[Openswan Users]
Joern Bredereck
jb at bw-networx.net
Fri Jan 20 02:21:30 CET 2006
On Fri, 20 Jan 2006, Paul Wouters wrote:
>> A Linux router (Debian Linux with 2.4 kernel and FreeS/WAN2.x) connects
>> several IPSec tunnels on 2 physical interfaces (eth0,eth1) from several
>> peers (other linux router or hardware routers such as Draytek Vigor).
>
> Note: We of course recommend upgrading to openswan, but....
Upgrading to openswan is on my todo list, but for now I have to live with those
FreeS/WAN boxes for a while...
>> The routing between subnets, which are connected through ipsec0 and
>> subnets which are connected through ipsec1 works without any problems.
>>
>> What doesn't work is the routing between subnets, which are only
>> connected through ipsec1 for in- and outbound traffic
>
> You are aware you cannot just add routes to go over an ipsec interface
> using route add -net, and that you have to build a new tunnel for those
> routes instead?
Yes, of course. And the tunnels through ipsec1 work fine when the traffic for
those tunnels comes from ipsec0. If I had no working tunnels on ipsec1 then I
would have a real problem. :-)
>> firegate:~# ip route show
>> 213.xxx.xxx.64/28 via 192.168.153.1 dev ipsec0
>> 192.168.5.0/24 via 192.168.153.1 dev ipsec0
>> 192.168.151.0/24 via 192.168.153.1 dev eth0
>> 172.16.0.0/24 via 213.xxx.xxx.3 dev ipsec1
>> 10.10.98.0/24 via 213.xxx.xxx.3 dev ipsec1
>> 192.168.170.0/24 via 213.xxx.xxx.3 dev ipsec1
>> 192.168.154.0/24 via 192.168.153.1 dev eth0
>> 192.168.200.0/24 via 213.xxx.xxx.3 dev ipsec1
>> 10.10.94.0/24 via 213.xxx.xxx.3 dev ipsec1
>> 192.168.153.0/24 dev eth0 proto kernel scope link src 192.168.153.99
>> 192.168.153.0/24 dev ipsec0 proto kernel scope link src 192.168.153.99
>> 192.168.152.0/24 via 192.168.153.1 dev eth0
>> 213.xxx.xxx.0/24 dev eth1 proto kernel scope link src 213.xxx.xxx.23
>> 213.30.205.0/24 dev ipsec1 proto kernel scope link src 213.xxx.xxx.23
>> 192.168.27.0/24 via 213.xxx.xxx.3 dev ipsec1
>> 192.168.0.0/16 via 192.168.153.1 dev ipsec0
>> 172.16.0.0/12 via 192.168.153.1 dev eth0
>> 10.0.0.0/8 via 192.168.153.1 dev eth0
>> default via 213.xxx.xxx.3 dev eth1
>
> What does 'ipsec eroute' show? Are there entries there for the "broken"
> routes?
firegate:~# ipsec eroute
4715 0.0.0.0/0 -> 213.30.233.64/28 => tun0x95b3 at 192.168.151.65
0 10.0.0.0/8 -> 192.168.27.0/24 => tun0x9475 at 194.231.29.121
2939 10.10.0.0/16 -> 192.168.5.0/24 => tun0x9447 at 192.168.151.97
0 10.11.1.0/24 -> 192.168.0.0/16 => tun0x944d at 192.168.151.97
0 172.16.0.0/24 -> 192.168.0.0/16 => tun0x9425 at 192.168.151.97
0 192.168.0.0/16 -> 172.16.0.0/24 => tun0x9485 at 217.146.142.98
52 192.168.0.0/16 -> 192.168.27.0/24 => tun0x9474 at 194.231.29.121
7 192.168.0.0/16 -> 192.168.170.0/24 => tun0x9659 at 84.56.238.219
0 192.168.0.0/16 -> 192.168.200.0/24 => tun0x94a9 at 217.146.142.98
0 192.168.5.0/24 -> 10.10.94.0/24 => tun0x962b at 194.231.29.120
0 192.168.5.0/24 -> 10.10.98.0/24 => tun0x9657 at 194.231.29.119
9 192.168.27.0/24 -> 192.168.0.0/16 => tun0x9642 at 192.168.151.97
1866 192.168.170.0/24 -> 192.168.0.0/16 => tun0x9507 at 192.168.151.97
0 192.168.200.0/24 -> 192.168.0.0/16 => tun0x948b at 192.168.151.97
The tunnels and routes are fine, as far as I can see.
>> Pinging from subnet 192.168.170.0 to subnet 192.168.27.0 I can see an
>> echo request with tcpdump on the router:
>>
>> 03:44:40.393518 192.168.170.99 > 192.168.27.1: icmp: echo request
>> 03:44:40.393582 192.168.170.99 > 192.168.27.1: icmp: echo request
>
> Looks like there is just no policy for those routes defined, and they go
> out cleartext.
