2.6 IPSec tunnel mode gateway

 
 
Abe Froman
      02-20-2004, 02:18 AM
I am having trouble getting traffic through an ipsec gateway in tunnel
mode. I have a client on a private net connecting to a 2.6 gateway
running iptables and ipsec. What I would like to happen is all traffic
from the client is encrypted and sent down the tunnel to the gateway
where it is decrypted then sent off to the Internet then back. This is
being done on a wired net now for testing but the ultimate goal is to
replace WEP with ipsec for my wireless clients. I am able to pass
traffic through the gateway when the security policy is disabled. I
can also establish a tunnel and pass traffic between the gateway and
the client but no further.

** Note the iptables script is overly simple to avoid confusion but
it works for now.

I am using the KAME tools in userland, here are the configs.


The gateway is 10.0.0.1
The client is 10.0.0.99

########################
#
#Client Configuration
#
########################
linux-2.6.2
#############
ipsec.conf
#############
#!/usr/local/sbin/setkey -f
flush;
spdflush;

spdadd 10.0.0.99/32 0.0.0.0/0 any -P out ipsec
esp/tunnel/10.0.0.99-10.0.0.1/require;

# inbound SA runs from the gateway to this client, so its tunnel
# endpoints mirror the gateway's out policy: 10.0.0.1-10.0.0.99
spdadd 0.0.0.0/0 10.0.0.99/32 any -P in ipsec
esp/tunnel/10.0.0.1-10.0.0.99/require;


###########
racoon.conf
############
path pre_shared_key "/etc/racoon/psk.txt";
listen {
isakmp 10.0.0.99;
}


remote anonymous {
exchange_mode main;
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo anonymous {
#lifetime time 2 min;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}

########################
#
#Gateway Configuration
#
########################
linux-2.6.0
###########
ipsec.conf
###########
#!/usr/local/sbin/setkey -f
flush;
spdflush;
spdadd 10.0.0.99/32 0.0.0.0/0 any -P in ipsec
esp/tunnel/10.0.0.99-10.0.0.1/require;

spdadd 0.0.0.0/0 10.0.0.99/32 any -P out ipsec
esp/tunnel/10.0.0.1-10.0.0.99/require;

############
racoon.conf
############
path pre_shared_key "/etc/racoon/psk.txt";
listen {
isakmp 10.0.0.1;
}


remote anonymous {
exchange_mode main;
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo anonymous {
#lifetime time 2 min;
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}

##################
ip tables script
##################
#!/bin/sh
EXT="eth0"
LAN="10.0.0.0/24"


#Set up tables
/usr/sbin/iptables -F FORWARD
/usr/sbin/iptables -F INPUT
/usr/sbin/iptables -F OUTPUT

#allow all
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -P FORWARD ACCEPT

#NAT On
/usr/sbin/iptables -t nat -F POSTROUTING
/usr/sbin/iptables -t nat -A POSTROUTING -d ! $LAN -j MASQUERADE
/usr/sbin/iptables -A FORWARD -s $LAN -j ACCEPT
/usr/sbin/iptables -A FORWARD -d $LAN -j ACCEPT

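A consistency check for the two setkey scripts above, added here as an example and not code from the original post or from the KAME tools. Tunnel-mode policies only work when each host's SPD entry has a mirror image on the peer: same traffic selectors, opposite direction, and the same SA endpoint pair (an SA that is "out" on the client is "in" on the gateway). The script parses the spdadd statements from both sides and reports an endpoint pair that does not name the local host on the expected side, identical endpoints, or a policy with no mirror on the other host. The two configs in the block are constructed from the thread's addresses (10.0.0.99 client, 10.0.0.1 gateway); the client copy carries one bad inbound endpoint pair, 10.0.0.1-10.0.0.1, on purpose so the output shows what such a slip looks like.

```python
"""Cross-check tunnel-mode setkey policies between a client and its gateway.

Added example for this thread; not code from the original post or from the
KAME tools. Parses 'spdadd' statements from both setkey scripts and reports
tunnel endpoint pairs that cannot work together.
"""
import re
from dataclasses import dataclass, replace as dc_replace

CLIENT_IP = "10.0.0.99"
GATEWAY_IP = "10.0.0.1"

# Constructed client setkey script; the inbound tunnel is written as
# 10.0.0.1-10.0.0.1 on purpose, the kind of slip this check is meant to catch.
CLIENT_CONF = """
flush;
spdflush;

spdadd 10.0.0.99/32 0.0.0.0/0 any -P out ipsec
esp/tunnel/10.0.0.99-10.0.0.1/require;

spdadd 0.0.0.0/0 10.0.0.99/32 any -P in ipsec
esp/tunnel/10.0.0.1-10.0.0.1/require;
"""

# Same script with the inbound SA endpoints corrected (gateway -> client).
CLIENT_CONF_FIXED = CLIENT_CONF.replace(
    "esp/tunnel/10.0.0.1-10.0.0.1/require;",
    "esp/tunnel/10.0.0.1-10.0.0.99/require;")

# Constructed gateway setkey script.
GATEWAY_CONF = """
flush;
spdflush;
spdadd 10.0.0.99/32 0.0.0.0/0 any -P in ipsec
esp/tunnel/10.0.0.99-10.0.0.1/require;

spdadd 0.0.0.0/0 10.0.0.99/32 any -P out ipsec
esp/tunnel/10.0.0.1-10.0.0.99/require;
"""

# spdadd <src> <dst> <upper> -P <dir> ipsec <proto>/tunnel/<sa_src>-<sa_dst>/<level>;
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(esp|ah|ipcomp)/tunnel/([^-\s]+)-([^/\s]+)/(\w+)\s*;"
)


@dataclass(frozen=True)
class Policy:
    src: str        # traffic selector source
    dst: str        # traffic selector destination
    upper: str      # upper-layer protocol selector ('any', 'tcp', ...)
    direction: str  # 'in' or 'out'
    proto: str      # esp / ah / ipcomp
    sa_src: str     # outer (tunnel) source address
    sa_dst: str     # outer (tunnel) destination address
    level: str      # require / use / default


def parse_spd(text):
    """Return the tunnel-mode spdadd policies found in a setkey script."""
    return [Policy(*m.groups()) for m in SPD_RE.finditer(text)]


def mirror(policy):
    """The policy the peer must hold: same selectors and SA, opposite direction."""
    return dc_replace(policy, direction="in" if policy.direction == "out" else "out")


def check_host(name, local_ip, policies):
    """Findings about one host's own policies, independent of the peer."""
    findings = []
    for p in policies:
        where = f"{name} {p.direction} {p.src}->{p.dst}"
        if p.sa_src == p.sa_dst:
            findings.append(f"{where}: tunnel endpoints are identical ({p.sa_src})")
        # An outbound SA originates on this host; an inbound SA terminates here.
        local_end = p.sa_src if p.direction == "out" else p.sa_dst
        if local_end != local_ip:
            findings.append(f"{where}: local tunnel endpoint is {local_end}, expected {local_ip}")
    return findings


def check_mirrors(client, gateway):
    """Findings for policies that have no counterpart on the other host."""
    findings = []
    for label, own, peer in (("client", client, set(gateway)), ("gateway", gateway, set(client))):
        for p in own:
            if mirror(p) not in peer:
                findings.append(
                    f"{label} {p.direction} {p.src}->{p.dst} via {p.sa_src}-{p.sa_dst} "
                    f"has no matching {mirror(p).direction} policy on the peer")
    return findings


def audit(client_conf, client_ip, gateway_conf, gateway_ip):
    """Run every check; an empty list means the two SPDs are consistent."""
    client, gateway = parse_spd(client_conf), parse_spd(gateway_conf)
    return (check_host("client", client_ip, client)
            + check_host("gateway", gateway_ip, gateway)
            + check_mirrors(client, gateway))


if __name__ == "__main__":
    for line in audit(CLIENT_CONF, CLIENT_IP, GATEWAY_CONF, GATEWAY_IP):
        print(line)
    print("fixed config findings:", audit(CLIENT_CONF_FIXED, CLIENT_IP, GATEWAY_CONF, GATEWAY_IP))
```

Run against the constructed pair it reports four findings, all traceable to the one bad inbound line on the client: identical endpoints, a local endpoint that is not the client, and a missing mirror in each direction; with the corrected client script it reports nothing. It only reads setkey-style scripts, so point it at the two ipsec.conf files rather than at racoon.conf.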
nkrall
      02-21-2004, 12:08 PM
It seems to me that you have a comparable problem to mine mentioned in
the post "ipsec and NAT". A guy from a German mailing list has told me
that ipsec sometimes views the interfaces from the wrong side. So your
iptables rule should be like the following:

${IPTABLES} -A POSTROUTING -o ipsec0 -t nat -s public_ip -j SNAT --to private_ip

I have not tried it yet but it might work.
Have you already used tcpdump to monitor the traffic on both eth
interfaces and ipsec0 to locate where the problem actually occurs?

Good luck!

Nikolaus

Abe Froman wrote:
> I am having trouble getting traffic through an ipsec gateway in tunnel
> mode. I have a client on a private net connecting to a 2.6 gateway
> running iptables and ipsec. What I would like to happen is all traffic
> from the client is encrypted and sent down the tunnel to the gateway
> where it is decrypted then sent off to the Internet then back. This is
> being done on a wired net now for testing but the ultimate goal is to
> replace WEP with ipsec for my wireless clients. I am able to pass
> traffic through the gateway when the security policy is disabled. I
> can also establish a tunnel and pass traffic between the gateway and
> the client but no further.
nkrall
      02-21-2004, 02:59 PM
You apparently do not use FreeS/WAN so I cannot tell you the correct
syntax but watch out that the client can connect to all nets. That
means: 0.0.0.0/0. I have coincidentally limited access to my own subnet
only and could not connect to the internet.

Nikolaus

Abe Froman wrote:
> I am having trouble getting traffic through an ipsec gateway in tunnel
> mode. I have a client on a private net connecting to a 2.6 gateway
> running iptables and ipsec. What I would like to happen is all traffic
> from the client is encrypted and sent down the tunnel to the gateway
> where it is decrypted then sent off to the Internet then back. This is
> being done on a wired net now for testing but the ultimate goal is to
> replace WEP with ipsec for my wireless clients. I am able to pass
> traffic through the gateway when the security policy is disabled. I
> can also establish a tunnel and pass traffic between the gateway and
> the client but no further.