[Openswan Users] problem when routing decapsulated ESP packets
Peter Kersch
kpeti at sch.bme.hu
Thu Feb 17 19:11:58 CET 2005
Hello,
I've set up a simple net-to-net VPN using openswan like this:

    net_A --- gw_A --- router --- gw_B --- net_B
      |        |  |                          |
    192.168.1.0/24 |                 192.168.2.0/24
            eth1  eth0
    192.168.1.1   10.0.1.2

(gw_A: eth1 = 192.168.1.1 facing net_A, eth0 = 10.0.1.2 facing the router)
The ipsec tunnel is brought up without problem but there is a strange
phenomenon when I try to ping a machine in net_A from a machine in net_B:
The ECHO_REQUEST packet is encapsulated at gw_B and passes through the
tunnel without problem. But instead of sending the decapsulated
ECHO_REQUEST packet through eth1, gw_A sends it through interface eth0.
I really don't understand why, my routing table seems to be correct.
Here is a tcpdump log captured at the interface eth0 of gw_A:

    15:06:47.460942 10.0.2.2 > 10.0.1.2: ESP(spi=0x8be73ab4,seq=0x14) (DF)
    15:06:47.461301 192.168.2.2 > 192.168.1.2: icmp: echo request (DF)
and the routing table of gw_A (seems to be correct):

    Destination     Gateway         Genmask         Flags Metric Ref Use Iface
    192.168.2.0     10.0.1.1        255.255.255.0   UG    0      0   0   eth0
    10.0.1.0        0.0.0.0         255.255.255.0   U     0      0   0   eth0
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0   eth1
    0.0.0.0         10.0.1.1        128.0.0.0       UG    0      0   0   eth0
    128.0.0.0       10.0.1.1        128.0.0.0       UG    0      0   0   eth0
    0.0.0.0         10.0.1.1        0.0.0.0         UG    0      0   0   eth0
I'm using Openswan 2.3.1dr3 with native 2.6 ipsec (2.6.10 kernel) and here
is the respective conn section in ipsec.conf on both gateways:

    conn sample
        leftid=@xxx
        left=10.0.1.2
        leftsubnet=192.168.1.0/24
        leftnexthop=10.0.1.1
        leftrsasigkey=0sAQPdBxTZxR....
        rightid=@yyy
        right=10.0.2.2
        rightsubnet=192.168.2.0/24
        rightnexthop=10.0.2.1
        rightrsasigkey=0sAQNRS+2C...
        authby=rsasig
Does anyone have an idea?
Peter