[Openswan Users] Linux-Linux IPsec Tunnel ends at the gateway: no ping over the gateway in the next subnet

foren titze foren.titze at gmx.net
Tue Jul 5 12:46:32 CEST 2005


Hello,

Now I have a working config on both sides. Both use Openswan 2.3.1 with 
kernel 2.6.
Although I have set up the conns roadwarrior and roadwarrior-net, my ping from the 
roadwarrior to the subnet behind the VPN gateway doesn't go through.


Here are my configs:
Server:
------------

version 2
config setup
     interfaces=%defaultroute
     klipsdebug=none
     plutodebug=none
     forwardcontrol=on
     nat_traversal=yes
     uniqueids=yes
     #virtual_private=%v4:10.0.0.0/24,%v4:192.168.121.0/24

conn %default
     leftrsasigkey=%cert
     rightrsasigkey=%cert
     leftid="C=DE/"
     leftcert=vpncert.pem
     dpdaction=clear
     keylife=2h
     rekeymargin=9m
     keyingtries=3
     disablearrivalcheck=no
     type=tunnel
     ike="aes128-sha,aes128-md5,3des-md5,3des-sha"
     esp="aes128-sha1,aes128-md5,3des-md5,3des-sha1"
     left=195.1xx.xxx.22
     #left=10.0.0.58

conn tit-linux-net
     leftsubnet=192.168.121.0/24
     also=titze-linux

conn tit-linux
     rightnexthop=192.168.121.1
     rightid="/C=DE ..."
     right=%any
     #rightcert=certs/tit.pem
     leftnexthop=%defaultroute
     #leftnexthop=192.168.121.1
     auto=add
     pfs=yes
     compress=yes
     authby=rsasig
     disablearrivalcheck=no
     keyingtries=1

include /etc/ipsec.d/examples/no_oe.conf

------------------------

and here is the config from the roadwarrior:
-----------------------
version 2.0     # conforms to second version of ipsec.conf specification
config setup
        interfaces=%defaultroute
        #nat_traversal=yes

conn %default
        keyingtries=1
        compress=yes
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        ike="aes128-sha,aes128-md5,3des-md5,3des-sha"
        esp="aes128-sha1,aes128-md5,3des-md5,3des-sha1"

conn tit-linux-net
        leftsubnet=192.168.121.0/24
        also=tit-linux
	
conn tit-linux
        left=195.1xx.xxx.22
        leftnexthop=xxx.47.27.1
        leftcert=vpncert.pem
        leftid="C=DE"
        right=%defaultroute
        rightid="/C=DE/"
        rightcert=tit-linux_cert.pem
        auto=add
        pfs=yes

include /etc/ipsec/ipsec.d/examples/no_oe.conf


Here is the auth.log from the server and from the roadwarrior:
--------

Jul  5 11:11:12 linux-vpn2 pluto[25122]: "tit-linux"[1] xxx.xxx.1xx.30 #1: deleting connection "brosowski" instance with peer xxx.xxx.1xx.30 {isakmp=#0/ipsec=#0}
Jul  5 11:11:12 linux-vpn2 pluto[25122]: "tit-linux"[1] xxx.xxx.1xx.30 #1: I 
am sending my cert
Jul  5 11:11:12 linux-vpn2 pluto[25122]: "tit-linux"[1] xxx.xxx.1xx.30 #1: 
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul  5 11:11:12 linux-vpn2 pluto[25122]: "tit-linux"[1] xxx.xxx.1xx.30 #1: 
sent MR3, ISAKMP SA established
Jul  5 11:11:12 linux-vpn2 pluto[25122]: "tit-linux"[1] xxx.xxx.1xx.30 #2: 
responding to Quick Mode {msgid:e57a5180}
Jul  5 11:11:12 linux-vpn2 pluto[25122]: "tit-linux"[1] xxx.xxx.1xx.30 #2: 
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jul  5 11:11:13 linux-vpn2 pluto[25122]: "tit-linux"[1] xxx.xxx.1xx.30 #2: 
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jul  5 11:11:13 linux-vpn2 pluto[25122]: "tit-linux"[1] xxx.xxx.1xx.30 #2: 
IPsec SA established {ESP=>0xd17964e7 <0xddc60824 xfrm=AES_128-HMAC_SHA1}
Jul  5 11:11:31 linux-vpn2 pluto[25122]: "tit-linux-net"[1] xxx.xxx.1xx.30 #3: 
responding to Quick Mode {msgid:57e2e962}
Jul  5 11:11:31 linux-vpn2 pluto[25122]: "tit-linux-net"[1] xxx.xxx.1xx.30 #3: 
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jul  5 11:11:31 linux-vpn2 pluto[25122]: "tit-linux-net"[1] xxx.xxx.1xx.30 #3: 
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jul  5 11:11:31 linux-vpn2 pluto[25122]: "tit-linux-net"[1] xxx.xxx.1xx.30 #3: 
IPsec SA established {ESP=>0xcd91b883 <0xe82be46c xfrm=AES_128-HMAC_SHA1
-----------------

