[Openswan Users] Roadwarrior and route troubles

Vincent SCHULTZ vincent.schultz at wanadoo.fr
Wed Aug 31 17:11:37 CEST 2005


Paul and the list,

Ok, I cleaned my configuration files of comments and tests; here they are on the SGW:

version 2.0 
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:192.168.10.0/24
        klipsdebug=none
        plutodebug="control"
conn %default
        compress=no
        authby=rsasig
conn roadwarrior
        left=152.18.31.45
        leftsubnet=10.10.45.0/24
        leftrsasigkey=%cert
        leftcert=sgw1-crt.pem
        right=%any
        rightsubnet=vhost:%priv
        rightrsasigkey=%cert
        auto=add
include /etc/ipsec.d/examples/no_oe.conf

And on the mobile Linux:

version 2.0
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        klipsdebug=none
        plutodebug="control"
conn %default
        compress=no
        authby=rsasig
conn roadwarrior
        left=%defaultroute
        leftsubnet=192.168.10.222/32
        leftrsasigkey=%cert
        leftcert=mclient1-crt.pem
        right=152.18.31.45
        rightsubnet=10.10.45.0/24
        rightrsasigkey=%cert
        rightcert=sgw1-crt.pem
        auto=add
include /etc/ipsec.d/examples/no_oe.conf

From the mobile I can ping the SGW:

# ping 152.18.31.45
PING 152.18.31.45 (152.18.31.45) 56(84) bytes of data.
64 bytes from 152.18.31.45: icmp_seq=0 ttl=63 time=1.40 ms
64 bytes from 152.18.31.45: icmp_seq=1 ttl=63 time=0.249 ms

When I start the connection on the mobile computer:

# ipsec auto --up roadwarrior
104 "roadwarrior" #1: STATE_MAIN_I1: initiate
003 "roadwarrior" #1: received Vendor ID payload [Openswan (this version) 2.3.1  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "roadwarrior" #1: received Vendor ID payload [Dead Peer Detection]
003 "roadwarrior" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "roadwarrior" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "roadwarrior" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "roadwarrior" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "roadwarrior" #1: STATE_MAIN_I4: ISAKMP SA established
117 "roadwarrior" #2: STATE_QUICK_I1: initiate
004 "roadwarrior" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x77d63dbc <0x9c8c9dea xfrm=AES_0-HMAC_SHA1}

But I cannot ping a client in the 10.10.45.0 LAN; the packet does not reach the SGW.

On the SGW:

# more /proc/sys/net/ipv4/conf/all/rp_filter
0
# more /proc/sys/net/ipv4/ip_forward
1

And some questions inline in the text:

On Wednesday 31 August 2005 at 15:31 +0200, Paul Wouters wrote:
> On Wed, 31 Aug 2005, Vincent SCHULTZ wrote:
> 
> > When I start roadwarrior connection on the client everything seems OK :
> 
> > 004 "roadwarrior" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x89345bb7 <0xf148d9f1 xfrm=AES_0-HMAC_SHA1}
> 
> > But a ping from the mobile to the client 10.10.45.16 does not work, in fact the ping cannot reach the SGW. I have network and routes troubles then. When I do a route on the mobile client I have :
> 
> check with 'ipsec verify'
> 
> > # route -n
> > Table de routage IP du noyau
> > Destination  Passerelle    Genmask        Indic Metric Ref Use Iface
> > 203.41.30.0  0.0.0.0       255.255.255.0  U     0      0     0 eth0
> > 10.10.45.0   203.41.30.254 255.255.255.0  UG    0      0     0 eth0
> > 169.254.0.0  0.0.0.0       255.255.0.0    U     0      0     0 eth0
> > 0.0.0.0      203.41.30.254 0.0.0.0        UG    0      0     0 eth0
> >
> > It's a bit weird to have 203.41.30.254 as the gateway to reach the 10.10.45.0 network, isn't it? It should be 152.18.31.45.
> 
> The IP address must come from somewhere. I
> 
This is the gateway on the other network where the mobile Linux is located.


> > Here is my ipsec.conf of the SGW:
> >
> > version 2.0
> > config setup
> >        interfaces=%defaultroute
> >        nat_traversal=yes
> >        virtual_private=%v4:192.168.10.0/24
> >        klipsdebug=none
> >        plutodebug="control"
> > conn %default
> >        compress=no
> >        authby=rsasig
> > conn roadwarrior
> >        left=152.18.31.45
> >        leftsubnet=10.10.45.0/24
> >        leftrsasigkey=%cert
> >        leftcert=sgw1-crt.pem
> >        right=%any
> >        rightsubnet=vhost:%priv
> >        #rightsubnet=vhost:%no,%priv
> >        rightrsasigkey=%cert
> >        auto=add
> 
> I see there is no rightsubnet defined here.
> 
And rightsubnet=vhost:%priv is not a good one?

> > include /etc/ipsec.d/examples/no_oe.conf
> >
> > And ipsec.conf on the linux mobile :
> >
> > version 2.0
> > config setup
> >        interfaces=%defaultroute
> >        nat_traversal=yes
> >        klipsdebug=none
> >        plutodebug=none
> > conn %default
> >        compress=no
> >        authby=rsasig
> > conn roadwarrior
> >        left=%defaultroute
> >        leftsubnet=192.168.10.222/32
> 
> But there is one here. I do not believe your logs posted were actually
> using this configuration file. This would never give you an IPsec SA 
> established.
> 
192.168.10.222 is the private IP address I want to give to the mobile box to access the private LAN 10.10.45.0.

> >        leftrsasigkey=%cert
> >        leftcert=mclient1-crt.pem
> >        right=152.18.31.45
> >        rightsubnet=10.10.45.0/24
> >        rightrsasigkey=%cert
> >        rightcert=sgw1-crt.pem
> >        auto=add
> > include /etc/ipsec.d/examples/no_oe.conf
> 
> If you're back to a configuration that works, check ip_forwarding (should
> be enabled on each side that has a subnet behind it) and rp_filter
> (rp_filter needs to be off).
> 
> Paul

Thank you,

Vincent
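The cross-checks a reader could apply to the two configurations and the two sysctls discussed in this thread, as an added example that is not part of the original message or of Openswan itself. The parser handles only the indented key=value layout shown above (includes are not followed), the function names are this example's own, and the embedded configs are constructed copies of the quoted fragments with the debug and certificate keys dropped. It checks that the mobile's right/rightsubnet match the SGW's left/leftsubnet, that the mobile's leftsubnet falls inside the SGW's virtual_private (which rightsubnet=vhost:%priv requires), and that ip_forward is on and rp_filter is off, as Paul asks:

```python
"""Cross-check the Openswan roadwarrior pair from this thread (added example, not
project code). Function names are this example's own; the embedded configs are
constructed copies of the fragments quoted above."""
import ipaddress
import os

SGW_CONF = """\
config setup
        nat_traversal=yes
        virtual_private=%v4:192.168.10.0/24
conn roadwarrior
        left=152.18.31.45
        leftsubnet=10.10.45.0/24
        right=%any
        rightsubnet=vhost:%priv
"""
MOBILE_CONF = """\
conn roadwarrior
        left=%defaultroute
        leftsubnet=192.168.10.222/32
        right=152.18.31.45
        rightsubnet=10.10.45.0/24
"""

def parse_ipsec_conf(text):
    """Return {'config setup': {...}, 'conn NAME': {...}}. Top-level lines open a
    section, indented key=value lines fill it, '#' starts a comment, includes are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] not in " \t":  # 'config setup', 'conn X', or version/include
            parts = line.split(None, 1)
            current = None
            if parts[0] in ("config", "conn") and len(parts) == 2:
                current = f"{parts[0]} {parts[1].strip()}"
                sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections

def virtual_private_nets(value):
    """Split virtual_private=%v4:A/B,%v4:!C/D into (allowed, excluded) IPv4 networks."""
    allowed, excluded = [], []
    for item in (i.strip() for i in value.split(",")):
        if not item.startswith("%v4:"):
            continue  # %v6 entries are ignored in this example
        net = item[len("%v4:"):]
        target = excluded if net.startswith("!") else allowed
        target.append(ipaddress.ip_network(net.lstrip("!"), strict=False))
    return allowed, excluded

def check_roadwarrior_pair(sgw_text, mobile_text, conn="roadwarrior"):
    """Return the mismatches between the two ends; an empty list means they agree."""
    sgw, mob = parse_ipsec_conf(sgw_text), parse_ipsec_conf(mobile_text)
    g, m = sgw.get(f"conn {conn}", {}), mob.get(f"conn {conn}", {})
    problems = []
    if m.get("right") != g.get("left"):
        problems.append(f"mobile right={m.get('right')} but SGW left={g.get('left')}")
    if m.get("rightsubnet") != g.get("leftsubnet"):
        problems.append(f"mobile rightsubnet={m.get('rightsubnet')} but SGW leftsubnet={g.get('leftsubnet')}")
    # With rightsubnet=vhost:%priv the SGW only accepts a client subnet that lies
    # inside config setup's virtual_private and outside its '!' exclusions.
    if "%priv" in g.get("rightsubnet", ""):
        allowed, excluded = virtual_private_nets(sgw.get("config setup", {}).get("virtual_private", ""))
        client = ipaddress.ip_network(m.get("leftsubnet", "0.0.0.0/0"), strict=False)
        if not any(client.subnet_of(a) for a in allowed) or any(client.overlaps(e) for e in excluded):
            problems.append(f"mobile leftsubnet={client} is not covered by SGW virtual_private")
    return problems

def evaluate_sysctls(values):
    """values maps paths under /proc/sys/net/ipv4 to their contents, e.g.
    {'ip_forward': '1', 'conf/all/rp_filter': '0'}; returns the problems found."""
    problems = []
    if values.get("ip_forward", "0").strip() != "1":
        problems.append("ip_forward is not 1: the SGW will not forward decrypted packets to its LAN")
    for path, val in sorted(values.items()):
        if path.endswith("/rp_filter") and val.strip() != "0":
            problems.append(f"{path} is {val.strip()}: reverse-path filtering can drop tunnel traffic")
    return problems

def read_sysctls(proc_root="/proc/sys/net/ipv4"):
    """Collect the live values for evaluate_sysctls(); run this on the SGW."""
    paths = ["ip_forward"] + [f"conf/{i}/rp_filter" for i in os.listdir(os.path.join(proc_root, "conf"))]
    values = {}
    for rel in paths:
        full = os.path.join(proc_root, rel)
        if os.path.isfile(full):
            with open(full) as fh:
                values[rel] = fh.read()
    return values

if __name__ == "__main__":
    print(check_roadwarrior_pair(SGW_CONF, MOBILE_CONF) or "configs agree")
    print(evaluate_sysctls(read_sysctls()) or "sysctls OK")  # needs a Linux /proc
```

The config check is deliberately offline so it can be run wherever both files are at hand; the sysctl part reads the live /proc tree and belongs on the SGW. It looks at every conf/*/rp_filter directory rather than only conf/all, because the kernel applies the stricter of conf/all and the per-interface value when validating a packet's source.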


