[Openswan Users] Problem with host reachability when ipsec tunnel is operational
Phillip Gersekowski
philg at thenetworktech.net
Wed Jul 6 10:56:42 CEST 2005
Thanks for the help. The suggestions have led me in the correct
direction and I have almost solved the problems.
I had disabled the OE. The problem was that I needed to configure
passthrough connections for traffic between the .7 and .26 networks.
I can now establish all IPSEC Connections (iexec, gallery.iexec,
administration, gallery.administration, exclude-eth0, exclude-eth1), and
can now connect the following:
192.168.7.100 -> 192.168.26.100 (Both Local to ADSL Gateway)
192.168.7.100 -> 192.168.3.100 (Local to ADSL Gateway to Remote Site -
iexec connection)
192.168.7.100 -> 192.168.34.50 (Local to ADSL Gateway to Remote Site -
administration connection)
192.168.26.100 -> 192.168.7.100 (Both Local to ADSL Gateway)
192.168.26.100 -> 192.168.3.100 (Local to ADSL Gateway to Remote Site -
iexec connection)
192.168.26.100 -> 192.168.34.50 (Local to ADSL Gateway to Remote Site -
administration connection)
But I still cannot connect:
192.168.7.100 -> 192.168.7.253 (Local Network to ADSL Gateway Address)
192.168.26.100 -> 192.168.26.253 (Local Network to ADSL Gateway)
when I establish the iexec and gallery.iexec functions.
The latest ipsec.conf file and the output of "ipsec auto --status" are
included below, in case this also helps.
#--------------------------------------------------------------
version 2.0
config setup
klipsdebug=ll
plutodebug=all
interfaces="ipsec0=dsl0 ipsec1=eth0:1"
uniqueids=yes
overridemtu=1400
forwardcontrol=on
nat_traversal=no
conn %default
authby=rsasig
auto=add
#conn exclude-lo
# authby=never
# left=127.0.0.1
# leftsubnet=127.0.0.0/8
# right=127.0.0.2
# rightsubnet=127.0.0.0/8
# type=passthrough
# auto=route
conn exclude-eth0
authby=never
left=192.168.26.253
leftsubnet=192.168.26.0/24
right=127.0.0.2
rightsubnet=192.168.7.0/24
type=passthrough
auto=route
conn exclude-eth1
authby=never
left=192.168.7.253
leftsubnet=192.168.7.0/24
right=127.0.0.2
rightsubnet=192.168.26.0/24
type=passthrough
auto=route
conn iexec
leftid=@logancentral.iexec.superamart.com
left=192.168.135.237
leftnexthop=192.168.135.238
leftsubnet=0.0.0.0/0
leftrsasigkey=xxx
rightid=@adsl.logancentral.iexec.superamart.com
right=192.168.252.7
rightnexthop=192.168.251.33
rightsubnet=192.168.7.0/24
rightupdown=/etc/ipsec/iexec
rightrsasigkey=xxx
auto=add
conn gallery.iexec
leftid=@gallery.logancentral.iexec.superamart.com
left=192.168.135.237
leftnexthop=192.168.135.238
leftsubnet=0.0.0.0/0
leftrsasigkey=xxx
rightid=@adsl.gallery.logancentral.superamart.com
right=192.168.252.7
rightnexthop=192.168.251.33
rightsubnet=192.168.26.0/24
rightupdown=/etc/ipsec/gallery.iexec
rightrsasigkey=xxx
auto=add
conn logancentral-backup
leftid=@backup.superamart.com
left=192.168.198.254
leftnexthop=192.168.198.253
leftsubnet=0.0.0.0/0
leftrsasigkey=xxx
rightid=@logancentral.backup.superamart.com
right=192.168.198.238
rightnexthop=192.168.198.237
rightsubnet=192.168.7.0/24
rightupdown=/etc/ipsec/logancentral-backup
rightrsasigkey=xxx
auto=add
conn administration
leftid=@logancentral.superamart.com
left=192.168.200.254
leftnexthop=192.168.200.253
leftsubnet=192.168.32.0/21
leftrsasigkey=xxx
rightid=@adsl.logancentral.superamart.com
right=192.168.252.7
rightnexthop=192.168.251.33
rightsubnet=192.168.7.0/24
rightupdown=/etc/ipsec/administration
rightrsasigkey=xxx
auto=start
conn gallery.administration
leftid=@gallery.logancentral.superamart.com
left=192.168.200.254
leftnexthop=192.168.200.253
leftsubnet=192.168.32.0/21
leftrsasigkey=xxx
rightid=@adsl.gallery.logancentral.superamart.com
right=192.168.252.7
rightnexthop=192.168.251.33
rightsubnet=192.168.26.0/24
rightupdown=/etc/ipsec/gallery.administration
rightrsasigkey=xxx
auto=start
conn gallery.logancentral-backup
leftid=@backup.superamart.com
left=192.168.198.238
leftnexthop=192.168.198.237
leftsubnet=192.168.26.0/24
leftupdown=/etc/ipsec/logancentral-backup
leftrsasigkey=xxx
rightid=@gallery.logancentral.backup.superamart.com
right=192.168.198.254
rightnexthop=192.168.198.253
rightsubnet=0.0.0.0/0
rightrsasigkey=xxx
auto=add
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
#--------------------------------------------------------------
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.26.254
000 interface eth0:1/eth0:1 192.168.26.253
000 interface eth1/eth1 192.168.7.253
000 interface eth1:1/eth1:1 192.168.198.238
000 interface dsl0/dsl0 192.168.252.7
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "administration": 192.168.7.0/24===192.168.252.7[@adsl.logancentral.superamart.com]---192.168.251.33...192.168.200.253---192.168.200.254[@logancentral.superamart.com]===192.168.32.0/21; erouted; eroute owner: #3
000 "administration": srcip=unset; dstip=unset
000 "administration": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "administration": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 21,24; interface: dsl0;
000 "administration": newest ISAKMP SA: #1; newest IPsec SA: #3;
000 "administration": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "exclude-eth0": 192.168.26.0/24===192.168.26.253...127.0.0.2===192.168.7.0/24; prospective erouted; eroute owner: #0
000 "exclude-eth0": srcip=unset; dstip=unset
000 "exclude-eth0": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "exclude-eth0": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE; prio: 24,24; interface: eth0:1;
000 "exclude-eth0": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "exclude-eth1": 192.168.7.0/24===192.168.7.253...127.0.0.2===192.168.26.0/24; prospective erouted; eroute owner: #0
000 "exclude-eth1": srcip=unset; dstip=unset
000 "exclude-eth1": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "exclude-eth1": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE; prio: 24,24; interface: eth1;
000 "exclude-eth1": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "gallery.administration": 192.168.26.0/24===192.168.252.7[@adsl.gallery.logancentral.superamart.com]---192.168.251.33...192.168.200.253---192.168.200.254[@gallery.logancentral.superamart.com]===192.168.32.0/21; erouted; eroute owner: #9
000 "gallery.administration": srcip=unset; dstip=unset
000 "gallery.administration": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "gallery.administration": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 21,24; interface: dsl0;
000 "gallery.administration": newest ISAKMP SA: #8; newest IPsec SA: #9;
000 "gallery.administration": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "gallery.iexec": 192.168.26.0/24===192.168.252.7[@adsl.gallery.logancentral.superamart.com]---192.168.251.33...192.168.135.238---192.168.135.237[@gallery.logancentral.iexec.superamart.com]===0.0.0.0/0; erouted; eroute owner: #14
000 "gallery.iexec": srcip=unset; dstip=unset
000 "gallery.iexec": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "gallery.iexec": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 0,24; interface: dsl0;
000 "gallery.iexec": newest ISAKMP SA: #12; newest IPsec SA: #14;
000 "gallery.iexec": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "gallery.logancentral-backup": 192.168.26.0/24===192.168.198.238[@backup.superamart.com]---192.168.198.237...192.168.198.253---192.168.198.254[@gallery.logancentral.backup.superamart.com]===0.0.0.0/0; unrouted; eroute owner: #0
000 "gallery.logancentral-backup": srcip=unset; dstip=unset
000 "gallery.logancentral-backup": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "gallery.logancentral-backup": policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 24,0; interface: eth1:1;
000 "gallery.logancentral-backup": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "iexec": 192.168.7.0/24===192.168.252.7[@adsl.logancentral.iexec.superamart.com]---192.168.251.33...192.168.135.238---192.168.135.237[@logancentral.iexec.superamart.com]===0.0.0.0/0; erouted; eroute owner: #15
000 "iexec": srcip=unset; dstip=unset
000 "iexec": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "iexec": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 0,24; interface: dsl0;
000 "iexec": newest ISAKMP SA: #10; newest IPsec SA: #15;
000 "iexec": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "logancentral-backup": 192.168.7.0/24===192.168.198.238[@logancentral.backup.superamart.com]---192.168.198.237...192.168.198.253---192.168.198.254[@backup.superamart.com]===0.0.0.0/0; unrouted; eroute owner: #0
000 "logancentral-backup": srcip=unset; dstip=unset
000 "logancentral-backup": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "logancentral-backup": policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 0,24; interface: eth1:1;
000 "logancentral-backup": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #3: "administration":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27434s; newest IPSEC; eroute owner
000 #3: "administration" esp.5d34e9ac at 192.168.200.254 esp.92379712 at 192.168.252.7 tun.0 at 192.168.200.254 tun.0 at 192.168.252.7
000 #2: "administration":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27405s
000 #2: "administration" esp.5d34e9ab at 192.168.200.254 esp.e4921f0a at 192.168.252.7 tun.0 at 192.168.200.254 tun.0 at 192.168.252.7
000 #1: "administration":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2217s; newest ISAKMP; nodpd
000 #9: "gallery.administration":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27351s; newest IPSEC; eroute owner
000 #9: "gallery.administration" esp.5d34e9ad at 192.168.200.254 esp.f329c9c4 at 192.168.252.7 tun.0 at 192.168.200.254 tun.0 at 192.168.252.7
000 #8: "gallery.administration":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1975s; newest ISAKMP; nodpd
000 #14: "gallery.iexec":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27378s; newest IPSEC; eroute owner
000 #14: "gallery.iexec" esp.6c838fa6 at 192.168.135.237 esp.e0e7800e at 192.168.252.7 tun.0 at 192.168.135.237 tun.0 at 192.168.252.7
000 #13: "gallery.iexec":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2775s
000 #13: "gallery.iexec" esp.6c838fa5 at 192.168.135.237 esp.1fece394 at 192.168.252.7 tun.0 at 192.168.135.237 tun.0 at 192.168.252.7
000 #12: "gallery.iexec":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2774s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000 #15: "iexec":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27621s; newest IPSEC; eroute owner
000 #15: "iexec" esp.6c838fa7 at 192.168.135.237 esp.c8cbdb4e at 192.168.252.7 tun.0 at 192.168.135.237 tun.0 at 192.168.252.7
000 #11: "iexec":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2566s
000 #11: "iexec" esp.6c838fa3 at 192.168.135.237 esp.5f067189 at 192.168.252.7 tun.0 at 192.168.135.237 tun.0 at 192.168.252.7
000 #10: "iexec":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2565s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
000 192.168.7.23/32:0 -6-> 192.168.34.114/32:0 => %hold 0 %acquire-netlink
000 192.168.7.29/32:0 -6-> 192.168.34.114/32:0 => %hold 0 %acquire-netlink
000 192.168.7.21/32:0 -6-> 192.168.34.114/32:0 => %hold 0 %acquire-netlink
000 192.168.7.48/32:0 -6-> 192.168.34.50/32:0 => %hold 0 %acquire-netlink
000 192.168.7.22/32:0 -6-> 192.168.34.50/32:0 => %hold 0 %acquire-netlink
Paul Wouters wrote:
> On Tue, 5 Jul 2005, Phillip Gersekowski wrote:
>
>> I have recently upgraded to Linux Openswan U2.3.1/K2.6.11.4-20a-default
>> (netkey) from Freeswan-1.99 on Linux 2.4.20.
>>
>> I am having a problem with reachability of the IPSEC gateway host on
>> the local network.
>
>
> Without logs it is hard to say what is going on. Either your firewalls
> still assume an ipsecX device which is no longer there, your rp_filter
> settings changed, your nat/masq settings interfere, or perhaps you did
> not disable OE by including no_oe.conf
>
>>
>> The ADSL gateway provides 4 IPSec connections: one connection each from
>> the local networks (7 & 26) to our administration center
>> (192.168.32.0/21) and one connection from each local network to another
>> box used for "Internet" connectivity.
>>
>> The 2 IPSEC connections to the internet are used to connect to all
>> other sites within our WAN. These sites are numbered in the private
>> ranges (192.168., 10. and 172.) so we use a catch-all 0.0.0.0/0 route
>> from the remote network on this ipsec connection. It also just happens
>> that this second IPSEC connection is our connection to the internet, but
>> these remote locations do not have internet connectivity so this is not
>> actually used for web etc.
>
>
> If you are creating 'overlapping' networks, eg by having 10.0.0.0/8 on
> one end, and 10.0.x.0/24 on another end, then with KLIPS this worked but
> with NETKEY you will need extra passthrough connections to make it work.
>
>> The problem is that when I bring up the 2nd IPSEC connection
>> (0.0.0.0/0 remote network), I lose the ability to reach
>> 192.168.7.253 from any machine in 192.168.7.0/24, and also lose
>> connectivity from 192.168.26.0/24 to 192.168.26.253, and also lose
>> connectivity between the 192.168.26.0/24 and 192.168.7.0/24 networks.
>
>
> Seems like you might have left OE enabled.
>
> Paul
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
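To see why the LAN-to-gateway flows still hit the 0.0.0.0/0 tunnel while the cross-LAN flows now pass, here is a small model of NETKEY policy selection over the subnet pairs from the ipsec.conf above; this is an added example, not Openswan code and not from the thread. It assumes NETKEY picks the most specific matching policy (the pair printed as prio: in the status output) and that the hypothetical conn exclude-gw-eth1 is a passthrough between the 7.0/24 LAN and the gateway's eth1 address, built like exclude-eth1.

```python
from ipaddress import ip_address, ip_network

# (conn, gateway-side subnet, far-side subnet, kind), copied from the posted
# ipsec.conf; the ADSL gateway is right= in the tunnels and left= in the
# passthrough conns, so "gateway-side" is always its own side here.
CONNS = [
    ("exclude-eth0", "192.168.26.0/24", "192.168.7.0/24", "passthrough"),
    ("exclude-eth1", "192.168.7.0/24", "192.168.26.0/24", "passthrough"),
    ("iexec", "192.168.7.0/24", "0.0.0.0/0", "tunnel"),
    ("gallery.iexec", "192.168.26.0/24", "0.0.0.0/0", "tunnel"),
    ("administration", "192.168.7.0/24", "192.168.32.0/21", "tunnel"),
    ("gallery.administration", "192.168.26.0/24", "192.168.32.0/21", "tunnel"),
]

# Hypothetical extra passthrough between the 7.0/24 LAN and the gateway's own
# eth1 address; constructed for this example, not taken from the thread.
GATEWAY_PASSTHROUGH = ("exclude-gw-eth1", "192.168.7.253/32", "192.168.7.0/24",
                       "passthrough")

def policies(conns):
    """Expand each conn into both directions, as NETKEY's in/out/fwd policies do."""
    out = []
    for name, local, remote, kind in conns:
        l, r = ip_network(local), ip_network(remote)
        out.append((name, l, r, kind))
        out.append((name, r, l, kind))
    return out

def match(conns, src, dst):
    """Most specific policy covering src->dst as (conn, kind), or None when the
    flow is plain routed. Specificity is the sum of both prefix lengths (the
    pair 'ipsec auto --status' prints as prio:); ties keep the first conn."""
    s, d = ip_address(src), ip_address(dst)
    best = None
    for name, sn, dn, kind in policies(conns):
        if s in sn and d in dn:
            score = sn.prefixlen + dn.prefixlen
            if best is None or score > best[0]:
                best = (score, name, kind)
    return None if best is None else (best[1], best[2])

if __name__ == "__main__":
    flows = [("192.168.7.100", "192.168.26.100"),  # works in the thread
             ("192.168.7.100", "192.168.34.50"),   # works in the thread
             ("192.168.7.100", "192.168.7.253")]   # still fails in the thread
    for src, dst in flows:
        print(src, "->", dst, match(CONNS, src, dst),
              "| with gateway passthrough:",
              match(CONNS + [GATEWAY_PASSTHROUGH], src, dst))
```

The 7.100 -> 7.253 flow is caught by the iexec 192.168.7.0/24 <-> 0.0.0.0/0 policy because no more specific passthrough covers the gateway's own address, which is the same mechanism Paul describes for overlapping networks under NETKEY.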