<div dir="ltr"><div class="gmail_quote"><div dir="ltr">Hi All,<div><br></div><div>I am having some difficulties in routing traffic on an openswan box. below is my setup:</div><div>(<a href="http://10.43.4.0/24" target="_blank">10.43.4.0/24</a>) <-> router <-> (<a href="http://10.43.6.0/24" target="_blank">10.43.6.0/24</a>) <->Openswan box <- IPSec VPN Tunnel -> Amazon VPC <-> (<a href="http://10.43.7.0/24" target="_blank">10.43.7.0/24</a>)</div>
<div><br></div><div>The tunnels are up. I can ping back and forth between <a href="http://10.43.6.0/24" target="_blank">10.43.6.0/24</a> <-> <a href="http://10.43.7.0/24" target="_blank">10.43.7.0/24</a>. Internally, I can ping between <a href="http://10.43.4.0/24" target="_blank">10.43.4.0/24</a> <-> <a href="http://10.43.6.0/24" target="_blank">10.43.6.0/24</a>. However, when I ping from <a href="http://10.43.4.0/24" target="_blank">10.43.4.0/24</a> to <a href="http://10.43.7.0/24" target="_blank">10.43.7.0/24</a>, I can see the traffic flowing from 10.43.4.0 -> router -> <a href="http://10.43.6.0/24" target="_blank">10.43.6.0/24</a> -> VPN tunnel -> <a href="http://10.43.7.0/24" target="_blank">10.43.7.0/24</a> -> VPN tunnel (stops here). The OpenSwan box on my side does not route the return traffic out of its internal interface to the next hop (the internal router to <a href="http://10.43.4.0/24" target="_blank">10.43.4.0/24</a> network). </div>
<div><br></div><div>Here is my routing table:</div><div><div>206.****.***.64/27 dev eth1 proto kernel scope link src 206.***.***.83 </div><div><a href="http://10.43.6.0/24" target="_blank">10.43.6.0/24</a> dev eth0 proto kernel scope link src 10.43.6.128 </div>
<div><a href="http://10.43.4.0/24" target="_blank">10.43.4.0/24</a> via 10.43.6.4 dev eth0 </div><div><a href="http://10.43.1.0/24" target="_blank">10.43.1.0/24</a> via 10.43.6.1 dev eth0 </div><div><a href="http://192.168.11.0/24" target="_blank">192.168.11.0/24</a> via 10.43.6.1 dev eth0 </div>
<div><a href="http://169.254.0.0/16" target="_blank">169.254.0.0/16</a> dev eth0 scope link metric 1002 </div><div><a href="http://169.254.0.0/16" target="_blank">169.254.0.0/16</a> dev eth1 scope link metric 1003 </div>
<div>default via 206.***.***.65 dev eth1 </div>
</div><div><br></div><div>I disabled firewall on the Openswan box, just to roll out the firewall. So there is *no* NAT, no filters, just straight routing.</div><div><br></div><div>Here is my Openswan configuration:<br></div>
<div>conn aws-vpc-10.43.6.x-10.43.7.x<br></div><div><div> leftsubnet=<a href="http://10.43.6.0/24" target="_blank">10.43.6.0/24</a></div><div><span style="white-space:pre-wrap"> </span>rightsubnet=<a href="http://10.43.7.0/24" target="_blank">10.43.7.0/24</a></div>
<div><span style="white-space:pre-wrap"> </span>auto=start</div><div> left=206.***.***.83</div><div> right=72.***.***.225</div><div> authby=secret</div><div> ike=aes128-sha1;modp1024</div><div>
phase2=esp</div><div> phase2alg=aes128-sha1;modp1024</div><div> aggrmode=no</div><div> ikelifetime=8h</div><div> salifetime=1h</div><div> dpddelay=10</div><div> dpdtimeout=40</div>
<div> dpdaction=restart</div><div> type=tunnel</div><div><br></div><div>conn aws-vpc-10.43.4.x-10.43.7.x</div><div> leftsubnet=<a href="http://10.43.4.0/24" target="_blank">10.43.4.0/24</a></div><div>
