[Openswan Users] Interop with Linksys: SA established, but no traffic coming through
Michael Tinsay
tinsami1 at yahoo.com
Tue Dec 4 22:52:14 EST 2007
Here's my setup:
Servers with static public IPs <------> main router (static IP)
A A
| |
| V
+---> Linksys Router (static IP) <--> Internet
A
|
Branch A <--> Linksys Router (static IP) <----+
|
Branch B <--> Linksys Router (static IP) <----+
|
Roadwarrior (gets dynamic public IP) <--------+
All Linksys routers connect the local subnets behind them to the servers via VPN.
The Linksys in the servers' subnet is for VPN traffic.
The roadwarrior is a PC with Ubuntu 7.10 with OpenSWAN 2.4.8 installed. It uses PPP
to gain Internet access using a GPRS/HSDPA modem.
The roadwarrior can connect and establish a tunnel with the servers' Linksys router
(it's an RV042). But no traffic seems to go through the tunnel. It behaves the
same whether the firewall is up or down.
Pinging a server behind the Linksys router gives me 'TTL exceeded' errors, which
makes me suspect the traffic is not going through the tunnel.
I hope somebody can tell me what I'm missing.
Below are some, hopefully, pertinent data. I've replaced static IP addresses with
bogus ones.
Regards.
--- mike t.
Here's my ipsec.conf:
---BEGIN
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.4 2006/07/11 16:17:53 paul Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
interfaces=%defaultroute
# plutodebug / klipsdebug = "all", "none" or a combination from below:
# "raw crypt parsing emitting control klips pfkey natt x509 private"
# eg:
# plutodebug="control parsing"
plutodebug="none"
klipsdebug="none"
#
# Only enable klipsdebug=all if you are a developer
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
# nat_traversal=yes
# virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
#
# enable this if you see "failed to find any available worker"
nhelpers=1
# Add connections here
# We keep with tradition - left = local, right = remote
conn office
#
left=%defaultroute
leftid=@roadie
leftsubnet=192.168.45.0/24
#leftnexthop=%defaultroute
#
right=111.111.111.111
rightsubnet=222.222.222.0/24
#
keyexchange=ike
ikelifetime=480m
keylife=60m
pfs=yes
compress=no
authby=secret
auto=start
aggrmode=yes
ike=3des-md5-modp1536
esp=3des-md5
pfsgroup=modp1536
# sample VPN connections, see /etc/ipsec.d/examples/
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
---END
Here's the output of route -n after the tunnel has been established:
---BEGIN
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.64.64.64     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.45.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
222.222.222.0   0.0.0.0         255.255.255.0   U     0      0        0 ppp0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
---END
ifconfig's (at roadwarrior's end) output:
---BEGIN
eth0      Link encap:Ethernet  HWaddr 00:19:DB:83:C9:15
          inet addr:192.168.45.20  Bcast:192.168.45.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:18 Base address:0xe400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:122.52.36.27  P-t-P:10.64.64.64  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1272  Metric:1
          RX packets:99961 errors:0 dropped:0 overruns:0 frame:0
          TX packets:79733 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:109641293 (104.5 MB)  TX bytes:6484561 (6.1 MB)
---END
and the output of setkey -DP (also at roadwarrior's end):
---BEGIN
222.222.222.0/24[any] 192.168.45.0/24[any] any
	in ipsec
	esp/tunnel/111.111.111.111-122.52.36.27/unique#16385
	created: Dec  5 09:54:32 2007  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=112 seq=1 pid=10457
	refcnt=1
192.168.45.0/24[any] 222.222.222.0/24[any] any
	out ipsec
	esp/tunnel/122.52.36.27-111.111.111.111/unique#16385
	created: Dec  5 09:54:32 2007  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=105 seq=2 pid=10457
	refcnt=1
222.222.222.0/24[any] 192.168.45.0/24[any] any
	fwd ipsec
	esp/tunnel/111.111.111.111-122.52.36.27/unique#16385
	created: Dec  5 09:54:32 2007  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=122 seq=3 pid=10457
	refcnt=1
(per-socket policy)
	in none
	created: Dec  5 09:54:29 2007  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=91 seq=4 pid=10457
	refcnt=1
(per-socket policy)
	in none
	created: Dec  5 09:54:29 2007  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=75 seq=5 pid=10457
	refcnt=1
(per-socket policy)
	in none
	created: Dec  5 09:54:29 2007  lastused: Dec  5 10:18:24 2007
	lifetime: 0(s) validtime: 0(s)
	spid=59 seq=6 pid=10457
	refcnt=1
(per-socket policy)
	out none
	created: Dec  5 09:54:29 2007  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=100 seq=7 pid=10457
	refcnt=1
(per-socket policy)
	out none
	created: Dec  5 09:54:29 2007  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=84 seq=8 pid=10457
	refcnt=1
(per-socket policy)
	out none
	created: Dec  5 09:54:29 2007  lastused: Dec  5 10:18:24 2007
	lifetime: 0(s) validtime: 0(s)
	spid=68 seq=0 pid=10457
	refcnt=1
---END
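Editor's note: the ipsec.conf, `setkey -DP` and `route -n` output quoted in the post together are enough to cross-check what the roadwarrior's kernel will actually do with a packet bound for the remote subnet. The script below is an added example (not part of the post and not Openswan code) that parses abbreviated, constructed copies of those three outputs embedded in the block, confirms that the in/out/fwd SPD entries match `leftsubnet`/`rightsubnet`, that the tunnel endpoints match `right=` and the address of the egress interface, and then applies the one check that is easy to miss with the native (NETKEY) stack: a packet generated on the host itself takes the source address of the interface that routes it, and if that address lies outside `leftsubnet` it never matches the `out` policy and leaves in the clear. All function names and the `LOCAL_ADDRS` table are the example's own; the addresses are the bogus ones from the post.

```python
import ipaddress
import re

# Constructed sample inputs, abbreviated from the post (same bogus addresses).
IPSEC_CONF = """\
conn office
    left=%defaultroute
    leftsubnet=192.168.45.0/24
    right=111.111.111.111
    rightsubnet=222.222.222.0/24
    auto=start
"""
SETKEY_DP = """\
222.222.222.0/24[any] 192.168.45.0/24[any] any
    in ipsec
    esp/tunnel/111.111.111.111-122.52.36.27/unique#16385
    spid=112 seq=1 pid=10457
192.168.45.0/24[any] 222.222.222.0/24[any] any
    out ipsec
    esp/tunnel/122.52.36.27-111.111.111.111/unique#16385
    spid=105 seq=2 pid=10457
222.222.222.0/24[any] 192.168.45.0/24[any] any
    fwd ipsec
    esp/tunnel/111.111.111.111-122.52.36.27/unique#16385
    spid=122 seq=3 pid=10457
(per-socket policy)
    in none
    spid=91 seq=4 pid=10457
"""
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.64.64.64     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.45.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
222.222.222.0   0.0.0.0         255.255.255.0   U     0      0        0 ppp0
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
"""
# Interface addresses taken from the post's ifconfig output (hypothetical table name).
LOCAL_ADDRS = {"eth0": "192.168.45.20", "ppp0": "122.52.36.27"}

POLICY_RE = re.compile(r"^(\S+)\[\S*\] (\S+)\[\S*\] (\S+)$")
TUNNEL_RE = re.compile(r"esp/tunnel/([^/-]+)-([^/-]+)/")


def parse_conn(text, name):
    """Return the key=value settings of one 'conn' section of ipsec.conf (comments stripped)."""
    settings, active = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            active = line.split()[1] == name
        elif active and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def parse_spd(text):
    """Parse `setkey -DP` into dicts: src, dst, dir (in/out/fwd), mode (ipsec/none), tunnel ends."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m or line == "(per-socket policy)":
            cur = {"src": m.group(1) if m else None, "dst": m.group(2) if m else None,
                   "dir": None, "mode": None, "tun_src": None, "tun_dst": None}
            policies.append(cur)
        elif cur is not None:
            parts = line.split()
            if len(parts) == 2 and parts[0] in ("in", "out", "fwd") and cur["dir"] is None:
                cur["dir"], cur["mode"] = parts
            t = TUNNEL_RE.match(line)
            if t:
                cur["tun_src"], cur["tun_dst"] = t.group(1), t.group(2)
    return policies


def parse_routes(text):
    """Parse `route -n` into (network, iface) pairs; header lines fail to parse and are skipped."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8:
            continue
        try:
            routes.append((ipaddress.ip_network(f"{f[0]}/{f[2]}"), f[7]))
        except ValueError:
            continue
    return routes


def route_iface(routes, dest):
    """Longest-prefix lookup, as the kernel does it: which interface carries traffic to dest?"""
    target = ipaddress.ip_network(dest, strict=False)
    best = None
    for net, iface in routes:
        if target.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def check_tunnel(conn, policies, routes, local_addrs):
    """Cross-check one conn against the kernel SPD and routing table; return a list of findings."""
    findings = []
    ls, rs, right = conn["leftsubnet"], conn["rightsubnet"], conn["right"]
    # 1. A subnet-to-subnet conn needs all three policies: out, in and fwd.
    want = {("out", ls, rs), ("in", rs, ls), ("fwd", rs, ls)}
    have = {(p["dir"], p["src"], p["dst"]) for p in policies if p["mode"] == "ipsec"}
    for d, s, dst in sorted(want - have):
        findings.append(f"missing {d} policy {s} -> {dst}")
    # 2. Tunnel endpoints must be right= and our own address on the interface that reaches it.
    egress = route_iface(routes, right)
    local_ip = local_addrs.get(egress)
    for p in policies:
        if p["mode"] != "ipsec":
            continue
        ours, theirs = ((p["tun_src"], p["tun_dst"]) if p["dir"] == "out"
                        else (p["tun_dst"], p["tun_src"]))
        if theirs != right:
            findings.append(f"{p['dir']} policy tunnels to {theirs}, but right={right}")
        if ours != local_ip:
            findings.append(f"{p['dir']} policy local endpoint {ours} is not the {egress} address")
    # 3. Host-originated packets source from the routing interface's address; outside
    #    leftsubnet they do not match the out policy and are sent unencrypted.
    via = route_iface(routes, rs)
    src = local_addrs.get(via) if via else None
    if via is None:
        findings.append(f"no route to {rs}")
    elif src and ipaddress.ip_address(src) not in ipaddress.ip_network(ls):
        findings.append(f"packets from this host to {rs} source from {src} ({via}), outside "
                        f"leftsubnet {ls}, so they do not match the out policy")
    return findings


if __name__ == "__main__":
    result = check_tunnel(parse_conn(IPSEC_CONF, "office"), parse_spd(SETKEY_DP),
                          parse_routes(ROUTE_N), LOCAL_ADDRS)
    print("\n".join(result) or "SPD, routes and conf are consistent")
```

Run against the post's own data the SPD and routes check out, and the only finding is the third one: a ping sent from the roadwarrior itself goes out with the ppp0 address 122.52.36.27 as source, which is not inside 192.168.45.0/24, so it cannot match the `out` policy. Sending the test traffic from an address inside `leftsubnet` (or watching the ppp0 link for ESP versus plain ICMP) separates that case from a genuine tunnel fault.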