[Openswan Users] Hub and spoke routing issue when using Openswan
Mattias Mattsson
mm4748190 at gmail.com
Tue Feb 10 11:39:32 EST 2009
Hi All,
I'm having a problem when trying to upgrade from FreeS/WAN 1.99 to Openswan
2.6.18 (klips).
The setup is a hub and spoke VPN where two spoke sites (B and C) are
connecting into the hub site (A). The protected subnets are all different
(i.e. this is not an 'extruded subnet' setup) and eroutes are used to route
from B to C and vice versa.
On each of the spokes, an additional eroute is added with the local subnet
as the source and the other spokes subnet as the destination and the hub as
the gateway.
On the hub, two eroutes are added, each having one spoke as the source and
the other spoke as the destination.
This works fine when using Freeswan, but when using Openswan for the hub,
the Hub does not even accept the incoming traffic from the spoke, i.e. if I
do a tcpdump on ipsec0 I do not see the incoming traffic.
I'm including the configuration for the two setups, as well as some ping and
tcpdump output, note that they have different IP addresses (I set up two
setups to be able to run the tests at the same time). For both setups, the
WAN addresses are on the 192.168.1.x network and the LAN addresses are on
different 172.16.x.x subnets. Also note that in the Openswan setup, only the
hub is using Openswan, the two spokes are still Freeswan.
How do I make this work in Openswan?
Thanks / Mattias
-------------------------------------------------------------------------------------------------------------------------------------
For the Freeswan setup, the IP addresses are as follows:
Hub - 172.16.10.110 - 192.168.1.10
Spoke1 - 172.16.30.130 - 192.168.1.30
Spoke2 - 172.16.60.160 - 192.168.1.60
Hub's ipsec.conf
-----------------------
config setup
interfaces = "ipsec0=eth1"
klipsdebug = none
plutodebug = none
plutoload = %search
plutostart = %search
uniqueids = yes
hidetos = no
conn t10to30
type = tunnel
left = 192.168.1.10
right = 192.168.1.30
leftnexthop = 192.168.1.1
leftsubnet = 172.16.10.0/24
rightsubnet = 172.16.30.0/24
auto = start
keyexchange = ike
authby = secret
auth = esp
keyingtries = 0
esp = AES128-SHA1
pfs = yes
rekey = yes
leftid = 192.168.1.10
rightid = 192.168.1.30
ike = 3DES-SHA-MODP1024
ikelifetime = 28800s
keylife = 86400s
rekeymargin = 10m
rekeyfuzz = 20%
conn t10to60
type = tunnel
left = 192.168.1.10
right = 192.168.1.60
leftnexthop = 192.168.1.1
leftsubnet = 172.16.10.0/24
rightsubnet = 172.16.60.0/24
auto = start
keyexchange = ike
authby = secret
auth = esp
keyingtries = 0
esp = AES128-SHA1
pfs = yes
rekey = yes
leftid = 192.168.1.10
rightid = 192.168.1.60
ike = 3DES-SHA-MODP1024
ikelifetime = 28800s
keylife = 86400s
rekeymargin = 10m
rekeyfuzz = 20%
Hub's eroutes
-----------------------
0 172.16.10.0/24 -> 172.16.30.0/24 =>
tun0x101b at 192.168.1.30
0 172.16.10.0/24 -> 172.16.60.0/24 =>
tun0x101f at 192.168.1.60
26 172.16.30.0/24 -> 172.16.60.0/24 =>
tun0x101f at 192.168.1.60
26 172.16.60.0/24 -> 172.16.30.0/24 =>
tun0x101b at 192.168.1.30
Spoke1's ipsec.conf
-----------------------
config setup
interfaces = "ipsec0=eth1"
klipsdebug = none
plutodebug = none
plutoload = %search
plutostart = %search
uniqueids = yes
hidetos = no
conn t30to10
type = tunnel
left = 192.168.1.30
right = 192.168.1.10
leftnexthop = 192.168.1.1
