[Openswan Users] Roadwarrior and route troubles

Paul Wouters paul at xelerance.com
Wed Aug 31 16:31:06 CEST 2005


On Wed, 31 Aug 2005, Vincent SCHULTZ wrote:

> When I start roadwarrior connection on the client everything seems OK :

> 004 "roadwarrior" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x89345bb7 <0xf148d9f1 xfrm=AES_0-HMAC_SHA1}

> But a ping from the mobile to the client 10.10.45.16 does not work, in fact the ping cannot reach the SGW. I have network and routes troubles then. When I do a route on the mobile client I have :

check with 'ipsec verify'

> # route -n
> Table de routage IP du noyau
> Destination  Passerelle    Genmask        Indic Metric Ref Use Iface
> 203.41.30.0  0.0.0.0       255.255.255.0  U     0      0     0 eth0
> 10.10.45.0   203.41.30.254 255.255.255.0  UG    0      0     0 eth0
> 169.254.0.0  0.0.0.0       255.255.0.0    U     0      0     0 eth0
> 0.0.0.0      203.41.30.254 0.0.0.0        UG    0      0     0 eth0
>
> It's a bit weird to have 203.41.30.254 as gateway to reach the 10.10.45.0 network, isn't it ? It should be 152.18.31.45.

The IP address must come from somewhere. I

> Here is my ipsec.conf of the SWG :
>
> version 2.0
> config setup
>        interfaces=%defaultroute
>        nat_traversal=yes
>        virtual_private=%v4:192.168.10.0/24
>        klipsdebug=none
>        plutodebug="control"
> conn %default
>        compress=no
>        authby=rsasig
> conn roadwarrior
>        left=152.18.31.45
>        leftsubnet=10.10.45.0/24
>        leftrsasigkey=%cert
>        leftcert=sgw1-crt.pem
>        right=%any
>        rightsubnet=vhost:%priv
>        #rightsubnet=vhost:%no,%priv
>        rightrsasigkey=%cert
>        auto=add

I see there is no rightsubnet defined here.

> include /etc/ipsec.d/examples/no_oe.conf
>
> And ipsec.conf on the linux mobile :
>
> version 2.0
> config setup
>        interfaces=%defaultroute
>        nat_traversal=yes
>        klipsdebug=none
>        plutodebug=none
> conn %default
>        compress=no
>        authby=rsasig
> conn roadwarrior
>        left=%defaultroute
>        leftsubnet=192.168.10.222/32

But there is one here. I do not believe your logs posted were actually
using this configuration file. This would never give you an IPsec SA 
established.

>        leftrsasigkey=%cert
>        leftcert=mclient1-crt.pem
>        right=152.18.31.45
>        rightsubnet=10.10.45.0/24
>        rightrsasigkey=%cert
>        rightcert=sgw1-crt.pem
>        auto=add
> include /etc/ipsec.d/examples/no_oe.conf

If you're back to a configuration that works, check ip_forwarding (should
be enabled on each side that has a subnet behind it) and rp_filter
(rp_filter needs to be off).

Paul
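A quick check for the two kernel settings named in the reply, ip_forward and rp_filter, as an added example that is not part of the thread. It assumes a Linux host; the SYSFS_ROOT variable is a hypothetical knob that only exists so the script can be pointed at a constructed /proc/sys tree.

```shell
#!/bin/sh
# Added example: report whether a host is set up to forward decapsulated
# IPsec traffic. SYSFS_ROOT is a hypothetical prefix (empty on a real box,
# a constructed tree for testing).
SYSFS_ROOT="${SYSFS_ROOT:-}"

read_knob() {
    # $1 = path under /proc/sys; prints the value, or "missing" if unreadable
    f="$SYSFS_ROOT/proc/sys/$1"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else echo missing; fi
}

check_ipsec_gw_sysctls() {
    # $1 = interface the tunnel terminates on (default eth0).
    # Returns 0 when ip_forward=1 and rp_filter=0 for all, default and $1;
    # the kernel applies the stricter of conf.all and the per-interface value.
    iface="${1:-eth0}"
    rc=0
    fwd=$(read_knob net/ipv4/ip_forward)
    if [ "$fwd" = "1" ]; then
        echo "ok   net.ipv4.ip_forward=1"
    else
        echo "FAIL net.ipv4.ip_forward=$fwd (needed on a side with a subnet behind it)"
        rc=1
    fi
    for scope in all default "$iface"; do
        v=$(read_knob "net/ipv4/conf/$scope/rp_filter")
        if [ "$v" = "0" ]; then
            echo "ok   net.ipv4.conf.$scope.rp_filter=0"
        else
            echo "FAIL net.ipv4.conf.$scope.rp_filter=$v (drops packets whose source is only reachable via the tunnel)"
            rc=1
        fi
    done
    return $rc
}
```

Run it on both the gateway and the roadwarrior; a non-zero exit means at least one setting would stop the decrypted packets from being routed.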
