<HTML>
<HEAD>
<TITLE>Problem in site 2 site communication</TITLE>
</HEAD>
<BODY>
<FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Hello,<BR>
I do have a configuration with a centralsite (call it AS with public IP 4.2.3.226 on eth4 and 172.16.254.65 on eth5(public MPLS network)) that connect (without problem) to 6 sites.<BR>
I’d like to have all sites communicating together, through central site tunnels<BR>
Each site can communicate with the central site networks, but is not able to communicate with other sites.<BR>
When tracerouting from distant site RUNGIS client to distant site IER, we see packets trying to go outside through the 4.2.3.226 (Public IP) address...<BR>
Any idea / question are welcome ;-) <BR>
<BR>
Here are my ip addresses:<BR>
[root@bemersfw01 ipsec.d]# ip addr show<BR>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue <BR>
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000<BR>
inet 172.16.0.66/24 brd 172.16.0.255 scope global eth0<BR>
inet 172.16.222.66/24 brd 172.16.222.255 scope global eth0:1<BR>
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000<BR>
inet 10.10.1.126/24 brd 10.10.1.255 scope global eth1<BR>
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000<BR>
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000<BR>
link/ether 00:1b:21:3f:e1:e5 brd ff:ff:ff:ff:ff:ff<BR>
inet 192.168.0.66/24 brd 192.168.0.255 scope global eth3<BR>
6: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000<BR>
inet 4.2.3.226/27 brd 194.78.61.255 scope global eth4<BR>
inet 4.2.3.227/27 brd 194.78.61.255 scope global secondary eth4:227<BR>
inet 4.2.3.228/27 brd 194.78.61.255 scope global secondary eth4:228<BR>
inet 4.2.3.229/27 brd 194.78.61.255 scope global secondary eth4:229<BR>
inet 4.2.3.230/27 brd 194.78.61.255 scope global secondary eth4:230<BR>
inet 4.2.3.242/27 brd 194.78.61.255 scope global secondary eth4:242<BR>
inet 4.2.3.243/27 brd 194.78.61.255 scope global secondary eth4:243<BR>
inet 4.2.3.244/27 brd 194.78.61.255 scope global secondary eth4:244<BR>
inet 4.2.3.245/27 brd 194.78.61.255 scope global secondary eth4:245<BR>
7: eth5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000<BR>
link/ether 00:1b:21:3f:ee:69 brd ff:ff:ff:ff:ff:ff<BR>
inet 172.16.254.65/24 brd 172.16.254.255 scope global eth5<BR>
8: eth6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000<BR>
inet 172.20.0.66/24 brd 172.20.0.255 scope global eth6<BR>
9: eth7: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000<BR>
10: sit0: <NOARP> mtu 1480 qdisc noop <BR>
link/sit 0.0.0.0 brd 0.0.0.0<BR>
<BR>
<BR>
Here is my ipsec.conf file :<BR>
<BR>
config setup<BR>
# Debug-logging controls: "none" for (almost) none, "all" for lots.<BR>
klipsdebug=none<BR>
plutodebug=none<BR>
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey<BR>
plutowait=no<BR>
<BR>
interfaces="ipsec0=eth5 ipsec1=eth4"<BR>
protostack=netkey<BR>
nat_traversal=yes<BR>
<BR>
include /etc/ipsec.d/*.conf<BR>
<BR>
<BR>
In ipsec.d we have the following files :<BR>
-rw-r--r-- 1 root root 793 Aug 9 07:08 aix.conf<BR>
-rw-r--r-- 1 root root 150 Aug 9 06:53 aix.secrets<BR>
-rw-r--r-- 1 root root 884 Aug 9 07:11 blyes.conf<BR>
-rw-r--r-- 1 root root 55 Aug 9 06:09 blyes.secrets<BR>
-rw-r--r-- 1 root root 354 Aug 8 15:46 canada.conf<BR>
-rw-r--r-- 1 root root 47 Aug 8 16:58 canada.secrets<BR>
-rw-r--r-- 1 root root 805 Aug 13 15:38 ier.conf<BR>
-rw-r--r-- 1 root root 49 Aug 12 18:19 ier.secrets<BR>
-rw-r--r-- 1 root root 880 Aug 9 08:31 nyc.conf<BR>
-rw-r--r-- 1 root root 46 Aug 9 07:52 nyc.secrets<BR>
