[Openswan Users] Roadwarrior and route troubles

John A. Sullivan III jsullivan at opensourcedevel.com
Thu Sep 1 08:30:17 CEST 2005


On Thu, 2005-09-01 at 12:22 +0200, Vincent SCHULTZ wrote:
> Hello,
> 
> Can someone answer my mail please or point me in the right direction ? I am really stuck and I don't understand why.
> 
> Thank you,
> 
> Vincent
> 
> On Wednesday, 31 August 2005 at 16:11 +0200, Vincent SCHULTZ wrote:
> > Paul and the list,
> > 
> > Ok, I cleaned my configuration files of comments and tests; here they are on the SGW:
> > 
> > version 2.0 
> > config setup
> >         interfaces=%defaultroute
> >         nat_traversal=yes
> >         virtual_private=%v4:192.168.10.0/24
> >         klipsdebug=none
> >         plutodebug="control"
> > conn %default
> >         compress=no
> >         authby=rsasig
> > conn roadwarrior
> >         left=152.18.31.45
> >         leftsubnet=10.10.45.0/24
> >         leftrsasigkey=%cert
> >         leftcert=sgw1-crt.pem
> >         right=%any
> >         rightsubnet=vhost:%priv
> >         rightrsasigkey=%cert
> >         auto=add
> > include /etc/ipsec.d/examples/no_oe.conf
> > 
> > And on the mobile Linux:
> > 
> > version 2.0
> > config setup
> >         interfaces=%defaultroute
> >         nat_traversal=yes
> >         klipsdebug=none
> >         plutodebug="control"
> > conn %default
> >         compress=no
> >         authby=rsasig
> > conn roadwarrior
> >         left=%defaultroute
> >         leftsubnet=192.168.10.222/32
> >         leftrsasigkey=%cert
> >         leftcert=mclient1-crt.pem
> >         right=152.18.31.45
> >         rightsubnet=10.10.45.0/24
> >         rightrsasigkey=%cert
> >         rightcert=sgw1-crt.pem
> >         auto=add
> > include /etc/ipsec.d/examples/no_oe.conf
> > 
> > From the mobile I can ping the SGW:
> > 
> > # ping 152.18.31.45
> > PING 152.18.31.45 (152.18.31.45) 56(84) bytes of data.
> > 64 bytes from 152.18.31.45: icmp_seq=0 ttl=63 time=1.40 ms
> > 64 bytes from 152.18.31.45: icmp_seq=1 ttl=63 time=0.249 ms
> > 
> > When I start the connection on the mobile computer:
> > 
> > # ipsec auto --up roadwarrior
> > 104 "roadwarrior" #1: STATE_MAIN_I1: initiate
> > 003 "roadwarrior" #1: received Vendor ID payload [Openswan (this version) 2.3.1  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
> > 003 "roadwarrior" #1: received Vendor ID payload [Dead Peer Detection]
> > 003 "roadwarrior" #1: received Vendor ID payload [RFC 3947] method set to=109
> > 106 "roadwarrior" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> > 003 "roadwarrior" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
> > 108 "roadwarrior" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> > 004 "roadwarrior" #1: STATE_MAIN_I4: ISAKMP SA established
> > 117 "roadwarrior" #2: STATE_QUICK_I1: initiate
> > 004 "roadwarrior" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x77d63dbc <0x9c8c9dea xfrm=AES_0-HMAC_SHA1}
> > 
> > But I cannot ping a client in the 10.10.45.0 LAN; the packet does not reach the SGW.
> > 
> > On the SGW:
> > 
> > # more /proc/sys/net/ipv4/conf/all/rp_filter
> > 0
> > # more /proc/sys/net/ipv4/ip_forward
> > 1
> > 
> > And some questions in the text:
> > 
> > On Wednesday, 31 August 2005 at 15:31 +0200, Paul Wouters wrote:
> > On Wed, 31 Aug 2005, Vincent SCHULTZ wrote:
> > > 
> > > > When I start the roadwarrior connection on the client everything seems OK:
> > > 
> > > > 004 "roadwarrior" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x89345bb7 <0xf148d9f1 xfrm=AES_0-HMAC_SHA1}
> > > 
> > > > But a ping from the mobile to the client 10.10.45.16 does not work; in fact the ping cannot reach the SGW. I have network and route troubles then. When I run route on the mobile client I get:
> > > 
> > > check with 'ipsec verify'
> > > 
> > > > # route -n
> > > > Table de routage IP du noyau
> > > > Destination  Passerelle    Genmask        Indic Metric Ref Use Iface
> > > > 203.41.30.0  0.0.0.0       255.255.255.0  U     0      0     0 eth0
> > > > 10.10.45.0   203.41.30.254 255.255.255.0  UG    0      0     0 eth0
> > > > 169.254.0.0  0.0.0.0       255.255.0.0    U     0      0     0 eth0
> > > > 0.0.0.0      203.41.30.254 0.0.0.0        UG    0      0     0 eth0
> > > >
> > > > It's a bit weird to have 203.41.30.254 as the gateway to reach the 10.10.45.0 network, isn't it? It should be 152.18.31.45.
> > > 
> > > The ip address must come from somewhere. I
> > > 
> > This is the gateway on the other network where the mobile linux is located.
> > 
<snip>
If you trace the packets leaving the external interface of the mobile
device when you ping 10.10.45.16 (e.g., with tcpdump: tcpdump -l -n -i
eth? host 203.41.30.?), what do you see? Do you see pings directed to
10.10.45.16 or do you see ESP packets directed to 152.18.31.45?
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net
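As an added example (not from John's mail or the Openswan project), a small POSIX sh triage of the tcpdump output John asks for: it counts ESP packets to the SGW versus cleartext echo requests to the 10.10.45.0 LAN leaving the mobile's external interface, and reports whether the tunnel is actually being used. The capture lines are constructed, and the mobile's outer address 203.41.30.10 is assumed.

```shell
#!/bin/sh
# Added example: classify tcpdump -n output from the mobile host's external
# interface. Addresses are taken from the thread; the capture is constructed.
SGW=152.18.31.45
REMOTE_LAN_PREFIX=10.10.45.

# Constructed sample capture: two ESP packets to the SGW and one ping to the
# remote LAN host that left in cleartext (i.e. the IPsec policy did not match).
SAMPLE_CAPTURE='12:22:01.000001 IP 203.41.30.10 > 152.18.31.45: ESP(spi=0x77d63dbc,seq=0x1), length 116
12:22:01.000002 IP 203.41.30.10 > 152.18.31.45: ESP(spi=0x77d63dbc,seq=0x2), length 116
12:22:02.000001 IP 203.41.30.10 > 10.10.45.16: ICMP echo request, id 1234, seq 1, length 64'

# classify_capture: reads tcpdump lines on stdin and prints
# "esp=<n> clear=<n> verdict=<encapsulated|leaking-cleartext|no-traffic>".
classify_capture() {
    esp=0
    clear=0
    while IFS= read -r line; do
        case "$line" in
            *" > $SGW: ESP("*)
                esp=$((esp + 1)) ;;                     # encrypted to the gateway
            *" > $REMOTE_LAN_PREFIX"*": ICMP echo request"*)
                clear=$((clear + 1)) ;;                 # inner destination in the clear
        esac
    done
    # Any cleartext ping to the remote LAN means the tunnel is being bypassed,
    # regardless of how much ESP is also present.
    if [ "$clear" -gt 0 ]; then
        verdict=leaking-cleartext
    elif [ "$esp" -gt 0 ]; then
        verdict=encapsulated
    else
        verdict=no-traffic
    fi
    echo "esp=$esp clear=$clear verdict=$verdict"
}

# Stand-alone run against the constructed sample. On the real host, feed
# "tcpdump -l -n -i eth0 host 203.41.30.10" into classify_capture instead.
printf '%s\n' "$SAMPLE_CAPTURE" | classify_capture
```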


