[Openswan Users] Problem in site 2 site communication

Pascal Fuks pascal at financial-art.be
Fri Aug 21 02:08:23 EDT 2009 

Hello,
I do have a configuration with a centralsite (call it AS with public IP
4.2.3.226 on eth4 and 172.16.254.65 on eth5(public MPLS network)) that
connect (without problem) to 6 sites.
I¹d like to have all sites communicating together, through central site
tunnels
Each site can communicate with the central site networks, but is not able to
communicate with other sites.
When tracerouting from distant site RUNGIS client to distant site IER, we
see packets trying to go outside through the 4.2.3.226 (Public IP)
address...
Any idea / question are welcome ;-)

Here are my ip addresses:
[root at bemersfw01 ipsec.d]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen
1000
    inet 172.16.0.66/24 brd 172.16.0.255 scope global eth0
    inet 172.16.222.66/24 brd 172.16.222.255 scope global eth0:1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen
1000
    inet 10.10.1.126/24 brd 10.10.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen
1000
    link/ether 00:1b:21:3f:e1:e5 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.66/24 brd 192.168.0.255 scope global eth3
6: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen
1000
    inet 4.2.3.226/27 brd 194.78.61.255 scope global eth4
    inet 4.2.3.227/27 brd 194.78.61.255 scope global secondary eth4:227
    inet 4.2.3.228/27 brd 194.78.61.255 scope global secondary eth4:228
    inet 4.2.3.229/27 brd 194.78.61.255 scope global secondary eth4:229
    inet 4.2.3.230/27 brd 194.78.61.255 scope global secondary eth4:230
    inet 4.2.3.242/27 brd 194.78.61.255 scope global secondary eth4:242
    inet 4.2.3.243/27 brd 194.78.61.255 scope global secondary eth4:243
    inet 4.2.3.244/27 brd 194.78.61.255 scope global secondary eth4:244
    inet 4.2.3.245/27 brd 194.78.61.255 scope global secondary eth4:245
7: eth5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen
1000
    link/ether 00:1b:21:3f:ee:69 brd ff:ff:ff:ff:ff:ff
    inet 172.16.254.65/24 brd 172.16.254.255 scope global eth5
8: eth6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen
1000
    inet 172.20.0.66/24 brd 172.20.0.255 scope global eth6
9: eth7: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
10: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0


Here is my ipsec.conf file :

config setup
    # Debug-logging controls:  "none" for (almost) none, "all" for lots.
     klipsdebug=none
    plutodebug=none
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    plutowait=no

    interfaces="ipsec0=eth5 ipsec1=eth4"
    protostack=netkey
    nat_traversal=yes

include /etc/ipsec.d/*.conf


In ipsec.d we have the following files :
-rw-r--r-- 1 root root  793 Aug  9 07:08 aix.conf
-rw-r--r-- 1 root root  150 Aug  9 06:53 aix.secrets
-rw-r--r-- 1 root root  884 Aug  9 07:11 blyes.conf
-rw-r--r-- 1 root root   55 Aug  9 06:09 blyes.secrets
-rw-r--r-- 1 root root  354 Aug  8 15:46 canada.conf
-rw-r--r-- 1 root root   47 Aug  8 16:58 canada.secrets
-rw-r--r-- 1 root root  805 Aug 13 15:38 ier.conf
-rw-r--r-- 1 root root   49 Aug 12 18:19 ier.secrets
-rw-r--r-- 1 root root  880 Aug  9 08:31 nyc.conf
-rw-r--r-- 1 root root   46 Aug  9 07:52 nyc.secrets
-rw-r--r-- 1 root root  921 Aug 13 12:38 rungis.conf
-rw-r--r-- 1 root root   47 Aug  9 05:31 rungis.secrets

And here are 2 configs files (say if you need more)
Rungis.conf
----------------
conn Rungis1
   leftsubnet=172.16.0.0/23
   also=Rungis

conn Rungis2
    leftsubnet=172.24.0.0/16
    also=Rungis
 
conn Rungis3
    leftsubnet=212.155.183.226/32
    also=Rungis
 
conn Rungis4
     leftsubnet=10.123.32.0/24
     also=Rungis
  
conn Rungis5
   leftsubnet=172.16.3.0/24
   also=Rungis
 
conn Rungis6
   leftsubnet=172.16.4.0/24
   also=Rungis

conn Rungis7
   leftsubnet=172.16.222.0/24
   also=Rungis

conn Rungis8
   leftsubnet=172.16.30.0/24
   also=Rungis

conn Rungis9
   leftsubnet=172.16.40.0/24
   also=Rungis
 
conn Rungis10
   leftsubnet=172.16.5.0/24
   also=Rungis

conn Rungis
   authby=secret
   pfs=no
   auto=start
   keyingtries=3
   disablearrivalcheck=no
   keyexchange=ike
   ikelifetime=240m
   type=tunnel
   auth=esp
   compress=no
   keylife=60m
   right=4.4.3.21
   rightsubnet=172.16.10.0/24
   rightnexthop=4.4.3.22
   left=4.2.3.226
   leftnexthop=4.2.3.254


IER.conf
------------
conn IERB
   leftsubnet=172.16.0.0/24
   rightsubnet=172.24.0.0/18
   also=IER

conn IERF
   leftsubnet=172.16.10.0/24
   rightsubnet=172.24.0.0/18
   also=IER

conn BOLLOREB
   leftsubnet=172.16.0.0/24
   rightsubnet=10.128.0.0/11
   also=IER

conn BOLLOREF
   leftsubnet=172.16.10.0/24
   rightsubnet=10.128.0.0/11
   also=IER

conn BOLLOREB1
   leftsubnet=172.16.0.0/24
   rightsubnet=10.123.0.0/16
   also=IER

conn BOLLOREF1
   leftsubnet=172.16.10.0/24
   rightsubnet=10.123.0.0/16
   also=IER

conn IER
   authby=secret
   pfs=yes
   auto=start
   keyingtries=3
   disablearrivalcheck=no
   keyexchange=ike
   ikelifetime=86400s
   type=tunnel
   auth=esp
   compress=no
   keylife=14400s
   right=4.3.3.20
   left=4.2.3.226
   leftnexthop=4.2.3.254
   esp=aes128-sha1
   ike=3des-sha



---
Pascal Fuks
Network & Security Consultant - CEO

Financial Art S.A.
Rue des Pâquerettes 12
Braine-l'Alleud, B 1420 Belgium
http://www.financial-art.be

Work: +32 2 387 0800
Mobile: +32 475 26 8902
Fax: +32 2 387 0706
Email: Pascal at financial-art.be
IM: pascal at financial-art (MSN)

Before printing, think if it's really necessary and think in the environment
impact


"This e-mail and any attachment thereto may contain information which is confidential and/or protected by intellectual property rights and are intended for the sole use of the recipient(s) named above. 

Any use of the information contained herein (including, but not limited to, total or partial reproduction, communication or distribution in any form) by other persons than the designated recipient(s) is prohibited. 
If you have received this e-mail in error, please notify the sender either by telephone or by e-mail and delete the material from any computer".
Thank you for your cooperation. 



-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20090821/7350773b/attachment-0001.html

More information about the Users mailing list