[Openswan Users] Hub and spoke routing issue when using Openswan

Mattias Mattsson mm4748190 at gmail.com
Tue Feb 10 11:39:32 EST 2009


Hi All,

I'm having a problem when trying to upgrade from FreeS/WAN 1.99 to Openswan
2.6.18 (klips).

The setup is a hub and spoke VPN where two spoke sites (B and C) are
connecting into the hub site (A). The protected subnets are all different
(i.e. this is not an 'extruded subnet' setup) and eroutes are used to route
from B to C and vice versa.

On each of the spokes, an additional eroute is added with the local subnet
as the source, the other spoke's subnet as the destination and the hub as
the gateway.

On the hub, two eroutes are added, each having one spoke as the source and
the other spoke as the destination.

This works fine when using Freeswan, but when using Openswan for the hub,
the hub does not even accept the incoming traffic from the spoke, i.e. if I
do a tcpdump on ipsec0 I do not see the incoming traffic.

I'm including the configuration for the two setups, as well as some ping and
tcpdump output. Note that they have different IP addresses (I set up two
setups to be able to run the tests at the same time). For both setups, the
WAN addresses are on the 192.168.1.x network and the LAN addresses are on
different 172.16.x.x subnets. Also note that in the Openswan setup, only the
hub is using Openswan; the two spokes are still Freeswan.

How do I make this work in Openswan?

Thanks / Mattias



-------------------------------------------------------------------------------------------------------------------------------------
For the Freeswan setup, the IP addresses are as follows:
Hub - 172.16.10.110 - 192.168.1.10
Spoke1 - 172.16.30.130 - 192.168.1.30
Spoke2 - 172.16.60.160 - 192.168.1.60

Hub's ipsec.conf
-----------------------
config setup
        interfaces = "ipsec0=eth1"
        klipsdebug = none
        plutodebug = none
        plutoload = %search
        plutostart = %search
        uniqueids = yes
        hidetos = no
conn t10to30
        type = tunnel
        left = 192.168.1.10
        right = 192.168.1.30
        leftnexthop = 192.168.1.1
        leftsubnet = 172.16.10.0/24
        rightsubnet = 172.16.30.0/24
        auto = start
        keyexchange = ike
        authby = secret
        auth = esp
        keyingtries = 0
        esp = AES128-SHA1
        pfs = yes
        rekey = yes
        leftid = 192.168.1.10
        rightid = 192.168.1.30
        ike = 3DES-SHA-MODP1024
        ikelifetime = 28800s
        keylife = 86400s
        rekeymargin = 10m
        rekeyfuzz = 20%
conn t10to60
        type = tunnel
        left = 192.168.1.10
        right = 192.168.1.60
        leftnexthop = 192.168.1.1
        leftsubnet = 172.16.10.0/24
        rightsubnet = 172.16.60.0/24
        auto = start
        keyexchange = ike
        authby = secret
        auth = esp
        keyingtries = 0
        esp = AES128-SHA1
        pfs = yes
        rekey = yes
        leftid = 192.168.1.10
        rightid = 192.168.1.60
        ike = 3DES-SHA-MODP1024
        ikelifetime = 28800s
        keylife = 86400s
        rekeymargin = 10m
        rekeyfuzz = 20%

Hub's eroutes
-----------------------
0          172.16.10.0/24     -> 172.16.30.0/24     => tun0x101b at 192.168.1.30
0          172.16.10.0/24     -> 172.16.60.0/24     => tun0x101f at 192.168.1.60
26         172.16.30.0/24     -> 172.16.60.0/24     => tun0x101f at 192.168.1.60
26         172.16.60.0/24     -> 172.16.30.0/24     => tun0x101b at 192.168.1.30

Spoke1's ipsec.conf
-----------------------
config setup
        interfaces = "ipsec0=eth1"
        klipsdebug = none
        plutodebug = none
        plutoload = %search
        plutostart = %search
        uniqueids = yes
        hidetos = no
conn t30to10
        type = tunnel
        left = 192.168.1.30
        right = 192.168.1.10
        leftnexthop = 192.168.1.1
        leftsubnet = 172.16.30.0/24
        rightsubnet = 172.16.10.0/24
        auto = start
        keyexchange = ike
        authby = secret
        auth = esp
        keyingtries = 0
        esp = AES128-SHA1
        pfs = yes
        rekey = yes
        leftid = 192.168.1.30
        rightid = 192.168.1.10
        ike = 3DES-SHA-MODP1024
        ikelifetime = 28800s
        keylife = 86400s
        rekeymargin = 10m
        rekeyfuzz = 20%

Spoke1's eroutes
-----------------------
0          172.16.30.0/24     -> 172.16.10.0/24     => tun0x1004 at 192.168.1.10
26         172.16.30.0/24     -> 172.16.60.0/24     => tun0x1004 at 192.168.1.10


Spoke2's ipsec.conf
-----------------------
config setup
        interfaces = "ipsec0=eth1"
        klipsdebug = none
        plutodebug = none
        plutoload = %search
        plutostart = %search
        uniqueids = yes
        hidetos = no
conn t60to10
        type = tunnel
        left = 192.168.1.60
        right = 192.168.1.10
        leftnexthop = 192.168.1.1
        leftsubnet = 172.16.60.0/24
        rightsubnet = 172.16.10.0/24
        auto = start
        keyexchange = ike
        authby = secret
        auth = esp
        keyingtries = 0
        esp = AES128-SHA1
        pfs = yes
        rekey = yes
        leftid = 192.168.1.60
        rightid = 192.168.1.10
        ike = 3DES-SHA-MODP1024
        ikelifetime = 28800s
        keylife = 86400s
        rekeymargin = 10m
        rekeyfuzz = 20%

Spoke2's eroutes
-----------------------
0          172.16.60.0/24     -> 172.16.10.0/24     => tun0x1004 at 192.168.1.10
62         172.16.60.0/24     -> 172.16.30.0/24     => tun0x1004 at 192.168.1.10


When pinging from spoke1 to hub:
# ping -I 172.16.30.130 172.16.10.110
PING 172.16.10.110 (172.16.10.110): 56 data bytes
64 bytes from 172.16.10.110: icmp_seq=0 ttl=64 time=3.2 ms
64 bytes from 172.16.10.110: icmp_seq=1 ttl=64 time=2.3 ms

When pinging from spoke1 to spoke2:
# ping -I 172.16.30.130 172.16.60.160
PING 172.16.60.160 (172.16.60.160): 56 data bytes
64 bytes from 172.16.60.160: icmp_seq=0 ttl=63 time=12.7 ms
64 bytes from 172.16.60.160: icmp_seq=1 ttl=63 time=4.6 ms

Tcpdump on spoke1 when pinging from spoke1 to spoke2:
# tcpdump -ni ipsec0 icmp
tcpdump: listening on ipsec0
00:34:17.262268 172.16.30.130 > 172.16.60.160: icmp: echo request (DF)
00:34:17.266201 172.16.60.160 > 172.16.30.130: icmp: echo reply

And tcpdump on hub when pinging from spoke1 to spoke2:
# tcpdump -ni ipsec0 icmp
tcpdump: listening on ipsec0
16:29:56.543048 172.16.30.130 > 172.16.60.160: icmp: echo request (DF)
16:29:56.543527 172.16.30.130 > 172.16.60.160: icmp: echo request (DF)
16:29:56.545636 172.16.60.160 > 172.16.30.130: icmp: echo reply
16:29:56.546168 172.16.60.160 > 172.16.30.130: icmp: echo reply


-------------------------------------------------------------------------------------------------------------------------------------
For the Openswan setup, the IP addresses are as follows:
Hub - 172.16.50.150 - 192.168.1.50
Spoke1 - 172.16.40.140 - 192.168.1.40
Spoke2 - 172.16.20.120 - 192.168.1.20

Hub's ipsec.conf
-----------------------
config setup
        interfaces = "ipsec0=eth1"
        klipsdebug = none
        plutodebug = none
        uniqueids = yes
        hidetos = no
conn t50to40
        type = tunnel
        left = 192.168.1.50
        right = 192.168.1.40
        leftnexthop = 192.168.1.1
        leftsubnet = 172.16.50.0/24
        rightsubnet = 172.16.40.0/24
        auto = start
        keyexchange = ike
        authby = secret
        auth = esp
        keyingtries = 0
        esp = AES128-SHA1
        pfs = yes
        rekey = yes
        leftid = 192.168.1.50
        rightid = 192.168.1.40
        ike = 3DES-SHA-MODP1024
        ikelifetime = 28800s
        keylife = 86400s
        rekeymargin = 10m
        rekeyfuzz = 20%
conn t50to20
        type = tunnel
        left = 192.168.1.50
        right = 192.168.1.20
        leftnexthop = 192.168.1.1
        leftsubnet = 172.16.50.0/24
        rightsubnet = 172.16.20.0/24
        auto = start
        keyexchange = ike
        authby = secret
        auth = esp
        keyingtries = 0
        esp = AES128-SHA1
        pfs = yes
        rekey = yes
        leftid = 192.168.1.50
        rightid = 192.168.1.20
        ike = 3DES-SHA-MODP1024
        ikelifetime = 28800s
        keylife = 86400s
        rekeymargin = 10m
        rekeyfuzz = 20%

Hub's eroutes
-----------------------
0          172.16.20.0/24     -> 172.16.40.0/24     => tun0x1016 at 192.168.1.40
0          172.16.40.0/24     -> 172.16.20.0/24     => tun0x1014 at 192.168.1.20
2          172.16.50.0/24     -> 172.16.20.0/24     => tun0x1014 at 192.168.1.20
12         172.16.50.0/24     -> 172.16.40.0/24     => tun0x1016 at 192.168.1.40


Spoke1's ipsec.conf
-----------------------
config setup
        interfaces = "ipsec0=eth1"
        klipsdebug = none
        plutodebug = none
        plutoload = %search
        plutostart = %search
        uniqueids = yes
        hidetos = no
conn t40to50
        type = tunnel
        left = 192.168.1.40
        right = 192.168.1.50
        leftnexthop = 192.168.1.1
        leftsubnet = 172.16.40.0/24
        rightsubnet = 172.16.50.0/24
        auto = start
        keyexchange = ike
        authby = secret
        auth = esp
        keyingtries = 0
        esp = AES128-SHA1
        pfs = yes
        rekey = yes
        leftid = 192.168.1.40
        rightid = 192.168.1.50
        ike = 3DES-SHA-MODP1024
        ikelifetime = 28800s
        keylife = 86400s
        rekeymargin = 10m
        rekeyfuzz = 20%

Spoke1's eroutes
-----------------------
2          172.16.20.0/24     -> 172.16.40.0/24     => tun0x1008 at 192.168.1.50
2          172.16.20.0/24     -> 172.16.50.0/24     => tun0x1008 at 192.168.1.50

Spoke2's ipsec.conf
-----------------------
config setup
        interfaces = "ipsec0=eth1"
        klipsdebug = none
        plutodebug = none
        plutoload = %search
        plutostart = %search
        uniqueids = yes
        hidetos = no
conn t20to50
        type = tunnel
        left = 192.168.1.20
        right = 192.168.1.50
        leftnexthop = 192.168.1.1
        leftsubnet = 172.16.20.0/24
        rightsubnet = 172.16.50.0/24
        auto = start
        keyexchange = ike
        authby = secret
        auth = esp
        keyingtries = 0
        esp = AES128-SHA1
        pfs = yes
        rekey = yes
        leftid = 192.168.1.20
        rightid = 192.168.1.50
        ike = 3DES-SHA-MODP1024
        ikelifetime = 28800s
        keylife = 86400s
        rekeymargin = 10m
        rekeyfuzz = 20%

Spoke2's eroutes
-----------------------
549        172.16.40.0/24     -> 172.16.20.0/24     => tun0x100c at 192.168.1.50
12         172.16.40.0/24     -> 172.16.50.0/24     => tun0x100c at 192.168.1.50


When pinging from spoke1 to hub:
# ping -I 172.16.20.120 172.16.50.150
PING 172.16.50.150 (172.16.50.150): 56 data bytes
64 bytes from 172.16.50.150: icmp_seq=0 ttl=64 time=12.4 ms
64 bytes from 172.16.50.150: icmp_seq=1 ttl=64 time=10.4 ms

When pinging from spoke1 to spoke2:
# ping -I 172.16.20.120 172.16.40.140
PING 172.16.40.140 (172.16.40.140): 56 data bytes

--- 172.16.40.140 ping statistics ---
8 packets transmitted, 0 packets received, 100% packet loss

Tcpdump on spoke1 when pinging from spoke1 to spoke2:
# tcpdump -ni ipsec0 icmp
tcpdump: listening on ipsec0
16:33:49.927435 172.16.20.120 > 172.16.40.140: icmp: echo request (DF)
16:33:50.927440 172.16.20.120 > 172.16.40.140: icmp: echo request (DF)

And tcpdump on hub when pinging from spoke1 to spoke2:
# tcpdump -ni ipsec0 icmp
tcpdump: listening on ipsec0

0 packets received by filter
0 packets dropped by kernel


I can ping from the hub to spoke2:
# ping -I 172.16.50.150 172.16.40.140
PING 172.16.40.140 (172.16.40.140): 56 data bytes
64 bytes from 172.16.40.140: icmp_seq=0 ttl=64 time=3.3 ms
64 bytes from 172.16.40.140: icmp_seq=1 ttl=64 time=2.1 ms
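The eroute requirement the post describes (hub carries a transit entry for every ordered spoke pair; each spoke reaches the other spokes through the hub's gateway) is easy to get subtly wrong by hand. The following is an added example, not code from the post or from Openswan/FreeS/WAN: a small Python checker that parses `ipsec eroute` output and reports which of the expected hub-and-spoke policies are absent. It assumes the eroute line format shown above (KLIPS prints the SAID as `tun0x101f@192.168.1.60`; the list archive rendered the `@` as ` at `, and both spellings are accepted). The sample tables are constructed from the FreeS/WAN hub and spoke1 output in the post, and the `check_hub` / `check_spoke1` helper names are hypothetical.

```python
"""Check a KLIPS eroute table for the entries a hub-and-spoke VPN needs.

Added example, not code from the original post. Every spoke has a tunnel
to the hub only, and spoke-to-spoke traffic is relayed by the hub, so each
box needs eroutes beyond the ones Pluto installs for its own conn.
"""
import re
from ipaddress import ip_network

# One record of `ipsec eroute` output. KLIPS prints the SAID as
# "tun0x101f@192.168.1.60"; the list archive rewrote '@' as ' at ',
# so both forms are accepted.
EROUTE_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+->\s+(\S+)\s+=>\s+(\S+?)(?:@|\s+at\s+)(\S+)\s*$"
)

# Sample tables constructed from the FreeS/WAN hub and spoke1 output in
# the post (wrapped lines re-joined).
HUB_EROUTES = """\
0          172.16.10.0/24     -> 172.16.30.0/24     => tun0x101b at 192.168.1.30
0          172.16.10.0/24     -> 172.16.60.0/24     => tun0x101f at 192.168.1.60
26         172.16.30.0/24     -> 172.16.60.0/24     => tun0x101f at 192.168.1.60
26         172.16.60.0/24     -> 172.16.30.0/24     => tun0x101b at 192.168.1.30
"""

SPOKE1_EROUTES = """\
0          172.16.30.0/24     -> 172.16.10.0/24     => tun0x1004 at 192.168.1.10
26         172.16.30.0/24     -> 172.16.60.0/24     => tun0x1004 at 192.168.1.10
"""

HUB_SUBNET = "172.16.10.0/24"
HUB_GW = "192.168.1.10"
# spoke WAN gateway -> spoke LAN subnet, from the FreeS/WAN address list
SPOKES = {"192.168.1.30": "172.16.30.0/24", "192.168.1.60": "172.16.60.0/24"}


def parse_eroutes(text):
    """Return the set of (src, dst, gateway) policies in an eroute dump.

    Packet counts and SAIDs are dropped: for the topology check only the
    selector pair and the peer the traffic is tunnelled to matter.
    """
    policies = set()
    for line in text.splitlines():
        m = EROUTE_RE.match(line)
        if m is None:
            continue  # blank lines, headers
        _count, src, dst, _said, gw = m.groups()
        policies.add((ip_network(src), ip_network(dst), gw))
    return policies


def expected_hub_eroutes(hub_subnet, spokes):
    """Eroutes a hub needs: hub->spoke for each spoke, plus a transit
    entry spokeA->spokeB (tunnelled to B) for every ordered spoke pair."""
    hub = ip_network(hub_subnet)
    nets = {gw: ip_network(net) for gw, net in spokes.items()}
    want = set()
    for gw, net in nets.items():
        want.add((hub, net, gw))
        for other_gw, other_net in nets.items():
            if other_gw != gw:
                want.add((other_net, net, gw))
    return want


def expected_spoke_eroutes(my_subnet, hub_subnet, hub_gw, other_subnets):
    """Eroutes a spoke needs: to the hub, and to every other spoke via the
    hub's gateway (the spoke has no tunnel of its own to other spokes)."""
    me = ip_network(my_subnet)
    want = {(me, ip_network(hub_subnet), hub_gw)}
    for net in other_subnets:
        want.add((me, ip_network(net), hub_gw))
    return want


def missing_eroutes(observed_text, expected):
    """Expected policies absent from the dump, as sorted readable strings."""
    missing = expected - parse_eroutes(observed_text)
    return sorted(f"{s} -> {d} via {gw}" for s, d, gw in missing)


def check_hub(text=HUB_EROUTES):
    return missing_eroutes(text, expected_hub_eroutes(HUB_SUBNET, SPOKES))


def check_spoke1(text=SPOKE1_EROUTES):
    return missing_eroutes(
        text,
        expected_spoke_eroutes("172.16.30.0/24", HUB_SUBNET, HUB_GW,
                               ["172.16.60.0/24"]),
    )


if __name__ == "__main__":
    for name, missing in (("hub", check_hub()), ("spoke1", check_spoke1())):
        print(name, "ok" if not missing else "missing: " + "; ".join(missing))
```

On a live box, feed it the output of `ipsec eroute` instead of the embedded tables. Note that the check only confirms the policies are present; it says nothing about whether the kernel then accepts the inbound packets on ipsec0, which is the symptom reported above.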