[Openswan Users] Roadwarrior unable to ping beyond Gateway

Mike.Peters at mfs.misys.co.uk Mike.Peters at mfs.misys.co.uk
Mon Mar 13 17:28:49 CET 2006 

Hi,

I'm trying to set up an OpenSwan - OpenSwan roadwarrior connection:

192.168.1.2	Roadwarrior
       |
82.X.X.21	NAT Router
       |
Internet
       |
81.X.X.133	Router
       |
81.X.X.135	IpSec Gateway (External IP address)
2.3.2.9		IpSec Gateway (Internal IP address)
       |
2.0.0.0/8	LAN

Currently I can establish the connection and ping the gateway's LAN IP address but no further. The ipsec.conf files for the roadwarrior and router are as follows:

**************************************
# Roadwarrior:
config setup
   klipsdebug=all
   plutodebug=all
   nat_traversal=yes
   virtual_private=%v4:192.168.1.0/24

conn road
  left=%defaultroute
  leftid=@rw1.myvpn
  leftsubnet=192.168.1.0/24
  leftrsasigkey=0s - Left public key
  right=81.X.X.135
  rightid=@sg1.myvpn
  rightsubnet=2.0.0.0/8
  rightnexthop=81.X.X.133
  rightrsasigkey=0s - Right public key
  auto=add
  authby=rsasig
*******************************************

*******************************************
# Gateway
config setup
  klipsdebug=all
  plutodebug=all
  nat_traversal=yes

conn %default
  keyingtries=3
  compress=yes
  disablearrivalcheck=no
  ikelifetime=20m
  keylife=1h

conn road
  forceencaps=yes
  left=0.0.0.0
  leftid=@rw1.myvpn
  leftsubnet=192.168.1.0/24
  rightrsasigkey=0s - Right Public key
  right=81.X.X.135
  rightid=@sg1.myvpn
  rightsubnet=2.0.0.0/8
  leftrsasigkey=0s - Left public key
  auto=add
  authby=rsasig
  leftnexthop=81.X.X.133
  rightnexthop=2.4.2.4
********************************************

ipsec verify shows, on the roadwarrior:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.5rc5/K2.6.14.6 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]

and on the gateway:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                         [OK]
Linux Openswan U2.2.0/K2.6.11.4-21.11-smp (native)
Checking for IPsec support in kernel                                    [OK]
Checking for RSA private key (/etc/ipsec.secrets)                       [OK]
Checking that pluto is running                                          [OK]
Two or more interfaces found, checking IP forwarding                    [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                               [OK]
Checking for 'iptables' command                                         [OK]
Checking for 'curl' command for CRL fetching                            [OK]
Checking for 'setkey' command for native IPsec stack support            [OK]

tcpdump on the gateway shows pings to the internal network arriving but not getting any further (I can't see them leaving eth1 on the LAN side) but, as mentioned I can ping the LAN side of the gateway:

