[Openswan Users] Multiple interfaces ipsec/l2tp vpn openswan 2.6.26

Willie Gillespie wgillespie+openswan at es2eng.com
Wed Jun 23 17:09:31 EDT 2010 

I'm curious if you do a tcpdump looking at -i eth0 during that same time period if you see packets trying to head out that way.

-----Original Message-----
From: "Federico Viel" <fviel at bellunum.com>
Sent: Wednesday, June 23, 2010 8:11am
To: users at openswan.org
Subject: [Openswan Users] Multiple interfaces ipsec/l2tp vpn openswan 2.6.26

          {==========}
          { INTERNET }
          {==========}
            /      \
           /        \
        [ISP1]     [ISP2]
          |          |
    [HDSL Modem]  [DSL Modem]
          |          | 
          |eth4      |eth0
  eth2__[ Linux Router ]___eth3
                |eth1
                |
        [Internal Network]

This is my router conf
eth0 (IP= xx.yy.zz.246) is default internet traffic route interfaces
eth4 (IP= x.y.z.206) is the "dedicated" interface to vpns
eth1 (IP= 10.6.100.254) is lan interface
eth3 is DMZ interface
eth2 is another lan interface

   On eth4 I got
      2 net-to-tet VPN configured
      - The first  is an openswan router to opensan router VPN
      - The second is an    "       "    to cisco      "   VPN
   And
      1 IPSEC/L2TP road warrior VPN (xp client) ("conn L2TP-PSK" on
ipsec.conf)


On eth0 I had
     1 IPSEC/L2TP road warrior VPN ("conn L2TP-PSK2" on ipsec.conf)

Since my upgrade from opensan 2.4.6 to 2.6.26 and xl2tpd to 1.2.6 l2tp/ipsec
road warrior vpn on adsl also works fine, the 2 net-to-net vpns on HDSL work
fine,
but the road warrior ipsec/l2tp vpn on the same interface does not work
anymore.
Or better... it works iff I change the default route on my router through
eth4/gw = xx.yy.zz.193 (=> affecting fw functionality:
no more internet connection because nat...)


It looks like something on esp packet went wrong when routing decision have
to
be takenon l2tp/ipsec connection (the 2 ipsec net-to-net VPNs routed through
the
same interface work fine):
(below tcpdump example of roadwarrior connection try: no response from
router after phase 2)


multifw:/etc/init.d# tcpdump -i eth4 src R.W.I.P or dst R.W.I.P
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth4, link-type EN10MB (Ethernet), capture size 96 bytes
12:44:14.357096 IP R.W.I.P.isakmp > x.y.z.206 .isakmp: isakmp: phase 1 I
ident
12:44:14.358010 IP x.y.z.206 .isakmp > R.W.I.P.isakmp: isakmp: phase 1 R
ident
12:44:15.301166 IP R.W.I.P.isakmp > x.y.z.206 .isakmp: isakmp: phase 1 I
ident
12:44:15.306807 IP x.y.z.206 .isakmp > R.W.I.P.isakmp: isakmp: phase 1 R
ident
12:44:15.627204 IP R.W.I.P.isakmp > x.y.z.206 .isakmp: isakmp: phase 1 I
ident[E]
12:44:15.627477 IP x.y.z.206 .isakmp > R.W.I.P.isakmp: isakmp: phase 1 R
ident[E]
12:44:16.657183 IP R.W.I.P.isakmp > x.y.z.206 .isakmp: isakmp: phase
2/others I oakley-quick[E]
12:44:16.658494 IP x.y.z.206 .isakmp > R.W.I.P.isakmp: isakmp: phase
2/others R oakley-quick[E]
12:44:17.924862 IP R.W.I.P.isakmp > x.y.z.206 .isakmp: isakmp: phase
2/others I oakley-quick[E]
12:44:17.925459 IP x.y.z.206 .isakmp > R.W.I.P.isakmp: isakmp: phase
2/others R inf
12:44:17.928529 IP R.W.I.P.isakmp > x.y.z.206 .isakmp: isakmp: phase
2/others I oakley-quick[E]
12:44:17.931368 IP R.W.I.P> x.y.z.206 : ESP(spi=0xcca2bdba,seq=0x1), length
164
12:44:17.977159 IP R.W.I.P> x.y.z.206 : ESP(spi=0xcca2bdba,seq=0x2), length
164
12:44:20.135689 IP R.W.I.P> x.y.z.206 : ESP(spi=0xcca2bdba,seq=0x3), length
164
12:44:24.298083 IP R.W.I.P> x.y.z.206 : ESP(spi=0xcca2bdba,seq=0x4), length
164
12:44:32.677495 IP R.W.I.P> x.y.z.206 : ESP(spi=0xcca2bdba,seq=0x5), length
164
12:44:42.397244 IP R.W.I.P> x.y.z.206 : ESP(spi=0xcca2bdba,seq=0x6), length
164



This is my "advanced" multi-path-route script and my "no more working"
ipsec/l2tp ipsec.conf
road-warrior conn section


#!/bin/sh
ip route flush T2

#Clear out old rules
ip rule show | grep -Ev '^(0|32766|32767):|iif lo' \
  | while read PRIO NATRULE; do
  ip rule del prio ${PRIO%%:*} $( echo $NATRULE | sed 's|all|0/0|' )
done

ip route flush cache
# routing eth4
ip route add xx.yy.zz.192/28 dev eth4 table T2
ip route add table T2 default via xx.yy.zz.193 dev eth4

#use tabel T2 for marked packet 
#use table T2 to route packet from x.y.z.206
ip rule add from x.y.z.206 table T2

#add default route (even useful to lan pc internet access)
route add default gw x.y.z.241 
----------------------------------------


conn L2TP-PSK
        authby=secret
        pfs=no
        rekey=no
        keyingtries=3
        left=x.y.z.206
        leftsourceip=x.y.z.206
        leftnexthop=xx.yy.zz.193
        leftprotoport=17/1701
        right=%any
        rightsubnet=vhost:%no,%priv
        rightprotoport=17/%any
        auto=add



Thank you all in advance for any help.


Dr. Federico Viel

Bellunum srl
Via Marisiga, 111
32100 Belluno (Italy)

E-Mail: fviel at bellunum.com

_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan: 
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

More information about the Users mailing list