[Openswan Users] Roadwarrior and route troubles
Vincent SCHULTZ
vincent.schultz at wanadoo.fr
Wed Aug 31 16:07:33 CEST 2005
Hello All,
I am trying to set up a roadwarrior connection between a Linux FC4 (2.6.12, openswan 2.3.1) secure gateway and a mobile Linux FC3 (2.6.9, openswan 2.3.1), but I have not managed to do it. The network (not connected to the Internet) configuration is the following:
The secure gateway has 2 interfaces: the "public" address (eth0) 152.18.31.45 on the 152.18.31.0/24 network, default gateway 152.18.31.173 (a simple router that I do not manage), and a private address (eth1) 10.10.45.1 on the private network 10.10.45.0/24.
The mobile has a dynamic IP address on the 203.41.30.0/24 network (gateway 203.41.30.254). I do not manage this network.
There is no NAT between the secure gateway and the client.
I would like the client to be able to connect to the 10.10.45.0/24 network with another private address such as 192.168.10.X, using X.509 certificates.
When I start the roadwarrior connection on the client, everything seems OK:
# ipsec auto --up roadwarrior
104 "roadwarrior" #1: STATE_MAIN_I1: initiate
003 "roadwarrior" #1: received Vendor ID payload [Openswan (this version) 2.3.1 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "roadwarrior" #1: received Vendor ID payload [Dead Peer Detection]
003 "roadwarrior" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "roadwarrior" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "roadwarrior" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "roadwarrior" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "roadwarrior" #1: STATE_MAIN_I4: ISAKMP SA established
117 "roadwarrior" #2: STATE_QUICK_I1: initiate
004 "roadwarrior" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x89345bb7 <0xf148d9f1 xfrm=AES_0-HMAC_SHA1}
But a ping from the mobile to the client 10.10.45.16 does not work; in fact, the ping cannot reach the SGW. So I have network and route troubles. When I run route on the mobile client I get:
# route -n
Table de routage IP du noyau
Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
203.41.30.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.10.45.0      203.41.30.254   255.255.255.0   UG    0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         203.41.30.254   0.0.0.0         UG    0      0        0 eth0
It's a bit weird to have 203.41.30.254 as the gateway to reach the 10.10.45.0 network, isn't it? It should be 152.18.31.45.
Here is my ipsec.conf on the SGW:
version 2.0
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:192.168.10.0/24
    klipsdebug=none
    plutodebug="control"
conn %default
    compress=no
    authby=rsasig
conn roadwarrior
    left=152.18.31.45
    leftsubnet=10.10.45.0/24
    leftrsasigkey=%cert
    leftcert=sgw1-crt.pem
    right=%any
    rightsubnet=vhost:%priv
    #rightsubnet=vhost:%no,%priv
    rightrsasigkey=%cert
    auto=add
include /etc/ipsec.d/examples/no_oe.conf
And ipsec.conf on the Linux mobile:
version 2.0
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    klipsdebug=none
    plutodebug=none
conn %default
    compress=no
    authby=rsasig
conn roadwarrior
    left=%defaultroute
    leftsubnet=192.168.10.222/32
    leftrsasigkey=%cert
    leftcert=mclient1-crt.pem
    right=152.18.31.45
    rightsubnet=10.10.45.0/24
    rightrsasigkey=%cert
    rightcert=sgw1-crt.pem
    auto=add
include /etc/ipsec.d/examples/no_oe.conf
Where is my mistake? I cannot see it.
Can you help me please ?
Thank you,
Vincent
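As an added example (not from the post and not Openswan code), here is a small Python cross-check of the two conn sections and the client's route table quoted above: it verifies that the client's virtual /32 lies inside the gateway's virtual_private pool, that the subnets and peer addresses of the two sides mirror each other, and that the route to the remote subnet points at the next hop the client uses to reach the peer. For an off-link peer that next hop is the default gateway, which is the route Openswan's _updown installs under NETKEY, so the 203.41.30.254 entry is the expected shape rather than the mistake. The inputs are constructed from the quoted fragments, trimmed to the parameters the check reads, and the parser implements only the indentation rule of ipsec.conf.

```python
import ipaddress

# Constructed inputs: the conn parameters and route table quoted in the post, trimmed.
GATEWAY_CONF = """\
config setup
    virtual_private=%v4:192.168.10.0/24
conn roadwarrior
    left=152.18.31.45
    leftsubnet=10.10.45.0/24
"""
CLIENT_CONF = """\
conn roadwarrior
    leftsubnet=192.168.10.222/32
    right=152.18.31.45
    rightsubnet=10.10.45.0/24
"""
CLIENT_ROUTES = """\
203.41.30.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.10.45.0 203.41.30.254 255.255.255.0 UG 0 0 0 eth0
0.0.0.0 203.41.30.254 0.0.0.0 UG 0 0 0 eth0
"""
def parse_ipsec_conf(text):
    """ipsec.conf rule: unindented lines open a section, indented key=value lines fill it."""
    sections, current = {}, {}
    for line in text.splitlines():
        if line[:1].isspace() and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key] = value
        elif line.strip():
            current = sections.setdefault(line.strip(), {})
    return sections

def parse_routes(text):
    # 'route -n' rows -> (network, gateway, iface); dotted netmasks are accepted by ipaddress.
    rows = [ln.split() for ln in text.splitlines() if ln.strip()]
    return [(ipaddress.ip_network(f"{r[0]}/{r[2]}"), r[1], r[-1]) for r in rows]

def check_roadwarrior(gw_conf, cl_conf, route_text):
    g = parse_ipsec_conf(gw_conf)
    c = parse_ipsec_conf(cl_conf)["conn roadwarrior"]
    routes = parse_routes(route_text)
    peer = ipaddress.ip_address(c["right"])
    pool = ipaddress.ip_network(g["config setup"]["virtual_private"].split(":", 1)[1])
    # Next hop toward the peer: a connected route covering it, otherwise the default gateway.
    onlink = [r for r in routes if r[1] == "0.0.0.0" and peer in r[0]]
    next_hop = "0.0.0.0" if onlink else next(r[1] for r in routes if r[0].prefixlen == 0)
    tunnel = [r for r in routes if r[0] == ipaddress.ip_network(c["rightsubnet"])]
    return {
        "virtual_ip_in_pool": ipaddress.ip_network(c["leftsubnet"]).subnet_of(pool),
        "subnets_mirror": g["conn roadwarrior"]["leftsubnet"] == c["rightsubnet"],
        "peer_matches": g["conn roadwarrior"]["left"] == c["right"],
        "route_via_peer_next_hop": bool(tunnel) and tunnel[0][1] == next_hop,
    }
```

All four checks pass on the quoted configuration, which narrows the search to what the conn sections do not cover, such as whether 192.168.10.222 is actually assigned on the client and routed back from the gateway.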