[Openswan Users] Problem in site 2 site communication

Paul Wouters paul at xelerance.com
Fri Aug 21 10:01:33 EDT 2009


On Fri, 21 Aug 2009, Pascal Fuks wrote:

> I do have a configuration with a centralsite (call it AS with public IP 4.2.3.226 on eth4 and 172.16.254.65
> on eth5(public MPLS network)) that connect (without problem) to 6 sites.
> I’d like to have all sites communicating together, through central site tunnels
> Each site can communicate with the central site networks, but is not able to communicate with other sites.
> When tracerouting from distant site RUNGIS client to distant site IER, we see packets trying to go outside
> through the 4.2.3.226 (Public IP) address...

If you are using netkey, you might need to add passthrough connections, as
netkey policies are not based on 'most specific route first'. So tunnels
from 10.0.0.0/8 to 10.1.2.0/24 do not work as expected. The /etc/ipsec.d/examples
directory should have a passthrough example.

Other then that, also check your firewalls for dropping RFC1918 address,
and verify you are not NAT'ing anything destined for an IPsec tunnel.

Using traceroute has very limited value, as the entire tunnel is 1 hop, and
often does not use the internal but external ip address, bypassing most
subnet tunnel definitions.

Paul

> 
> Here are my ip addresses:
> [root at bemersfw01 ipsec.d]# ip addr show
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     inet 172.16.0.66/24 brd 172.16.0.255 scope global eth0
>     inet 172.16.222.66/24 brd 172.16.222.255 scope global eth0:1
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     inet 10.10.1.126/24 brd 10.10.1.255 scope global eth1
> 4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
> 5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:1b:21:3f:e1:e5 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.0.66/24 brd 192.168.0.255 scope global eth3
> 6: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     inet 4.2.3.226/27 brd 194.78.61.255 scope global eth4
>     inet 4.2.3.227/27 brd 194.78.61.255 scope global secondary eth4:227
>     inet 4.2.3.228/27 brd 194.78.61.255 scope global secondary eth4:228
>     inet 4.2.3.229/27 brd 194.78.61.255 scope global secondary eth4:229
>     inet 4.2.3.230/27 brd 194.78.61.255 scope global secondary eth4:230
>     inet 4.2.3.242/27 brd 194.78.61.255 scope global secondary eth4:242
>     inet 4.2.3.243/27 brd 194.78.61.255 scope global secondary eth4:243
>     inet 4.2.3.244/27 brd 194.78.61.255 scope global secondary eth4:244
>     inet 4.2.3.245/27 brd 194.78.61.255 scope global secondary eth4:245
> 7: eth5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:1b:21:3f:ee:69 brd ff:ff:ff:ff:ff:ff
>     inet 172.16.254.65/24 brd 172.16.254.255 scope global eth5
> 8: eth6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     inet 172.20.0.66/24 brd 172.20.0.255 scope global eth6
> 9: eth7: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
> 10: sit0: <NOARP> mtu 1480 qdisc noop
>     link/sit 0.0.0.0 brd 0.0.0.0
> 
> 
> Here is my ipsec.conf file :
> 
> config setup
>     # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>      klipsdebug=none
>     plutodebug=none
>     # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
>     plutowait=no
> 
>     interfaces="ipsec0=eth5 ipsec1=eth4"
>     protostack=netkey
>     nat_traversal=yes
> 
> include /etc/ipsec.d/*.conf
> 
> 
> In ipsec.d we have the following files :
> -rw-r--r-- 1 root root  793 Aug  9 07:08 aix.conf
> -rw-r--r-- 1 root root  150 Aug  9 06:53 aix.secrets
> -rw-r--r-- 1 root root  884 Aug  9 07:11 blyes.conf
