<HTML>
<HEAD>
<TITLE>Problem in site 2 site communication</TITLE>
</HEAD>
<BODY>
<FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Hello,<BR>
I have a configuration with a central site (call it AS, with public IP 4.2.3.226 on eth4 and 172.16.254.65 on eth5 (public MPLS network)) that connects (without problem) to 6 sites.<BR>
I’d like to have all sites communicating together, through the central site tunnels.<BR>
Each site can communicate with the central site networks, but is not able to communicate with other sites.<BR>
When tracerouting from the distant site RUNGIS client to the distant site IER, we see packets trying to go outside through the 4.2.3.226 (public IP) address...<BR>
Any ideas / questions are welcome ;-) <BR>
<BR>
Here are my ip addresses:<BR>
[root@bemersfw01 ipsec.d]# ip addr show<BR>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue <BR>
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<BR>
inet 127.0.0.1/8 scope host lo<BR>
inet6 ::1/128 scope host <BR>
valid_lft forever preferred_lft forever<BR>
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000<BR>
link/ether 00:1b:21:3f:e1:e0 brd ff:ff:ff:ff:ff:ff<BR>
inet 172.16.0.66/24 brd 172.16.0.255 scope global eth0<BR>
inet 172.16.222.66/24 brd 172.16.222.255 scope global eth0:1<BR>
inet6 fe80::21b:21ff:fe3f:e1e0/64 scope link <BR>
valid_lft forever preferred_lft forever<BR>
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000<BR>
link/ether 00:1b:21:3f:e1:e1 brd ff:ff:ff:ff:ff:ff<BR>
inet 10.10.1.126/24 brd 10.10.1.255 scope global eth1<BR>
inet6 fe80::21b:21ff:fe3f:e1e1/64 scope link <BR>
valid_lft forever preferred_lft forever<BR>
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000<BR>
link/ether 00:1b:21:3f:e1:e4 brd ff:ff:ff:ff:ff:ff<BR>
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000<BR>
link/ether 00:1b:21:3f:e1:e5 brd ff:ff:ff:ff:ff:ff<BR>
inet 192.168.0.66/24 brd 192.168.0.255 scope global eth3<BR>
inet6 fe80::21b:21ff:fe3f:e1e5/64 scope link <BR>
valid_lft forever preferred_lft forever<BR>
6: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000<BR>
link/ether 00:1b:21:3f:ee:68 brd ff:ff:ff:ff:ff:ff<BR>
inet 4.2.3.226/27 brd 194.78.61.255 scope global eth4<BR>
inet 4.2.3.227/27 brd 194.78.61.255 scope global secondary eth4:227<BR>
inet 4.2.3.228/27 brd 194.78.61.255 scope global secondary eth4:228<BR>
inet 4.2.3.229/27 brd 194.78.61.255 scope global secondary eth4:229<BR>
inet 4.2.3.230/27 brd 194.78.61.255 scope global secondary eth4:230<BR>
inet 4.2.3.242/27 brd 194.78.61.255 scope global secondary eth4:242<BR>
inet 4.2.3.243/27 brd 194.78.61.255 scope global secondary eth4:243<BR>
inet 4.2.3.244/27 brd 194.78.61.255 scope global secondary eth4:244<BR>
inet 4.2.3.245/27 brd 194.78.61.255 scope global secondary eth4:245<BR>
inet6 fe80::21b:21ff:fe3f:ee68/64 scope link <BR>
valid_lft forever preferred_lft forever<BR>
7: eth5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000<BR>
link/ether 00:1b:21:3f:ee:69 brd ff:ff:ff:ff:ff:ff<BR>
inet 172.16.254.65/24 brd 172.16.254.255 scope global eth5<BR>
inet6 fe80::21b:21ff:fe3f:ee69/64 scope link <BR>
valid_lft forever preferred_lft forever<BR>
8: eth6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000<BR>
link/ether 00:1b:21:3f:ee:6c brd ff:ff:ff:ff:ff:ff<BR>
inet 172.20.0.66/24 brd 172.20.0.255 scope global eth6<BR>
inet6 fe80::21b:21ff:fe3f:ee6c/64 scope link <BR>
valid_lft forever preferred_lft forever<BR>
9: eth7: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000<BR>
link/ether 00:1b:21:3f:ee:6d brd ff:ff:ff:ff:ff:ff<BR>
10: sit0: <NOARP> mtu 1480 qdisc noop <BR>
link/sit 0.0.0.0 brd 0.0.0.0<BR>
<BR>
<BR>
Here is my ipsec.conf file:<BR>
<BR>
config setup<BR>
# Debug-logging controls: "none" for (almost) none, "all" for lots.<BR>
klipsdebug=none<BR>
plutodebug=none<BR>
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey<BR>
plutowait=no<BR>
<BR>
interfaces="ipsec0=eth5 ipsec1=eth4"<BR>
protostack=netkey<BR>
nat_traversal=yes<BR>
<BR>
include /etc/ipsec.d/*.conf<BR>
<BR>
<BR>
In ipsec.d we have the following files:<BR>
-rw-r--r-- 1 root root 793 Aug 9 07:08 aix.conf<BR>
-rw-r--r-- 1 root root 150 Aug 9 06:53 aix.secrets<BR>
-rw-r--r-- 1 root root 884 Aug 9 07:11 blyes.conf<BR>
-rw-r--r-- 1 root root 55 Aug 9 06:09 blyes.secrets<BR>
-rw-r--r-- 1 root root 354 Aug 8 15:46 canada.conf<BR>
-rw-r--r-- 1 root root 47 Aug 8 16:58 canada.secrets<BR>
-rw-r--r-- 1 root root 805 Aug 13 15:38 ier.conf<BR>
-rw-r--r-- 1 root root 49 Aug 12 18:19 ier.secrets<BR>
-rw-r--r-- 1 root root 880 Aug 9 08:31 nyc.conf<BR>
-rw-r--r-- 1 root root 46 Aug 9 07:52 nyc.secrets<BR>
-rw-r--r-- 1 root root 921 Aug 13 12:38 rungis.conf<BR>
-rw-r--r-- 1 root root 47 Aug 9 05:31 rungis.secrets<BR>
<BR>
And here are 2 config files (say if you need more):<BR>
Rungis.conf<BR>
----------------<BR>
conn Rungis1<BR>
leftsubnet=172.16.0.0/23<BR>
also=Rungis<BR>
<BR>
conn Rungis2<BR>
leftsubnet=172.24.0.0/16<BR>
also=Rungis<BR>
<BR>
conn Rungis3<BR>
leftsubnet=212.155.183.226/32<BR>
also=Rungis<BR>
<BR>
conn Rungis4<BR>
leftsubnet=10.123.32.0/24<BR>
also=Rungis<BR>
<BR>
conn Rungis5<BR>
leftsubnet=172.16.3.0/24<BR>
also=Rungis<BR>
<BR>
conn Rungis6<BR>
leftsubnet=172.16.4.0/24<BR>
also=Rungis<BR>
<BR>
conn Rungis7<BR>
leftsubnet=172.16.222.0/24<BR>
also=Rungis<BR>
<BR>
conn Rungis8<BR>
leftsubnet=172.16.30.0/24<BR>
also=Rungis<BR>
<BR>
conn Rungis9<BR>
leftsubnet=172.16.40.0/24<BR>
also=Rungis<BR>
<BR>
conn Rungis10<BR>
leftsubnet=172.16.5.0/24<BR>
also=Rungis<BR>
<BR>
conn Rungis<BR>
authby=secret<BR>
pfs=no<BR>
auto=start<BR>
keyingtries=3<BR>
disablearrivalcheck=no<BR>
keyexchange=ike<BR>
ikelifetime=240m<BR>
type=tunnel<BR>
auth=esp<BR>
compress=no<BR>
keylife=60m<BR>
right=4.4.3.21<BR>
rightsubnet=172.16.10.0/24<BR>
rightnexthop=4.4.3.22<BR>
left=4.2.3.226<BR>
leftnexthop=4.2.3.254<BR>
<BR>
<BR>
IER.conf<BR>
------------<BR>
conn IERB<BR>
leftsubnet=172.16.0.0/24<BR>
rightsubnet=172.24.0.0/18<BR>
also=IER<BR>
<BR>
conn IERF<BR>
leftsubnet=172.16.10.0/24<BR>
rightsubnet=172.24.0.0/18<BR>
also=IER<BR>
<BR>
conn BOLLOREB<BR>
leftsubnet=172.16.0.0/24<BR>
rightsubnet=10.128.0.0/11<BR>
also=IER<BR>
<BR>
conn BOLLOREF<BR>
leftsubnet=172.16.10.0/24<BR>
rightsubnet=10.128.0.0/11<BR>
also=IER<BR>
<BR>
conn BOLLOREB1<BR>
leftsubnet=172.16.0.0/24<BR>
rightsubnet=10.123.0.0/16<BR>
also=IER<BR>
<BR>
conn BOLLOREF1<BR>
leftsubnet=172.16.10.0/24<BR>
rightsubnet=10.123.0.0/16<BR>
also=IER<BR>
<BR>
conn IER<BR>
authby=secret<BR>
pfs=yes<BR>
auto=start<BR>
keyingtries=3<BR>
disablearrivalcheck=no<BR>
keyexchange=ike<BR>
ikelifetime=86400s<BR>
type=tunnel<BR>
auth=esp<BR>
compress=no<BR>
keylife=14400s<BR>
right=4.3.3.20<BR>
left=4.2.3.226<BR>
leftnexthop=4.2.3.254<BR>
esp=aes128-sha1<BR>
ike=3des-sha<BR>
<BR>
<BR>
<BR>
---<BR>
Pascal Fuks<BR>
Network & Security Consultant - CEO<BR>
<BR>
Financial Art S.A.<BR>
Rue des Pâquerettes 12<BR>
Braine-l'Alleud, B 1420 Belgium<BR>
<a href="http://www.financial-art.be">http://www.financial-art.be</a><BR>
<BR>
Work: +32 2 387 0800<BR>
Mobile: +32 475 26 8902<BR>
Fax: +32 2 387 0706<BR>
Email: <a href="mailto:Pascal@financial-art.be">Pascal@financial-art.be</a><BR>
IM: pascal@financial-art (MSN)<BR>
<BR>
Before printing, think if it's really necessary and think about the environmental impact<BR>
</SPAN></FONT>
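Not part of the original post: as an added check for a hub-and-spoke setup like the one described above, the Python below parses Openswan-style conn blocks (resolving also= inheritance, where the including conn's own keys win) and reports whether the hub holds both policies a spoke-to-spoke flow needs: one on the SA with the source spoke and one on the SA with the destination spoke. The config excerpt is constructed from the subnets quoted in the post; the names parse_conns, resolve, policies and spoke_to_spoke are the example's own.

```python
import ipaddress

# Constructed excerpt of the hub's ipsec.d conns, reduced from the post above.
HUB_CONF = """
conn Rungis2
    leftsubnet=172.24.0.0/16
    also=Rungis

conn Rungis
    right=4.4.3.21
    rightsubnet=172.16.10.0/24
    left=4.2.3.226

conn IERF
    leftsubnet=172.16.10.0/24
    rightsubnet=172.24.0.0/18
    also=IER

conn BOLLOREF
    leftsubnet=172.16.10.0/24
    rightsubnet=10.128.0.0/11
    also=IER

conn IER
    right=4.3.3.20
    left=4.2.3.226
"""

def parse_conns(text):
    """Return {conn name: {key: value}} for every 'conn' block; 'also=' is left unresolved."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            cur = conns.setdefault(line.split(None, 1)[1], {})
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip()
    return conns

def resolve(conns, name, seen=()):
    """Effective settings of a conn: the 'also=' parent's keys, overridden by the conn's own."""
    own = dict(conns[name])
    parent = own.pop("also", None)
    if parent is None or parent in seen or parent not in conns:
        return own
    merged = resolve(conns, parent, seen + (name,))
    merged.update(own)
    return merged

def policies(text):
    """Effective (name, leftsubnet, rightsubnet, peer) tuples; template-only conns are skipped."""
    conns = parse_conns(text)
    out = []
    for name in conns:
        eff = resolve(conns, name)
        if all(k in eff for k in ("leftsubnet", "rightsubnet", "right")):
            out.append((name, ipaddress.ip_network(eff["leftsubnet"]),
                        ipaddress.ip_network(eff["rightsubnet"]), eff["right"]))
    return out

def spoke_to_spoke(text, src, dst):
    """Hub policies carrying src -> dst as (inbound SA name, outbound SA name); None marks a gap."""
    src, dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    inbound = outbound = None
    for name, left, right, _peer in policies(text):
        # SA with the source spoke: its rightsubnet holds src, the hub-side leftsubnet holds dst
        if src.subnet_of(right) and dst.subnet_of(left):
            inbound = name
        # SA with the destination spoke: hub-side leftsubnet holds src, its rightsubnet holds dst
        if src.subnet_of(left) and dst.subnet_of(right):
            outbound = name
    return inbound, outbound
```

This only inspects the hub's policy set; each spoke must carry the mirror-image subnet pair as well, and a flow for which either tuple element is None will be forwarded by the hub in the clear or dropped, depending on the routing table.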
</BODY>
</HTML>