leftsubnet = 172.16.30.0/24
rightsubnet = 172.16.10.0/24
auto = start
keyexchange = ike
authby = secret
auth = esp
keyingtries = 0
esp = AES128-SHA1
pfs = yes
rekey = yes
leftid = 192.168.1.30
rightid = 192.168.1.10
ike = 3DES-SHA-MODP1024
ikelifetime = 28800s
keylife = 86400s
rekeymargin = 10m
rekeyfuzz = 20%
Spoke1's eroutes
-----------------------
0 172.16.30.0/24 -> 172.16.10.0/24 =>
tun0x1004 at 192.168.1.10
26 172.16.30.0/24 -> 172.16.60.0/24 =>
tun0x1004 at 192.168.1.10
Spoke2's ipsec.conf
-----------------------
config setup
interfaces = "ipsec0=eth1"
klipsdebug = none
plutodebug = none
plutoload = %search
plutostart = %search
uniqueids = yes
hidetos = no
conn t60to10
type = tunnel
left = 192.168.1.60
right = 192.168.1.10
leftnexthop = 192.168.1.1
leftsubnet = 172.16.60.0/24
rightsubnet = 172.16.10.0/24
auto = start
keyexchange = ike
authby = secret
auth = esp
keyingtries = 0
esp = AES128-SHA1
pfs = yes
rekey = yes
leftid = 192.168.1.60
rightid = 192.168.1.10
ike = 3DES-SHA-MODP1024
ikelifetime = 28800s
keylife = 86400s
rekeymargin = 10m
rekeyfuzz = 20%
Spoke2's eroutes
-----------------------
0 172.16.60.0/24 -> 172.16.10.0/24 =>
tun0x1004 at 192.168.1.10
62 172.16.60.0/24 -> 172.16.30.0/24 =>
tun0x1004 at 192.168.1.10
When pinging from spoke1 to hub:
# ping -I 172.16.30.130 172.16.10.110
PING 172.16.10.110 (172.16.10.110): 56 data bytes
64 bytes from 172.16.10.110: icmp_seq=0 ttl=64 time=3.2 ms
64 bytes from 172.16.10.110: icmp_seq=1 ttl=64 time=2.3 ms
When pinging from spoke1 to spoke2:
# ping -I 172.16.30.130 172.16.60.160
PING 172.16.60.160 (172.16.60.160): 56 data bytes
64 bytes from 172.16.60.160: icmp_seq=0 ttl=63 time=12.7 ms
64 bytes from 172.16.60.160: icmp_seq=1 ttl=63 time=4.6 ms
Tcpdump on spoke1 when pinging from spoke1 to spoke2:
# tcpdump -ni ipsec0 icmp
tcpdump: listening on ipsec0
00:34:17.262268 172.16.30.130 > 172.16.60.160: icmp: echo request (DF)
00:34:17.266201 172.16.60.160 > 172.16.30.130: icmp: echo reply
And tcpdump on hub when pinging from spoke1 to spoke2:
# tcpdump -ni ipsec0 icmp
tcpdump: listening on ipsec0
16:29:56.543048 172.16.30.130 > 172.16.60.160: icmp: echo request (DF)
16:29:56.543527 172.16.30.130 > 172.16.60.160: icmp: echo request (DF)
16:29:56.545636 172.16.60.160 > 172.16.30.130: icmp: echo reply
16:29:56.546168 172.16.60.160 > 172.16.30.130: icmp: echo reply
-------------------------------------------------------------------------------------------------------------------------------------
For the Openswan setup, the IP addresses are as follows:
Hub - 172.16.50.150 - 192.168.1.50
Spoke1 - 172.16.40.140 - 192.168.1.40
Spoke2 - 172.16.20.120 - 192.168.1.20
Hub's ipsec.conf
-----------------------
config setup
interfaces = "ipsec0=eth1"
klipsdebug = none
plutodebug = none
uniqueids = yes
hidetos = no
conn t50to40
type = tunnel
left = 192.168.1.50
right = 192.168.1.40
leftnexthop = 192.168.1.1
leftsubnet = 172.16.50.0/24
rightsubnet = 172.16.40.0/24
auto = start
keyexchange = ike
authby = secret
auth = esp
keyingtries = 0
esp = AES128-SHA1
pfs = yes
rekey = yes
leftid = 192.168.1.50
rightid = 192.168.1.40
ike = 3DES-SHA-MODP1024
ikelifetime = 28800s
keylife = 86400s
rekeymargin = 10m
rekeyfuzz = 20%
conn t50to20
type = tunnel
left = 192.168.1.50
right = 192.168.1.20
leftnexthop = 192.168.1.1
leftsubnet = 172.16.50.0/24
rightsubnet = 172.16.20.0/24
