[Openswan Users] Routing Problem

Stefan Keller stefan.keller at risksys.com
Wed Nov 9 15:11:29 CET 2005


Hi all

I want to set up a VPN in a simple environment, in order to extend it 
later on over a firewall for a "roadwarrior" connection. The connection 
and the key sharing process are working fine, but from the VPN client, I 
cannot pass beyond the VPN gateway; there seem to be routing problems.

The setup:

There is a private network, 192.168.0.0/24, with the usual services and 
192.168.0.1 as default gateway. Without ipsec turned on, the hosts 
vpngateway on 192.168.0.34 and vpnclient on 192.168.0.37 are ordinary 
members of the private network. My intention is that as soon as ipsec is 
started on the involved hosts, the vpnclient has only a VPN connection 
to the vpngateway, and all requests to that host and beyond should go over 
it. This situation could be used as well for securing WLAN.

Both involved hosts run Debian in a mixed stable/testing environment 
with the current testing version of openswan, 2.4.0-3.

ipsec.conf on vpngateway (192.168.0.34):

version 2.0
config setup
        interfaces=%defaultroute
        nat_traversal=no
        plutodebug=all

conn %default
        leftcert=%cert
        rightcert=%cert
        authby=rsasig

conn roadwarrior
        left=192.168.0.34
        leftid=@vpngateway.example.com
        leftsubnet=0.0.0.0/0
        leftcert=vpngateway.example.com_cert.pem
        right=%any
        auto=add


ipsec.conf on vpnclient (192.168.0.37):

version 2.0
config setup
        interfaces="ipsec0=eth0"
        nat_traversal=no
        plutodebug=all

conn %default
        authby=rsasig

conn roadwarrior
        left=192.168.0.37
        leftid=@vpnclient.example.com
        leftcert=vpnclient.example.com_cert.pem
        right=192.168.0.34
        rightid=@vpngateway.example.com
        rightsubnet=0.0.0.0/0
        rightcert=vpngateway.example.com_cert.pem
        auto=add

(remark on ipsec.conf on vpnclient: I do not use 
"interfaces=%defaultroute" and "left=%defaultroute", since this would 
point to 192.168.0.1, which is not involved in this setup)

On both sides, ipsec is started over the init script. And then, on the 
vpnclient, I start the connection with

# ipsec auto --up roadwarrior

and check the status on both sides with

# ipsec auto --status

The result looks good; there is an "IPsec SA established" on both sides. 
And data can be exchanged, e.g. a ping or ssh from the vpnclient to the 
vpngateway and vice versa is working, while tcpdump shows all these 
ESP connections and only them.

But any other destination behind the vpngateway cannot be reached. For 
example, let's run a ping on the vpnclient to any valid destination; let's 
take 192.168.0.3 in the private network, which can be resolved to 
anydestination.example.com. tcpdump on vpnclient gives:

14:50:05.020033 IP 192.168.0.37 > 192.168.0.34: ESP(spi=0x75c766d8,seq=0xd43)

tcpdump on vpngateway gives:

14:50:05.231591 IP vpnclient.example.com > vpngateway.example.com: ESP(spi=0x75c766d8,seq=0xdc6)
14:50:05.231591 IP vpnclient.example.com > anydestination.example.com: icmp 64: echo request seq 1

As can be seen, the vpngateway gets the ESP data and passes the request 
further to the host anydestination - but the request leaves the 
vpngateway in the name of the vpnclient. The host anydestination, on the 
other hand, does not see anything of this request, at least not with 
tcpdump, and does not give any answer. Therefore, vpngateway does not 
get an answer, and neither does vpnclient.


I assume I missed something in order to get a proper routing - are there 
any ideas?

Stefan
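An added illustration, not from the post or from Openswan: a small model of the traffic selectors the two "conn roadwarrior" definitions above install, used to trace the ping from the post (192.168.0.37 to 192.168.0.3) through them. It assumes Openswan's default that an omitted subnet means the host's own address (/32) and that right=%any on the gateway has been instantiated with the client's address; forwarding on the gateway itself is outside the model.

```python
import ipaddress

# Constructed from the two ipsec.conf fragments in the post.
# None stands for an omitted subnet, which Openswan treats as <host>/32.
GATEWAY_CONN = {"left": "192.168.0.34", "leftsubnet": "0.0.0.0/0",
                "right": "192.168.0.37", "rightsubnet": None}   # right=%any, instantiated
CLIENT_CONN = {"left": "192.168.0.37", "leftsubnet": None,
               "right": "192.168.0.34", "rightsubnet": "0.0.0.0/0"}

LAN = ipaddress.ip_network("192.168.0.0/24")   # the private network from the post


def selectors(conn):
    """Return (local_net, remote_net) that this conn protects on the host owning 'left'."""
    local = ipaddress.ip_network(conn["leftsubnet"] or conn["left"] + "/32")
    remote = ipaddress.ip_network(conn["rightsubnet"] or conn["right"] + "/32")
    return local, remote


def covered(conn, src, dst):
    """True if the host's policy for this conn requires src->dst to travel inside the tunnel.

    The same selector pair is installed in both directions, so dst->src is covered as well."""
    local, remote = selectors(conn)
    return ipaddress.ip_address(src) in local and ipaddress.ip_address(dst) in remote


def trace_ping(src, dst):
    """Follow an echo request and its reply through the posted policies."""
    result = {}
    # 1. The client's rightsubnet=0.0.0.0/0 covers every destination, so the
    #    request leaves as ESP to 192.168.0.34 (matches the first tcpdump line).
    result["client_encrypts_request"] = covered(CLIENT_CONN, src, dst)
    # 2. The gateway's selector is <anything> <-> <client>/32, so it accepts the
    #    request and, with no NAT in the conn, forwards it with src still = client.
    result["gateway_accepts_request"] = covered(GATEWAY_CONN, dst, src)
    # 3. The destination and the client sit on the same /24: the reply is sent
    #    straight to the client over the LAN, and the gateway never sees it.
    result["reply_bypasses_gateway"] = (ipaddress.ip_address(dst) in LAN
                                        and ipaddress.ip_address(src) in LAN)
    # 4. The client's own policy nevertheless expects that reply inside the tunnel.
    result["client_expects_reply_in_tunnel"] = covered(CLIENT_CONN, src, dst)
    return result
```

For the ping in the post every flag comes back True, which shows that even once the gateway forwards the request, the return path from a host on the same LAN does not go through the tunnel the client's policy requires.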