[Openswan Users] Multiple interfaces ipsec/l2tp vpn openswan 2.6.26

Federico Viel fviel at bellunum.com
Thu Jun 24 05:15:21 EDT 2010


The answer is: nothing!!!
This is the tcpdump output during an attempt to connect via ETH4:

tcpdump -i eth0 src R.W.I.P or dst R.W.I.P 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

0 packets captured
0 packets received by filter
0 packets dropped by kernel

---------------------------------------------------------------
By contrast, this is a "normal" successful RoadWarrior connection to eth0.

tcpdump -i eth0 src R.W.I.P or dst R.W.I.P 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:56:03.727606 IP R.W.I.P.isakmp > xx.yy.zz.246.isakmp: isakmp: phase 1 I ident
10:56:03.728482 IP xx.yy.zz.246.isakmp > R.W.I.P.isakmp: isakmp: phase 1 R ident
10:56:04.168316 IP R.W.I.P.isakmp > xx.yy.zz.246.isakmp: isakmp: phase 1 I ident
10:56:04.173780 IP xx.yy.zz.246.isakmp > R.W.I.P.isakmp: isakmp: phase 1 R ident
10:56:04.497174 IP R.W.I.P.isakmp > xx.yy.zz.246.isakmp: isakmp: phase 1 I ident[E]
10:56:04.497461 IP xx.yy.zz.246.isakmp > R.W.I.P.isakmp: isakmp: phase 1 R ident[E]
10:56:04.690208 IP R.W.I.P.isakmp > xx.yy.zz.246.isakmp: isakmp: phase 2/others I oakley-quick[E]
10:56:04.691704 IP xx.yy.zz.246.isakmp > R.W.I.P.isakmp: isakmp: phase 2/others R oakley-quick[E]
10:56:04.867739 IP R.W.I.P.isakmp > xx.yy.zz.246.isakmp: isakmp: phase 2/others I oakley-quick[E]
10:56:04.877762 IP R.W.I.P > xx.yy.zz.246: ESP(spi=0xaa528360,seq=0x1), length 164
10:56:04.879500 IP xx.yy.zz.246 > R.W.I.P: ESP(spi=0xb150c9e5,seq=0x1), length 140
10:56:05.047801 IP R.W.I.P > xx.yy.zz.246: ESP(spi=0xaa528360,seq=0x2), length 60
10:56:05.048039 IP R.W.I.P > xx.yy.zz.246: ESP(spi=0xaa528360,seq=0x3), length 92
10:56:05.048067 IP xx.yy.zz.246 > R.W.I.P: ESP(spi=0xb150c9e5,seq=0x2), length 52
10:56:05.049086 IP xx.yy.zz.246 > R.W.I.P: ESP(spi=0xb150c9e5,seq=0x3), length 68
10:56:05.049111 IP xx.yy.zz.246 > R.W.I.P: ESP(spi=0xb150c9e5,seq=0x4), length 52
.....


I'm quite sure the problem arises from Openswan, because I tried the following configurations:

Openswan version   l2tpd version    outcome (VPN conn to ETH4)   outcome (VPN conn to eth0)
2.4.6              l2tpd 0.70       success                      success
2.6.26             l2tpd 0.70       failure                      success
2.6.26             xl2tpd 1.2.0     failure                      success
2.6.26             xl2tpd 1.2.6     failure                      success


-----Original Message-----
From: Willie Gillespie [mailto:wgillespie+openswan at es2eng.com] 
Sent: Wednesday, 23 June 2010 23:10
To: Federico Viel
Cc: users at openswan.org
Subject: RE: [Openswan Users] Multiple interfaces ipsec/l2tp vpn openswan 2.6.26

I'm curious if you do a tcpdump looking at -i eth0 during that same time period if you see packets trying to head out that way.

-----Original Message-----
From: "Federico Viel" <fviel at bellunum.com>
Sent: Wednesday, June 23, 2010 8:11am
To: users at openswan.org
Subject: [Openswan Users] Multiple interfaces ipsec/l2tp vpn openswan 2.6.26

          {==========}
          { INTERNET }
          {==========}
            /      \
           /        \
        [ISP1]     [ISP2]
          |          |
    [HDSL Modem]  [DSL Modem]
          |          | 
          |eth4      |eth0
  eth2__[ Linux Router ]___eth3
                |eth1
                |
        [Internal Network]

This is my router configuration:
eth0 (IP= xx.yy.zz.246) is the default internet traffic route interface
eth4 (IP= x.y.z.206) is the "dedicated" interface for VPNs
eth1 (IP= 10.6.100.254) is the LAN interface
eth3 is the DMZ interface
eth2 is another LAN interface

   On eth4 I have
      2 net-to-net VPNs configured
      - The first  is an Openswan router to Openswan router VPN
      - The second is an Openswan router to Cisco router VPN
   And
      1 IPsec/L2TP road warrior VPN (XP client) ("conn L2TP-PSK" in ipsec.conf)


On eth0 I have
     1 IPsec/L2TP road warrior VPN ("conn L2TP-PSK2" in ipsec.conf)

Since my upgrade from Openswan 2.4.6 to 2.6.26 and xl2tpd to 1.2.6, the L2TP/IPsec
road warrior VPN on ADSL still works fine and the 2 net-to-net VPNs on HDSL work
fine, but the road warrior IPsec/L2TP VPN on that same interface does not work
anymore.
Or rather... it works iff I change the default route on my router to go through
eth4/gw = xx.yy.zz.193 (which breaks the firewall functionality:
no more internet connection because of NAT...)


It looks like something goes wrong with the ESP packets when the routing decision
has to be taken on the L2TP/IPsec connection (the 2 IPsec net-to-net VPNs routed
through the same interface work fine):
(below, a tcpdump example of a road warrior connection attempt: no response from
the router after phase 2)


multifw:/etc/init.d# tcpdump -i eth4 src R.W.I.P or dst R.W.I.P
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth4, link-type EN10MB (Ethernet), capture size 96 bytes
12:44:14.357096 IP R.W.I.P.isakmp > x.y.z.206.isakmp: isakmp: phase 1 I ident
12:44:14.358010 IP x.y.z.206.isakmp > R.W.I.P.isakmp: isakmp: phase 1 R ident
12:44:15.301166 IP R.W.I.P.isakmp > x.y.z.206.isakmp: isakmp: phase 1 I ident
12:44:15.306807 IP x.y.z.206.isakmp > R.W.I.P.isakmp: isakmp: phase 1 R ident
12:44:15.627204 IP R.W.I.P.isakmp > x.y.z.206.isakmp: isakmp: phase 1 I ident[E]
12:44:15.627477 IP x.y.z.206.isakmp > R.W.I.P.isakmp: isakmp: phase 1 R ident[E]
12:44:16.657183 IP R.W.I.P.isakmp > x.y.z.206.isakmp: isakmp: phase 2/others I oakley-quick[E]
12:44:16.658494 IP x.y.z.206.isakmp > R.W.I.P.isakmp: isakmp: phase 2/others R oakley-quick[E]
12:44:17.924862 IP R.W.I.P.isakmp > x.y.z.206.isakmp: isakmp: phase 2/others I oakley-quick[E]
12:44:17.925459 IP x.y.z.206.isakmp > R.W.I.P.isakmp: isakmp: phase 2/others R inf
12:44:17.928529 IP R.W.I.P.isakmp > x.y.z.206.isakmp: isakmp: phase 2/others I oakley-quick[E]
12:44:17.931368 IP R.W.I.P > x.y.z.206: ESP(spi=0xcca2bdba,seq=0x1), length 164
12:44:17.977159 IP R.W.I.P > x.y.z.206: ESP(spi=0xcca2bdba,seq=0x2), length 164
12:44:20.135689 IP R.W.I.P > x.y.z.206: ESP(spi=0xcca2bdba,seq=0x3), length 164
12:44:24.298083 IP R.W.I.P > x.y.z.206: ESP(spi=0xcca2bdba,seq=0x4), length 164
12:44:32.677495 IP R.W.I.P > x.y.z.206: ESP(spi=0xcca2bdba,seq=0x5), length 164
12:44:42.397244 IP R.W.I.P > x.y.z.206: ESP(spi=0xcca2bdba,seq=0x6), length 164



This is my "advanced" multi-path route script and the road-warrior conn section
of my "no longer working" IPsec/L2TP ipsec.conf:


#!/bin/sh
# Policy routing for the second uplink (eth4): packets sourced from the
# eth4 address are looked up in table T2, everything else follows the
# default route of the main table.
# "T2" must be defined in /etc/iproute2/rt_tables (e.g. a line "2 T2")
# for iproute2 to accept the table by name.

# Drop whatever table T2 currently holds
ip route flush table T2

# Clear out old rules, keeping the three built-in ones
# (0 = local, 32766 = main, 32767 = default)
ip rule show | grep -Ev '^(0|32766|32767):|iif lo' \
  | while read PRIO NATRULE; do
  # "ip rule show" prints "from all", but "ip rule del" wants 0/0
  ip rule del prio ${PRIO%%:*} $( echo $NATRULE | sed 's|all|0/0|' )
done

# routing eth4: link route for the /28, then a default route via the ISP1 gateway
ip route add xx.yy.zz.192/28 dev eth4 table T2
ip route add table T2 default via xx.yy.zz.193 dev eth4

# use table T2 to route packets sourced from x.y.z.206 (the eth4 address)
ip rule add from x.y.z.206 table T2

# add the default route in the main table (also used for LAN PCs' internet access);
# "replace" is idempotent, unlike "route add", which fails if a default route exists
ip route replace default via x.y.z.241

# the routing cache has to be flushed after the changes, not before them
ip route flush cache
----------------------------------------


conn L2TP-PSK
        # pre-shared key authentication; the PSK itself lives in ipsec.secrets
        authby=secret
        # the Windows L2TP client does not negotiate PFS; leave rekeying to the client
        pfs=no
        rekey=no
        keyingtries=3
        # our side: the eth4 address and the ISP1 gateway on that interface
        left=x.y.z.206
        leftsourceip=x.y.z.206
        leftnexthop=xx.yy.zz.193
        # only L2TP (UDP 1701) is carried inside the tunnel
        leftprotoport=17/1701
        # any road warrior, including clients behind NAT using private addresses
        right=%any
        rightsubnet=vhost:%no,%priv
        rightprotoport=17/%any
        # load the conn at startup and wait for the client to initiate
        auto=add



Thank you all in advance for any help.


Dr. Federico Viel

Bellunum srl
Via Marisiga, 111
32100 Belluno (Italy)

E-Mail: fviel at bellunum.com

_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan: 
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
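Added example, not code from the thread or from Openswan: a small Python checker that automates the comparison Willie proposed, running the same question ("does any ESP ever leave the router in reply?") over tcpdump text. It parses the ISAKMP and ESP lines shown above, groups ESP by (source, destination, SPI), flags flows that never get a reverse flow, and notes when the responder answers Quick Mode with an Informational exchange instead of another quick-mode message, as in the failing eth4 trace. The two sample captures are constructed, abridged from the traces quoted above with the thread's anonymised addresses; the "retransmit-like" heuristic (a one-way flow of same-sized ESP packets) is my own reading of the failing trace, not something the thread states.

```python
"""Triage an L2TP/IPsec road-warrior capture from tcpdump's text output."""
import re
from collections import Counter

# tcpdump line:  <time> IP <src>[.isakmp] > <dst>[.isakmp]: <decoded payload>
LINE_RE = re.compile(r'^(?P<ts>\S+) IP (?P<src>\S+?)\s*>\s*(?P<dst>\S+?)\s*:\s*(?P<rest>.*)$')
ESP_RE = re.compile(r'ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\)'
                    r'(?:, length (?P<len>\d+))?')

# Constructed samples, abridged from the two captures in the thread.
FAILING = """\
12:44:15.627204 IP R.W.I.P.isakmp > x.y.z.206.isakmp: isakmp: phase 1 I ident[E]
12:44:15.627477 IP x.y.z.206.isakmp > R.W.I.P.isakmp: isakmp: phase 1 R ident[E]
12:44:16.657183 IP R.W.I.P.isakmp > x.y.z.206.isakmp: isakmp: phase 2/others I oakley-quick[E]
12:44:16.658494 IP x.y.z.206.isakmp > R.W.I.P.isakmp: isakmp: phase 2/others R oakley-quick[E]
12:44:17.924862 IP R.W.I.P.isakmp > x.y.z.206.isakmp: isakmp: phase 2/others I oakley-quick[E]
12:44:17.925459 IP x.y.z.206.isakmp > R.W.I.P.isakmp: isakmp: phase 2/others R inf
12:44:17.931368 IP R.W.I.P > x.y.z.206: ESP(spi=0xcca2bdba,seq=0x1), length 164
12:44:17.977159 IP R.W.I.P > x.y.z.206: ESP(spi=0xcca2bdba,seq=0x2), length 164
12:44:20.135689 IP R.W.I.P > x.y.z.206: ESP(spi=0xcca2bdba,seq=0x3), length 164
"""
WORKING = """\
10:56:04.497174 IP R.W.I.P.isakmp > xx.yy.zz.246.isakmp: isakmp: phase 1 I ident[E]
10:56:04.497461 IP xx.yy.zz.246.isakmp > R.W.I.P.isakmp: isakmp: phase 1 R ident[E]
10:56:04.690208 IP R.W.I.P.isakmp > xx.yy.zz.246.isakmp: isakmp: phase 2/others I oakley-quick[E]
10:56:04.691704 IP xx.yy.zz.246.isakmp > R.W.I.P.isakmp: isakmp: phase 2/others R oakley-quick[E]
10:56:04.877762 IP R.W.I.P > xx.yy.zz.246: ESP(spi=0xaa528360,seq=0x1), length 164
10:56:04.879500 IP xx.yy.zz.246 > R.W.I.P: ESP(spi=0xb150c9e5,seq=0x1), length 140
10:56:05.047801 IP R.W.I.P > xx.yy.zz.246: ESP(spi=0xaa528360,seq=0x2), length 60
10:56:05.048067 IP xx.yy.zz.246 > R.W.I.P: ESP(spi=0xb150c9e5,seq=0x2), length 52
"""


def _host(field):
    """Strip the service name tcpdump appends to IKE endpoints."""
    return field[:-len('.isakmp')] if field.endswith('.isakmp') else field


def parse_tcpdump(text):
    """Turn tcpdump text into ISAKMP and ESP events; unrelated lines are ignored."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        src, dst, rest = _host(m['src']), _host(m['dst']), m['rest']
        if rest.startswith('isakmp:'):
            events.append({'kind': 'isakmp', 'src': src, 'dst': dst,
                           'info': rest[len('isakmp:'):].strip()})
            continue
        e = ESP_RE.search(rest)
        if e:
            events.append({'kind': 'esp', 'src': src, 'dst': dst, 'spi': e['spi'].lower(),
                           'seq': int(e['seq'], 16),
                           'length': int(e['len']) if e['len'] else None})
    return events


def analyse(events):
    """ESP counts per (src, dst, spi), flows with no reverse flow, and IKE oddities."""
    esp, lengths = Counter(), {}
    for ev in events:
        if ev['kind'] == 'esp':
            key = (ev['src'], ev['dst'], ev['spi'])
            esp[key] += 1
            lengths.setdefault(key, []).append(ev['length'])
    pairs = {(s, d) for (s, d, _) in esp}
    one_way = sorted(k for k in esp if (k[1], k[0]) not in pairs)
    # Heuristic: a one-way flow whose packets are all the same size looks like
    # the peer retransmitting one unanswered datagram (the L2TP setup, here).
    retransmit_like = [k for k in one_way if esp[k] > 1 and len(set(lengths[k])) == 1]
    # Responder sends an Informational exchange instead of finishing Quick Mode
    quick_seen, inf_after_quick = False, False
    for ev in events:
        if ev['kind'] != 'isakmp':
            continue
        if 'oakley-quick' in ev['info']:
            quick_seen = True
        elif quick_seen and re.search(r'\bR inf\b', ev['info']):
            inf_after_quick = True
    return {'esp_flows': dict(esp), 'one_way': one_way,
            'retransmit_like': retransmit_like,
            'informational_after_quick': inf_after_quick}


def verdict(report):
    """One-line conclusion for the capture."""
    if not report['esp_flows']:
        return 'no ESP seen'
    if report['one_way']:
        return 'ESP arrives but no ESP reply leaves'
    return 'bidirectional ESP'


if __name__ == '__main__':
    for name, capture in (('eth4', FAILING), ('eth0', WORKING)):
        rep = analyse(parse_tcpdump(capture))
        print(name, verdict(rep), rep['one_way'], rep['informational_after_quick'])
```

Run it against a real capture with `tcpdump -i eth4 -nn 'src R.W.I.P or dst R.W.I.P' > eth4.txt` and feed the file to `parse_tcpdump`; a verdict of "ESP arrives but no ESP reply leaves" on the VPN interface, combined with an empty capture on every other interface, is the pattern the thread describes and points at the router's own ESP emission or routing rather than at the client.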




