[Openswan Users] routing problem

Gunnar Weikamp gw at csw-com.de
Sat Sep 25 10:00:55 CEST 2004


Hi all.

I am currently working on an openswan connection between the office
network and my dial-up network at home.

Whatever I do, pluto does not set up the routing the way it should.
After reading thousands of docs and howtos I am at the point where
I really need a little help. Perhaps you can point me to the problem.

On both sides I have a debian-stable (with some testing/unstable parts)
with debian-kernel 2.4.26. Klips is compiled and used. Openswan is at
hydra:~# dpkg -l | grep openswan
ii  openswan       2.1.3-1        IPSEC utilities for Openswan
ii  openswan-modul 2.1.3-1        IPSEC kernel modules source for Openswan
on both ends.

Authentication works with x509 and PSK. For the sake of simplicity I
am testing with PSK only. This works on both sides:
Sep 24 11:04:20 io pluto[4137]: "roadwarrior"[1] 80.x.y.1 #3: IPsec SA established {ESP=>0x6f34a028 <0x2625bddd}
and
Sep 24 11:00:32 hydra pluto[3795]: "roadwarrior" #3: sent QI2, IPsec SA established {ESP=>0x2625bddd <0x6f34a028}

The problem is that pluto cannot set up routes properly.
The network is like this

Office-Net:
10.1.2.0/24
     |
     |
10.1.2.1 - 202.9.100.195 - 202.9.100.193 - 112.19.177.150
  eth3        eth2              eth1           eth0
             ipsec0                              |
                                                 |
                                            112.19.177.149
                                               (Router)
                                                 |
                                                 |
                                             The Internet
                                                 |
                                                 |
                                             80.x.y.1
                                              DUP-IP
                                           on DLink 664
                                           IPsec thru is
                                          OK for IKE (500)
                                          and ESP 50 datagrams.
                                           192.168.192.165
                                                  |
                                                  |
             10.1.1.30 ------------------- 192.168.192.77
               eth0                             eth1
                |                              ipsec0
                |
            10.1.1.0/24
            Home Network


When swan comes up I get these routes:
@office:
0          10.1.2.0/24        -> 10.1.1.0/24        => tun0x1003 at 80.x.y.1
0          202.9.100.195/32   -> 217.94.167.176/32  => tun0x1004 at 80.x.y.1
@home:
0          10.1.1.0/24        -> 10.1.2.0/24        => tun0x1002 at 202.9.100.195
0          192.168.192.77/32  -> 202.9.100.195/32   => tun0x1004 at 202.9.100.195
AFAIK this looks ok.

The problem is in the Office logs I get:
/usr/lib/ipsec/_updown: doroute `ip route add 80.x.y.1/32 via 80.x.y.1 dev ipsec0 ' failed (RTNETLINK answers: Network is unreachable)

tcpdump -i ipsec0 when I want to ping the other end from each side:
tcpdump: listening on ipsec0
@home & office.
traceroute shows me that on both sides packets are sent to the routers
instead of using that ipsec-route.

hydra:~# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                         [OK]
Linux Openswan 2.1.3 (klips)
Checking for IPsec support in kernel                                    [OK]
Checking for RSA private key (/etc/ipsec.secrets)                       [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                          [OK]
Two or more interfaces found, checking IP forwarding                    [OK]
Checking NAT and MASQUERADEing                                          [N/A]
Checking for 'ip' command                                               [OK]
Checking for 'iptables' command                                         [OK]
@home & office. RSA can be ignored as it's only for IKE/authentication, I think.
OE is excluded by conf and fails here, but that does not matter, I also think.

On request I could do an ipsec barf, but I did not see any hints there, so
I skip this here to avoid growing this mail...

The basic .conf files (thanks, Nate Carlson, Jean-Francois Nadeau, SwanWiki
and millions of others who wrote HowTos) are these:

@office
version 2

config setup
  interfaces="ipsec0=eth2"

conn %default
  keyingtries=1
  compress=yes
  authby=secret

conn roadwarrior-net
  leftsubnet=10.1.2.0/24
  rightsubnet=10.1.1.0/24
  also=roadwarrior

conn roadwarrior
  left=202.9.100.195
  right=%any
  rightid=@hydra
  auto=add

include /etc/ipsec.d/examples/no_oe.conf


@home
version 2

config setup
  interfaces="ipsec0=eth1"

conn %default
  keyingtries=1
  compress=yes
  authby=secret

conn roadwarrior-net
  leftsubnet=10.1.2.0/24
  rightsubnet=10.1.1.0/24
  also=roadwarrior

conn roadwarrior
  left=202.9.100.195
  right=192.168.192.77
  rightid=@hydra
  auto=start

include /etc/ipsec.d/examples/no_oe.conf

I played with virtual private and left/right nexthop, which do not
change anything. nat-traversal is not required, as the 80.x.y.1
gets directly mapped to the swan-IP in the private net.

iptables -L -n is empty for all chains on both sides, so there are
no problems with firewalling.

The only problem is that the routing does not work, packets do
not use the tunnel.

Most probably I only have a small problem in setup/understanding,
but I do not find it. Thanks for your ideas, and sorry for a mail this big.


Regards & thanks for reading
--
Gunnar.Weikamp at csw-com.de | Fon:+49/(0)711 - 4799 - 393 | IT Services
http://www.csw-com.de     | Fax:+49/(0)711 - 4799 - 595 | & Solutions
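Editor's note, added below the mail and not part of it: the poster's eroute tables (the "@office" / "@home" lines above) and the conn values from the two ipsec.conf files can be reconciled mechanically before anyone looks at routing. The script below is an added example, not code from the post or from Openswan. It copies the four eroute lines and the left/right/leftsubnet/rightsubnet values from the message, keeps the poster's masked address 80.x.y.1 as a literal string (nothing but the CIDR prefixes is parsed as an address), and assumes, as the posted conf does, that left is the office gateway and right the home gateway. It checks three things a practitioner would check by eye: that each side has the subnet eroute its conn asks for, that every eroute terminates at the peer the conn names, and that a host-to-host eroute (/32 -> /32) points at the peer address itself. It does not model the failing `ip route add ... via 80.x.y.1 dev ipsec0`; for the record, the kernel answers "Network is unreachable" to `ip route add X via G dev D` when G itself is not reachable through D.

```python
"""Reconcile KLIPS `ipsec eroute` output with the ipsec.conf conn values.

Added example for the mail above; not code from the post or from Openswan.
The eroute lines and conn values are copied from the message, with the
poster's placeholder 80.x.y.1 kept verbatim and compared as a string.
"""
import ipaddress
import re

EROUTE_RE = re.compile(
    r"^\s*(?P<count>\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"\s+=>\s+(?P<said>\S+)\s+at\s+(?P<peer>\S+)\s*$"
)

# Constructed sample: the eroute lines exactly as printed in the mail.
OFFICE_EROUTES = """\
0          10.1.2.0/24        -> 10.1.1.0/24        => tun0x1003 at 80.x.y.1
0          202.9.100.195/32   -> 217.94.167.176/32  => tun0x1004 at 80.x.y.1
"""
HOME_EROUTES = """\
0          10.1.1.0/24        -> 10.1.2.0/24        => tun0x1002 at 202.9.100.195
0          192.168.192.77/32  -> 202.9.100.195/32   => tun0x1004 at 202.9.100.195
"""

# conn roadwarrior / roadwarrior-net as posted: left = office, right = home.
CONN = {"left": "202.9.100.195", "leftsubnet": "10.1.2.0/24",
        "right": "192.168.192.77", "rightsubnet": "10.1.1.0/24"}
# What the office side actually sees as the home peer (the D-Link's public address).
OFFICE_SEES_PEER = "80.x.y.1"


def parse_eroutes(text):
    """One dict per eroute line (count, src, dst, said, peer); reject unknown lines."""
    routes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = EROUTE_RE.match(line)
        if not m:
            raise ValueError("unparsable eroute line: %r" % line)
        routes.append(m.groupdict())
    return routes


def _same_net(a, b):
    return ipaddress.ip_network(a, strict=False) == ipaddress.ip_network(b, strict=False)


def check_side(name, eroutes, local_subnet, remote_subnet, expected_peer):
    """Findings for one gateway's eroute table; an empty list means consistent."""
    findings = []
    if not any(_same_net(r["src"], local_subnet) and _same_net(r["dst"], remote_subnet)
               for r in eroutes):
        findings.append("%s: no eroute %s -> %s" % (name, local_subnet, remote_subnet))
    for r in eroutes:
        if r["peer"] != expected_peer:
            findings.append("%s: eroute %s -> %s ends at %s, conn expects %s"
                            % (name, r["src"], r["dst"], r["peer"], expected_peer))
        # A host-to-host eroute should carry the peer's own /32 as destination.
        if r["src"].endswith("/32") and r["dst"].endswith("/32") \
                and r["dst"] != r["peer"] + "/32":
            findings.append("%s: host eroute dst %s is not the peer %s"
                            % (name, r["dst"], r["peer"]))
    return findings


def check_mirror(office, home):
    """Every subnet eroute on the office side needs its mirror image at home."""
    findings = []
    for r in office:
        if r["src"].endswith("/32"):
            continue
        if not any(_same_net(h["src"], r["dst"]) and _same_net(h["dst"], r["src"])
                   for h in home):
            findings.append("no home eroute mirrors %s -> %s" % (r["src"], r["dst"]))
    return findings


def run_check():
    """Run all checks on the posted tables and return the list of findings."""
    office = parse_eroutes(OFFICE_EROUTES)
    home = parse_eroutes(HOME_EROUTES)
    findings = []
    findings += check_side("office", office, CONN["leftsubnet"], CONN["rightsubnet"],
                           OFFICE_SEES_PEER)
    findings += check_side("home", home, CONN["rightsubnet"], CONN["leftsubnet"],
                           CONN["left"])
    findings += check_mirror(office, home)
    if CONN["right"] != OFFICE_SEES_PEER:
        findings.append("info: office eroutes end at %s, home conf says right=%s"
                        % (OFFICE_SEES_PEER, CONN["right"]))
    return findings


if __name__ == "__main__":
    for f in run_check():
        print(f)
```

On the posted output the subnet eroutes are present on both sides and mirror each other, and every eroute ends at the expected peer. The checker flags two things: the office host-to-host eroute's destination (217.94.167.176/32) is not the peer it is listed "at" (80.x.y.1), and the address the office sees (80.x.y.1) differs from the home conf's right=192.168.192.77, which is what the diagram shows for the D-Link in between. Whether the first is a masked address in the mail or a real mismatch is something only the poster can say; the point of the check is that it separates those two questions from the routing one.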

