[Openswan Users] Asynchronous ipsec traffic
Sven Schiwek
ml-openswan at svenux.de
Wed Oct 14 06:51:15 EDT 2009
Hi,

I have some interesting ipsec traffic...

My VPN server (Openswan 2.4.15) has one public interface and multiple virtual interfaces (eth0, eth0:1, eth0:2, ...) with public IP addresses. I have configured one connection on "eth0 (111.111.111.111) -> ipsec0" (it's working fine) and one on eth0:3 (222.222.222.222) -> ipsec1.

It's interesting that the second connection uses both ipsec interfaces. Outgoing traffic goes through ipsec1 and incoming traffic over ipsec0.

The VPN partner for this second connection has configured the public IP address of eth0:3, so why can I see the traffic on ipsec0 and not on ipsec1?
$> tcpdump -n -i ipsec1 host 192.168.12.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec1, link-type EN10MB (Ethernet), capture size 96 bytes
04:56:22.393460 IP 192.168.10.1 > 192.168.12.1: ICMP echo request, id 2887, seq 1, length 64
04:56:23.396411 IP 192.168.10.1 > 192.168.12.1: ICMP echo request, id 2887, seq 2, length 64
04:56:24.401918 IP 192.168.10.1 > 192.168.12.1: ICMP echo request, id 2887, seq 3, length 64
$> tcpdump -n -i ipsec0 host 192.168.12.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type EN10MB (Ethernet), capture size 96 bytes
04:56:52.432435 IP 192.168.12.1 > 192.168.10.1: ICMP echo reply, id 20807, seq 1, length 64
04:56:53.438754 IP 192.168.12.1 > 192.168.10.1: ICMP echo reply, id 20807, seq 2, length 64
04:56:54.444316 IP 192.168.12.1 > 192.168.10.1: ICMP echo reply, id 20807, seq 3, length 64
The encrypted traffic looks fine:
$> tcpdump -n host 333.333.333.333
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
05:35:20.974658 IP 222.222.222.222 > 333.333.333.333: ESP(spi=0x2a30e588,seq=0x48), length 132
05:35:21.093186 IP 333.333.333.333 > 222.222.222.222: ESP(spi=0xccdfa4a1,seq=0x48), length 132
05:35:21.981960 IP 222.222.222.222 > 333.333.333.333: ESP(spi=0x2a30e588,seq=0x49), length 132
05:35:22.100460 IP 333.333.333.333 > 222.222.222.222: ESP(spi=0xccdfa4a1,seq=0x49), length 132
05:35:22.990032 IP 222.222.222.222 > 333.333.333.333: ESP(spi=0x2a30e588,seq=0x4a), length 132
05:35:23.108426 IP 333.333.333.333 > 222.222.222.222: ESP(spi=0xccdfa4a1,seq=0x4a), length 132
But there is no incoming traffic on ipsec1!
$> ifconfig ipsec0
ipsec0    Link encap:Ethernet  HWaddr 00:40:d0:b0:ea:bc
          inet addr:111.111.111.111  Mask:255.255.255.192
          inet6 addr: abcd::abc:abcd:abcd:abcd/64 Scope:Link
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:2823783 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3943622 errors:0 dropped:8 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:319993402 (305.1 MiB)  TX bytes:4242378948 (3.9 GiB)

$> ifconfig ipsec1
ipsec1    Link encap:Ethernet  HWaddr 00:40:d0:b0:ea:bc
          inet addr:222.222.222.222  Mask:255.255.255.128
          inet6 addr: abcd::abc:abcd:abcd:abcd/64 Scope:Link
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:737765 errors:0 dropped:7 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 B)  TX bytes:738350302 (704.1 MiB)
My ipsec.conf looks like this:

----8<----
config setup
        interfaces="ipsec0=eth0 ipsec1=eth0:3"
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
        nat_traversal=yes
        plutowait=yes
        nhelpers=0
        klipsdebug=none
        plutodebug=none
        uniqueids=yes

conn rv042
        type=tunnel
        compress=no
        authby=secret
        pfs=no
        keyingtries=1
        ikelifetime=12h
        keylife=12h
        rekey=no
        left= 111.111.111.111
        leftsubnet=0.0.0.0/0
        right=%any
        rightsubnet=192.168.11.0/24
        auto=add
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear

conn euus
        type=tunnel
        compress=no
        authby=secret
        pfs=no
        keyingtries=3
        ikelifetime=1h
        keylife=1h
        rekey=yes
        left= 222.222.222.222
        leftsubnet=192.168.10.1/24
        right=333.333.333.333
        rightsubnet=192.168.12.1/24
        auto=start
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
---->8----
Any help is greatly appreciated. Thanks,
Sven
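The check Sven did by hand above (capture on each ipsec interface, compare which direction of the inner flow appears where, confirm the ESP SA pair on the physical interface) can be automated over saved tcpdump output. The script below is an added example for this thread, not Sven's code and not part of Openswan; the sample input is a constructed copy of the three captures from the post, and the helper names (parse_tcpdump, one_way_interfaces, esp_spis, esp_sequence_gaps) are made up for this illustration. It reports interfaces that carry only one direction of a flow, the SPI seen in each direction of the outer ESP stream, and any gaps in ESP sequence numbers.

```python
import re
from collections import defaultdict

# Constructed sample input: the three tcpdump -n runs from the post, concatenated.
# 333.333.333.333 is the poster's placeholder, not a valid IPv4 address; the
# parser treats addresses as opaque strings, so it still works on it.
SAMPLE = """\
listening on ipsec1, link-type EN10MB (Ethernet), capture size 96 bytes
04:56:22.393460 IP 192.168.10.1 > 192.168.12.1: ICMP echo request, id 2887, seq 1, length 64
04:56:23.396411 IP 192.168.10.1 > 192.168.12.1: ICMP echo request, id 2887, seq 2, length 64
04:56:24.401918 IP 192.168.10.1 > 192.168.12.1: ICMP echo request, id 2887, seq 3, length 64
listening on ipsec0, link-type EN10MB (Ethernet), capture size 96 bytes
04:56:52.432435 IP 192.168.12.1 > 192.168.10.1: ICMP echo reply, id 20807, seq 1, length 64
04:56:53.438754 IP 192.168.12.1 > 192.168.10.1: ICMP echo reply, id 20807, seq 2, length 64
04:56:54.444316 IP 192.168.12.1 > 192.168.10.1: ICMP echo reply, id 20807, seq 3, length 64
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
05:35:20.974658 IP 222.222.222.222 > 333.333.333.333: ESP(spi=0x2a30e588,seq=0x48), length 132
05:35:21.093186 IP 333.333.333.333 > 222.222.222.222: ESP(spi=0xccdfa4a1,seq=0x48), length 132
05:35:21.981960 IP 222.222.222.222 > 333.333.333.333: ESP(spi=0x2a30e588,seq=0x49), length 132
05:35:22.100460 IP 333.333.333.333 > 222.222.222.222: ESP(spi=0xccdfa4a1,seq=0x49), length 132
05:35:22.990032 IP 222.222.222.222 > 333.333.333.333: ESP(spi=0x2a30e588,seq=0x4a), length 132
05:35:23.108426 IP 333.333.333.333 > 222.222.222.222: ESP(spi=0xccdfa4a1,seq=0x4a), length 132
"""

LISTEN_RE = re.compile(r"^listening on (\S+),")
PKT_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ IP (\S+) > (\S+): (.*)$")
ESP_RE = re.compile(r"ESP\(spi=(0x[0-9a-f]+),seq=(0x[0-9a-f]+)\)")


def parse_tcpdump(text):
    """Parse concatenated tcpdump -n output into packet records.

    Each record carries the capture interface (from the most recent
    'listening on' banner), source, destination and protocol summary;
    ESP packets additionally carry their SPI and sequence number.
    """
    iface = None
    records = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = PKT_RE.match(line)
        if not m or iface is None:
            continue  # banner/noise lines, or packets before any banner
        src, dst, summary = m.groups()
        rec = {"iface": iface, "src": src, "dst": dst, "summary": summary}
        esp = ESP_RE.search(summary)
        if esp:
            rec["spi"] = esp.group(1)
            rec["seq"] = int(esp.group(2), 16)
        records.append(rec)
    return records


def directions_per_interface(records, local, remote):
    """Map interface -> set of directions ('out'/'in') seen for a host pair."""
    seen = defaultdict(set)
    for r in records:
        if (r["src"], r["dst"]) == (local, remote):
            seen[r["iface"]].add("out")
        elif (r["src"], r["dst"]) == (remote, local):
            seen[r["iface"]].add("in")
    return dict(seen)


def one_way_interfaces(records, local, remote):
    """Interfaces that carry only one direction of the pair's traffic.

    On a healthy tunnel the ipsec interface bound to the connection should
    show both the outgoing requests and the returning replies.
    """
    dirs = directions_per_interface(records, local, remote)
    return sorted(i for i, d in dirs.items() if len(d) == 1)


def esp_spis(records):
    """Map (outer src, outer dst) -> sorted SPIs seen, to confirm the SA pair."""
    spis = defaultdict(set)
    for r in records:
        if "spi" in r:
            spis[(r["src"], r["dst"])].add(r["spi"])
    return {k: sorted(v) for k, v in spis.items()}


def esp_sequence_gaps(records):
    """Map (outer src, outer dst, spi) -> missing sequence numbers in the capture."""
    seqs = defaultdict(set)
    for r in records:
        if "spi" in r:
            seqs[(r["src"], r["dst"], r["spi"])].add(r["seq"])
    return {k: [n for n in range(min(s), max(s) + 1) if n not in s]
            for k, s in seqs.items()}


if __name__ == "__main__":
    recs = parse_tcpdump(SAMPLE)
    local, remote = "192.168.10.1", "192.168.12.1"
    print("directions:", directions_per_interface(recs, local, remote))
    print("one-way interfaces:", one_way_interfaces(recs, local, remote))
    print("ESP SPIs:", esp_spis(recs))
    print("ESP sequence gaps:", esp_sequence_gaps(recs))
```

Run against the captures in the post it reports ipsec1 as outbound-only and ipsec0 as inbound-only for the 192.168.10.1/192.168.12.1 flow, which is exactly the asymmetry described, while the outer ESP stream on eth0 shows one SPI per direction with contiguous sequence numbers, so the SAs themselves are intact and the question is purely about which ipsec device KLIPS delivers the decrypted packets to.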