[Openswan Users] Problem with IPsec-Tunnel

Christoph Dietzschold cd at hoerbe.net
Wed May 23 07:15:45 EDT 2007 

Hello,

I have got a Problem connecting two machines via Openswan-IPSec

Linux fw1 2.6.21.1
Linux Openswan U2.4.7/K2.6.21.1 (netkey) and

Linux fw2 2.6.18.2
Linux Openswan U2.4.4/K2.4.6 (klips)


If I am going to send Packets from a host in the subnet behind fw2 the
requests are passed through to a host in the subnet behing fw1.

Vice versa it is not possible to reach a host behind fw2 from a host
behind fw1. The packages are not send through the tunnel I think.

The outside-interface does not send ESP/ or any packet to fw2.

The next-hop of fw1 gives an ICMP-Destination Unreachable (seen in tcpdump)

The iptables-Scripts are checked twice, there is no blocking-rule inside.

The tunnels are up as expected in ipsec auto --status.

I tried to build a Kernel on fw1 with Openswan 2.4.7.klips-patch but I
didn't get far because of an pfkey_error. I am not able to solve this
problem by myself and would thank you for any advise or debugging idea.

Kernelbuild - error

[...]

  CC      net/ipsec/ipsec_init.o
  CC      net/ipsec/ipsec_sa.o
  CC      net/ipsec/ipsec_radij.o
  CC      net/ipsec/radij.o
  CC      net/ipsec/ipsec_life.o
  CC      net/ipsec/ipsec_proc.o
  CC      net/ipsec/ipsec_tunnel.o
  CC      net/ipsec/ipsec_xmit.o
  CC      net/ipsec/ipsec_rcv.o
  CC      net/ipsec/ipsec_ipip.o
  CC      net/ipsec/ipsec_snprintf.o
  CC      net/ipsec/sysctl_net_ipsec.o
  CC      net/ipsec/pfkey_v2.o
net/ipsec/pfkey_v2.c: In function 'pfkey_cleanup':
net/ipsec/pfkey_v2.c:1506: error: void value not ignored as it ought to be
make[2]: *** [net/ipsec/pfkey_v2.o] Error 1
make[1]: *** [net/ipsec] Error 2
make: *** [net] Error 2




#setkey -D on fw1 shows the following lines:

ip.fw.1 ip.fw.2
        esp mode=tunnel spi=2633966729(0x9cff2489) reqid=16393(0x00004009)
        E: aes-cbc  c6dfadfd 58279ef4 5da39502 2bd020e0
        A: hmac-sha1  fea3e984 16d2c5a4 2a44119b 42f6d829 1c94deeb
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: May 23 07:27:36 2007   current: May 23 11:55:23 2007
        diff: 16067(s)  hard: 0(s)      soft: 0(s)
        last: May 23 11:41:48 2007      hard: 0(s)      soft: 0(s)
        current: 1800(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 15   hard: 0 soft: 0
        sadb_seq=1 pid=20179 refcnt=0
ip.fw.2 ip.fw.1
        esp mode=tunnel spi=3946568964(0xeb3bdd04) reqid=16393(0x00004009)
        E: aes-cbc  49c4f70c 9542957e 89f7804f 58f47f5e
        A: hmac-sha1  51f253f1 19f97c65 c2978652 4e5751ec 7bdf3b15
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: May 23 07:27:36 2007   current: May 23 11:55:23 2007
        diff: 16067(s)  hard: 0(s)      soft: 0(s)
        last: May 23 11:41:48 2007      hard: 0(s)      soft: 0(s)
        current: 900(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 15   hard: 0 soft: 0
        sadb_seq=0 pid=20179 refcnt=0

#setkey -dP on fw1 shows the following lines:

192.168.87.0/24[any] 10.0.0.0/8[any] any
        in prio high + 1073738968 ipsec
        esp/tunnel/ip.fw2-ip.fw1/unique#16393
        created: May 22 15:52:21 2007  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=1800 seq=1 pid=20195
        refcnt=1
10.0.0.0/8[any] 192.168.87.0/24[any] any
        out prio high + 1073738968 ipsec
        esp/tunnel/ip.fw1-ip.fw2/unique#16393
        created: May 23 07:27:36 2007  lastused: May 23 11:46:14 2007
        lifetime: 0(s) validtime: 0(s)
        spid=1817 seq=2 pid=20195
        refcnt=1
192.168.87.0/24[any] 10.0.0.0/8[any] any
        fwd prio high + 1073738968 ipsec
        esp/tunnel/ip.fw2-ip.fw1/unique#16393
        created: May 22 15:52:21 2007  lastused: May 23 11:46:14 2007
        lifetime: 0(s) validtime: 0(s)
        spid=1810 seq=3 pid=20195
        refcnt=1
(per-socket policy)
        in none
        created: May 22 15:40:02 2007  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=1739 seq=4 pid=20195
        refcnt=1
(per-socket policy)
        in none
        created: May 22 15:40:02 2007  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=1723 seq=5 pid=20195
        refcnt=1
(per-socket policy)
        in none
        created: May 22 15:40:02 2007  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=1707 seq=6 pid=20195
        refcnt=1
(per-socket policy)
        in none
        created: May 22 15:40:02 2007  lastused: May 23 11:33:38 2007
        lifetime: 0(s) validtime: 0(s)
        spid=1691 seq=7 pid=20195
        refcnt=1
(per-socket policy)
        in none
        created: May 22 15:40:02 2007  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=1675 seq=8 pid=20195
        refcnt=1
(per-socket policy)
        out none
        created: May 22 15:40:02 2007  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=1748 seq=9 pid=20195
        refcnt=1
(per-socket policy)
        out none
        created: May 22 15:40:02 2007  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=1732 seq=10 pid=20195
        refcnt=1
(per-socket policy)
        out none
        created: May 22 15:40:02 2007  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=1716 seq=11 pid=20195
        refcnt=1
(per-socket policy)
        out none
        created: May 22 15:40:02 2007  lastused: May 23 11:33:38 2007
        lifetime: 0(s) validtime: 0(s)
        spid=1700 seq=12 pid=20195
        refcnt=1
(per-socket policy)
        out none
        created: May 22 15:40:02 2007  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=1684 seq=0 pid=20195
        refcnt=1

More information about the Users mailing list