[Openswan Users] Hub and spoke routing issue when using Openswan
hiren joshi
joshihirenn at gmail.com
Wed Feb 11 05:59:01 EST 2009
Are you sure the leftsubnet/rightsubnet configuration is right?
I think it should be something like:
           y'
           |
x' -- X -- Y -- Z -- z'
X(spoke-1):
leftsubnet x'
rightsubnet z'
left X
right Y

Z(spoke-2):
leftsubnet z'
rightsubnet x'
left Z
right Y
Y: C-1
leftsubnet x'
rightsubnet z'
left Y
right Z

Y: C-2
leftsubnet z'
rightsubnet x'
left Y
right X
Regards,
hiren
On Tue, Feb 10, 2009 at 10:09 PM, Mattias Mattsson <mm4748190 at gmail.com> wrote:
> Hi All,
>
> I'm having a problem when trying to upgrade from FreeS/WAN 1.99 to Openswan
> 2.6.18 (klips).
>
> The setup is a hub and spoke VPN where two spoke sites (B and C) are
> connecting into the hub site (A). The protected subnets are all different
> (i.e. this is not an 'extruded subnet' setup) and eroutes are used to route
> from B to C and vice versa.
>
> On each of the spokes, an additional eroute is added with the local subnet
> as the source and the other spokes subnet as the destination and the hub as
> the gateway.
>
> On the hub, two eroutes are added, each having one spoke as the source and
> the other spoke as the destination.
>
> This works fine when using Freeswan, but when using Openswan for the hub,
> the Hub does not even accept the incoming traffic from the spoke, i.e. if I
> do a tcpdump on ipsec0 I do not see the incoming traffic.
>
> I'm including the configuration for the two setups, as well as some ping and
> tcpdump output, note that they have different IP addresses (I set up two
> setups to be able to run the tests at the same time). For both setups, the
> WAN addresses are on the 192.168.1.x network and the LAN addresses are on
> different 172.16.x.x subnets. Also note that in the Openswan setup, only the
> hub is using Openswan, the two spokes are still Freeswan.
>
> How do I make this work in Openswan?
>
> Thanks / Mattias
>
>
>
> -------------------------------------------------------------------------------------------------------------------------------------
> For the Freeswan setup, the IP addresses are as follows:
> Hub - 172.16.10.110 - 192.168.1.10
> Spoke1 - 172.16.30.130 - 192.168.1.30
> Spoke2 - 172.16.60.160 - 192.168.1.60
>
> Hub's ipsec.conf
> -----------------------
> config setup
> interfaces = "ipsec0=eth1"
> klipsdebug = none
> plutodebug = none
> plutoload = %search
> plutostart = %search
> uniqueids = yes
> hidetos = no
> conn t10to30
> type = tunnel
> left = 192.168.1.10
> right = 192.168.1.30
> leftnexthop = 192.168.1.1
> leftsubnet = 172.16.10.0/24
> rightsubnet = 172.16.30.0/24
> auto = start
> keyexchange = ike
> authby = secret
> auth = esp
> keyingtries = 0
> esp = AES128-SHA1
> pfs = yes
> rekey = yes
> leftid = 192.168.1.10
> rightid = 192.168.1.30
> ike = 3DES-SHA-MODP1024
> ikelifetime = 28800s
> keylife = 86400s
> rekeymargin = 10m
> rekeyfuzz = 20%
> conn t10to60
> type = tunnel
> left = 192.168.1.10
> right = 192.168.1.60
> leftnexthop = 192.168.1.1
> leftsubnet = 172.16.10.0/24
> rightsubnet = 172.16.60.0/24
> auto = start
> keyexchange = ike
> authby = secret
> auth = esp
> keyingtries = 0
> esp = AES128-SHA1
> pfs = yes
> rekey = yes
> leftid = 192.168.1.10
> rightid = 192.168.1.60
> ike = 3DES-SHA-MODP1024
> ikelifetime = 28800s
> keylife = 86400s
> rekeymargin = 10m
> rekeyfuzz = 20%
>
> Hub's eroutes
> -----------------------
> 0 172.16.10.0/24 -> 172.16.30.0/24 => tun0x101b@192.168.1.30
> 0 172.16.10.0/24 -> 172.16.60.0/24 => tun0x101f@192.168.1.60
> 26 172.16.30.0/24 -> 172.16.60.0/24 => tun0x101f@192.168.1.60
> 26 172.16.60.0/24 -> 172.16.30.0/24 => tun0x101b@192.168.1.30
>
> Spoke1's ipsec.conf
> -----------------------
> config setup
> interfaces = "ipsec0=eth1"
> klipsdebug = none
> plutodebug = none
> plutoload = %search
> plutostart = %search
> uniqueids = yes
> hidetos = no
> conn t30to10
> type = tunnel
> left = 192.168.1.30
> right = 192.168.1.10
> leftnexthop = 192.168.1.1
> leftsubnet = 172.16.30.0/24
> rightsubnet = 172.16.10.0/24
> auto = start
> keyexchange = ike
> authby = secret
> auth = esp
> keyingtries = 0
> esp = AES128-SHA1
> pfs = yes
> rekey = yes
> leftid = 192.168.1.30
> rightid = 192.168.1.10
> ike = 3DES-SHA-MODP1024
> ikelifetime = 28800s
> keylife = 86400s
> rekeymargin = 10m
> rekeyfuzz = 20%
>
> Spoke1's eroutes
> -----------------------
> 0 172.16.30.0/24 -> 172.16.10.0/24 => tun0x1004@192.168.1.10
> 26 172.16.30.0/24 -> 172.16.60.0/24 => tun0x1004@192.168.1.10
>
>
> Spoke2's ipsec.conf
> -----------------------
> config setup
> interfaces = "ipsec0=eth1"
> klipsdebug = none
> plutodebug = none
> plutoload = %search
> plutostart = %search
> uniqueids = yes
> hidetos = no
> conn t60to10
> type = tunnel
> left = 192.168.1.60
> right = 192.168.1.10
> leftnexthop = 192.168.1.1
> leftsubnet = 172.16.60.0/24
> rightsubnet = 172.16.10.0/24
> auto = start
> keyexchange = ike
> authby = secret
> auth = esp
> keyingtries = 0
> esp = AES128-SHA1
> pfs = yes
> rekey = yes
> leftid = 192.168.1.60
> rightid = 192.168.1.10
> ike = 3DES-SHA-MODP1024
> ikelifetime = 28800s
> keylife = 86400s
> rekeymargin = 10m
> rekeyfuzz = 20%
>
> Spoke2's eroutes
> -----------------------
> 0 172.16.60.0/24 -> 172.16.10.0/24 => tun0x1004@192.168.1.10
> 62 172.16.60.0/24 -> 172.16.30.0/24 => tun0x1004@192.168.1.10
>
>
> When pinging from spoke1 to hub:
> # ping -I 172.16.30.130 172.16.10.110
> PING 172.16.10.110 (172.16.10.110): 56 data bytes
> 64 bytes from 172.16.10.110: icmp_seq=0 ttl=64 time=3.2 ms
> 64 bytes from 172.16.10.110: icmp_seq=1 ttl=64 time=2.3 ms
>
> When pinging from spoke1 to spoke2:
> # ping -I 172.16.30.130 172.16.60.160
> PING 172.16.60.160 (172.16.60.160): 56 data bytes
> 64 bytes from 172.16.60.160: icmp_seq=0 ttl=63 time=12.7 ms
> 64 bytes from 172.16.60.160: icmp_seq=1 ttl=63 time=4.6 ms
>
> Tcpdump on spoke1 when pinging from spoke1 to spoke2:
> # tcpdump -ni ipsec0 icmp
> tcpdump: listening on ipsec0
> 00:34:17.262268 172.16.30.130 > 172.16.60.160: icmp: echo request (DF)
> 00:34:17.266201 172.16.60.160 > 172.16.30.130: icmp: echo reply
>
> And tcpdump on hub when pinging from spoke1 to spoke2:
> # tcpdump -ni ipsec0 icmp
> tcpdump: listening on ipsec0
> 16:29:56.543048 172.16.30.130 > 172.16.60.160: icmp: echo request (DF)
> 16:29:56.543527 172.16.30.130 > 172.16.60.160: icmp: echo request (DF)
> 16:29:56.545636 172.16.60.160 > 172.16.30.130: icmp: echo reply
> 16:29:56.546168 172.16.60.160 > 172.16.30.130: icmp: echo reply
>
>
> -------------------------------------------------------------------------------------------------------------------------------------
> For the Openswan setup, the IP addresses are as follows:
> Hub - 172.16.50.150 - 192.168.1.50
> Spoke1 - 172.16.40.140 - 192.168.1.40
> Spoke2 - 172.16.20.120 - 192.168.1.20
>
> Hub's ipsec.conf
> -----------------------
> config setup
> interfaces = "ipsec0=eth1"
> klipsdebug = none
> plutodebug = none
> uniqueids = yes
> hidetos = no
> conn t50to40
> type = tunnel
> left = 192.168.1.50
> right = 192.168.1.40
> leftnexthop = 192.168.1.1
> leftsubnet = 172.16.50.0/24
> rightsubnet = 172.16.40.0/24
> auto = start
> keyexchange = ike
> authby = secret
> auth = esp
> keyingtries = 0
> esp = AES128-SHA1
> pfs = yes
> rekey = yes
> leftid = 192.168.1.50
> rightid = 192.168.1.40
> ike = 3DES-SHA-MODP1024
> ikelifetime = 28800s
> keylife = 86400s
> rekeymargin = 10m
> rekeyfuzz = 20%
> conn t50to20
> type = tunnel
> left = 192.168.1.50
> right = 192.168.1.20
> leftnexthop = 192.168.1.1
> leftsubnet = 172.16.50.0/24
> rightsubnet = 172.16.20.0/24
> auto = start
> keyexchange = ike
> authby = secret
> auth = esp
> keyingtries = 0
> esp = AES128-SHA1
> pfs = yes
> rekey = yes
> leftid = 192.168.1.50
> rightid = 192.168.1.20
> ike = 3DES-SHA-MODP1024
> ikelifetime = 28800s
> keylife = 86400s
> rekeymargin = 10m
> rekeyfuzz = 20%
>
> Hub's eroutes
> -----------------------
> 0 172.16.20.0/24 -> 172.16.40.0/24 => tun0x1016@192.168.1.40
> 0 172.16.40.0/24 -> 172.16.20.0/24 => tun0x1014@192.168.1.20
> 2 172.16.50.0/24 -> 172.16.20.0/24 => tun0x1014@192.168.1.20
> 12 172.16.50.0/24 -> 172.16.40.0/24 => tun0x1016@192.168.1.40
>
>
> Spoke1's ipsec.conf
> -----------------------
> config setup
> interfaces = "ipsec0=eth1"
> klipsdebug = none
> plutodebug = none
> plutoload = %search
> plutostart = %search
> uniqueids = yes
> hidetos = no
> conn t40to50
> type = tunnel
> left = 192.168.1.40
> right = 192.168.1.50
> leftnexthop = 192.168.1.1
> leftsubnet = 172.16.40.0/24
> rightsubnet = 172.16.50.0/24
> auto = start
> keyexchange = ike
> authby = secret
> auth = esp
> keyingtries = 0
> esp = AES128-SHA1
> pfs = yes
> rekey = yes
> leftid = 192.168.1.40
> rightid = 192.168.1.50
> ike = 3DES-SHA-MODP1024
> ikelifetime = 28800s
> keylife = 86400s
> rekeymargin = 10m
> rekeyfuzz = 20%
>
> Spoke1's eroutes
> -----------------------
> 2 172.16.20.0/24 -> 172.16.40.0/24 => tun0x1008@192.168.1.50
> 2 172.16.20.0/24 -> 172.16.50.0/24 => tun0x1008@192.168.1.50
>
> Spoke2's ipsec.conf
> -----------------------
> config setup
> interfaces = "ipsec0=eth1"
> klipsdebug = none
> plutodebug = none
> plutoload = %search
> plutostart = %search
> uniqueids = yes
> hidetos = no
> conn t20to50
> type = tunnel
> left = 192.168.1.20
> right = 192.168.1.50
> leftnexthop = 192.168.1.1
> leftsubnet = 172.16.20.0/24
> rightsubnet = 172.16.50.0/24
> auto = start
> keyexchange = ike
> authby = secret
> auth = esp
> keyingtries = 0
> esp = AES128-SHA1
> pfs = yes
> rekey = yes
> leftid = 192.168.1.20
> rightid = 192.168.1.50
> ike = 3DES-SHA-MODP1024
> ikelifetime = 28800s
> keylife = 86400s
> rekeymargin = 10m
> rekeyfuzz = 20%
>
> Spoke2's eroutes
> -----------------------
> 549 172.16.40.0/24 -> 172.16.20.0/24 => tun0x100c@192.168.1.50
> 12 172.16.40.0/24 -> 172.16.50.0/24 => tun0x100c@192.168.1.50
>
>
> When pinging from spoke1 to hub:
> # ping -I 172.16.20.120 172.16.50.150
> PING 172.16.50.150 (172.16.50.150): 56 data bytes
> 64 bytes from 172.16.50.150: icmp_seq=0 ttl=64 time=12.4 ms
> 64 bytes from 172.16.50.150: icmp_seq=1 ttl=64 time=10.4 ms
>
> When pinging from spoke1 to spoke2:
> # ping -I 172.16.20.120 172.16.40.140
> PING 172.16.40.140 (172.16.40.140): 56 data bytes
>
> --- 172.16.40.140 ping statistics ---
> 8 packets transmitted, 0 packets received, 100% packet loss
>
> Tcpdump on spoke1 when pinging from spoke1 to spoke2:
> # tcpdump -ni ipsec0 icmp
> tcpdump: listening on ipsec0
> 16:33:49.927435 172.16.20.120 > 172.16.40.140: icmp: echo request (DF)
> 16:33:50.927440 172.16.20.120 > 172.16.40.140: icmp: echo request (DF)
>
> And tcpdump on hub when pinging from spoke1 to spoke2:
> # tcpdump -ni ipsec0 icmp
> tcpdump: listening on ipsec0
>
> 0 packets received by filter
> 0 packets dropped by kernel
>
>
> I can ping from the hub to spoke2:
> # ping -I 172.16.50.150 172.16.40.140
> PING 172.16.40.140 (172.16.40.140): 56 data bytes
> 64 bytes from 172.16.40.140: icmp_seq=0 ttl=64 time=3.3 ms
> 64 bytes from 172.16.40.140: icmp_seq=1 ttl=64 time=2.1 ms
>
>
>
>
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
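Added example, not part of the thread and not Openswan code: a small Python script that takes the topology of the Openswan setup above, writes out the subnet-pair conns hiren describes (for every ordered spoke pair (s, t), a conn on s with leftsubnet s' and rightsubnet t' towards the hub, and its mirror on the hub with leftsubnet t' and rightsubnet s' towards s), and performs two checks a practitioner would want: that every leg of a spoke-to-spoke path is covered by a negotiated selector on both ends, and, given the hub's eroute table from the post, which eroutes have no conn behind them. The host and conn names, the helper functions and the dict layout are assumptions made here; the addresses and the shared conn settings are the ones in the post.

```python
# Added example for this thread, not Openswan code: express spoke-to-spoke
# traffic as subnet-pair conns and check the result against `ipsec eroute`.
from ipaddress import ip_network

# Constructed topology, using the addresses of the Openswan setup in the post.
HUB = {"name": "hub", "wan": "192.168.1.50", "subnet": "172.16.50.0/24"}
SPOKES = [
    {"name": "spoke1", "wan": "192.168.1.40", "subnet": "172.16.40.0/24"},
    {"name": "spoke2", "wan": "192.168.1.20", "subnet": "172.16.20.0/24"},
]
# Shared settings copied from the posted conns.  3DES and MODP1024 are the
# poster's 2009 choices and are weak today; kept only to match the page.
COMMON = {"type": "tunnel", "auto": "start", "authby": "secret",
          "esp": "AES128-SHA1", "ike": "3DES-SHA-MODP1024", "pfs": "yes"}

def _conn(name, me, peer, local_subnet, remote_subnet):
    """One conn as written on host `me`; left is the local end, as in the post."""
    return {"name": name, "left": me["wan"], "right": peer["wan"],
            "leftid": me["wan"], "rightid": peer["wan"],
            "leftsubnet": local_subnet, "rightsubnet": remote_subnet}

def build_conns(hub, spokes, transit=True):
    """Return {host: [conn, ...]} for the hub and every spoke.

    transit=False reproduces the post: one hub<->spoke conn per spoke.
    transit=True also adds, per ordered spoke pair (s, t), a conn on s with
    selectors (s', t') towards the hub and its mirror (t', s') on the hub, so
    the hub negotiates an SA whose local subnet it does not own (hiren's C-1/C-2).
    """
    conns = {hub["name"]: [], **{s["name"]: [] for s in spokes}}
    for s in spokes:
        name = f"{hub['name']}-{s['name']}"
        conns[s["name"]].append(_conn(name, s, hub, s["subnet"], hub["subnet"]))
        conns[hub["name"]].append(_conn(name, hub, s, hub["subnet"], s["subnet"]))
        for t in spokes:
            if transit and t is not s:
                name = f"{s['name']}-to-{t['name']}"
                conns[s["name"]].append(_conn(name, s, hub, s["subnet"], t["subnet"]))
                conns[hub["name"]].append(_conn(name, hub, s, t["subnet"], s["subnet"]))
    return conns

def selectors(conns):
    """Set of (my_wan, local_subnet, remote_subnet, peer_wan) over all hosts."""
    return {(c["left"], ip_network(c["leftsubnet"]), ip_network(c["rightsubnet"]),
             c["right"]) for lst in conns.values() for c in lst}

def missing_transit(conns, hub, spokes):
    """Selector legs that s' -> t' via the hub needs but no conn provides:
    s encrypts (s', t') to the hub, the hub accepts (t', s') from s, the hub
    encrypts (s', t') to t, and t accepts (t', s') from the hub."""
    have, need = selectors(conns), set()
    for s in spokes:
        for t in spokes:
            if t is s:
                continue
            sn, tn = ip_network(s["subnet"]), ip_network(t["subnet"])
            need |= {(s["wan"], sn, tn, hub["wan"]), (hub["wan"], tn, sn, s["wan"]),
                     (hub["wan"], sn, tn, t["wan"]), (t["wan"], tn, sn, hub["wan"])}
    return need - have

def parse_eroutes(text):
    """Parse `ipsec eroute` lines of the form '<n> <src> -> <dst> => tun0x...@<peer>'."""
    out = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 6 and parts[2] == "->" and parts[4] == "=>":
            sa, peer = parts[5].split("@")
            out.append((ip_network(parts[1]), ip_network(parts[3]), sa, peer))
    return out

def unbacked_eroutes(eroutes, my_wan, conns):
    """Eroutes on this host whose (src, dst, peer) no conn negotiated, i.e. the
    hand-added ones that reuse an SA negotiated for another selector pair."""
    negotiated = {(l, r, p) for me, l, r, p in selectors(conns) if me == my_wan}
    return [e for e in eroutes if (e[0], e[1], e[3]) not in negotiated]

def render_ipsec_conf(conns_for_host):
    """Emit the conns in the key = value layout used in the thread."""
    lines = []
    for c in conns_for_host:
        lines.append(f"conn {c['name']}")
        lines += [f"\t{k} = {v}" for k, v in {**COMMON, **c}.items() if k != "name"]
    return "\n".join(lines) + "\n"

# Constructed input: the hub's eroute table from the post, with "@" restored.
HUB_EROUTES = """\
0 172.16.20.0/24 -> 172.16.40.0/24 => tun0x1016@192.168.1.40
0 172.16.40.0/24 -> 172.16.20.0/24 => tun0x1014@192.168.1.20
2 172.16.50.0/24 -> 172.16.20.0/24 => tun0x1014@192.168.1.20
12 172.16.50.0/24 -> 172.16.40.0/24 => tun0x1016@192.168.1.40
"""

if __name__ == "__main__":
    original, fixed = build_conns(HUB, SPOKES, transit=False), build_conns(HUB, SPOKES)
    print("eroutes with no conn behind them:",
          unbacked_eroutes(parse_eroutes(HUB_EROUTES), HUB["wan"], original))
    print("transit legs missing, original:", missing_transit(original, HUB, SPOKES))
    print("transit legs missing, subnet-pair conns:", missing_transit(fixed, HUB, SPOKES))
    print(render_ipsec_conf(fixed["hub"]))
```

Run against the hub-only conns from the post, unbacked_eroutes() returns the two hand-added 172.16.20.0/24 <-> 172.16.40.0/24 entries. Note that in the posted table those entries share tun0x1016 and tun0x1014 with the hub's own 172.16.50.0/24 eroutes, which is the footprint of an eroute pointed at an SA that IKE negotiated for a different selector pair. With the subnet-pair conns the same two selectors are negotiated through IKE and each gets its own SA, and both checks come back empty. Openswan's KLIPS compares the inner addresses of a decrypted packet with the selectors of the SA it arrived on, so a 172.16.20.x -> 172.16.40.x packet arriving on the hub's 172.16.50.0/24 <-> 172.16.20.0/24 SA is dropped before it reaches ipsec0, which is consistent with the empty tcpdump on the hub above; the FreeS/WAN 1.99 hub evidently did not enforce that. The esp and ike values are copied from the post only to match it; 3DES and MODP1024 should not be chosen for a new deployment.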