> -rw-r--r-- 1 root root   55 Aug  9 06:09 blyes.secrets
> -rw-r--r-- 1 root root  354 Aug  8 15:46 canada.conf
> -rw-r--r-- 1 root root   47 Aug  8 16:58 canada.secrets
> -rw-r--r-- 1 root root  805 Aug 13 15:38 ier.conf
> -rw-r--r-- 1 root root   49 Aug 12 18:19 ier.secrets
> -rw-r--r-- 1 root root  880 Aug  9 08:31 nyc.conf
> -rw-r--r-- 1 root root   46 Aug  9 07:52 nyc.secrets
> -rw-r--r-- 1 root root  921 Aug 13 12:38 rungis.conf
> -rw-r--r-- 1 root root   47 Aug  9 05:31 rungis.secrets
> 
> And here are 2 configs files (say if you need more)
> Rungis.conf
> ----------------
> conn Rungis1
>    leftsubnet=172.16.0.0/23
>    also=Rungis
> 
> conn Rungis2
>     leftsubnet=172.24.0.0/16
>     also=Rungis
>  
> conn Rungis3
>     leftsubnet=212.155.183.226/32
>     also=Rungis
>  
> conn Rungis4
>      leftsubnet=10.123.32.0/24
>      also=Rungis
>   
> conn Rungis5
>    leftsubnet=172.16.3.0/24
>    also=Rungis
>  
> conn Rungis6
>    leftsubnet=172.16.4.0/24
>    also=Rungis
> 
> conn Rungis7
>    leftsubnet=172.16.222.0/24
>    also=Rungis
> 
> conn Rungis8
>    leftsubnet=172.16.30.0/24
>    also=Rungis
> 
> conn Rungis9
>    leftsubnet=172.16.40.0/24
>    also=Rungis
>  
> conn Rungis10
>    leftsubnet=172.16.5.0/24
>    also=Rungis
> 
> conn Rungis
>    authby=secret
>    pfs=no
>    auto=start
>    keyingtries=3
>    disablearrivalcheck=no
>    keyexchange=ike
>    ikelifetime=240m
>    type=tunnel
>    auth=esp
>    compress=no
>    keylife=60m
>    right=4.4.3.21
>    rightsubnet=172.16.10.0/24
>    rightnexthop=4.4.3.22
>    left=4.2.3.226
>    leftnexthop=4.2.3.254
> 
> 
> IER.conf
> ------------
> conn IERB
>    leftsubnet=172.16.0.0/24
>    rightsubnet=172.24.0.0/18
>    also=IER
> 
> conn IERF
>    leftsubnet=172.16.10.0/24
>    rightsubnet=172.24.0.0/18
>    also=IER
> 
> conn BOLLOREB
>    leftsubnet=172.16.0.0/24
>    rightsubnet=10.128.0.0/11
>    also=IER
> 
> conn BOLLOREF
>    leftsubnet=172.16.10.0/24
>    rightsubnet=10.128.0.0/11
>    also=IER
> 
> conn BOLLOREB1
>    leftsubnet=172.16.0.0/24
>    rightsubnet=10.123.0.0/16
>    also=IER
> 
> conn BOLLOREF1
>    leftsubnet=172.16.10.0/24
>    rightsubnet=10.123.0.0/16
>    also=IER
> 
> conn IER
>    authby=secret
>    pfs=yes
>    auto=start
>    keyingtries=3
>    disablearrivalcheck=no
>    keyexchange=ike
>    ikelifetime=86400s
>    type=tunnel
>    auth=esp
>    compress=no
>    keylife=14400s
>    right=4.3.3.20
>    left=4.2.3.226
>    leftnexthop=4.2.3.254
>    esp=aes128-sha1
>    ike=3des-sha
> 
> 
> 
> ---
> Pascal Fuks
> Network & Security Consultant - CEO
> 
> Financial Art S.A.
> Rue des Pâquerettes 12
> Braine-l'Alleud, B 1420 Belgium
> http://www.financial-art.be
> 
> Work: +32 2 387 0800
> Mobile: +32 475 26 8902
> Fax: +32 2 387 0706
> Email: Pascal at financial-art.be
> IM: pascal at financial-art (MSN)
> 
> Before printing, think if it's really necessary and think in the environment impact
> 
> "This e-mail and any attachment thereto may contain information which is confidential and/or protected by
> intellectual property rights and are intended for the sole use of the recipient(s) named above.
> Any use of the information contained herein (including, but not limited to, total or partial reproduction,
> communication or distribution in any form) by other persons than the designated recipient(s) is prohibited.
> If you have received this e-mail in error, please notify the sender either by telephone or by e-mail and
> delete the material from any computer".
> 
> Thank you for your cooperation.
> 
> 
>


More information about the Users mailing list