7@173.160.9.6" target="_blank">esp.4b4a9dc7@173.160.9.6</a> <a href="mailto:tun.0@70.88.18.24" target="_blank">tun.0@70.88.18.24</a> <a href="mailto:tun.0@173.160.9.6" target="_blank">tun.0@173.160.9.6</a> ref=0 refhim=4294901761 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B <br>000 #3: "test":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 1151s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set<br>000 <br>000 Shunt list:<br>000 <br><span class="HOEnZb"><font color="#888888"><br><br><br></font></span></div><span class="HOEnZb"><font color="#888888"><div>-- <br><div><div dir="ltr">-- <br>James P. Kinney III<br><i><i><i><i><br></i></i></i></i>Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.<br>
- Speech 11/23/1900 Mark Twain<br><i><i><i><i><br><a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br></i></i></i></i></div></div>
</div></font></span></div></div></div></div>
</blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr">-- <br>James P. Kinney III<br><i><i><i><i><br></i></i></i></i>Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.<br>
- Speech 11/23/1900 Mark Twain<br><i><i><i><i><br><a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br></i></i></i></i></div></div>
</div>