[Openswan Users] Problem with 2 tunnels to same network
dleece at newnet21.com
Wed Dec 6 23:33:20 EST 2006
Thanks for taking the time on this one, I ran a few checks and this looks worse than I thought.
Indeed teh rp_filter was set to 1 on the external interface, I know it should be 0, did that and suddnely tunnels work as expected. Since I moved platforms I had to change a bunch of stuff and I must have missed that one.
The second matter is this error message I get when I run ipsec verify.
Checking tun0x109c at 220.127.116.11 from 192.168.100.0/24 to 192.168.59.0/27 [FAILED]
eth0_masq from 0.0.0.0/0 to 0.0.0.0/0 kills tunnel 0.0.0.0/0 -> 192.168.59.0/27
Checking tun0x109a at 18.104.22.168 from 192.168.100.0/24 to 192.168.150.0/24 [FAILED]
eth0_masq from 0.0.0.0/0 to 0.0.0.0/0 kills tunnel 0.0.0.0/0 -> 192.168.150.0/24
Checking tun0x109e at 22.214.171.124 from 192.168.100.0/24 to 192.168.200.0/24 [FAILED]
eth0_masq from 0.0.0.0/0 to 0.0.0.0/0 kills tunnel 0.0.0.0/0 -> 192.168.200.0/24
Checking tun0x10aa at 126.96.36.199 from 192.168.100.0/24 to 188.8.131.52/32 [FAILED]
eth0_masq from 0.0.0.0/0 to 0.0.0.0/0 kills tunnel 0.0.0.0/0 -> 184.108.40.206/32
Checking tun0x10a0 at 220.127.116.11 from 192.168.100.0/24 to 18.104.22.168/32 [FAILED]
eth0_masq from 0.0.0.0/0 to 0.0.0.0/0 kills tunnel 0.0.0.0/0 -> 22.214.171.124/32
This looks like it is an IPTABLES issue but the traffic is flowing just the same. The strange thing is I don't want a tunnel from 0.0.0.0/0 -> 192.168.59.0/27 for example, the tunnels are either lan to lan or gateway to lan, we don't use the ipsec gateways for road warriors. Any ideas on that? have I incorrectly defined the ipsec interface in ipsec.conf?
# basic configuration
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
# Debug-logging controls: "none" for (almost) none, "all" for lots.
Thanks again for the tip on rp_filter, I was really starting to wonder about these problems I was having.
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Tuesday, December 05, 2006 11:50 PM
To: Douglas Leece
Cc: users at openswan.org
Subject: Re: [Openswan Users] Problem with 2 tunnels to same network
On Tue, 5 Dec 2006, Douglas Leece wrote:
> I have been a freeswan users for years and never really had a lot of issues with it, unfortunatly I have found Openswan to be a bit more difficult to get going. The Freeswan config I am replacing required a tunnel from LAN A to LAN B and that was easy to replicate. The problem seems to come in with the second tunnel that goes from the external IP of LAN B's gateway to LAN A. We use this second tunnel to replicate DNS zone data from LAN A to the Gateway serving LAN B.
What does ipsec verify say? Does it complain about rp_filter or
redirects that should be changed?
What happens if you add "failureshunt=clear" to config setup? It's not the
right solution, but it might give us an idea where the problem is.
> I have rolled back to 2.4-33 on Fedora because I can't seem to get Openswan to run on any version of 2.6 using netkey. We ran for years with almost no issues using 2.4.18 and superfreeswan 1.99 on Debian and I used these configs as the basis for the new build because I thought we where just upgrading.
Let's hope klips and netkey merge soon.....
> Can Openswan support such a configuration? There are two seperate routes on the machines one for the lan to lan and the other for lan to gateway external IP. Both tunnels negotiate and connect fine but the traffic from LAN A to LAN B does not flow when the gateway to LAN A tunnel is also up. When the gateway to LAN tunnel comes down then it seems to work fine.
It should work.
> On a second note, is there any version of OpenSwan that works on a current Linux distro with out patching the kernel? I have been through memory leaks, daemons crashing, mismatched tunnels and terrrible service trying to use various version of 2.6 kernel and the openswan tools. I like Debian but I can certainly use RHEL or even Unbutu if there is a trouble free build out there, I am quite concerned that patching 2.6 with klips might cause problems with upgrades later so if I can stay with a stock kernel that would be a lot better.
If you have issues with 2.4.7, please let us know so we can address them.
Building and integrating Virtual Private Networks with Openswan:
More information about the Users