<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Greg,<br>
<br>
What interface is tcpdump monitoring? What other arguments are you
using when you run tcpdump?<br>
<br>
Also...routing tables from both sides would be useful...<br>
<br>
-Phillip<br>
<br>
Greg Scott wrote:
<blockquote
cite="mid925A849792280C4E80C5461017A4B8A206F836@mail733.InfraSupportEtc.com"
type="cite">
<pre wrap="">I must be missing something basic here. I am trying to a simple tunnel
with 2 subnets. Here is the scenario below. Apologies if an emailer
somewhere along the line butchers the line wrapping.
Roseville
Lakeville
Left
Right
Left Firewall <-Internet--> Right Firewall
10.13.1.0/24 eth1 eth0 eth0 eth1
10.15.1.0/24
10.13.1.1 71.216.115.33 209.130.212.154 10.15.1.75
The left firewall and right firewall are running fc5 with the netkey
stack and kernel 2.6.17.2 from kernel.org.
When I watch /var/log/secure on both systems, I see a series of
messages, ending with messages like this:
Jul 22 18:17:02 lakeville-fw pluto[5492]: "Roseville-Lakeville" #5:
transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 22 18:17:02 lakeville-fw pluto[5492]: "Roseville-Lakeville" #5:
STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xad5f74c3}
This tells me the SA is established between the subnets, so
communication between the two subnets should go over the tunnel. But
that's not what happens. When a host in either subnet tries to ping the
other side, tcpdump on the sending firewall tells me the packets route
in the clear out across the Internet. I should see esp messages going
to/from the other subnet. But instead, I see icmp echo request messages
coming from the sending subnet. Yuck!
I must be missing a simple setup step but I don't see it.
Here is ipsec.conf I am using, along with the included files and my conn
definition. I like the way fc5 packages these config files, except that
it isn't working for me:
[root@lakeville-fw gregs]#
[root@lakeville-fw gregs]# cd /etc
[root@lakeville-fw etc]# more ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for
lots.
# klipsdebug=none
# plutodebug="control parsing"
nat_traversal=yes
include /etc/ipsec.d/*.conf
[root@lakeville-fw etc]#
[root@lakeville-fw etc]#
[root@lakeville-fw etc]#
[root@lakeville-fw etc]# ls /etc/ipsec.d
examples hostkey.secrets no_oe.conf policies
Roseville-Lakeville.conf
[root@lakeville-fw etc]#
[root@lakeville-fw etc]#
[root@lakeville-fw etc]# more ipsec.d/no_oe.conf
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
[root@lakeville-fw etc]#
[root@lakeville-fw etc]#
[root@lakeville-fw etc]# more ipsec.d/Roseville-Lakeville.conf
# /etc/ipsec.d/Lakeville-Roseville.conf - IPsec configuration file for
this conn
ection.
# The HOME office in Lakeville is always on the right. ("Make yerself
RIGHT at
home!",
# while the other branch stores have LEFT home.)
#
# Openswan bundled with fc5 - see thee include directive from
/etc/ipsec.conf.
#
# Here are some useful commands:
#
# /usr/sbin/ipsec showhostkey --file /etc/ipsec.d/hostkey.secrets
--right
# /usr/sbin/ipsec showhostkey --file /etc/ipsec.d/hostkey.secrets
--left
#
# /usr/sbin/ipsec showhostkey --file /etc/ipsec.d/hostkey.secrets
--right
</pre>
<blockquote type="cite">
<pre wrap="">rightkey.txt
</pre>
</blockquote>
<pre wrap=""><!----># Show this host's public key in a format suitable to insert into
# ipsec.conf. This host can be either the left or right key.
#
# /usr/sbin/ipsec auto --down london-farout
# Brings down the tunnel named london-farout
#
# /usr/sbin/ipsec auto --up london-farout
# Brings up the tunnel named london-farount
#
# /usr/local/sbin/ipsec look
# To observe all kinds of stuff about the IPSEC tunnels
#
# /usr/local/sbin/ipsec showhostkey > junk.tmp
# Generates a DNS key record into the file junk.tmp for later
# insertion into a DNS zone file
#
# These were some equivalent commands under prior versions of Open
S/WAN
# /usr/sbin/ipsec showhostkey --left
# /usr/sbin/ipsec showhostkey --right
# /usr/sbin/ipsec showhostkey --left > junk.tmp
#
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
conn Roseville-Lakeville
left=71.216.115.33
leftsubnet=10.15.1.0/24
leftnexthop=71.216.115.38
<a class="moz-txt-link-abbreviated" href="mailto:leftid=@roseville.local">leftid=@roseville.local</a>
# RSA 2192 bits roseville-fw Thu Jul 20 18:47:26 2006
leftrsasigkey=0sAQPHZAiDY....
#
# Right security gateway, subnet behind it, next hop toward
left.
right=209.130.212.154
rightsubnet=10.13.1.0/24
rightnexthop=209.130.212.153
<a class="moz-txt-link-abbreviated" href="mailto:rightid=@lakeville.local">rightid=@lakeville.local</a>
# RSA 2192 bits lakeville-fw Wed Jul 19 21:09:32 2006
rightrsasigkey=0sAQNb9diw....
#
auto=start
[root@lakeville-fw etc]#
This is what ipsec verify tells me:
[root@lakeville-fw etc]# /usr/sbin/ipsec verify
Checking your system to see if IPsec got installed and started
correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.4/K2.6.17.2fw21 (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [FAILED]
hostname: Unknown host
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]
Opportunistic Encryption Support
[DISABLED]
[root@lakeville-fw etc]#
It says the RSA private key failed - but it isn't really a failure
because of the way fc5 packages ipsec.secrets, like this:
[root@lakeville-fw etc]#
[root@lakeville-fw etc]# more /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
[root@lakeville-fw etc]#
And I know the RSA keys are good because I establish an SA. I must be
missing a simple setup someplace - but what??
Thanks for any advice.
- Greg Scott
_______________________________________________
<a class="moz-txt-link-abbreviated" href="mailto:Users@openswan.org">Users@openswan.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</a>
Building and Integrating Virtual Private Networks with Openswan:
<a class="moz-txt-link-freetext" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n(3155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n(3155</a>
</pre>
</blockquote>
</body>
</html>