[Openswan Users] VPN client IP addressing configuration issues
Rolando Zappacosta
zappacor at yahoo.com.ar
Thu Sep 4 06:09:41 EDT 2008
Hi all,
I'm trying to connect a laptop to an IPsec secured intranet through the internet:
LAPTOP <-> DSL ROUTER OR 3G USB DEVICE <=> INTERNET CLOUD <=> IPSEC VPN SERVER <-> INTRANET
where the DSL router and the 3G USB device public addresses get dynamically assigned by the respective ISPs while the IPSec VPN server one is fixed.
In a first stage I'd like to have all the laptop's outgoing traffic sent out through the IPsec tunnel, but once it's up I can see the ICMP packets destined for an IP address within the intranet being sent unencapsulated (not through the tunnel).
I googled a lot and tried several different configurations for left/rightsubnet, left/right, etc., but no luck.
How can I debug this or trace the packets flows?
How can I handle the fact that the DSL router and the USB stick public IP addresses are different and change (each time I connect, for the latter)?
My current configuration is:
******* ipsec.conf BEGIN *****
version 2.0
config setup
nat_traversal=yes
interfaces=%defaultroute
conn Intranet
ike=3des-sha1-modp1024
esp=3des-sha1
aggrmode=yes
xauth=yes
keyexchange=ike
keylife=24h
ikelifetime=24h
auth=esp
type=tunnel
authby=secret
# *********** This is for the PC (local):
left=<The 3G stick public IP address it gets each time>
leftxauthclient=yes
leftid="!@#$%"
# *********** This is for the GW (remote):
right=<The IPsec server public IP address>
rightxauthserver=yes
rightmodecfgserver=yes
pfs=no
#compress=no
auto=add
#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
******* ipsec.conf END *****
and this is the output for what I could debug:
******* ipsec verify BEGIN *****
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.13/K2.6.26-tuxonice (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
******* ipsec verify END *****
******* ipsec look BEGIN (connected by means of a 3G USB device though) *****
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.64.64.64 0.0.0.0 UG 0 0 0 ppp0
0.0.0.0 <The IPsec server public IP address> 0.0.0.0 UG 0 0 0 ppp0
10.64.64.64 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
<The IPsec server public IP address subnet> <The IPsec server public IP address> 255.0.0.0 UG 0 0 0 ppp0
<The IPsec server public IP address> 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
******* ipsec look END *****
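A quick way to answer the "how can I debug this" question above is to look at the kernel's XFRM policy database rather than the routing table: on a NETKEY stack, `ip xfrm policy show` lists the selectors that decide which packets are handed to ESP, and a destination with no matching `dir out` policy leaves the host in the clear. The script below is an added example written for this page, not code from the poster or from Openswan. It parses that output and reports whether a given source/destination pair would be tunnelled. `SAMPLE_POLICY` is constructed text in the shape of `ip xfrm policy show` output, using RFC 5737 documentation addresses (198.51.100.7 for the laptop, 203.0.113.1 for the VPN server) that stand in for the real ones; it deliberately contains only a host-to-host policy so that an intranet destination such as 10.1.2.3 shows up as untunnelled.

```python
"""Decide whether a packet would leave this host inside an IPsec tunnel.

Parses the text output of `ip xfrm policy show` (the kernel policy database
that Openswan/NETKEY installs) and looks for a `dir out` policy whose
selector covers the packet.  No matching outbound policy means the kernel
sends the packet unencapsulated.

Added example for this page; not the poster's code and not part of Openswan.
"""
import ipaddress
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, NOT captured from the poster's laptop.  Real output
# indents with tabs; the regexes below accept tabs or spaces.
SAMPLE_POLICY = """\
src 198.51.100.7/32 dst 203.0.113.1/32
    dir out priority 2344 ptype main
    tmpl src 198.51.100.7 dst 203.0.113.1
        proto esp reqid 16385 mode tunnel
src 203.0.113.1/32 dst 198.51.100.7/32
    dir in priority 2344 ptype main
    tmpl src 203.0.113.1 dst 198.51.100.7
        proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
"""


@dataclass
class XfrmPolicy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str                  # "in", "out", "fwd" or "socket"
    priority: int
    tmpl_mode: Optional[str] = None  # "tunnel"/"transport"; None if no template


SEL_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s*(dir|socket) (\w+) priority (\d+)")
TMPL_MODE_RE = re.compile(r"mode (\w+)")


def parse_xfrm_policy(text: str) -> List[XfrmPolicy]:
    """Turn `ip xfrm policy show` text into a list of XfrmPolicy records."""
    policies: List[XfrmPolicy] = []
    cur: Optional[XfrmPolicy] = None
    for line in text.splitlines():
        m = SEL_RE.match(line)          # unindented "src A dst B" starts a policy
        if m:
            cur = XfrmPolicy(
                ipaddress.ip_network(m.group(1), strict=False),
                ipaddress.ip_network(m.group(2), strict=False),
                "?", 0)
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = DIR_RE.match(line)          # "dir out priority N" / "socket out ..."
        if m:
            cur.direction = "socket" if m.group(1) == "socket" else m.group(2)
            cur.priority = int(m.group(3))
            continue
        m = TMPL_MODE_RE.search(line)   # "proto esp reqid N mode tunnel"
        if m and "proto" in line:
            cur.tmpl_mode = m.group(1)
    return policies


def outbound_policy_for(policies: List[XfrmPolicy], src_ip: str,
                        dst_ip: str) -> Optional[XfrmPolicy]:
    """Best-matching `dir out` policy for the pair, or None (lowest number wins)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    matches = [p for p in policies
               if p.direction == "out" and s in p.src and d in p.dst]
    return min(matches, key=lambda p: p.priority) if matches else None


def will_be_tunnelled(policy_text: str, src_ip: str, dst_ip: str) -> bool:
    """True only if an outbound policy with an ESP tunnel template covers the pair."""
    p = outbound_policy_for(parse_xfrm_policy(policy_text), src_ip, dst_ip)
    return p is not None and p.tmpl_mode == "tunnel"


if __name__ == "__main__":
    # Usage: ip xfrm policy show | python3 check_xfrm.py <src-ip> <dst-ip>
    # Without arguments the constructed sample is used.
    if len(sys.argv) == 3:
        text, src, dst = sys.stdin.read(), sys.argv[1], sys.argv[2]
    else:
        text, src, dst = SAMPLE_POLICY, "198.51.100.7", "10.1.2.3"
    verdict = "tunnelled" if will_be_tunnelled(text, src, dst) else "sent in the clear"
    print(f"{src} -> {dst}: {verdict}")
```

If the intranet destination comes back as "sent in the clear", the problem is the policy selectors, not routing, and the fix is on the Openswan side (the subnet the server hands out or the left/rightsubnet values), which is why tweaking the route table alone does not help. `ip xfrm state` shows the installed SAs, and `tcpdump -ni ppp0 esp or udp port 4500` shows what actually leaves the interface. For the changing local address, Openswan's documented setting is `left=%defaultroute`, which makes pluto pick up whatever address the default-route interface currently has instead of a hard-coded IP. One caveat on the configuration as posted: IKE aggressive mode with a pre-shared key sends a hash of that key in the clear during phase 1, so anyone who can capture the exchange can attack the PSK offline.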