[Openswan Users] Huge_IPSec_problem
Steven Schlegel
steven.schlegel1988 at googlemail.com
Fri Oct 9 14:41:55 EDT 2009
Hey guys,
first of all, my English is not the best ;)
Well, I've got a huge IPsec problem....
I've tried to set up the following scenario:
client1: 192.168.240.50 ----> vpn-router1: 82.144.x.130
-->|-------TUNNEL-------|<-- vpn-router2: 82.113.x.27 ----> client2:
82.113.x.65
My vpn-router1 has 3 network cards:
eth0 with 10.254.0.1
eth1 with 10.254.0.2
eth2 with 82.144.x.130
Note: I don't have any access to vpn-router2, because it is a router from a
different network.
The tunnel between vpn-router1 and vpn-router2 is set up correctly, because
I get an "ISAKMP SA established" message.
So I tried to ping from my vpn-router1 to vpn-router2 and it works, BUT when I
did a traceroute to vpn-router2, I noticed
that all the traffic goes through the internet and not through the
IPsec tunnel. I believe this is a routing issue, but I can't figure out what
is going wrong.
So any help will be appreciated ;)
Here are my configs:
/etc/ipsec.d/vpn-conf:
conn o2
        authby=secret
        left=82.144.x.130
        leftsubnet=192.168.240.50/32
        #
        right=82.113.x.27
        rightsubnet=82.113.x.65/32
        rightnexthop=
        #
        ike=3des-sha1
        esp=3des-sha1
        pfsgroup=modp1024
        #
        auto=add
Output from "route -n":
Kernel-IP-Routentabelle
Ziel Router Genmask Flags Metric Ref Use Iface
82.113.x.65 0.0.0.0 255.255.255.255 UH 0 0 0 eth2
192.168.240.1 10.254.0.6 255.255.255.255 UGH 0 0 0 eth0
192.168.240.2 0.0.0.0 255.255.255.255 UH 0 0 0 eth2
192.168.200.44 10.254.0.4 255.255.255.255 UGH 0 0 0 eth0
192.168.240.45 10.254.0.6 255.255.255.255 UGH 0 0 0 eth0
192.168.225.1 10.254.0.4 255.255.255.255 UGH 0 0 0 eth0
192.168.200.1 10.254.0.4 255.255.255.255 UGH 0 0 0 eth0
10.254.0.11 10.254.0.2 255.255.255.255 UGH 0 0 0 eth0
212.6.x.0 0.0.0.0 255.255.255.240 U 0 0 0 eth2
82.144.x.128 0.0.0.0 255.255.255.240 U 0 0 0 eth2
192.168.240.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
192.168.7.0 10.254.0.11 255.255.255.0 UG 0 0 0 eth0
192.168.100.0 10.254.0.11 255.255.255.0 UG 0 0 0 eth0
192.168.6.0 10.254.0.11 255.255.255.0 UG 0 0 0 eth0
192.168.225.0 10.254.0.4 255.255.255.0 UG 0 0 0 eth0
192.168.5.0 10.254.0.11 255.255.255.0 UG 0 0 0 eth0
192.168.4.0 10.254.0.11 255.255.255.0 UG 0 0 0 eth0
192.168.210.0 10.254.0.6 255.255.255.0 UG 0 0 0 eth0
192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
192.168.245.0 10.254.0.6 255.255.255.0 UG 0 0 0 eth0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 dummy0
192.168.230.0 10.254.0.8 255.255.255.0 UG 30 0 0 eth0
192.168.0.0 10.254.0.5 255.255.255.0 UG 0 0 0 eth0
192.168.200.0 10.254.0.4 255.255.255.0 UG 0 0 0 eth0
10.254.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.254.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.120.0 10.254.0.8 255.255.255.0 UG 20 0 0 eth0
10.254.4.0 10.254.0.7 255.255.255.0 UG 20 0 0 eth0
10.10.0.0 10.254.0.8 255.255.248.0 UG 0 0 0 eth0
0.0.0.0 82.144.x.129 0.0.0.0 UG 100 0 0 eth2
The Output from ipsec auto --up vpn-conf:
root at vpn-router1:~# ipsec auto --up vpn-conf
104 "o2" #1: STATE_MAIN_I1: initiate
003 "o2" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
106 "o2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "o2" #1: received Vendor ID payload [Cisco-Unity]
003 "o2" #1: received Vendor ID payload [Dead Peer Detection]
003 "o2" #1: ignoring unknown Vendor ID payload [aa9f2d2a2ca9c8697632c1290dfa7179]
003 "o2" #1: received Vendor ID payload [XAUTH]
003 "o2" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
108 "o2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "o2" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "o2" #2: STATE_QUICK_I1: initiate
003 "o2" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
004 "o2" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x490d945d <0x35ccf61f xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Output from "iptables-save":
root at vpn-router1:~# iptables-save
# Generated by iptables-save v1.4.1.1 on Fri Oct 9 20:34:10 2009
*nat
:PREROUTING ACCEPT [12356738:1126281944]
:POSTROUTING ACCEPT [199775:13301675]
:OUTPUT ACCEPT [39239:3256355]
:or10er - [0:0]
-A PREROUTING -p tcp -m tcp --dport 22022 -j DNAT --to-destination 192.168.240.130:22
-A PREROUTING -p tcp -m tcp --dport 22023 -j DNAT --to-destination 192.168.240.131:22
-A PREROUTING -d 82.144.x.130/32 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 192.168.210.210:8081
-A PREROUTING -d 192.168.2.4/32 -j DNAT --to-destination 192.168.0.4
-A PREROUTING -d 192.168.2.3/32 -j DNAT --to-destination 192.168.0.3
-A PREROUTING -d 192.168.2.5/32 -j DNAT --to-destination 192.168.0.5
-A PREROUTING -d 192.168.2.10/32 -j DNAT --to-destination 192.168.0.10
-A PREROUTING -d 82.144.x.130/32 -p tcp -m tcp --dport 17971 -j DNAT --to-destination 192.168.240.94:80
-A PREROUTING -d 192.168.2.150/32 -j DNAT --to-destination 192.168.245.150
-A PREROUTING -d 192.168.2.151/32 -j DNAT --to-destination 192.168.245.151
-A PREROUTING -d 192.168.2.235/32 -j DNAT --to-destination 192.168.240.235
-A PREROUTING -d 82.144.x.130/32 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.240.50:21
-A PREROUTING -d 82.144.x.130/32 -p tcp -m tcp --dport 20 -j DNAT --to-destination 192.168.240.50:20
-A PREROUTING -i eth2 -p tcp -m tcp --dport 2000:30000 -j DNAT --to-destination 192.168.0.10
-A PREROUTING -d 82.144.x.130/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.10:80
-A PREROUTING -d 82.144.x.130/32 -p tcp -m tcp --dport 4434 -j DNAT --to-destination 192.168.0.10:4434
-A POSTROUTING -s 212.6.x.0/28 -d 192.168.245.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.3.0/24 -d 192.168.0.0/24 -j MASQUERADE
-A POSTROUTING -o eth2 -j MASQUERADE
-A POSTROUTING -d 192.168.240.94/32 -j MASQUERADE
-A POSTROUTING -d 192.168.0.10/32 -o eth0 -j MASQUERADE
-A POSTROUTING -d 192.168.0.10/32 -o eth1 -j MASQUERADE
COMMIT
# Completed on Fri Oct 9 20:34:10 2009
# Generated by iptables-save v1.4.1.1 on Fri Oct 9 20:34:10 2009
*mangle
:PREROUTING ACCEPT [1579535223:989589268388]
:INPUT ACCEPT [13365691:2167215608]
:FORWARD ACCEPT [1565049027:987281194415]
:OUTPUT ACCEPT [2091035:339136033]
:POSTROUTING ACCEPT [1566938084:987591423846]
COMMIT
# Completed on Fri Oct 9 20:34:10 2009
# Generated by iptables-save v1.4.1.1 on Fri Oct 9 20:34:10 2009
*filter
:INPUT ACCEPT [13329201:2164008631]
:FORWARD ACCEPT [1564853173:987158653555]
:OUTPUT ACCEPT [1888870:310192555]
COMMIT
# Completed on Fri Oct 9 20:34:10 2009
I hope you can help me with this problem...
Greetz to you
Steven
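As an added diagnostic (not from the post, and not Openswan's own code), the following Python models the two checks a reviewer of this setup would run: whether a given flow falls inside the conn's leftsubnet/rightsubnet selectors at all (a ping between the two routers' public addresses does not, with these /32 selectors), and whether the catch-all `-o eth2 -j MASQUERADE` is reached before any IPsec policy exemption. It assumes the NETKEY stack, where nat POSTROUTING runs before the XFRM policy lookup, approximates the `-m policy --pol ipsec` match by the selector check, and copies the post's conn and rules with the redacted octet replaced by 0 as a placeholder.

```python
import ipaddress
import re
import shlex

# Constructed from the post's conn and nat rules; the redacted octet "x" is set to 0 as a placeholder.
CONN = """conn o2
    left=82.144.0.130
    leftsubnet=192.168.240.50/32
    right=82.113.0.27
    rightsubnet=82.113.0.65/32
"""
NAT_POSTROUTING = [
    "-A POSTROUTING -s 212.6.0.0/28 -d 192.168.245.0/24 -j MASQUERADE",
    "-A POSTROUTING -o eth2 -j MASQUERADE",
]
# Same chain with the usual IPsec exemption placed first (constructed fix, not from the post).
NAT_POSTROUTING_FIXED = [
    "-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT",
] + NAT_POSTROUTING

def parse_conn(text):
    """Return the key=value settings of an ipsec.conf conn section."""
    return dict(re.findall(r"^\s*(\w+)=(\S+)", text, re.M))

def tunnel_covers(conn, src, dst):
    """True if src->dst lies inside leftsubnet/rightsubnet in either direction.
    Without a *subnet line Openswan uses the endpoint address itself (a /32)."""
    left = ipaddress.ip_network(conn.get("leftsubnet", conn["left"] + "/32"))
    right = ipaddress.ip_network(conn.get("rightsubnet", conn["right"] + "/32"))
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in left and d in right) or (s in right and d in left)

def nat_verdict(conn, rules, src, dst, oif):
    """Return the first nat POSTROUTING target src->dst hits leaving via oif, or None.
    With NETKEY a MASQUERADE reached before a '-m policy --pol ipsec' ACCEPT rewrites
    the source address, so the XFRM policy lookup no longer matches the selectors."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        t = shlex.split(rule)
        opt = lambda flag: t[t.index(flag) + 1] if flag in t else None
        if opt("-s") and s not in ipaddress.ip_network(opt("-s")):
            continue
        if opt("-d") and d not in ipaddress.ip_network(opt("-d")):
            continue
        if opt("-o") and opt("-o") != oif:
            continue
        if opt("--pol") == "ipsec" and not tunnel_covers(conn, src, dst):
            continue
        return opt("-j")
    return None
```

Run against the post's values, the router-to-router ping is outside the selectors, and the client flow that is inside them hits MASQUERADE unless the exemption comes first.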