[Openswan Users] CentOS/OpenSwan to Draytek site-to-site VPN routing problem

Simon Buckner Simon at onebyte.net
Wed Aug 12 07:58:36 EDT 2009


Hi,

I hope someone can help. I'm trying to get a site-to-site VPN going
between a Draytek router and a CentOS 5.2/OpenSwan/Shorewall firewall.

The VPN establishes itself OK. The VPN shows a connection and shows
packets being transmitted down the VPN from the Draytek to the CentOS
box. However, no packets return.

Here are the messages from /var/log/secure:

Aug 11 16:27:52 fw pluto[11226]: "onebyte" #6: responding to Main Mode
Aug 11 16:27:52 fw pluto[11226]: "onebyte" #6: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 11 16:27:52 fw pluto[11226]: "onebyte" #6: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 11 16:27:52 fw pluto[11226]: "onebyte" #6: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 11 16:27:52 fw pluto[11226]: "onebyte" #6: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 11 16:27:53 fw pluto[11226]: "onebyte" #6: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Aug 11 16:27:53 fw pluto[11226]: "onebyte" #6: Main mode peer ID is ID_IPV4_ADDR: 'RRR.RRR.RRR.RRR'
Aug 11 16:27:53 fw pluto[11226]: "onebyte" #6: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 11 16:27:53 fw pluto[11226]: "onebyte" #6: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Aug 11 16:27:53 fw pluto[11226]: "onebyte" #6: the peer proposed: 10.27.0.0/24:0/0 -> 10.0.14.0/24:0/0
Aug 11 16:27:53 fw pluto[11226]: "onebyte" #6: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_ar in duplicate_state, please report to dev at openswan.org
Aug 11 16:27:53 fw pluto[11226]: "onebyte" #6: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_er in duplicate_state, please report to dev at openswan.org
Aug 11 16:27:53 fw pluto[11226]: "onebyte" #6: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pi in duplicate_state, please report to dev at openswan.org
Aug 11 16:27:53 fw pluto[11226]: "onebyte" #6: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pr in duplicate_state, please report to dev at openswan.org
Aug 11 16:27:53 fw pluto[11226]: "onebyte" #7: responding to Quick Mode proposal {msgid:6dac2b2a}
Aug 11 16:27:53 fw pluto[11226]: "onebyte" #7:     us: 10.27.0.0/24===LLL.LLL.LLL.LLL< LLL.LLL.LLL.LLL >[+S=C]
Aug 11 16:27:53 fw pluto[11226]: "onebyte" #7:   them: RRR.RRR.RRR.RRR < RRR.RRR.RRR.RRR >[+S=C]===10.0.14.0/24
Aug 11 16:27:53 fw pluto[11226]: "onebyte" #7: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 11 16:27:53 fw pluto[11226]: "onebyte" #7: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 11 16:27:54 fw pluto[11226]: "onebyte" #7: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 11 16:27:54 fw pluto[11226]: "onebyte" #7: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x7bad136b <0xde297880 xfrm=3DES_0-HMAC_SHA1 NATOA=<invalid> NATD=<invalid>:500 DPD=enabled}

As I stated above, if I try to access anything in the left subnet
(10.27.0.0) from the right subnet (10.0.14.0), I can see the TX packet
count increase on the Draytek but not the RX count.

I'm not sure what information to attach to help resolve this problem.
Please let me know and I will provide it for you.

Thanks

Simon
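The pluto messages above show Phase 1 (ISAKMP SA) and Phase 2 (IPsec SA) both completing, with the traffic selectors agreed, which is the first thing to confirm before looking at routing or Shorewall rules. As an added example (not code from the original post or from the Openswan project), here is a small triage script that pulls those facts out of pluto log lines; the sample lines are constructed from the post, and the list of algorithms it flags as weak is this example's own assumption, not an Openswan setting.

```python
import re

# Constructed sample lines, modelled on the pluto messages in the post above (addresses masked as there).
SAMPLE_LOG = """\
Aug 11 16:27:53 fw pluto[11226]: "onebyte" #6: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Aug 11 16:27:53 fw pluto[11226]: "onebyte" #6: the peer proposed: 10.27.0.0/24:0/0 -> 10.0.14.0/24:0/0
Aug 11 16:27:53 fw pluto[11226]: "onebyte" #6: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_ar in duplicate_state, please report to dev at openswan.org
Aug 11 16:27:54 fw pluto[11226]: "onebyte" #7: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x7bad136b <0xde297880 xfrm=3DES_0-HMAC_SHA1 NATOA=<invalid> NATD=<invalid>:500 DPD=enabled}
"""

PLUTO_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)')
ISAKMP_RE = re.compile(r"ISAKMP SA established \{(?P<params>[^}]*)\}")
IPSEC_RE = re.compile(r"IPsec SA established (?P<mode>\w+) mode \{(?P<params>[^}]*)\}")
SPI_RE = re.compile(r"ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)")  # outbound SPI, then inbound
PROPOSED_RE = re.compile(r"the peer proposed: (?P<left>[^:\s]+):\S+ -> (?P<right>[^:\s]+):\S+")

# Algorithms a reviewer today would flag; an assumption of this example, not an Openswan setting.
WEAK_ALGS = ("3des", "modp1024", "sha1", "md5")

def kv_pairs(params):
    """Parse 'auth=X cipher=Y ...' into a dict; the 'ESP=>spi <spi' pair is left to SPI_RE."""
    return dict(tok.split("=", 1) for tok in params.split() if "=" in tok and "=>" not in tok)

def summarize(log):
    """Reduce a pluto log to connection name, Phase 1/2 parameters, selectors and warnings."""
    s = {"conn": None, "phase1": None, "phase2": None, "selectors": None, "warnings": []}
    for m in filter(None, map(PLUTO_RE.search, log.splitlines())):
        s["conn"], msg = m.group("conn"), m.group("msg")
        if (p := ISAKMP_RE.search(msg)):
            s["phase1"] = kv_pairs(p.group("params"))
        elif (p := IPSEC_RE.search(msg)):
            spi = SPI_RE.search(p.group("params"))
            s["phase2"] = {"mode": p.group("mode"), "spi_out": spi.group(1),
                           "spi_in": spi.group(2), **kv_pairs(p.group("params"))}
        elif (p := PROPOSED_RE.search(msg)):
            s["selectors"] = (p.group("left"), p.group("right"))
        elif "mistakenly asked to malloc" in msg:  # pluto itself asks for these to be reported
            s["warnings"].append(msg.split(",")[0])
    # Both SAs up and selectors agreed: the next thing to check is routing/firewall, not IKE.
    s["ike_complete"] = bool(s["phase1"] and s["phase2"] and s["selectors"])
    return s

def weak_algorithms(summary):
    """Negotiated parameters matching WEAK_ALGS, in log order (Phase 1, then Phase 2)."""
    return [f"{k}={v}" for phase in ("phase1", "phase2")
            for k, v in (summary[phase] or {}).items()
            if any(w in v.lower() for w in WEAK_ALGS)]
```

Run it over the real /var/log/secure extract with `summarize(open("/var/log/secure").read())`; an `ike_complete` of True with one-way traffic means the tunnel is negotiated and the packets are being lost after decryption, on the routing or firewall side.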