-rw-r--r-- 1 root root 921 Aug 13 12:38 rungis.conf<BR>
-rw-r--r-- 1 root root 47 Aug 9 05:31 rungis.secrets<BR>
<BR>
And here are 2 configs files (say if you need more)<BR>
Rungis.conf<BR>
----------------<BR>
conn Rungis1<BR>
leftsubnet=172.16.0.0/23<BR>
also=Rungis<BR>
<BR>
conn Rungis2<BR>
leftsubnet=172.24.0.0/16<BR>
also=Rungis<BR>
<BR>
conn Rungis3<BR>
leftsubnet=212.155.183.226/32<BR>
also=Rungis<BR>
<BR>
conn Rungis4<BR>
leftsubnet=10.123.32.0/24<BR>
also=Rungis<BR>
<BR>
conn Rungis5<BR>
leftsubnet=172.16.3.0/24<BR>
also=Rungis<BR>
<BR>
conn Rungis6<BR>
leftsubnet=172.16.4.0/24<BR>
also=Rungis<BR>
<BR>
conn Rungis7<BR>
leftsubnet=172.16.222.0/24<BR>
also=Rungis<BR>
<BR>
conn Rungis8<BR>
leftsubnet=172.16.30.0/24<BR>
also=Rungis<BR>
<BR>
conn Rungis9<BR>
leftsubnet=172.16.40.0/24<BR>
also=Rungis<BR>
<BR>
conn Rungis10<BR>
leftsubnet=172.16.5.0/24<BR>
also=Rungis<BR>
<BR>
conn Rungis<BR>
authby=secret<BR>
pfs=no<BR>
auto=start<BR>
keyingtries=3<BR>
disablearrivalcheck=no<BR>
keyexchange=ike<BR>
ikelifetime=240m<BR>
type=tunnel<BR>
auth=esp<BR>
compress=no<BR>
keylife=60m<BR>
right=4.4.3.21<BR>
rightsubnet=172.16.10.0/24<BR>
rightnexthop=4.4.3.22<BR>
left=4.2.3.226<BR>
leftnexthop=4.2.3.254<BR>
<BR>
<BR>
IER.conf<BR>
------------<BR>
conn IERB<BR>
leftsubnet=172.16.0.0/24<BR>
rightsubnet=172.24.0.0/18<BR>
also=IER<BR>
<BR>
conn IERF<BR>
leftsubnet=172.16.10.0/24<BR>
rightsubnet=172.24.0.0/18<BR>
also=IER<BR>
<BR>
conn BOLLOREB<BR>
leftsubnet=172.16.0.0/24<BR>
rightsubnet=10.128.0.0/11<BR>
also=IER<BR>
<BR>
conn BOLLOREF<BR>
leftsubnet=172.16.10.0/24<BR>
rightsubnet=10.128.0.0/11<BR>
also=IER<BR>
<BR>
conn BOLLOREB1<BR>
leftsubnet=172.16.0.0/24<BR>
rightsubnet=10.123.0.0/16<BR>
also=IER<BR>
<BR>
conn BOLLOREF1<BR>
leftsubnet=172.16.10.0/24<BR>
rightsubnet=10.123.0.0/16<BR>
also=IER<BR>
<BR>
conn IER<BR>
authby=secret<BR>
pfs=yes<BR>
auto=start<BR>
keyingtries=3<BR>
disablearrivalcheck=no<BR>
keyexchange=ike<BR>
ikelifetime=86400s<BR>
type=tunnel<BR>
auth=esp<BR>
compress=no<BR>
keylife=14400s<BR>
right=4.3.3.20<BR>
left=4.2.3.226<BR>
leftnexthop=4.2.3.254<BR>
esp=aes128-sha1<BR>
ike=3des-sha<BR>
<BR>
<BR>
<BR>
---<BR>
Pascal Fuks<BR>
Network & Security Consultant - CEO<BR>
<BR>
Financial Art S.A.<BR>
Rue des Pâquerettes 12<BR>
Braine-l'Alleud, B 1420 Belgium<BR>
<a href="http://www.financial-art.be">http://www.financial-art.be</a><BR>
<BR>
Work: +32 2 387 0800<BR>
Mobile: +32 475 26 8902<BR>
Fax: +32 2 387 0706<BR>
Email: <a href="Pascal@financial-art.be">Pascal@financial-art.be</a><BR>
IM: pascal@financial-art (MSN)<BR>
<BR>
Before printing, think if it's really necessary and think in the environment impact<BR>
</SPAN></FONT>
<!--[object_id=#financial-art.be#]--><P align=left><FONT face=Tahoma size=2><FONT color=#0000ff><FONT size=2>"This e-mail and any attachment thereto may contain information which is confidential and/or protected by intellectual property rights and are intended for the sole use of the recipient(s) named above. <BR></FONT></FONT></FONT><FONT face=Tahoma size=2><FONT color=#0000ff><FONT size=2>Any use of the information contained herein (including, but not limited to, total or partial reproduction, communication or distribution in any form) by other persons than the designated recipient(s) is prohibited. <BR></FONT><FONT size=2>If you have received this e-mail in error, please notify the sender either by telephone or by e-mail and delete the material from any computer".</FONT></P>
<P align=left><FONT size=2>Thank you for your cooperation.</FONT> </P></FONT></FONT></BODY>
</HTML>