[strongSwan] Migration from Openswan to Strongswan
Pavel Arnošt
pavel.arnost at valvera.cz
Tue May 10 13:19:55 CEST 2011
Hi, thanks. I managed to get a similar system with the same software versions
but a simpler setup where I can test it at will. At the beginning, I have
Openswan:
/etc/ipsec.conf:
version 2.0
config setup
        plutodebug="parsing"
conn %default
        authby=secret
conn CONN
        type=tunnel
        left=A.A.A.A
        leftsubnet=172.24.26.64/26
        right=B.B.B.B
        rightsubnet=172.27.96.15/32
        auto=start
        auth=esp
        keylife=3600s
        ikelifetime=1440m
        compress=no
        ike=aes256-sha1,aes128-md5
        esp=aes256-sha1,aes128-md5
        pfs=yes
# ping -I 172.24.26.65 172.27.96.15
PING 172.27.96.15 (172.27.96.15) from 172.24.26.65 : 56(84) bytes of data.
64 bytes from 172.27.96.15: icmp_seq=1 ttl=123 time=6.32 ms
64 bytes from 172.27.96.15: icmp_seq=2 ttl=123 time=5.69 ms
64 bytes from 172.27.96.15: icmp_seq=3 ttl=123 time=5.58 ms
Then I uninstall Openswan and install Strongswan:
/etc/ipsec.conf:
version 2.0
config setup
        plutodebug="parsing"
        charonstart=no
conn %default
        keyexchange=ikev1
        authby=secret
        leftfirewall=yes
        lefthostaccess=yes
conn CONN
        type=tunnel
        left=A.A.A.A
        leftsubnet=172.24.26.64/26
        right=B.B.B.B
        rightsubnet=172.27.96.15/32
        auto=start
        auth=esp
        keylife=3600s
        ikelifetime=1440m
        compress=no
        ike=aes256-sha1,aes128-md5
        esp=aes256-sha1,aes128-md5
        pfs=yes
# ping -I 172.24.26.65 172.27.96.15
PING 172.27.96.15 (172.27.96.15) from 172.24.26.65 : 56(84) bytes of data.
ping: sendmsg: No such process
ping: sendmsg: No such process
ping: sendmsg: No such process
SAs are established:
000 #2: "CONN" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2719s; newest IPSEC; eroute owner
000 #2: "CONN" esp.bfbfcee8 at 194.228.96.46 (0 bytes) esp.c7b835a6 at 213.180.34.38 (0 bytes); tunnel
000 #1: "CONN" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 85277s; newest ISAKMP
Policies are in place:
src 172.27.96.15/32 dst 172.24.26.64/26
        dir in priority 1819
        tmpl src B.B.B.B dst A.A.A.A
                proto esp reqid 16384 mode tunnel
src 172.24.26.64/26 dst 172.27.96.15/32
        dir out priority 1819
        tmpl src A.A.A.A dst B.B.B.B
                proto esp reqid 16386 mode tunnel
src 172.27.96.15/32 dst 172.24.26.64/26
        dir fwd priority 1819
        tmpl src B.B.B.B dst A.A.A.A
                proto esp reqid 16385 mode tunnel
Firewall policies also in place:
Chain INPUT (policy DROP 63626 packets, 5624K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth1   *       172.27.96.15         172.24.26.64/26      policy match dir in pol ipsec reqid 16384 proto 50

Chain FORWARD (policy DROP 106K packets, 4269K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth1   *       172.27.96.15         172.24.26.64/26      policy match dir in pol ipsec reqid 16384 proto 50

Chain OUTPUT (policy ACCEPT 21M packets, 21G bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      eth1    172.24.26.64/26      172.27.96.15         policy match dir out pol ipsec reqid 16384 proto 50
All zeroes; I would expect something in the OUTPUT chain (from ping -I
172.24.26.65 172.27.96.15).
eth1 is the external interface and eth0 is the internal interface with IP
172.24.26.65 assigned:
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:18:fe:32:56:08 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
    inet 172.24.26.65/26 brd 172.24.26.127 scope global eth0:0
What am I missing?
Thanks,
Regards,
Pavel Arnost
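Editor's added example (not part of Pavel's message and not strongSwan code): a small script that cross-checks the reqid of every xfrm policy template against the reqids of the installed xfrm states. The kernel only lets a state satisfy a template when proto, mode, addresses and reqid all match, so a policy whose template no state satisfies still selects the packet and then fails, which is what "sendmsg: No such process" reports on a kernel of that era. The policy dump is the one shown above; the "ip xfrm state" dump is constructed (SPIs taken from the status output above, direction and the single reqid 16384 assumed, key material omitted), and check_live is a hypothetical helper name.

```sh
#!/bin/sh
# Added example: find xfrm policies whose template reqid has no xfrm state.

# Constructed sample: the three policies from the thread, as "ip xfrm policy"
# prints them (A.A.A.A / B.B.B.B are the thread's placeholder gateway addresses).
SAMPLE_POLICY='src 172.27.96.15/32 dst 172.24.26.64/26
	dir in priority 1819
	tmpl src B.B.B.B dst A.A.A.A
		proto esp reqid 16384 mode tunnel
src 172.24.26.64/26 dst 172.27.96.15/32
	dir out priority 1819
	tmpl src A.A.A.A dst B.B.B.B
		proto esp reqid 16386 mode tunnel
src 172.27.96.15/32 dst 172.24.26.64/26
	dir fwd priority 1819
	tmpl src B.B.B.B dst A.A.A.A
		proto esp reqid 16385 mode tunnel'

# Constructed sample "ip xfrm state" output: both SAs carry reqid 16384,
# a hypothetical mismatch against the out/fwd policies (keys omitted).
SAMPLE_STATE='src A.A.A.A dst B.B.B.B
	proto esp spi 0xbfbfcee8 reqid 16384 mode tunnel
	replay-window 32
src B.B.B.B dst A.A.A.A
	proto esp spi 0xc7b835a6 reqid 16384 mode tunnel
	replay-window 32'

# Collect the distinct reqids present in an "ip xfrm state" dump, space separated.
state_reqids() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++) if ($i == "reqid") print $(i + 1) }' | sort -un | tr '\n' ' '
}

# Print "<dir> reqid <n>" for each policy template whose reqid has no state.
# $1 = "ip xfrm policy" text, $2 = "ip xfrm state" text. No output means
# every template can be satisfied by some installed SA.
find_orphan_policies() {
    printf '%s\n' "$1" | awk -v known="$(state_reqids "$2")" '
        BEGIN { n = split(known, ids); for (i = 1; i <= n; i++) have[ids[i]] = 1 }
        $1 == "dir" { dir = $2 }
        { for (i = 1; i < NF; i++)
              if ($i == "reqid" && !($(i + 1) in have)) print dir " reqid " $(i + 1) }'
}

# Hypothetical helper for the live kernel (needs root): feed the real dumps.
check_live() {
    find_orphan_policies "$(ip xfrm policy)" "$(ip xfrm state)"
}

# Stand-alone run on the constructed samples; prints the out and fwd policies.
find_orphan_policies "$SAMPLE_POLICY" "$SAMPLE_STATE"
```

On the constructed input this reports the out (16386) and fwd (16385) policies as unsatisfiable; an empty result from check_live on a real box means the "No such process" error has a cause other than a missing or mismatched SA, and the iptables policy-match counters are the next thing to read.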
--------------------------------------------------
From: "Andreas Steffen" <andreas.steffen at strongswan.org>
Sent: Tuesday, May 10, 2011 12:12 PM
To: "Pavel Arnošt" <pavel.arnost at valvera.cz>
Cc: <users at lists.strongswan.org>
Subject: Re: [strongSwan] Migration from Openswan to Strongswan
> Hello Pavel,
>
> if you have iptables in place and you ping the internal interface
> of the VPN gateway then you need an INPUT/OUTPUT iptables rule
> to access that interface. Thus you'll need
>
> leftfirewall=yes
> lefthostaccess=yes
>
> If you have a MASQUERADING rule in place which NATs all traffic
> from the internal network to the outer IP address of the gateway
> then you must exempt traffic to be tunneled from this rule by adding
>
> iptables -t nat -I POSTROUTING 1 -s 10.10.0.0/16 -o eth0 \
> -m policy --dir out --pol ipsec --proto esp -j ACCEPT
>
> Regards
>
> Andreas
>
> On 05/10/2011 11:51 AM, Pavel Arnošt wrote:
>> Hi,
>> I tried to migrate our Openswan VPN (2.6.21) to Strongswan VPN (4.5.1)
>> on our CentOS 5 server. The Openswan package is from the official CentOS
>> repository (openswan-2.6.21-5.el5_6.4); the Strongswan package has been
>> built from this spec file:
>> http://developer.intra2net.com/git/?p=strongswan-rpm;a=blob_plain;f=strongswan.spec;hb=e2bb0076fce6d44ee80cff4b20d90a0eee1fa689
>> I slightly modified the configuration for IKEv1 keying; ipsec.conf looks
>> like:
>> config setup
>>         charonstart=no
>>         plutodebug="control"
>> conn %default
>>         keyexchange=ikev1
>>         authby=secret
>> conn CONN
>>         type=tunnel
>>         left=A.A.A.A
>>         leftsubnet=192.168.52.0/24
>>         right=B.B.B.B
>>         rightsubnet=10.10.0.0/16
>>         auto=start
>>         auth=esp
>>         ikelifetime=28800s
>>         keylife=3600s
>>         compress=no
>>         ike=3des-sha1-modp1024
>>         esp=3des-sha1
>>         pfs=yes
>>         dpddelay=30
>>         dpdtimeout=120
>>         dpdaction=restart
>> Both ISAKMP and IPsec SA were successfully established; the ip xfrm policy
>> output was the same as the output from Openswan. But...
>> In tcpdump, I saw incoming ESP traffic from B.B.B.B, but no ESP traffic
>> from our address A.A.A.A. Ping to 10.10.255.1 returned no response, so I
>> think that policies were in place (with the VPN turned off, ping returned
>> "host unreachable" from the far-away gateway). I added an "iptables -I FORWARD
>> -j ACCEPT" rule to iptables to rule out a problem with the firewall.
>> Do you have any idea what can be wrong?
>> Thanks,
>> Regards,
>> Pavel Arnost
>
>
> --
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
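Editor's added example (not from the thread and not strongSwan code) for the MASQUERADE point in Andreas's reply: the `-m policy --dir out --pol ipsec` exemption only works if it sits above the MASQUERADE/SNAT rule for the same traffic, since the first matching nat rule wins and a packet rewritten to the gateway's outer address no longer matches the tunnel selectors. The script below checks that ordering in iptables-save text; both rulesets are constructed (subnet from the thread, interface eth1 and rule order assumed).

```sh
#!/bin/sh
# Added example: verify that nat POSTROUTING exempts IPsec-bound traffic
# before masquerading it, from "iptables-save -t nat" style text.

# Constructed sample: masquerades everything leaving eth1, including packets
# the kernel is about to encapsulate into the tunnel.
RULES_BROKEN='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.52.0/24 -o eth1 -j MASQUERADE
COMMIT'

# Constructed sample with the exemption inserted at position 1, which is what
# "iptables -t nat -I POSTROUTING 1 ... -m policy --dir out --pol ipsec" does.
RULES_FIXED='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.52.0/24 -o eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A POSTROUTING -s 192.168.52.0/24 -o eth1 -j MASQUERADE
COMMIT'

# Exit 0 when every MASQUERADE/SNAT rule in POSTROUTING is preceded by an
# outbound ipsec policy-match ACCEPT, exit 1 otherwise. $1 = iptables-save text.
nat_exempt_ok() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "POSTROUTING" {
            if ($0 ~ /-m policy/ && $0 ~ /--dir out/ && $0 ~ /--pol ipsec/ && $0 ~ /-j ACCEPT/)
                exempt = 1
            else if ($0 ~ /-j (MASQUERADE|SNAT)/ && !exempt)
                bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Live check (needs root):
#   nat_exempt_ok "$(iptables-save -t nat)" || echo "tunnel traffic would be NATed"

# Stand-alone run on the constructed samples.
for name in RULES_BROKEN RULES_FIXED; do
    eval "rules=\$$name"
    if nat_exempt_ok "$rules"; then
        echo "$name: ok"
    else
        echo "$name: IPsec traffic would be masqueraded before encapsulation"
    fi
done
```

The check is deliberately coarse: it does not compare source subnets or interfaces between the two rules, so a ruleset with several MASQUERADE rules on different interfaces still needs a per-interface reading.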