Problem: I create a host to host vpn tunnel, when use the native netkey stack, the tunnel works perfectly without any problem, but when I change the stack from netkey to klips on one end, the tunnel can be successfully bulit, but it can't send packet back to the other end.<br>
<br>Here is my setup:<br>hostA(192.168.2.128) ---->GW(192.168.2.129,no NAT,10.1.1.1)--->10.1.1.10(hostB)<br><br>ipsec.conf of hostA<br>====================================================<br>version 2.0 # conforms to second version of ipsec.conf specification<br>
config setup<br> protostack=netkey<br> nat_traversal=yes<br> virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16">10.0.0.0/8,%v4:192.168.0.0/16</a><br> oe=off<br> nhelpers=0<br>
conn tklips<br> left=192.168.2.128<br> leftrsasigkey=xxxxxxxxxxxxxxxxx<br> right=10.1.1.10<br> rightrsasigkey=xxxxxxxxxxxxxxxxxxx<br> auto=add<br>=====================================================<br>
<br><br>ipsec.conf of hostB<br>=====================================================<br>version 2.0 # conforms to second version of ipsec.conf specification<br>config setup<br> nat_traversal=yes<br> oe=off<br>
protostack=auto<br>conn tklips<br> left=192.168.2.128<br> leftrsasigkey=xxxxxxxxxxxx<br> right=10.1.1.10<br> rightrsasigkey=xxxxxxxxxxxxxxx<br> auto=start<br><br>===================================================<br>
<br><br>on hostA, before bring the tunnel:<br>==================================================<br>traceroute 10.1.1.10<br>traceroute to 10.1.1.10 (10.1.1.10), 30 hops max, 40 byte packets<br> 1 192.168.2.129 (192.168.2.129) 0.928 ms 0.743 ms 0.666 ms<br>
2 10.1.1.10 (10.1.1.10) 4.381 ms 4.769 ms 4.663 ms<br>==================================================<br><br>on hostA, after bring up the tunnel, use the above config file<br>==================================================<br>
#traceroute 10.1.1.10<br>traceroute to 10.1.1.10 (10.1.1.10), 30 hops max, 40 byte packets<br> 1 10.1.1.10 (10.1.1.10) 18.820 ms 19.484 ms 19.291 ms<br>==================================================<br><br>But I want to use klips, so ,on hostB, I installed the klips module, and set protostack=klips in ipsec.conf.<br>
=========================================================<br>#ipsec verify<br>Checking your system to see if IPsec got installed and started correctly:<br>Version check and ipsec on-path [OK]<br>
Linux Openswan 2.6.31 (klips)<br>Checking for IPsec support in kernel [OK]<br>KLIPS detected, checking for NAT Traversal support [OK]<br>SAref kernel support [N/A]<br>
Checking that pluto is running [OK]<br>Pluto listening for IKE on udp 500 [OK]<br>Pluto listening for NAT-T on udp 4500 [OK]<br>Two or more interfaces found, checking IP forwarding [FAILED]<br>
Checking for 'ip' command [OK]<br>Checking for 'iptables' command [OK]<br>Opportunistic Encryption Support [DISABLED]<br>
<br># ifconfig<br>eth0 Link encap:Ethernet HWaddr 00:0c:29:05:14:07<br> inet addr:10.1.1.10 Bcast:10.1.1.255 Mask:255.255.255.0<br> inet6 addr: fe80::20c:29ff:fe05:1407/64 Scope:Link<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
RX packets:2754 errors:0 dropped:0 overruns:0 frame:0<br> TX packets:1675 errors:0 dropped:0 overruns:0 carrier:0<br> collisions:0 txqueuelen:1000<br> RX bytes:270748 (270.7 KB) TX bytes:273601 (273.6 KB)<br>
Interrupt:19 Base address:0x2000<br><br>ipsec0 Link encap:Ethernet HWaddr 00:0c:29:05:14:07<br> inet addr:10.1.1.10 Mask:255.255.255.0<br> inet6 addr: fe80::20c:29ff:fe05:1407/64 Scope:Link<br>
UP RUNNING NOARP MTU:1500 Metric:1<br> RX packets:0 errors:0 dropped:0 overruns:0 frame:0<br> TX packets:0 errors:0 dropped:3 overruns:0 carrier:0<br> collisions:0 txqueuelen:10<br> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)<br>
<br>lo Link encap:Local Loopback<br> inet addr:127.0.0.1 Mask:255.0.0.0<br> inet6 addr: ::1/128 Scope:Host<br> UP LOOPBACK RUNNING MTU:16436 Metric:1<br> RX packets:0 errors:0 dropped:0 overruns:0 frame:0<br>
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0<br> collisions:0 txqueuelen:0<br> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)<br><br>mast0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00<br>
inet addr:10.1.1.10 Mask:255.255.255.255<br> UP RUNNING NOARP MTU:1452 Metric:1<br> RX packets:0 errors:0 dropped:0 overruns:0 frame:0<br> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0<br>
collisions:0 txqueuelen:10<br> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)<br><br><br>#ipsec auto --status<br>000 using kernel interface: mast<br>000 interface mast0/eth0 10.1.1.10<br>000 interface mast0/eth0 10.1.1.10<br>
