[Openswan Users] Problem in site 2 site communication
Pascal Fuks
Pascal at financial-art.be
Wed Aug 19 13:06:34 EDT 2009
Hello,
I do have a configuration with a central site (call it AS, with public IP
4.2.3.226 on eth4 and 172.16.254.65 on eth5 (public MPLS network)) that
connects (without problem) to 6 sites.
I'd like to have all sites communicating together, through the central site
tunnels.
Each site can communicate with the central site networks, but is not able to
communicate with other sites.
When tracerouting from distant site RUNGIS client to distant site IER, we
see packets trying to go outside through the 4.2.3.226 (Public IP)
address...
Any ideas / questions are welcome ;-)
Here are my ip addresses:
[root at bemersfw01 ipsec.d]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:1b:21:3f:e1:e0 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.66/24 brd 172.16.0.255 scope global eth0
    inet 172.16.222.66/24 brd 172.16.222.255 scope global eth0:1
    inet6 fe80::21b:21ff:fe3f:e1e0/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:1b:21:3f:e1:e1 brd ff:ff:ff:ff:ff:ff
    inet 10.10.1.126/24 brd 10.10.1.255 scope global eth1
    inet6 fe80::21b:21ff:fe3f:e1e1/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
    link/ether 00:1b:21:3f:e1:e4 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:1b:21:3f:e1:e5 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.66/24 brd 192.168.0.255 scope global eth3
    inet6 fe80::21b:21ff:fe3f:e1e5/64 scope link
       valid_lft forever preferred_lft forever
6: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:1b:21:3f:ee:68 brd ff:ff:ff:ff:ff:ff
    inet 4.2.3.226/27 brd 194.78.61.255 scope global eth4
    inet 4.2.3.227/27 brd 194.78.61.255 scope global secondary eth4:227
    inet 4.2.3.228/27 brd 194.78.61.255 scope global secondary eth4:228
    inet 4.2.3.229/27 brd 194.78.61.255 scope global secondary eth4:229
    inet 4.2.3.230/27 brd 194.78.61.255 scope global secondary eth4:230
    inet 4.2.3.242/27 brd 194.78.61.255 scope global secondary eth4:242
    inet 4.2.3.243/27 brd 194.78.61.255 scope global secondary eth4:243
    inet 4.2.3.244/27 brd 194.78.61.255 scope global secondary eth4:244
    inet 4.2.3.245/27 brd 194.78.61.255 scope global secondary eth4:245
    inet6 fe80::21b:21ff:fe3f:ee68/64 scope link
       valid_lft forever preferred_lft forever
7: eth5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:1b:21:3f:ee:69 brd ff:ff:ff:ff:ff:ff
    inet 172.16.254.65/24 brd 172.16.254.255 scope global eth5
    inet6 fe80::21b:21ff:fe3f:ee69/64 scope link
       valid_lft forever preferred_lft forever
8: eth6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:1b:21:3f:ee:6c brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.66/24 brd 172.20.0.255 scope global eth6
    inet6 fe80::21b:21ff:fe3f:ee6c/64 scope link
       valid_lft forever preferred_lft forever
9: eth7: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
    link/ether 00:1b:21:3f:ee:6d brd ff:ff:ff:ff:ff:ff
10: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
Here is my ipsec.conf file:
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    plutowait=no
    interfaces="ipsec0=eth5 ipsec1=eth4"
    protostack=netkey
    nat_traversal=yes

include /etc/ipsec.d/*.conf
In ipsec.d we have the following files:
-rw-r--r-- 1 root root 793 Aug 9 07:08 aix.conf
-rw-r--r-- 1 root root 150 Aug 9 06:53 aix.secrets
-rw-r--r-- 1 root root 884 Aug 9 07:11 blyes.conf
-rw-r--r-- 1 root root 55 Aug 9 06:09 blyes.secrets
-rw-r--r-- 1 root root 354 Aug 8 15:46 canada.conf
-rw-r--r-- 1 root root 47 Aug 8 16:58 canada.secrets
-rw-r--r-- 1 root root 805 Aug 13 15:38 ier.conf
-rw-r--r-- 1 root root 49 Aug 12 18:19 ier.secrets
-rw-r--r-- 1 root root 880 Aug 9 08:31 nyc.conf
-rw-r--r-- 1 root root 46 Aug 9 07:52 nyc.secrets
-rw-r--r-- 1 root root 921 Aug 13 12:38 rungis.conf
-rw-r--r-- 1 root root 47 Aug 9 05:31 rungis.secrets
And here are 2 config files (say if you need more):
Rungis.conf
----------------
conn Rungis1
    leftsubnet=172.16.0.0/23
    also=Rungis
conn Rungis2
    leftsubnet=172.24.0.0/16
    also=Rungis
conn Rungis3
    leftsubnet=212.155.183.226/32
    also=Rungis
conn Rungis4
    leftsubnet=10.123.32.0/24
    also=Rungis
conn Rungis5
    leftsubnet=172.16.3.0/24
    also=Rungis
conn Rungis6
    leftsubnet=172.16.4.0/24
    also=Rungis
conn Rungis7
    leftsubnet=172.16.222.0/24
    also=Rungis
conn Rungis8
    leftsubnet=172.16.30.0/24
    also=Rungis
conn Rungis9
    leftsubnet=172.16.40.0/24
    also=Rungis
conn Rungis10
    leftsubnet=172.16.5.0/24
    also=Rungis
conn Rungis
    authby=secret
    pfs=no
    auto=start
    keyingtries=3
    disablearrivalcheck=no
    keyexchange=ike
    ikelifetime=240m
    type=tunnel
    auth=esp
    compress=no
    keylife=60m
    right=4.4.3.21
    rightsubnet=172.16.10.0/24
    rightnexthop=4.4.3.22
    left=4.2.3.226
    leftnexthop=4.2.3.254
IER.conf
------------
conn IERB
    leftsubnet=172.16.0.0/24
    rightsubnet=172.24.0.0/18
    also=IER
conn IERF
    leftsubnet=172.16.10.0/24
    rightsubnet=172.24.0.0/18
    also=IER
conn BOLLOREB
    leftsubnet=172.16.0.0/24
    rightsubnet=10.128.0.0/11
    also=IER
conn BOLLOREF
    leftsubnet=172.16.10.0/24
    rightsubnet=10.128.0.0/11
    also=IER
conn BOLLOREB1
    leftsubnet=172.16.0.0/24
    rightsubnet=10.123.0.0/16
    also=IER
conn BOLLOREF1
    leftsubnet=172.16.10.0/24
    rightsubnet=10.123.0.0/16
    also=IER
conn IER
    authby=secret
    pfs=yes
    auto=start
    keyingtries=3
    disablearrivalcheck=no
    keyexchange=ike
    ikelifetime=86400s
    type=tunnel
    auth=esp
    compress=no
    keylife=14400s
    right=4.3.3.20
    left=4.2.3.226
    leftnexthop=4.2.3.254
    esp=aes128-sha1
    ike=3des-sha
---
Pascal Fuks
Network & Security Consultant - CEO
Financial Art S.A.
Rue des Pâquerettes 12
Braine-l'Alleud, B 1420 Belgium
http://www.financial-art.be
Work: +32 2 387 0800
Mobile: +32 475 26 8902
Fax: +32 2 387 0706
Email: Pascal at financial-art.be
IM: pascal at financial-art (MSN)
Before printing, think if it's really necessary and think about the environmental
impact
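As an added example (not from Pascal's post and not Openswan code), a small Python checker for the hub-and-spoke question raised above: it parses conn sections with also= inheritance the way the two posted files use it, groups the hub's policies by spoke peer (the right= address), and reports every spoke LAN that the tunnel towards another spoke does not carry as a leftsubnet, exactly or as a supernet. The embedded sample is constructed from the subnet and peer lines of the posted Rungis and IER conns; the function names are assumptions of this example.

```python
import ipaddress

def parse_conns(text):
    """Parse ipsec.conf conn sections; also= parents merge first, own keys win."""
    raw, cur = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("conn "):
            cur = raw.setdefault(line.split(None, 1)[1], {"also": []})
        elif cur is not None and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            cur["also"].append(v) if k == "also" else cur.update({k: v})
    def resolve(n):
        merged = {k: v for p in raw[n]["also"] for k, v in resolve(p).items()}
        merged.update({k: v for k, v in raw[n].items() if k != "also"})
        return merged
    return {n: resolve(n) for n in raw}

def spoke_gaps(conns):
    """(src, dst, lan) for every dst LAN no hub-to-src policy carries as leftsubnet."""
    spokes = {}  # right peer -> its own LANs and the subnets the hub offers it
    for c in conns.values():
        if c.keys() >= {"right", "leftsubnet", "rightsubnet"}:
            s = spokes.setdefault(c["right"], {"lans": set(), "via": set()})
            s["lans"].add(ipaddress.ip_network(c["rightsubnet"]))
            s["via"].add(ipaddress.ip_network(c["leftsubnet"]))
    return sorted((src, dst, str(lan))
                  for src in spokes for dst in spokes if src != dst
                  for lan in spokes[dst]["lans"]
                  if not any(v.supernet_of(lan) for v in spokes[src]["via"]))

# Constructed sample: only the subnet/peer lines of the posted Rungis and IER conns.
SAMPLE = """conn Rungis2
  leftsubnet=172.24.0.0/16
  also=Rungis
conn Rungis4
  leftsubnet=10.123.32.0/24
  also=Rungis
conn Rungis
  right=4.4.3.21
  rightsubnet=172.16.10.0/24
conn IERF
  leftsubnet=172.16.10.0/24
  rightsubnet=172.24.0.0/18
  also=IER
conn BOLLOREF1
  leftsubnet=172.16.10.0/24
  rightsubnet=10.123.0.0/16
  also=IER
conn IER
  right=4.3.3.20"""
```

`spoke_gaps(parse_conns(SAMPLE))` returns `[("4.4.3.21", "4.3.3.20", "10.123.0.0/16")]`: the Rungis tunnel carries only 10.123.32.0/24, so traffic from Rungis towards the rest of 10.123.0.0/16 has no matching IPsec policy on the hub and is forwarded by the ordinary routing table, while 172.24.0.0/18 passes because the Rungis side offers the wider 172.24.0.0/16.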