[Openswan Users] IPsec SA established but packets are not encapsulated

Dennison Williams dennison.williams at gmail.com
Mon Apr 12 21:52:32 EDT 2010 

An update on this issue:

I have now tried openswan 2.6.25 and 2.6.24 with the same results.  I
suppose it is absolutely possible that this is all the result of a lousy
router, I shouldn't get "IPsec SA Established"  if there is a bad router. 

My next guess is to look into how the route is setup afterwards.  What
are the other common issues for "IPsec SA Established" succeeding but
the link between the two endpoints not being encrypted in a NAT-T setup?


Dennison Williams wrote:
> Hello all,
>
> I sent an email yesterday titled "openswan + xl2tpd + iptables issues" 
> where I incorrectly diagnosed the problem to be one of iptables.  I now
> believe that the problem lies with packets not being correctly
> encapsulated between the two endpoints.  I expect that packets should be
> encapsulated to the openswan server from the client and that I should be
> able to reach addresses on the LAN but this is not happening.
>
> My network looks like follows:
> client (192.168.1.23) --> gateway (192.168.1.1) -> INTERNET -> openswan
> (24.21.203.123) -> LAN (10.66.6.0/24)
>
>
> The connection seems to come all the way up correctly:
> client# ipsec auto --up pptp-rw
> 104 "pptp-rw" #15: STATE_MAIN_I1: initiate
> 003 "pptp-rw" #15: received Vendor ID payload [Openswan (this version)
> 2.6.25 ]
> 003 "pptp-rw" #15: received Vendor ID payload [Dead Peer Detection]
> 003 "pptp-rw" #15: received Vendor ID payload [RFC 3947] method set to=109
> 106 "pptp-rw" #15: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "pptp-rw" #15: NAT-Traversal: Result using RFC 3947 (NAT-Traversal):
> both are NATed
> 108 "pptp-rw" #15: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "pptp-rw" #15: discarding duplicate packet; already STATE_MAIN_I3
> 010 "pptp-rw" #15: STATE_MAIN_I3: retransmission; will wait 20s for response
> 003 "pptp-rw" #15: received Vendor ID payload [CAN-IKEv2]
> 004 "pptp-rw" #15: STATE_MAIN_I4: ISAKMP SA established
> {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
> 117 "pptp-rw" #16: STATE_QUICK_I1: initiate
> 004 "pptp-rw" #16: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
> mode {ESP=>0xb1f1203e <0x8f21f2e4 xfrm=AES_128-HMAC_SHA1 NATOA=none
> NATD=24.21.203.123:4500 DPD=none}
>
> No new routing rules are setup to the LAN:
> # route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use
> Iface
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0
> wlan0
> 169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0
> wlan0
> 0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0
> wlan0
>
> And packets do not seem to get incapsulated when doing a ping test from
> either end:
> client# tcpdump -i wlan0 -n host 24.21.203.123 and not port 22
> 13:48:00.656164 IP 24.21.203.123.4500 > 192.168.1.23.4500:
> isakmp-nat-keep-alive
> 13:48:05.005971 IP 192.168.1.23 > 24.21.203.123: ICMP echo request, id
> 42584, seq 1, length 64
> 13:48:05.133579 IP 24.21.203.123 > 192.168.1.23: ICMP echo reply, id
> 42584, seq 1, length 64
>
> As you can see the nat-keep-alive is coming through, but there are no
> ESP packets for the ping.  Things look about the same as you might
> expect on the server:
>
> server# ipsec auto --status|grep estab
> 000 #47: "pptp-rw"[7] 75.93.49.165:4500 STATE_QUICK_R2 (IPsec SA
> established); EVENT_SA_REPLACE in 3070s; newest IPSEC; eroute owner;
> isakmp#46; idle; import:not set
