[Openswan Users] lan2lan setup on vmware
Wappie MD
omight at gmail.com
Thu Mar 15 09:45:42 EDT 2007
Hey there,
I want to use ipsec lan2lan in a vmware setup.
1) I have the following: 4 centos clients in three virtual 'host only' networks.
4 (192.168.182.128 eth0) - 3 (192.168.182.129 eth0) network 1
3 (192.168.131.128 eth1) - 2 (192.168.131.129 eth0) network 2
2 (192.168.75.129 eth1) - 1 (192.168.75.128 eth0) network 3
So the tunnel should look like:
client ]-[ peer ::::::::::::: peer ]-[ client
192.168.182.128 ]-[ 192.168.131.128 ::::::::::::: 192.168.131.129 ]-[ 192.168.75.128
04 centos ]-[ 03 centos ::::::::::::: 02 centos ]-[ 01 centos
What I do is start ipsec on 2 and 3.
I have to add default routes on all 4 machines:
the default routes are always the host of the 4 vmware machines.
4 192.168.182.1
3 192.168.131.1
2 192.168.131.1
1 192.168.75.1
All 4 machines are able to ping their default gateway. Except that when
ipsec is started on 2 and 3, they can no longer ping any .1 machine they
could ping while ipsec was stopped.
Then I let 4 ping 1
and I read the tcpdump on machines 1, 2 and 3.
2) The problem is that I never get any icmp replies from machine 1.
Also I'm wondering if the setup I use is correct. The ipsec.conf and
ipsec.secrets on machines 2 and 3 are exactly the same.
I have flushed iptables and have set all iptables policies to ACCEPT.
The ipsec version is:
Linux Openswan U2.3.0/K2.6.9-42.ELsmp (netkey) on
CentOS 4.4 32 bit.
LOG of 01centos
###############
[01cent at localhost vmware]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.75.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
[01cent at localhost vmware]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:E1:E3:01
inet addr:192.168.75.128 Bcast:192.168.75.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fee1:e301/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3 errors:0 dropped:0 overruns:0 frame:0
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:645 (645.0 b) TX bytes:936 (936.0 b)
Interrupt:177 Base address:0x1400
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:560 (560.0 b) TX bytes:560 (560.0 b)
[01cent at localhost vmware]# ping -c 1 192.168.75.129
PING 192.168.75.129 (192.168.75.129) 56(84) bytes of data.
64 bytes from 192.168.75.129: icmp_seq=0 ttl=64 time=10.8 ms
--- 192.168.75.129 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 10.842/10.842/10.842/0.000 ms, pipe 2
[01cent at localhost vmware]# route add default gw 192.168.75.129
[01cent at localhost vmware]# tcpdump -i any -n -p
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel
###############
LOG of 02centos
###############
Script started on Sun 04 Mar 2007 05:11:32 PM CET
[02cent at localhost vmware]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.131.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.75.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
[02cent at localhost vmware]# cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
plutodebug="control"
conn %default
compress=no
disablearrivalcheck=no
forceencaps=yes
keylife=8h
keyingtries=5
pfs=no
type=transport
conn testing
left=192.168.131.128
leftsubnet=192.168.182.0/24
right=192.168.131.129
rightsubnet=192.168.75.0/24
#
auto=add
ike=3des-md5
esp=3des-md5
type=tunnel
authby=secret
[02cent at localhost vmware]# cat /etc/ipsec.secrets
# PSK test
192.168.131.128 192.168.131.129: PSK "testing"
[02cent at localhost vmware]# service ipsec start
ipsec_setup: Starting Openswan IPsec 2.3.0...
ipsec_setup: insmod /lib/modules/2.6.9-42.ELsmp/kernel/net/key/af_key.ko
ipsec_setup: insmod /lib/modules/2.6.9-42.ELsmp/kernel/net/ipv4/ah4.ko
ipsec_setup: insmod /lib/modules/2.6.9-42.ELsmp/kernel/net/ipv4/esp4.ko
ipsec_setup: insmod /lib/modules/2.6.9-42.ELsmp/kernel/net/ipv4/ipcomp.ko
ipsec_setup: insmod /lib/modules/2.6.9-42.ELsmp/kernel/net/ipv4/xfrm4_tunnel.ko
ipsec_setup: insmod /lib/modules/2.6.9-42.ELsmp/kernel/crypto/des.ko
ipsec_setup: insmod /lib/modules/2.6.9-42.ELsmp/kernel/crypto/aes.ko
ipsec_setup: no default route, %defaultroute cannot cope!!!
[02cent at localhost vmware]# route add default gw 192.168.131.1
[02cent at localhost vmware]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:77:7C:B1
inet addr:192.168.131.129 Bcast:192.168.131.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe77:7cb1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7 errors:0 dropped:0 overruns:0 frame:0
TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:603 (603.0 b) TX bytes:630 (630.0 b)
Interrupt:177 Base address:0x1400
eth1 Link encap:Ethernet HWaddr 00:0C:29:77:7C:BB
inet addr:192.168.75.129 Bcast:192.168.75.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe77:7cbb/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6 errors:0 dropped:0 overruns:0 frame:0
TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:863 (863.0 b) TX bytes:1118 (1.0 KiB)
Interrupt:185 Base address:0x1480
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:560 (560.0 b) TX bytes:560 (560.0 b)
[02cent at localhost vmware]# ping 192.168.131.128
PING 192.168.131.128 (192.168.131.128) 56(84) bytes of data.
64 bytes from 192.168.131.128: icmp_seq=0 ttl=64 time=6.87 ms
--- 192.168.131.128 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 6.878/6.878/6.878/0.000 ms, pipe 2
[02cent at localhost vmware]# service ipsec start
ipsec_setup: Starting Openswan IPsec 2.3.0...
ipsec_setup: insmod /lib/modules/2.6.9-42.ELsmp/kernel/net/key/af_key.ko
ipsec_setup: insmod /lib/modules/2.6.9-42.ELsmp/kernel/net/ipv4/xfrm4_tunnel.ko
[02cent at localhost vmware]# ipsec auto --up testing
104 "testing" #1: STATE_MAIN_I1: initiate
003 "testing" #1: received Vendor ID payload [Dead Peer Detection]
106 "testing" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "testing" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "testing" #1: STATE_MAIN_I4: ISAKMP SA established
117 "testing" #2: STATE_QUICK_I1: initiate
004 "testing" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP/NAT=>0x54a7fa55 <0x6a0904d3}
[02cent at localhost vmware]# setkey -D
192.168.131.129 192.168.131.128
esp mode=tunnel spi=1420294741(0x54a7fa55) reqid=16401(0x00004011)
E: 3des-cbc 1b422563 a92667f6 0ca6773a 15f89f17 b2431980 6367789d
A: hmac-md5 e17dc9dd a8b654a0 ca180462 2ad2bdeb
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Mar 4 17:15:22 2007 current: Mar 4 17:15:26 2007
diff: 4(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=4390 refcnt=0
192.168.131.128 192.168.131.129
esp mode=tunnel spi=1778975955(0x6a0904d3) reqid=16401(0x00004011)
E: 3des-cbc 742f3b9c 8484e7c8 89e7b78e 41d0949c 1163b71e 3f564f16
A: hmac-md5 e274d3b5 9d84d1ec 98e3596f 2b2100ea
seq=0x00000000 replay=64 flags=0x00000000 state=mature
created: Mar 4 17:15:22 2007 current: Mar 4 17:15:26 2007
diff: 4(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=4390 refcnt=0
[02cent at localhost vmware]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.131.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.182.0 192.168.131.128 255.255.255.0 UG 0 0 0 eth0
192.168.75.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
0.0.0.0 192.168.131.1 128.0.0.0 UG 0 0 0 eth0
128.0.0.0 192.168.131.1 128.0.0.0 UG 0 0 0 eth0
0.0.0.0 192.168.131.1 0.0.0.0 UG 0 0 0 eth0
[02cent at localhost vmware]# tcpdump -i any -n -p
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
17:17:41.280308 arp who-has 192.168.75.254 tell 192.168.75.128
17:17:50.431957 arp who-has 192.168.131.129 tell 192.168.131.128
17:17:50.432776 arp reply 192.168.131.129 is-at 00:0c:29:77:7c:b1
17:17:50.437607 IP 192.168.131.128 > 192.168.131.129: ESP(spi=0x6a0904d3,seq=0x1)
17:17:50.437607 IP 192.168.182.128 > 192.168.75.128: icmp 64: echo request seq 0
17:17:51.274298 IP 192.168.131.128 > 192.168.131.129: ESP(spi=0x6a0904d3,seq=0x2)
17:17:51.274298 IP 192.168.182.128 > 192.168.75.128: icmp 64: echo request seq 1
17:17:52.668517 IP 192.168.131.128 > 192.168.131.129: ESP(spi=0x6a0904d3,seq=0x3)
17:17:52.668517 IP 192.168.182.128 > 192.168.75.128: icmp 64: echo request seq 2
17 packets captured
17 packets received by filter
0 packets dropped by kernel
[02cent at localhost vmware]# tcpdump -i eth0 -n -p
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:18:06.191373 IP 192.168.131.128 > 192.168.131.129: ESP(spi=0x6a0904d3,seq=0x11)
17:18:06.191822 IP 192.168.182.128 > 192.168.75.128: icmp 64: echo request seq 16
17:18:07.386255 IP 192.168.131.128 > 192.168.131.129: ESP(spi=0x6a0904d3,seq=0x12)
17:18:07.386255 IP 192.168.182.128 > 192.168.75.128: icmp 64: echo request seq 17
4 packets captured
4 packets received by filter
0 packets dropped by kernel
[02cent at localhost vmware]# tcpdump -i eth1 -n -p
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel
###############
LOG of 03centos
###############
Script started on Sun 04 Mar 2007 04:28:36 AM CET
[03cent at localhost vmware]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.131.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.182.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
[03cent at localhost vmware]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:2F:D3:00
inet addr:192.168.182.129 Bcast:192.168.182.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe2f:d300/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3 errors:0 dropped:0 overruns:0 frame:0
TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:645 (645.0 b) TX bytes:1114 (1.0 KiB)
Interrupt:177 Base address:0x1400
eth1 Link encap:Ethernet HWaddr 00:0C:29:2F:D3:0A
inet addr:192.168.131.128 Bcast:192.168.131.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe2f:d30a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1 errors:0 dropped:0 overruns:0 frame:0
TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:243 (243.0 b) TX bytes:630 (630.0 b)
Interrupt:185 Base address:0x1480
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:560 (560.0 b) TX bytes:560 (560.0 b)
[03cent at localhost vmware]# service ipsec start
ipsec_setup: Starting Openswan IPsec 2.3.0...
ipsec_setup: insmod /lib/modules/2.6.9-42.ELsmp/kernel/net/key/af_key.ko
ipsec_setup: insmod /lib/modules/2.6.9-42.ELsmp/kernel/net/ipv4/ah4.ko
ipsec_setup: insmod /lib/modules/2.6.9-42.ELsmp/kernel/net/ipv4/esp4.ko
ipsec_setup: insmod /lib/modules/2.6.9-42.ELsmp/kernel/net/ipv4/ipcomp.ko
ipsec_setup: insmod /lib/modules/2.6.9-42.ELsmp/kernel/net/ipv4/xfrm4_tunnel.ko
ipsec_setup: insmod /lib/modules/2.6.9-42.ELsmp/kernel/crypto/des.ko
ipsec_setup: insmod /lib/modules/2.6.9-42.ELsmp/kernel/crypto/aes.ko
ipsec_setup: no default route, %defaultroute cannot cope!!!
[03cent at localhost vmware]# route add default gw 192.168.131.1
[03cent at localhost vmware]# service ipsec start
ipsec_setup: Starting Openswan IPsec 2.3.0...
ipsec_setup: insmod /lib/modules/2.6.9-42.ELsmp/kernel/net/key/af_key.ko
ipsec_setup: insmod /lib/modules/2.6.9-42.ELsmp/kernel/net/ipv4/xfrm4_tunnel.ko
[03cent at localhost vmware]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.131.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.182.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.75.0 192.168.131.129 255.255.255.0 UG 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
0.0.0.0 192.168.131.1 128.0.0.0 UG 0 0 0 eth1
128.0.0.0 192.168.131.1 128.0.0.0 UG 0 0 0 eth1
0.0.0.0 192.168.131.1 0.0.0.0 UG 0 0 0 eth1
[03cent at localhost vmware]# tcpdump -i eth1 -n -p
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
04:35:48.360736 IP 192.168.131.128 > 192.168.131.129: ESP(spi=0x6a0904d3,seq=0x42)
04:35:49.833587 IP 192.168.131.128 > 192.168.131.129: ESP(spi=0x6a0904d3,seq=0x43)
04:35:50.471554 IP 192.168.131.128 > 192.168.131.129: ESP(spi=0x6a0904d3,seq=0x44)
04:35:51.340337 IP 192.168.131.128 > 192.168.131.129: ESP(spi=0x6a0904d3,seq=0x45)
4 packets captured
4 packets received by filter
0 packets dropped by kernel
[03cent at localhost vmware]# tcpdump -i eth0 -n -p
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
04:35:54.331837 IP 192.168.182.128 > 192.168.75.128: icmp 64: echo request seq 71
04:35:55.834055 IP 192.168.182.128 > 192.168.75.128: icmp 64: echo request seq 72
04:35:56.495438 IP 192.168.182.128 > 192.168.75.128: icmp 64: echo request seq 73
3 packets captured
3 packets received by filter
0 packets dropped by kernel
###############
LOG of 04centos
###############
Script started on Wed 07 Feb 2007 02:45:52 AM CET
[04cent at localhost vmware]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.182.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
[04cent at localhost vmware]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:60:AE:4E
inet addr:192.168.182.128 Bcast:192.168.182.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe60:ae4e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3 errors:0 dropped:0 overruns:0 frame:0
TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:645 (645.0 b) TX bytes:938 (938.0 b)
Interrupt:177 Base address:0x1400
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:560 (560.0 b) TX bytes:560 (560.0 b)
[04cent at localhost vmware]# ping 192.168.182.129
PING 192.168.182.129 (192.168.182.129) 56(84) bytes of data.
64 bytes from 192.168.182.129: icmp_seq=0 ttl=64 time=16.0 ms
^X64 bytes from 192.168.182.129: icmp_seq=1 ttl=64 time=1.98 ms
--- 192.168.182.129 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1003ms
rtt min/avg/max/mdev = 1.989/9.023/16.057/7.034 ms, pipe 2
[04cent at localhost vmware]# ping 192.168.75.128
connect: Network is unreachable
[04cent at localhost vmware]# route add default gw 192.168.182.129
[04cent at localhost vmware]# ping 192.168.75.128
PING 192.168.75.128 (192.168.75.128) 56(84) bytes of data.
--- 192.168.75.128 ping statistics ---
102 packets transmitted, 0 received, 100% packet loss, time 101084ms
###############
3) Is this setup analogous to using 4 real machines?
The difference might be that the host that is running the vmware
machines is the gateway (.1) on all 4 networks?
Thanks heaps for any input!
Muha.
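Added here as a reader's example, not part of the post or of Openswan: a small Python parser that reads tcpdump -n lines like the ones 02centos captured and reports the stage at which the LAN-to-LAN traffic stops on a NETKEY gateway (ESP arriving, inner packet decapsulated, inner packet leaving the LAN-side interface). The sample lines are constructed from the captures quoted above; the inner subnet 192.168.75.0/24 and the empty eth1 capture are the post's own values, and the diagnosis strings are my own wording.

```python
import re
from ipaddress import ip_address, ip_network

# Sample lines constructed from the 02centos "tcpdump -i any" output in the post.
CAP_ANY = """\
17:17:50.431957 arp who-has 192.168.131.129 tell 192.168.131.128
17:17:50.437607 IP 192.168.131.128 > 192.168.131.129: ESP(spi=0x6a0904d3,seq=0x1)
17:17:50.437607 IP 192.168.182.128 > 192.168.75.128: icmp 64: echo request seq 0
17:17:51.274298 IP 192.168.131.128 > 192.168.131.129: ESP(spi=0x6a0904d3,seq=0x2)
17:17:51.274298 IP 192.168.182.128 > 192.168.75.128: icmp 64: echo request seq 1
"""
CAP_ETH1 = ""  # the post's "tcpdump -i eth1" on 02centos saw 0 packets

# timestamp IP src > dst: payload   (tcpdump -n, no name resolution)
LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")

def count_stages(capture, inner_subnet):
    """Return (esp_packets, inner_packets_to_lan) seen in one capture.

    On a NETKEY host tcpdump shows the ESP packet and, right after it, the
    decapsulated plaintext packet, so both stages are visible in one capture.
    """
    esp = inner = 0
    lan = ip_network(inner_subnet)
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ARP and other non-IP lines are irrelevant here
        _src, dst, payload = m.groups()
        if payload.startswith("ESP("):
            esp += 1
        elif ip_address(dst) in lan:
            inner += 1
    return esp, inner

def diagnose(cap_any, cap_egress, inner_subnet):
    """Name the first stage of the inbound tunnel path that shows no traffic."""
    esp_in, inner_seen = count_stages(cap_any, inner_subnet)
    _, inner_egress = count_stages(cap_egress, inner_subnet)
    if esp_in == 0:
        return "no ESP from the peer reaches this gateway"
    if inner_seen == 0:
        return "ESP arrives but no inner packets appear (SA or policy mismatch)"
    if inner_egress == 0:
        return "inner packets are decapsulated but never leave the LAN interface"
    return "inbound path is healthy; inspect the return direction"

if __name__ == "__main__":
    print(diagnose(CAP_ANY, CAP_ETH1, "192.168.75.0/24"))
```

For the post's captures the result is the third branch, which points at what happens between decapsulation and eth1 (IP forwarding and the kernel's SPD), something the quoted logs do not show.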