rightsubnet=<a href="http://10.43.7.0/24" target="_blank">10.43.7.0/24</a></div>
<div> auto=start</div><div> left=206.***.***.83</div><div> right=72.***.***.225</div><div> authby=secret</div><div> ike=aes128-sha1;modp1024</div><div> phase2=esp</div><div> phase2alg=aes128-sha1;modp1024</div>
<div> aggrmode=no</div><div> ikelifetime=8h</div><div> salifetime=1h</div><div> dpddelay=10</div><div> dpdtimeout=40</div><div> dpdaction=restart</div><div> type=tunnel</div>
</div><div><br></div><div><br></div><div>After started the IPsec tunnel:<br></div><div># service ipsec status</div><div><div>IPsec running - pluto pid: 38390</div><div>pluto pid 38390</div><div>2 tunnels up</div><div>some eroutes exist</div>
</div><div><br></div><div><div># ip xfrm policy</div><div>src <a href="http://10.43.4.0/24" target="_blank">10.43.4.0/24</a> dst <a href="http://10.43.7.0/24" target="_blank">10.43.7.0/24</a> </div><div><span style="white-space:pre-wrap"> </span>dir out priority 2344 ptype main </div>
<div><span style="white-space:pre-wrap"> </span>tmpl src 206.191.2.83 dst 72.21.209.225</div><div><span style="white-space:pre-wrap"> </span>proto esp reqid 16389 mode tunnel</div><div>src <a href="http://10.43.6.0/24" target="_blank">10.43.6.0/24</a> dst <a href="http://10.43.7.0/24" target="_blank">10.43.7.0/24</a> </div>
<div><span style="white-space:pre-wrap"> </span>dir out priority 2344 ptype main </div><div><span style="white-space:pre-wrap"> </span>tmpl src 206.191.2.83 dst 72.21.209.225</div><div><span style="white-space:pre-wrap"> </span>proto esp reqid 16385 mode tunnel</div>
<div>src <a href="http://10.43.7.0/24" target="_blank">10.43.7.0/24</a> dst <a href="http://10.43.6.0/24" target="_blank">10.43.6.0/24</a> </div><div><span style="white-space:pre-wrap"> </span>dir fwd priority 2344 ptype main </div>
<div><span style="white-space:pre-wrap"> </span>tmpl src 72.21.209.225 dst 206.191.2.83</div>
<div><span style="white-space:pre-wrap"> </span>proto esp reqid 16385 mode tunnel</div><div>src <a href="http://10.43.7.0/24" target="_blank">10.43.7.0/24</a> dst <a href="http://10.43.6.0/24" target="_blank">10.43.6.0/24</a> </div>
<div><span style="white-space:pre-wrap"> </span>dir in priority 2344 ptype main </div>
<div><span style="white-space:pre-wrap"> </span>tmpl src 72.21.209.225 dst 206.191.2.83</div><div><span style="white-space:pre-wrap"> </span>proto esp reqid 16385 mode tunnel</div><div>src <a href="http://10.43.7.0/24" target="_blank">10.43.7.0/24</a> dst <a href="http://10.43.4.0/24" target="_blank">10.43.4.0/24</a> </div>
<div><span style="white-space:pre-wrap"> </span>dir fwd priority 2344 ptype main </div><div><span style="white-space:pre-wrap"> </span>tmpl src 72.21.209.225 dst 206.191.2.83</div><div><span style="white-space:pre-wrap"> </span>proto esp reqid 16389 mode tunnel</div>
<div>src <a href="http://10.43.7.0/24" target="_blank">10.43.7.0/24</a> dst <a href="http://10.43.4.0/24" target="_blank">10.43.4.0/24</a> </div><div><span style="white-space:pre-wrap"> </span>dir in priority 2344 ptype main </div>
<div><span style="white-space:pre-wrap"> </span>tmpl src 72.21.209.225 dst 206.191.2.83</div>
