[Openswan Users] Unable to pass traffic on site-to-site VPN
Robyn Orosz
rorosz at gmail.com
Mon Jun 25 17:10:16 EDT 2007
Hi,
I am running into an intermittent issue where no traffic will pass on my
site-to-site VPN. The tunnels are up, but packets that match the subnets in
the proposal do not enter the tunnel.
Below I have replaced the local public IP address with <local-ip> and the
remote public IP address with <remote-ip>.
Here is the ipsec.conf:

version 2.0

config setup
    interfaces="ipsec0=eth0"
    nat_traversal=yes
    virtual_private="%v4:192.168.1.0/24,%v4:192.168.50.0/24"
    hidetos=yes
    syslog=daemon.debug
    plutodebug="all"

conn clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn private-or-clear
    auto=ignore

conn private
    auto=ignore

conn block
    auto=ignore

conn packetdefault
    auto=ignore

conn peer-<remote-ip>-tunnel-44
    left=<local-ip>
    right=<remote-ip>
    leftsubnet=192.168.44.0/24
    rightsubnet=192.168.50.0/24
    ike=3des-sha1-modp1536
    ikelifetime=28800s
    aggrmode=no
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=clear
    esp=3des-sha1
    keylife=3600s
    rekeymargin=540s
    type=tunnel
    pfs=yes
    compress=no
    authby=secret
    auto=start

conn peer-<remote-ip>-tunnel-441
    left=<local-ip>
    right=<remote-ip>
    leftsubnet=192.168.44.0/24
    rightsubnet=192.168.1.0/24
    ike=3des-sha1-modp1536
    ikelifetime=28800s
    aggrmode=no
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=clear
    esp=3des-sha1
    keylife=3600s
    rekeymargin=540s
    type=tunnel
    pfs=yes
    compress=no
    authby=secret
    auto=start
setkey -D output:

R1:/var/log# setkey -D
<local-ip> <remote-ip>
    esp mode=tunnel spi=2048910691(0x7a1fe563) reqid=16389(0x00004005)
    E: 3des-cbc 9d7be258 3b9ff24c 7b5d6794 affdf8f4 e161eeba 8095bdbd
    A: hmac-sha1 9a328e65 917521ad 4b404e3f 67b9389b d93a075b
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: Jun 25 15:33:23 2007 current: Jun 25 15:57:03 2007
    diff: 1420(s) hard: 0(s) soft: 0(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=1 pid=6498 refcnt=0
<remote-ip> <local-ip>
    esp mode=tunnel spi=522862167(0x1f2a3e57) reqid=16389(0x00004005)
    E: 3des-cbc c0c4e0a1 757745f6 20021b18 79ee0dd1 1db8aad8 ca5a1206
    A: hmac-sha1 55d5b3e1 bd4ae006 0d573af1 ab74cb32 42447b18
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: Jun 25 15:33:23 2007 current: Jun 25 15:57:03 2007
    diff: 1420(s) hard: 0(s) soft: 0(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=2 pid=6498 refcnt=0
<local-ip> <remote-ip>
    esp mode=tunnel spi=3379750229(0xc972e555) reqid=16385(0x00004001)
    E: 3des-cbc 3118fe5e 1adf9eaf af96692e 299df671 c28b1d06 da25ece4
    A: hmac-sha1 5ae06280 cd83c245 fdbc20a5 63246d8e cf53a197
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: Jun 25 15:43:36 2007 current: Jun 25 15:57:03 2007
    diff: 807(s) hard: 0(s) soft: 0(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=3 pid=6498 refcnt=0
<remote-ip> <local-ip>
    esp mode=tunnel spi=4117748431(0xf56fdacf) reqid=16385(0x00004001)
    E: 3des-cbc e6e79257 b017a44a ee6b513d a4594fd8 b4b85eb9 0f016f52
    A: hmac-sha1 e6b5fd1e 4f2896a1 16293525 63516858 84755db0
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: Jun 25 15:43:36 2007 current: Jun 25 15:57:03 2007
    diff: 807(s) hard: 0(s) soft: 0(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=0 pid=6498 refcnt=0
There are also 2 masquerade rules that are supposed to masquerade all other
traffic that is not destined for the tunnel. They seem to be working fine.
Internet traffic passes without issues.
157  8715 MASQUERADE  0    --  any    eth0    192.168.44.0/24    !192.168.50.0/24
 45  4092 MASQUERADE  0    --  any    eth0    192.168.44.0/24    !192.168.1.0/24
Ping to google:

R1:/var/log# ping -I eth1 www.google.com
PING www.l.google.com (64.233.167.147) from 192.168.44.254 eth1: 56(84) bytes of data.
64 bytes from py-in-f147.google.com (64.233.167.147): icmp_seq=1 ttl=244 time=36.1 ms
64 bytes from py-in-f147.google.com (64.233.167.147): icmp_seq=2 ttl=244 time=34.0 ms
64 bytes from py-in-f147.google.com (64.233.167.147): icmp_seq=3 ttl=244 time=34.3 ms
64 bytes from py-in-f147.google.com (64.233.167.147): icmp_seq=4 ttl=244 time=37.9 ms
64 bytes from py-in-f147.google.com (64.233.167.147): icmp_seq=5 ttl=244 time=34.0 ms
Ping to tunnel:

R1:/var/log# ping -I eth1 192.168.50.5
PING 192.168.50.5 (192.168.50.5) from 192.168.44.254 eth1: 56(84) bytes of data.
From <local-ip> icmp_seq=1 Destination Host Unreachable
From <local-ip> icmp_seq=2 Destination Host Unreachable
From <local-ip> icmp_seq=3 Destination Host Unreachable
From <local-ip> icmp_seq=4 Destination Host Unreachable
From <local-ip> icmp_seq=5 Destination Host Unreachable
From <local-ip> icmp_seq=6 Destination Host Unreachable

From the setkey -D output, it appears that no packets are entering the
tunnel. At times, restarting ipsec resolves the issue and everything works
fine.
Config on the other end:

conn peer-tunnel-44
    authby=secret
    ike=3des-sha1-96
    ikelifetime=28800s
    esp=3des-sha1-96
    keylife=3600s
    rekeymargin=540s
    type=tunnel
    right=0.0.0.0
    rightsubnet=192.168.44.0/24
    rightnexthop=%direct
    left=<local-ip>
    leftsubnet=192.168.50.0/24
    leftnexthop=%direct
    auto=add

conn peer-tunnel-441
    authby=secret
    ike=3des-sha1-96
    ikelifetime=28800s
    esp=3des-sha1-96
    keylife=3600s
    rekeymargin=540s
    type=tunnel
    right=0.0.0.0
    rightsubnet=192.168.44.0/24
    rightnexthop=%direct
    left=<local-ip>
    leftsubnet=192.168.1.0/24
    leftnexthop=%direct
    auto=add
Thank you so much for any suggestions you may have regarding this issue.
-Robyn
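Added example, not part of Robyn's post and not Openswan code: a small Python script that parses setkey -D output in the layout shown in the post and turns the "mature SA, zero bytes" observation into a per-tunnel verdict, pairing the outbound and inbound SA of each reqid. The embedded dump is constructed (RFC 5737 addresses stand in for <local-ip>/<remote-ip>, keys are zeroed, and a third tunnel that does carry traffic is added for contrast); the verdict wording and the 300-second idle threshold are this script's own choices.

```python
"""Parse setkey -D output and flag IPsec SAs that are up but carry no traffic.

Added example, not code from the post or from Openswan. SAMPLE_DUMP below is
constructed in the layout setkey -D prints, with RFC 5737 addresses and zeroed
key material in place of real data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

_IP = r"\d{1,3}(?:\.\d{1,3}){3}(?:\[\d+\])?"        # NAT-T SAs print a [port] suffix
ADDR_PAIR = re.compile(rf"^({_IP})\s+({_IP})\s*$")  # "src dst" line opens an SA block
SA_HDR = re.compile(r"^\s*\w+\s+mode=\w+\s+spi=(\d+)\(0x[0-9a-fA-F]+\)\s+reqid=(\d+)")
STATE = re.compile(r"\bstate=(\w+)")
AGE = re.compile(r"^\s*diff:\s*(\d+)\(s\)")            # seconds since the SA was created
BYTES = re.compile(r"^\s*current:\s*(\d+)\(bytes\)")   # bytes carried so far
PACKETS = re.compile(r"^\s*allocated:\s*(\d+)")        # lifetime allocations (packets)


@dataclass
class SA:
    src: str
    dst: str
    spi: int = 0
    reqid: int = 0
    state: str = ""
    age_s: int = 0
    bytes: int = 0
    packets: int = 0


def parse_setkey_dump(text: str) -> List[SA]:
    """One SA record per address-pair block of setkey -D output."""
    sas: List[SA] = []
    cur: Optional[SA] = None
    for line in text.splitlines():
        if (m := ADDR_PAIR.match(line)):
            # drop any [port] so the address compares cleanly with local_ip
            cur = SA(src=m.group(1).split("[")[0], dst=m.group(2).split("[")[0])
            sas.append(cur)
        elif cur is None:
            continue
        elif (m := SA_HDR.match(line)):
            cur.spi, cur.reqid = int(m.group(1)), int(m.group(2))
        elif (m := STATE.search(line)):
            cur.state = m.group(1)
        elif (m := AGE.match(line)):
            cur.age_s = int(m.group(1))
        elif (m := BYTES.match(line)):
            cur.bytes = int(m.group(1))
        elif (m := PACKETS.match(line)):
            cur.packets = int(m.group(1))
    return sas


def idle_sas(sas: List[SA], min_age_s: int = 300) -> List[SA]:
    """Mature SAs older than min_age_s that have never carried a byte."""
    return [s for s in sas if s.state == "mature" and s.age_s >= min_age_s and s.bytes == 0]


def diagnose(text: str, local_ip: str, min_age_s: int = 300) -> Dict[int, str]:
    """Per-tunnel verdict keyed by reqid, from the outbound/inbound SA pair."""
    pairs: Dict[int, Dict[str, SA]] = {}
    for s in parse_setkey_dump(text):
        pairs.setdefault(s.reqid, {})["out" if s.src == local_ip else "in"] = s
    verdicts: Dict[int, str] = {}
    for reqid, p in sorted(pairs.items()):
        out, inn = p.get("out"), p.get("in")
        if out is None or inn is None:
            verdicts[reqid] = "half-open: only one direction has an SA"
        elif max(out.age_s, inn.age_s) < min_age_s:
            verdicts[reqid] = "too new to judge"
        elif out.bytes == 0 and inn.bytes == 0:
            verdicts[reqid] = "up but idle both ways: nothing selects this tunnel (check SPD/eroute, routes, NAT exemption)"
        elif out.bytes == 0:
            verdicts[reqid] = "receiving only: local side is not routing into the tunnel"
        elif inn.bytes == 0:
            verdicts[reqid] = "sending only: no replies come back through the tunnel"
        else:
            verdicts[reqid] = "passing traffic"
    return verdicts


def _sa_block(src, dst, spi, reqid, age, nbytes, npkts):
    """Render one constructed SA in the layout setkey -D prints."""
    return (f"{src} {dst}\n"
            f"\tesp mode=tunnel spi={spi}(0x{spi:08x}) reqid={reqid}(0x{reqid:08x})\n"
            "\tE: 3des-cbc 00000000 00000000 00000000 00000000 00000000 00000000\n"
            "\tA: hmac-sha1 00000000 00000000 00000000 00000000 00000000\n"
            "\tseq=0x00000000 replay=32 flags=0x00000000 state=mature\n"
            "\tcreated: Jun 25 15:33:23 2007\tcurrent: Jun 25 15:57:03 2007\n"
            f"\tdiff: {age}(s)\thard: 0(s)\tsoft: 0(s)\n"
            "\tlast:\t\thard: 0(s)\tsoft: 0(s)\n"
            f"\tcurrent: {nbytes}(bytes)\thard: 0(bytes)\tsoft: 0(bytes)\n"
            f"\tallocated: {npkts}\thard: 0\tsoft: 0\n"
            "\tsadb_seq=0 pid=6498 refcnt=0\n")


LOCAL, REMOTE = "198.51.100.1", "203.0.113.1"   # constructed stand-ins for <local-ip>/<remote-ip>
SAMPLE_DUMP = "".join([
    _sa_block(LOCAL, REMOTE, 0x7a1fe563, 16389, 1420, 0, 0),      # idle, as in the post
    _sa_block(REMOTE, LOCAL, 0x1f2a3e57, 16389, 1420, 0, 0),
    _sa_block(LOCAL, REMOTE, 0xc972e555, 16385, 807, 0, 0),       # idle, as in the post
    _sa_block(REMOTE, LOCAL, 0xf56fdacf, 16385, 807, 0, 0),
    _sa_block(LOCAL, REMOTE, 0x0badcafe, 16393, 900, 15640, 112), # constructed healthy tunnel
    _sa_block(REMOTE, LOCAL, 0x0badbeef, 16393, 900, 12480, 98),
])

if __name__ == "__main__":
    for reqid, verdict in diagnose(SAMPLE_DUMP, LOCAL).items():
        print(f"reqid {reqid}: {verdict}")
```

On a live box, feed it the real dump with something like diagnose(subprocess.check_output(["setkey", "-D"], text=True), "<local-ip>"). A tunnel reported "up but idle both ways" means the SAs negotiated fine and the problem sits in front of them: whatever selects packets into the tunnel (the SPD or eroute), the route that delivers 192.168.50.0/24 traffic to the IPsec path, or a NAT rule that rewrites the source before the policy lookup.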