[Openswan Users] (fwd) FreeSWAN: Problems with IP forwarding between tunnels

Joern Bredereck jb at bw-networx.net
Fri Jan 20 00:17:03 CET 2006


Hi,

I would be glad if someone could help me with the following problem 
(sorry for my poor English, btw).

A Linux router (Debian Linux with 2.4 kernel and FreeS/WAN 2.x) connects 
several IPSec tunnels on 2 physical interfaces (eth0, eth1) from several 
peers (other Linux routers or hardware routers such as Draytek Vigor).

The routing between subnets which are connected through ipsec0 and 
subnets which are connected through ipsec1 works without any problems.

What doesn't work is the routing between subnets which are only 
connected through ipsec1 for in- and outbound traffic.

IP forwarding is activated on all interfaces:

firegate:~# cat /proc/sys/net/ipv4/ip_forward
1

firegate:~# for i in `ls /proc/sys/net/ipv4/conf`; do echo "$i: `cat /proc/sys/net/ipv4/conf/$i/forwarding`"; done
all: 1
default: 1
eth0: 1
eth1: 1
ipsec0: 1
ipsec1: 1
lo: 1

There are no blocking iptables rules (I unloaded iptables completely to 
make sure iptables doesn't block anything).

I disabled the source routing filter:

firegate:~# for i in `ls /proc/sys/net/ipv4/conf`; do echo "$i: `cat /proc/sys/net/ipv4/conf/$i/rp_filter`"; done
all: 0
default: 0
eth0: 0
eth1: 0
ipsec0: 0
ipsec1: 0
lo: 0

The routing table looks like this (public IPs replaced by x for privacy 
reasons):


firegate:~# ip route show
213.xxx.xxx.64/28 via 192.168.153.1 dev ipsec0
192.168.5.0/24 via 192.168.153.1 dev ipsec0
192.168.151.0/24 via 192.168.153.1 dev eth0
172.16.0.0/24 via 213.xxx.xxx.3 dev ipsec1
10.10.98.0/24 via 213.xxx.xxx.3 dev ipsec1
192.168.170.0/24 via 213.xxx.xxx.3 dev ipsec1
192.168.154.0/24 via 192.168.153.1 dev eth0
192.168.200.0/24 via 213.xxx.xxx.3 dev ipsec1
10.10.94.0/24 via 213.xxx.xxx.3 dev ipsec1
192.168.153.0/24 dev eth0  proto kernel  scope link  src 192.168.153.99
192.168.153.0/24 dev ipsec0  proto kernel  scope link  src 192.168.153.99
192.168.152.0/24 via 192.168.153.1 dev eth0
213.xxx.xxx.0/24 dev eth1  proto kernel  scope link  src 213.xxx.xxx.23
213.30.205.0/24 dev ipsec1  proto kernel  scope link  src 213.xxx.xxx.23
192.168.27.0/24 via 213.xxx.xxx.3 dev ipsec1
192.168.0.0/16 via 192.168.153.1 dev ipsec0
172.16.0.0/12 via 192.168.153.1 dev eth0
10.0.0.0/8 via 192.168.153.1 dev eth0
default via 213.xxx.xxx.3 dev eth1

Pinging from subnet 192.168.170.0 to subnet 192.168.27.0, I can see the 
echo request with tcpdump on the router:

03:44:40.393518 192.168.170.99 > 192.168.27.1: icmp: echo request
03:44:40.393582 192.168.170.99 > 192.168.27.1: icmp: echo request

Tcpdump on the IPSec router of the subnet 192.168.27.0 doesn't show any 
incoming traffic at all. It looks as if the central router (firegate) 
doesn't forward the packets into the tunnel to the subnet 192.168.27.0.

Pinging from ipsec0-subnets to ipsec1 subnets and vice versa works 
without any problems:


03:48:50.908279 192.168.170.99 > 192.168.2.98: icmp: echo request
03:48:50.925251 192.168.2.98 > 192.168.170.99: icmp: echo reply

03:58:41.549279 192.168.2.98 > 192.168.27.1: icmp: echo request (DF)
03:58:41.619835 192.168.27.1 > 192.168.2.98: icmp: echo reply (DF)

Any idea what could cause this? Why are there no packets being forwarded 
between ipsec1 tunnels? What can I do to troubleshoot this problem? Any 
help appreciated!

Thanks in advance!

Joern
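Added example, not part of the post or of FreeS/WAN: a small Python script that replays the routing table quoted above and, for each of the flows Joern tested, works out the ingress and egress interface by longest-prefix match, flagging flows that would leave on the same ipsecN interface they arrived on. It assumes symmetric routing (ingress is inferred from the route back to the source), and the masked "xxx" octets are mapped to 0 purely so that prefix lengths can be compared.

```python
import ipaddress

# Routing table as printed by `ip route show` in the post (public IPs masked by
# the author; "xxx" is mapped to 0 only so that prefix lengths can be compared).
IP_ROUTE_SHOW = """\
213.xxx.xxx.64/28 via 192.168.153.1 dev ipsec0
192.168.5.0/24 via 192.168.153.1 dev ipsec0
192.168.151.0/24 via 192.168.153.1 dev eth0
172.16.0.0/24 via 213.xxx.xxx.3 dev ipsec1
10.10.98.0/24 via 213.xxx.xxx.3 dev ipsec1
192.168.170.0/24 via 213.xxx.xxx.3 dev ipsec1
192.168.154.0/24 via 192.168.153.1 dev eth0
192.168.200.0/24 via 213.xxx.xxx.3 dev ipsec1
10.10.94.0/24 via 213.xxx.xxx.3 dev ipsec1
192.168.153.0/24 dev eth0  proto kernel  scope link  src 192.168.153.99
192.168.153.0/24 dev ipsec0  proto kernel  scope link  src 192.168.153.99
192.168.152.0/24 via 192.168.153.1 dev eth0
213.xxx.xxx.0/24 dev eth1  proto kernel  scope link  src 213.xxx.xxx.23
213.30.205.0/24 dev ipsec1  proto kernel  scope link  src 213.xxx.xxx.23
192.168.27.0/24 via 213.xxx.xxx.3 dev ipsec1
192.168.0.0/16 via 192.168.153.1 dev ipsec0
172.16.0.0/12 via 192.168.153.1 dev eth0
10.0.0.0/8 via 192.168.153.1 dev eth0
default via 213.xxx.xxx.3 dev eth1
"""

def parse_routes(text):
    """Return [(network, device)] from `ip route show` output, in table order."""
    routes = []
    for fields in (l.split() for l in text.splitlines() if l.strip()):
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0].replace("xxx", "0")
        routes.append((ipaddress.ip_network(dst, strict=False), fields[fields.index("dev") + 1]))
    return routes

def egress_device(routes, ip):
    """Longest-prefix match; on equal prefix length the route listed first wins."""
    addr = ipaddress.ip_address(ip)
    candidates = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(candidates, key=lambda c: c[0])[1]

def classify_flow(routes, src_ip, dst_ip):
    """(ingress, egress, hairpin). Ingress is inferred from the route back to the
    source (symmetric routing assumed); hairpin marks an ipsecN -> ipsecN flow."""
    ingress = egress_device(routes, src_ip)
    egress = egress_device(routes, dst_ip)
    return ingress, egress, ingress == egress and egress.startswith("ipsec")

ROUTES = parse_routes(IP_ROUTE_SHOW)
```

The failing ping (192.168.170.99 to 192.168.27.1) is the only one of the three flows in the post that is classified as a hairpin on ipsec1; the routing table only says the packet reaches ipsec1, and on KLIPS the eroute table (`ipsec eroute`) then decides which SA it gets, so a hairpin flow also needs an eroute covering source subnet to destination subnet.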