> 000 #46: "pptp-rw"[7] 75.93.49.165:4500 STATE_MAIN_R3 (sent MR3, ISAKMP
> SA established); EVENT_SA_EXPIRE in 3340s; newest ISAKMP;
> lastdpd=-1s(seq in:0 out:0); idle; import:not set
>
> Where as here we do see the route set up to the client:
> server# route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use
> Iface
> 255.255.255.255 0.0.0.0         255.255.255.255 UH    0      0        0 eth2
> 10.66.6.0       0.0.0.0         255.255.255.0   U     0      0        0 eth2
> 24.21.200.0     0.0.0.0         255.255.248.0   U     0      0        0 eth1
> 0.0.0.0         24.21.200.1     0.0.0.0         UG    0      0        0 eth1
>
> But still no esp encapsulated packets (since the client is NAT-T the
> ping is initiated from the client):
> server# tcpdump -i eth1 -n \(host 75.93.49.165 and not port 22\) or
> \(host 192.168.1.23 and not port 22\)
> 13:55:22.888588 IP 24.21.203.123.4500 > 75.93.49.165.4500:
> isakmp-nat-keep-alive
> 13:55:26.117191 IP 75.93.49.165 > 24.21.203.123: ICMP echo request, id
> 64345, seq 1, length 64
> 13:55:26.117253 IP 24.21.203.123 > 75.93.49.165: ICMP echo reply, id
> 64345, seq 1, length 64
>
>
> In this test 75.93.49.165 is the public ip of the network the client is
> on.  We see the nat-keep-alive traffic, and we still see the clear text
> icmp traffic.
>
> I have been starring at this config issue for so long now, I am
> guessing my problem is obvious but can't seem to find it, so any
> feedback would be helpful at this point.
>
> Sincerely,
> Dennison Williams
>
> ipsec --version: Linux Openswan U2.6.25/K2.6.26-2-486 (netkey)
> compiled manually on both client and server
>
> Server ipsec config:
> version 2.0
> config setup
>         interfaces=%defaultroute
>         nat_traversal=yes
>        
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.66.6.0/24
>         protostack=netkey
>
> conn pptp-rw
>         leftcert=StorageCert.pem
>         leftrsasigkey=%cert
>         leftid=<x509_subject>
>         left=24.21.203.123	#%defaultroute is not working here for some reason
>         leftsourceip=10.66.6.1
>         leftsubnet=10.66.6.0/24
>         rightsubnet=vhost:%no,%priv
>         right=%any
>         auto=add
>         rightrsasigkey=%cert
>         rightid=<x509_subject>
>         authby=rsasig
>         pfs=no
>         rightca=%same
>         rekey=no
>
> conn block
>     auto=ignore
>
> conn private
>     auto=ignore
>
> conn private-or-clear
>     auto=ignore
>
> conn clear-or-private
>     auto=ignore
>
> conn clear
>     auto=ignore
>
> conn packetdefault
>     auto=ignore
>
> Client ipsec config:
> version 2.0
> config setup
>         interfaces=%defaultroute
>         nat_traversal=yes
>         protostack=netkey
>
> conn pptp-rw
>         left=192.168.1.23			#%defaultroute is not working here for some reason
>         leftrsasigkey=%cert
>         leftcert=<cert_file_name>
>         leftprotoport=17/1701
>         leftsourceip=192.168.1.23
>         right=24.21.203.123
>         rightid=<x509_subject>
>         rightsubnet=10.66.6.0/24
>         rightcert=StorageCert.pem
>         rightrsasigkey=%cert
>         rightca=%same
>         authby=rsasig
>         pfs=no
>         keyingtries=3
>         auto=add
>         rekey=yes
>         type=transport
>
> conn block
>     auto=ignore
>
> conn private
>     auto=ignore
>
> conn private-or-clear
>     auto=ignore
>
> conn clear-or-private
>     auto=ignore
>
> conn clear
>     auto=ignore
>
> conn packetdefault
>     auto=ignore
>
>

More information about the Users mailing list