[Openswan Users] Problem in site 2 site communication
Pascal Fuks
pascal at financial-art.be
Tue Aug 25 02:21:50 EDT 2009
Hi Paul,
Thanks for your answer. Is KLIPS more careful about the specificity of routes (I
do prefer to stick with NetKey, but if needed...)?
I was using traceroute just to show evidence of wrong behaviour of the
tunnel ;-)
If having:
10.16.3.0/24 --OpenSwanA---Internet---OpenSwanB----10.16.0.0/24
                               |
                               |
                           OpenSwanC---10.16.30.0/24
OpenSwanA opens tunnels to OpenSwanB, and OpenSwanC opens tunnels to
OpenSwanB (B is the central site). Should I create the passthrough
connection in B specifying 10.16.3.0/24 (leftsubnet) and 10.16.30.0/24
(rightsubnet)?
In this case, what address is right (the internal IP of OpenSwanA???) and
what address is left?
What address should I set up on RightNextHop and LeftNextHop?
Regards
---
Pascal Fuks
Network & Security Consultant - CEO
Financial Art S.A.
Rue des Pâquerettes 12
Braine-l'Alleud, B 1420 Belgium
http://www.financial-art.be
Work: +32 2 387 0800
Mobile: +32 475 26 8902
Fax: +32 2 387 0706
Email: Pascal at financial-art.be
IM: pascal at financial-art (MSN)
Before printing, think if it's really necessary and think of the environmental
impact
> From: Paul Wouters <paul at xelerance.com>
> Reply-To: <paul at xelerance.com>
> Date: Fri, 21 Aug 2009 10:01:33 -0400 (EDT)
> To: Pascal Fuks <pascal at financial-art.be>
> Cc: <users at openswan.org>
> Subject: Re: [Openswan Users] Problem in site 2 site communication
>
> On Fri, 21 Aug 2009, Pascal Fuks wrote:
>
>> I do have a configuration with a central site (call it AS with public IP
>> 4.2.3.226 on eth4 and 172.16.254.65
>> on eth5 (public MPLS network)) that connects (without problem) to 6 sites.
>> I'd like to have all sites communicating together, through central site
>> tunnels.
>> Each site can communicate with the central site networks, but is not able to
>> communicate with other sites.
>> When tracerouting from distant site RUNGIS client to distant site IER, we see
>> packets trying to go outside
>> through the 4.2.3.226 (Public IP) address...
>
> If you are using netkey, you might need to add passthrough connections, as
> netkey policies are not based on 'most specific route first'. So tunnels
> from 10.0.0.0/8 to 10.1.2.0/24 do not work as expected. The
> /etc/ipsec.d/examples directory should have a passthrough example.
>
> Other than that, also check your firewalls for dropping RFC1918 addresses,
> and verify you are not NAT'ing anything destined for an IPsec tunnel.
>
> Using traceroute has very limited value, as the entire tunnel is 1 hop, and
> often does not use the internal but external ip address, bypassing most
> subnet tunnel definitions.
>
> Paul
>
>>
>> Here are my ip addresses:
>> [root at bemersfw01 ipsec.d]# ip addr show
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen
>> 1000
>> inet 172.16.0.66/24 brd 172.16.0.255 scope global eth0
>> inet 172.16.222.66/24 brd 172.16.222.255 scope global eth0:1
>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen
>> 1000
>> inet 10.10.1.126/24 brd 10.10.1.255 scope global eth1
>> 4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
>> 5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen
>> 1000
>> link/ether 00:1b:21:3f:e1:e5 brd ff:ff:ff:ff:ff:ff
>> inet 192.168.0.66/24 brd 192.168.0.255 scope global eth3
>> 6: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen
>> 1000
>> inet 4.2.3.226/27 brd 194.78.61.255 scope global eth4
>> inet 4.2.3.227/27 brd 194.78.61.255 scope global secondary eth4:227
>> inet 4.2.3.228/27 brd 194.78.61.255 scope global secondary eth4:228
>> inet 4.2.3.229/27 brd 194.78.61.255 scope global secondary eth4:229
>> inet 4.2.3.230/27 brd 194.78.61.255 scope global secondary eth4:230
>> inet 4.2.3.242/27 brd 194.78.61.255 scope global secondary eth4:242
>> inet 4.2.3.243/27 brd 194.78.61.255 scope global secondary eth4:243
>> inet 4.2.3.244/27 brd 194.78.61.255 scope global secondary eth4:244
>> inet 4.2.3.245/27 brd 194.78.61.255 scope global secondary eth4:245
>> 7: eth5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen
>> 1000
>> link/ether 00:1b:21:3f:ee:69 brd ff:ff:ff:ff:ff:ff
>> inet 172.16.254.65/24 brd 172.16.254.255 scope global eth5
>> 8: eth6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen
>> 1000
>> inet 172.20.0.66/24 brd 172.20.0.255 scope global eth6
>> 9: eth7: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
>> 10: sit0: <NOARP> mtu 1480 qdisc noop
>> link/sit 0.0.0.0 brd 0.0.0.0
>>
>>
>> Here is my ipsec.conf file :
>>
>> config setup
>>     # Debug-logging controls: "none" for (almost) none, "all" for lots.
>>     klipsdebug=none
>>     plutodebug=none
>>     # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
>>     plutowait=no
>>
>>     interfaces="ipsec0=eth5 ipsec1=eth4"
>>     protostack=netkey
>>     nat_traversal=yes
>>
>> include /etc/ipsec.d/*.conf
>>
>>
>> In ipsec.d we have the following files :
>> -rw-r--r-- 1 root root 793 Aug 9 07:08 aix.conf
>> -rw-r--r-- 1 root root 150 Aug 9 06:53 aix.secrets
>> -rw-r--r-- 1 root root 884 Aug 9 07:11 blyes.conf
>> -rw-r--r-- 1 root root 55 Aug 9 06:09 blyes.secrets
>> -rw-r--r-- 1 root root 354 Aug 8 15:46 canada.conf
>> -rw-r--r-- 1 root root 47 Aug 8 16:58 canada.secrets
>> -rw-r--r-- 1 root root 805 Aug 13 15:38 ier.conf
>> -rw-r--r-- 1 root root 49 Aug 12 18:19 ier.secrets
>> -rw-r--r-- 1 root root 880 Aug 9 08:31 nyc.conf
>> -rw-r--r-- 1 root root 46 Aug 9 07:52 nyc.secrets
>> -rw-r--r-- 1 root root 921 Aug 13 12:38 rungis.conf
>> -rw-r--r-- 1 root root 47 Aug 9 05:31 rungis.secrets
>>
>> And here are 2 configs files (say if you need more)
>> Rungis.conf
>> ----------------
>> conn Rungis1
>>     leftsubnet=172.16.0.0/23
>>     also=Rungis
>>
>> conn Rungis2
>>     leftsubnet=172.24.0.0/16
>>     also=Rungis
>>
>> conn Rungis3
>>     leftsubnet=212.155.183.226/32
>>     also=Rungis
>>
>> conn Rungis4
>>     leftsubnet=10.123.32.0/24
>>     also=Rungis
>>
>> conn Rungis5
>>     leftsubnet=172.16.3.0/24
>>     also=Rungis
>>
>> conn Rungis6
>>     leftsubnet=172.16.4.0/24
>>     also=Rungis
>>
>> conn Rungis7
>>     leftsubnet=172.16.222.0/24
>>     also=Rungis
>>
>> conn Rungis8
>>     leftsubnet=172.16.30.0/24
>>     also=Rungis
>>
>> conn Rungis9
>>     leftsubnet=172.16.40.0/24
>>     also=Rungis
>>
>> conn Rungis10
>>     leftsubnet=172.16.5.0/24
>>     also=Rungis
>>
>> conn Rungis
>>     authby=secret
>>     pfs=no
>>     auto=start
>>     keyingtries=3
>>     disablearrivalcheck=no
>>     keyexchange=ike
>>     ikelifetime=240m
>>     type=tunnel
>>     auth=esp
>>     compress=no
>>     keylife=60m
>>     right=4.4.3.21
>>     rightsubnet=172.16.10.0/24
>>     rightnexthop=4.4.3.22
>>     left=4.2.3.226
>>     leftnexthop=4.2.3.254
>>
>>
>> IER.conf
>> ------------
>> conn IERB
>>     leftsubnet=172.16.0.0/24
>>     rightsubnet=172.24.0.0/18
>>     also=IER
>>
>> conn IERF
>>     leftsubnet=172.16.10.0/24
>>     rightsubnet=172.24.0.0/18
>>     also=IER
>>
>> conn BOLLOREB
>>     leftsubnet=172.16.0.0/24
>>     rightsubnet=10.128.0.0/11
>>     also=IER
>>
>> conn BOLLOREF
>>     leftsubnet=172.16.10.0/24
>>     rightsubnet=10.128.0.0/11
>>     also=IER
>>
>> conn BOLLOREB1
>>     leftsubnet=172.16.0.0/24
>>     rightsubnet=10.123.0.0/16
>>     also=IER
>>
>> conn BOLLOREF1
>>     leftsubnet=172.16.10.0/24
>>     rightsubnet=10.123.0.0/16
>>     also=IER
>>
>> conn IER
>>     authby=secret
>>     pfs=yes
>>     auto=start
>>     keyingtries=3
>>     disablearrivalcheck=no
>>     keyexchange=ike
>>     ikelifetime=86400s
>>     type=tunnel
>>     auth=esp
>>     compress=no
>>     keylife=14400s
>>     right=4.3.3.20
>>     left=4.2.3.226
>>     leftnexthop=4.2.3.254
>>     esp=aes128-sha1
>>     ike=3des-sha
>>
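An added illustration of the passthrough arrangement Paul describes, written by the editor and not taken from either message in this thread or from the examples shipped with Openswan. It uses Paul's own figures: a tunnel whose remote selector is the whole of 10.0.0.0/8, and a narrower 10.1.2.0/24 that must stay out of that tunnel. With protostack=netkey the kernel does not give the narrower selector precedence on its own, so the bypass is declared as a separate connection with type=passthrough, authby=never and auto=route (the Openswan keywords for a connection that installs a policy without negotiating anything). The gateway addresses, the local 172.16.0.0/24 subnet, the right=0.0.0.0 value on the passthrough and both conn names are placeholders chosen for the example.

```ini
# Added example (not from the thread): an explicit bypass for a subnet
# that a broader netkey tunnel would otherwise capture.
# 203.0.113.10, 198.51.100.20, 172.16.0.0/24 and the conn names are
# placeholders; 10.0.0.0/8 and 10.1.2.0/24 are the figures from the reply.

conn wide-tunnel
    # Everything in 10.0.0.0/8 behind the peer is sent through the tunnel.
    left=203.0.113.10
    leftsubnet=172.16.0.0/24
    right=198.51.100.20
    rightsubnet=10.0.0.0/8
    authby=secret
    type=tunnel
    auto=start

conn bypass-10-1-2
    # 10.1.2.0/24 is reachable without IPsec. Because netkey does not
    # apply "most specific first", the exception has to be stated as its
    # own passthrough policy instead of relying on the narrower prefix.
    type=passthrough
    left=203.0.113.10
    leftsubnet=172.16.0.0/24
    # No peer is ever negotiated for a passthrough; the address here is a
    # placeholder (assumed form, check the shipped passthrough example).
    right=0.0.0.0
    rightsubnet=10.1.2.0/24
    authby=never
    auto=route
```

Load both with `ipsec auto --add`, then `ipsec auto --route bypass-10-1-2` and `ipsec auto --up wide-tunnel`; `ip xfrm policy show` should then list a policy for 172.16.0.0/24 to 10.1.2.0/24 alongside the tunnel's 10.0.0.0/8 one. The check that matters is behavioural: traffic towards 10.1.2.0/24 should no longer increase the tunnel SA counters shown by `ip -s xfrm state`, while traffic to the rest of 10.0.0.0/8 still does.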