[Openswan Users] Problem: Ping to subnet is unencrypted (openswan 2.4.9 netkey)
Michael Roessler
michroes at gmx.de
Thu May 8 04:05:09 EDT 2008
Hello to all,
Pinging from the external interface of openswan-gw1 to the internal interface of openswan-gw2 looks unencrypted (tcpdump on the router):
16:35:07.924013 IP fedora81_ext(194.170.30.1) > fedora82_int(192.168.2.1): ICMP echo request, id 26380, seq 1, length 64
16:35:07.924498 IP fedora82_int(192.168.2.1) > fedora81_ext(194.170.30.1): ICMP echo reply, id 26380, seq 1, length 64
Pinging between the external interfaces of the openswan gateways looks encrypted (tcpdump on the router):
16:34:54.882081 IP fedora81_ext(194.170.30.1) > fedora82_ext(194.170.31.1): ESP(spi=0xdf6dc6dd,seq=0x4), length 132
16:34:54.883622 IP fedora82_ext(194.170.31.1) > fedora81_ext(194.170.30.1): ESP(spi=0xcfa9712d,seq=0x4), length 132
No running firewall.
Could you please let me know if it is possible to encrypt the traffic of the local subnets? Do I need an openswan client for this?
Please have a look at the further information below. I hope this is convenient for you.
Cheers,
Michael
Background information:
Here you will find information about the network, ipsec.conf and the routing tables.
---
Network: I have created the following five virtual machines.
router: debian403, eth0 unused, eth1 194.170.30.254, eth2 194.170.31.254.
openswan-gw1: fedora81, eth1 194.170.30.1, eth0 192.168.1.1.
openswan-gw2: fedora82, eth1 194.170.31.1, eth0 192.168.2.1.
debian401: eth0 192.168.1.2. Function: should be VPN client for fedora81.
debian402: eth0 192.168.2.2. Function: should be VPN client for fedora82.
---
ipsec.conf on fedora81 and fedora82 is based on the book "Building and integrating Virtual Private Networks with Openswan":
version 2
config setup
    interfaces=%defaultroute
    #nat_traversal=yes
    #virtual_private=%v4:192.168.0.0/16
conn %default
    authby=rsasig
conn west-east
    left=194.170.30.1
    leftrsasigkey=0sAQ...
    right=194.170.31.1
    rightrsasigkey=0sAQOrY..
    type=tunnel
    auto=start
conn sunset-sunrise
    left=194.170.30.1
    leftsubnet=192.168.1.0/24
    right=194.170.31.1
    rightsubnet=192.168.2.0/24
    leftrsasigkey=0sAQPD..
    rightrsasigkey=0sAQOrYnR0z..
    auto=add
conn west-sunrise
    left=194.170.30.1
    # leftsubnet=192.168.1.0/24
    right=194.170.31.1
    rightsubnet=192.168.2.0/24
    leftrsasigkey=0sAQPDo..
    rightrsasigkey=0sAQOrYnR0zk..
    auto=add
conn east-sunset
    left=194.170.30.1
    leftsubnet=192.168.1.0/24
    right=194.170.31.1
    # rightsubnet=192.168.2.0/24
    leftrsasigkey=0sAQPDoX..
    rightrsasigkey=0sAQOrYn..
    auto=add
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
conn clear-or-private
    auto=ignore
---
Routing table on openswan-gw1 (fedora81):
Destination     Gateway         Genmask          Flags Metric Ref Use Iface
194.170.31.1    0.0.0.0         255.255.255.255  UH    0      0   0   eth0
192.168.1.0     0.0.0.0         255.255.255.0    U     0      0   0   eth1
194.170.30.0    0.0.0.0         255.255.255.0    U     0      0   0   eth0
169.254.0.0     0.0.0.0         255.255.0.0      U     0      0   0   eth1
0.0.0.0         194.170.30.1    0.0.0.0          UG    0      0   0   eth0
Routing table on openswan-gw2 (fedora82):
Destination     Gateway         Genmask          Flags Metric Ref Use Iface
194.170.30.1    0.0.0.0         255.255.255.255  UH    0      0   0   eth0
192.168.2.0     0.0.0.0         255.255.255.0    U     0      0   0   eth1
194.170.31.0    0.0.0.0         255.255.255.0    U     0      0   0   eth0
169.254.0.0     0.0.0.0         255.255.0.0      U     0      0   0   eth1
0.0.0.0         194.170.31.1    0.0.0.0          UG    0      0   0   eth0
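In the posted ipsec.conf only west-east carries auto=start; the three subnet conns are auto=add, which loads a conn without installing a policy for it, so the host-to-subnet ping has no SA to travel in. The script below is an added example (not from the post or from Openswan) that reads a conf excerpt modelled on the one above and reports, for a source/destination pair, which conn's selectors cover it and whether that conn is actually started; the conf text is constructed and the helper names are mine.

```python
import ipaddress
import re

# Constructed excerpt modelled on the post's ipsec.conf (keys and %default omitted).
IPSEC_CONF = """
conn west-east
    left=194.170.30.1
    right=194.170.31.1
    auto=start
conn sunset-sunrise
    left=194.170.30.1
    leftsubnet=192.168.1.0/24
    right=194.170.31.1
    rightsubnet=192.168.2.0/24
    auto=add
conn west-sunrise
    left=194.170.30.1
    right=194.170.31.1
    rightsubnet=192.168.2.0/24
    auto=add
"""

def parse_conns(text):
    """Minimal ipsec.conf reader: conn name -> {key: value}; '#' comments stripped."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return conns

def policy_for(conns, src, dst):
    """(conn name, auto mode) of the first conn whose selectors cover src<->dst, else None.
    A side's selector is its subnet if given, otherwise the gateway host itself (/32)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, c in conns.items():
        left = ipaddress.ip_network(c.get("leftsubnet", c["left"] + "/32"))
        right = ipaddress.ip_network(c.get("rightsubnet", c["right"] + "/32"))
        if (src in left and dst in right) or (src in right and dst in left):
            return name, c.get("auto", "ignore")
    return None

def is_protected(conns, src, dst):
    """Only auto=start or auto=route install a policy; auto=add merely loads the conn."""
    hit = policy_for(conns, src, dst)
    return hit is not None and hit[1] in ("start", "route")
```

Running it on the pair from the first tcpdump (194.170.30.1 to 192.168.2.1) returns west-sunrise with auto=add, i.e. a matching conn exists but is not started, which is consistent with the cleartext ICMP seen on the router.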