[Openswan Users] Unable to pass traffic on site-to-site VPN

Robyn Orosz rorosz at gmail.com
Mon Jun 25 17:10:16 EDT 2007


Hi,

I am running into an intermittent issue where no traffic will pass on my
site-to-site VPN. The tunnels are up but packets that match the subnets in
the proposal do not enter the tunnel.

Below I have replaced the local public IP address with <local-ip> and the
remote public IP address with <remote-ip>.

Here is the ipsec.conf:



version 2.0

config setup
        interfaces="ipsec0=eth0"
        nat_traversal=yes
        virtual_private="%v4:192.168.1.0/24,%v4:192.168.50.0/24"
        hidetos=yes
        syslog=daemon.debug
        plutodebug="all"

conn clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn private-or-clear
        auto=ignore

conn private
        auto=ignore

conn block
        auto=ignore

conn packetdefault
        auto=ignore

conn peer-<remoteIP>-tunnel-44
        left=<localIP>
        right=<remoteIP>
        leftsubnet=192.168.44.0/24
        rightsubnet=192.168.50.0/24
        ike=3des-sha1-modp1536
        ikelifetime=28800s
        aggrmode=no
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=clear
        esp=3des-sha1
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        pfs=yes
        compress=no
        authby=secret
        auto=start

conn peer-<remote-ip>-tunnel-441
        left=<local-ip>
        right=<remote-ip>
        leftsubnet=192.168.44.0/24
        rightsubnet=192.168.1.0/24
        ike=3des-sha1-modp1536
        ikelifetime=28800s
        aggrmode=no
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=clear
        esp=3des-sha1
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        pfs=yes
        compress=no
        authby=secret
        auto=start



setkey -D output:



R1:/var/log# setkey -D
<local-ip> <remote-ip>
        esp mode=tunnel spi=2048910691(0x7a1fe563) reqid=16389(0x00004005)
        E: 3des-cbc  9d7be258 3b9ff24c 7b5d6794 affdf8f4 e161eeba 8095bdbd
        A: hmac-sha1  9a328e65 917521ad 4b404e3f 67b9389b d93a075b
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: Jun 25 15:33:23 2007   current: Jun 25 15:57:03 2007
        diff: 1420(s)   hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=6498 refcnt=0
<remote-ip> <local-ip>
        esp mode=tunnel spi=522862167(0x1f2a3e57) reqid=16389(0x00004005)
        E: 3des-cbc  c0c4e0a1 757745f6 20021b18 79ee0dd1 1db8aad8 ca5a1206
        A: hmac-sha1  55d5b3e1 bd4ae006 0d573af1 ab74cb32 42447b18
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: Jun 25 15:33:23 2007   current: Jun 25 15:57:03 2007
        diff: 1420(s)   hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=2 pid=6498 refcnt=0
<local-ip> <remote-ip>
        esp mode=tunnel spi=3379750229(0xc972e555) reqid=16385(0x00004001)
        E: 3des-cbc  3118fe5e 1adf9eaf af96692e 299df671 c28b1d06 da25ece4
        A: hmac-sha1  5ae06280 cd83c245 fdbc20a5 63246d8e cf53a197
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: Jun 25 15:43:36 2007   current: Jun 25 15:57:03 2007
        diff: 807(s)    hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=3 pid=6498 refcnt=0
<remote-ip> <local-ip>
        esp mode=tunnel spi=4117748431(0xf56fdacf) reqid=16385(0x00004001)
        E: 3des-cbc  e6e79257 b017a44a ee6b513d a4594fd8 b4b85eb9 0f016f52
        A: hmac-sha1  e6b5fd1e 4f2896a1 16293525 63516858 84755db0
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: Jun 25 15:43:36 2007   current: Jun 25 15:57:03 2007
        diff: 807(s)    hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=6498 refcnt=0



There are also 2 masquerade rules that are supposed to masquerade all other
traffic that is not destined for the tunnel. They seem to be working fine.
Internet traffic passes without issues.

   157  8715 MASQUERADE  0    --  any    eth0    192.168.44.0/24    !192.168.50.0/24
    45  4092 MASQUERADE  0    --  any    eth0    192.168.44.0/24    !192.168.1.0/24

Ping to google:

R1:/var/log# ping -I eth1 www.google.com
PING www.l.google.com (64.233.167.147) from 192.168.44.254 eth1: 56(84) bytes of data.
64 bytes from py-in-f147.google.com (64.233.167.147): icmp_seq=1 ttl=244 time=36.1 ms
64 bytes from py-in-f147.google.com (64.233.167.147): icmp_seq=2 ttl=244 time=34.0 ms
64 bytes from py-in-f147.google.com (64.233.167.147): icmp_seq=3 ttl=244 time=34.3 ms
64 bytes from py-in-f147.google.com (64.233.167.147): icmp_seq=4 ttl=244 time=37.9 ms
64 bytes from py-in-f147.google.com (64.233.167.147): icmp_seq=5 ttl=244 time=34.0 ms



Ping to tunnel:

R1:/var/log# ping -I eth1 192.168.50.5
PING 192.168.50.5 (192.168.50.5) from 192.168.44.254 eth1: 56(84) bytes of data.
From <local-ip> icmp_seq=1 Destination Host Unreachable
From <local-ip> icmp_seq=2 Destination Host Unreachable
From <local-ip> icmp_seq=3 Destination Host Unreachable
From <local-ip> icmp_seq=4 Destination Host Unreachable
From <local-ip> icmp_seq=5 Destination Host Unreachable
From <local-ip> icmp_seq=6 Destination Host Unreachable

From the setkey -D output, it appears that no packets are entering the
tunnel. At times, restarting ipsec resolves the issue and everything works
fine.



Config on the other end:

conn peer-tunnel-44
    authby=secret
    ike=3des-sha1-96
    ikelifetime=28800s
    esp=3des-sha1-96
    keylife=3600s
    rekeymargin=540s
    type=tunnel
    right=0.0.0.0
    rightsubnet=192.168.44.0/24
    rightnexthop=%direct
    left=<local-IP>
    leftsubnet=192.168.50.0/24
    leftnexthop=%direct
    auto=add

conn peer-tunnel-441
    authby=secret
    ike=3des-sha1-96
    ikelifetime=28800s
    esp=3des-sha1-96
    keylife=3600s
    rekeymargin=540s
    type=tunnel
    right=0.0.0.0
    rightsubnet=192.168.44.0/24
    rightnexthop=%direct
    left=<local-ip>
    leftsubnet=192.168.1.0/24
    leftnexthop=%direct
    auto=add

Thank you so much for any suggestions you may have regarding this issue.

-Robyn
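As an added example (not part of Robyn's post or of Openswan), the Python below walks constructed packets from the router's LAN through the two MASQUERADE rules quoted above using iptables' first-match semantics, and compares them with an exempt-then-masquerade ordering; with NETKEY the nat table is applied before the IPsec policy lookup, so a source-NATed packet no longer matches leftsubnet, which is why this check is worth running when SAs are up but show 0 bytes. The rule model, the ACCEPT rules and the probe addresses are my own assumptions.

```python
import ipaddress

# Constructed model of a nat/POSTROUTING chain. Each rule is
# (source net, destination net, negate destination, target).
# ACCEPT and MASQUERADE are both terminating in the nat table, so the
# first matching rule decides whether the packet is source-NATed.
POSTED_RULES = [  # the two rules quoted in the post
    ("192.168.44.0/24", "192.168.50.0/24", True, "MASQUERADE"),
    ("192.168.44.0/24", "192.168.1.0/24", True, "MASQUERADE"),
]
EXEMPT_FIRST_RULES = [  # assumed alternative: exempt tunnel subnets, then NAT the rest
    ("192.168.44.0/24", "192.168.50.0/24", False, "ACCEPT"),
    ("192.168.44.0/24", "192.168.1.0/24", False, "ACCEPT"),
    ("192.168.44.0/24", "0.0.0.0/0", False, "MASQUERADE"),
]


def rule_matches(rule, src, dst):
    src_net, dst_net, negate, _target = rule
    src_hit = ipaddress.ip_address(src) in ipaddress.ip_network(src_net)
    dst_hit = ipaddress.ip_address(dst) in ipaddress.ip_network(dst_net)
    # "! -d net" matches when the destination is NOT in net
    return src_hit and (dst_hit != negate)


def nat_verdict(rules, src, dst):
    """Return the target of the first matching rule, or None (chain policy)."""
    for rule in rules:
        if rule_matches(rule, src, dst):
            return rule[3]
    return None


def is_masqueraded(rules, src, dst):
    return nat_verdict(rules, src, dst) == "MASQUERADE"


def tunnel_subnets_hit_by_nat(rules, local_subnet, tunnel_subnets):
    """Tunnel subnets whose first host would be source-NATed (constructed probe)."""
    probe_src = str(ipaddress.ip_network(local_subnet)[1])
    return [net for net in tunnel_subnets
            if is_masqueraded(rules, probe_src, str(ipaddress.ip_network(net)[1]))]


if __name__ == "__main__":
    # 192.168.44.254 is the router's LAN address from the ping output above.
    for dst in ("192.168.50.5", "192.168.1.5", "64.233.167.147"):
        print(dst, nat_verdict(POSTED_RULES, "192.168.44.254", dst),
              nat_verdict(EXEMPT_FIRST_RULES, "192.168.44.254", dst))
```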