Hi Hiren,<br><br>Thanks for your answer.<br><br>I tried the configuration you suggested but I cannot get the tunnels to establish if the hub does not actually own the subnet being configured in ipsec.conf.<br><br>Is this kind of setup supported in Openswan? If others have this working then maybe my issue lies elsewhere?<br>
<br>Thanks / Mattias<br>
<br><br><div class="gmail_quote">On Wed, Feb 11, 2009 at 2:59 AM, hiren joshi <span dir="ltr"><<a href="mailto:joshihirenn@gmail.com" target="_blank">joshihirenn@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Are you sure leftsubnet/rightsubnet configuration is right?<br>
I think it should be something like:<br>
<br>
<pre>
           y'
           |
x' -- X -- Y -- Z -- z'

X (spoke-1):
  leftsubnet   x'
  rightsubnet  z'
  left         X
  right        Y

Z (spoke-2):
  leftsubnet   z'
  rightsubnet  x'
  left         Z
  right        Y

Y: C-1                     Y: C-2
  leftsubnet   x'            leftsubnet   z'
  rightsubnet  z'            rightsubnet  x'
  left         Y             left         Y
  right        Z             right        X
</pre>
<br>
Regards,<br>
hiren<br>
<div><div></div><div><br>
On Tue, Feb 10, 2009 at 10:09 PM, Mattias Mattsson <<a href="mailto:mm4748190@gmail.com" target="_blank">mm4748190@gmail.com</a>> wrote:<br>
> Hi All,<br>
><br>
> I'm having a problem when trying to upgrade from FreeS/WAN 1.99 to Openswan<br>
> 2.6.18 (klips).<br>
><br>
> The setup is a hub and spoke VPN where two spoke sites (B and C) are<br>
> connecting into the hub site (A). The protected subnets are all different<br>
> (i.e. this is not an 'extruded subnet' setup) and eroutes are used to route<br>
> from B to C and vice versa.<br>
><br>
> On each of the spokes, an additional eroute is added with the local subnet<br>
> as the source and the other spokes subnet as the destination and the hub as<br>
> the gateway.<br>
><br>
> On the hub, two eroutes are added, each having one spoke as the source and<br>
> the other spoke as the destination.<br>
><br>
> This works fine when using Freeswan, but when using Openswan for the hub,<br>
> the Hub does not even accept the incoming traffic from the spoke, i.e. if I<br>
> do a tcpdump on ipsec0 I do not see the incoming traffic.<br>
><br>
> I'm including the configuration for the two setups, as well as some ping and<br>
> tcpdump output, note that they have different IP addresses (I set up two<br>
> setups to be able to run the tests at the same time). For both setups, the<br>
> WAN addresses are on the 192.168.1.x network and the LAN addresses are on<br>
> different 172.16.x.x subnets. Also note that in the Openswan setup, only the<br>
> hub is using Openswan, the two spokes are still Freeswan.<br>
><br>
> How do I make this work in Openswan?<br>
><br>
> Thanks / Mattias<br>
><br>
><br>
><br>
> -------------------------------------------------------------------------------------------------------------------------------------<br>
> For the Freeswan setup, the IP addresses are as follows:<br>
> Hub - 172.16.10.110 - 192.168.1.10<br>
> Spoke1 - 172.16.30.130 - 192.168.1.30<br>
> Spoke2 - 172.16.60.160 - 192.168.1.60<br>
><br>
> Hub's ipsec.conf<br>
> -----------------------<br>
> config setup<br>
> interfaces = "ipsec0=eth1"<br>
> klipsdebug = none<br>
> plutodebug = none<br>
> plutoload = %search<br>
> plutostart = %search<br>
> uniqueids = yes<br>
> hidetos = no<br>
> conn t10to30<br>
> type = tunnel<br>
> left = 192.168.1.10<br>
> right = 192.168.1.30<br>
> leftnexthop = 192.168.1.1<br>
> leftsubnet = <a href="http://172.16.10.0/24" target="_blank">172.16.10.0/24</a><br>
> rightsubnet = <a href="http://172.16.30.0/24" target="_blank">172.16.30.0/24</a><br>
> auto = start<br>
> keyexchange = ike<br>
> authby = secret<br>
> auth = esp<br>
> keyingtries = 0<br>
> esp = AES128-SHA1<br>
> pfs = yes<br>
> rekey = yes<br>
> leftid = 192.168.1.10<br>
> rightid = 192.168.1.30<br>
> ike = 3DES-SHA-MODP1024<br>
> ikelifetime = 28800s<br>
> keylife = 86400s<br>
> rekeymargin = 10m<br>
> rekeyfuzz = 20%<br>
> conn t10to60<br>
> type = tunnel<br>
> left = 192.168.1.10<br>
> right = 192.168.1.60<br>
> leftnexthop = 192.168.1.1<br>
> leftsubnet = <a href="http://172.16.10.0/24" target="_blank">172.16.10.0/24</a><br>
> rightsubnet = <a href="http://172.16.60.0/24" target="_blank">172.16.60.0/24</a><br>
> auto = start<br>
> keyexchange = ike<br>
> authby = secret<br>
> auth = esp<br>
> keyingtries = 0<br>
> esp = AES128-SHA1<br>
> pfs = yes<br>
> rekey = yes<br>
> leftid = 192.168.1.10<br>
> rightid = 192.168.1.60<br>
> ike = 3DES-SHA-MODP1024<br>
> ikelifetime = 28800s<br>
> keylife = 86400s<br>
> rekeymargin = 10m<br>
> rekeyfuzz = 20%<br>
><br>
> Hub's eroutes<br>
> -----------------------<br>
> 0 172.16.10.0/24 -> 172.16.30.0/24 => tun0x101b@192.168.1.30<br>
> 0 172.16.10.0/24 -> 172.16.60.0/24 => tun0x101f@192.168.1.60<br>
> 26 172.16.30.0/24 -> 172.16.60.0/24 => tun0x101f@192.168.1.60<br>
> 26 172.16.60.0/24 -> 172.16.30.0/24 => tun0x101b@192.168.1.30<br>
><br>
> Spoke1's ipsec.conf<br>
> -----------------------<br>
> config setup<br>
> interfaces = "ipsec0=eth1"<br>
> klipsdebug = none<br>
> plutodebug = none<br>
> plutoload = %search<br>
> plutostart = %search<br>
> uniqueids = yes<br>
> hidetos = no<br>
> conn t30to10<br>
> type = tunnel<br>
> left = 192.168.1.30<br>
> right = 192.168.1.10<br>
> leftnexthop = 192.168.1.1<br>
> leftsubnet = <a href="http://172.16.30.0/24" target="_blank">172.16.30.0/24</a><br>
> rightsubnet = <a href="http://172.16.10.0/24" target="_blank">172.16.10.0/24</a><br>
> auto = start<br>
> keyexchange = ike<br>
> authby = secret<br>
> auth = esp<br>
> keyingtries = 0<br>
> esp = AES128-SHA1<br>
> pfs = yes<br>
> rekey = yes<br>
> leftid = 192.168.1.30<br>
> rightid = 192.168.1.10<br>
> ike = 3DES-SHA-MODP1024<br>
> ikelifetime = 28800s<br>
> keylife = 86400s<br>
> rekeymargin = 10m<br>
> rekeyfuzz = 20%<br>
><br>
> Spoke1's eroutes<br>
> -----------------------<br>
> 0 172.16.30.0/24 -> 172.16.10.0/24 => tun0x1004@192.168.1.10<br>
> 26 172.16.30.0/24 -> 172.16.60.0/24 => tun0x1004@192.168.1.10<br>
><br>
><br>
> Spoke2's ipsec.conf<br>
> -----------------------<br>
> config setup<br>
> interfaces = "ipsec0=eth1"<br>
> klipsdebug = none<br>
> plutodebug = none<br>
> plutoload = %search<br>
> plutostart = %search<br>
> uniqueids = yes<br>
> hidetos = no<br>
> conn t60to10<br>
> type = tunnel<br>
> left = 192.168.1.60<br>
> right = 192.168.1.10<br>
> leftnexthop = 192.168.1.1<br>
> leftsubnet = <a href="http://172.16.60.0/24" target="_blank">172.16.60.0/24</a><br>
> rightsubnet = <a href="http://172.16.10.0/24" target="_blank">172.16.10.0/24</a><br>
> auto = start<br>
> keyexchange = ike<br>
> authby = secret<br>
> auth = esp<br>
> keyingtries = 0<br>
> esp = AES128-SHA1<br>
> pfs = yes<br>
> rekey = yes<br>
> leftid = 192.168.1.60<br>
> rightid = 192.168.1.10<br>
> ike = 3DES-SHA-MODP1024<br>
> ikelifetime = 28800s<br>
> keylife = 86400s<br>
> rekeymargin = 10m<br>
> rekeyfuzz = 20%<br>
><br>
> Spoke2's eroutes<br>
> -----------------------<br>
> 0 172.16.60.0/24 -> 172.16.10.0/24 => tun0x1004@192.168.1.10<br>
> 62 172.16.60.0/24 -> 172.16.30.0/24 => tun0x1004@192.168.1.10<br>
><br>
><br>
> When pinging from spoke1 to hub:<br>
> # ping -I 172.16.30.130 172.16.10.110<br>
> PING 172.16.10.110 (172.16.10.110): 56 data bytes<br>
> 64 bytes from <a href="http://172.16.10.110" target="_blank">172.16.10.110</a>: icmp_seq=0 ttl=64 time=3.2 ms<br>
> 64 bytes from <a href="http://172.16.10.110" target="_blank">172.16.10.110</a>: icmp_seq=1 ttl=64 time=2.3 ms<br>
><br>
> When pinging from spoke1 to spoke2:<br>
> # ping -I 172.16.30.130 172.16.60.160<br>
> PING 172.16.60.160 (172.16.60.160): 56 data bytes<br>
> 64 bytes from <a href="http://172.16.60.160" target="_blank">172.16.60.160</a>: icmp_seq=0 ttl=63 time=12.7 ms<br>
> 64 bytes from <a href="http://172.16.60.160" target="_blank">172.16.60.160</a>: icmp_seq=1 ttl=63 time=4.6 ms<br>
><br>
> Tcpdump on spoke1 when pinging from spoke1 to spoke2:<br>
> # tcpdump -ni ipsec0 icmp<br>
> tcpdump: listening on ipsec0<br>
> 00:34:17.262268 172.16.30.130 > <a href="http://172.16.60.160" target="_blank">172.16.60.160</a>: icmp: echo request (DF)<br>
> 00:34:17.266201 172.16.60.160 > <a href="http://172.16.30.130" target="_blank">172.16.30.130</a>: icmp: echo reply<br>
><br>
> And tcpdump on hub when pinging from spoke1 to spoke2:<br>
> # tcpdump -ni ipsec0 icmp<br>
> tcpdump: listening on ipsec0<br>
> 16:29:56.543048 172.16.30.130 > <a href="http://172.16.60.160" target="_blank">172.16.60.160</a>: icmp: echo request (DF)<br>
> 16:29:56.543527 172.16.30.130 > <a href="http://172.16.60.160" target="_blank">172.16.60.160</a>: icmp: echo request (DF)<br>
> 16:29:56.545636 172.16.60.160 > <a href="http://172.16.30.130" target="_blank">172.16.30.130</a>: icmp: echo reply<br>
> 16:29:56.546168 172.16.60.160 > <a href="http://172.16.30.130" target="_blank">172.16.30.130</a>: icmp: echo reply<br>
><br>
><br>
> -------------------------------------------------------------------------------------------------------------------------------------<br>
> For the Openswan setup, the IP addresses are as follows:<br>
> Hub - 172.16.50.150 - 192.168.1.50<br>
> Spoke1 - 172.16.40.140 - 192.168.1.40<br>
> Spoke2 - 172.16.20.120 - 192.168.1.20<br>
><br>
> Hub's ipsec.conf<br>
> -----------------------<br>
> config setup<br>
> interfaces = "ipsec0=eth1"<br>
> klipsdebug = none<br>
> plutodebug = none<br>
> uniqueids = yes<br>
> hidetos = no<br>
> conn t50to40<br>
> type = tunnel<br>
> left = 192.168.1.50<br>
> right = 192.168.1.40<br>
> leftnexthop = 192.168.1.1<br>
> leftsubnet = <a href="http://172.16.50.0/24" target="_blank">172.16.50.0/24</a><br>
> rightsubnet = <a href="http://172.16.40.0/24" target="_blank">172.16.40.0/24</a><br>
> auto = start<br>
> keyexchange = ike<br>
> authby = secret<br>
> auth = esp<br>
> keyingtries = 0<br>
> esp = AES128-SHA1<br>
> pfs = yes<br>
> rekey = yes<br>
> leftid = 192.168.1.50<br>
> rightid = 192.168.1.40<br>
> ike = 3DES-SHA-MODP1024<br>
> ikelifetime = 28800s<br>
> keylife = 86400s<br>
> rekeymargin = 10m<br>
> rekeyfuzz = 20%<br>
> conn t50to20<br>
> type = tunnel<br>
> left = 192.168.1.50<br>
> right = 192.168.1.20<br>
> leftnexthop = 192.168.1.1<br>
> leftsubnet = <a href="http://172.16.50.0/24" target="_blank">172.16.50.0/24</a><br>
> rightsubnet = <a href="http://172.16.20.0/24" target="_blank">172.16.20.0/24</a><br>
> auto = start<br>
> keyexchange = ike<br>
> authby = secret<br>
> auth = esp<br>
> keyingtries = 0<br>
> esp = AES128-SHA1<br>
> pfs = yes<br>
> rekey = yes<br>
> leftid = 192.168.1.50<br>
> rightid = 192.168.1.20<br>
> ike = 3DES-SHA-MODP1024<br>
> ikelifetime = 28800s<br>
> keylife = 86400s<br>
> rekeymargin = 10m<br>
> rekeyfuzz = 20%<br>
><br>
> Hub's eroutes<br>
> -----------------------<br>
> 0 172.16.20.0/24 -> 172.16.40.0/24 => tun0x1016@192.168.1.40<br>
> 0 172.16.40.0/24 -> 172.16.20.0/24 => tun0x1014@192.168.1.20<br>
> 2 172.16.50.0/24 -> 172.16.20.0/24 => tun0x1014@192.168.1.20<br>
> 12 172.16.50.0/24 -> 172.16.40.0/24 => tun0x1016@192.168.1.40<br>
><br>
><br>
> Spoke1's ipsec.conf<br>
> -----------------------<br>
> config setup<br>
> interfaces = "ipsec0=eth1"<br>
> klipsdebug = none<br>
> plutodebug = none<br>
> plutoload = %search<br>
> plutostart = %search<br>
> uniqueids = yes<br>
> hidetos = no<br>
> conn t40to50<br>
> type = tunnel<br>
> left = 192.168.1.40<br>
> right = 192.168.1.50<br>
> leftnexthop = 192.168.1.1<br>
> leftsubnet = <a href="http://172.16.40.0/24" target="_blank">172.16.40.0/24</a><br>
> rightsubnet = <a href="http://172.16.50.0/24" target="_blank">172.16.50.0/24</a><br>
> auto = start<br>
> keyexchange = ike<br>
> authby = secret<br>
> auth = esp<br>
> keyingtries = 0<br>
> esp = AES128-SHA1<br>
> pfs = yes<br>
> rekey = yes<br>
> leftid = 192.168.1.40<br>
> rightid = 192.168.1.50<br>
> ike = 3DES-SHA-MODP1024<br>
> ikelifetime = 28800s<br>
> keylife = 86400s<br>
> rekeymargin = 10m<br>
> rekeyfuzz = 20%<br>
><br>
> Spoke1's eroutes<br>
> -----------------------<br>
> 2 172.16.20.0/24 -> 172.16.40.0/24 => tun0x1008@192.168.1.50<br>
> 2 172.16.20.0/24 -> 172.16.50.0/24 => tun0x1008@192.168.1.50<br>
><br>
> Spoke2's ipsec.conf<br>
> -----------------------<br>
> config setup<br>
> interfaces = "ipsec0=eth1"<br>
> klipsdebug = none<br>
> plutodebug = none<br>
> plutoload = %search<br>
> plutostart = %search<br>
> uniqueids = yes<br>
> hidetos = no<br>
> conn t20to50<br>
> type = tunnel<br>
> left = 192.168.1.20<br>
> right = 192.168.1.50<br>
> leftnexthop = 192.168.1.1<br>
> leftsubnet = <a href="http://172.16.20.0/24" target="_blank">172.16.20.0/24</a><br>
> rightsubnet = <a href="http://172.16.50.0/24" target="_blank">172.16.50.0/24</a><br>
> auto = start<br>
> keyexchange = ike<br>
> authby = secret<br>
> auth = esp<br>
> keyingtries = 0<br>
> esp = AES128-SHA1<br>
> pfs = yes<br>
> rekey = yes<br>
> leftid = 192.168.1.20<br>
> rightid = 192.168.1.50<br>
> ike = 3DES-SHA-MODP1024<br>
> ikelifetime = 28800s<br>
> keylife = 86400s<br>
> rekeymargin = 10m<br>
> rekeyfuzz = 20%<br>
><br>
> Spoke2's eroutes<br>
> -----------------------<br>
> 549 172.16.40.0/24 -> 172.16.20.0/24 => tun0x100c@192.168.1.50<br>
> 12 172.16.40.0/24 -> 172.16.50.0/24 => tun0x100c@192.168.1.50<br>
><br>
><br>
> When pinging from spoke1 to hub:<br>
> # ping -I 172.16.20.120 172.16.50.150<br>
> PING 172.16.50.150 (172.16.50.150): 56 data bytes<br>
> 64 bytes from <a href="http://172.16.50.150" target="_blank">172.16.50.150</a>: icmp_seq=0 ttl=64 time=12.4 ms<br>
> 64 bytes from <a href="http://172.16.50.150" target="_blank">172.16.50.150</a>: icmp_seq=1 ttl=64 time=10.4 ms<br>
><br>
> When pinging from spoke1 to spoke2:<br>
> # ping -I 172.16.20.120 172.16.40.140<br>
> PING 172.16.40.140 (172.16.40.140): 56 data bytes<br>
><br>
> --- 172.16.40.140 ping statistics ---<br>
> 8 packets transmitted, 0 packets received, 100% packet loss<br>
><br>
> Tcpdump on spoke1 when pinging from spoke1 to spoke2:<br>
> # tcpdump -ni ipsec0 icmp<br>
> tcpdump: listening on ipsec0<br>
> 16:33:49.927435 172.16.20.120 > <a href="http://172.16.40.140" target="_blank">172.16.40.140</a>: icmp: echo request (DF)<br>
> 16:33:50.927440 172.16.20.120 > <a href="http://172.16.40.140" target="_blank">172.16.40.140</a>: icmp: echo request (DF)<br>
><br>
> And tcpdump on hub when pinging from spoke1 to spoke2:<br>
> # tcpdump -ni ipsec0 icmp<br>
> tcpdump: listening on ipsec0<br>
><br>
> 0 packets received by filter<br>
> 0 packets dropped by kernel<br>
><br>
><br>
> I can ping from the hub to spoke2:<br>
> # ping -I 172.16.50.150 172.16.40.140<br>
> PING 172.16.40.140 (172.16.40.140): 56 data bytes<br>
> 64 bytes from <a href="http://172.16.40.140" target="_blank">172.16.40.140</a>: icmp_seq=0 ttl=64 time=3.3 ms<br>
> 64 bytes from <a href="http://172.16.40.140" target="_blank">172.16.40.140</a>: icmp_seq=1 ttl=64 time=2.1 ms<br>
><br>
><br>
><br>
><br>
><br>
</div></div>> _______________________________________________<br>
> <a href="mailto:Users@openswan.org" target="_blank">Users@openswan.org</a><br>
> <a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
> Building and Integrating Virtual Private Networks with Openswan:<br>
> <a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
><br>
><br>
</blockquote></div><br>
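A worked example added for readers of this thread; it is not part of any message above and not Openswan's code. The point the exchange circles around is that an IPsec gateway only passes a decrypted packet if its inner source and destination fall inside the traffic selectors of the SA it arrived on (the inbound check RFC 4301 requires), and only tunnels an outbound packet if some policy (an eroute, in KLIPS terms) covers that source/destination pair. A hub whose conns all name only the hub's own LAN therefore has no selector that covers spoke-to-spoke traffic on either side. The Python model below uses the addresses from the Openswan setup in the original post and compares the hub's conns as posted with the layout Hiren describes, where each extra hub conn carries one spoke's LAN as its leftsubnet and the other spoke's LAN as its rightsubnet. That KLIPS enforces the inbound selector check exactly as modelled here is an assumption; the names of the two extra conns, `HUB_LAN`, and the function names are constructed for this example.

```python
"""Model of hub-side IPsec policy matching for a hub-and-spoke setup.

Constructed illustration (not Openswan code): the hub's conns are modelled as
traffic selectors, and one decrypted packet is traced through the inbound
selector check and the outbound policy (eroute) lookup.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Conn:
    """One conn as the hub sees it: 'left' is the hub, 'right' the peer gateway."""
    name: str
    peer: IPv4Address          # right=
    leftsubnet: IPv4Network    # the subnet the hub claims on its own side
    rightsubnet: IPv4Network   # the subnet behind the peer


def conn(name: str, peer: str, leftsubnet: str, rightsubnet: str) -> Conn:
    return Conn(name, IPv4Address(peer), IPv4Network(leftsubnet), IPv4Network(rightsubnet))


# The hub's own LAN in the Openswan setup from the original post (assumed name).
HUB_LAN = IPv4Network("172.16.50.0/24")

# Hub conns as posted: both claim only the hub's own LAN on the left side.
HUB_AS_POSTED = [
    conn("t50to40", "192.168.1.40", "172.16.50.0/24", "172.16.40.0/24"),
    conn("t50to20", "192.168.1.20", "172.16.50.0/24", "172.16.20.0/24"),
]

# Hub conns following Hiren's layout: two extra conns whose leftsubnet is the
# *other* spoke's LAN, so the hub's selectors cover spoke-to-spoke traffic.
# The names t40to20 / t20to40 are constructed for this example.
HUB_AS_SUGGESTED = HUB_AS_POSTED + [
    conn("t40to20", "192.168.1.20", "172.16.40.0/24", "172.16.20.0/24"),
    conn("t20to40", "192.168.1.40", "172.16.20.0/24", "172.16.40.0/24"),
]


def inbound_policy(conns, peer: IPv4Address, src: IPv4Address, dst: IPv4Address) -> Optional[Conn]:
    """Inbound check: a packet decrypted on the SA from `peer` is accepted only if a
    conn with that peer has src behind the peer and dst on the hub side."""
    for c in conns:
        if c.peer == peer and src in c.rightsubnet and dst in c.leftsubnet:
            return c
    return None


def outbound_policy(conns, src: IPv4Address, dst: IPv4Address) -> Optional[Conn]:
    """Outbound lookup (the eroute): first conn whose selectors cover src -> dst."""
    for c in conns:
        if src in c.leftsubnet and dst in c.rightsubnet:
            return c
    return None


def hub_forward(conns, from_peer: str, src: str, dst: str):
    """Trace one decrypted packet through the hub. Returns (verdict, detail)."""
    peer, s, d = IPv4Address(from_peer), IPv4Address(src), IPv4Address(dst)
    c_in = inbound_policy(conns, peer, s, d)
    if c_in is None:
        return ("drop", f"no inbound selector on SA from {peer} covers {s}->{d}")
    if d in HUB_LAN:
        return ("deliver", c_in.name)
    c_out = outbound_policy(conns, s, d)
    if c_out is None:
        return ("drop", f"no eroute covers {s}->{d}")
    return ("forward", str(c_out.peer))


if __name__ == "__main__":
    # Spoke-to-spoke ping from the post: 172.16.20.120 -> 172.16.40.140,
    # arriving on the hub from the gateway 192.168.1.20.
    for label, conns in (("as posted", HUB_AS_POSTED), ("as suggested", HUB_AS_SUGGESTED)):
        print(label, hub_forward(conns, "192.168.1.20", "172.16.20.120", "172.16.40.140"))
```

With the conns as posted the packet fails the inbound check on the hub: the SA from 192.168.1.20 only carries 172.16.20.0/24 to 172.16.50.0/24, so a destination in 172.16.40.0/24 has no matching selector, and the manually added eroutes never get a chance to apply. With the two extra conns the same packet passes the inbound check and is tunnelled on to 192.168.1.40. The model also shows why the check is worth having: a packet arriving from 192.168.1.20 that claims a source in 172.16.40.0/24 is dropped, because no selector on that SA covers it. The same lookup on a spoke explains Hiren's spoke entries: spoke X needs a conn with rightsubnet z' and right=Y so that its own outbound policy sends x' to z' traffic to the hub at all.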