[Openswan Users] Roadwarrior and route troubles

Vincent SCHULTZ vincent.schultz at wanadoo.fr
Wed Aug 31 16:07:33 CEST 2005


Hello All,

I am trying to set up a roadwarrior connection between a Linux FC4 (2.6.12, openswan 2.3.1) secure gateway and a mobile Linux FC3 (2.6.9, openswan 2.3.1), but I did not manage to do it. The network configuration (not connected to the Internet) is the following:

The secure gateway has 2 interfaces: the "public" address (eth0) 152.18.31.45 on the 152.18.31.0/24 network, default gateway 152.18.31.173 (a simple router that I do not manage), and a private address (eth1) 10.10.45.1 on the private network 10.10.45.0/24.

The mobile has a dynamic IP address on the 203.41.30.0/24 network (gateway 203.41.30.254). I do not manage this network.

There is no NAT between the secure gateway and the client.

I would like the client to be able to connect to the 10.10.45.0/24 network with another private address such as 192.168.10.X, using X.509 certificates.

When I start the roadwarrior connection on the client, everything seems OK:

# ipsec auto --up roadwarrior
104 "roadwarrior" #1: STATE_MAIN_I1: initiate
003 "roadwarrior" #1: received Vendor ID payload [Openswan (this version) 2.3.1  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "roadwarrior" #1: received Vendor ID payload [Dead Peer Detection]
003 "roadwarrior" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "roadwarrior" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "roadwarrior" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "roadwarrior" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "roadwarrior" #1: STATE_MAIN_I4: ISAKMP SA established
117 "roadwarrior" #2: STATE_QUICK_I1: initiate
004 "roadwarrior" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x89345bb7 <0xf148d9f1 xfrm=AES_0-HMAC_SHA1}

But a ping from the mobile to the client 10.10.45.16 does not work; in fact the ping cannot reach the SGW. I have network and route troubles then. When I run route on the mobile client I get:

# route -n
Table de routage IP du noyau
Destination  Passerelle    Genmask        Indic Metric Ref Use Iface
203.41.30.0  0.0.0.0       255.255.255.0  U     0      0     0 eth0
10.10.45.0   203.41.30.254 255.255.255.0  UG    0      0     0 eth0
169.254.0.0  0.0.0.0       255.255.0.0    U     0      0     0 eth0
0.0.0.0      203.41.30.254 0.0.0.0        UG    0      0     0 eth0

It's a bit weird to have 203.41.30.254 as the gateway to reach the 10.10.45.0 network, isn't it? It should be 152.18.31.45.

Here is my ipsec.conf on the SGW:

version 2.0
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:192.168.10.0/24
        klipsdebug=none
        plutodebug="control"
conn %default
        compress=no
        authby=rsasig
conn roadwarrior
        left=152.18.31.45
        leftsubnet=10.10.45.0/24
        leftrsasigkey=%cert
        leftcert=sgw1-crt.pem
        right=%any
        rightsubnet=vhost:%priv
        #rightsubnet=vhost:%no,%priv
        rightrsasigkey=%cert
        auto=add
include /etc/ipsec.d/examples/no_oe.conf

And the ipsec.conf on the Linux mobile:

version 2.0
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        klipsdebug=none
        plutodebug=none
conn %default
        compress=no
        authby=rsasig
conn roadwarrior
        left=%defaultroute
        leftsubnet=192.168.10.222/32
        leftrsasigkey=%cert
        leftcert=mclient1-crt.pem
        right=152.18.31.45
        rightsubnet=10.10.45.0/24
        rightrsasigkey=%cert
        rightcert=sgw1-crt.pem
        auto=add
include /etc/ipsec.d/examples/no_oe.conf

Where is my mistake? I cannot see it.
Can you help me, please?

Thank you,

Vincent
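An added check, not part of Vincent's post or of Openswan, to make the routing question above concrete: it parses the quoted "route -n" table, reports which next hop the kernel really uses for 10.10.45.0/24 and for the peer 152.18.31.45, and whether the conn's local selector 192.168.10.222/32 is assigned to any local address. The client address 203.41.30.17 is a constructed assumption, since the post does not show the interface addresses.

```python
import ipaddress

# Constructed copy of the client's "route -n" output quoted in the post.
ROUTE_OUTPUT = """Table de routage IP du noyau
Destination  Passerelle    Genmask        Indic Metric Ref Use Iface
203.41.30.0  0.0.0.0       255.255.255.0  U     0      0     0 eth0
10.10.45.0   203.41.30.254 255.255.255.0  UG    0      0     0 eth0
169.254.0.0  0.0.0.0       255.255.0.0    U     0      0     0 eth0
0.0.0.0      203.41.30.254 0.0.0.0        UG    0      0     0 eth0
"""
# Assumed (constructed) address on the client's eth0; the post does not show it.
LOCAL_ADDRS = ["203.41.30.17"]


def parse_routes(text):
    """Return (network, gateway-or-None, iface) tuples from 'route -n' output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0][0].isdigit():
            continue  # skip the (localised) header lines
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        gw = None if f[1] == "0.0.0.0" else ipaddress.ip_address(f[1])
        routes.append((net, gw, f[7]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: (gateway, iface) the kernel uses to reach dst."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return (best[1], best[2]) if best else None


def on_link(routes, addr):
    """True if addr sits on a directly connected network (usable as a next hop)."""
    addr = ipaddress.ip_address(addr)
    return any(gw is None and addr in net for net, gw, _ in routes)


def diagnose(routes, local_addrs, local_selector, peer, remote_subnet):
    """Cross-check the conn's selectors and peer against the routing table."""
    remote = ipaddress.ip_network(remote_subnet)
    sel = ipaddress.ip_network(local_selector)
    return {
        "remote_next_hop": str(lookup(routes, remote.network_address)[0]),
        "peer_on_link": on_link(routes, peer),          # False: peer cannot be a next hop
        "peer_next_hop": str(lookup(routes, peer)[0]),  # ESP to the peer goes this way too
        "selector_is_local": any(ipaddress.ip_address(a) in sel for a in local_addrs),
    }
```

Since 152.18.31.45 is on no directly connected network of the client, it cannot be the next hop from 203.41.30.0/24; ESP to the peer, and therefore the 10.10.45.0/24 route, must go via 203.41.30.254. Separately, a local selector address that exists on no interface means pings leave with a 203.41.30.x source and never match the IPsec SA's selector.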


