[Openswan Users] problem when routing decapsulated ESP packets

Trevor Hennion trevor-os at thennion.demon.co.uk
Thu Feb 17 18:37:50 CET 2005


On Thursday 17 February 2005 18:11, Peter Kersch wrote:
> Hello,
>
> I've set up a simple net-to-net VPN using openswan like this:
>
> net_A     ---       gw_A --- router --- gw_B --- net_B
>     ^             ^      ^
> 192.168.1.0/24    |      |                       192.168.2.0/24
>                  eth1   eth0
>                   ^      ^
>            192.168.1.1  10.0.1.2
>
> the ipsec tunnel is brought up without problem but there is a strange
> phenomenon when I try to ping a machine in net_A from a machine in net_B:
> The ECHO_REQUEST packet is encapsulated at gw_B and passes through the
> tunnel without problem. But instead of sending the decapsulated
> ECHO_REQUEST packet through eth1, gw_A sends it through interface eth0.
> I really don't understand why, my routing table seems to be correct..
>
> Here is a tcpdump log captured at the interface eth0 of gw_A
>
> 15:06:47.460942 10.0.2.2 > 10.0.1.2: ESP(spi=0x8be73ab4,seq=0x14) (DF)
> 15:06:47.461301 192.168.2.2 > 192.168.1.2: icmp: echo request (DF)
>
> and the routing table of gw_A (seems to be correct..):
>
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.2.0     10.0.1.1        255.255.255.0   UG    0      0        0 eth0
> 10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 0.0.0.0         10.0.1.1        128.0.0.0       UG    0      0        0 eth0
> 128.0.0.0       10.0.1.1        128.0.0.0       UG    0      0        0 eth0
> 0.0.0.0         10.0.1.1        0.0.0.0         UG    0      0        0 eth0
>
> I'm using Openswan 2.3.1dr3 with native 2.6 ipsec (2.6.10 kernel) and here
> is the respective conn section in ipsec.conf on both gateways:
>
> conn sample
>         leftid=@xxx
>         left=10.0.1.2
>         leftsubnet=192.168.1.0/24
>         leftnexthop=10.0.1.1
>         leftrsasigkey=0sAQPdBxTZxR....
>         rightid=@yyy
>         right=10.0.2.2
>         rightsubnet=192.168.2.0/24
>         rightnexthop=10.0.2.1
>         rightrsasigkey=0sAQNRS+2C...
>         authby=rsasig
>
> Does anyone have an idea?
>
> Peter

Peter,

You don't show where 10.0.1.1 is on your 'chart', but in your routing table it 
is the gateway to eth0. Your 'leftnexthop=10.0.1.1' may be the problem - 
should that be 192.168.1.1 perhaps?

Regards

Trevor Hennion
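Added example (not from Peter's post, Trevor's reply, or Openswan itself): a small Python routing-table simulator that parses `netstat -rn` output of the shape quoted above and performs the longest-prefix-match lookup the kernel forwarding table does. The sample table is the gw_A table from the post, embedded as a constructed string; the function names and the `Route` type are this example's own. Running it shows that a plain lookup for 192.168.1.2 selects the 192.168.1.0/24 route on eth1, so the posted table by itself does not explain the echo request leaving on eth0, which is why the reply looks at the `leftnexthop` setting rather than the table.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None for directly connected routes
    iface: str


# Constructed sample: the gw_A table as posted, in `netstat -rn` column order.
NETSTAT_RN = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     10.0.1.1        255.255.255.0   UG    0      0        0 eth0
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         10.0.1.1        128.0.0.0       UG    0      0        0 eth0
128.0.0.0       10.0.1.1        128.0.0.0       UG    0      0        0 eth0
0.0.0.0         10.0.1.1        0.0.0.0         UG    0      0        0 eth0
"""


def parse_netstat_rn(text: str) -> List[Route]:
    """Parse `netstat -rn` style output into Route entries (hypothetical helper)."""
    routes: List[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "Destination":
            continue  # skip header and any short/blank lines
        dest, gw, mask, flags = fields[0:4]
        iface = fields[-1]  # Iface is always the last column
        # Genmask is a dotted netmask; ipaddress accepts "addr/netmask" directly.
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        # The G flag marks a route that goes via a gateway; otherwise it is on-link.
        gateway = ipaddress.IPv4Address(gw) if "G" in flags else None
        routes.append(Route(network, gateway, iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel FIB does (metrics are ignored here)."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def describe(routes: List[Route], dst: str) -> str:
    """Human-readable result in the spirit of `ip route get <dst>`."""
    r = lookup(routes, dst)
    if r is None:
        return f"{dst}: no route"
    via = f"via {r.gateway} " if r.gateway is not None else ""
    return f"{dst}: {via}dev {r.iface} (matched {r.network})"


if __name__ == "__main__":
    table = parse_netstat_rn(NETSTAT_RN)
    # The decapsulated echo request from the post is destined for 192.168.1.2.
    for target in ("192.168.1.2", "192.168.2.2", "10.0.2.2"):
        print(describe(table, target))
```

The two /1 routes (0.0.0.0/1 and 128.0.0.0/1 via 10.0.1.1) are the only entries that override the default route, and neither covers 192.168.1.0/24, so a plain forwarding lookup cannot send 192.168.1.2 out of eth0. To compare with a live gateway, run `ip route get 192.168.1.2` on gw_A and check that it names eth1 as well.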
