[Openswan Users] privnet <-> openswan <-> juniper <-> privnet; tunnel routing only inbound linux side
Zack Train
zack at voltage.com
Mon Apr 21 21:32:50 EDT 2008
I am trying to set up a VPN between sites. I am using netkey on a 2.6.9 kernel (CentOS 4.x) and openswan 2.5.17 on an iptables firewall box on my linux side and a j2320 on JUNOS ES on the other. All negotiation issues have been worked out, etc. The tunnel works fantastically from the juniper side into my privnet on the linux side.
Going the other way (linux privnet to juniper privnet), I see the traffic hit the tunnel and become ESP packets on the external interface like so (example of pings going out):
18:20:24.360717 IP (tos 0x0, ttl 64, id 32581, offset 0, flags [DF], proto 50, length: 136) linuxGW > juniperGW: ESP(spi=0x7c9cacb7,seq=0x799)
Now, I think I have found what the problem is in the startup debug. My ipsec barf doesn't produce much output (complains of unexpected EOF). However, it appears that the _updown script adds a good route inbound, but fails to "replace" the outbound route (from /var/log/secure w/ names & IPs changed):
Apr 21 17:48:00 linuxGW pluto[8591]: | add inbound eroute juniper-privnet/24:0 --0-> linux-privnet/24:0 => tun.10000 at 128.242.105.30 (raw_eroute)
Apr 21 17:48:00 linuxGW pluto[8591]: | raw_eroute result=1
Apr 21 17:48:00 linuxGW pluto[8591]: | set up incoming SA, ref=0/4294901761
Apr 21 17:48:00 linuxGW pluto[8591]: | sr for #2: prospective erouted
Apr 21 17:48:00 linuxGW pluto[8591]: | route owner of "TITAN" prospective erouted: self; eroute owner: self
Apr 21 17:48:00 linuxGW pluto[8591]: | route_and_eroute with c: TITAN (next: none) ero:TITAN esr:{(nil)} ro:TITAN rosr:{(nil)} and state: 2
Apr 21 17:48:00 linuxGW pluto[8591]: | eroute_connection replace eroute linux-privnet/24:0 --0-> juniper-privnet/24:0 => tun.0 at juniperGW_ip (raw_eroute)
Apr 21 17:48:00 linuxGW pluto[8591]: | raw_eroute result=1
Apr 21 17:48:00 linuxGW pluto[8591]: | command executing up-client
Apr 21 17:48:00 linuxGW pluto[8591]: | executing up-client: 2>&1 PLUTO_VERSION='2.0' PLUTO_VERB='up-client' PLUTO_CONNECTION='TITAN' PLUTO_NEXT_HOP='linux_nexthop_ip' PLUTO_INTERFACE='eth1' PLUTO_ME='linuxGW_ip' PLUTO_MY_ID='linuxgw_ip' PLUTO_MY_CLIENT='linux-privnet/24' PLUTO_MY_CLIENT_NET='linux-privnet' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='juniperGW_ip' PLUTO_PEER_ID='juniperGW_ip' PLUTO_PEER_CLIENT='juniper-privnet/24' PLUTO_PEER_CLIENT_NET='juniper-privnet' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+UP' PLUTO_XAUTH_USERNAME='' ipsec _updown
Apr 21 17:48:00 linuxGW pluto[8591]: | route_and_eroute: firewall_notified: true
Apr 21 17:48:00 linuxGW pluto[8591]: | route_and_eroute: instance "TITAN", setting eroute_owner {spd=0x9938430,sr=0x9938430} to #2 (was #0) (newest_ipsec_sa=#0)
How can I get it to properly route outbound? I started looking into the _updown.netkey script. I think I'm looking at the relevant section, but I'm not sure how I should tweak it to correct this behavior.
I've been tearing my hair out since last Thurs. night and I needed this up and running then. Any help would be greatly appreciated.
Thanks---Z>m<T
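With the netkey stack, the eroutes pluto logs above are installed as kernel xfrm policies, so a quick way to tell whether the outbound leg really is missing is to list `ip xfrm policy` and confirm that out, in and fwd policies all exist for the two private subnets. The script below is an added example, not part of this thread or of Openswan's own _updown script; it parses text in the `ip xfrm policy` output format and reports which directions are absent. The SAMPLE_POLICIES text and the 10.1.0.0/24, 10.2.0.0/24, 192.0.2.1 and 198.51.100.1 addresses are constructed for the demonstration and deliberately reproduce the symptom described in the post (inbound present, outbound missing); on a real gateway you would feed it `"$(ip xfrm policy)"` instead.

```shell
#!/bin/sh
# Added example: check that a netkey (xfrm) tunnel has policies in all
# three directions. Not Openswan code; addresses below are constructed.

# Returns 0 when POLICIES (text in `ip xfrm policy` format) contains a
# policy for SRC -> DST in direction DIR (one of: in, out, fwd).
xfrm_has_policy() {
    policies=$1; src=$2; dst=$3; dir=$4
    printf '%s\n' "$policies" | awk -v s="$src" -v d="$dst" -v w="$dir" '
        # A "src X dst Y" line opens a new policy entry.
        $1 == "src" && $3 == "dst" { cur_src = $2; cur_dst = $4; next }
        # The following "dir ..." line tells us its direction.
        $1 == "dir" { if (cur_src == s && cur_dst == d && $2 == w) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Prints the directions missing for a LOCAL_NET <-> REMOTE_NET tunnel
# (out: local->remote; in and fwd: remote->local) and returns 0 only
# when all three are present.
missing_policy_dirs() {
    policies=$1; local_net=$2; remote_net=$3
    missing=""
    xfrm_has_policy "$policies" "$local_net" "$remote_net" out || missing="$missing out"
    xfrm_has_policy "$policies" "$remote_net" "$local_net" in  || missing="$missing in"
    xfrm_has_policy "$policies" "$remote_net" "$local_net" fwd || missing="$missing fwd"
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample in `ip xfrm policy` layout: only the in and fwd
# policies for the remote subnet exist, the out policy is absent.
SAMPLE_POLICIES='src 10.2.0.0/24 dst 10.1.0.0/24
	dir in priority 2344
	tmpl src 198.51.100.1 dst 192.0.2.1
		proto esp reqid 16385 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
	dir fwd priority 2344
	tmpl src 198.51.100.1 dst 192.0.2.1
		proto esp reqid 16385 mode tunnel'

# Demonstration: report what is missing for the constructed tunnel.
if missing=$(missing_policy_dirs "$SAMPLE_POLICIES" 10.1.0.0/24 10.2.0.0/24); then
    echo "all xfrm policy directions present"
else
    echo "missing xfrm policy direction(s): $missing"
fi
```

If the out policy is indeed missing, compare the `eroute_connection replace eroute` line in the pluto debug with the policy list; a missing out entry points at policy installation, while a present out entry with traffic already leaving as ESP points at the return path (the remote side's policy or routing) instead.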