Roadwarrior: 
---------
Jul  5 11:11:19 [pluto] "tit-linux" #1: initiating Main Mode
Jul  5 11:11:19 [pluto] "tit-linux" #1: received Vendor ID payload [Openswan 
(this version) 2.3.1  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Jul  5 11:11:19 [pluto] "tit-linux" #1: received Vendor ID payload [Dead Peer 
Detection]
Jul  5 11:11:19 [pluto] "tit-linux" #1: transition from state STATE_MAIN_I1 to 
state STATE_MAIN_I2
Jul  5 11:11:19 [pluto] "tit-linux" #1: I am sending my cert
Jul  5 11:11:19 [pluto] "tit-linux" #1: I am sending a certificate request
Jul  5 11:11:19 [pluto] "tit-linux" #1: transition from state STATE_MAIN_I2 to 
state STATE_MAIN_I3
Jul  5 11:11:20 [pluto] "tit-linux" #1: Main mode peer ID is ID_DER_ASN1_DN: 
'C=DE,'
Jul  5 11:11:20 [pluto] "tit-linux" #1: no crl from issuer "C=DE," found (strict=no)
Jul  5 11:11:20 [pluto] "tit-linux" #1: transition from state STATE_MAIN_I3 to 
state STATE_MAIN_I4
Jul  5 11:11:20 [pluto] "tit-linux" #1: ISAKMP SA established
Jul  5 11:11:20 [pluto] "tit-linux" #2: initiating Quick Mode 
RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
Jul  5 11:11:20 [pluto] "tit-linux" #2: transition from state STATE_QUICK_I1 
to state STATE_QUICK_I2
Jul  5 11:11:20 [pluto] "tit-linux" #2: sent QI2, IPsec SA established 
{ESP=>0xddc60824 <0xd17964e7 xfrm=AES_128-HMAC_SHA1}
Jul  5 11:11:39 [pluto] "tit-linux-net" #3: initiating Quick Mode 
RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
Jul  5 11:11:39 [pluto] "tit-linux-net" #3: transition from state 
STATE_QUICK_I1 to state STATE_QUICK_I2
Jul  5 11:11:39 [pluto] "tit-linux-net" #3: sent QI2, IPsec SA established 
{ESP=>0xe82be46c <0xcd91b883 xfrm=AES_128-HMAC_SHA1
-----------------------

ip route on the roadwarrior after tit-linux and tit-linux-net are UP:

195.1xxx.xxx.22 via xxx.xxx.130.1 dev eth0 
xxx.xxx.x30.0/25 dev eth0  proto kernel  scope link  src xxx.xxx.130.30 
192.168.121.0/24 via xxx.xxx.130.1 dev eth0 
127.0.0.0/8 dev lo  scope link 
default via xxx.xxx.130.1 dev eth


This is what tcpdump shows on the server while I am pinging a machine behind the server:

linux-vpn2:/var/log# tcpdump -n 
tcpdump: listening on eth0
11:32:29.806896 arp who-has 195.1xx.xxx.22 tell 195.1xx.xxx.2
11:32:29.807785 arp reply 195.1xx.xxx.22 is-at 0:50:4:35:e4:24
11:32:29.806929 xxx.xxx.130.30 > 195.1xx.xxx.22: ESP(spi=0xe82be46c,seq=0x9)
11:32:29.806929 xxx.xxx.130.30.46602 > 192.168.121.202.33435:  udp 12 [ttl 1]
11:32:29.807423 195.1xx.xxx.22 > xxx.xxx.130.30: ESP(spi=0xd17964e7,seq=0x7) 
[tos 0xc0] 
11:32:29.836448 xxx.xxx.130.30 > 195.1xx.xxx.22: ESP(spi=0xe82be46c,seq=0xa)
11:32:29.836448 xxx.xxx.130.30.46602 > 192.168.121.202.33436:  udp 12 [ttl 1]
11:32:29.836748 195.1xx.xxx.22 > xxx.xxx.130.30: ESP(spi=0xd17964e7,seq=0x8) 
[tos 0xc0] 
11:32:29.866418 xxx.xxx.130.30 > 195.1xx.xxx.22: ESP(spi=0xe82be46c,seq=0xb)
11:32:29.866418 xxx.xxx.130.30.46602 > 192.168.121.202.33437:  udp 12 [ttl 1]
11:32:29.866598 195.1xx.xxx.22 > xxx.xxx.130.30: ESP(spi=0xd17964e7,seq=0x9) 
[tos 0xc0] 
11:32:29.896419 xxx.xxx.130.30 > 195.1xx.xxx.22: ESP(spi=0xe82be46c,seq=0xc)
11:32:29.896419 xxx.xxx.130.30.46602 > 192.168.121.202.33438:  udp 12
11:32:34.805669 arp who-has 195.135.186.1 tell 195.1xx.xxx.22
11:32:34.805784 arp reply 195.135.186.1 is-at 0:80:c8:cf:d5:af
11:32:34.897355 xxx.xxx.130.30 > 195.1xx.xxx.22: ESP(spi=0xe82be46c,seq=0xd)
11:32:34.897355 xxx.xxx.130.30.46602 > 192.168.121.202.33439:  udp 12


Can anybody help with my situation? The only thing I can ping from the roadwarrior 
is the internal IP of the server, 192.168.121.140.



THX

Ben

