[Openswan Users] Roadwarrior and route troubles
Vincent SCHULTZ
vincent.schultz at wanadoo.fr
Thu Sep 1 13:22:41 CEST 2005
Hello,
Can someone please answer my mail or point me in the right direction? I am really stuck and I don't understand why.
Thank you,
Vincent
On Wednesday 31 August 2005 at 16:11 +0200, Vincent SCHULTZ wrote:
> Paul and the list,
>
> Ok, I cleaned my configuration files of comments and tests; here they are on the SGW:
>
> version 2.0
> config setup
> interfaces=%defaultroute
> nat_traversal=yes
> virtual_private=%v4:192.168.10.0/24
> klipsdebug=none
> plutodebug="control"
> conn %default
> compress=no
> authby=rsasig
> conn roadwarrior
> left=152.18.31.45
> leftsubnet=10.10.45.0/24
> leftrsasigkey=%cert
> leftcert=sgw1-crt.pem
> right=%any
> rightsubnet=vhost:%priv
> rightrsasigkey=%cert
> auto=add
> include /etc/ipsec.d/examples/no_oe.conf
>
> And on the mobile Linux:
>
> version 2.0
> config setup
> interfaces=%defaultroute
> nat_traversal=yes
> klipsdebug=none
> plutodebug="control"
> conn %default
> compress=no
> authby=rsasig
> conn roadwarrior
> left=%defaultroute
> leftsubnet=192.168.10.222/32
> leftrsasigkey=%cert
> leftcert=mclient1-crt.pem
> right=152.18.31.45
> rightsubnet=10.10.45.0/24
> rightrsasigkey=%cert
> rightcert=sgw1-crt.pem
> auto=add
> include /etc/ipsec.d/examples/no_oe.conf
>
> From the mobile I can ping the SGW:
>
> # ping 152.18.31.45
> PING 152.18.31.45 (152.18.31.45) 56(84) bytes of data.
> 64 bytes from 152.18.31.45: icmp_seq=0 ttl=63 time=1.40 ms
> 64 bytes from 152.18.31.45: icmp_seq=1 ttl=63 time=0.249 ms
>
> When I start the connection on the mobile computer:
>
> # ipsec auto --up roadwarrior
> 104 "roadwarrior" #1: STATE_MAIN_I1: initiate
> 003 "roadwarrior" #1: received Vendor ID payload [Openswan (this version) 2.3.1 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
> 003 "roadwarrior" #1: received Vendor ID payload [Dead Peer Detection]
> 003 "roadwarrior" #1: received Vendor ID payload [RFC 3947] method set to=109
> 106 "roadwarrior" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "roadwarrior" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
> 108 "roadwarrior" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "roadwarrior" #1: STATE_MAIN_I4: ISAKMP SA established
> 117 "roadwarrior" #2: STATE_QUICK_I1: initiate
> 004 "roadwarrior" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x77d63dbc <0x9c8c9dea xfrm=AES_0-HMAC_SHA1}
>
> But I cannot ping a client in the 10.10.45.0 LAN; the packet does not reach the SGW.
>
> On the SGW:
>
> # more /proc/sys/net/ipv4/conf/all/rp_filter
> 0
> # more /proc/sys/net/ipv4/ip_forward
> 1
>
> And some questions in the text:
>
> On Wednesday 31 August 2005 at 15:31 +0200, Paul Wouters wrote:
> On Wed, 31 Aug 2005, Vincent SCHULTZ wrote:
> >
> > > When I start roadwarrior connection on the client everything seems OK :
> >
> > > 004 "roadwarrior" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x89345bb7 <0xf148d9f1 xfrm=AES_0-HMAC_SHA1}
> >
> > > But a ping from the mobile to the client 10.10.45.16 does not work; in fact the ping cannot reach the SGW. I have network and route troubles then. When I do a route on the mobile client I have:
> >
> > check with 'ipsec verify'
> >
> > > # route -n
> > > Table de routage IP du noyau
> > > Destination Passerelle Genmask Indic Metric Ref Use Iface
> > > 203.41.30.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> > > 10.10.45.0 203.41.30.254 255.255.255.0 UG 0 0 0 eth0
> > > 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
> > > 0.0.0.0 203.41.30.254 0.0.0.0 UG 0 0 0 eth0
> > >
> > > It's a bit weird to have 203.41.30.254 as gateway to reach the 10.10.45.0 network, isn't it? It should be 152.18.31.45.
> >
> > The ip address must come from somewhere. I
> >
> This is the gateway on the other network where the mobile Linux is located.
>
>
> > > Here is my ipsec.conf of the SGW:
> > >
> > > version 2.0
> > > config setup
> > > interfaces=%defaultroute
> > > nat_traversal=yes
> > > virtual_private=%v4:192.168.10.0/24
> > > klipsdebug=none
> > > plutodebug="control"
> > > conn %default
> > > compress=no
> > > authby=rsasig
> > > conn roadwarrior
> > > left=152.18.31.45
> > > leftsubnet=10.10.45.0/24
> > > leftrsasigkey=%cert
> > > leftcert=sgw1-crt.pem
> > > right=%any
> > > rightsubnet=vhost:%priv
> > > #rightsubnet=vhost:%no,%priv
> > > rightrsasigkey=%cert
> > > auto=add
> >
> > I see there is no rightsubnet defined here.
> >
> And the rightsubnet=vhost:%priv is not a good one?
>
> > > include /etc/ipsec.d/examples/no_oe.conf
> > >
> > > And ipsec.conf on the linux mobile :
> > >
> > > version 2.0
> > > config setup
> > > interfaces=%defaultroute
> > > nat_traversal=yes
> > > klipsdebug=none
> > > plutodebug=none
> > > conn %default
> > > compress=no
> > > authby=rsasig
> > > conn roadwarrior
> > > left=%defaultroute
> > > leftsubnet=192.168.10.222/32
> >
> > But there is one here. I do not believe your logs posted were actually
> > using this configuration file. This would never give you an IPsec SA
> > established.
> >
> The 192.168.10.222 is the private IP address I want to give to the mobile box to access the private LAN 10.10.45.0.
>
> > > leftrsasigkey=%cert
> > > leftcert=mclient1-crt.pem
> > > right=152.18.31.45
> > > rightsubnet=10.10.45.0/24
> > > rightrsasigkey=%cert
> > > rightcert=sgw1-crt.pem
> > > auto=add
> > > include /etc/ipsec.d/examples/no_oe.conf
> >
> > If you're back to a configuration that works, check ip_forwarding (it should
> > be enabled on each side that has a subnet behind it) and rp_filter
> > (rp_filter needs to be off).
> >
> > Paul
>
> Thank you,
>
> Vincent
>
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
>
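An added check for the two settings Paul names at the end of his reply; this is example code written for this page, not from the thread or from Openswan. It assumes the standard Linux paths /proc/sys/net/ipv4/ip_forward and /proc/sys/net/ipv4/conf/*/rp_filter and takes the sysctl directory as a parameter so a constructed tree can be checked offline. It goes one step past the `more .../conf/all/rp_filter` shown above: the kernel applies the higher of conf/all and conf/<iface>, so a 0 in `all` alone does not prove reverse-path filtering is off on the interface the tunnel uses.

```shell
#!/bin/sh
# Added example for this page, not code from the thread or from Openswan.
# Checks the two kernel settings Paul points at. rp_filter is evaluated per
# interface because Linux uses max(conf/all, conf/<iface>) for source
# validation, so conf/all/rp_filter=0 on its own does not mean it is off.

# Usage: check_rp_filter [sysctl conf dir]; prints offenders, returns 1 if any.
check_rp_filter() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    all=$(cat "$root/all/rp_filter")
    bad=0
    for dir in "$root"/*/; do
        iface=$(basename "$dir")
        # "all" is folded into every interface below; "default" only seeds
        # interfaces created later, so neither is reported on its own.
        [ "$iface" = "all" ] || [ "$iface" = "default" ] && continue
        val=$(cat "$dir/rp_filter")
        if [ "$all" -gt "$val" ]; then eff=$all; else eff=$val; fi
        if [ "$eff" -ne 0 ]; then
            echo "rp_filter effective=$eff on $iface (all=$all, iface=$val)"
            bad=1
        fi
    done
    return $bad
}

# Usage: check_ip_forward [path]; returns 0 when forwarding is enabled.
check_ip_forward() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# Constructed tree mirroring the SGW output in the thread (all=0, forwarding
# on) but with rp_filter=1 on eth0, the case a single "all" check misses.
make_sample_tree() {
    d=$(mktemp -d)
    for i in all default eth0 lo; do mkdir -p "$d/conf/$i"; done
    echo 0 > "$d/conf/all/rp_filter"
    echo 0 > "$d/conf/default/rp_filter"
    echo 1 > "$d/conf/eth0/rp_filter"
    echo 0 > "$d/conf/lo/rp_filter"
    echo 1 > "$d/ip_forward"
    echo "$d"
}

# Stand-alone run against the constructed tree; omit the arguments to check
# the live host instead.
sample=$(make_sample_tree)
check_ip_forward "$sample/ip_forward" && echo "ip_forward: on"
check_rp_filter "$sample/conf" || echo "rp_filter: fix the interfaces listed above"
```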