[Openswan Users] two vpn route problem

Kosa Attila atkosa at mithrandir.hu
Tue Apr 21 11:35:58 EDT 2009


Hi,

----       ----           ----    ----
|1 |-------|2 |__ipsec0___| 3|----| 4|
|  |       |  |           |  |    |  |
----       ----           ----    ----
            |
            |            ----    ----
            |            | 5|    | 6|
            |___ipsec1___|  |----|  |
                         ----    ----

1 - linux PC
2 - linux firewall
3 - Cisco router
4 - unknown PC
5 - probably a linux firewall
6 - unknown PC

PC '1' is in the 192.168.0.0/16 network. PCs '4' and '6', and also
'3' and '5', have different class C addresses. From a routing
point of view, they are all on different networks (at least the
netmask size differs). In the ipsec.conf file, the 'nat_traversal'
parameter is yes.

The PC '2' linux firewall does SNAT to both ipsec networks. All
'outsider' PCs appear to have the IP 100.100.32.23 in the ipsec1
network and 123.36.97.2 on ipsec0. The ipsec0 network is on
eth1:4, ipsec1 is on eth1:1.

If I ping PC '4' from PC '1', it works fine, I get the ping
replies. If I start a telnet session from PC '1' to PC '6', the
first packet of the handshake goes to the right 'ipsec1'
interface, but the reply appears on the 'ipsec0' interface and
never reaches PC '1'. (PC '6' has only port 1521 open, hence
telnet, not ping.) In tcpdump I see that the reply from PC '6'
has 100.100.32.23 as destination IP (this is the SNAT address of PC
'1' towards PC '6'), so it should be directed towards PC '1', but
instead it appears on the ipsec0 interface.

Tcpdump runs on PC '2'. I can only access PC '1' and PC '2'.

If I exchange the two ipsec interfaces, the telnet works fine, and
the ping replies go to the wrong interface.

I tried to log all the packets going out on one interface
(-A FORWARD -o ipsec0 -j LOG --log-prefix "ipsec0 outgoing: ")
but the reply packets (which go to the wrong interface) didn't
get logged. Because of this I guess it also cannot put a mark on
the packets, and therefore I cannot use this to route them.

I found this similar problem with Google, but there is no
solution there: http://bugs.xelerance.com/view.php?id=540

PC '2' has Debian Etch installed with official kernel and
packages, so it has linux-image-2.6.18-6-686 and openswan
2.4.6+dfsg.2-1.1+etch1.

What should I read and from where to be able to solve the
problem?

-- 
		By
				    Zsiga
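The check the poster did by eye in tcpdump, as an added example that is not part of the original message: given per-interface captures from PC '2', flag any packet addressed to one of the firewall's SNAT addresses that shows up on an interface other than the one that address belongs to (asymmetric reply). The capture lines and the 10.x peer addresses are constructed; only the two SNAT addresses and interface names come from the post.

```python
import re

# From the post: the SNAT address PC '2' presents on each IPsec interface.
# A reply to one of these addresses should arrive on that same interface.
SNAT_IFACE = {
    "100.100.32.23": "ipsec1",
    "123.36.97.2": "ipsec0",
}

# Constructed sample: each line is "<iface> " followed by the tcpdump
# "IP src.port > dst.port: ..." text from a capture on that interface.
# Peer addresses 10.6.6.6 (PC '6') and 10.4.4.4 (PC '4') are made up.
SAMPLE_CAPTURE = """\
ipsec1 IP 100.100.32.23.40321 > 10.6.6.6.1521: Flags [S], seq 1
ipsec0 IP 10.6.6.6.1521 > 100.100.32.23.40321: Flags [S.], seq 1, ack 2
ipsec0 IP 123.36.97.2 > 10.4.4.4: ICMP echo request, id 1, seq 1
ipsec0 IP 10.4.4.4 > 123.36.97.2: ICMP echo reply, id 1, seq 1
"""

# Interface, then IPv4 src and dst with an optional ".port" suffix.
LINE_RE = re.compile(
    r"^(?P<iface>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)


def find_misrouted(capture, snat_iface=SNAT_IFACE):
    """Return (iface_seen, iface_expected, src, dst) for every packet
    whose destination is one of our SNAT addresses but which appears on
    an interface other than the one that address belongs to."""
    misrouted = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a packet line we understand
        iface, src, dst = m.group("iface", "src", "dst")
        expected = snat_iface.get(dst)
        if expected is not None and expected != iface:
            misrouted.append((iface, expected, src, dst))
    return misrouted


if __name__ == "__main__":
    for seen, expected, src, dst in find_misrouted(SAMPLE_CAPTURE):
        print(f"reply {src} -> {dst} seen on {seen}, expected {expected}")
```

In the sample, only the SYN-ACK from PC '6' is reported: it is addressed to the ipsec1 SNAT address but was captured on ipsec0, while the ICMP exchange with PC '4' stays on ipsec0 as it should.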

