[Openswan Users] problem when routing decapsulated ESP packets
Trevor Hennion
trevor-os at thennion.demon.co.uk
Thu Feb 17 18:37:50 CET 2005
On Thursday 17 February 2005 18:11, Peter Kersch wrote:
> Hello,
>
> I've set up a simple net-to-net VPN using openswan like this:
>
> net_A --- gw_A --- router --- gw_B --- net_B
>   |         |                            |
> 192.168.1.0/24  eth1: 192.168.1.1      192.168.2.0/24
>                 eth0: 10.0.1.2
>
> the ipsec tunnel is brought up without problem but there is a strange
> phenomenon when I try to ping a machine in net_A from a machine in net_B:
> The ECHO_REQUEST packet is encapsulated at gw_B and passes through the
> tunnel without problem. But instead of sending the decapsulated
> ECHO_REQUEST packet through eth1, gw_A sends it through interface eth0.
> I really don't understand why, my routing table seems to be correct..
>
> Here is a tcpdump log captured at the interface eth0 of gw_A
>
> 15:06:47.460942 10.0.2.2 > 10.0.1.2: ESP(spi=0x8be73ab4,seq=0x14) (DF)
> 15:06:47.461301 192.168.2.2 > 192.168.1.2: icmp: echo request (DF)
>
> and the routing table of gw_A (seems to be correct..):
>
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.2.0     10.0.1.1        255.255.255.0   UG    0      0        0 eth0
> 10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 0.0.0.0         10.0.1.1        128.0.0.0       UG    0      0        0 eth0
> 128.0.0.0       10.0.1.1        128.0.0.0       UG    0      0        0 eth0
> 0.0.0.0         10.0.1.1        0.0.0.0         UG    0      0        0 eth0
>
> I'm using Openswan 2.3.1dr3 with native 2.6 ipsec (2.6.10 kernel) and here
> is the respective conn section in ipsec.conf on both gateways:
>
> conn sample
> leftid=@xxx
> left=10.0.1.2
> leftsubnet=192.168.1.0/24
> leftnexthop=10.0.1.1
> leftrsasigkey=0sAQPdBxTZxR....
> rightid=@yyy
> right=10.0.2.2
> rightsubnet=192.168.2.0/24
> rightnexthop=10.0.2.1
> rightrsasigkey=0sAQNRS+2C...
> authby=rsasig
>
> Does anyone have an idea?
>
> Peter
Peter,
You don't show where 10.0.1.1 is on your 'chart', but in your routing table it
is the gateway to eth0. Your 'leftnexthop=10.0.1.1' may be the problem -
should that be 192.168.1.1 perhaps?
Regards
Trevor Hennion
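An added example, not part of either message above: a small Python script that parses the `route -n` table Peter posted (embedded below as a constructed string) and performs the same longest-prefix-match lookup the kernel does for the decapsulated echo request's destination. It makes the point behind "my routing table seems to be correct" concrete: by destination routing alone, 192.168.1.2 matches 192.168.1.0/24 on eth1, which is more specific than the 128.0.0.0/1 and 0.0.0.0/0 entries on eth0, so the eth0 egress seen in the tcpdump cannot be explained by this table by itself. The `next_hop` helper and the table text are assumptions made for the example.

```python
"""Longest-prefix-match lookup over a Linux `route -n` table.

Added example (not from the original post). It reproduces the kernel's
FIB selection rule for a destination: the matching entry with the longest
prefix wins, and among equal prefixes the lowest metric wins.
"""
import ipaddress

# Constructed from the routing table quoted in the thread (route -n layout).
ROUTE_N_OUTPUT = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     10.0.1.1        255.255.255.0   UG    0      0        0 eth0
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         10.0.1.1        128.0.0.0       UG    0      0        0 eth0
128.0.0.0       10.0.1.1        128.0.0.0       UG    0      0        0 eth0
0.0.0.0         10.0.1.1        0.0.0.0         UG    0      0        0 eth0
"""


def parse_route_n(text):
    """Turn `route -n` output into a list of route dicts (header line skipped)."""
    routes = []
    for line in text.splitlines()[1:]:
        dest, gw, mask, flags, metric, _ref, _use, iface = line.split()
        routes.append({
            # (address, dotted netmask) is accepted by IPv4Network directly
            "net": ipaddress.IPv4Network((dest, mask)),
            # 0.0.0.0 in the Gateway column means "directly connected"
            "gateway": None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw),
            "iface": iface,
            "metric": int(metric),
            "flags": flags,
        })
    return routes


def lookup(routes, dst):
    """Return the route the kernel would pick for dst, or None if no match."""
    dst = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if dst in r["net"]]
    if not candidates:
        return None
    # Longest prefix first; lower metric breaks ties between equal prefixes.
    return max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def next_hop(dst, table=ROUTE_N_OUTPUT):
    """Convenience wrapper: (iface, gateway-or-None) for dst using `table`."""
    route = lookup(parse_route_n(table), dst)
    if route is None:
        return None
    gw = None if route["gateway"] is None else str(route["gateway"])
    return route["iface"], gw


if __name__ == "__main__":
    # The inner destination of the decapsulated echo request from the thread.
    for target in ("192.168.1.2", "192.168.2.2", "10.0.2.2"):
        print(target, "->", next_hop(target))
```

On the gateway itself the equivalent live check is `ip route get 192.168.1.2 from 192.168.2.2 iif eth0`, which also honours policy rules and any extra tables that `route -n` (main table only) does not show; `ip xfrm policy` and `ip xfrm state` show what the native 2.6 IPsec stack will do to the packet before and after decapsulation.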