This should be the right policy:
52 192.168.0.0/16 -> 192.168.27.0/24 => tun0x9474 at 194.231.29.121
And this tunnel works like a charm when the traffic comes from an
ipsec0 tunnel:
03:58:41.549279 192.168.2.98 > 192.168.27.1: icmp: echo request
03:58:41.619835 192.168.27.1 > 192.168.2.98: icmp: echo reply
> I am not sure if I understand your problem or situation entirely though.
Here is my ipsec.conf:
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.11 2003/06/13 23:28:41 sam Exp $
# This file: /usr/local/share/doc/freeswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
#
# Help:
# http://www.freeswan.org/freeswan_trees/freeswan-2.06/doc/quickstart.html
# http://www.freeswan.org/freeswan_trees/freeswan-2.06/doc/config.html
# http://www.freeswan.org/freeswan_trees/freeswan-2.06/doc/adv_config.html
#
# Policy groups are enabled by default. See:
# http://www.freeswan.org/freeswan_trees/freeswan-2.06/doc/policygroups.html
#
# Examples:
# http://www.freeswan.org/freeswan_trees/freeswan-2.06/doc/examples
#
# NOTE(review): as pasted into the mail, the per-section indentation appears
# to have been lost.  In the real file every parameter line after a
# "config" / "conn" header has to be indented, otherwise it is not read as
# part of that section.
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
# Two KLIPS virtual interfaces: ipsec0 rides on eth0 (the 192.168.153.0/24
# side, where this host is 192.168.153.99) and ipsec1 on eth1 (the
# 213.30.205.0/24 side, where this host appears to be 213.30.205.23).
# The conns below come in pairs: each remote /24 reached over an eth1 peer
# is mirrored by a conn that offers the same /24 to the eth0-side peer, so
# this router hairpins traffic between the two sets of tunnels.
config setup
interfaces="ipsec0=eth0 ipsec1=eth1"
