[Openswan Users] problem when routing decapsulated ESP packets

Peter Kersch kpeti at sch.bme.hu
Thu Feb 17 23:59:27 CET 2005


Hi Trevor,

Here is the exact configuration with all IP addresses. I don't think that
it is a routing table configuration problem, but I don't have any other idea..

> I`ve set up a simple net-to-net VPN using openswan like this:

                     10.0.1.1   10.0.2.1
                           |     |
net_A     ---      gw_A --- router --- gw_B --- net_B
    ^             ^     ^             ^     ^
192.168.1.0/24    |     |             |     |     192.168.2.0/24
                eth1   eth0        eth0    eth1
                 ^      ^           ^       ^
        192.168.1.1  10.0.1.2  10.0.2.2  192.168.2.1

> the ipsec tunnel is brought up without problem but there is a strange
> phenomenon when I try to ping a machine in net_A from a machine in net_B:
> The ECHO_REQUEST packet is encapsulated at gw_B and passes through the
> tunnel without problem. But instead of sending the decapsulated
> ECHO_REQUEST packet through eth1, gw_A sends it through interface eth0.
> I really don't understand why, my routing table seems to be correct..
>
> Here is a tcpdump log captured at the interface eth0 of gw_A
>
> 15:06:47.460942 10.0.2.2 > 10.0.1.2: ESP(spi=0x8be73ab4,seq=0x14) (DF)
> 15:06:47.461301 192.168.2.2 > 192.168.1.2: icmp: echo request (DF)
>
> and the routing table of gw_A (seems to be correct..):
>
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.2.0     10.0.1.1        255.255.255.0   UG    0      0        0 eth0
> 10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 0.0.0.0         10.0.1.1        128.0.0.0       UG    0      0        0 eth0
> 128.0.0.0       10.0.1.1        128.0.0.0       UG    0      0        0 eth0
> 0.0.0.0         10.0.1.1        0.0.0.0         UG    0      0        0 eth0
>
> I'm using Openswan 2.3.1dr3 with native 2.6 ipsec (2.6.10 kernel) and here
> is the respective conn section in ipsec.conf on both gateways:
>
> conn sample
>         leftid=@xxx
>         left=10.0.1.2
>         leftsubnet=192.168.1.0/24
>         leftnexthop=10.0.1.1
>         leftrsasigkey=0sAQPdBxTZxR....
>         rightid=@yyy
>         right=10.0.2.2
>         rightsubnet=192.168.2.0/24
>         rightnexthop=10.0.2.1
>         rightrsasigkey=0sAQNRS+2C...
>         authby=rsasig
>
> Does anyone have an idea?
>
> Peter

Peter,

You don't show where 10.0.1.1 is on your 'chart', but in your routing table it
is the gateway to eth0. Your 'leftnexthop=10.0.1.1' may be the problem -
should that be 192.168.1.1 perhaps?

Regards

Trevor Hennion
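Added example (not part of either message in this thread, and not Openswan code): the gw_A routing table quoted above, re-typed as constructed sample input to a small Python script that performs the same longest-prefix match the Linux IPv4 FIB uses for plain destination-based routing. It lets you check, offline, which interface and gateway the quoted table selects for the decapsulated ECHO_REQUEST (192.168.2.2 -> 192.168.1.2) and for the reply. The function names parse_netstat_rn, lookup and expected_egress are chosen here; the addresses are exactly those in the post. The model deliberately ignores policy routing rules and xfrm policies, so it only tells you what the main table says, not what the IPsec stack does with a packet before or after it consults that table.

```python
import ipaddress

# gw_A's routing table as quoted in the post (netstat -rn layout),
# re-typed here as constructed sample input so the script runs offline.
GW_A_ROUTES = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     10.0.1.1        255.255.255.0   UG    0      0        0 eth0
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         10.0.1.1        128.0.0.0       UG    0      0        0 eth0
128.0.0.0       10.0.1.1        128.0.0.0       UG    0      0        0 eth0
0.0.0.0         10.0.1.1        0.0.0.0         UG    0      0        0 eth0
"""


def parse_netstat_rn(text):
    """Parse `netstat -rn` output into (network, gateway, iface, metric, flags).

    A gateway of 0.0.0.0 means the route is directly connected (no next hop),
    so it is recorded as None.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "Destination":
            continue
        dest, gw, mask, flags, metric = fields[0], fields[1], fields[2], fields[3], int(fields[4])
        iface = fields[7]
        # ipaddress accepts a dotted netmask after the slash, e.g. 0.0.0.0/128.0.0.0 -> 0.0.0.0/1
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.ip_address(gw)
        routes.append((net, gateway, iface, metric, flags))
    return routes


def lookup(routes, dst):
    """Destination-based route selection: longest prefix wins, lower metric breaks ties.

    Returns (iface, gateway or None, matched network as string), or None if no route.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface, metric, flags in routes:
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gw, iface, net)
    if best is None:
        return None
    _, gw, iface, net = best
    return iface, (str(gw) if gw is not None else None), str(net)


def expected_egress(routes, src, dst):
    """Egress interface the table selects for a src->dst packet and for its reply (dst->src)."""
    fwd = lookup(routes, dst)
    rev = lookup(routes, src)
    return (fwd[0] if fwd else None, rev[0] if rev else None)


if __name__ == "__main__":
    table = parse_netstat_rn(GW_A_ROUTES)
    # The decapsulated echo request seen in the capture, and where the table would send it.
    print("echo request 192.168.2.2 -> 192.168.1.2:", lookup(table, "192.168.1.2"))
    print("echo reply   192.168.1.2 -> 192.168.2.2:", lookup(table, "192.168.2.2"))
    # The IKE/ESP peer itself falls under the 0.0.0.0/1 half-default route, not the /0.
    print("peer 10.0.2.2:", lookup(table, "10.0.2.2"))
    print("request/reply egress:", expected_egress(table, "192.168.2.2", "192.168.1.2"))
```

Run as a script it prints the selected interface, next hop and matched prefix for each address. For the quoted table the decapsulated echo request matches 192.168.1.0/24 on eth1 with no gateway, the reply matches 192.168.2.0/24 via 10.0.1.1 on eth0, and the peer 10.0.2.2 matches the 0.0.0.0/1 route via 10.0.1.1 rather than the /0 default. If a live box disagrees with this, compare against `ip route get <dst> from <src> iif <if>` and `ip rule show`, since those account for policy routing that a main-table lookup does not.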
_______________________________________________
Users mailing list
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
