<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-15">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi all!<br>
<br>
I am a new openswan user and I start to enjoy this tool.<br>
<br>
I'm configuring a site to site ipsec tunnel, and I have some
problems: the tunnel is up but no traffic is passing through. In the
following the description of the scenario.<br>
<br>
I have to establish a ipsec tunnel between our customer site(on
amazon cloud) and a provider site. An host in our customer site
needs to connect to two different host in the provider site, through
the ipsec tunnel. The ipsec endpoint for our customer is a linux
server; the linux server is behind a firewall and doesn't have a
pubblic ip. The ipsec endpoint of the provider is a Cisco ASA: i
have no control on this endpoint. The endpoint LAN ip address is
192.168.60.10 and the host who needs to use the ipsec tunnel has ip
192.168.50.4. For a requirement of the provider, we have to use as
encrypted domain (our left subnet) the network 10.129.46.168/29; so
i have configured a SNAT that translate the ip of the host
(192.168.50.4) to an ip of the encrypted domain (10.129.46.169). On
the provider side, the encryption domain (the right subnet) is
composed by two different ip: 10.129.128.101/32,10.128.243.223/32,
so in the configuration you can find the "righsubnets" parameter.<br>
<br>
I have the following ipsec.conf:<br>
<br>
# /etc/ipsec.conf - Openswan IPsec configuration file<br>
<br>
# This file: /usr/share/doc/openswan/ipsec.conf-sample<br>
#<br>
# Manual: ipsec.conf.5<br>
<br>
<br>
version 2.0 # conforms to second version of ipsec.conf
specification<br>
<br>
# basic configuration<br>
config setup<br>
# Do not set debug options to debug configuration issues!<br>
# plutodebug / klipsdebug = "all", "none" or a combation from
below:<br>
# "raw crypt parsing emitting control klips pfkey natt x509 dpd
private"<br>
# eg:<br>
# plutodebug="control parsing"<br>
#<br>
# enable to get logs per-peer<br>
plutoopts="--perpeerlog"<br>
#<br>
# Again: only enable plutodebug or klipsdebug when asked by a
developer<br>
#<br>
# NAT-TRAVERSAL support, see README.NAT-Traversal<br>
nat_traversal=yes<br>
# exclude networks used on server side by adding %v4:!a.b.c.0/24<br>
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12<br>
# OE is now off by default. Uncomment and change to on, to
enable.<br>
#oe=off<br>
# which IPsec stack to use. auto will try netkey, then klips
then mast<br>
protostack=netkey<br>
interfaces=%defaultroute<br>
klipsdebug=all<br>
plutodebug=all<br>
plutostderrlog=/var/log/pluto.log<br>
conn provider<br>
type=tunnel<br>
left=192.168.60.10<br>
leftnexthop=%defaultroute<br>
leftsubnet=10.129.46.168/29<br>
right=PROVIDER_PUBLIC_IP<br>
#rightnexthop=%defaultroute<br>
#rightsubnet=10.129.128.101/32<br>
rightsubnets={10.129.128.101/32,10.128.243.223/32}<br>
ike=3des-md5;modp1024<br>
auth=esp<br>
phase2alg=3des-md5<br>
keyexchange=ike<br>
authby=secret<br>
pfs=no<br>
auto=start<br>
aggrmode=no <br>
ikelifetime=28800s<br>
salifetime=3600s<br>
forceencaps=yes <br>
<br>
<br>
and the tunnel seems to be up:<br>
<br>
#/etc/init.d/ipsec status<br>
IPsec running - pluto pid: 28315<br>
pluto pid 28315<br>
2 tunnels up<br>
some eroutes exist<br>
<br>
and ipsec auto --status:<br>
000 #460: "provider/0x1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 1678s; newest IPSEC; eroute owner;
isakmp#458; idle; import:admin initiate<br>
000 #460: "provider/0x1" esp.908d713a@PROVIDER_PUBLIC_IP
