<div dir="ltr">Hello everyone,<div><br></div><div>First of all, I'm sorry. I'm very new to openswan, so I couldn't come up with a better subject, as I don't know where my problem lies exactly.</div><div><br>
</div><div>So on to the problem. In a nutshell, what I need is to create a VPN subnet that will connect to an outer VPN (outside my control, controlled by Cisco hardware) so I can connect machines on my VPN to a server located on the outer VPN.</div>
<div><br></div><div>Let me parametrize some things:</div><div><br></div><div>We have a subnet of fixed public IPs, let's say A.A.A.0/24.</div><div>All of these IPs are blocked on all ports. Well, all but one, which is our public server, with IP, let's say, A.A.A.1 (let's call it machine A).</div>
<div><br></div><div>So I installed openswan on machine A and configured it so other computers could connect to it (using L2TP and PPP), thus creating the VPN subnet 172.22.1.0/24. That worked well, and I can connect to machine A from my laptop and access the internet through it (that is, I can see the traffic being routed through machine A). This is the configuration I used for ipsec.conf:</div>
<div><br></div><div><pre>config setup
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.22.1.0/24,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        oe=off
        protostack=netkey

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        ikelifetime=8h
        keylife=1h
        type=transport
        left=A.A.A.1
        leftid=@A
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        forceencaps=yes
</pre></div><div><br></div><div>The main purpose of this VPN was to connect it with the outer VPN I mentioned. So there is a VPN with subnet C.C.C.0/24 behind the public IP B.B.B.B (let's call this public IP machine B).</div>
<div><br></div><div>I configured the site-to-site tunnel with the following options in ipsec.conf:</div><div><br></div><div><pre>conn AtoB
        authby=secret
        forceencaps=yes
        right=B.B.B.B
        rightsubnet=C.C.C.0/24
        rightid=B.B.B.B
        left=A.A.A.1
        leftsubnet=172.22.1.0/24
        leftid=A.A.A.1
        leftsourceip=172.22.1.1
        keyexchange=ike
        ikelifetime=480m
        keylife=60m
        ike=3des-sha1;modp1024
        phase2=esp
        phase2alg=3des-sha1;modp1024
        auto=start
</pre>
</div><div><br></div><div>(also, the shared key is in ipsec.secrets)</div><div><br></div><div>From what I see in /var/log/auth.log, the tunnel seems to be up correctly:</div><div>
<br></div><div><font face="courier new, monospace">STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x22ce104a <0xee6f5fcf xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=B.B.B.B:4500 DPD=none}</font><br></div><div>
<br clear="all"><div>This is what <b>ipsec setup status</b> says:</div><div><br></div><div><div><font face="courier new, monospace">IPsec running - pluto pid: 16468</font></div><div><font face="courier new, monospace">pluto pid 16468</font></div>
<div><font face="courier new, monospace">6 tunnels up</font></div><div><font face="courier new, monospace">some eroutes exist</font></div></div><div><br></div><div>Output from <b>ip xfrm policy</b>:</div><div><br></div><div>
<pre>src 172.22.1.0/24 dst C.C.C.0/24
        dir out priority 2344
        tmpl src A.A.A.1 dst B.B.B.B
                proto esp reqid 16393 mode tunnel
src C.C.C.0/24 dst 172.22.1.0/24
        dir fwd priority 2344
        tmpl src B.B.B.B dst A.A.A.1
                proto esp reqid 16393 mode tunnel
src C.C.C.0/24 dst 172.22.1.0/24
        dir in priority 2344
        tmpl src B.B.B.B dst A.A.A.1
                proto esp reqid 16393 mode tunnel
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
</pre></div><div><br></div><div>Output from <b>ip xfrm state</b>:<br></div><div><br></div><div><pre>src B.B.B.B dst A.A.A.1
        proto esp spi 0xd975bef6 reqid 16393 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0xb8f35f24c4e6e5b8b276ff87c54ff505f81516ce 96
        enc cbc(des3_ede) 0x697f5905b38b0253745796600db14eae49ed07858df03477
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src A.A.A.1 dst B.B.B.B
        proto esp spi 0xfc41a87b reqid 16393 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0xa6e92befa1f12f71ed9ecb480f6e4c52669f9c8f 96
        enc cbc(des3_ede) 0xe6f9383a1b8db9344a97934471a8cd63eb0f85e072a66f2f
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
</pre></div><div><br></div><div><br></div><div>So, as far as I know, everything should be working! But I can't access any IP on the C.C.C.0/24 subnet. I tried doing some traceroutes, and it goes through machine A, but from there it tries to find the IP C.C.C.1 directly, and not through the IP B.B.B.B (machine B, the outer VPN gateway).</div>
<div><br></div><div>I'm running openswan 2.6.37-1 on Ubuntu 12.04, kernel 3.2.0-52-generic-pae!</div><div><br></div>Any input will be appreciated! If any other info is required, just mention it and I'll send it!</div>
<div><br></div><div>Thanks,</div><div>Felipe</div></div>
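<div><br></div><div>Added example (not from the post above, nor openswan's own code): a small Python checker that reads the text <b>ip xfrm policy</b> prints and reports whether a given inner source/destination pair is covered by a tunnel policy. With the NETKEY stack the selector match is made on the inner packet's addresses, so a packet sourced from the gateway's own public address (for instance a traceroute run on machine A itself without binding to the 172.22.1.1 source address) falls outside a 172.22.1.0/24 selector and is routed in the clear, which is exactly what "tries to find C.C.C.1 directly" looks like. The policy text and the documentation addresses 192.0.2.1, 203.0.113.5 and 198.51.100.0/24 (standing in for A.A.A.1, B.B.B.B and C.C.C.0/24) are constructed for the example.</div>

```python
"""Which Linux xfrm (IPsec) policy, if any, would a given flow match?

Added example, not part of the original post.  Parses `ip xfrm policy`
output and answers whether a packet with a given inner src/dst would be
steered into a tunnel.  A flow that matches no policy leaves in the clear.

SAMPLE_XFRM_POLICY is constructed to mirror the shape of the post's output,
with documentation addresses standing in for the placeholders:
192.0.2.1 = A.A.A.1, 203.0.113.5 = B.B.B.B, 198.51.100.0/24 = C.C.C.0/24.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

SAMPLE_XFRM_POLICY = """\
src 172.22.1.0/24 dst 198.51.100.0/24
        dir out priority 2344
        tmpl src 192.0.2.1 dst 203.0.113.5
                proto esp reqid 16393 mode tunnel
src 198.51.100.0/24 dst 172.22.1.0/24
        dir fwd priority 2344
        tmpl src 203.0.113.5 dst 192.0.2.1
                proto esp reqid 16393 mode tunnel
src 198.51.100.0/24 dst 172.22.1.0/24
        dir in priority 2344
        tmpl src 203.0.113.5 dst 192.0.2.1
                proto esp reqid 16393 mode tunnel
src ::/0 dst ::/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
"""


@dataclass
class Policy:
    src: Net                              # inner (selector) source network
    dst: Net                              # inner (selector) destination network
    direction: str                        # "in", "out" or "fwd"
    priority: int                         # lower number wins among matches
    tmpl: Optional[Tuple[str, str, str]]  # (outer src, outer dst, mode)


def parse_xfrm_policy(text: str) -> List[Policy]:
    """Parse `ip xfrm policy` text. Per-socket bypass entries are dropped."""
    entries: List[dict] = []
    cur: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^src (\S+) dst (\S+)", line)
        if m:  # a new policy starts with its selector line
            cur = {"src": ipaddress.ip_network(m.group(1), strict=False),
                   "dst": ipaddress.ip_network(m.group(2), strict=False),
                   "dir": "", "prio": 0, "tmpl": None, "socket": False}
            entries.append(cur)
            continue
        if cur is None:
            continue
        # "dir out priority 2344" (newer iproute2 adds "action/index" between)
        m = re.match(r"^(dir|socket) (\w+).*priority (\d+)", line)
        if m:
            cur["socket"] = m.group(1) == "socket"
            cur["dir"], cur["prio"] = m.group(2), int(m.group(3))
            continue
        m = re.match(r"^tmpl src (\S+) dst (\S+)", line)
        if m:  # outer addresses of the SA this policy maps to
            cur["tmpl"] = [m.group(1), m.group(2), ""]
            continue
        m = re.search(r"\bmode (\w+)", line)
        if m and cur["tmpl"] is not None:
            cur["tmpl"][2] = m.group(1)
    return [Policy(e["src"], e["dst"], e["dir"], e["prio"],
                   tuple(e["tmpl"]) if e["tmpl"] else None)
            for e in entries if not e["socket"]]


def lookup(policies: List[Policy], src_ip: str, dst_ip: str,
           direction: str) -> Optional[Policy]:
    """Best-priority policy whose selectors contain src_ip -> dst_ip, or None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in policies
            if p.direction == direction
            and p.src.version == s.version and s in p.src
            and p.dst.version == d.version and d in p.dst]
    return min(hits, key=lambda p: p.priority) if hits else None


def describe(policies: List[Policy], src_ip: str, dst_ip: str,
             direction: str = "out") -> str:
    """Human-readable verdict for one flow."""
    p = lookup(policies, src_ip, dst_ip, direction)
    if p is None:
        return f"{src_ip} -> {dst_ip} ({direction}): no policy, sent in the clear"
    outer_src, outer_dst, mode = p.tmpl or ("?", "?", "?")
    return (f"{src_ip} -> {dst_ip} ({direction}): {mode} mode via ESP "
            f"{outer_src} -> {outer_dst}, selector {p.src} -> {p.dst}")


if __name__ == "__main__":
    pols = parse_xfrm_policy(SAMPLE_XFRM_POLICY)
    # a laptop on the L2TP subnet talking to the remote site: covered
    print(describe(pols, "172.22.1.10", "198.51.100.1"))
    # the same probe sourced from the gateway's public address, as when
    # traceroute is run on machine A itself: outside the selector
    print(describe(pols, "192.0.2.1", "198.51.100.1"))
    # the gateway using its leftsourceip as source: covered again
    print(describe(pols, "172.22.1.1", "198.51.100.1"))
```

To run it against a live box, replace the sample with the output of <b>ip xfrm policy</b> and test the exact source address the failing host uses. When a flow that should be covered still comes back "in the clear", the usual suspects are a source address outside leftsubnet (tests from machine A itself need <b>-s 172.22.1.1</b> or an equivalent binding) and, if machine A masquerades the L2TP clients' internet traffic, a NAT rule rewriting the source before the packet reaches the tunnel; an <b>iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT</b> ahead of the MASQUERADE rule keeps tunnel-bound packets out of NAT.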