auto = start
keyexchange = ike
authby = secret
auth = esp
keyingtries = 0
esp = AES128-SHA1
pfs = yes
rekey = yes
leftid = 192.168.1.50
rightid = 192.168.1.20
ike = 3DES-SHA-MODP1024
ikelifetime = 28800s
keylife = 86400s
rekeymargin = 10m
rekeyfuzz = 20%
Hub's eroutes
-----------------------
0 172.16.20.0/24 -> 172.16.40.0/24 =>
tun0x1016 at 192.168.1.40
0 172.16.40.0/24 -> 172.16.20.0/24 =>
tun0x1014 at 192.168.1.20
2 172.16.50.0/24 -> 172.16.20.0/24 =>
tun0x1014 at 192.168.1.20
12 172.16.50.0/24 -> 172.16.40.0/24 =>
tun0x1016 at 192.168.1.40
Spoke1's ipsec.conf
-----------------------
config setup
interfaces = "ipsec0=eth1"
klipsdebug = none
plutodebug = none
plutoload = %search
plutostart = %search
uniqueids = yes
hidetos = no
conn t40to50
type = tunnel
left = 192.168.1.40
right = 192.168.1.50
leftnexthop = 192.168.1.1
leftsubnet = 172.16.40.0/24
rightsubnet = 172.16.50.0/24
auto = start
keyexchange = ike
authby = secret
auth = esp
keyingtries = 0
esp = AES128-SHA1
pfs = yes
rekey = yes
leftid = 192.168.1.40
rightid = 192.168.1.50
ike = 3DES-SHA-MODP1024
ikelifetime = 28800s
keylife = 86400s
rekeymargin = 10m
rekeyfuzz = 20%
Spoke1's eroutes
-----------------------
2 172.16.20.0/24 -> 172.16.40.0/24 =>
tun0x1008 at 192.168.1.50
2 172.16.20.0/24 -> 172.16.50.0/24 =>
tun0x1008 at 192.168.1.50
Spoke2's ipsec.conf
-----------------------
config setup
interfaces = "ipsec0=eth1"
klipsdebug = none
plutodebug = none
plutoload = %search
plutostart = %search
uniqueids = yes
hidetos = no
conn t20to50
type = tunnel
left = 192.168.1.20
right = 192.168.1.50
leftnexthop = 192.168.1.1
leftsubnet = 172.16.20.0/24
rightsubnet = 172.16.50.0/24
auto = start
keyexchange = ike
authby = secret
auth = esp
keyingtries = 0
esp = AES128-SHA1
pfs = yes
rekey = yes
leftid = 192.168.1.20
rightid = 192.168.1.50
ike = 3DES-SHA-MODP1024
ikelifetime = 28800s
keylife = 86400s
rekeymargin = 10m
rekeyfuzz = 20%
Spoke2's eroutes
-----------------------
549 172.16.40.0/24 -> 172.16.20.0/24 =>
tun0x100c at 192.168.1.50
12 172.16.40.0/24 -> 172.16.50.0/24 =>
tun0x100c at 192.168.1.50
When pinging from spoke1 to hub:
# ping -I 172.16.20.120 172.16.50.150
PING 172.16.50.150 (172.16.50.150): 56 data bytes
64 bytes from 172.16.50.150: icmp_seq=0 ttl=64 time=12.4 ms
64 bytes from 172.16.50.150: icmp_seq=1 ttl=64 time=10.4 ms
When pinging from spoke1 to spoke2:
# ping -I 172.16.20.120 172.16.40.140
PING 172.16.40.140 (172.16.40.140): 56 data bytes
--- 172.16.40.140 ping statistics ---
8 packets transmitted, 0 packets received, 100% packet loss
Tcpdump on spoke1 when pinging from spoke1 to spoke2:
# tcpdump -ni ipsec0 icmp
tcpdump: listening on ipsec0
16:33:49.927435 172.16.20.120 > 172.16.40.140: icmp: echo request (DF)
16:33:50.927440 172.16.20.120 > 172.16.40.140: icmp: echo request (DF)
And tcpdump on hub when pinging from spoke1 to spoke2:
# tcpdump -ni ipsec0 icmp
tcpdump: listening on ipsec0
0 packets received by filter
0 packets dropped by kernel
I can ping from the hub to spoke2:
# ping -I 172.16.50.150 172.16.40.140
PING 172.16.40.140 (172.16.40.140): 56 data bytes
64 bytes from 172.16.40.140: icmp_seq=0 ttl=64 time=3.3 ms
64 bytes from 172.16.40.140: icmp_seq=1 ttl=64 time=2.1 ms
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20090210/1a012479/attachment-0001.html
More information about the Users
mailing list