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=all
# plutodebug=dns
# Defaults inherited by every conn that does not override them.
conn %default
# Only one attempt to negotiate each connection.
keyingtries=1
keyexchange=ike
disablearrivalcheck=no
# Every peer is authenticated with a pre-shared key (from ipsec.secrets).
authby=secret
auto=add
auth=esp
# pfs=no switches Perfect Forward Secrecy off for every conn below: the ESP
# keys are then derived from the IKE SA's keying material, so compromise of
# that material exposes all tunnels keyed from it.  Prefer pfs=yes where the
# peers support it.
pfs=no
compress=no
# Add connections here.
# pf-versatel: this host is "right" (192.168.153.99, eth0 side); the eth0-side
# gateway 192.168.151.65 owns 213.30.233.64/28.  rightsubnet=0.0.0.0/0.0.0.0
# claims the entire address space on this side, which is what produces the
# "0.0.0.0/0 -> 213.30.233.64/28" entry in ipsec eroute.  auto=add only: the
# peer has to initiate.
conn pf-versatel
left=192.168.151.65
leftsubnet=213.30.233.64/255.255.255.240
leftnexthop=192.168.151.1
# Right security gateway, subnet behind it, next hop toward left.
right=192.168.153.99
rightsubnet=0.0.0.0/0.0.0.0
rightnexthop=192.168.153.1
auto=add
auth=esp
authby=secret
# pf-teleworker: eth0-side peer 192.168.151.97 (192.168.5.0/24) <-> 10.10.0.0/16
# offered by this host.  10.10.0.0/16 does not appear to be local; it
# aggregates the 10.10.94.0/24 and 10.10.98.0/24 networks that arrive over
# the eth1 conns "kurz" and "stark" below.
conn pf-teleworker
left=192.168.151.97
leftnexthop=192.168.151.1
leftsubnet=192.168.5.0/24
right=192.168.153.99
rightnexthop=192.168.153.1
rightsubnet=10.10.0.0/16
auto=start
# stark / kurz: eth1-side peers; this host is "left" (213.30.205.23) and
# presents 192.168.5.0/24, which is itself a remote subnet that reaches this
# host over pf-teleworker on ipsec0.  Together the three conns relay
# 192.168.5.0/24 <-> 10.10.9x.0/24 through this router.
conn stark
left=213.30.205.23
leftnexthop=213.30.205.3
leftsubnet=192.168.5.0/24
right=194.231.29.119
rightsubnet=10.10.98.0/24
auto=add
conn kurz
left=213.30.205.23
leftnexthop=213.30.205.3
leftsubnet=192.168.5.0/24
right=194.231.29.120
rightsubnet=10.10.94.0/24
auto=add
# meyer: disabled (commented out); would have been a third eth1-side peer
# for 10.10.96.0/24.
#conn meyer
# left=213.30.205.23
# leftnexthop=213.30.205.3
# leftsubnet=192.168.5.0/24
# right=194.231.29.121
# rightsubnet=10.10.96.0/24
# auto=add
# juergen: right=0.0.0.0 leaves the peer address unspecified.
# NOTE(review): confirm this is the intended spelling for a peer with a
# dynamic address (the form FreeS/WAN documents for that is right=%any) and
# that ipsec.secrets carries a matching entry.  With authby=secret and no
# fixed peer address, any host that holds that secret can bring up
# 192.168.170.0/24 <-> 192.168.0.0/16 towards this gateway, so keep that
# secret unique to this peer.  The eroute entry
# "192.168.0.0/16 -> 192.168.170.0/24 => tun0x9659 at 84.56.238.219" suggests
# the peer currently connects from that address.
conn juergen
left=213.30.205.23
leftnexthop=213.30.205.3
leftsubnet=192.168.0.0/16
right=0.0.0.0
rightsubnet=192.168.170.0/24
auto=add
# pf-juergen / pf-juergen-openvpn: eth0-side mirrors that hand 192.168.170.0/24
# (from conn juergen) and 10.11.1.0/24 to the peer 192.168.151.97.
conn pf-juergen
left=192.168.151.97
leftnexthop=192.168.151.1
leftsubnet=192.168.0.0/16
right=192.168.153.99
rightnexthop=192.168.153.1
rightsubnet=192.168.170.0/24
auto=start
conn pf-juergen-openvpn
left=192.168.151.97
leftnexthop=192.168.151.1
leftsubnet=192.168.0.0/16
right=192.168.153.99
rightnexthop=192.168.153.1
rightsubnet=10.11.1.0/24
auto=start
# leonberg-pforzheim: eth0-side mirror for 192.168.27.0/24 (which arrives
# over leo-pf on ipsec1).  keylife=60m overrides the default lifetime for
# this conn only.
conn leonberg-pforzheim
left=192.168.151.97
leftsubnet=192.168.0.0/255.255.0.0
leftnexthop=192.168.151.1
right=192.168.153.99
rightnexthop=192.168.153.1
rightsubnet=192.168.27.0/24
auto=start
keylife=60m
# leo-pf / leo-pf10: eth1-side peer 194.231.29.121 serving 192.168.27.0/24,
# reachable from 192.168.0.0/16 and from 10.0.0.0/8 respectively.
# NOTE(review): the /16 selectors used on the eth0 side (leftsubnet=192.168.0.0/16
# in pf-juergen, leonberg-pforzheim and dhp-*) contain the /24s served by the
# eth1 conns, so a packet such as 192.168.170.99 -> 192.168.27.1 may match
# both "192.168.0.0/16 -> 192.168.27.0/24 => tun0x9474 at 194.231.29.121"
# (the wanted eroute) and
# "192.168.170.0/24 -> 192.168.0.0/16 => tun0x9507 at 192.168.151.97".
# Which of the two KLIPS selects is worth checking (watch the eroute packet
# counters while pinging) before assuming the routing table is at fault.
conn leo-pf
left=213.30.205.23
leftsubnet=192.168.0.0/255.255.0.0
leftnexthop=213.30.205.3
right=194.231.29.121
rightnexthop=194.231.190.1
rightsubnet=192.168.27.0/255.255.255.0
auto=start
conn leo-pf10
left=213.30.205.23
leftsubnet=10.0.0.0/255.0.0.0
leftnexthop=213.30.205.3
right=194.231.29.121
rightsubnet=192.168.27.0/255.255.255.0
rightnexthop=194.231.190.1
auto=start
# bwnet200-pf / bwnet172-pf: eth1-side peer 217.146.142.98 serving
# 192.168.200.0/24 and 172.16.0.0/24.
conn bwnet200-pf
left=213.30.205.23
leftsubnet=192.168.0.0/255.255.0.0
leftnexthop=213.30.205.3
right=217.146.142.98
rightnexthop=217.146.142.97
rightsubnet=192.168.200.0/255.255.255.0
auto=start
conn bwnet172-pf
left=213.30.205.23
leftsubnet=192.168.0.0/255.255.0.0
leftnexthop=213.30.205.3
right=217.146.142.98
rightnexthop=217.146.142.97
rightsubnet=172.16.0.0/255.255.255.0
auto=start
# dhp-bwnet172 / dhp-bwnet200: eth0-side mirrors of the two bwnet conns.
# auth=esp / authby=secret repeat what %default already sets.
conn dhp-bwnet172
left=192.168.151.97
leftnexthop=192.168.151.1
leftsubnet=192.168.0.0/16
right=192.168.153.99
rightnexthop=192.168.153.1
rightsubnet=172.16.0.0/24
auto=start
auth=esp
authby=secret
conn dhp-bwnet200
left=192.168.151.97
leftnexthop=192.168.151.1
leftsubnet=192.168.0.0/16
right=192.168.153.99
rightnexthop=192.168.153.1
rightsubnet=192.168.200.0/24
auto=start
auth=esp
authby=secret
# The built-in policy-group conns (see policygroups.html above) are all
# set to auto=ignore, i.e. opportunistic encryption is switched off and
# only the explicit conns above carry traffic.
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
Any more ideas? Can you see any mistakes in the config?
Thanks!
Joern