[Openswan Users] privnet <-> openswan <-> juniper <-> privnet; tunnel routing only inbound linux side

Zack Train zack at voltage.com
Thu Apr 24 21:14:12 EDT 2008


It turns out it was working. I had evidently done tcpdump on the wrong interface on the router. My packets were making it through both gateways and getting dropped by iptables on the target host in the other privnet...

Thanks---Z>m<T

-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Zack Train
Sent: Monday, April 21, 2008 6:33 PM
To: users at openswan.org
Subject: [Openswan Users] privnet <-> openswan <-> juniper <-> privnet; tunnel routing only inbound linux side

I am trying to set up a VPN between sites. I am using netkey on a 2.6.9 kernel (CentOS 4.x) and openswan 2.5.17 on an iptables firewall box on my linux side and a j2320 on JUNOS ES on the other. All negotiation issues have been worked out, etc. The tunnel works fantastically from the juniper side into my privnet on the linux side.

Going the other way (linux privnet to juniper privnet), I see the traffic hit the tunnel and become ESP packets on the external interface like so (example of pings going out):
18:20:24.360717 IP (tos 0x0, ttl  64, id 32581, offset 0, flags [DF], proto 50, length: 136) linuxGW > juniperGW: ESP(spi=0x7c9cacb7,seq=0x799)

Now, I think I have found what the problem is in the startup debug. My ipsec barf doesn't produce much output (complains of unexpected EOF). However, it appears that the _updown script adds a good route inbound, but fails to "replace" the outbound route (from /var/log/secure w/ names & IPs changed):
Apr 21 17:48:00 linuxGW pluto[8591]: | add inbound eroute juniper-privnet/24:0 --0-> linux-privnet/24:0 => tun.10000 at 128.242.105.30 (raw_eroute)
Apr 21 17:48:00 linuxGW pluto[8591]: | raw_eroute result=1
Apr 21 17:48:00 linuxGW pluto[8591]: | set up incoming SA, ref=0/4294901761
Apr 21 17:48:00 linuxGW pluto[8591]: | sr for #2: prospective erouted
Apr 21 17:48:00 linuxGW pluto[8591]: | route owner of "TITAN" prospective erouted: self; eroute owner: self
Apr 21 17:48:00 linuxGW pluto[8591]: | route_and_eroute with c: TITAN (next: none) ero:TITAN esr:{(nil)} ro:TITAN rosr:{(nil)} and state: 2
Apr 21 17:48:00 linuxGW pluto[8591]: | eroute_connection replace eroute linux-privnet/24:0 --0-> juniper-privnet/24:0 => tun.0 at juniperGW_ip (raw_eroute)
Apr 21 17:48:00 linuxGW pluto[8591]: | raw_eroute result=1
Apr 21 17:48:00 linuxGW pluto[8591]: | command executing up-client
Apr 21 17:48:00 linuxGW pluto[8591]: | executing up-client: 2>&1 PLUTO_VERSION='2.0' PLUTO_VERB='up-client' PLUTO_CONNECTION='TITAN' PLUTO_NEXT_HOP='linux_nexthop_ip' PLUTO_INTERFACE='eth1' PLUTO_ME='linuxGW_ip' PLUTO_MY_ID='linuxgw_ip' PLUTO_MY_CLIENT='linux-privnet/24' PLUTO_MY_CLIENT_NET='linux-privnet' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='juniperGW_ip' PLUTO_PEER_ID='juniperGW_ip' PLUTO_PEER_CLIENT='juniper-privnet/24' PLUTO_PEER_CLIENT_NET='juniper-privnet' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+UP' PLUTO_XAUTH_USERNAME=''  ipsec _updown
Apr 21 17:48:00 linuxGW pluto[8591]: | route_and_eroute: firewall_notified: true
Apr 21 17:48:00 linuxGW pluto[8591]: | route_and_eroute: instance "TITAN", setting eroute_owner {spd=0x9938430,sr=0x9938430} to #2 (was #0) (newest_ipsec_sa=#0)

How can I get it to properly route outbound? I started looking into the _updown.netkey script. I think I'm looking at the relevant section, but I'm not sure how I should tweak it to correct this behavior.

I've been tearing my hair out since last Thurs. night and I needed this up and running then. Any help would be greatly appreciated.

Thanks---Z>m<T
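Added example, not from the thread: a small Python parser for pluto debug lines like the ones quoted above. It pairs each "add inbound eroute" / "replace eroute" request with the "raw_eroute result=" line that follows it and uses PLUTO_MY_CLIENT from the up-client line to tell the directions apart, so you can see at a glance that both eroutes were accepted (result=1) and look elsewhere, as the poster eventually did. The sample lines are constructed from the post, with the wrapped lines rejoined and the archive's " at " obfuscation turned back into "@"; the up-client line is shortened to the variables the parser needs.

```python
import re

# Constructed sample input (from the quoted pluto debug output; names/IPs are
# the poster's placeholders, up-client line trimmed to the relevant variables).
SAMPLE_LOG = """\
Apr 21 17:48:00 linuxGW pluto[8591]: | add inbound eroute juniper-privnet/24:0 --0-> linux-privnet/24:0 => tun.10000@128.242.105.30 (raw_eroute)
Apr 21 17:48:00 linuxGW pluto[8591]: | raw_eroute result=1
Apr 21 17:48:00 linuxGW pluto[8591]: | set up incoming SA, ref=0/4294901761
Apr 21 17:48:00 linuxGW pluto[8591]: | eroute_connection replace eroute linux-privnet/24:0 --0-> juniper-privnet/24:0 => tun.0@juniperGW_ip (raw_eroute)
Apr 21 17:48:00 linuxGW pluto[8591]: | raw_eroute result=1
Apr 21 17:48:00 linuxGW pluto[8591]: | command executing up-client
Apr 21 17:48:00 linuxGW pluto[8591]: | executing up-client: 2>&1 PLUTO_VERB='up-client' PLUTO_CONNECTION='TITAN' PLUTO_MY_CLIENT='linux-privnet/24' PLUTO_PEER_CLIENT='juniper-privnet/24' PLUTO_STACK='netkey' ipsec _updown
"""

# "<src>:<port> --<proto>-> <dst>:<port> => <tunnel>@<gateway> (raw_eroute)"
EROUTE_RE = re.compile(
    r"\| (?:add inbound|eroute_connection replace) eroute "
    r"(?P<src>\S+?):\d+ --\d+-> (?P<dst>\S+?):\d+ => (?P<via>.+?) \(raw_eroute\)")
RESULT_RE = re.compile(r"\| raw_eroute result=(?P<rc>\d+)")
CLIENT_RE = re.compile(r"PLUTO_MY_CLIENT='(?P<net>[^']+)'")


def parse_eroutes(log_text):
    """Return each eroute request as {src, dst, via, ok}; ok means the
    'raw_eroute result=' line that follows it reported 1 (kernel accepted)."""
    ops, pending = [], None
    for line in log_text.splitlines():
        m = EROUTE_RE.search(line)
        if m:
            pending = m.groupdict()
            continue
        m = RESULT_RE.search(line)
        if m and pending is not None:
            pending["ok"] = m.group("rc") == "1"
            ops.append(pending)
            pending = None
    return ops


def eroute_status(log_text):
    """Map each accepted eroute to 'in' or 'out' relative to PLUTO_MY_CLIENT
    (src == our client subnet means outbound) and report both directions."""
    m = CLIENT_RE.search(log_text)
    if not m:
        raise ValueError("no PLUTO_MY_CLIENT in log; cannot tell directions apart")
    my_client = m.group("net")
    status = {"in": False, "out": False}
    for op in parse_eroutes(log_text):
        direction = "out" if op["src"] == my_client else "in"
        status[direction] = status[direction] or op["ok"]
    return status


if __name__ == "__main__":
    for op in parse_eroutes(SAMPLE_LOG):
        print(f'{op["src"]} -> {op["dst"]} via {op["via"]}: ok={op["ok"]}')
    print(eroute_status(SAMPLE_LOG))  # both True: the policies are installed
```

If both directions report True but traffic still does not arrive, the IPsec policy is not the problem; check filtering on the path and on the destination host, which is where this thread's packets were being dropped.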