[Openswan Users]
Phillip T. George
phillip at eacsi.com
Sat Jul 22 21:47:07 CEST 2006
Greg,
What interface is tcpdump monitoring? What other arguments are you
using when you run tcpdump?
Also...routing tables from both sides would be useful...
-Phillip
Greg Scott wrote:
> I must be missing something basic here. I am trying to set up a simple tunnel
> with 2 subnets. Here is the scenario below. Apologies if an emailer
> somewhere along the line butchers the line wrapping.
>
> Roseville (Left)                                     Lakeville (Right)
>
>               Left Firewall <----Internet----> Right Firewall
> 10.13.1.0/24  eth1       eth0                  eth0             eth1        10.15.1.0/24
>               10.13.1.1  71.216.115.33         209.130.212.154  10.15.1.75
>
> The left firewall and right firewall are running fc5 with the netkey
> stack and kernel 2.6.17.2 from kernel.org.
>
> When I watch /var/log/secure on both systems, I see a series of
> messages, ending with messages like this:
>
> Jul 22 18:17:02 lakeville-fw pluto[5492]: "Roseville-Lakeville" #5:
> transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Jul 22 18:17:02 lakeville-fw pluto[5492]: "Roseville-Lakeville" #5:
> STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xad5f74c3}
>
> This tells me the SA is established between the subnets, so
> communication between the two subnets should go over the tunnel. But
> that's not what happens. When a host in either subnet tries to ping the
> other side, tcpdump on the sending firewall tells me the packets route
> in the clear out across the Internet. I should see esp messages going
> to/from the other subnet. But instead, I see icmp echo request messages
> coming from the sending subnet. Yuck!
>
> I must be missing a simple setup step but I don't see it.
>
> Here is ipsec.conf I am using, along with the included files and my conn
> definition. I like the way fc5 packages these config files, except that
> it isn't working for me:
>
> [root at lakeville-fw gregs]#
> [root at lakeville-fw gregs]# cd /etc
> [root at lakeville-fw etc]# more ipsec.conf
> # /etc/ipsec.conf - Openswan IPsec configuration file
> #
> # Manual: ipsec.conf.5
> #
> # Please place your own config files in /etc/ipsec.d/ ending in .conf
>
> version 2.0     # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>         # Debug-logging controls: "none" for (almost) none, "all" for lots.
>         # klipsdebug=none
>         # plutodebug="control parsing"
>         nat_traversal=yes
>
> include /etc/ipsec.d/*.conf
> [root at lakeville-fw etc]#
> [root at lakeville-fw etc]# ls /etc/ipsec.d
> examples  hostkey.secrets  no_oe.conf  policies  Roseville-Lakeville.conf
> [root at lakeville-fw etc]#
> [root at lakeville-fw etc]# more ipsec.d/no_oe.conf
> # 'include' this file to disable Opportunistic Encryption.
> # See /usr/share/doc/openswan/policygroups.html for details.
> #
> # RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
> conn block
>         auto=ignore
>
> conn private
>         auto=ignore
>
> conn private-or-clear
>         auto=ignore
>
> conn clear-or-private
>         auto=ignore
>
> conn clear
>         auto=ignore
>
> conn packetdefault
>         auto=ignore
> [root at lakeville-fw etc]#
> [root at lakeville-fw etc]# more ipsec.d/Roseville-Lakeville.conf
> # /etc/ipsec.d/Lakeville-Roseville.conf - IPsec configuration file for this connection.
> # The HOME office in Lakeville is always on the right. ("Make yerself RIGHT at home!",
> # while the other branch stores have LEFT home.)
> #
> # Openswan bundled with fc5 - see the include directive from /etc/ipsec.conf.
> #
> # Here are some useful commands:
> #
> # /usr/sbin/ipsec showhostkey --file /etc/ipsec.d/hostkey.secrets --right
> # /usr/sbin/ipsec showhostkey --file /etc/ipsec.d/hostkey.secrets --left
> #
> # /usr/sbin/ipsec showhostkey --file /etc/ipsec.d/hostkey.secrets --right > rightkey.txt
> #
> # Show this host's public key in a format suitable to insert into
> # ipsec.conf. This host can be either the left or right key.
> #
> # /usr/sbin/ipsec auto --down london-farout
> # Brings down the tunnel named london-farout
> #
> # /usr/sbin/ipsec auto --up london-farout
> # Brings up the tunnel named london-farout
> #
> # /usr/local/sbin/ipsec look
> # To observe all kinds of stuff about the IPSEC tunnels
> #
> # /usr/local/sbin/ipsec showhostkey > junk.tmp
> # Generates a DNS key record into the file junk.tmp for later
> # insertion into a DNS zone file
> #
> # These were some equivalent commands under prior versions of Open S/WAN
> # /usr/sbin/ipsec showhostkey --left
> # /usr/sbin/ipsec showhostkey --right
> # /usr/sbin/ipsec showhostkey --left > junk.tmp
> #
>
> version 2.0     # conforms to second version of ipsec.conf specification
>
> # basic configuration
>
> conn Roseville-Lakeville
>         left=71.216.115.33
>         leftsubnet=10.15.1.0/24
>         leftnexthop=71.216.115.38
>         leftid=@roseville.local
>         # RSA 2192 bits   roseville-fw   Thu Jul 20 18:47:26 2006
>         leftrsasigkey=0sAQPHZAiDY....
>         #
>         # Right security gateway, subnet behind it, next hop toward left.
>         right=209.130.212.154
>         rightsubnet=10.13.1.0/24
>         rightnexthop=209.130.212.153
>         rightid=@lakeville.local
>         # RSA 2192 bits   lakeville-fw   Wed Jul 19 21:09:32 2006
>         rightrsasigkey=0sAQNb9diw....
>         #
>         auto=start
>
> [root at lakeville-fw etc]#
>
> This is what ipsec verify tells me:
>
> [root at lakeville-fw etc]# /usr/sbin/ipsec verify
> Checking your system to see if IPsec got installed and started
> correctly:
> Version check and ipsec on-path [OK]
> Linux Openswan U2.4.4/K2.6.17.2fw21 (netkey)
> Checking for IPsec support in kernel [OK]
> Checking for RSA private key (/etc/ipsec.secrets) [FAILED]
> hostname: Unknown host
> ipsec showhostkey: no default key in "/etc/ipsec.secrets"
> Checking that pluto is running [OK]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking NAT and MASQUERADEing
> Checking for 'ip' command [OK]
> Checking for 'iptables' command [OK]
> Checking for 'setkey' command for NETKEY IPsec stack support [OK]
> Opportunistic Encryption Support [DISABLED]
> [root at lakeville-fw etc]#
>
> It says the RSA private key failed - but it isn't really a failure
> because of the way fc5 packages ipsec.secrets, like this:
> [root at lakeville-fw etc]#
> [root at lakeville-fw etc]# more /etc/ipsec.secrets
> include /etc/ipsec.d/*.secrets
> [root at lakeville-fw etc]#
>
> And I know the RSA keys are good because I establish an SA. I must be
> missing a simple setup someplace - but what??
>
> Thanks for any advice.
>
> - Greg Scott
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
>
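The conn block and the diagram in the quoted message disagree about which LAN sits behind which gateway: the diagram puts 10.13.1.0/24 behind the left (Roseville) firewall, while the conn sets leftsubnet=10.15.1.0/24. On the netkey stack that kind of selector swap gives exactly the reported symptom, because both peers agree on the (swapped) selectors so the SA comes up, yet the outbound policy never matches a real LAN-to-LAN packet and the kernel forwards it unencrypted. The check below is an added example, not code from the thread or from Openswan; it parses the conn as posted and compares it against the topology drawn in the diagram, which is transcribed here by hand.

```python
import ipaddress
import re

# The conn block as posted in the thread (keys and nexthops omitted, as they do not affect selectors).
CONN_TEXT = """
conn Roseville-Lakeville
        left=71.216.115.33
        leftsubnet=10.15.1.0/24
        right=209.130.212.154
        rightsubnet=10.13.1.0/24
        auto=start
"""

# Which LAN sits behind which gateway, transcribed from the poster's diagram (constructed here).
LAN_BEHIND = {
    "71.216.115.33": ipaddress.ip_network("10.13.1.0/24"),    # Roseville, the left firewall
    "209.130.212.154": ipaddress.ip_network("10.15.1.0/24"),  # Lakeville, the right firewall
}

def parse_conns(text):
    """Parse ipsec.conf 'conn' sections into {name: {key: value}}; '#' comments are stripped."""
    conns, name = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            name = m.group(1)
            conns[name] = {}
        elif name and "=" in line:
            key, val = line.split("=", 1)
            conns[name][key.strip()] = val.strip()
    return conns

def selector_mismatches(conn, lan_behind):
    """List (side, configured subnet, actual LAN) for each side whose subnet is not the LAN behind it."""
    bad = []
    for side in ("left", "right"):
        gw, sub = conn.get(side), conn.get(side + "subnet")
        if gw in lan_behind and sub and ipaddress.ip_network(sub) != lan_behind[gw]:
            bad.append((side, sub, str(lan_behind[gw])))
    return bad

def tunnel_policy_covers(conn, side, src, dst):
    """Does the outbound policy Openswan installs on gateway `side` match src->dst? (No match = clear text.)"""
    other = "right" if side == "left" else "left"
    return (ipaddress.ip_address(src) in ipaddress.ip_network(conn[side + "subnet"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(conn[other + "subnet"]))
```

On the posted conn the check flags both sides and reports that a ping from 10.13.1.x to 10.15.1.75 is not covered on the left gateway; with the two subnets exchanged it reports no mismatch and the packet is covered.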