
Resolved
0 votes
First, sorry for my poor English ...

I have 2 systems:

1 - Cos 6.7 Community with Openswan
2 - Cos 7 Business with Libreswan

The VPN connection comes up successfully, but I can't ping the Cos 6 side, and most of the time (80%) I can't log in over RDP and stay on a black login screen.
But when I try to log in over RDP via the WAN connection, I can log in successfully.

Cos 7 side config:

conn muftuluk
    type=tunnel
    authby=secret
    auto=start
    left=78.189.xx.xx
    leftnexthop=
    leftsourceip=192.168.1.1
    leftsubnet=192.168.1.0/24
    right=195.175.xx.xx
    rightnexthop=192.168.15.1
    rightsubnet=192.168.15.0/24
    ikev2=never
    pfs=yes
    ike=3des-sha1;modp1024
    phase2alg=3des-sha1;modp1024

Cos 6 side config:

conn muftuluksube
    type=tunnel
    authby=secret
    auto=start
    pfs=yes
    left=195.175.xx.xx
    leftsourceip=192.168.15.1
    leftsubnet=192.168.15.0/24
    right=78.189.xx.xx
    rightnexthop=192.168.1.1
    rightsubnet=192.168.1.0/24
    ikev2=never
    ike=3des-sha1;modp1024
    phase2alg=3des-sha1;modp1024



What is the problem?

Monday, October 17 2016, 10:47 AM
Responses (21)
  • Tuesday, October 18 2016, 12:33 PM
    [root@gateway ~]# ifconfig
    enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
    inet6 fe80::230:18ff:fecb:ffd9 prefixlen 64 scopeid 0x20<link>
    ether 00:30:18:cb:ff:d9 txqueuelen 1000 (Ethernet)
    RX packets 53003369 bytes 53123784203 (49.4 GiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 46961155 bytes 17532696750 (16.3 GiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
    device memory 0xdf600000-df61ffff

    enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
    inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
    inet6 fe80::230:18ff:fecb:ffda prefixlen 64 scopeid 0x20<link>
    ether 00:30:18:cb:ff:da txqueuelen 1000 (Ethernet)
    RX packets 46185518 bytes 17156830057 (15.9 GiB)
    RX errors 0 dropped 0 overruns 550 frame 0
    TX packets 53130911 bytes 52493039225 (48.8 GiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
    device memory 0xdf500000-df51ffff

    enp4s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
    inet 172.16.0.1 netmask 255.255.0.0 broadcast 172.16.255.255
    inet6 fe80::230:18ff:fecb:ffdb prefixlen 64 scopeid 0x20<link>
    ether 00:30:18:cb:ff:db txqueuelen 1000 (Ethernet)
    RX packets 1609965 bytes 132893920 (126.7 MiB)
    RX errors 0 dropped 16140 overruns 0 frame 0
    TX packets 833101 bytes 986262482 (940.5 MiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
    device memory 0xdf400000-df41ffff

    lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
    inet 127.0.0.1 netmask 255.0.0.0
    inet6 ::1 prefixlen 128 scopeid 0x10<host>
    loop txqueuelen 0 (Local Loopback)
    RX packets 34779467 bytes 29265284418 (27.2 GiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 34779467 bytes 29265284418 (27.2 GiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1492
    inet 78.189.127.48 netmask 255.255.255.255 destination 81.212.171.32
    ppp txqueuelen 3 (Point-to-Point Protocol)
    RX packets 21714254 bytes 22897897427 (21.3 GiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 18427185 bytes 4775743202 (4.4 GiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

    You have new mail in /var/spool/mail/root
    [root@gateway ~]#

  • Tuesday, October 18 2016, 12:28 PM
    Have a look at an MTU based solution like in the FAQ I linked to.

    You may want to check your WAN connection. What is its MTU (do an ifconfig to check)? I think it should be a maximum of 1492 with PPPoE and not 1500 but I can't remember where this is set in ClearOS or if you need to do it in the interface configuration file. Also the connection may be PPPoA even if you think it is PPPoE. This can use 1500 byte MTUs!

    If you google around there is a basic ping test you can do to see the optimum MTU size for your WAN. At a guess you can also do this through your tunnel.
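    The ping test referred to above, written out as an added example (it is not code from this thread, from ClearOS or from Libreswan). It sends single DF-marked ICMP echoes and binary-searches the largest payload that still gets a reply, then adds the 20-byte IPv4 header and 8-byte ICMP header to report the path MTU. The `ping` flags are those of Linux iputils `ping`; the probe callback is injectable so the search logic can be exercised offline, and the 1464-byte cut-off used in the test is a constructed value. The search assumes the path is monotonic (once one size is too large, every larger size fails too), which holds for a fixed-MTU bottleneck but not for a path that drops packets at random.

    ```python
    """Path-MTU probe: find the largest DF-marked ICMP payload that crosses a path,
    then convert it to an MTU. Added illustration, not code from the thread."""
    import subprocess
    import sys
    from typing import Callable

    IPV4_HEADER = 20   # bytes, no options
    ICMP_HEADER = 8    # bytes, echo request/reply header


    def ping_probe(host: str, timeout_s: int = 2) -> Callable[[int], bool]:
        """Build a probe that sends one echo of `payload` bytes with DF set
        (iputils: -M do) and reports whether a reply came back."""
        def probe(payload: int) -> bool:
            cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
                   "-s", str(payload), host]
            return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                                  stderr=subprocess.DEVNULL).returncode == 0
        return probe


    def largest_passing_payload(probe: Callable[[int], bool],
                                low: int = 0, high: int = 1472) -> int:
        """Largest payload in [low, high] for which probe() succeeds, or -1 if
        even `low` fails. 1472 is the payload that fills a 1500-byte frame."""
        if not probe(low):
            return -1
        while low < high:
            mid = (low + high + 1) // 2   # round up so the loop always progresses
            if probe(mid):
                low = mid                 # mid fits: answer is mid or larger
            else:
                high = mid - 1            # mid too big: answer is below mid
        return low


    def payload_to_mtu(payload: int) -> int:
        """Echo payload size plus the IPv4 and ICMP headers carried with it."""
        return payload + IPV4_HEADER + ICMP_HEADER


    def path_mtu(probe: Callable[[int], bool], high: int = 1472) -> int:
        """Path MTU toward the probed host, or -1 if nothing gets through."""
        payload = largest_passing_payload(probe, high=high)
        return -1 if payload < 0 else payload_to_mtu(payload)


    if __name__ == "__main__":
        # usage: python3 mtu_probe.py <host>, e.g. a LAN address on the far side of the tunnel
        print(path_mtu(ping_probe(sys.argv[1])))
    ```

    Run it once against the WAN gateway and once against a host on the far side of the tunnel: the difference between the two figures is the overhead the tunnel adds, and the tunnel figure is the one to compare with the MTU-based fix in the Libreswan FAQ.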
  • Tuesday, October 18 2016, 12:14 PM
    This problem only exists in the Cos-to-Cos VPN connection. All other clients are Zyxel modems and we don't have any problem with them ...

    The WAN connection is:

    ADSL modem in bridge mode -> Cos 7 PPPoE

  • Tuesday, October 18 2016, 11:53 AM
    I am surprised about the file shares. I used to use them with a remote Draytek router for IPsec and Libreswan locally. I would expect them to work by IP address, but network (NetBIOS) browsing won't work. In theory you can get network browsing to work by setting up samba so that one end acts as a relay for the other end. You do this by putting in the remote ClearOS LAN IP in the Windows Networking WINS Server box and disabling the WINS server on that machine. I need to have another play with that set up as I am trying to do it over an odd OpenVPN set up (which is not LAN <-> LAN). It may work.

    Are you able to manually map the shares?

    RDP is possibly a bigger issue and I think a classic IPsec issue. I believe it is to do with the MTU of the connection. Have a look at the "My ssh sessions hang or connectivity is very slow" section of the Libreswan FAQ and have a play.

    What sort of connections are your WAN connections? Cable, PPPoE or ????

  • Tuesday, October 18 2016, 10:48 AM
    OK, now I can ping in both directions, but the RDP and file share problems continue ...

  • Tuesday, October 18 2016, 10:30 AM
    Cos 7 side

    conn muftuluk
        type=tunnel
        authby=secret
        auto=start
        left=78.189.127.48
        leftnexthop=
        leftsourceip=192.168.1.1
        leftsubnet=192.168.1.0/24
        right=195.175.xx.xx
        rightsubnet=192.168.15.0/24
        rightsourceip=192.168.15.1

    Cos 6 side

    conn muftuluk
        type=tunnel
        authby=secret
        auto=start
        left=195.175.xx.xx
        leftsourceip=192.168.15.1
        leftsubnet=192.168.15.0/24
        right=78.189.127.48
        rightsubnet=192.168.1.0/24
        rightsourceip=192.168.1.1

    OK, removed the leftnexthop line ...

  • Tuesday, October 18 2016, 10:07 AM
    Configs must go between code tags as indentation is important. All lines apart from the "conn" line must be indented. (Also there should be no blank lines within a conn but you don't have any). Can you remove the leftnexthop line from COS7?
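    The checks this reply asks for (every line after `conn` indented, no blank lines inside a conn, nexthop lines dropped) plus the two cross-checks that matter for a site-to-site pair (both ends carry subnets, and each end's left* values equal the peer's right* values), as an added example. It is not ClearOS or *swan code; it is a linter over ipsec.conf-style text, and the two sample ends are constructed with documentation addresses in the shape of the configs posted in this thread.

    ```python
    """Lint a pair of Openswan/Libreswan site-to-site 'conn' blocks.
    Added illustration, not ClearOS or *swan code."""

    # each end's left* value must equal the peer's right* value and vice versa
    MIRROR = {"left": "right", "leftsubnet": "rightsubnet",
              "leftsourceip": "rightsourceip", "leftnexthop": "rightnexthop"}
    MIRROR.update({right: left for left, right in list(MIRROR.items())})
    # settings that must simply be identical on both ends
    SAME = ("type", "authby", "auto", "pfs", "ike", "phase2alg", "ikev2")


    def parse_conns(text):
        """Return ({conn_name: {key: value}}, [format warnings])."""
        conns, warnings, cur = {}, [], None
        for n, line in enumerate(text.splitlines(), 1):
            stripped = line.strip()
            if stripped.startswith("conn "):
                cur = stripped.split(None, 1)[1]
                conns[cur] = {}
                continue
            if cur is None or stripped.startswith("#"):
                continue
            if not stripped:
                warnings.append(f"line {n}: blank line inside conn {cur}")
                continue
            if line[0] not in " \t":
                warnings.append(f"line {n}: '{stripped}' is not indented, so *swan "
                                f"will not read it as part of conn {cur}")
            if "=" not in stripped:
                warnings.append(f"line {n}: '{stripped}' is not key=value")
                continue
            key, value = stripped.split("=", 1)
            conns[cur][key.strip()] = value.strip()
        return conns, warnings


    def lint_end(conn):
        """Checks that apply to one end on its own."""
        findings = []
        for side in ("left", "right"):
            if f"{side}nexthop" in conn:
                findings.append(f"{side}nexthop is set; *swan normally works nexthops "
                                "out itself, so drop it")
            if f"{side}subnet" not in conn:
                findings.append(f"{side}subnet is missing, so no subnet will be "
                                "negotiated for that side")
        return findings


    def lint_pair(conn_a, conn_b):
        """Cross-check end A against end B."""
        findings = []
        for key, value in conn_a.items():
            if key in MIRROR:
                peer_key = MIRROR[key]
                if peer_key not in conn_b:
                    findings.append(f"{key}={value} on A but no {peer_key} on B")
                elif conn_b[peer_key] != value:
                    findings.append(f"{key}={value} on A but {peer_key}={conn_b[peer_key]} on B")
            elif key in SAME and key in conn_b and conn_b[key] != value:
                findings.append(f"{key}={value} on A but {key}={conn_b[key]} on B")
        return findings


    # Constructed sample ends (documentation addresses), shaped like the thread's configs.
    COS7 = """conn muftuluk
        type=tunnel
        authby=secret
        auto=start
        left=198.51.100.10
        leftnexthop=
        leftsourceip=192.168.1.1
        leftsubnet=192.168.1.0/24
        right=203.0.113.20
        rightsubnet=192.168.15.0/24
        rightsourceip=192.168.15.1
        pfs=yes
    """

    COS6 = """conn muftuluk
        type=tunnel
        authby=secret
        auto=start
        pfs=yes
        left=203.0.113.20
        leftsourceip=192.168.15.1
        leftsubnet=192.168.15.0/24
        right=198.51.100.10
        rightsubnet=192.168.1.0/24
        rightsourceip=192.168.1.1
    """


    def check_sample():
        """All findings for the two sample ends: the stray leftnexthop is reported twice,
        once by lint_end and once because the peer has no matching rightnexthop."""
        (a, warn_a), (b, warn_b) = parse_conns(COS7), parse_conns(COS6)
        conn_a, conn_b = a["muftuluk"], b["muftuluk"]
        return warn_a + warn_b + lint_end(conn_a) + lint_end(conn_b) + lint_pair(conn_a, conn_b)


    if __name__ == "__main__":
        for finding in check_sample() or ["no problems found"]:
            print(finding)
    ```

    Paste each end's conn block into `COS7` and `COS6` (or read them from the two `/etc/ipsec.d/*.conf` files) and run it; an empty result means the two ends describe the same tunnel from opposite sides.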
  • Tuesday, October 18 2016, 09:33 AM
    Cos 7 side

    conn muftuluk
        type=tunnel
        authby=secret
        auto=start
        left=78.189.127.48
        leftnexthop=
        leftsourceip=192.168.1.1
        leftsubnet=192.168.1.0/24
        right=195.175.xx.xx
        rightsubnet=192.168.15.0/24
        rightsourceip=192.168.15.1

    Cos 6 side

    conn muftuluk
        type=tunnel
        authby=secret
        auto=start
        left=195.175.xx.xx
        leftsourceip=192.168.15.1
        leftsubnet=192.168.15.0/24
        right=78.189.127.48
        rightsubnet=192.168.1.0/24
        rightsourceip=192.168.1.1

  • Tuesday, October 18 2016, 09:30 AM
    Now I see your logs. There are no subnets in the logs. Have you left out the left/rightsubnet lines from your configs? Unfortunately I switched from Openswan to Libreswan a couple of years ago so I am no longer totally familiar with the Openswan logs.

  • Tuesday, October 18 2016, 09:29 AM
    Oct 18 12:28:49 gateway pluto[11132]: NSS DB directory: sql:/etc/ipsec.d
    Oct 18 12:28:49 gateway pluto[11132]: NSS initialized
    Oct 18 12:28:49 gateway pluto[11132]: libcap-ng support [enabled]
    Oct 18 12:28:49 gateway pluto[11132]: FIPS HMAC integrity verification test passed
    Oct 18 12:28:49 gateway pluto[11132]: FIPS: pluto daemon NOT running in FIPS mode
    Oct 18 12:28:49 gateway pluto[11132]: Linux audit support [enabled]
    Oct 18 12:28:49 gateway pluto[11132]: Linux audit activated
    Oct 18 12:28:49 gateway pluto[11132]: Starting Pluto (Libreswan Version 3.15 XFRM(netkey) KLIPS NSS DNSSEC FIPS_CHECK LABELED_IPSEC LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:11132
    Oct 18 12:28:49 gateway pluto[11132]: core dump dir: /var/run/pluto/
    Oct 18 12:28:49 gateway pluto[11132]: secrets file: /etc/ipsec.secrets
    Oct 18 12:28:49 gateway pluto[11132]: leak-detective disabled
    Oct 18 12:28:49 gateway pluto[11132]: NSS crypto [enabled]
    Oct 18 12:28:49 gateway pluto[11132]: XAUTH PAM support [enabled]
    Oct 18 12:28:49 gateway pluto[11132]: NAT-Traversal support [enabled]
    Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok
    Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok
    Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok
    Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok
    Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_enc(): Activating OAKLEY_AES_CTR: Ok
    Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_A: Ok
    Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_B: Ok
    Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_C: Ok
    Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_hash(): Activating DISABLED-OAKLEY_AES_XCBC: Ok
    Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CBC: Ok
    Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CTR: Ok
    Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok
    Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok
    Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok
    Oct 18 12:28:49 gateway pluto[11132]: starting up 3 crypto helpers
    Oct 18 12:28:49 gateway pluto[11132]: started thread for crypto helper 0 (master fd 10)
    Oct 18 12:28:49 gateway pluto[11132]: started thread for crypto helper 1 (master fd 13)
    Oct 18 12:28:49 gateway pluto[11132]: started thread for crypto helper 2 (master fd 15)
    Oct 18 12:28:49 gateway pluto[11132]: Using Linux XFRM/NETKEY IPsec interface code on 3.10.0-327.36.1.v7.x86_64
    Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_enc(): Activating aes_ccm_8: Ok
    Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_enc(): Activating aes_ccm_12: Ok
    Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_enc(): Activating aes_ccm_16: Ok
    Oct 18 12:28:49 gateway pluto[11132]: | selinux support is NOT enabled.
    Oct 18 12:28:50 gateway pluto[11132]: | certificate not loaded for this end
    Oct 18 12:28:50 gateway pluto[11132]: | certificate not loaded for this end
    Oct 18 12:28:50 gateway pluto[11132]: added connection description "muftuluk"
    Oct 18 12:28:50 gateway pluto[11132]: | certificate not loaded for this end
    Oct 18 12:28:50 gateway pluto[11132]: | certificate not loaded for this end
    Oct 18 12:28:50 gateway pluto[11132]: added connection description "v6neighbor-hole-in"
    Oct 18 12:28:50 gateway pluto[11132]: | certificate not loaded for this end
    Oct 18 12:28:50 gateway pluto[11132]: | certificate not loaded for this end
    Oct 18 12:28:50 gateway pluto[11132]: added connection description "v6neighbor-hole-out"
    Oct 18 12:28:50 gateway pluto[11132]: listening for IKE messages
    Oct 18 12:28:50 gateway pluto[11132]: adding interface ppp0/ppp0 78.189.127.48:500
    Oct 18 12:28:50 gateway pluto[11132]: adding interface ppp0/ppp0 78.189.127.48:4500
    Oct 18 12:28:50 gateway pluto[11132]: adding interface enp4s0/enp4s0 172.16.0.1:500
    Oct 18 12:28:50 gateway pluto[11132]: adding interface enp4s0/enp4s0 172.16.0.1:4500
    Oct 18 12:28:50 gateway pluto[11132]: adding interface enp3s0/enp3s0 192.168.1.1:500
    Oct 18 12:28:50 gateway pluto[11132]: adding interface enp3s0/enp3s0 192.168.1.1:4500
    Oct 18 12:28:50 gateway pluto[11132]: adding interface lo/lo 127.0.0.1:500
    Oct 18 12:28:50 gateway pluto[11132]: adding interface lo/lo 127.0.0.1:4500
    Oct 18 12:28:50 gateway pluto[11132]: adding interface lo/lo ::1:500
    Oct 18 12:28:50 gateway pluto[11132]: | setup callback for interface lo:500 fd 30
    Oct 18 12:28:50 gateway pluto[11132]: | setup callback for interface lo:4500 fd 29
    Oct 18 12:28:50 gateway pluto[11132]: | setup callback for interface lo:500 fd 28
    Oct 18 12:28:50 gateway pluto[11132]: | setup callback for interface enp3s0:4500 fd 27
    Oct 18 12:28:50 gateway pluto[11132]: | setup callback for interface enp3s0:500 fd 26
    Oct 18 12:28:50 gateway pluto[11132]: | setup callback for interface enp4s0:4500 fd 25
    Oct 18 12:28:50 gateway pluto[11132]: | setup callback for interface enp4s0:500 fd 24
    Oct 18 12:28:50 gateway pluto[11132]: | setup callback for interface ppp0:4500 fd 23
    Oct 18 12:28:50 gateway pluto[11132]: | setup callback for interface ppp0:500 fd 22
    Oct 18 12:28:50 gateway pluto[11132]: loading secrets from "/etc/ipsec.secrets"
    Oct 18 12:28:50 gateway pluto[11132]: loading secrets from "/etc/ipsec.d/ipsec.unmanaged.muftuluk.secrets"
    Oct 18 12:28:50 gateway pluto[11132]: "muftuluk" #1: initiating Main Mode
    Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #1: ignoring Vendor ID payload [Openswan(project)]
    Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #1: received Vendor ID payload [Dead Peer Detection]
    Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #1: received Vendor ID payload [RFC 3947]
    Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
    Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
    Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #1: STATE_MAIN_I2: sent MI2, expecting MR2
    Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
    Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
    Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #1: STATE_MAIN_I3: sent MI3, expecting MR3
    Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #1: received Vendor ID payload [CAN-IKEv2]
    Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #1: Main mode peer ID is ID_IPV4_ADDR: '195.175.110.54'
    Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
    Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
    Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:a0f763b6 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
    Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
    Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x631a07c5 <0x31d20f14 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}

  • Tuesday, October 18 2016, 09:07 AM
    If you're trying to post your logs, you need less than 20 lines from each end up to the message which contains something like "IPsec SA established". Copy it and paste it between code tags rather than attaching the whole log file.

  • Tuesday, October 18 2016, 08:47 AM
    Cos 7 side Lan : 192.168.1.1
    Cos 6 side Lan : 192.168.15.1


    For Cos 6

     [root@guvenlik ~]# iptables -nvL -t nat
    Chain PREROUTING (policy ACCEPT 47792 packets, 3430K bytes)
    pkts bytes target prot opt in out source destination
    215 12900 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:90 to:192.168.15.73:90
    0 0 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:1010 to:192.168.15.110:1010
    0 0 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:1020 to:192.168.15.120:1020
    0 0 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:1030 to:192.168.15.130:1030
    0 0 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:1040 to:192.168.15.140:1040
    7 448 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:1050 to:192.168.15.150:1050
    13 520 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:8000 to:192.168.1.212:8000
    2 92 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:4444 to:192.168.15.73:3389
    112 6420 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:5555 to:192.168.15.104:3389
    2 120 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:2222 to:192.168.1.210:2222
    188 9776 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:7617 to:192.168.15.75:1433
    56 2688 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:32049 to:192.168.15.73:32049
    0 0 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:6666 to:192.168.1.104:3389
    0 0 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:1070 to:192.168.1.81:1070
    1 40 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:1080 to:192.168.1.82:1080
    0 0 DNAT udp -- * * 0.0.0.0/0 195.175.xx.xx udp dpt:1080 to:192.168.1.82:1080
    0 0 DNAT udp -- * * 0.0.0.0/0 195.175.xx.xx udp dpt:1070 to:192.168.1.81:1070
    2 80 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:5060 to:192.168.1.210:5060
    32 14081 DNAT udp -- * * 0.0.0.0/0 195.175.xx.xx udp dpt:5060 to:192.168.1.210:5060
    0 0 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpts:50000:50512 to:192.168.1.210
    0 0 DNAT udp -- * * 0.0.0.0/0 195.175.xx.xx udp dpts:50000:50512 to:192.168.1.210
    0 0 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpts:9874:9877 to:192.168.1.210
    0 0 DNAT udp -- * * 0.0.0.0/0 195.175.xx.xx udp dpts:9874:9877 to:192.168.1.210
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.15.1 tcp dpt:80
    122 6964 ACCEPT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 217.68.217.20 tcp dpt:80
    0 0 ACCEPT tcp -- * * 217.68.217.20 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 217.169.195.90 tcp dpt:80
    0 0 ACCEPT tcp -- * * 217.169.195.90 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 84.17.81.167 tcp dpt:80
    0 0 ACCEPT tcp -- * * 84.17.81.167 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 137.254.120.24 tcp dpt:80
    0 0 ACCEPT tcp -- * * 137.254.120.24 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 85.158.96.209 tcp dpt:80
    0 0 ACCEPT tcp -- * * 85.158.96.209 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 85.158.96.209 tcp dpt:80
    0 0 ACCEPT tcp -- * * 85.158.96.209 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 85.158.96.204 tcp dpt:80
    0 0 ACCEPT tcp -- * * 85.158.96.204 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 91.208.199.70 tcp dpt:80
    0 0 ACCEPT tcp -- * * 91.208.199.70 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 85.159.67.244 tcp dpt:80
    0 0 ACCEPT tcp -- * * 85.159.67.244 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 204.13.248.116 tcp dpt:80
    0 0 ACCEPT tcp -- * * 204.13.248.116 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 216.146.38.70 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 91.198.22.70 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 216.146.43.70 tcp dpt:80
    0 0 ACCEPT tcp -- * * 216.146.43.70 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 216.146.38.70 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 91.198.22.70 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 109.232.221.183 tcp dpt:80
    0 0 ACCEPT tcp -- * * 109.232.221.183 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 213.148.65.223 tcp dpt:80
    0 0 ACCEPT tcp -- * * 213.148.65.223 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 212.175.130.30 tcp dpt:80
    0 0 ACCEPT tcp -- * * 212.175.130.30 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 193.254.228.224 tcp dpt:80
    0 0 ACCEPT tcp -- * * 193.254.228.224 0.0.0.0/0 tcp dpt:80
    3533 203K REDIRECT tcp -- eth2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080

    Chain POSTROUTING (policy ACCEPT 8552 packets, 624K bytes)
    pkts bytes target prot opt in out source destination
    19707 1344K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec
    0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
    0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.15.73 tcp dpt:90 to:192.168.15.1
    0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.15.110 tcp dpt:1010 to:192.168.15.1
    0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.15.120 tcp dpt:1020 to:192.168.15.1
    0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.15.130 tcp dpt:1030 to:192.168.15.1
    0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.15.140 tcp dpt:1040 to:192.168.15.1
    0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.15.150 tcp dpt:1050 to:192.168.15.1
    0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.1.212 tcp dpt:8000 to:192.168.15.1
    0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.15.73 tcp dpt:3389 to:192.168.15.1
    0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.15.104 tcp dpt:3389 to:192.168.15.1
    0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.1.210 tcp dpt:2222 to:192.168.15.1
    0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.15.75 tcp dpt:1433 to:192.168.15.1
    0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.15.73 tcp dpt:32049 to:192.168.15.1
    0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.1.104 tcp dpt:3389 to:192.168.15.1
    0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.1.81 tcp dpt:1070 to:192.168.15.1
    0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.1.82 tcp dpt:1080 to:192.168.15.1
    0 0 SNAT udp -- * * 192.168.15.0/24 192.168.1.82 udp dpt:1080 to:192.168.15.1
    0 0 SNAT udp -- * * 192.168.15.0/24 192.168.1.81 udp dpt:1070 to:192.168.15.1
    0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.1.210 tcp dpt:5060 to:192.168.15.1
    0 0 SNAT udp -- * * 192.168.15.0/24 192.168.1.210 udp dpt:5060 to:192.168.15.1
    0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.1.210 tcp dpts:50000:50512 to:192.168.15.1
    0 0 SNAT udp -- * * 192.168.15.0/24 192.168.1.210 udp dpts:50000:50512 to:192.168.15.1
    0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.1.210 tcp dpts:9874:9877 to:192.168.15.1
    0 0 SNAT udp -- * * 192.168.15.0/24 192.168.1.210 udp dpts:9874:9877 to:192.168.15.1
    20266 1521K MASQUERADE all -- * eth1 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 18418 packets, 1448K bytes)
    pkts bytes target prot opt in out source destination
    [root@guvenlik ~]#



    For Cos 7


     [root@gateway ~]# iptables -nvL -t nat
    Chain PREROUTING (policy ACCEPT 345K packets, 50M bytes)
    pkts bytes target prot opt in out source destination
    82 4280 DNAT tcp -- * * 0.0.0.0/0 78.189.127.48 tcp dpt:80 to:192.168.1.215:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.1 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 78.189.127.48 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 85.111.23.206 tcp dpt:80
    0 0 ACCEPT tcp -- * * 85.111.23.206 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 194.29.215.18 tcp dpt:80
    0 0 ACCEPT tcp -- * * 194.29.215.18 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 194.29.215.11 tcp dpt:80
    0 0 ACCEPT tcp -- * * 194.29.215.11 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 194.29.215.50 tcp dpt:80
    0 0 ACCEPT tcp -- * * 194.29.215.50 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 194.29.215.19 tcp dpt:80
    0 0 ACCEPT tcp -- * * 194.29.215.19 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 194.29.215.16 tcp dpt:80
    0 0 ACCEPT tcp -- * * 194.29.215.16 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 194.29.215.13 tcp dpt:80
    0 0 ACCEPT tcp -- * * 194.29.215.13 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 194.29.215.12 tcp dpt:80
    0 0 ACCEPT tcp -- * * 194.29.215.12 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 85.111.20.123 tcp dpt:80
    0 0 ACCEPT tcp -- * * 85.111.20.123 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 217.68.217.29 tcp dpt:80
    0 0 ACCEPT tcp -- * * 217.68.217.29 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 212.174.175.207 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 212.174.168.207 tcp dpt:80
    0 0 ACCEPT tcp -- * * 212.174.175.207 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 212.174.168.207 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 92.45.116.96 tcp dpt:80
    0 0 ACCEPT tcp -- * * 92.45.116.96 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 194.29.215.15 tcp dpt:80
    0 0 ACCEPT tcp -- * * 194.29.215.15 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 194.29.215.51 tcp dpt:80
    0 0 ACCEPT tcp -- * * 194.29.215.51 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 31.13.92.36 tcp dpt:80
    0 0 ACCEPT tcp -- * * 31.13.92.36 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 217.68.217.20 tcp dpt:80
    0 0 ACCEPT tcp -- * * 217.68.217.20 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 217.68.217.12 tcp dpt:80
    0 0 ACCEPT tcp -- * * 217.68.217.12 0.0.0.0/0 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.15.104 tcp dpt:80
    0 0 ACCEPT tcp -- * * 192.168.15.104 0.0.0.0/0 tcp dpt:80
    12785 966K REDIRECT tcp -- enp3s0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080

    Chain INPUT (policy ACCEPT 128K packets, 8873K bytes)
    pkts bytes target prot opt in out source destination

    Chain OUTPUT (policy ACCEPT 220K packets, 14M bytes)
    pkts bytes target prot opt in out source destination

    Chain POSTROUTING (policy ACCEPT 114K packets, 7281K bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
    739 37446 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec
    0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.215 tcp dpt:80 to:192.168.1.1
    0 0 SNAT tcp -- * * 172.16.0.0/16 192.168.1.215 tcp dpt:80 to:172.16.0.1
    231K 17M MASQUERADE all -- * ppp0 0.0.0.0/0 0.0.0.0/0
    [root@gateway ~]#


    http://akmansoy.poweredbyclear.com/Cos7-side-ipsec.txt

  • Monday, October 17 2016, 03:56 PM
    Can you confirm that the ClearOS LAN IP's are 192.168.1.1 and 192.168.15.1?
    What is the output of "iptables -nvL -t nat"? Please put the answer between code tags (the piece of paper icon with a <> at the top of the reply box).
    Can you also post a connection snippet from /var/log/ipsec where it is negotiating the connection (and not the stuff before that as ipsec is loading)

    Until pings are working nothing else will.

  • Monday, October 17 2016, 03:28 PM
    Now the problem is fixed and ipsec starts normally, but RDP login, ping and samba (shared folder) access have the same problem ...

  • Monday, October 17 2016, 02:41 PM
    Network Mode Gateway Mode

    Version ClearOS Community release 6.7.0 (Final)
    Kernel Version 2.6.32-573.26.1.v6.x86_64

    [root@guvenlik ~]# rpm -qa | grep swan
    openswan-2.6.32-37.el6.x86_64

    ??

  • Monday, October 17 2016, 02:27 PM
    The config file has nothing to do with the results of "ipsec verify"

    Presumably ClearOS is in Gateway mode? If not then this config won't work. If it is in gateway mode then IP forwarding should be enabled anyway. I also don't understand why it says no IPsec support in the kernel. I'll have to check my system when I'm home. Can you make sure IPsec is running when you run the "ipsec verify" command? Can you tell me if 6.x is running openswan or libreswan ("rpm -qa | grep swan")? I suspect openswan.

  • Monday, October 17 2016, 02:12 PM
    Cos 6 side after editing the cfg file; :(

  • Monday, October 17 2016, 01:06 PM
    Thank you, I will try now ...

  • Monday, October 17 2016, 12:31 PM
    Keeping it simple:

    conn muftuluk
        type=tunnel
        authby=secret
        auto=start
        left=78.189.xx.xx
        leftsourceip=192.168.1.1
        leftsubnet=192.168.1.0/24
        right=195.175.xx.xx
        rightsubnet=192.168.15.0/24
        pfs=yes

    and

    conn muftuluksube
        type=tunnel
        authby=secret
        auto=start
        pfs=yes
        left=195.175.xx.xx
        leftsourceip=192.168.15.1
        leftsubnet=192.168.15.0/24
        right=78.189.xx.xx
        rightsubnet=192.168.1.0/24

    Optionally add:
    ike=3des-sha1;modp1024
    or
    ike=aes128-sha1;modp1024
    (it may be ike=aes-sha1;modp1024, but I can't remember)

  • Monday, October 17 2016, 12:19 PM
    Nick;

    Thank you for your interest. Can you edit the config file above for me? Because I can't understand :/

  • Monday, October 17 2016, 12:05 PM
    I think your nexthops are wrong. They are normally not needed as Openswan/Libreswan normally works them out automatically. If you use them they should be the next external hop beyond the IPsec WAN so 195.175.xx.xx's and 78.189.xx.xx's gateways.

    How have you allowed IPsec through the firewall? If you've just enabled incoming udp:500, it will fail. Better is to allow the Standard Service IPsec.

    It is probably better to look at /var/log/IPsec to see if your connection is stable or continually rekeying.

    Can you change your phase2alg to either nothing or 3des-sha1 (no modp1024) as I don't think *swan plays well if you specify any modp? If you leave it out, it will assume 3des-sha1 from ike anyway. If you leave out both ike and phase2alg, *swan should negotiate something sensible anyway. Also, FWIW, aes128 uses much less processing power than 3des for a similar level of security.
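    The firewall point above (opening only udp/500 is not enough) as an added check, not ClearOS code: an IPsec peer needs IKE on udp/500, NAT traversal on udp/4500 (the log on this page shows both ports being bound, and NAT-T is negotiated even when no NAT is detected) and the ESP protocol itself, which carries no port. The function reads `iptables -S INPUT` output and lists what is still missing; the rule listings below are constructed samples in that format.

    ```python
    """Check that a host firewall admits everything an IPsec peer needs.
    Added illustration, not ClearOS code. Input is `iptables -S` text."""
    import re
    import sys

    # (protocol, destination port) the peer must be able to reach; None = no port
    REQUIRED = (("udp", 500), ("udp", 4500), ("esp", None))
    PROTO_NAMES = {"17": "udp", "50": "esp"}   # numeric forms iptables also accepts


    def accepted(rules_text):
        """Return [(proto, low_port, high_port)] for every ACCEPT rule with a -p match.
        Rules without a port match yield (proto, None, None); --dports lists and
        lo:hi ranges are expanded."""
        allowed = []
        for line in rules_text.splitlines():
            line = line.strip()
            if not line.startswith("-A ") or "-j ACCEPT" not in line:
                continue
            proto = re.search(r"-p (\S+)", line)
            if not proto:
                continue            # e.g. the RELATED,ESTABLISHED rule: not protocol-specific
            name = PROTO_NAMES.get(proto.group(1), proto.group(1))
            ports = re.search(r"--dports? (\S+)", line)
            if ports:
                for item in ports.group(1).split(","):
                    low, _, high = item.partition(":")
                    allowed.append((name, int(low), int(high or low)))
            else:
                allowed.append((name, None, None))
        return allowed


    def permits(allowed, proto, port):
        """True if some accepted entry covers proto (and port, when one is required)."""
        return any(p == proto and (low is None or (port is not None and low <= port <= high))
                   for p, low, high in allowed)


    def missing_for_ipsec(rules_text):
        """Required entries the listing does not accept, e.g. ['udp/4500', 'esp']."""
        allowed = accepted(rules_text)
        return [f"{proto}/{port}" if port else proto
                for proto, port in REQUIRED if not permits(allowed, proto, port)]


    # Constructed listings: the "just udp:500" case and the complete one.
    ONLY_IKE = """-P INPUT DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p udp -m udp --dport 500 -j ACCEPT
    """
    FULL = ONLY_IKE + """-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
    -A INPUT -p esp -j ACCEPT
    """


    if __name__ == "__main__":
        # usage: iptables -S INPUT | python3 ipsec_fw_check.py
        gaps = missing_for_ipsec(sys.stdin.read())
        print("missing: " + ", ".join(gaps) if gaps else "IKE, NAT-T and ESP are all accepted")
    ```

    The check only covers the INPUT side of the gateway itself; traffic between the two LANs additionally depends on the FORWARD chain and on the `policy match dir out pol ipsec` rule sitting ahead of MASQUERADE in the nat POSTROUTING chain, as both listings on this page show.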