[Openswan Users] Problem: Ping to subnet is unencrypted (openswan 2.4.9 netkey)
Paul Wouters
paul at xelerance.com
Thu May 8 09:21:29 EDT 2008
On Thu, 8 May 2008, Michael Roessler wrote:
>
> Pinging from the external interface of openswan-gw1 to the internal interface of openswan-gw2 looks unencrypted; tcpdump on the router:
> 16:35:07.924013 IP fedora81_ext(194.170.30.1) > fedora82_int(192.168.2.1): ICMP echo request, id 26380, seq 1, length 64
> 16:35:07.924498 IP fedora82_int(192.168.2.1) > fedora81_ext(194.170.30.1): ICMP echo reply, id 26380, seq 1, length 64
That's a netkey artifact. Check from the other machine and you'll see
the packets encrypted. They are encrypted after tcpdump sees them.
Paul
> Pinging between the external interfaces of the openswan gateways looks encrypted; tcpdump on the router:
> 16:34:54.882081 IP fedora81_ext(194.170.30.1) > fedora82_ext(194.170.31.1): ESP(spi=0xdf6dc6dd,seq=0x4), length 132
> 16:34:54.883622 IP fedora82_ext(194.170.31.1) > fedora81_ext(194.170.30.1): ESP(spi=0xcfa9712d,seq=0x4), length 132
>
> No running firewall.
>
> Could you please let me know if it is possible to encrypt the traffic of the local subnets? Do I need an Openswan client for this?
>
> Please have a look at the further information below. I hope this is convenient for you.
>
> Cheers,
>
> Michael
>
>
> Background information:
> Here you will find information about the network, ipsec.conf and routing tables.
> ---
> network: I have created the following five virtual machines.
> router: debian403, eth0 unused, eth1 194.170.30.254, eth2 194.170.31.254.
> openswan-gw1: fedora81, eth1 194.170.30.1 , eth0 192.168.1.1 .
> openswan-gw2: fedora82, eth1 194.170.31.1 , eth0 192.168.2.1 .
> debian401, eth0 192.168.1.2 Function: should be vpn-client for fedora81
> debian402, eth0 192.168.2.2 Function: should be vpn-client for fedora82
> ---
> ipsec.conf on fedora81 and fedora82 is based on the book "Building and integrating Virtual Private Networks with Openswan":
> version 2
>
> config setup
>         interfaces=%defaultroute
>         #nat_traversal=yes
>         #virtual_private=%v4:192.168.0.0/16
>
> conn %default
>         authby=rsasig
>
> # gateway host to gateway host (no subnets); initiated at startup
> conn west-east
>         left=194.170.30.1
>         leftrsasigkey=0sAQ...
>         right=194.170.31.1
>         rightrsasigkey=0sAQOrY..
>         type=tunnel
>         auto=start
>
> # subnet to subnet; auto=add only loads the conn, it is not initiated
> conn sunset-sunrise
>         left=194.170.30.1
>         leftsubnet=192.168.1.0/24
>         right=194.170.31.1
>         rightsubnet=192.168.2.0/24
>         leftrsasigkey=0sAQPD..
>         rightrsasigkey=0sAQOrYnR0z..
>         auto=add
>
> # left gateway host to right subnet; loaded but not initiated
> conn west-sunrise
>         left=194.170.30.1
>         # leftsubnet=192.168.1.0/24
>         right=194.170.31.1
>         rightsubnet=192.168.2.0/24
>         leftrsasigkey=0sAQPDo..
>         rightrsasigkey=0sAQOrYnR0zk..
>         auto=add
>
> # left subnet to right gateway host; loaded but not initiated
> conn east-sunset
>         left=194.170.30.1
>         leftsubnet=192.168.1.0/24
>         right=194.170.31.1
>         # rightsubnet=192.168.2.0/24
>         leftrsasigkey=0sAQPDoX..
>         rightrsasigkey=0sAQOrYn..
>         auto=add
>
> # disable the opportunistic-encryption conns from the stock ipsec.conf
> conn block
>         auto=ignore
>
> conn private
>         auto=ignore
>
> conn private-or-clear
>         auto=ignore
>
> conn clear
>         auto=ignore
>
> conn packetdefault
>         auto=ignore
>
> conn clear-or-private
>         auto=ignore
> ---
> route table on Openswan-gw1 fedora81:
> Destination   Gateway       Genmask          Flags Metric Ref Use Iface
> 194.170.31.1  0.0.0.0       255.255.255.255  UH    0      0   0   eth0
> 192.168.1.0   0.0.0.0       255.255.255.0    U     0      0   0   eth1
> 194.170.30.0  0.0.0.0       255.255.255.0    U     0      0   0   eth0
> 169.254.0.0   0.0.0.0       255.255.0.0      U     0      0   0   eth1
> 0.0.0.0       194.170.30.1  0.0.0.0          UG    0      0   0   eth0
>
> route table on Openswan-gw2 fedora82:
> Destination   Gateway       Genmask          Flags Metric Ref Use Iface
> 194.170.30.1  0.0.0.0       255.255.255.255  UH    0      0   0   eth0
> 192.168.2.0   0.0.0.0       255.255.255.0    U     0      0   0   eth1
> 194.170.31.0  0.0.0.0       255.255.255.0    U     0      0   0   eth0
> 169.254.0.0   0.0.0.0       255.255.0.0      U     0      0   0   eth1
> 0.0.0.0       194.170.31.1  0.0.0.0          UG    0      0   0   eth0
>
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
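A worked check added by the editor, not part of the original thread and not Openswan code: a small ipsec.conf reader that takes the posted conns and reports, for a given src -> dst pair, which conn's traffic selectors cover it and whether that conn is auto=start or only auto=add. The two flows from the captures above (194.170.30.1 -> 192.168.2.1 and 194.170.30.1 -> 194.170.31.1) are used as input. SAMPLE_CONF is a constructed copy of the posted configuration with the truncated rsasigkey lines dropped, and the parser only understands the subset of ipsec.conf(5) syntax used there (no also= or include). The selector rules it assumes are the documented ones: a missing leftsubnet/rightsubnet means the host itself, auto=add loads a conn without initiating it, auto=start initiates it.

```python
# Added example, not Openswan code: which conn covers a flow, and is it
# auto=start or only auto=add?  Assumed ipsec.conf(5) semantics:
#   no leftsubnet/rightsubnet -> that end is the host itself (/32)
#   auto=add -> policy loaded, not initiated; auto=start -> initiated
#   conn %default -> its parameters are inherited by every other conn
import ipaddress

# Constructed copy of the posted config, rsasigkey lines dropped.
SAMPLE_CONF = """\
version 2

config setup
    interfaces=%defaultroute

conn %default
    authby=rsasig

conn west-east
    left=194.170.30.1
    right=194.170.31.1
    type=tunnel
    auto=start

conn sunset-sunrise
    left=194.170.30.1
    leftsubnet=192.168.1.0/24
    right=194.170.31.1
    rightsubnet=192.168.2.0/24
    auto=add

conn west-sunrise
    left=194.170.30.1
    right=194.170.31.1
    rightsubnet=192.168.2.0/24
    auto=add

conn east-sunset
    left=194.170.30.1
    leftsubnet=192.168.1.0/24
    right=194.170.31.1
    auto=add

conn clear
    auto=ignore
"""


def parse_conns(text):
    """{conn_name: params} with conn %default merged into every conn.
    Comments are stripped; 'version' and 'config setup' are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # section header line
            parts = line.split()
            current = parts[1] if parts[0] == "conn" else None
            if current is not None:
                sections[current] = {}
            continue
        if current is not None:              # indented key=value line
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    default = sections.pop("%default", {})
    return {n: {**default, **p} for n, p in sections.items()}


def selectors(conn):
    """(left, right) networks; a missing subnet means the host itself."""
    left = ipaddress.ip_network(conn.get("leftsubnet", conn["left"] + "/32"))
    right = ipaddress.ip_network(conn.get("rightsubnet", conn["right"] + "/32"))
    return left, right


def classify_flow(conns, src, dst):
    """(conn_name, auto) for the first conn whose selectors cover src->dst
    in either direction; (None, None) if nothing covers it (plaintext)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, conn in conns.items():
        if conn.get("auto") == "ignore" or "left" not in conn:
            continue
        left, right = selectors(conn)
        if (src in left and dst in right) or (src in right and dst in left):
            return name, conn.get("auto", "ignore")
    return None, None


def report(conf_text, flows):
    """One line per flow naming the covering conn and its auto= setting."""
    conns = parse_conns(conf_text)
    out = []
    for src, dst in flows:
        name, auto = classify_flow(conns, src, dst)
        out.append(f"{src} -> {dst}: " + (f"conn {name} (auto={auto})" if name
                                            else "no conn, sent in the clear"))
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONF, [("194.170.30.1", "192.168.2.1"),
                                         ("194.170.30.1", "194.170.31.1")])))
```

Run as a script. For the posted config it reports west-east (auto=start) for the gateway-to-gateway ping and west-sunrise (auto=add) for the external-to-internal one, so only the former has a conn that Openswan initiates at startup. On the gateway itself, `ipsec auto --status` shows which conns are loaded and which have established SAs, and `ip xfrm policy` shows the selectors netkey actually has installed; comparing those against a capture taken on the middle router, rather than on a gateway, is the way to tell a netkey capture artifact from traffic that really leaves in the clear.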