[Openswan Users] problem when routing decapsulated ESP packets

Peter Kersch kpeti at sch.bme.hu
Thu Feb 17 19:11:58 CET 2005


Hello,

I've set up a simple net-to-net VPN using openswan like this:

net_A     ---       gw_A --- router --- gw_B --- net_B
    ^             ^      ^
192.168.1.0/24    |      |                       192.168.2.0/24
                 eth1   eth0
                  ^      ^
           192.168.1.1  10.0.1.2

the ipsec tunnel is brought up without problem but there is a strange
phenomenon when I try to ping a machine in net_A from a machine in net_B:
The ECHO_REQUEST packet is encapsulated at gw_B and passes through the
tunnel without problem. But instead of sending the decapsulated
ECHO_REQUEST packet through eth1, gw_A sends it through interface eth0.
I really don't understand why, my routing table seems to be correct..

Here is a tcpdump log captured at the interface eth0 of gw_A

15:06:47.460942 10.0.2.2 > 10.0.1.2: ESP(spi=0x8be73ab4,seq=0x14) (DF)
15:06:47.461301 192.168.2.2 > 192.168.1.2: icmp: echo request (DF)

and the routing table of gw_A (seems to be correct..):

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     10.0.1.1        255.255.255.0   UG    0      0        0 eth0
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         10.0.1.1        128.0.0.0       UG    0      0        0 eth0
128.0.0.0       10.0.1.1        128.0.0.0       UG    0      0        0 eth0
0.0.0.0         10.0.1.1        0.0.0.0         UG    0      0        0 eth0

I'm using Openswan 2.3.1dr3 with native 2.6 ipsec (2.6.10 kernel) and here
is the respective conn section in ipsec.conf on both gateways:

conn sample
        leftid=@xxx
        left=10.0.1.2
        leftsubnet=192.168.1.0/24
        leftnexthop=10.0.1.1
        leftrsasigkey=0sAQPdBxTZxR....
        rightid=@yyy
        right=10.0.2.2
        rightsubnet=192.168.2.0/24
        rightnexthop=10.0.2.1
        rightrsasigkey=0sAQNRS+2C...
        authby=rsasig

Does anyone have an idea?

Peter
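Added example, not from the post or from Openswan: a longest-prefix lookup over the routing table quoted above (the table is embedded as constructed input). It shows which interface and next hop the main table selects for a given destination; for 192.168.1.2 it returns eth1, so the kernel's main table by itself does not account for a packet leaving on eth0.

```python
import ipaddress

# Constructed copy of the gw_A routing table from the post (netstat -rn format)
ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     10.0.1.1        255.255.255.0   UG    0      0        0 eth0
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         10.0.1.1        128.0.0.0       UG    0      0        0 eth0
128.0.0.0       10.0.1.1        128.0.0.0       UG    0      0        0 eth0
0.0.0.0         10.0.1.1        0.0.0.0         UG    0      0        0 eth0
"""


def parse_routes(text):
    """Parse netstat -rn style output into a list of route dicts."""
    routes = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        dest, gw, mask, flags, metric, _ref, _use, iface = line.split()
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append({"net": net, "gateway": gw, "flags": flags,
                       "metric": int(metric), "iface": iface})
    return routes


def lookup(routes, dst):
    """Return the best matching route: longest prefix, then lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["net"].prefixlen, r["metric"]))


def egress(routes, dst):
    """Return (interface, next_hop) the main table selects for dst."""
    r = lookup(routes, dst)
    if r is None:
        return None
    # A gateway of 0.0.0.0 means the destination is directly connected
    next_hop = dst if r["gateway"] == "0.0.0.0" else r["gateway"]
    return r["iface"], next_hop


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    for dst in ("192.168.1.2", "192.168.2.2", "10.0.2.2"):
        print(dst, "->", egress(table, dst))
```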