Sorry in advance for my poor English ...
I have 2 systems:
1 - Cos 6.7 Community with Openswan
2 - Cos 7 Business with Libreswan
The VPN connection is successful but I can't ping Cos6, and sometimes (80%) I can't log in via RDP and stay on a black login screen.
But when I try to log in via RDP over the WAN connection, I can log in successfully.
Cos 7 side config:
conn muftuluk
type=tunnel
authby=secret
auto=start
left=78.189.xx.xx
leftnexthop=
leftsourceip=192.168.1.1
leftsubnet=192.168.1.0/24
right=195.175.xx.xx
rightnexthop=192.168.15.1
rightsubnet=192.168.15.0/24
ikev2=never
pfs=yes
ike=3des-sha1;modp1024
phase2alg=3des-sha1;modp1024
Cos 6 side config:
conn muftuluksube
type=tunnel
authby=secret
auto=start
pfs=yes
left=195.175.xx.xx
leftsourceip=192.168.15.1
leftsubnet=192.168.15.0/24
right=78.189.xx.xx
rightnexthop=192.168.1.1
rightsubnet=192.168.1.0/24
ikev2=never
ike=3des-sha1;modp1024
phase2alg=3des-sha1;modp1024
What is the problem?
In VPN
Responses (21)
-
Accepted Answer
[root@gateway ~]# ifconfig
enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::230:18ff:fecb:ffd9 prefixlen 64 scopeid 0x20<link>
ether 00:30:18:cb:ff:d9 txqueuelen 1000 (Ethernet)
RX packets 53003369 bytes 53123784203 (49.4 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 46961155 bytes 17532696750 (16.3 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0xdf600000-df61ffff
enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::230:18ff:fecb:ffda prefixlen 64 scopeid 0x20<link>
ether 00:30:18:cb:ff:da txqueuelen 1000 (Ethernet)
RX packets 46185518 bytes 17156830057 (15.9 GiB)
RX errors 0 dropped 0 overruns 550 frame 0
TX packets 53130911 bytes 52493039225 (48.8 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0xdf500000-df51ffff
enp4s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.0.1 netmask 255.255.0.0 broadcast 172.16.255.255
inet6 fe80::230:18ff:fecb:ffdb prefixlen 64 scopeid 0x20<link>
ether 00:30:18:cb:ff:db txqueuelen 1000 (Ethernet)
RX packets 1609965 bytes 132893920 (126.7 MiB)
RX errors 0 dropped 16140 overruns 0 frame 0
TX packets 833101 bytes 986262482 (940.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0xdf400000-df41ffff
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 34779467 bytes 29265284418 (27.2 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 34779467 bytes 29265284418 (27.2 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1492
inet 78.189.127.48 netmask 255.255.255.255 destination 81.212.171.32
ppp txqueuelen 3 (Point-to-Point Protocol)
RX packets 21714254 bytes 22897897427 (21.3 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 18427185 bytes 4775743202 (4.4 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
You have new mail in /var/spool/mail/root
[root@gateway ~]#
-
Accepted Answer
Have a look at an MTU based solution like in the FAQ I linked to.
You may want to check your WAN connection. What is its MTU (do an ifconfig to check)? I think it should be a maximum of 1492 with PPPoE and not 1500 but I can't remember where this is set in ClearOS or if you need to do it in the interface configuration file. Also the connection may be PPPoA even if you think it is PPPoE. This can use 1500 byte MTUs!
If you google around, there is a basic ping test you can do to see the optimum MTU size for your WAN. At a guess you can also do this through your tunnel.
-
Accepted Answer
I am surprised about the file shares. I used to use them with a remote Draytek router for IPsec and Libreswan locally. I would expect them to work by IP address, but network (NetBIOS) browsing won't work. In theory you can get network browsing to work by setting up samba so that one end acts as a relay for the other end. You do this by putting in the remote ClearOS LAN IP in the Windows Networking WINS Server box and disabling the WINS server on that machine. I need to have another play with that set up as I am trying to do it over an odd OpenVPN set up (which is not LAN <-> LAN). It may work.
Are you able to manually map the shares?
RDP is possibly a bigger issue and I think a classic IPsec issue. I believe it is to do with the MTU of the connection. Have a look at the "My ssh sessions hang or connectivity is very slow" section of the Libreswan FAQ and have a play.
What sort of connections are your WAN connections? Cable, PPPoE or ????
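The two replies above point at MTU: the ping test for the largest unfragmented packet, and the Libreswan FAQ's MSS-clamping remedy for hanging sessions. The script below is an added example for this thread, not code from the posts, ClearOS or Libreswan. It binary-searches the largest ICMP payload that passes with the DF bit set (assumes iputils ping's `-M do` and `-s` flags), converts it to a path MTU, computes the worst-case ESP tunnel-mode overhead for the CBC+HMAC-SHA1 transforms the thread uses, and prints (does not apply) the corresponding `TCPMSS` clamp rule. The file name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example: path-MTU probe plus ESP overhead / MSS clamp calculation.
# Not from the thread, ClearOS or Libreswan. Assumes iputils ping (-M do = don't fragment, -s = payload size).

# probe_ping SIZE HOST: 0 if an ICMP echo with SIZE payload bytes and DF set is answered.
probe_ping() {
    ping -c 1 -W 2 -M do -s "$1" "$2" >/dev/null 2>&1
}

# find_max_payload PROBE HOST LOW HIGH: largest payload size in [LOW,HIGH] that PROBE accepts.
# PROBE is a function name, so a fake probe can replace ping for offline checks.
find_max_payload() {
    fmp_probe=$1; fmp_host=$2; fmp_lo=$3; fmp_hi=$4; fmp_best=0
    while [ "$fmp_lo" -le "$fmp_hi" ]; do
        fmp_mid=$(( (fmp_lo + fmp_hi) / 2 ))
        if "$fmp_probe" "$fmp_mid" "$fmp_host"; then
            fmp_best=$fmp_mid; fmp_lo=$(( fmp_mid + 1 ))   # fits: try larger sizes
        else
            fmp_hi=$(( fmp_mid - 1 ))                      # needs fragmentation: try smaller
        fi
    done
    echo "$fmp_best"
}

# payload_to_mtu PAYLOAD: ICMP payload + 8-byte ICMP header + 20-byte IPv4 header.
payload_to_mtu() { echo $(( $1 + 28 )); }

# esp_overhead BLOCK ICV NATT: worst-case bytes ESP tunnel mode wraps around an inner IPv4 packet.
#   BLOCK = cipher block size (8 for 3DES-CBC, 16 for AES-CBC)
#   ICV   = integrity tag length (12 for HMAC-SHA1-96)
#   NATT  = 1 when UDP encapsulation (NAT-T, port 4500) is in use, else 0
esp_overhead() {
    # outer IPv4 20 + SPI/sequence 8 + IV (one block) + padding up to BLOCK-1 + pad-length/next-header 2 + ICV
    eo_total=$(( 20 + 8 + $1 + ($1 - 1) + 2 + $2 ))
    if [ "$3" -eq 1 ]; then eo_total=$(( eo_total + 8 )); fi   # UDP header added by NAT-T
    echo "$eo_total"
}

# clamp_mss WAN_MTU BLOCK ICV NATT: largest TCP MSS whose encrypted full-size segment still fits WAN_MTU.
clamp_mss() {
    cm_over=$(esp_overhead "$2" "$3" "$4")
    echo $(( $1 - cm_over - 40 ))   # 40 = inner IPv4 header + TCP header without options
}

# mss_rule MSS: mangle-table rule (printed, not applied) that rewrites the MSS option on forwarded SYNs.
mss_rule() {
    echo "iptables -t mangle -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $1"
}

# Stand-alone use: sh mtu_probe.sh --probe <remote-lan-ip>   (hypothetical file name)
if [ "${1:-}" = "--probe" ] && [ -n "${2:-}" ]; then
    pl=$(find_max_payload probe_ping "$2" 0 1472)
    mtu=$(payload_to_mtu "$pl")
    echo "largest unfragmented ICMP payload to $2: $pl bytes, path MTU $mtu"
    echo "clamp for AES-CBC/HMAC-SHA1 without NAT-T: $(mss_rule "$(clamp_mss "$mtu" 16 12 0)")"
fi
```

With a PPPoE WAN MTU of 1492, AES-CBC and HMAC-SHA1 without NAT-T the overhead is 73 bytes and the clamp comes out at 1379; for 3DES it is 57 bytes. These are worst-case (full padding) figures, so the clamp is slightly conservative, which is what you want when the symptom is an RDP session that stalls on large packets.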
-
Accepted Answer
Cos 7 side
conn muftuluk
type=tunnel
authby=secret
auto=start
left=78.189.127.48
leftnexthop=
leftsourceip=192.168.1.1
leftsubnet=192.168.1.0/24
right=195.175.xx.xx
rightsubnet=192.168.15.0/24
rightsourceip=192.168.15.1
Cos 6 side
conn muftuluk
type=tunnel
authby=secret
auto=start
left=195.175.xx.xx
leftsourceip=192.168.15.1
leftsubnet=192.168.15.0/24
right=78.189.127.48
rightsubnet=192.168.1.0/24
rightsourceip=192.168.1.1
Ok, removed leftnexthop line ...
-
Accepted Answer
Cos 7 side
conn muftuluk
type=tunnel
authby=secret
auto=start
left=78.189.127.48
leftnexthop=
leftsourceip=192.168.1.1
leftsubnet=192.168.1.0/24
right=195.175.xx.xx
rightsubnet=192.168.15.0/24
rightsourceip=192.168.15.1
Cos 6 side
conn muftuluk
type=tunnel
authby=secret
auto=start
left=195.175.xx.xx
leftsourceip=192.168.15.1
leftsubnet=192.168.15.0/24
right=78.189.127.48
rightsubnet=192.168.1.0/24
rightsourceip=192.168.1.1
-
Accepted Answer
Oct 18 12:28:49 gateway pluto[11132]: NSS DB directory: sql:/etc/ipsec.d
Oct 18 12:28:49 gateway pluto[11132]: NSS initialized
Oct 18 12:28:49 gateway pluto[11132]: libcap-ng support [enabled]
Oct 18 12:28:49 gateway pluto[11132]: FIPS HMAC integrity verification test passed
Oct 18 12:28:49 gateway pluto[11132]: FIPS: pluto daemon NOT running in FIPS mode
Oct 18 12:28:49 gateway pluto[11132]: Linux audit support [enabled]
Oct 18 12:28:49 gateway pluto[11132]: Linux audit activated
Oct 18 12:28:49 gateway pluto[11132]: Starting Pluto (Libreswan Version 3.15 XFRM(netkey) KLIPS NSS DNSSEC FIPS_CHECK LABELED_IPSEC LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:11132
Oct 18 12:28:49 gateway pluto[11132]: core dump dir: /var/run/pluto/
Oct 18 12:28:49 gateway pluto[11132]: secrets file: /etc/ipsec.secrets
Oct 18 12:28:49 gateway pluto[11132]: leak-detective disabled
Oct 18 12:28:49 gateway pluto[11132]: NSS crypto [enabled]
Oct 18 12:28:49 gateway pluto[11132]: XAUTH PAM support [enabled]
Oct 18 12:28:49 gateway pluto[11132]: NAT-Traversal support [enabled]
Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok
Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok
Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok
Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok
Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_enc(): Activating OAKLEY_AES_CTR: Ok
Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_A: Ok
Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_B: Ok
Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_C: Ok
Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_hash(): Activating DISABLED-OAKLEY_AES_XCBC: Ok
Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CBC: Ok
Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CTR: Ok
Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok
Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok
Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok
Oct 18 12:28:49 gateway pluto[11132]: starting up 3 crypto helpers
Oct 18 12:28:49 gateway pluto[11132]: started thread for crypto helper 0 (master fd 10)
Oct 18 12:28:49 gateway pluto[11132]: started thread for crypto helper 1 (master fd 13)
Oct 18 12:28:49 gateway pluto[11132]: started thread for crypto helper 2 (master fd 15)
Oct 18 12:28:49 gateway pluto[11132]: Using Linux XFRM/NETKEY IPsec interface code on 3.10.0-327.36.1.v7.x86_64
Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_enc(): Activating aes_ccm_8: Ok
Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_enc(): Activating aes_ccm_12: Ok
Oct 18 12:28:49 gateway pluto[11132]: ike_alg_register_enc(): Activating aes_ccm_16: Ok
Oct 18 12:28:49 gateway pluto[11132]: | selinux support is NOT enabled.
Oct 18 12:28:50 gateway pluto[11132]: | certificate not loaded for this end
Oct 18 12:28:50 gateway pluto[11132]: | certificate not loaded for this end
Oct 18 12:28:50 gateway pluto[11132]: added connection description "muftuluk"
Oct 18 12:28:50 gateway pluto[11132]: | certificate not loaded for this end
Oct 18 12:28:50 gateway pluto[11132]: | certificate not loaded for this end
Oct 18 12:28:50 gateway pluto[11132]: added connection description "v6neighbor-hole-in"
Oct 18 12:28:50 gateway pluto[11132]: | certificate not loaded for this end
Oct 18 12:28:50 gateway pluto[11132]: | certificate not loaded for this end
Oct 18 12:28:50 gateway pluto[11132]: added connection description "v6neighbor-hole-out"
Oct 18 12:28:50 gateway pluto[11132]: listening for IKE messages
Oct 18 12:28:50 gateway pluto[11132]: adding interface ppp0/ppp0 78.189.127.48:500
Oct 18 12:28:50 gateway pluto[11132]: adding interface ppp0/ppp0 78.189.127.48:4500
Oct 18 12:28:50 gateway pluto[11132]: adding interface enp4s0/enp4s0 172.16.0.1:500
Oct 18 12:28:50 gateway pluto[11132]: adding interface enp4s0/enp4s0 172.16.0.1:4500
Oct 18 12:28:50 gateway pluto[11132]: adding interface enp3s0/enp3s0 192.168.1.1:500
Oct 18 12:28:50 gateway pluto[11132]: adding interface enp3s0/enp3s0 192.168.1.1:4500
Oct 18 12:28:50 gateway pluto[11132]: adding interface lo/lo 127.0.0.1:500
Oct 18 12:28:50 gateway pluto[11132]: adding interface lo/lo 127.0.0.1:4500
Oct 18 12:28:50 gateway pluto[11132]: adding interface lo/lo ::1:500
Oct 18 12:28:50 gateway pluto[11132]: | setup callback for interface lo:500 fd 30
Oct 18 12:28:50 gateway pluto[11132]: | setup callback for interface lo:4500 fd 29
Oct 18 12:28:50 gateway pluto[11132]: | setup callback for interface lo:500 fd 28
Oct 18 12:28:50 gateway pluto[11132]: | setup callback for interface enp3s0:4500 fd 27
Oct 18 12:28:50 gateway pluto[11132]: | setup callback for interface enp3s0:500 fd 26
Oct 18 12:28:50 gateway pluto[11132]: | setup callback for interface enp4s0:4500 fd 25
Oct 18 12:28:50 gateway pluto[11132]: | setup callback for interface enp4s0:500 fd 24
Oct 18 12:28:50 gateway pluto[11132]: | setup callback for interface ppp0:4500 fd 23
Oct 18 12:28:50 gateway pluto[11132]: | setup callback for interface ppp0:500 fd 22
Oct 18 12:28:50 gateway pluto[11132]: loading secrets from "/etc/ipsec.secrets"
Oct 18 12:28:50 gateway pluto[11132]: loading secrets from "/etc/ipsec.d/ipsec.unmanaged.muftuluk.secrets"
Oct 18 12:28:50 gateway pluto[11132]: "muftuluk" #1: initiating Main Mode
Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #1: ignoring Vendor ID payload [Openswan(project)]
Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #1: received Vendor ID payload [Dead Peer Detection]
Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #1: received Vendor ID payload [RFC 3947]
Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #1: received Vendor ID payload [CAN-IKEv2]
Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #1: Main mode peer ID is ID_IPV4_ADDR: '195.175.110.54'
Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:a0f763b6 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x631a07c5 <0x31d20f14 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}
-
Accepted Answer
Cos 7 side Lan : 192.168.1.1
Cos 6 side Lan : 192.168.15.1
For Cos 6
[root@guvenlik ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 47792 packets, 3430K bytes)
pkts bytes target prot opt in out source destination
215 12900 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:90 to:192.168.15.73:90
0 0 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:1010 to:192.168.15.110:1010
0 0 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:1020 to:192.168.15.120:1020
0 0 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:1030 to:192.168.15.130:1030
0 0 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:1040 to:192.168.15.140:1040
7 448 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:1050 to:192.168.15.150:1050
13 520 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:8000 to:192.168.1.212:8000
2 92 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:4444 to:192.168.15.73:3389
112 6420 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:5555 to:192.168.15.104:3389
2 120 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:2222 to:192.168.1.210:2222
188 9776 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:7617 to:192.168.15.75:1433
56 2688 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:32049 to:192.168.15.73:32049
0 0 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:6666 to:192.168.1.104:3389
0 0 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:1070 to:192.168.1.81:1070
1 40 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:1080 to:192.168.1.82:1080
0 0 DNAT udp -- * * 0.0.0.0/0 195.175.xx.xx udp dpt:1080 to:192.168.1.82:1080
0 0 DNAT udp -- * * 0.0.0.0/0 195.175.xx.xx udp dpt:1070 to:192.168.1.81:1070
2 80 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:5060 to:192.168.1.210:5060
32 14081 DNAT udp -- * * 0.0.0.0/0 195.175.xx.xx udp dpt:5060 to:192.168.1.210:5060
0 0 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpts:50000:50512 to:192.168.1.210
0 0 DNAT udp -- * * 0.0.0.0/0 195.175.xx.xx udp dpts:50000:50512 to:192.168.1.210
0 0 DNAT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpts:9874:9877 to:192.168.1.210
0 0 DNAT udp -- * * 0.0.0.0/0 195.175.xx.xx udp dpts:9874:9877 to:192.168.1.210
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.15.1 tcp dpt:80
122 6964 ACCEPT tcp -- * * 0.0.0.0/0 195.175.xx.xx tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 217.68.217.20 tcp dpt:80
0 0 ACCEPT tcp -- * * 217.68.217.20 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 217.169.195.90 tcp dpt:80
0 0 ACCEPT tcp -- * * 217.169.195.90 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 84.17.81.167 tcp dpt:80
0 0 ACCEPT tcp -- * * 84.17.81.167 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 137.254.120.24 tcp dpt:80
0 0 ACCEPT tcp -- * * 137.254.120.24 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 85.158.96.209 tcp dpt:80
0 0 ACCEPT tcp -- * * 85.158.96.209 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 85.158.96.209 tcp dpt:80
0 0 ACCEPT tcp -- * * 85.158.96.209 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 85.158.96.204 tcp dpt:80
0 0 ACCEPT tcp -- * * 85.158.96.204 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 91.208.199.70 tcp dpt:80
0 0 ACCEPT tcp -- * * 91.208.199.70 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 85.159.67.244 tcp dpt:80
0 0 ACCEPT tcp -- * * 85.159.67.244 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 204.13.248.116 tcp dpt:80
0 0 ACCEPT tcp -- * * 204.13.248.116 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 216.146.38.70 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 91.198.22.70 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 216.146.43.70 tcp dpt:80
0 0 ACCEPT tcp -- * * 216.146.43.70 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 216.146.38.70 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 91.198.22.70 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 109.232.221.183 tcp dpt:80
0 0 ACCEPT tcp -- * * 109.232.221.183 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 213.148.65.223 tcp dpt:80
0 0 ACCEPT tcp -- * * 213.148.65.223 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 212.175.130.30 tcp dpt:80
0 0 ACCEPT tcp -- * * 212.175.130.30 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 193.254.228.224 tcp dpt:80
0 0 ACCEPT tcp -- * * 193.254.228.224 0.0.0.0/0 tcp dpt:80
3533 203K REDIRECT tcp -- eth2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
Chain POSTROUTING (policy ACCEPT 8552 packets, 624K bytes)
pkts bytes target prot opt in out source destination
19707 1344K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec
0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.15.73 tcp dpt:90 to:192.168.15.1
0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.15.110 tcp dpt:1010 to:192.168.15.1
0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.15.120 tcp dpt:1020 to:192.168.15.1
0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.15.130 tcp dpt:1030 to:192.168.15.1
0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.15.140 tcp dpt:1040 to:192.168.15.1
0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.15.150 tcp dpt:1050 to:192.168.15.1
0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.1.212 tcp dpt:8000 to:192.168.15.1
0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.15.73 tcp dpt:3389 to:192.168.15.1
0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.15.104 tcp dpt:3389 to:192.168.15.1
0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.1.210 tcp dpt:2222 to:192.168.15.1
0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.15.75 tcp dpt:1433 to:192.168.15.1
0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.15.73 tcp dpt:32049 to:192.168.15.1
0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.1.104 tcp dpt:3389 to:192.168.15.1
0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.1.81 tcp dpt:1070 to:192.168.15.1
0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.1.82 tcp dpt:1080 to:192.168.15.1
0 0 SNAT udp -- * * 192.168.15.0/24 192.168.1.82 udp dpt:1080 to:192.168.15.1
0 0 SNAT udp -- * * 192.168.15.0/24 192.168.1.81 udp dpt:1070 to:192.168.15.1
0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.1.210 tcp dpt:5060 to:192.168.15.1
0 0 SNAT udp -- * * 192.168.15.0/24 192.168.1.210 udp dpt:5060 to:192.168.15.1
0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.1.210 tcp dpts:50000:50512 to:192.168.15.1
0 0 SNAT udp -- * * 192.168.15.0/24 192.168.1.210 udp dpts:50000:50512 to:192.168.15.1
0 0 SNAT tcp -- * * 192.168.15.0/24 192.168.1.210 tcp dpts:9874:9877 to:192.168.15.1
0 0 SNAT udp -- * * 192.168.15.0/24 192.168.1.210 udp dpts:9874:9877 to:192.168.15.1
20266 1521K MASQUERADE all -- * eth1 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 18418 packets, 1448K bytes)
pkts bytes target prot opt in out source destination
[root@guvenlik ~]#
For Cos 7
[root@gateway ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 345K packets, 50M bytes)
pkts bytes target prot opt in out source destination
82 4280 DNAT tcp -- * * 0.0.0.0/0 78.189.127.48 tcp dpt:80 to:192.168.1.215:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.1 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 78.189.127.48 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 85.111.23.206 tcp dpt:80
0 0 ACCEPT tcp -- * * 85.111.23.206 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 194.29.215.18 tcp dpt:80
0 0 ACCEPT tcp -- * * 194.29.215.18 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 194.29.215.11 tcp dpt:80
0 0 ACCEPT tcp -- * * 194.29.215.11 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 194.29.215.50 tcp dpt:80
0 0 ACCEPT tcp -- * * 194.29.215.50 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 194.29.215.19 tcp dpt:80
0 0 ACCEPT tcp -- * * 194.29.215.19 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 194.29.215.16 tcp dpt:80
0 0 ACCEPT tcp -- * * 194.29.215.16 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 194.29.215.13 tcp dpt:80
0 0 ACCEPT tcp -- * * 194.29.215.13 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 194.29.215.12 tcp dpt:80
0 0 ACCEPT tcp -- * * 194.29.215.12 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 85.111.20.123 tcp dpt:80
0 0 ACCEPT tcp -- * * 85.111.20.123 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 217.68.217.29 tcp dpt:80
0 0 ACCEPT tcp -- * * 217.68.217.29 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 212.174.175.207 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 212.174.168.207 tcp dpt:80
0 0 ACCEPT tcp -- * * 212.174.175.207 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 212.174.168.207 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 92.45.116.96 tcp dpt:80
0 0 ACCEPT tcp -- * * 92.45.116.96 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 194.29.215.15 tcp dpt:80
0 0 ACCEPT tcp -- * * 194.29.215.15 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 194.29.215.51 tcp dpt:80
0 0 ACCEPT tcp -- * * 194.29.215.51 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 31.13.92.36 tcp dpt:80
0 0 ACCEPT tcp -- * * 31.13.92.36 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 217.68.217.20 tcp dpt:80
0 0 ACCEPT tcp -- * * 217.68.217.20 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 217.68.217.12 tcp dpt:80
0 0 ACCEPT tcp -- * * 217.68.217.12 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.15.104 tcp dpt:80
0 0 ACCEPT tcp -- * * 192.168.15.104 0.0.0.0/0 tcp dpt:80
12785 966K REDIRECT tcp -- enp3s0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
Chain INPUT (policy ACCEPT 128K packets, 8873K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 220K packets, 14M bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 114K packets, 7281K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
739 37446 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec
0 0 SNAT tcp -- * * 192.168.1.0/24 192.168.1.215 tcp dpt:80 to:192.168.1.1
0 0 SNAT tcp -- * * 172.16.0.0/16 192.168.1.215 tcp dpt:80 to:172.16.0.1
231K 17M MASQUERADE all -- * ppp0 0.0.0.0/0 0.0.0.0/0
[root@gateway ~]#
http://akmansoy.poweredbyclear.com/Cos7-side-ipsec.txt
-
Accepted Answer
Can you confirm that the ClearOS LAN IP's are 192.168.1.1 and 192.168.15.1?
What is the output of "iptables -nvL -t nat"? Please put the answer between code tags (the piece of paper icon with a <> at the top of the reply box).
Can you also post a connection snippet from /var/log/ipsec where it is negotiating the connection (and not the stuff before that as ipsec is loading)
Until pings are working nothing else will.
-
Accepted Answer
The config file has nothing to do with the results of "ipsec verify".
Presumably ClearOS is in Gateway mode? If not then this config won't work. If it is in gateway mode then IP forwarding should be enabled anyway. I also don't understand why it says no IPsec support in the kernel. I'll have to check my system when I'm home. Can you make sure IPsec is running when you run the "ipsec verify" command. Can you tell me if 6.x is running openswan or libreswan ("rpm -qa | grep swan")? I suspect openswan.
-
Accepted Answer
Keeping it simple:
conn muftuluk
type=tunnel
authby=secret
auto=start
left=78.189.xx.xx
leftsourceip=192.168.1.1
leftsubnet=192.168.1.0/24
right=195.175.xx.xx
rightsubnet=192.168.15.0/24
pfs=yes
and
conn muftuluksube
type=tunnel
authby=secret
auto=start
pfs=yes
left=195.175.xx.xx
leftsourceip=192.168.15.1
leftsubnet=192.168.15.0/24
right=78.189.xx.xx
rightsubnet=192.168.1.0/24
Optionally add:
ike=3des-sha1;modp1024
or
ike=aes128-sha1;modp1024
(it may be ike=aes-sha1;modp1024, but I can't remember)
-
Accepted Answer
I think your nexthops are wrong. They are normally not needed as Openswan/Libreswan normally works them out automatically. If you use them they should be the next external hop beyond the IPsec WAN, so 195.175.xx.xx's and 78.189.xx.xx's gateways.
How have you allowed IPsec through the firewall? If you've just enabled incoming udp:500, it will fail. Better is to allow the Standard Service IPsec.
It is probably better to look at /var/log/IPsec to see if your connection is stable or continually rekeying.
Can you change your phase2alg to either nothing or 3des-sha1 (no modp1024), as I don't think *swan plays well if you specify any modp? If you leave it out, it will assume 3des-sha1 from ike anyway. If you leave out both ike and phase2alg, *swan should negotiate something sensible anyway. Also, FWIW, aes128 uses much less processing power than 3des for a similar level of security.
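The reply above suggests reading the IPsec log to tell a stable tunnel from one that keeps rekeying, and the pluto excerpt posted earlier in the thread shows what the "IPsec SA established" lines look like. The script below is an added example for this thread, not code from the posts, ClearOS or Libreswan: it counts, per connection, how many times a phase 2 (IPsec) SA was established in whatever log window you feed it, and lists the connections that exceed a threshold. The sample lines are constructed in the shape of the quoted pluto output; the SPIs and the "branch2" connection are made up.

```shell
#!/bin/sh
# Added example: per-connection count of IPsec SA establishments in a pluto log.
# Not from the thread, ClearOS or Libreswan. Sample log lines are constructed.
SAMPLE_LOG='Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
Oct 18 12:28:51 gateway pluto[11132]: "muftuluk" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x11111111 <0x22222222 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}
Oct 18 12:29:40 gateway pluto[11132]: "muftuluk" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x11111112 <0x22222223 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}
Oct 18 12:30:12 gateway pluto[11132]: "muftuluk" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x11111113 <0x22222224 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}
Oct 18 12:31:05 gateway pluto[11132]: "branch2" #5: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x11111114 <0x22222225 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}'

# count_child_sas: reads pluto log lines on stdin and prints "<conn> <count>" of IPsec SA
# establishments, one connection per line, sorted by name. ISAKMP (phase 1) lines are not counted,
# so a phase 1 that stays up while phase 2 churns is still visible as churn.
count_child_sas() {
    awk '/IPsec SA established/ {
             if (match($0, /"[^"]+"/)) { conn = substr($0, RSTART + 1, RLENGTH - 2); n[conn]++ }
         }
         END { for (c in n) print c, n[c] }' | sort
}

# flag_rekey_storms THRESHOLD: names of connections (log on stdin) established >= THRESHOLD times.
# Choose THRESHOLD from the window you feed in: a healthy tunnel rekeys roughly once per SA lifetime,
# so several establishments within a few minutes mean the tunnel is bouncing.
flag_rekey_storms() {
    count_child_sas | awk -v t="$1" '$2 >= t { print $1 }'
}

# Stand-alone run against the constructed sample; on a gateway: flag_rekey_storms 3 < /var/log/ipsec
printf '%s\n' "$SAMPLE_LOG" | count_child_sas
echo "connections that re-established their IPsec SA 3 or more times:"
printf '%s\n' "$SAMPLE_LOG" | flag_rekey_storms 3
```

On the sample, "muftuluk" comes up three times within three minutes and is flagged while "branch2" is not. Run it over the time window in which the RDP session goes black; if the connection shows up here, the tunnel is bouncing and the rekey (or DPD) behaviour, not RDP, is the thing to fix.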