<div><span style="white-space:pre-wrap"> </span>proto esp reqid 16389 mode tunnel</div></div><div>(not sure why there are duplicates??)</div><div><br></div><div>when try to capture openswan internal interface while I am pinging from <a href="http://10.43.4.0/24" target="_blank">10.43.4.0/24</a> to <a href="http://10.43.7.0/24" target="_blank">10.43.7.0/24</a>, I got request traffic only. This matches what I see on the internal router side, which sees request traffic only.</div>
<div><br></div><div># tcpdump -i eth0 icmp<br></div><div><div>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode</div><div>listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes</div>
<div>12:22:19.461204 IP 10.43.4.31 > <a href="http://10.43.7.235" target="_blank">10.43.7.235</a>: ICMP echo request, id 39768, seq 1322, length 64</div><div>12:22:20.468601 IP 10.43.4.31 > <a href="http://10.43.7.235" target="_blank">10.43.7.235</a>: ICMP echo request, id 39768, seq 1323, length 64</div>
<div>12:22:21.474766 IP 10.43.4.31 > <a href="http://10.43.7.235" target="_blank">10.43.7.235</a>: ICMP echo request, id 39768, seq 1324, length 64</div><div>12:22:22.475330 IP 10.43.4.31 > <a href="http://10.43.7.235" target="_blank">10.43.7.235</a>: ICMP echo request, id 39768, seq 1325, length 64</div>
</div><div><br></div><div><br></div><div>this is what I got when capture traffic on external interface of the openswan:</div><div># tcpdump -n -i eth1 esp<br></div><div><div>12:22:26.502736 IP 206.191.2.83 > <a href="http://72.21.209.225" target="_blank">72.21.209.225</a>: ESP(spi=0x1a303937,seq=0x569), length 132</div>
<div>12:22:26.534199 IP 72.21.209.225 > <a href="http://206.191.2.83" target="_blank">206.191.2.83</a>: ESP(spi=0x7a9d5b06,seq=0x13132a6), length 132</div><div>12:22:27.512736 IP 206.191.2.83 > <a href="http://72.21.209.225" target="_blank">72.21.209.225</a>: ESP(spi=0x1a303937,seq=0x56a), length 132</div>
<div>12:22:27.544249 IP 72.21.209.225 > <a href="http://206.191.2.83" target="_blank">206.191.2.83</a>: ESP(spi=0x7a9d5b06,seq=0x13132a7), length 132</div><div>12:22:28.521535 IP 206.191.2.83 > <a href="http://72.21.209.225" target="_blank">72.21.209.225</a>: ESP(spi=0x1a303937,seq=0x56b), length 132</div>
<div>12:22:28.552389 IP 72.21.209.225 > <a href="http://206.191.2.83" target="_blank">206.191.2.83</a>: ESP(spi=0x7a9d5b06,seq=0x13132a8), length 132</div><div>12:22:29.520932 IP 206.191.2.83 > <a href="http://72.21.209.225" target="_blank">72.21.209.225</a>: ESP(spi=0x1a303937,seq=0x56c), length 132</div>
<div>12:22:29.552522 IP 72.21.209.225 > <a href="http://206.191.2.83" target="_blank">206.191.2.83</a>: ESP(spi=0x7a9d5b06,seq=0x13132a9), length 132</div></div><div><br></div><div>This suggest the ping traffic was encrypted and sent, and the return traffic was received at the openswan box external interface. However, it doesn't send out the return traffic to <a href="http://10.43.4.0/24" target="_blank">10.43.4.0/24</a> network.</div>
<div><br></div><div>I am not sure if this is openswan who failed to decrypt the traffic or simply a routing problem. I could not figure out what was incorrect. Can someone please help? Any hints would be much appreciated!</div>
<div><br></div><div>Cheers,</div><div><br></div><div>Bo</div></div>
</div><br></div>