<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc="http://microsoft.com/officenet/conferencing" xmlns:D="DAV:" xmlns:Repl="http://schemas.microsoft.com/repl/" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ppda="http://www.passport.com/NameSpace.xsd" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" 
xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='color:#1F497D'>And now I know the HQ site
is routing my tunnel traffic in the clear even though it should be routing it
through the tunnel. How do I know? From Rochester – ping a
host inside HQ and watch tcpdump on the HQ firewall. Watching for -i
br0 net 172.21.7.0/24, I see echo requests and replies. Breaking it
down to physical eth devices, all looks as it should. But watching
tcpdump looking for the public side of Rochester – nothing. No ESP,
just dead space. <o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>Anything **initiated** from the
HQ side works as it should. But anything with the HQ side
**responding** tries to route outside the tunnel. <o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>OK, so what’s different
now than before? The biggie – everything is bridged now and it was
a pure router before. So now both the inside (LAN) and outside (Internet)
interfaces are br0 instead of eth1 and eth0. I have other sites doing
Openswan tunnels with bridged firewalls. The firewall rules are a little
different now because it’s a bridge. But I can drop all the filtering
rules and the problem does not change. I also just put in some more nat
PREROUTING rules to make sure I’m not masquerading anything that should
be part of a tunnel. But this didn’t help. <o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>Why bridge? Because a Cisco
VPN Concentrator and a Sonicwall VPN device were connected in parallel. Neither
of these works well behind a NAT gateway. We want them behind the firewall
so I can see all the traffic in and out of this network. <o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>So now that I have the problem
well defined, it would be lots better if I knew how to fix it.<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l0 level1 lfo3'><![if !supportLists]><span
style='color:#1F497D'><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'>
</span></span></span><![endif]><span style='color:#1F497D'>Greg Scott<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
users-bounces@openswan.org [mailto:users-bounces@openswan.org] <b>On Behalf Of </b>Greg
Scott<br>
<b>Sent:</b> Thursday, March 18, 2010 4:39 PM<br>
<b>To:</b> users@openswan.org<br>
<b>Subject:</b> [Openswan Users] IPSEC routing refuses to go through the tunnel<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I’ve been banging my head all day on this one.
I’m running an Openswan tunnel between a HQ site and several
branches. These tunnels have worked for years with no hassles.
After modifying the HQ system to use bridging, now all my tunnels
have turned to pure crap. It has to be something subtle I’m missing
but I’m not getting it. Here are details:<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>The home HQ site is on the right, the branch site in Rochester
on the left. HQ is running Openswan 2.6.19. Rochester is running
Openswan U2.4.4. The main HQ LAN is 192.168.3.nnn/24. The Rochester
LAN is 172.21.7.0/24. <o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>The problem is on the HQ side. <o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>From a host inside the HQ network, I can ping anywhere I
want inside Rochester. But when Rochester tries to ping anywhere inside
HQ, the pings just hang. So do all other connection types.
Watching tcpdump on the HQ side, I see the Echo Request/Echo Reply pairs
go back and forth as normal. But Rochester never sees an echo reply
come back. Trying a traceroute from the HQ firewall to Rochester, instead
of going thru the tunnel, the packets wander out over the public Internet
– **outside** the tunnel – and eventually die. Trying the
same traceroute from a host inside the HQ LAN works as normal. <o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>The answer has to be right in front of my face but I
don’t see it. <o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I’ve also looked at some ip xfrm policy output and
tried to decipher it. Near as I can tell and comparing with other working
tunnel networks, it looks OK. So how do I tell ipsec to stop messing
around and route the stuff I want through that tunnel?<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Here is the relevant portion of /etc/ipsec.d/hq-ipsec.conf
with dummied up public IP Addresses:<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>##version 2.0 # conforms to second version of ipsec.conf specification<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal># basic configuration<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>conn Rochester-Everywhere<o:p></o:p></p>
<p class=MsoNormal> type=tunnel<o:p></o:p></p>
<p class=MsoNormal> #<o:p></o:p></p>
<p class=MsoNormal> # Left security gateway, subnet behind it, next hop toward right.<o:p></o:p></p>
<p class=MsoNormal> #<o:p></o:p></p>
<p class=MsoNormal> also=rochester<o:p></o:p></p>
<p class=MsoNormal> #<o:p></o:p></p>
<p class=MsoNormal> # Right security gateway, subnet behind it, next hop toward left.<o:p></o:p></p>
<p class=MsoNormal> #<o:p></o:p></p>
<p class=MsoNormal> also=hq<o:p></o:p></p>
<p class=MsoNormal> rightupdown=/etc/ipsec.d/hq-updown.sh<o:p></o:p></p>
<p class=MsoNormal> auto=start<o:p></o:p></p>
<p class=MsoNormal>.<o:p></o:p></p>
<p class=MsoNormal>.<o:p></o:p></p>
<p class=MsoNormal>.<o:p></o:p></p>
<p class=MsoNormal>include /etc/ipsec.d/sites.conf<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Here is the relevant portion of my sites.conf file:<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>##version 2.0 # conforms to second version of ipsec.conf specification<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal># basic configuration<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>conn hq<o:p></o:p></p>
<p class=MsoNormal> right=1.2.3.50<o:p></o:p></p>
<p class=MsoNormal> rightnexthop=1.2.3.49<o:p></o:p></p>
<p class=MsoNormal> rightsubnet=192.168.0.0/16<o:p></o:p></p>
<p class=MsoNormal> rightsourceip=192.168.3.5<o:p></o:p></p>
<p class=MsoNormal> rightid=@hq.local<o:p></o:p></p>
<p class=MsoNormal> # RSA 2192 bits hq.lme.local Wed Jul 19 21:09:32 2006<o:p></o:p></p>
<p class=MsoNormal> rightrsasigkey=0sAQNb… <o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>conn rochester<o:p></o:p></p>
<p class=MsoNormal> left=3.2.1.145<o:p></o:p></p>
<p class=MsoNormal> leftnexthop=3.2.1.150<o:p></o:p></p>
<p class=MsoNormal> leftsubnet=172.21.7.0/24<o:p></o:p></p>
<p class=MsoNormal> leftsourceip=172.21.7.1<o:p></o:p></p>
<p class=MsoNormal> leftid=@rochester.local<o:p></o:p></p>
<p class=MsoNormal> # RSA 2192 bits rochester.lme.local Sat Oct 21 07:04:18 2006<o:p></o:p></p>
<p class=MsoNormal> leftrsasigkey=0sAQNki3sx4…<o:p></o:p></p>
<p class=MsoNormal>.<o:p></o:p></p>
<p class=MsoNormal>.<o:p></o:p></p>
<p class=MsoNormal>.<o:p></o:p></p>
<p class=MsoNormal>And here is hq_updown.sh. I’ve gone through a
few different iterations of this:<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>#!/bin/sh<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>LOCALNET1=192.168.0.0/16<o:p></o:p></p>
<p class=MsoNormal>LOCALNET2=10.200.1.0/24<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>##/usr/lib/ipsec/_updown $*<o:p></o:p></p>
<p class=MsoNormal>/usr/libexec/ipsec/_updown $*<o:p></o:p></p>
<p class=MsoNormal>if [ "$PLUTO_VERB" = "route-host" -o "$PLUTO_VERB" = "route-client" ]; then<o:p></o:p></p>
<p class=MsoNormal> for dir in in out; do<o:p></o:p></p>
<p class=MsoNormal> ip xfrm policy update dir $dir src $LOCALNET1 dst $LOCALNET1<o:p></o:p></p>
<p class=MsoNormal> ip xfrm policy update dir $dir src $LOCALNET2 dst $LOCALNET2<o:p></o:p></p>
<p class=MsoNormal> done<o:p></o:p></p>
<p class=MsoNormal>fi<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal># Route to Rochester<o:p></o:p></p>
<p class=MsoNormal>##/sbin/ip route change 172.21.7.0/24 dev br0 src 192.168.3.5 mtu 1400<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>One more clue. ip route show… will display the
relevant routes after restarting ipsec, relevant extract pasted in below.
But notice the route to Rochester, 172.21.7.0/24 - it doesn’t say
scope link the way other IPSEC routes on other hosts do. This is a clue
but I don’t know what it means. <o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>[root@lme-fw2 ipsec]# ip route show<o:p></o:p></p>
<p class=MsoNormal>.<o:p></o:p></p>
<p class=MsoNormal>.<o:p></o:p></p>
<p class=MsoNormal>.<o:p></o:p></p>
<p class=MsoNormal>1.2.3.48/28 dev br0 proto kernel scope link src 12.2.3.50<o:p></o:p></p>
<p class=MsoNormal>192.168.4.0/24 via 192.168.3.100 dev br0<o:p></o:p></p>
<p class=MsoNormal>192.168.3.0/24 dev br0 proto kernel scope link src 192.168.3.5<o:p></o:p></p>
<p class=MsoNormal>.<o:p></o:p></p>
<p class=MsoNormal>.<o:p></o:p></p>
<p class=MsoNormal>.<o:p></o:p></p>
<p class=MsoNormal>172.21.7.0/24 via 12.24.248.49 dev br0 src 192.168.3.5<o:p></o:p></p>
<p class=MsoNormal>.<o:p></o:p></p>
<p class=MsoNormal>.<o:p></o:p></p>
<p class=MsoNormal>.<o:p></o:p></p>
<p class=MsoNormal>default via 1.2.3.49 dev br0<o:p></o:p></p>
<p class=MsoNormal>[root@lme-fw2 ipsec]#<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Thanks<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoListParagraph style='text-indent:-.25in;mso-list:l1 level1 lfo2'><![if !supportLists]><span
style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'>
</span></span><![endif]>Greg Scott<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
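<p class=MsoNormal>Added example, not from Greg's mail or from Openswan: a small Python checker that parses "ip xfrm policy show" output and reports how the kernel would treat a given flow, the comparison the post above does by eye. The listing it parses is constructed from the thread's own subnets and gateways (HQ 192.168.0.0/16 behind 1.2.3.50, Rochester 172.21.7.0/24 behind 3.2.1.145); the priority and reqid values are assumed, and the template-less 192.168.0.0/16 entry models the LAN-to-LAN bypass that hq_updown.sh installs with "ip xfrm policy update".</p>

```python
import ipaddress
from typing import List, Optional
# Constructed `ip xfrm policy show` listing using the thread's addresses (HQ
# 192.168.0.0/16 behind 1.2.3.50, Rochester 172.21.7.0/24 behind 3.2.1.145);
# priority/reqid are assumed. The tmpl-less entry models hq_updown.sh's bypass.
SAMPLE_POLICY_OUTPUT = """\
src 192.168.0.0/16 dst 172.21.7.0/24
\tdir out priority 2344
\ttmpl src 1.2.3.50 dst 3.2.1.145
\t\tproto esp reqid 16385 mode tunnel
src 172.21.7.0/24 dst 192.168.0.0/16
\tdir fwd priority 2344
\ttmpl src 3.2.1.145 dst 1.2.3.50
\t\tproto esp reqid 16385 mode tunnel
src 192.168.0.0/16 dst 192.168.0.0/16
\tdir out priority 0
"""

class Policy:
    def __init__(self, src, dst):
        self.src, self.dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        self.dir, self.priority = None, None
        self.templates = []  # (tmpl src, tmpl dst) pairs; empty means bypass

def parse_policies(text: str) -> List[Policy]:
    """Turn the indented `ip xfrm policy show` listing into Policy objects."""
    policies = []
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "src" and not line[0].isspace():  # unindented = new policy
            policies.append(Policy(words[1], words[3]))
        elif words[0] == "dir":
            policies[-1].dir = words[1]
            policies[-1].priority = int(words[words.index("priority") + 1])
        elif words[0] == "tmpl":  # tunnel template: outer src/dst of the ESP packet
            policies[-1].templates.append((words[2], words[4]))
    return policies

def lookup(policies, direction, src_ip, dst_ip) -> Optional[Policy]:
    """Policy the kernel would apply: lowest priority value wins (prefix tie-break is a simplification)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    cands = [p for p in policies if p.dir == direction and s in p.src and d in p.dst]
    if not cands:
        return None
    return min(cands, key=lambda p: (p.priority, -(p.src.prefixlen + p.dst.prefixlen)))

def expected_treatment(policies, direction, src_ip, dst_ip) -> str:
    """'esp' (tunnel template), 'bypass' (template-less allow), or 'no-policy' (plain routing)."""
    p = lookup(policies, direction, src_ip, dst_ip)
    if p is None:
        return "no-policy"
    return "esp" if p.templates else "bypass"
```

<p class=MsoNormal>A flow that resolves to "esp" here yet shows up unencrypted on the public side is not a missing-policy problem, which is the narrowing the post above is trying to make.</p>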
</div>
</body>
</html>