[Openswan Users] Cannot access IPSec gateway after IPSec tunnel comes up when using rightsubnet=0.0.0.0/0

Alex alexb at eandj.homeip.net
Fri Nov 11 11:36:14 CET 2005


I've researched this issue but I have not been able to find a solution.

We would like all traffic from the remote subnet to go through the 
tunnel, including Internet traffic.  When the tunnel comes up, it works 
as expected.  All traffic goes through the tunnel. 

Then, we experience two challenges.

1.  We can no longer access the external interface of the left gateway 
from the Internet.  When doing a tcpdump, we see our SSH requests coming 
in from the Internet but we see the replies being sent through the IPSec 
tunnel.  We can only access the left gateway through the IPSec tunnel 
from the right side.

After the tunnel comes up, this is the routing table.  Is this normal?  
Is that 128.0.0.0 route for opportunistic encryption?  What is that?

[root@state root]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
2.2.2.0         0.0.0.0         255.255.255.0   U     0      0        0 eth0
2.2.2.0         0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
10.1.38.0       0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         2.2.2.1         128.0.0.0       UG    0      0        0 ipsec0
128.0.0.0       2.2.2.1         128.0.0.0       UG    0      0        0 ipsec0
0.0.0.0         2.2.2.1         0.0.0.0         UG    0      0        0 eth0
[root@state root]#



2.  After several hours, around 12, the tunnel will drop and it does not 
restart automatically.  The tunnel has to be restarted manually and we 
see the following errors in the log.

Nov  9 13:49:43 state pluto[8973]: packet from 1.1.1.2:4500: received 
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Nov  9 13:49:43 state pluto[8973]: packet from 1.1.1.2:4500: ignoring 
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Nov  9 13:49:43 state pluto[8973]: packet from 1.1.1.2:4500: ignoring 
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Nov  9 13:49:43 state pluto[8973]: packet from 1.1.1.2:4500: initial 
Main Mode message received on 2.2.2.2:4500 but no connection has been 
authorized with policy=RSASIG
Nov  9 13:50:23 state pluto[8973]: packet from 1.1.1.2:4500: received 
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Nov  9 13:50:23 state pluto[8973]: packet from 1.1.1.2:4500: ignoring 
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Nov  9 13:50:23 state pluto[8973]: packet from 1.1.1.2:4500: ignoring 
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Nov  9 13:50:23 state pluto[8973]: packet from 1.1.1.2:4500: initial 
Main Mode message received on 2.2.2.2:4500 but no connection has been 
authorized with policy=RSASIG

Why would it tell me no connection has been authorized with 
policy=RSASIG when I have it explicitly stated in the ipsec.conf?

Does anyone know how I can fix this?

Setup is as follows:

Net-to-Net
Openswan 1.0.7 on both gateways (One gateway behind NATed PIX).
Redhat 7.3 on both gateways

ipsec.conf for left side:
(IPs have been changed to protect the innocent)

# basic configuration
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes
        nat_traversal=yes

conn %default
        keyingtries=0
        disablearrivalcheck=no

conn state-centraloffice
        authby=rsasig
        auto=add
        keyingtries=0
        left=%defaultroute
        leftid=@state.machine.com
        leftrsasigkey=[left rsasig....]
        leftsubnet=10.1.38.0/24
        right=1.1.1.2
        rightid=@centraloffice.machine.com
        rightnexthop=1.1.1.1
        rightrsasigkey=[right rsasig...]
        rightsubnet=0.0.0.0/0


ipsec.conf for the right side (this one is behind the NATed PIX)

# basic configuration
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=all
        plutoload=%search
        plutostart=%search
        nat_traversal=yes
        uniqueids=yes

conn %default
        keyingtries=0
        disablearrivalcheck=no

conn state-centraloffice
        authby=rsasig
        auto=start
        keyingtries=0
        left=2.2.2.2
        leftid=@state.machine.com
        leftnexthop=2.2.2.1
        leftrsasigkey=[left rsasig . . .]
        leftsubnet=10.1.38.0/24
        right=%defaultroute
        rightnexthop=
        rightid=@centraloffice.machine.com
        rightrsasigkey=[right rsasig . . .]
        rightsubnet=0.0.0.0/0

Thanks for any help you can give.

Alex
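As an added illustration, not part of Alex's post or of Openswan's own code: the two entries with genmask 128.0.0.0 are the 0.0.0.0/1 and 128.0.0.0/1 routes that Openswan's updown script installs for a 0.0.0.0/0 subnet, so that they beat the real default route on longest-prefix match without replacing it. The script below parses the routing table quoted above and simulates the kernel's lookup, which is why replies to an SSH client on the Internet leave through ipsec0 instead of eth0; the client addresses are constructed test values.

```python
import ipaddress

# Constructed from the `route -n` output quoted in the post (header row kept).
ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
2.2.2.0         0.0.0.0         255.255.255.0   U     0      0        0 eth0
2.2.2.0         0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
10.1.38.0       0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         2.2.2.1         128.0.0.0       UG    0      0        0 ipsec0
128.0.0.0       2.2.2.1         128.0.0.0       UG    0      0        0 ipsec0
0.0.0.0         2.2.2.1         0.0.0.0         UG    0      0        0 eth0
"""


def parse_routes(text):
    """Parse `route -n` output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header row
        dest, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        # ipaddress accepts a dotted genmask after the slash; strict=False
        # tolerates host bits so a /1 written as 0.0.0.0/128.0.0.0 parses.
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match over the table. All metrics are 0 here, so
    ties are broken by table order (a simplification of kernel behaviour)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def tunnel_captures_default(routes):
    """True when 0.0.0.0/1 and 128.0.0.0/1 both point into ipsec0, i.e. the
    pair shadows the 0.0.0.0/0 default route for every non-local destination."""
    halves = {str(n) for n, _gw, iface in routes
              if n.prefixlen == 1 and iface == "ipsec0"}
    return halves == {"0.0.0.0/1", "128.0.0.0/1"}


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    for client in ("192.0.2.10", "100.100.100.100", "10.1.38.5"):  # constructed
        net, gw, iface = lookup(table, client)
        print(f"{client:16} -> {str(net):14} via {gw:8} dev {iface}")
    print("default route shadowed by tunnel:", tunnel_captures_default(table))
```

Any address outside the directly connected subnets matches one of the two /1 routes before it can reach the eth0 default, which is the behaviour seen in the tcpdump.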
