[Openswan Users] problem with tunnel and roadwarrior connections simultaneously

David david at claror.net
Wed May 23 05:45:03 EDT 2007


Hi to all.

First of all, sorry for my English; it is not
my native language.

I have to ask for some advice, because I'm not able
to set up this configuration properly.

I've built 3 tunnels with Openswan, which have worked well
for a couple of years (I started using FreeS/WAN 1).
They are Net-to-Net connections (using RSA keys).

I've set up a roadwarrior using PSK as Jacco describes at
http://www.jacco2.dds.nl/networking/freeswan-l2tp.html
(the roadwarrior is a Windows XP machine using l2tpd over IPsec).
The roadwarrior connects without NAT-T from the internet to
VPN Server A.



     LAN A                  |------------ VPN server B-----LAN B
      |                     |
      |                     |
 VPN server A ---------- internet ------- VPN server C-----LAN C
            |                 |
            --------------|   |   
                          |   |
                          |   |------------ VPN server D-----LAN D
                          |  
                          |  
                          |  
                          |Roadwarriors   




The roadwarrior connects without problems to VPN Server A, it validates
the user against Active Directory, and, once connected, can ping all of the hosts
in LANs A, B, C and D.

The problem is:
When the roadwarrior is connected, I cannot ping
from VPN Server A to the rest of the VPN servers (B, C, D),
but LAN A CAN ping B, C, D and the roadwarrior.

The strange thing is that when the roadwarrior disconnects,
the ping from VPN Server A works perfectly!
I have observed this behaviour by doing a ping
from VPN Server A to VPN Server B, and then connecting
and disconnecting the roadwarrior.
During the time the roadwarrior is connected, the ping stops responding.

I think it is not a firewall issue, because I set iptables
to accept all (even without masquerading or SNAT) and the
behaviour is the same.

I also think it is not a matter of l2tpd, because if I stop it,
while the roadwarrior tries to negotiate L2TP the ping from
VPN Server A does not work, until the roadwarrior reaches its timeout.


Maybe I haven't configured vhost on rightsubnet in L2TP-PSK?

I don't know what to test. Any suggestions?

Many thanks to all in advance.

My configuration is as follows:

VPN Server A has two DSL links with a public IP assigned to each.


The routing table, when roadwarrior is connected:

172.16.0.240  0.0.0.0 255.255.255.255 UH  0 0  0 ppp0 *(the roadwarrior)
213.98.xx/26 dev eth0  proto kernel  scope link  src 213.98.xx
80.39.xxx/26 dev eth2  proto kernel  scope link  src 80.39.xxx
172.16.2.0/24 dev eth0  scope link  src 172.16.0.22
172.16.3.0/24 dev eth0  scope link  src 172.16.0.22
172.16.0.0/24 dev eth1  proto kernel  scope link  src 172.16.0.22
172.16.1.0/24 dev eth0  scope link  src 172.16.0.22
default
        nexthop via 213.98.xxx  dev eth0 weight 1
        nexthop via 80.39.xxx  dev eth2 weight 4

More detailed routing table:
+ ip rule list
0:    from all lookup local
10:    from 213.98.xx lookup adsl
10:    from 213.98.xx lookup adsl
11:    from 80.39.xx lookup adsl2
11:    from 80.39.xx lookup adsl2
32766:    from all lookup main
32767:    from all lookup default

ip route list table adsl
213.98.xx/26 dev eth0  scope link  src 213.98.xx
172.16.0.0/24 dev eth1  scope link  src 172.16.0.22
127.0.0.0/8 dev lo  scope link
default via 213.98.xx dev eth0

ip route list table adsl2
80.39.xx dev eth2  scope link  src 80.39.xx
172.16.0.0/24 dev eth1  scope link  src 172.16.0.22
127.0.0.0/8 dev lo  scope link
default via 80.39.xx dev eth2



IPsec configuration:
#< /etc/ipsec.conf 1
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.
# basic configuration
version 2.0
config setup
    interfaces=%defaultroute
    nat_traversal=yes

conn NET A-NET B
    also=default
    also=default-adsl
    right=217.126.xx
    rightid=217.126.xx
    rightsubnet=172.16.1.0/24
    rightsourceip=172.16.1.22
    # RSA 2048 bits   sserver   Thu Oct  3 08:36:13 2002
    rightrsasigkey=[keyid AQNcHG1W9]
    auto=start
# the rest of the tunnels are similar, changing the RSA key, public IP and subnet.

# this is to eventually switch the tunnels to go out via
# one or the other ADSL
conn default-adsl
    left=213.98.164.100
    leftid=213.98.164.100
    leftnexthop=213.98.164.65

conn default
    type=tunnel
    compress=no
    disablearrivalcheck=yes
    keylife=30m
    ikelifetime=5h
    rekeymargin=3m
    # RSA authentication with keys from DNS.
    authby=rsasig
    leftsourceip=172.16.0.22
    leftsubnet=172.16.0.0/24
    # RSA 2048 bits   xserver   Fri Jan  4 08:30:00 2002
    leftrsasigkey=[keyid AQNyNac++]

conn L2TP-PSK
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    left=213.98.164.100
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    auto=add



An extract of ipsec barf with the state of the tunnels:

000 "LAN A-LAN D": 172.16.0.0/24===213.98.xx---213.98.xx...213.98.xx===172.16.3.0/24; erouted; eroute owner: #4
000 "LAN A-LAN D":     srcip=172.16.0.22; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "LAN A-LAN D":   ike_life: 18000s; ipsec_life: 1800s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0
000 "LAN A-LAN D":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK+UP; prio: 24,24; interface: eth0;
000 "LAN A-LAN D":   newest ISAKMP SA: #1; newest IPsec SA: #4;
000 "LAN A-LAN D":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "LAN A-LAN C": 172.16.0.0/24===213.98.xx---213.98.xx...80.35.xx===172.16.2.0/24; erouted; eroute owner: #8
000 "LAN A-LAN C":     srcip=172.16.0.22; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "LAN A-LAN C":   ike_life: 18000s; ipsec_life: 1800s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0
000 "LAN A-LAN C":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK+UP; prio: 24,24; interface: eth0;
000 "LAN A-LAN C":   newest ISAKMP SA: #3; newest IPsec SA: #8;
000 "LAN A-LAN C":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "LAN A-LAN B": 172.16.0.0/24===213.98.xx---213.98.xx...217.126.xx===172.16.1.0/24; erouted; eroute owner: #6
000 "LAN A-LAN B":     srcip=172.16.0.22; dstip=172.16.1.22; srcup=ipsec _updown; dstup=ipsec _updown;
000 "LAN A-LAN B":   ike_life: 18000s; ipsec_life: 1800s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0
000 "LAN A-LAN B":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK+UP; prio: 24,24; interface: eth0;
000 "LAN A-LAN B":   newest ISAKMP SA: #2; newest IPsec SA: #6;
000 "LAN A-LAN B":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "L2TP-PSK": 213.98.xx:17/1701...%any:17/%any; unrouted; eroute owner: #0
000 "L2TP-PSK":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "L2TP-PSK":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-PSK":   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,32; interface: eth0;
000 "L2TP-PSK":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP-PSK"[1]: 213.98.xx:17/1701...80.29.xx:17/1701; erouted; eroute owner: #11
000 "L2TP-PSK"[1]:     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "L2TP-PSK"[1]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-PSK"[1]:   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,32; interface: eth0;
000 "L2TP-PSK"[1]:   newest ISAKMP SA: #9; newest IPsec SA: #11;
000 "L2TP-PSK"[1]:   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP2048
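The `ipsec auto --status` records quoted above (the same ones ipsec barf collects) can be checked mechanically instead of by eye. The Python script below is an added example, not part of the original post: it parses records in that shape (a constructed sample in which RFC 5737 documentation addresses stand in for the poster's masked ones), lists which conns actually hold an eroute together with a live IPsec SA, and reports which erouted selector would claim a packet sent from the gateway with a given source and destination, which is the question behind the ping test described in the post. The helper names are the example's own.

```python
import ipaddress
import re
# Constructed sample in the shape of `ipsec auto --status` output: the poster's
# records with RFC 5737 documentation addresses in place of the real ones.
STATUS = """\
000 "LAN A-LAN B": 172.16.0.0/24===203.0.113.10---203.0.113.1...198.51.100.7===172.16.1.0/24; erouted; eroute owner: #6
000 "LAN A-LAN B":   newest ISAKMP SA: #2; newest IPsec SA: #6;
000 "L2TP-PSK": 203.0.113.10:17/1701...%any:17/%any; unrouted; eroute owner: #0
000 "L2TP-PSK":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP-PSK"[1]: 203.0.113.10:17/1701...198.51.100.200:17/1701; erouted; eroute owner: #11
000 "L2TP-PSK"[1]:   newest ISAKMP SA: #9; newest IPsec SA: #11;
"""

HEAD = re.compile(r'^000 "(?P<name>[^"]+)"(?P<inst>\[\d+\])?:\s+(?P<rest>.*)$')
SEL = re.compile(r'^(?P<left>\S+)\.\.\.(?P<right>\S+?); (?P<state>erouted|unrouted); eroute owner: #(?P<owner>\d+)')
SAS = re.compile(r'newest ISAKMP SA: #(?P<isakmp>\d+); newest IPsec SA: #(?P<ipsec>\d+)')

def _client_net(side: str, left: bool) -> ipaddress.IPv4Network:
    """Reduce one side of a selector to its client network: the subnet before the
    first '===' (left) or after the last one (right); a bare host:proto/port is a /32."""
    parts = side.split('===')
    host = (parts[0] if left else parts[-1]).split(':')[0]
    return ipaddress.ip_network('0.0.0.0/0' if host == '%any' else host, strict=False)

def parse_status(text: str) -> dict:
    """Map 'conn' or 'conn[n]' to its selectors, eroute state and newest SA numbers."""
    conns = {}
    for line in text.splitlines():
        m = HEAD.match(line)
        if not m:
            continue
        c = conns.setdefault(m['name'] + (m['inst'] or ''), {})
        if s := SEL.match(m['rest']):
            c.update(left=_client_net(s['left'], True), right=_client_net(s['right'], False),
                     state=s['state'], owner=int(s['owner']))
        elif s := SAS.search(m['rest']):
            c.update(isakmp=int(s['isakmp']), ipsec=int(s['ipsec']))
    return conns

def established(conns: dict) -> list:
    """Conns that both hold an eroute and have a live IPsec SA (template conns with SA #0 are excluded)."""
    return sorted(k for k, c in conns.items() if c.get('state') == 'erouted' and c.get('ipsec', 0) > 0)

def eroutes_for(conns: dict, src: str, dst: str) -> list:
    """Erouted conns whose selectors would claim a packet src->dst sent from the gateway,
    e.g. a ping from VPN server A with a LAN source address or with its public address."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return sorted(k for k, c in conns.items()
                  if c.get('state') == 'erouted' and s in c['left'] and d in c['right'])
```

Feed it the real status output and compare the answer for the gateway's own source address (LAN side versus public side) with and without the roadwarrior connected; a ping that matches no eroute leaves the gateway in the clear.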