<a class="moz-txt-link-abbreviated" href="mailto:esp.43855675@192.168.60.10">esp.43855675@192.168.60.10</a> tun.0@PROVIDER_PUBLIC_IP
<a class="moz-txt-link-abbreviated" href="mailto:tun.0@192.168.60.10">tun.0@192.168.60.10</a> ref=0 refhim=4294901761<br>
000 #458: "provider/0x1":4500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 27088s; newest ISAKMP; lastdpd=17s(seq in:0
out:0); idle; import:admin initiate<br>
000 #459: "provider/0x2":4500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 1947s; newest IPSEC; eroute owner;
isakmp#458; idle; import:admin initiate<br>
000 #459: "provider/0x2" esp.5efdb3f7@PROVIDER_PUBLIC_IP
<a class="moz-txt-link-abbreviated" href="mailto:esp.67195cef@192.168.60.10">esp.67195cef@192.168.60.10</a> tun.0@PROVIDER_PUBLIC_IP
<a class="moz-txt-link-abbreviated" href="mailto:tun.0@192.168.60.10">tun.0@192.168.60.10</a> ref=0 refhim=4294901761<br>
000 <br>
<br>
<br>
Here is the Source Nat configuration on the ipsec endpoint:<br>
<br>
Chain POSTROUTING (policy ACCEPT)<br>
target prot opt source destination <br>
SNAT all -- 192.168.50.4 10.129.128.101
to:10.129.46.170 <br>
SNAT all -- 192.168.50.4 10.128.243.223
to:10.129.46.169 <br>
MASQUERADE all -- 192.168.50.0/24 anywhere <br>
<br>
If I try a telnet from the host on the customer site to one of the
host in provider site, the telnet doesn't work. I can see in the
file of the nat translation the following:<br>
packets=6 bytes=360 [UNREPLIED] src=10.129.128.101 dst=10.129.46.170
sport=23 dport=46032 packets=0 bytes=0 mark=0 secmark=0 use=2<br>
<br>
I've asked to the provider IT Group to check if they receive traffic
from our host...They used an ACL to log the traffic from our host;
they confirmed that the tunnels are up but no traffic was arrived
into their network:<br>
<br>
access-list outside_cryptomap_161 extended permit ip host
10.129.128.101 10.129.46.168 255.255.255.248<br>
<br>
local ident (addr/mask/prot/port):
(10.129.128.101/255.255.255.255/0/0)<br>
<br>
remote ident (addr/mask/prot/port):
(10.129.46.168/255.255.255.248/0/0)<br>
<br>
current_peer: CUSTOMER_PUBLIC_IP<br>
<br>
<br>
<br>
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0<br>
<br>
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify:<br>
<br>
Here there are the ip xfrm policy:<br>
<br>
src 10.129.46.168/29 dst 10.129.128.101/32 <br>
dir out priority 2176 ptype main <br>
tmpl src 192.168.60.10 dst PROVIDER_PUBLIC_IP<br>
proto esp reqid 16385 mode tunnel<br>
src 10.129.46.168/29 dst 10.128.243.223/32 <br>
dir out priority 2176 ptype main <br>
tmpl src 192.168.60.10 dst PROVIDER_PUBLIC_IP<br>
proto esp reqid 16389 mode tunnel<br>
src 10.128.243.223/32 dst 10.129.46.168/29 <br>
dir fwd priority 2176 ptype main <br>
tmpl src PROVIDER_PUBLIC_IP dst 192.168.60.10<br>
proto esp reqid 16389 mode tunnel<br>
src 10.128.243.223/32 dst 10.129.46.168/29 <br>
dir in priority 2176 ptype main <br>
tmpl src PROVIDER_PUBLIC_IP dst 192.168.60.10<br>
proto esp reqid 16389 mode tunnel<br>
src 10.129.128.101/32 dst 10.129.46.168/29 <br>
dir fwd priority 2176 ptype main <br>
tmpl src PROVIDER_PUBLIC_IP dst 192.168.60.10<br>
proto esp reqid 16385 mode tunnel<br>
src 10.129.128.101/32 dst 10.129.46.168/29 <br>
dir in priority 2176 ptype main <br>
tmpl src PROVIDER_PUBLIC_IP dst 192.168.60.10<br>
proto esp reqid 16385 mode tunnel<br>
src ::/0 dst ::/0 <br>
dir 4 priority 0 ptype main <br>
src ::/0 dst ::/0 <br>
dir 3 priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
dir 4 priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
