[Openswan Users] Roadwarrior and route troubles
Paul Wouters
paul at xelerance.com
Wed Aug 31 16:31:06 CEST 2005
On Wed, 31 Aug 2005, Vincent SCHULTZ wrote:
> When I start roadwarrior connection on the client everything seems OK:
> 004 "roadwarrior" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x89345bb7 <0xf148d9f1 xfrm=AES_0-HMAC_SHA1}
> But a ping from the mobile to the client 10.10.45.16 does not work, in fact the ping cannot reach the SGW. I have network and routes troubles then. When I do a route on the mobile client I have:
check with 'ipsec verify'
> # route -n
> Table de routage IP du noyau
> Destination Passerelle Genmask Indic Metric Ref Use Iface
> 203.41.30.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 10.10.45.0 203.41.30.254 255.255.255.0 UG 0 0 0 eth0
> 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
> 0.0.0.0 203.41.30.254 0.0.0.0 UG 0 0 0 eth0
>
> It's a bit weird to have 203.41.30.254 as gateway to reach the 10.10.45.0 network, isn't it? It should be 152.18.31.45.
The IP address must come from somewhere. I
> Here is my ipsec.conf of the SGW:
>
> version 2.0
> config setup
>     interfaces=%defaultroute
>     nat_traversal=yes
>     virtual_private=%v4:192.168.10.0/24
>     klipsdebug=none
>     plutodebug="control"
> conn %default
>     compress=no
>     authby=rsasig
> conn roadwarrior
>     left=152.18.31.45
>     leftsubnet=10.10.45.0/24
>     leftrsasigkey=%cert
>     leftcert=sgw1-crt.pem
>     right=%any
>     rightsubnet=vhost:%priv
>     #rightsubnet=vhost:%no,%priv
>     rightrsasigkey=%cert
>     auto=add
I see there is no rightsubnet defined here.
> include /etc/ipsec.d/examples/no_oe.conf
>
> And ipsec.conf on the Linux mobile:
>
> version 2.0
> config setup
>     interfaces=%defaultroute
>     nat_traversal=yes
>     klipsdebug=none
>     plutodebug=none
> conn %default
>     compress=no
>     authby=rsasig
> conn roadwarrior
>     left=%defaultroute
>     leftsubnet=192.168.10.222/32
But there is one here. I do not believe your logs posted were actually
using this configuration file. This would never give you an IPsec SA
established.
>     leftrsasigkey=%cert
>     leftcert=mclient1-crt.pem
>     right=152.18.31.45
>     rightsubnet=10.10.45.0/24
>     rightrsasigkey=%cert
>     rightcert=sgw1-crt.pem
>     auto=add
> include /etc/ipsec.d/examples/no_oe.conf
If you're back to a configuration that works, check ip_forwarding (should
be enabled on each side that has a subnet behind it) and rp_filter
(rp_filter needs to be off).
Paul
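A small check script for the two kernel settings Paul names at the end, ip_forward and rp_filter; this is an added example, not code from the thread or from Openswan, and SYSCTL_ROOT is an assumed override so it can be pointed at a copy of the sysctl tree instead of the live /proc/sys.

```shell
#!/bin/sh
# Added example, not from the thread: check the two kernel settings Paul names,
# net.ipv4.ip_forward and rp_filter, on an Openswan gateway or roadwarrior.
# SYSCTL_ROOT is an assumed override so the checks can run against a copy of /proc/sys.
: "${SYSCTL_ROOT:=/proc/sys}"

# read_ipv4_sysctl NAME: print the value of net/ipv4/NAME, or nothing if unreadable.
read_ipv4_sysctl() {
    f="$SYSCTL_ROOT/net/ipv4/$1"
    if [ -r "$f" ]; then cat "$f"; fi
}

# Return 0 when ip_forward=1 (needed on every side that has a subnet behind it).
check_forwarding() {
    v=$(read_ipv4_sysctl ip_forward)
    if [ "$v" = "1" ]; then
        echo "ok: net.ipv4.ip_forward=1"
        return 0
    fi
    echo "FAIL: net.ipv4.ip_forward=${v:-unset}; fix: sysctl -w net.ipv4.ip_forward=1"
    return 1
}

# Return 0 when rp_filter=0 on 'all' and every interface; otherwise list the offenders.
# Reverse-path filtering drops packets whose source would not be routed back out the
# receiving interface, which is exactly the case for decrypted tunnel traffic.
check_rp_filter() {
    bad=""
    for d in "$SYSCTL_ROOT"/net/ipv4/conf/*; do
        [ -r "$d/rp_filter" ] || continue
        v=$(cat "$d/rp_filter")
        [ "$v" = "0" ] || bad="$bad $(basename "$d")=$v"
    done
    if [ -z "$bad" ]; then
        echo "ok: rp_filter=0 on all interfaces"
        return 0
    fi
    echo "FAIL: rp_filter enabled on:$bad; fix: sysctl -w net.ipv4.conf.all.rp_filter=0 (and per interface)"
    return 1
}

# Run both checks; exit status 0 only when both pass.
ipsec_host_check() {
    rc=0
    check_forwarding || rc=1
    check_rp_filter || rc=1
    return $rc
}

case "${1:-}" in check) ipsec_host_check ;; esac   # usage: sh ipsec_host_check.sh check
```

Run it on both the SGW and the roadwarrior; a FAIL line names the sysctl to change before looking any further at the IPsec side.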