[Openswan Users] One Side of Constructed Tunnels Broken

Jerry R. Keene jkeene at scsengineers.com
Fri Mar 18 14:23:06 CET 2005


All:

I've properly set up vpns between a newly relocated office with a new ISP
and our home office. Both linux endpoints are using 2.4 kernels. The
Weston endpoint is running freeswan 2.06 and the Rinchester endpoint is
running openswan 2.30.

The new ISP is a small operation, and, while they have attempted to be
helpful, there seems to be a blockade on their cisco router that won't
allow 10. traffic to go through. The cause of this blockade seems outside
their experience.

I'm not giving a lot of specific information, because all the normal
specific information seems to be fine. I believe both freeswan and
openswan are doing what they are supposed to do.

Weston <---------------------------------->Rinchester
------------                            -------------
192.168.98.131 (eth0) 10.2.1.216 (eth1) 192.168.206.(eth0) 10.2.25.1 (eth1)

When the tunnels are up, traffic from Weston to the 10.2.25.0 network is
fine with normal functionality for all tunnels.

On the Rinchester box, the ipsec0 virtual interface appears normal. When I
run "ipsec eroute" (see below), it shows four completed tunnels.

Most saliently though, on the Rinchester linux box, despite a proper
looking routing table (see below), when I try to traceroute from
Rinchester to 10.2.1.216, my traceroute goes via the internet rather than
via the proper tunnel. Obviously it fails.

From my testing the problem seems to be with reaching Rinchester's
192.168.206.1 address. My traceroutes from Weston to that address fail to
reach it. I can, however, ping that address. My ISP says he's not
filtering on the 192.168.206.1 interface, but, if so, why can I do a
normal traceroute to it?

The 192.168.206.5 linux box is entirely reachable, evidence that the ISP
is not filtering traffic for that address.

The ISP certainly wants to help, but can't see anything on the Cisco side
that's blocking my Rinchester to Weston 10. traffic.

I'd appreciate any advice on the nature of the Cisco-side block here. I'm
not very familiar with Cisco configs, but I know both Freeswan and Openswan
are very interoperable with Cisco routers...I'd think then that some
config options need to be tweaked on the Cisco interface?

Kernel IP routing table (for Rinchester)
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
255.255.255.255 0.0.0.0         255.255.255.255 UH        0 0          0 eth0
192.168.98.131  192.168.206.1   255.255.255.255 UGH       0 0          0 ipsec0
192.168.206.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.206.0   0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
10.0.0.0        192.168.206.1   255.255.255.0   UG        0 0          0 ipsec0
10.2.25.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
224.0.0.0       0.0.0.0         240.0.0.0       U         0 0          0 eth0
0.0.0.0         192.168.206.1   0.0.0.0         UG        0 0          0 eth1

Results of Rinchester "ipsec eroute"

0          10.2.25.0/24       -> 10.0.0.0/24        => tun0x1032 at 192.168.98.131
0          10.2.25.0/24       -> 192.168.98.131/32  => tun0x1036 at 65.168.98.131
0          192.168.206.5/32   -> 10.0.0.0/24        => tun0x1038 at 192.168.98.131
0          192.168.206.5/32   -> 65.168.98.131/32   => tun0x1034 at 192.168.98.131

-- 
Jerry Keene
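As an added check, not part of the original post: the script below embeds constructed copies of the routing table and "ipsec eroute" output quoted above, runs the longest-prefix match the kernel performs for a destination, and reports whether any eroute selector covers the source/destination pair. Run against the posted tables, 10.2.1.216 matches neither the 10.0.0.0/24 route nor the 10.0.0.0/24 eroute selector and falls to the default route out eth1, which is consistent with the traceroute leaving via the Internet. It is the local check to do before looking for an upstream filter. The diagnose() helper and the choice of 10.2.25.1 as the source address are assumptions of this example, not from the post.

```python
import re
import ipaddress

# Constructed input: the "Kernel IP routing table" and "ipsec eroute" output
# quoted in the post above (route -n format, 2.4 kernel with KLIPS).
ROUTE_TABLE = """\
255.255.255.255 0.0.0.0         255.255.255.255 UH        0 0          0 eth0
192.168.98.131  192.168.206.1   255.255.255.255 UGH       0 0          0 ipsec0
192.168.206.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.206.0   0.0.0.0         255.255.255.0   U         0 0          0 ipsec0
10.0.0.0        192.168.206.1   255.255.255.0   UG        0 0          0 ipsec0
10.2.25.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
224.0.0.0       0.0.0.0         240.0.0.0       U         0 0          0 eth0
0.0.0.0         192.168.206.1   0.0.0.0         UG        0 0          0 eth1
"""

# The list archive renders "@" in the tunnel column as " at "; both are accepted.
EROUTES = """\
0          10.2.25.0/24       -> 10.0.0.0/24        => tun0x1032 at 192.168.98.131
0          10.2.25.0/24       -> 192.168.98.131/32  => tun0x1036 at 65.168.98.131
0          192.168.206.5/32   -> 10.0.0.0/24        => tun0x1038 at 192.168.98.131
0          192.168.206.5/32   -> 65.168.98.131/32   => tun0x1034 at 192.168.98.131
"""


def parse_routes(text):
    """Parse route -n output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8:
            continue
        dest, gw, mask, iface = f[0], f[1], f[2], f[7]
        # Genmask is a dotted mask; ip_network accepts the "addr/mask" form.
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does for a plain (non-policy) lookup."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def parse_eroutes(text):
    """Parse 'ipsec eroute' lines into (src_net, dst_net, tunnel) tuples."""
    pat = re.compile(r"^\s*\d+\s+(\S+)\s+->\s+(\S+)\s+=>\s+(.+?)\s*$")
    out = []
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            src, dst, tun = m.groups()
            out.append((ipaddress.ip_network(src), ipaddress.ip_network(dst),
                        tun.replace(" at ", "@")))
    return out


def matching_eroute(eroutes, src, dst):
    """Return the tunnel whose selectors cover src->dst, or None if no SA applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for snet, dnet, tun in eroutes:
        if s in snet and d in dnet:
            return tun
    return None


def diagnose(src, dst):
    """Which interface a packet src->dst leaves on, and whether an eroute covers it.

    Hypothetical helper written for this example.
    """
    net, gw, iface = lookup(parse_routes(ROUTE_TABLE), dst)
    return {
        "route": f"{net} via {gw} dev {iface}",
        "iface": iface,
        "eroute": matching_eroute(parse_eroutes(EROUTES), src, dst),
    }


if __name__ == "__main__":
    # Source 10.2.25.1 is Rinchester's eth1 address from the diagram (assumed here).
    for dst in ("10.2.1.216", "10.0.0.5", "192.168.98.131"):
        print(dst, diagnose("10.2.25.1", dst))
```

The same approach works on any 2.4-era KLIPS box: paste the two tables in, and any destination that lands on a physical interface with "eroute": None is leaving the host in the clear, regardless of what the tunnel counters show.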
