[Openswan Users]

Phillip T. George phillip at eacsi.com
Sat Jul 22 21:47:07 CEST 2006


Greg,

What interface is tcpdump monitoring?  What other arguments are you
using when you run tcpdump?

Also...routing tables from both sides would be useful...

-Phillip

Greg Scott wrote:
> I must be missing something basic here.  I am trying to set up a simple tunnel
> with 2 subnets.  Here is the scenario below.  Apologies if an emailer
> somewhere along the line butchers the line wrapping. 
>
>                 Roseville (Left)                         Lakeville (Right)
>                 Left Firewall  <-Internet--> Right Firewall
> 10.13.1.0/24    eth1       eth0             eth0             eth1      10.15.1.0/24
>                 10.13.1.1  71.216.115.33    209.130.212.154  10.15.1.75
>
> The left firewall and right firewall are running fc5 with the netkey
> stack and kernel 2.6.17.2 from kernel.org.  
>
> When I watch /var/log/secure on both systems, I see a series of
> messages, ending with messages like this:
>
> Jul 22 18:17:02 lakeville-fw pluto[5492]: "Roseville-Lakeville" #5:
> transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Jul 22 18:17:02 lakeville-fw pluto[5492]: "Roseville-Lakeville" #5:
> STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xad5f74c3}
>
> This tells me the SA is established between the subnets, so
> communication between the two subnets should go over the tunnel.  But
> that's not what happens.  When a host in either subnet tries to ping the
> other side, tcpdump on the sending firewall tells me the packets route
> in the clear out across the Internet.  I should see esp messages going
> to/from the other subnet.  But instead, I see icmp echo request messages
> coming from the sending subnet.  Yuck!
>
> I must be missing a simple setup step but I don't see it.  
>
> Here is ipsec.conf I am using, along with the included files and my conn
> definition.  I like the way fc5 packages these config files, except that
> it isn't working for me:
>
> [root at lakeville-fw gregs]# 
> [root at lakeville-fw gregs]# cd /etc
> [root at lakeville-fw etc]# more ipsec.conf
> # /etc/ipsec.conf - Openswan IPsec configuration file
> #
> # Manual:     ipsec.conf.5
> #
> # Please place your own config files in /etc/ipsec.d/ ending in .conf
>
> version 2.0     # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>         # klipsdebug=none
>         # plutodebug="control parsing"
>         nat_traversal=yes
>
> include /etc/ipsec.d/*.conf
> [root at lakeville-fw etc]# 
> [root at lakeville-fw etc]# 
> [root at lakeville-fw etc]# 
> [root at lakeville-fw etc]# ls /etc/ipsec.d
> examples  hostkey.secrets  no_oe.conf  policies
> Roseville-Lakeville.conf
> [root at lakeville-fw etc]# 
> [root at lakeville-fw etc]# 
> [root at lakeville-fw etc]# more ipsec.d/no_oe.conf
> # 'include' this file to disable Opportunistic Encryption.
> # See /usr/share/doc/openswan/policygroups.html for details.
> #
> # RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
> conn block 
>     auto=ignore
>
> conn private 
>     auto=ignore
>
> conn private-or-clear 
>     auto=ignore
>
> conn clear-or-private 
>     auto=ignore
>
> conn clear 
>     auto=ignore
>
> conn packetdefault 
>     auto=ignore
> [root at lakeville-fw etc]# 
> [root at lakeville-fw etc]# 
> [root at lakeville-fw etc]# more ipsec.d/Roseville-Lakeville.conf
> # /etc/ipsec.d/Lakeville-Roseville.conf - IPsec configuration file for this connection.
> # The HOME office in Lakeville is always on the right.  ("Make yerself RIGHT at home!",
> # while the other branch stores have LEFT home.)
> #
> # Openswan bundled with fc5 - see the include directive from /etc/ipsec.conf.
> #
> #       Here are some useful commands:
> #
> #       /usr/sbin/ipsec showhostkey --file /etc/ipsec.d/hostkey.secrets --right
> #       /usr/sbin/ipsec showhostkey --file /etc/ipsec.d/hostkey.secrets --left
> #
> #       /usr/sbin/ipsec showhostkey --file /etc/ipsec.d/hostkey.secrets --right > rightkey.txt
> #       Show this host's public key in a format suitable to insert into 
> #       ipsec.conf.  This host can be either the left or right key.
> #
> #       /usr/sbin/ipsec auto --down london-farout
> #       Brings down the tunnel named london-farout
> #
> #       /usr/sbin/ipsec auto --up london-farout
> #       Brings up the tunnel named london-farout
> #
> #       /usr/local/sbin/ipsec look
> #       To observe all kinds of stuff about the IPSEC tunnels
> #
> #       /usr/local/sbin/ipsec showhostkey > junk.tmp
> #       Generates a DNS key record into the file junk.tmp for later 
> #       insertion into a DNS zone file
> #
> #       These were some equivalent commands under prior versions of OpenS/WAN
> #       /usr/sbin/ipsec showhostkey --left
> #       /usr/sbin/ipsec showhostkey --right
> #       /usr/sbin/ipsec showhostkey --left > junk.tmp
> #
>
> version 2.0     # conforms to second version of ipsec.conf specification
>
> # basic configuration
>
> conn Roseville-Lakeville
>         left=71.216.115.33
>         leftsubnet=10.15.1.0/24
>         leftnexthop=71.216.115.38
>         leftid=@roseville.local
>         # RSA 2192 bits   roseville-fw   Thu Jul 20 18:47:26 2006
>         leftrsasigkey=0sAQPHZAiDY....
>         #
>         # Right security gateway, subnet behind it, next hop toward left.
>         right=209.130.212.154
>         rightsubnet=10.13.1.0/24
>         rightnexthop=209.130.212.153
>         rightid=@lakeville.local
>         # RSA 2192 bits   lakeville-fw   Wed Jul 19 21:09:32 2006
>         rightrsasigkey=0sAQNb9diw....
>         #
>         auto=start
>
> [root at lakeville-fw etc]# 
>
> This is what ipsec verify tells me:
>
> [root at lakeville-fw etc]# /usr/sbin/ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan U2.4.4/K2.6.17.2fw21 (netkey)
> Checking for IPsec support in kernel                            [OK]
> Checking for RSA private key (/etc/ipsec.secrets)               [FAILED]
> hostname: Unknown host
> ipsec showhostkey: no default key in "/etc/ipsec.secrets"
> Checking that pluto is running                                  [OK]
> Two or more interfaces found, checking IP forwarding            [OK]
> Checking NAT and MASQUERADEing                              
> Checking for 'ip' command                                       [OK]
> Checking for 'iptables' command                                 [OK]
> Checking for 'setkey' command for NETKEY IPsec stack support    [OK]
> Opportunistic Encryption Support                                [DISABLED]
> [root at lakeville-fw etc]# 
>
> It says the RSA private key failed - but it isn't really a failure
> because of the way fc5 packages ipsec.secrets, like this:
> [root at lakeville-fw etc]# 
> [root at lakeville-fw etc]# more /etc/ipsec.secrets
> include /etc/ipsec.d/*.secrets
> [root at lakeville-fw etc]# 
>
> And I know the RSA keys are good because I establish an SA.  I must be
> missing a simple setup someplace - but what??
>
> Thanks for any advice.  
>
> - Greg Scott
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n(3155
>   
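Added example (mine, not code from this thread or from Openswan): on the netkey stack, the SA coming up only proves that IKE agreed on the subnets written in the conn; the kernel policy that actually diverts traffic into ESP is keyed on those same subnets, so a subnet declared behind the wrong gateway gives exactly the symptom above, an established SA and pings leaving in the clear. The script parses a conn block as posted and a gateway's `ip route` output, works out which end of the conn that host is, and reports when the subnet declared behind that end is not a network directly connected to it. The routing tables are constructed samples: the /24s, gateway addresses and nexthops are the ones in Greg's post, the external /29 prefixes are assumed. Run with the conn as posted, it flags both firewalls; with leftsubnet and rightsubnet exchanged, it reports both as consistent.

```python
"""Added example (not from this thread or from Openswan): check an Openswan
conn against each gateway's own routing table.  On netkey a conn installs
kernel policies for leftsubnet <-> rightsubnet; if the subnet declared behind
a gateway is not the one connected to it, IKE still completes (SA established)
but LAN-to-LAN traffic matches no policy and is forwarded in the clear.
Conn text is the one posted (RSA keys omitted).  Routing tables are CONSTRUCTED
`ip route` samples: internal /24s, gateway addresses and nexthops come from the
post, the external /29 prefixes are assumed for illustration.
"""
import ipaddress
import re

CONN_AS_POSTED = """
conn Roseville-Lakeville
        left=71.216.115.33
        leftsubnet=10.15.1.0/24
        leftnexthop=71.216.115.38
        leftid=@roseville.local
        right=209.130.212.154
        rightsubnet=10.13.1.0/24
        rightnexthop=209.130.212.153
        rightid=@lakeville.local
        auto=start
"""
# Constructed `ip route` output, Lakeville (home office, 'right') firewall.
LAKEVILLE_ROUTES = """
209.130.212.152/29 dev eth0  proto kernel  scope link  src 209.130.212.154
10.15.1.0/24 dev eth1  proto kernel  scope link  src 10.15.1.75
default via 209.130.212.153 dev eth0
"""
# Constructed `ip route` output, Roseville (branch, 'left') firewall.
ROSEVILLE_ROUTES = """
71.216.115.32/29 dev eth0  proto kernel  scope link  src 71.216.115.33
10.13.1.0/24 dev eth1  proto kernel  scope link  src 10.13.1.1
default via 71.216.115.38 dev eth0
"""

def parse_conn(text):
    """Parse 'conn NAME' blocks into {name: {key: value}}; comments dropped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            conns[current][key.strip()] = value.strip()
    return conns

def connected_networks(route_text):
    """Directly connected prefixes from `ip route` output (no 'via', no default)."""
    nets = []
    for line in route_text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "default" or "via" in parts:
            continue
        nets.append(ipaddress.ip_network(parts[0], strict=False))
    return nets

def local_side(conn, nets):
    """Which end of the conn is this host?  The end whose gateway address
    (left= / right=) lies on one of its connected networks, else None."""
    for side in ("left", "right"):
        addr = ipaddress.ip_address(conn[side])
        if any(addr in net for net in nets):
            return side
    return None

def audit(conn, route_text):
    """Return (side, findings).  Empty findings: the subnet declared behind
    this host is really one of its connected networks."""
    nets = connected_networks(route_text)
    side = local_side(conn, nets)
    if side is None:
        return None, ["neither left= nor right= is an address of this host"]
    declared = ipaddress.ip_network(conn[side + "subnet"], strict=False)
    if declared in nets:
        return side, []
    return side, [f"{side}subnet={declared} is not connected to this host; "
                  f"connected subnets: {[str(n) for n in nets]}"]

if __name__ == "__main__":
    conn = parse_conn(CONN_AS_POSTED)["Roseville-Lakeville"]
    # Same conn with the two subnets exchanged, for comparison.
    swapped = dict(conn, leftsubnet=conn["rightsubnet"], rightsubnet=conn["leftsubnet"])
    for host, routes in (("lakeville-fw", LAKEVILLE_ROUTES), ("roseville-fw", ROSEVILLE_ROUTES)):
        for label, c in (("as posted", conn), ("subnets swapped", swapped)):
            print(host, label, audit(c, routes))
```

On a live box the same check is `ip route` on each firewall next to `ip xfrm policy` (or `setkey -DP`): the policy's src/dst selectors must be the LAN prefixes that are actually connected behind each gateway, otherwise the forwarded LAN packets never hit the ESP policy, which is what an unencrypted ICMP echo on the outside interface in tcpdump is telling you.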