dir 3 priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
dir 4 priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
dir 3 priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
dir 4 priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
dir 3 priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
dir 4 priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
dir 3 priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
dir 4 priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
dir 3 priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
dir 4 priority 0 ptype main <br>
src 0.0.0.0/0 dst 0.0.0.0/0 <br>
dir 3 priority 0 ptype main <br>
<br>
<br>
Here is the traceroute from the customer host:<br>
traceroute to 10.129.128.101 (10.129.128.101), 30 hops max, 60 byte
packets<br>
1 192.168.60.10 (192.168.60.10) 0.356 ms 0.335 ms 0.344 ms<br>
2 * * *<br>
3 * * *<br>
4 * * *<br>
5 * * *<br>
6 * * *<br>
<br>
<br>
I haven't iptables rules that are blocking the traffic:<br>
<br>
iptables -L<br>
Chain INPUT (policy ACCEPT)<br>
target prot opt source destination <br>
DROP all -- MALICIUS_HOST_IP anywhere (old
rule,it's not related to the ipsec tunnel) <br>
<br>
Chain FORWARD (policy ACCEPT)<br>
target prot opt source destination <br>
<br>
Chain OUTPUT (policy ACCEPT)<br>
target prot opt source destination <br>
<br>
<br>
Here is the ipsec verify output:<br>
<br>
perl: warning: Setting locale failed.<br>
perl: warning: Please check that your locale settings:<br>
LANGUAGE = (unset),<br>
LC_ALL = (unset),<br>
LANG = "it_IT.UTF-8"<br>
are supported and installed on your system.<br>
perl: warning: Falling back to the standard locale ("C").<br>
Checking your system to see if IPsec got installed and started
correctly:<br>
Version check and ipsec on-path [OK]<br>
Linux Openswan U2.6.28/K2.6.32-5-xen-686 (netkey)<br>
Checking for IPsec support in kernel [OK]<br>
NETKEY detected, testing for disabled ICMP send_redirects [OK]<br>
NETKEY detected, testing for disabled ICMP accept_redirects [OK]<br>
Checking that pluto is running [OK]<br>
Pluto listening for IKE on udp 500 [OK]<br>
Pluto listening for NAT-T on udp 4500 [OK]<br>
Two or more interfaces found, checking IP forwarding [OK]<br>
Checking NAT and MASQUERADEing <br>
Checking for 'ip' command [OK]<br>
Checking for 'iptables' command [OK]<br>
Opportunistic Encryption Support
[DISABLED]<br>
<br>
<br>
I also tried to enable or disable the forceencaps, but nothing
changed.<br>
<br>
So, it seems that the traffic from the customer host isn't send
through the ipsec tunnel.but why?<br>
I really appreciate if someone can provide any helps!<br>
<br>
Thank You!<br>
<br>
<br>
<br>
<br>
<br>
<br>
<div class="moz-signature">-- <br>
<div>
<p><span style="font-size: 7.5pt; font-family: Tahoma; color:
gray;">-----------------------------------------------------------<br>
<b>Giovanni Messina</b><br>
Systems Operations<br>
tel: <b>+39 095 388583</b><br>
tel/fax: <b>+39 095 382521</b><br>
internet: <a href="http://www.bizmate.it/"
title="http://www.bizmate.it/"><font style="font-size:
7.5pt; font-family: Tahoma;">www.bizmate.it</font></a><br>
mail: <a href="mailto:giovanni.messina@bizmate.it"
title="mailto:giovanni.messina@bizmate.it"><font
style="font-size: 7.5pt; font-family: Tahoma;">giovanni.messina@bizmate.it</font></a><br>
-----------------------------------------------------------<br>
Bizmate S.r.l. - confidenziale - Tutti i diritti riservati</span></p>
</div>
</div>
</body>
</html>