000 %myid = (none)<br>000 debug none<br>000<br>000 virtual_private (%priv):<br>000 - allowed 0 subnets:<br>000 - disallowed 0 subnets:<br>000 WARNING: Either virtual_private= is not specified, or there is a syntax<br>000 error in that line. 'left/rightsubnet=vhost:%priv' will not work!<br>
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have<br>000 private address space in internal use, it should be excluded!<br>000<br>000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192<br>
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256<br>000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128<br>000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160<br>
000<br>000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128<br>000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192<br>000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128<br>
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128<br>000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128<br>000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128<br>
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16<br>000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20<br>000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32<br>000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64<br>
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024<br>000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536<br>000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048<br>
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072<br>000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096<br>000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144<br>
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192<br>000<br>000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}<br>000<br>000 "tklips": 10.1.1.10<10.1.1.10>[+S=C]...192.168.2.128<192.168.2.128>[+S=C]; erouted; eroute owner: #2<br>
000 "tklips": myip=unset; hisip=unset;<br>000 "tklips": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0<br>000 "tklips": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW; prio: 32,32; interface: eth0;<br>
000 "tklips": newest ISAKMP SA: #1; newest IPsec SA: #2;<br>000 "tklips": IKE algorithm newest: AES_CBC_128-SHA1-MODP2048<br>000<br>000 #2: "tklips":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27778s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate<br>
000 #2: "tklips" <a href="mailto:esp.8d3f82a5@192.168.2.128">esp.8d3f82a5@192.168.2.128</a> <a href="mailto:esp.1e9dd485@10.1.1.10">esp.1e9dd485@10.1.1.10</a> <a href="mailto:tun.1001@192.168.2.128">tun.1001@192.168.2.128</a> <a href="mailto:tun.1002@10.1.1.10">tun.1002@10.1.1.10</a> ref=3 refhim=1<br>
000 #1: "tklips":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2548s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate<br>000<br><br>=============================================================<br>
<br>When I ping hostB from hostA, not respone, but I can see those packet from ipsec0.<br>===============================================<br>#tcpdump -i ipsec0<br>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br>
listening on ipsec0, link-type EN10MB (Ethernet), capture size 65535 bytes<br>18:55:44.716399 IP 192.168.2.128 > <a href="http://10.1.1.10">10.1.1.10</a>: ICMP echo request, id 60237, seq 7, length 64<br>18:55:45.925541 IP 192.168.2.128 > <a href="http://10.1.1.10">10.1.1.10</a>: ICMP echo request, id 60237, seq 8, length 64<br>
18:55:47.130018 IP 192.168.2.128 > <a href="http://10.1.1.10">10.1.1.10</a>: ICMP echo request, id 60237, seq 9, length 64<br>18:55:48.314226 IP 192.168.2.128 > <a href="http://10.1.1.10">10.1.1.10</a>: ICMP echo request, id 60237, seq 10, length 64<br>
18:55:49.533390 IP 192.168.2.128 > <a href="http://10.1.1.10">10.1.1.10</a>: ICMP echo request, id 60237, seq 11, length 64<br>=====================================================================<br><br>and ipsec eroute show nothing.<br>
<br>I am definitely sure that tunnel traffic can go from hostA to hostB, but why cann't it go from hostB to hostA?<br>environment of hostB:<br><br>ubuntu 10.10<br>dpkg -l | grep openswan<br>ii openswan 1:2.6.31-1xelerance1 Internet Key Exchange daemon<br>
ii openswan-modules-dkms 1:2.6.31-1xelerance1 Internet Key Exchange daemon - DKMS source<br><br><br>Can any one kindly help me out, this has trapped me for several days.<br><br><br><br><br><br>
<br><br>