[Openswan Users] Problems setting up a net-to-net configuration
Frank Meerkoetter
frank at betaversion.net
Tue Jun 15 10:47:13 CEST 2004
Hi,
I have some problems connecting two subnets.
A picture of my net setup can be found here:
http://stud.fbi.fh-darmstadt.de/~meerkoetter/uml_net.png
Basic ip connectivity is working (u1 is able to ping u3).
I've configured r1 and r3 as ipsec gateways connecting the
subnets 192.168.0.0/24 and 192.168.22.0/24. But something isn't
working right. After starting the ipsec tunnel u1 is no longer able
to ping u3.
r1:~# cat /etc/ipsec.conf
conn net-to-net
left=10.0.0.254
leftsubnet=192.168.0.0/24
leftid=@r1
leftrsasigkey=0sAQPgfHMh....II/OUfZaITnUfar
leftnexthop=%defaultroute
right=10.0.1.253
rightsubnet=192.168.22.0/24
rightid=@r3
rightrsasigkey=0sAQOz3nf....QvRKuvHa2rtYjC5yR
rightnexthop=%defaultroute
auto=add
r1:~# ipsec verify
Checking your system to see if IPsec got installed and started
correctly:
Version check and ipsec on-path [OK]
Linux Openswan 2.1.2 (klips)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
r3 produces the same output.
r1:~# ipsec auto --up net-to-net
104 "net-to-net" #1: STATE_MAIN_I1: initiate
106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established
112 "net-to-net" #2: STATE_QUICK_I1: initiate
004 "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xd117f895 <0x13667528}
Everything according to the documentation so far.
But I'm not able to send a ping from 192.168.0.1 to 192.168.22.1.
I'm running a sniffer on r2, which produces the following output while
running the ping.
21:57:08.731424 10.0.0.254 > 10.0.1.253: ESP(spi=0xd117f895,seq=0x1c)
21:57:22.061810 10.0.0.254 > 10.0.1.253: ESP(spi=0xd117f895,seq=0x1d)
21:57:22.978935 10.0.0.254 > 10.0.1.253: ESP(spi=0xd117f895,seq=0x1e)
[...]
IPsec traffic is only going in one direction.
If I try to send a ping from 192.168.22.1 to 192.168.0.1, I also don't
get a reply, but the sniffer on r2 shows yet another picture:
07:38:24.307729 192.168.22.1 > 192.168.0.1: icmp: echo request (DF)
07:38:24.308763 10.0.0.254 > 10.0.1.253: ESP(spi=0xd117f896,seq=0x281f)
07:38:25.703089 192.168.22.1 > 192.168.0.1: icmp: echo request (DF)
07:38:25.704212 10.0.0.254 > 10.0.1.253: ESP(spi=0xd117f896,seq=0x2820)
It can be seen that the IP tunnel is only used in one direction.
r1:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.22.0    10.0.0.253      255.255.255.0   UG    0      0        0 ipsec0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth2
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.0.0.253      0.0.0.0         UG    0      0        0 eth2
r3:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.22.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
0.0.0.0         10.0.1.254      0.0.0.0         UG    0      0        0 eth1
All machines involved are User Mode Linux processes:
r1:~# uname -a
Linux r1 2.4.26-1um #1 Mon Jun 14 17:50:54 CEST 2004 i686 unknown
r1:~# ipsec version
Linux Openswan 2.1.2 (klips)
Can anyone help me figure out what's wrong?
TIA Frank
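The two observations in the post (the kernel route for the remote subnet exists on one gateway only, and ESP appears on the transit link in one direction only) can be checked mechanically from pasted `route -n` and tcpdump output. The script below is an added example, not code from the original post or from Openswan: it reproduces the post's own routing tables and sniffer lines as constructed sample input (re-joined onto one line each), does a longest-prefix route lookup for the far-side host on each gateway, lists which gateway pairs actually carried ESP, and counts packets that crossed the transit link in the clear. The function names and the sample variables are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: checks that make the
# one-way-tunnel symptom visible from pasted 'route -n' and tcpdump output,
# without needing the UML hosts. Inputs are the post's own tables and
# captures, re-joined onto one line each (constructed sample input).

# r1's routing table: the remote subnet 192.168.22.0/24 is reached via ipsec0.
R1_ROUTES='Destination  Gateway     Genmask        Flags Metric Ref Use Iface
192.168.22.0 10.0.0.253  255.255.255.0  UG    0      0   0   ipsec0
10.0.0.0     0.0.0.0     255.255.255.0  U     0      0   0   eth2
10.0.0.0     0.0.0.0     255.255.255.0  U     0      0   0   ipsec0
192.168.1.0  0.0.0.0     255.255.255.0  U     0      0   0   eth1
192.168.0.0  0.0.0.0     255.255.255.0  U     0      0   0   eth0
0.0.0.0      10.0.0.253  0.0.0.0        UG    0      0   0   eth2'

# r3's routing table: no route for 192.168.0.0/24, so only the default applies.
R3_ROUTES='Destination  Gateway     Genmask        Flags Metric Ref Use Iface
192.168.22.0 0.0.0.0     255.255.255.0  U     0      0   0   eth0
10.0.1.0     0.0.0.0     255.255.255.0  U     0      0   0   eth1
10.0.1.0     0.0.0.0     255.255.255.0  U     0      0   0   ipsec0
0.0.0.0      10.0.1.254  0.0.0.0        UG    0      0   0   eth1'

# Sniffer lines from r2, both ping directions concatenated.
CAPTURE='21:57:08.731424 10.0.0.254 > 10.0.1.253: ESP(spi=0xd117f895,seq=0x1c)
21:57:22.061810 10.0.0.254 > 10.0.1.253: ESP(spi=0xd117f895,seq=0x1d)
07:38:24.307729 192.168.22.1 > 192.168.0.1: icmp: echo request (DF)
07:38:24.308763 10.0.0.254 > 10.0.1.253: ESP(spi=0xd117f896,seq=0x281f)
07:38:25.703089 192.168.22.1 > 192.168.0.1: icmp: echo request (DF)
07:38:25.704212 10.0.0.254 > 10.0.1.253: ESP(spi=0xd117f896,seq=0x2820)'

# route_iface TABLE HOST: longest-prefix lookup over a 'route -n' listing.
# Prints the interface the kernel would pick for HOST ("none" if no route).
# Bitwise AND is emulated with a bit loop because and() is a gawk extension.
route_iface() {
    printf '%s\n' "$1" | awk -v host="$2" '
    function ip2int(s,  o) { split(s, o, "[.]"); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function band(a, b,  r, bit) {
        r = 0; bit = 1
        while (a >= 1 && b >= 1) {
            if ((a % 2 == 1) && (b % 2 == 1)) r += bit
            a = int(a / 2); b = int(b / 2); bit *= 2
        }
        return r
    }
    BEGIN { h = ip2int(host); best = -1; iface = "none" }
    NR == 1 { next }                          # skip the column header
    {
        net = ip2int($1); mask = ip2int($3)
        if (band(h, mask) == net && mask > best) { best = mask; iface = $8 }
    }
    END { print iface }'
}

# esp_directions CAPTURE: every distinct "src>dst" gateway pair that carried
# ESP. A healthy net-to-net tunnel shows both orderings of the two gateways.
esp_directions() {
    printf '%s\n' "$1" | awk '/ESP\(/ {
        dst = $4; sub(/:$/, "", dst); key = $2 ">" dst
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# cleartext_count CAPTURE: packets on the transit link that were not ESP,
# i.e. inter-subnet traffic that bypassed the tunnel.
cleartext_count() {
    printf '%s\n' "$1" | awk '!/ESP\(/ { n++ } END { print n + 0 }'
}

echo "r1 -> 192.168.22.1 via: $(route_iface "$R1_ROUTES" 192.168.22.1)"
echo "r3 -> 192.168.0.1  via: $(route_iface "$R3_ROUTES" 192.168.0.1)"
echo "ESP seen in direction(s): $(esp_directions "$CAPTURE" | tr '\n' ' ')"
echo "cleartext packets on transit link: $(cleartext_count "$CAPTURE")"
```

Run on a live gateway, replace the sample variables with `$(route -n)` and a saved tcpdump file; a remote subnet whose lookup does not land on `ipsec0`, or an ESP list with only one direction, is the condition to chase, since packets leaving through the plain interface are both unprotected and never answered through the tunnel.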