[Openswan Users]
Cannot access IPSec gateway after IPSec tunnel comes up when using rightsubnet=0.0.0.0/0
Alex
alexb at eandj.homeip.net
Fri Nov 11 11:36:14 CET 2005
I've researched this issue but I have not been able to find a solution.
We would like all traffic from the remote subnet to go through the
tunnel, including Internet traffic. When the tunnel comes up, it works
as expected. All traffic goes through the tunnel.
Then, we experience two challenges.
1. We can no longer access the external interface of the left gateway
from the Internet. When doing a tcpdump, we see our SSH requests coming
in from the Internet but we see the replies being sent through the IPSec
tunnel. We can only access the left gateway through the IPSec tunnel
from the right side.
After the tunnel comes up, this is the routing table. Is this normal?
Is that 128.0.0.0 route for opportunistic encryption? What is that?
[root@state root]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
2.2.2.0         0.0.0.0         255.255.255.0   U     0      0        0 eth0
2.2.2.0         0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
10.1.38.0       0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         2.2.2.1         128.0.0.0       UG    0      0        0 ipsec0
128.0.0.0       2.2.2.1         128.0.0.0       UG    0      0        0 ipsec0
0.0.0.0         2.2.2.1         0.0.0.0         UG    0      0        0 eth0
[root@state root]#
2. After several hours, around 12, the tunnel will drop and it does not
restart automatically. The tunnel has to be restarted manually and we
see the following errors in the log.
Nov 9 13:49:43 state pluto[8973]: packet from 1.1.1.2:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Nov 9 13:49:43 state pluto[8973]: packet from 1.1.1.2:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Nov 9 13:49:43 state pluto[8973]: packet from 1.1.1.2:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Nov 9 13:49:43 state pluto[8973]: packet from 1.1.1.2:4500: initial Main Mode message received on 2.2.2.2:4500 but no connection has been authorized with policy=RSASIG
Nov 9 13:50:23 state pluto[8973]: packet from 1.1.1.2:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Nov 9 13:50:23 state pluto[8973]: packet from 1.1.1.2:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Nov 9 13:50:23 state pluto[8973]: packet from 1.1.1.2:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Nov 9 13:50:23 state pluto[8973]: packet from 1.1.1.2:4500: initial Main Mode message received on 2.2.2.2:4500 but no connection has been authorized with policy=RSASIG
Why would it tell me no connection has been authorized with
policy=RSASIG when I have it explicitly stated in the ipsec.conf?
Does anyone know how I can fix this?
Setup is as follows:
Net-to-Net
Openswan 1.0.7 on both gateways (One gateway behind NATed PIX).
Red Hat 7.3 on both gateways
ipsec.conf for the left side:
(IPs have been changed to protect the innocent)
# basic configuration
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes
        nat_traversal=yes

conn %default
        keyingtries=0
        disablearrivalcheck=no

conn state-centraloffice
        authby=rsasig
        auto=add
        keyingtries=0
        left=%defaultroute
        leftid=@state.machine.com
        leftrsasigkey=[left rsasig....]
        leftsubnet=10.1.38.0/24
        right=1.1.1.2
        rightid=@centraloffice.machine.com
        rightnexthop=1.1.1.1
        rightrsasigkey=[right rsasig...]
        rightsubnet=0.0.0.0/0
ipsec.conf for the right side (this one is behind the NATed PIX):
# basic configuration
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=all
        plutoload=%search
        plutostart=%search
        nat_traversal=yes
        uniqueids=yes

conn %default
        keyingtries=0
        disablearrivalcheck=no

conn state-centraloffice
        authby=rsasig
        auto=start
        keyingtries=0
        left=2.2.2.2
        leftid=@state.machine.com
        leftnexthop=2.2.2.1
        leftrsasigkey=[left rsasig . . .]
        leftsubnet=10.1.38.0/24
        right=%defaultroute
        rightnexthop=
        rightid=@centraloffice.machine.com
        rightrsasigkey=[right rsasig . . .]
        rightsubnet=0.0.0.0/0
Thanks for any help you can give.
Alex
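Editor's worked example (added here; not part of Alex's post and not Openswan code). The first question in the post, why SSH replies from the left gateway leave through ipsec0, is answered by the routing table itself. A Genmask of 128.0.0.0 is a /1, so the two entries 0.0.0.0/1 and 128.0.0.0/1 via ipsec0 together cover all of IPv4, and because /1 is longer than /0 they beat the default route via eth0 on every lookup without replacing it. That is how Openswan installs a rightsubnet=0.0.0.0/0 tunnel; it has nothing to do with opportunistic encryption. The script below re-reads the `route -n` listing from the post (embedded as a constructed string) and runs the kernel's longest-prefix-match rule over it, then reports which entries can never be selected. Tie-breaking on equal prefix length is simplified to "first listed wins".

```python
"""Longest-prefix-match simulation over the routing table quoted in the post.

Added example, not part of the original mailing-list post. It shows that the
two /1 routes via ipsec0 shadow the default route via eth0, which is why any
Internet-bound reply generated on the left gateway is handed to ipsec0.
"""
import ipaddress

# The `route -n` body from the post, embedded here as a constructed string.
ROUTE_N_OUTPUT = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
2.2.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
2.2.2.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
10.1.38.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 2.2.2.1 128.0.0.0 UG 0 0 0 ipsec0
128.0.0.0 2.2.2.1 128.0.0.0 UG 0 0 0 ipsec0
0.0.0.0 2.2.2.1 0.0.0.0 UG 0 0 0 eth0
"""


def parse_route_n(text):
    """Parse `route -n` lines into (network, gateway, iface) tuples.

    Destination + Genmask are combined into one prefix, so 0.0.0.0 with
    Genmask 128.0.0.0 becomes 0.0.0.0/1 rather than looking like a default.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Destination":
            continue  # header line or noise
        dest, gateway, genmask, _flags, _metric, _ref, _use, iface = fields
        net = ipaddress.ip_network(f"{dest}/{genmask}", strict=False)
        routes.append((net, gateway, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the matching entry with the longest mask wins.

    On equal prefix length the first listed entry is kept; this is a
    simplification of the kernel's metric and ordering rules.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for entry in routes:
        net = entry[0]
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = entry
    return best


def is_shadowed(routes, entry):
    """True when strictly more specific entries cover every address of `entry`,
    so longest-prefix match can never choose it.  Equal-length duplicates
    (the two 2.2.2.0/24 lines) are deliberately not counted."""
    net = entry[0]
    remaining = [net]
    for other, _gw, _iface in routes:
        if other.prefixlen <= net.prefixlen or not other.subnet_of(net):
            continue
        kept = []
        for piece in remaining:
            if piece.subnet_of(other):
                continue  # piece lies entirely inside the more specific route
            if other.subnet_of(piece):
                kept.extend(piece.address_exclude(other))  # carve it out
            else:
                kept.append(piece)
        remaining = kept
        if not remaining:
            return True
    return not remaining


def shadowed_routes(routes):
    """Human-readable list of entries that can never be selected."""
    return [f"{net} via {iface}" for net, gw, iface in routes
            if is_shadowed(routes, (net, gw, iface))]


if __name__ == "__main__":
    table = parse_route_n(ROUTE_N_OUTPUT)
    for dst in ("8.8.8.8", "200.1.1.1", "10.1.38.5", "1.1.1.2"):
        net, gw, iface = lookup(table, dst)
        print(f"{dst:>10} -> {net} via {gw} dev {iface}")
    print("never selected:", shadowed_routes(table))
```

Running it shows that every address outside the directly connected subnets, including the Internet-side SSH client and the IKE peer 1.1.1.2, resolves to one of the two /1 entries on ipsec0, and that the `0.0.0.0/0 via eth0` entry is the only route in the table that is never selected. That is exactly the symptom in the post: the gateway's own replies follow the tunnel policy, not eth0.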