[Openswan Users] OpenSWAN 2.4.9 with fc8 does not want to route
Greg Scott
GregScott at InfraSupportEtc.com
Tue Apr 1 21:04:06 EDT 2008
Hello -
I am trying to set up an IPSEC tunnel with fc8 and OpenSWAN 2.4.9 with
the stock 2.6.23.1-42.fc8 kernel. So it's the native Netkey and not
KLIPS.
When I start the tunnels up and look at /var/log/secure, I see SA
Established messages and the tunnels seem OK. Until I try to ping from
a system on one side to the other. I have a Linux router in-between
both test endpoints so I can watch packets with tcpdump from my
home-brewed router. The bottom line is, nothing wants to route through the
tunnel - it all routes outside the tunnel and ends up in the bitbucket.
What's really puzzling is, I've done this before with earlier versions
and it all works fine. But now I can't get anything to route through my
tunnel to save my life. Maybe it's been a long day and I am missing
something obvious - but I sure don't see it...
Any advice would be appreciated.
Here is the layout - with real IP Addresses:
Left side                                                  Right side
Host          IPSEC fw      Simulated Internet   IPSEC fw       Host
192.168.13.2  192.168.13.1  74.94.87.94          192.168.0.1    192.168.0.2
              74.94.87.89   67.107.38.9          67.107.38.14
Here are details:
First /etc/ipsec.conf - pretty much out of the RedHat box and almost
identical on both systems:
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        nat_traversal=yes

##include /etc/ipsec.d/*.conf
include /etc/ipsec.d/no_oe.conf
include /etc/ipsec.d/hq-ipsec.conf
Now the right side - hq-ipsec.conf:
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
conn david-everywhere
        type=tunnel
        #
        # Left security gateway, subnet behind it, next hop toward right.
        #
        also=david
        #
        # Right security gateway, subnet behind it, next hop toward left.
        #
        also=hq
        rightupdown=/etc/ipsec.d/hq-updown.sh
        auto=start

include /etc/ipsec.d/sites.conf
Here is hq-updown.sh:

#!/bin/sh
# hq-updown.sh - wrapper around Openswan's stock _updown for the hq side.
# Pluto calls it with the action in $PLUTO_VERB (up-host, route-client, ...).
LOCALNET1=192.168.0.0/24
LOCALNET2=172.17.0.0/24

# Run the stock script first so the normal policies and routes are installed.
/usr/lib/ipsec/_updown "$@"

# Install template-less (pass-through) xfrm policies for local-to-local
# traffic so it is never pulled into the tunnel.
if [ "$PLUTO_VERB" = "route-host" ] || [ "$PLUTO_VERB" = "route-client" ]; then
        for dir in in out; do
                ip xfrm policy update dir "$dir" src "$LOCALNET1" dst "$LOCALNET1"
                ip xfrm policy update dir "$dir" src "$LOCALNET2" dst "$LOCALNET2"
        done
fi

# Routes to branches: remote subnet out the external interface, with the
# internal address as source so the gateway's own traffic sits inside the
# local subnet.
/sbin/ip route change 192.168.13.0/24 dev eth0 src 192.168.0.1 mtu 1400
Now the left side - david-ipsec.conf:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
conn david-everywhere
        type=tunnel
        #
        # Left security gateway, subnet behind it, next hop toward right.
        #
        also=david
        leftupdown=/etc/ipsec.d/david-updown.sh
        #
        # Right security gateway, subnet behind it, next hop toward left.
        #
        also=hq
        auto=start

include /etc/ipsec.d/sites.conf
And here is david-updown.sh:

#!/bin/sh
# david-updown.sh - wrapper around Openswan's stock _updown for the david side.
LOCALNET1=192.168.13.0/24

# Run the stock script first so the normal policies and routes are installed.
/usr/lib/ipsec/_updown "$@"

# Template-less (pass-through) xfrm policies for local-to-local traffic.
if [ "$PLUTO_VERB" = "route-host" ] || [ "$PLUTO_VERB" = "route-client" ]; then
        for dir in in out; do
                ip xfrm policy update dir "$dir" src "$LOCALNET1" dst "$LOCALNET1"
        done
fi

# Route to HQ: remote subnet out the external interface, internal address as source.
/sbin/ip route change 192.168.0.0/24 dev eth0 src 192.168.13.1 mtu 1400
And now sites.conf (identical on both systems):

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
conn hq
        right=67.107.38.14
        rightnexthop=67.107.38.9
        rightsubnet=192.168.0.0/24
        rightsourceip=192.168.0.1
        rightid=@hq.local
        # RSA 2192 bits   hq-fw   Wed Apr  2 11:52:17 2008
        rightrsasigkey=0sAQOk7GEfbq0.....

conn david
        left=74.94.87.89
        leftnexthop=74.94.87.94
        leftsubnet=192.168.13.0/24
        leftsourceip=192.168.13.1
        leftid=@david.local
        # RSA 2192 bits   LMDS-fw   Wed Apr  2 13:28:19 2008
        leftrsasigkey=0sAQNu9f6A.....
I tried commenting out both the leftupdown and rightupdown lines, but
this didn't help.
Here is an extract from /var/log/secure on the hq system:
[root at hq-fw ipsec.d]# tail /var/log/secure
Apr 1 19:41:58 hq-fw pluto[5215]: "david-everywhere" #5: responding to Main Mode
Apr 1 19:41:58 hq-fw pluto[5215]: "david-everywhere" #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 1 19:41:58 hq-fw pluto[5215]: "david-everywhere" #5: STATE_MAIN_R1: sent MR1, expecting MI2
Apr 1 19:41:58 hq-fw pluto[5215]: "david-everywhere" #5: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Apr 1 19:41:58 hq-fw pluto[5215]: "david-everywhere" #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 1 19:41:58 hq-fw pluto[5215]: "david-everywhere" #5: STATE_MAIN_R2: sent MR2, expecting MI3
Apr 1 19:41:58 hq-fw pluto[5215]: "david-everywhere" #5: Main mode peer ID is ID_FQDN: '@david.local'
Apr 1 19:41:58 hq-fw pluto[5215]: "david-everywhere" #5: I did not send a certificate because I do not have one.
Apr 1 19:41:58 hq-fw pluto[5215]: "david-everywhere" #5: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 1 19:41:58 hq-fw pluto[5215]: "david-everywhere" #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
And here is ipsec look from both sides:
[root at hq-fw ipsec.d]# ipsec look
hq-fw Tue Apr 1 19:43:30 CDT 2008
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         67.107.38.9     0.0.0.0         UG        0 0          0 eth0
192.168.13.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
67.107.38.8     0.0.0.0         255.255.255.248 U         0 0          0 eth0

[root at LMDS-fw ipsec.d]# ipsec look
LMDS-fw Tue Apr 1 19:41:07 CDT 2008
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         74.94.87.94     0.0.0.0         UG        0 0          0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
74.94.87.88     0.0.0.0         255.255.255.248 U         0 0          0 eth0
And ip route show from both sides:
[root at hq-fw ipsec.d]# ip route show
67.107.38.8/29 dev eth0 proto kernel scope link src 67.107.38.14
192.168.1.0/24 via 192.168.0.215 dev eth1
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1
192.168.13.0/24 dev eth0 scope link src 192.168.0.1 mtu 1400
10.10.10.0/24 dev eth2 proto kernel scope link src 10.10.10.88
172.17.0.0/24 dev eth2 proto kernel scope link src 172.17.0.1
169.254.0.0/16 dev eth2 scope link
default via 67.107.38.9 dev eth0
[root at LMDS-fw ipsec.d]# ip route show
74.94.87.88/29 dev eth0 proto kernel scope link src 74.94.87.89
192.168.0.0/24 dev eth0 scope link src 192.168.13.1 mtu 1400
192.168.13.0/24 dev eth1 proto kernel scope link src 192.168.13.1
10.10.10.0/24 dev eth2 proto kernel scope link src 10.10.10.77
169.254.0.0/16 dev eth2 scope link
default via 74.94.87.94 dev eth0
192.168.0.2 is a host on the right side.
192.168.13.2 is a host on the left side.
Both sides can ping their ipsec routers and both ipsec routers can ping
my simulated router in the middle. But packets that should be in the
tunnel are not:
[root at hq-fw ipsec.d]# ping 192.168.13.2 -I 192.168.0.1
PING 192.168.13.2 (192.168.13.2) from 192.168.0.1 : 56(84) bytes of data.
From 67.107.38.14 icmp_seq=2 Destination Host Unreachable
From 67.107.38.14 icmp_seq=3 Destination Host Unreachable
From 67.107.38.14 icmp_seq=4 Destination Host Unreachable
--- 192.168.13.2 ping statistics ---
5 packets transmitted, 0 received, +3 errors, 100% packet loss, time 4000ms, pipe 3
[root at hq-fw ipsec.d]# traceroute -n 192.168.13.2
traceroute to 192.168.13.2 (192.168.13.2), 30 hops max, 40 byte packets
1 67.107.38.14 2999.155 ms !H 2999.108 ms !H 2999.039 ms !H
[root at hq-fw ipsec.d]#
[root at hq-fw ipsec.d]#
[root at hq-fw ipsec.d]# traceroute -n 74.94.87.89
traceroute to 74.94.87.89 (74.94.87.89), 30 hops max, 40 byte packets
1 67.107.38.9 0.410 ms 0.194 ms 0.173 ms
2 74.94.87.89 0.608 ms 0.584 ms 0.574 ms
[root at hq-fw ipsec.d]#
Thanks
- Greg Scott
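With NETKEY the route table alone does not decide whether a packet is encrypted; the kernel's xfrm policy lookup does, so the first thing worth checking when traffic "routes outside the tunnel" is whether a policy with an ESP template actually covers the flow. The script below is an added diagnostic example written for this post; it is not code from the post or from Openswan. It parses the text layout printed by `ip xfrm policy show` (an unindented `src/dst` line, then indented `dir ... priority ...`, `tmpl ...` and `proto ... reqid ... mode ...` lines) and classifies a flow as tunnelled, passed in the clear by a template-less policy like the ones the updown scripts above install, or unmatched by any policy, in which case it just follows the route table. The embedded dump is constructed from the addresses in the post; its priorities and reqids are made-up values.

```python
"""Classify a flow against a NETKEY (xfrm) policy dump.

Added diagnostic example, not code from the original post or from
Openswan.  It parses the text printed by `ip xfrm policy show` and reports
whether a packet would be tunnelled (policy with an ESP template), passed in
the clear by a template-less policy, or matched by no policy at all.
"""
import ipaddress
import re

# Constructed sample in the `ip xfrm policy show` text layout.  Addresses are
# the ones from the post; priorities and reqids are made up.
SAMPLE_POLICY_DUMP = """\
src 192.168.0.0/24 dst 192.168.13.0/24
\tdir out priority 2344
\ttmpl src 67.107.38.14 dst 74.94.87.89
\t\tproto esp reqid 16385 mode tunnel
src 192.168.13.0/24 dst 192.168.0.0/24
\tdir in priority 2344
\ttmpl src 74.94.87.89 dst 67.107.38.14
\t\tproto esp reqid 16385 mode tunnel
src 192.168.0.0/24 dst 192.168.0.0/24
\tdir out priority 0
src 192.168.0.0/24 dst 192.168.0.0/24
\tdir in priority 0
"""


def parse_policies(dump):
    """Return a list of dicts: src, dst (networks), dir, priority, tmpl."""
    policies = []
    cur = None
    for line in dump.splitlines():
        text = line.strip()
        if not text:
            continue
        if not line[0].isspace():
            # An unindented line opens a new policy: "src A/n dst B/m".
            m = re.match(r"src (\S+) dst (\S+)", text)
            cur = {"src": ipaddress.ip_network(m.group(1)),
                   "dst": ipaddress.ip_network(m.group(2)),
                   "dir": None, "priority": None, "tmpl": []}
            policies.append(cur)
        elif cur is None:
            continue
        elif text.startswith("dir "):
            m = re.match(r"dir (\S+) priority (\d+)", text)
            cur["dir"], cur["priority"] = m.group(1), int(m.group(2))
        elif text.startswith("tmpl "):
            m = re.match(r"tmpl src (\S+) dst (\S+)", text)
            cur["tmpl"].append({"src": m.group(1), "dst": m.group(2)})
        elif text.startswith("proto ") and cur["tmpl"]:
            m = re.match(r"proto (\S+) reqid (\d+) mode (\S+)", text)
            cur["tmpl"][-1].update(proto=m.group(1), reqid=int(m.group(2)),
                                   mode=m.group(3))
    return policies


def classify_flow(policies, src, dst, direction):
    """'tunnel', 'bypass' or 'unprotected' for one packet in one direction.

    The kernel uses the matching policy with the lowest priority number.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matches = [p for p in policies
               if p["dir"] == direction and s in p["src"] and d in p["dst"]]
    if not matches:
        return "unprotected"   # no policy: packet just follows the route table
    best = min(matches, key=lambda p: p["priority"])
    return "tunnel" if best["tmpl"] else "bypass"


def check_tunnel(dump, local_net, remote_net):
    """How traffic between two subnets is handled, outbound and inbound.

    The first host address of each subnet stands in for a real packet.
    """
    policies = parse_policies(dump)
    local = next(ipaddress.ip_network(local_net).hosts())
    remote = next(ipaddress.ip_network(remote_net).hosts())
    return {
        "out": classify_flow(policies, str(local), str(remote), "out"),
        "in": classify_flow(policies, str(remote), str(local), "in"),
    }


if __name__ == "__main__":
    for pair in [("192.168.0.0/24", "192.168.13.0/24"),
                 ("192.168.0.0/24", "192.168.0.0/24"),
                 ("172.17.0.0/24", "192.168.13.0/24")]:
        print(pair, check_tunnel(SAMPLE_POLICY_DUMP, *pair))
```

On a live gateway, feed it the real output of `ip xfrm policy show` instead of the constructed dump; a result of "unprotected" for the leftsubnet/rightsubnet pair means pluto never installed the tunnel policy and the packets are leaving in the clear along the route, which is exactly the symptom to look for before touching the route table.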