[Openswan Users] question about conn host-to-host or host-to-network

Christophe LAUVERNIER christophe.lauvernier at wanadoo.fr
Mon Oct 6 08:15:35 EDT 2008


Hello,

I'm trying to make a tunnel between two Linux hosts on the same LAN (kernel 
2.6.26.5 and Openswan 2.6.16) with PSK.

192.168.42.154 -----------------192.168.42.254



My /etc/ipsec.conf on the host 192.168.42.254

conn client-to-concentrateur
        type=tunnel
        authby=secret
        pfs=no
        left=192.168.3.254              # left = local & right = remote
        leftsubnet=192.168.42.0/24
        right=%any                      # wildcard, don't know ip address
        rightid=192.168.3.71
        auto=add

conn linux-to-linux
        type=tunnel
        authby=secret
        pfs=yes
        left=192.168.42.254
        right=192.168.42.154
        auto=add


When I start the connection the tunnel seems to be up:
ipsec whack --status

000 "linux-to-linux":     myip=unset; hisip=unset;
000 "linux-to-linux":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "linux-to-linux":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "linux-to-linux":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "linux-to-linux":   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000
000 #2: "linux-to-linux":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 25138s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "linux-to-linux" esp.6e2045d2@192.168.42.154 esp.b7de7312@192.168.42.254 tun.0@192.168.42.154 tun.0@192.168.42.254 ref=0 refhim=4294901761
000 #1: "linux-to-linux":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 151s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000

but when I run "service ipsec status" there are no tunnels up:

[root@brennsecure etc]# service ipsec status
IPsec running  - pluto pid: 1277
pluto pid 1277
No tunnels up
[root@brennsecure etc]#

When I ping 192.168.42.154 from 192.168.42.254 I see ESP packets but also 
ICMP packets.

[root@brennsecure etc]# tcpdump -i eth0 -p esp or -p icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
20:03:51.223691 IP 192.168.42.154 > 192.168.42.254: ESP(spi=0xb7de7312,seq=0x1b), length 132
20:03:51.320544 IP 192.168.42.154 > 192.168.42.254: ICMP echo request, id 53517, seq 19, length 64
20:03:51.320600 IP 192.168.42.254 > 192.168.42.154: ESP(spi=0x6e2045d2,seq=0x1b), length 132
20:03:52.223686 IP 192.168.42.154 > 192.168.42.254: ESP(spi=0xb7de7312,seq=0x1c), length 132
20:03:52.223686 IP 192.168.42.154 > 192.168.42.254: ICMP echo request, id 53517, seq 20, length 64
20:03:52.223740 IP 192.168.42.254 > 192.168.42.154: ESP(spi=0x6e2045d2,seq=0x1c), length 132
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@brennsecure etc]#


I have the same thing when I start a tunnel from an XP client with 
Shrew Soft VPN (conn roadwarrior). The tunnel is up between the XP client 
and the VPN interface with IP 192.168.3.254 in order to access the 
LAN 192.168.42.0/24.

<client>192.168.42.200------------192.168.42.254<FIREWALL+CONCENTRATEURVPN>192.168.3.254--------192.168.3.100<windowsXP Client>

ESP packets are OK but there are ICMP echo requests too.


I have two questions:

Is the command "service ipsec status" always operational, or must I use 
"ipsec whack --status"?
Why does the ICMP echo request use the tunnel and the network interface too? 
What's wrong in my config?

Thanks
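An added check, not part of the original post or of Openswan: it parses tcpdump lines like the ones quoted above and separates cleartext packets that are only the decrypted copy of an inbound ESP packet (which the kernel's native IPsec stack, NETKEY/XFRM, shows a second time on the physical interface) from cleartext packets that actually crossed the wire unprotected. The capture text is constructed from the post's lines plus one extra echo-reply line; the local address and the 0.5 s matching window are assumptions.

```python
import re

# Constructed sample modelled on the tcpdump lines in the post; the final
# cleartext echo reply leaving the host is added to show what a miss looks like.
CAPTURE = """\
20:03:51.223691 IP 192.168.42.154 > 192.168.42.254: ESP(spi=0xb7de7312,seq=0x1b), length 132
20:03:51.320544 IP 192.168.42.154 > 192.168.42.254: ICMP echo request, id 53517, seq 19, length 64
20:03:51.320600 IP 192.168.42.254 > 192.168.42.154: ESP(spi=0x6e2045d2,seq=0x1b), length 132
20:03:52.223686 IP 192.168.42.154 > 192.168.42.254: ESP(spi=0xb7de7312,seq=0x1c), length 132
20:03:52.223686 IP 192.168.42.154 > 192.168.42.254: ICMP echo request, id 53517, seq 20, length 64
20:03:52.223740 IP 192.168.42.254 > 192.168.42.154: ESP(spi=0x6e2045d2,seq=0x1c), length 132
20:03:53.100000 IP 192.168.42.254 > 192.168.42.154: ICMP echo reply, id 53517, seq 20, length 64
"""

# tcpdump's default timestamp, then "IP src > dst: ESP(...)" or "IP src > dst: ICMP ..."
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP (\S+) > (\S+): (ESP|ICMP)\b")

def parse(capture):
    """Return (seconds since midnight, src, dst, is_esp, raw line) per matching line."""
    pkts = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, s, us = (int(x) for x in m.groups()[:4])
        pkts.append((h * 3600 + mi * 60 + s + us / 1e6, m.group(5), m.group(6), m.group(7) == "ESP", line))
    return pkts

def classify(capture, local_ip, window=0.5):
    """Separate benign decrypted copies from cleartext that crossed the wire.
    With NETKEY/XFRM, tcpdump on the physical interface shows an inbound packet
    twice (the ESP datagram, then its decrypted payload); outbound traffic under
    the policy is seen only as ESP. A cleartext packet is therefore expected only
    if it is inbound and a same-src/dst ESP packet arrived within `window` seconds."""
    pkts = parse(capture)
    esp = [(t, s, d) for t, s, d, is_esp, _ in pkts if is_esp]
    copies, unprotected = 0, []
    for t, s, d, is_esp, line in pkts:
        if is_esp:
            continue
        covered = any(s == es and d == ed and 0 <= t - et <= window for et, es, ed in esp)
        if d == local_ip and covered:
            copies += 1
        else:
            unprotected.append(line)
    return copies, unprotected

if __name__ == "__main__":
    copies, leaks = classify(CAPTURE, "192.168.42.254")  # local address is assumed
    print(f"{copies} decrypted copies, {len(leaks)} unprotected cleartext packet(s)", leaks)
```

Run against a real capture taken on the host, an empty second list means every cleartext packet seen was the kernel's decrypted copy of an ESP packet, not traffic bypassing the tunnel.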