[Openswan Users] VPN Only Working one direction
Myron Williams
list at wcstc.com
Wed May 20 17:13:33 EDT 2009
Hi All,
I am having a difficult problem that I have not been able to find the
answer to. I am trying to get a tunnel working between 2 CentOS boxes
running Openswan.
According to the logs the tunnel gets established as can be seen from
the "ipsec whack --status" below (ISAKMP SA established). The tunnel
works from one side but not the other. I can ping though the tunnel
from the 192.168.0.0 network to the 192.168.30.0 network but I can not
ping from the 192.168.30.0 network to the 192.168.0.0 network. When I
do I get this error "icmp_seq=15 Packet filtered".
Any ideas as to what might be happening and a bump in the right
direction on how to fix it. I have searched google without success.
Please help.
Myron Williams
Systems Administrator
EZ-NetTools.net
configuration files:
ipsec.conf
version 2.0
config setup
klipsdebug=none
plutodebug=none
protostack=netkey
nat_traversal=yes
include /etc/ipsec.d/*.conf
#Disable Opportunistic Encryption
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
ipsec.d/ipsec.office-rexburg.conf
conn OFFICE-REXBURG
left=67.158.135.226
leftsubnet=192.168.0.0/24
leftid=@shadow.eznettools.net
leftnexthop=67.158.135.225
right=67.158.135.126
rightsubnet=192.168.30.0/24
rightid=@office.eznettools.net
rightnexthop=67.158.135.125
auto=start
disablearrivalcheck=no
compress=yes
pfs=yes
authby=rsasig
leftrsasigkey=0sAQO...
rightrsasigkey=0sAQP...
# ipsec verify
Checking your system to see if IPsec got installed and started
correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.14/K2.6.18-128.1.6.el5 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support
[DISABLED]
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use
Iface
67.158.135.124 0.0.0.0 255.255.255.252 U 0 0 0
eth0
192.168.30.0 0.0.0.0 255.255.255.0 U 0 0 0
eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0
eth1
0.0.0.0 67.158.135.125 0.0.0.0 UG 0 0 0
eth0
# ipsec whack --status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth1/eth1 192.168.30.1
000 interface eth1/eth1 192.168.30.1
000 interface eth0/eth0 67.158.135.126
000 interface eth0/eth0 67.158.135.126
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40,
keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0,
keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16,
keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC,
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC,
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH,
blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "OFFICE-REXBURG":
192.168.30.0/24===67.158.135.126<67.158.135.126>[@office.eznettools.net,
+S=C]---67.158.135.125...67.158.135.225---67.158.135.226<67.158.135.226>[@shadow.eznettools.net,+S=C]===192.168.0.0/24; erouted; eroute owner: #2
000 "OFFICE-REXBURG": myip=unset; hisip=unset;
000 "OFFICE-REXBURG": ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "OFFICE-REXBURG": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP
+IKEv2ALLOW; prio: 24,24; interface: eth0;
000 "OFFICE-REXBURG": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "OFFICE-REXBURG": IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000
000 #2: "OFFICE-REXBURG":500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 27855s; newest IPSEC; eroute owner;
isakmp#1; idle; import:admin initiate
000 #2: "OFFICE-REXBURG" esp.ead3836f at 67.158.135.226
esp.7cae9340 at 67.158.135.126 tun.0 at 67.158.135.226 tun.0 at 67.158.135.126
ref=0 refhim=4294901761
000 #1: "OFFICE-REXBURG":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 3058s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0);
idle; import:admin initiate
000
# ip xfrm policy
src 192.168.0.0/24 dst 192.168.30.0/24
dir in priority 2344
tmpl src 67.158.135.226 dst 67.158.135.126
proto esp reqid 16385 mode tunnel
src 192.168.30.0/24 dst 192.168.0.0/24
dir out priority 2344
tmpl src 67.158.135.126 dst 67.158.135.226
proto esp reqid 16385 mode tunnel
src 192.168.0.0/24 dst 192.168.30.0/24
dir fwd priority 2344
tmpl src 67.158.135.226 dst 67.158.135.126
proto esp reqid 16385 mode tunnel
More information about the Users
mailing list