13:43:47.492842 IP 82.X.X.21 > 81.X.X.135: ESP(spi=0x11941194,seq=0x8c0000)
13:43:47.492842 IP 192.168.1.2 > 2.6.4.3: icmp 64: echo request seq 1
13:43:47.492842 IP 192.168.1.2 > 2.6.4.3: icmp 64: echo request seq 1
13:43:48.505737 IP 82.X.X.21 > 81.X.X.135: ESP(spi=0x11941194,seq=0x8c0000)
13:43:48.505737 IP 192.168.1.2 > 2.6.4.3: icmp 64: echo request seq 2
13:43:48.505737 IP 192.168.1.2 > 2.6.4.3: icmp 64: echo request seq 2
13:43:49.506640 IP 82.X.X.21 > 81.X.X.135: ESP(spi=0x11941194,seq=0x8c0000)
13:43:49.506640 IP 192.168.1.2 > 2.6.4.3: icmp 64: echo request seq 3
13:43:49.506640 IP 192.168.1.2 > 2.6.4.3: icmp 64: echo request seq 3
13:43:49.937455 IP 82.X.X.21.4500 > 81.X.X.135.4500: UDP, length: 1
13:43:49.953568 IP 82.X.X.21.4500 > 81.X.X.135.4500: UDP, length: 384
13:43:50.506544 IP 82.X.X.21 > 81.X.X.135: ESP(spi=0x11941194,seq=0x8c0000)
13:43:50.506544 IP 192.168.1.2 > 2.6.4.3: icmp 64: echo request seq 4
13:43:50.506544 IP 192.168.1.2 > 2.6.4.3: icmp 64: echo request seq 4
13:43:51.505948 IP 82.X.X.21 > 81.X.X.135: ESP(spi=0x11941194,seq=0x8c0000)
13:43:51.505948 IP 192.168.1.2 > 2.6.4.3: icmp 64: echo request seq 5
13:43:51.505948 IP 192.168.1.2 > 2.6.4.3: icmp 64: echo request seq 5
13:43:53.761322 IP 82.X.X.21 > 81.X.X.135: ESP(spi=0x11941194,seq=0x8c0000)
13:43:53.761322 IP 192.168.1.2 > 2.3.2.9: icmp 64: echo request seq 1
13:43:53.761322 IP 192.168.1.2 > 2.3.2.9: icmp 64: echo request seq 1
13:43:53.761436 IP 81.X.X.135.4500 > 82.X.X.21.4500: UDP, length: 132
13:43:54.766098 IP 82.X.X.21 > 81.X.X.135: ESP(spi=0x11941194,seq=0x8c0000)
13:43:54.766098 IP 192.168.1.2 > 2.3.2.9: icmp 64: echo request seq 2
13:43:54.766098 IP 192.168.1.2 > 2.3.2.9: icmp 64: echo request seq 2
13:43:54.766191 IP 81.X.X.135.4500 > 82.X.X.21.4500: UDP, length: 132
13:43:55.769748 IP 82.X.X.21 > 81.X.X.135: ESP(spi=0x11941194,seq=0x8c0000)
13:43:55.769748 IP 192.168.1.2 > 2.3.2.9: icmp 64: echo request seq 3
13:43:55.769748 IP 192.168.1.2 > 2.3.2.9: icmp 64: echo request seq 3
13:43:55.769830 IP 81.X.X.135.4500 > 82.X.X.21.4500: UDP, length: 132
13:43:55.954605 IP 81.X.X.135.4500 > 82.X.X.21.4500: UDP, length: 1
13:43:56.773650 IP 82.X.X.21 > 81.X.X.135: ESP(spi=0x11941194,seq=0x8c0000)
13:43:56.773650 IP 192.168.1.2 > 2.3.2.9: icmp 64: echo request seq 4
13:43:56.773650 IP 192.168.1.2 > 2.3.2.9: icmp 64: echo request seq 4
13:43:56.773740 IP 81.X.X.135.4500 > 82.X.X.21.4500: UDP, length: 132

route -n on the gateway gives:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
81.X.X.132  0.0.0.0         255.255.255.248 U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
2.0.0.0         0.0.0.0         255.0.0.0       U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         81.X.X.134  0.0.0.0         UG    0      0        0 eth0

I guess I'm missing something simple (at least I hope so). Can anyone give me an idea where I'm going wrong with this configuration.

Thanks in advance.

Mike Peters

This message is intended for the named recipient only and may be privileged and/or confidential.  If you are not the intended or named recipient or have received this email in error then you should not copy forward or disclose it to any other persons.  If you have received this email in error you should destroy it and contact the sender so that we may take appropriate action.   The views and opinions expressed in this email may not represent the views and opinions of Misys plc or any of its subsidiaries and are made without prejudice and subject to contract.  The Company Reserves the right to intercept and review all email communications.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20060313/62598675/attachment-0001.htm

More information about the Users mailing list