[Openswan Users] Clients in the right network are OK but packets from rightserver misroute

Peter McGill petermcgill at goco.net
Wed Feb 7 08:54:43 EST 2007


> -----Original Message-----
> Date: Wed, 07 Feb 2007 10:11:24 -0200
> From: Augusto Pizarro <augusto.pizarro at siemconsub.com.br>
> Subject: [Openswan Users] Clients in the right network are OK but
>          packets from rightserver misroute
> To: users at openswan.org
> 
> The machines are not in production and the internet is emulated by
> another linux box with only ip_forward = 1.
> 
> Right Network      Right Server                             Left Server                 Left Network
> 10.210.21.0 ---- 10.210.21.1 / 192.168.200.100 ---(internet)--- 200.178.78.1 / 10.20.10.60 ---- 10.20.0.0
>                  eth1          eth0                             eth0           eth1
>               
> Any network test from the Right Clients to the Left Network is OK.
> Any test directly from the Right Server to the Left Network is NOT OK.
> 
> IN SHORT: The Right clients are OK but the Right server itself ISN'T!!!
> Really stupid!!
> 
> The IPSEC tunnel is OK, the packets are encrypted between the eth0's,
> but only if they come from the Right Network Clients.
> Another piece of information: the Left Server can ping the Right Server,
> but only if we do a "ping 10.210.21.1 -I eth1".
> 
> In IPTRAF I can see "ICMP dest unrch from 10.210.21.1 to
> 10.210.21.1 on lo" on the Right Server when trying to ping the Left
> Server.
> 
> Maybe I have to create another tunnel just for the traffic from the
> server to the Left Network.

Yes you need to add more tunnels, or use left/rightsourceip.

On older versions of openswan for full connectivity you need 4 tunnels.
Left LAN/Net to Right LAN/Net
Left Server to Right Server
Left Server to Right LAN/Net
Left LAN/Net to Right Server

However on the newer versions this is no longer necessary.
I'm not sure which version it started with, but it's in 2.4.7 for sure.
Set up Left LAN/Net to Right LAN/Net, then add:
leftsourceip=<left server public ip>
rightsourceip=<right server public ip>

Peter

> ------------------------------
> Date: Wed, 07 Feb 2007 11:36:17 -0200
> From: Augusto Pizarro <augusto.pizarro at siemconsub.com.br>
> Subject: Re: [Openswan Users] Clients in the right network are OK but
>          packets from rightserver misroute
> To: users at openswan.org
> 
> That I realize, but what route?
> 
> I have everything to 10.20.0.0 routed to ipsec0. Here are my routes on
> the Right Server:
> 
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 10.210.21.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 192.168.200.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 10.20.0.0       0.0.0.0         255.255.0.0     U     0      0        0 ipsec0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         192.168.200.200 0.0.0.0         UG    0      0        0 eth0
> 
> I had a "192.168.200.0  0.0.0.0  255.255.255.0 ipsec0" route but I ripped it
> out to test.
> I also tried to change the "leftnexthop" and "rightnexthop", with no
> effect.
> 
> This server (the Right Server) will have Qmail, Squid and other
> services that MUST communicate directly with servers inside the Left
> Network, and it's imperative that the traffic be secure.
> 
> On Wed, 2007-02-07 at 11:12, Fernando Blankleder wrote:
> 
> > Hi. Ping packets originated from the server are going out from lo, not
> > eth1, and the tunnel only encrypts packets coming from eth1.
> > You need to add a route.

Wrong, you cannot manually add routes to the openswan ipsecX interfaces,
it will not work. You must add a tunnel configuration, then openswan will
automatically create an appropriate route. Do not manually alter the routes.

Peter
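What the sourceip approach Peter recommends looks like in ipsec.conf, as an added example that is not part of this thread or of the openswan distribution. It reuses the addresses from Augusto's diagram; the right server's nexthop is taken from the default route in his routing table, the left server's gateway is not given in the thread and is left out, and authby=secret is an assumption (a PSK in ipsec.secrets). The sourceip on each side is the server's inside interface address, which falls inside the subnet declared for that side, so locally generated packets match the same net-to-net policy that already works for the LAN clients. Peter notes this needs a version with sourceip support (2.4.7 or later).

```ini
# Added example config, not from the thread. One net-to-net conn with a
# sourceip on both ends, in place of the four separate conns that older
# openswan versions needed for server-to-net and server-to-server traffic.
conn rightnet-leftnet
    type=tunnel
    authby=secret                  # assumption: PSK in ipsec.secrets
    # Right server: eth0 192.168.200.100 (outside), eth1 10.210.21.1 (inside)
    right=192.168.200.100
    rightnexthop=192.168.200.200   # default gateway from the right server's routing table
    rightsubnet=10.210.21.0/24
    rightsourceip=10.210.21.1      # inside address, within rightsubnet
    # Left server: eth0 200.178.78.1 (outside), eth1 10.20.10.60 (inside)
    left=200.178.78.1
    # leftnexthop is not set here: the left server's gateway is not given in the thread
    leftsubnet=10.20.0.0/16
    leftsourceip=10.20.10.60       # inside address, within leftsubnet
    auto=start
```

Load it with `ipsec auto --replace rightnet-leftnet` followed by `ipsec auto --up rightnet-leftnet` on both gateways. Openswan's updown script installs the route for the remote subnet itself, so the routing table is left alone, as Peter says. On the right server `ip route get 10.20.10.60` should then show `src 10.210.21.1`, and a plain `ping 10.20.10.60` (no `-I`) should be encrypted on eth0 instead of bouncing off lo as in Augusto's IPTRAF capture.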
