[Openswan Users] Half-Open tunnel ?
O-Zone
liste at zerozone.it
Tue Oct 5 16:12:46 CEST 2004
Hi all,
I've got this strange problem:
[MyNET 10.0.0.0/24]----[GW]====(VPN)=====[GW]---[OtherNET 10.0.2.0/24]
If, from OtherNET, I ping a machine in MyNET, all works well. If, from MyNET,
I ping a host inside OtherNET, it doesn't work. Here's the related ipsec.conf:
[MyNET's ipsec.conf]
conn tunnel
    ikelifetime=3h
    keylife=1h
    # MyNET
    leftsubnet=10.0.0.0/24
    # OtherNET
    right=GW Public IP
    rightnexthop=Router
    rightsubnet=10.0.2.0/24
    # -
    leftrsasigkey=[CUT]
    rightrsasigkey=[CUT]
    authby=rsasig
    leftupdown=/usr/local/lib/ipsec/_updown.x509
    auto=start
[OtherNET's ipsec.conf]
conn tunnel
    # MyNET
    left=GW
    leftsubnet=10.0.0.0/24
    leftnexthop=Router
    # OtherNET
    right=GW
    rightsubnet=10.0.2.0/24
    rightnexthop=Router
    rightupdown=/usr/local/lib/ipsec/_updown.x509
    # -
    leftrsasigkey=
    rightrsasigkey=
    auto=start
Some tests with tcpdump, if I ping from 10.0.0.9 to 10.0.2.200 (both alive):
[On MyNET's GW]
root at bastion:~# tcpdump -i ipsec0 dst 10.0.2.200
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type EN10MB (Ethernet), capture size 68 bytes
15:01:52.085904 IP GW > 10.0.2.200: icmp 64: echo request seq 838
15:01:53.085738 IP GW > 10.0.2.200: icmp 64: echo request seq 839
15:01:54.085595 IP GW > 10.0.2.200: icmp 64: echo request seq 840
[On OtherNET's GW]
...nothing...
Of course the tunnel is open (as shown by ipsec whack --status):
...cut...
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,662,36} trans={0,662,96} attrs={0,662,160}
000
000 "tunnel": 10.0.0.0/24===GW---Router...Router---GW===10.0.2.0/24
000 "tunnel": CAs: '%any'...'%any'
000 "tunnel": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "tunnel": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0; erouted
000 "tunnel": newest ISAKMP SA: #1331; newest IPsec SA: #1330; eroute owner: #1330
000 "tunnel": IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, 5_000-1-1, 5_000-2-1, flags=-strict
000 "tunnel": IKE algorithms found: 5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2, 5_192-1_128-1, 5_192-2_160-1,
000 "tunnel": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "tunnel": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "tunnel": ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000 "tunnel": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
Here's the iptables dump on both GWs:
[MyNET's GW]
Chain FORWARD (policy DROP)
target     prot opt source          destination
ACCEPT     all  --  10.0.2.0/24     localnet/24
ACCEPT     all  --  localnet/24     10.0.2.0/24
Note: localnet=10.0.0.0
[OtherNET's GW]
Chain FORWARD (policy DROP)
target     prot opt source          destination
ACCEPT     all  --  10.0.0.0/24     localnet/24
ACCEPT     all  --  localnet/24     10.0.0.0/24
Note: localnet=10.0.2.0
Some ideas ? Thanks ! Oz
--
Fourth Law of Revision:
It is usually impractical to worry beforehand about
interferences -- if you have none, someone will make one for you.
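An added check, not part of the post above and not Openswan code: given the conn's leftsubnet/rightsubnet and a tcpdump capture taken on the local ipsec interface, it flags packets that are not a leftsubnet-to-rightsubnet (or the reverse) pair. The capture in the post shows the echo requests leaving with the gateway's own address as source rather than 10.0.0.9; a packet whose source lies outside leftsubnet does not match the tunnel's selectors, so the far gateway never sees it as tunnel traffic, which is the one-directional symptom described. The sample capture lines, and the documentation-range address 203.0.113.1 standing in for the redacted "GW", are constructed for this example.

```python
import ipaddress
import re

# Constructed sample input, modelled on the capture in the post. 203.0.113.1 is
# a documentation-range placeholder standing in for the redacted "GW" public
# address; 10.0.0.9 and 10.0.2.200 are the hosts named in the post.
LEFTSUBNET = "10.0.0.0/24"   # leftsubnet= in the conn
RIGHTSUBNET = "10.0.2.0/24"  # rightsubnet= in the conn

SAMPLE_CAPTURE = """\
15:01:52.085904 IP 203.0.113.1 > 10.0.2.200: icmp 64: echo request seq 838
15:01:53.085738 IP 203.0.113.1 > 10.0.2.200: icmp 64: echo request seq 839
15:01:54.085595 IP 10.0.0.9 > 10.0.2.200: icmp 64: echo request seq 840
15:01:54.090001 IP 10.0.0.9.40000 > 10.0.2.200.22: S 1:1(0) win 5840
"""

# "<timestamp> IP <src>[.port] > <dst>[.port]:" as tcpdump prints it. Capture
# with -n in practice so addresses are never replaced by resolved names.
_LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)


def parse_capture(text):
    """Return (src, dst) address pairs for every IP line in tcpdump output."""
    pairs = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            pairs.append((m.group("src"), m.group("dst")))
    return pairs


def check_selectors(capture_text, leftsubnet, rightsubnet):
    """Flag packets seen on the local IPsec interface that are not a
    leftsubnet<->rightsubnet pair. The tunnel's SA only carries traffic that
    matches the conn's selectors, so anything flagged here was never sent
    through the tunnel and will not appear at the far gateway."""
    left = ipaddress.ip_network(leftsubnet)
    right = ipaddress.ip_network(rightsubnet)
    flagged = []
    for src, dst in parse_capture(capture_text):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if (s in left and d in right) or (s in right and d in left):
            continue  # a proper tunnel packet in either direction
        flagged.append({
            "src": src,
            "dst": dst,
            "src_in_selector": s in left or s in right,
            "dst_in_selector": d in left or d in right,
        })
    return flagged


if __name__ == "__main__":
    for hit in check_selectors(SAMPLE_CAPTURE, LEFTSUBNET, RIGHTSUBNET):
        print(f"not tunnel traffic: {hit['src']} > {hit['dst']} "
              f"(src in selector: {hit['src_in_selector']}, "
              f"dst in selector: {hit['dst_in_selector']})")
```

Feed it the output of `tcpdump -n -i ipsec0` from the sending gateway. When the flagged source is the gateway's own address, as in the post's capture, look for NAT rules (MASQUERADE or SNAT in the nat table) that rewrite the source before the packet reaches the IPsec interface; that ordering is a commonly reported cause of exactly this one-way tunnel.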