[Openswan Users] Multiple interfaces ipsec/l2tp vpn PROBLEM openswan 2.6.26

Federico Viel fviel at bellunum.com
Tue Jun 22 10:52:07 EDT 2010


           {==========}
           { INTERNET }
           {==========}
            /      \
           /        \
        [ISP1]     [ISP2]
          |          |
    [HDSL Modem]  [DSL Modem]
          |          | 
          |eth4      |eth0
  eth2__[ Linux Router ]___eth3
                |eth1
                |
        [Internal Network]

This is my router conf:
eth0 (IP= xx.yy.zz.246) is the default internet traffic route interface
eth4 (IP= x.y.z.206) is the "dedicated" interface for VPNs
eth1 (IP= 10.6.100.254) is the LAN interface
eth3 is the DMZ interface
eth2 is another LAN interface

   On eth4 I got
      2 net-to-net VPNs configured
      - The first  is an openswan router to openswan router VPN
      - The second is an    "       "    to cisco      "   VPN
   And
      1 IPSEC/L2TP road warrior VPN (xp client) ("conn L2TP-PSK" in
ipsec.conf)


On eth0 I had
     1 IPSEC/L2TP road warrior VPN ("conn L2TP-PSK2" in ipsec.conf)

Since my upgrade from openswan 2.4.6 to 2.6.26 and xl2tpd to 1.2.6,
the l2tp/ipsec road warrior vpn on adsl also works fine and
the 2 net-to-net vpns on HDSL work fine, but the road warrior ipsec/l2tp vpn
on the same interface does not work anymore.
Or better... it works iff I change the default route on my router through
eth4/gw = xx.yy.zz.193 (=> affecting fw functionality:
no more internet connection because of nat...)


It looks like something goes wrong with the ESP packets when the routing
decision has to be taken for the l2tp/ipsec connection (the 2 ipsec
net-to-net VPNs routed through the same interface work fine):
(a tcpdump example of a road-warrior connection attempt follows: no response
from the router after phase 2)


multifw:/etc/init.d# tcpdump -i eth4 src R.W.I.P or dst R.W.I.P
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth4, link-type EN10MB (Ethernet), capture size 96 bytes
12:44:14.357096 IP R.W.I.P.isakmp > x.y.z.206.isakmp: isakmp: phase 1 I ident
12:44:14.358010 IP x.y.z.206.isakmp > R.W.I.P.isakmp: isakmp: phase 1 R ident
12:44:15.301166 IP R.W.I.P.isakmp > x.y.z.206.isakmp: isakmp: phase 1 I ident
12:44:15.306807 IP x.y.z.206.isakmp > R.W.I.P.isakmp: isakmp: phase 1 R ident
12:44:15.627204 IP R.W.I.P.isakmp > x.y.z.206.isakmp: isakmp: phase 1 I ident[E]
12:44:15.627477 IP x.y.z.206.isakmp > R.W.I.P.isakmp: isakmp: phase 1 R ident[E]
12:44:16.657183 IP R.W.I.P.isakmp > x.y.z.206.isakmp: isakmp: phase 2/others I oakley-quick[E]
12:44:16.658494 IP x.y.z.206.isakmp > R.W.I.P.isakmp: isakmp: phase 2/others R oakley-quick[E]
12:44:17.924862 IP R.W.I.P.isakmp > x.y.z.206.isakmp: isakmp: phase 2/others I oakley-quick[E]
12:44:17.925459 IP x.y.z.206.isakmp > R.W.I.P.isakmp: isakmp: phase 2/others R inf
12:44:17.928529 IP R.W.I.P.isakmp > x.y.z.206.isakmp: isakmp: phase 2/others I oakley-quick[E]
12:44:17.931368 IP R.W.I.P > x.y.z.206: ESP(spi=0xcca2bdba,seq=0x1), length 164
12:44:17.977159 IP R.W.I.P > x.y.z.206: ESP(spi=0xcca2bdba,seq=0x2), length 164
12:44:20.135689 IP R.W.I.P > x.y.z.206: ESP(spi=0xcca2bdba,seq=0x3), length 164
12:44:24.298083 IP R.W.I.P > x.y.z.206: ESP(spi=0xcca2bdba,seq=0x4), length 164
12:44:32.677495 IP R.W.I.P > x.y.z.206: ESP(spi=0xcca2bdba,seq=0x5), length 164
12:44:42.397244 IP R.W.I.P > x.y.z.206: ESP(spi=0xcca2bdba,seq=0x6), length 164



This is my "advanced" multi-path-route script and the "no longer working"
ipsec/l2tp road-warrior conn section of my ipsec.conf


#!/bin/sh
# Flush the secondary routing table (T2 must be defined in /etc/iproute2/rt_tables);
# 'ip route flush' needs the 'table' keyword, a bare table name is rejected
ip route flush table T2

#Clear out old rules (keep the three built-in ones and anything matching lo)
ip rule show | grep -Ev '^(0|32766|32767):|iif lo' \
  | while read PRIO NATRULE; do
  ip rule del prio ${PRIO%%:*} $( echo $NATRULE | sed 's|all|0/0|' )
done

ip route flush cache
# routing eth4: the on-link subnet plus a default via the eth4 gateway, in table T2
ip route add xx.yy.zz.192/28 dev eth4 table T2
ip route add table T2 default via xx.yy.zz.193 dev eth4

#use table T2 to route packets sourced from x.y.z.206 (the VPN interface address)
ip rule add from x.y.z.206 table T2

#add default route in the main table (also used for lan pc internet access)
route add default gw x.y.z.241
----------------------------------------


conn L2TP-PSK
        authby=secret
        pfs=no
        rekey=no
        keyingtries=3
        left=x.y.z.206
        leftsourceip=x.y.z.206
        leftnexthop=xx.yy.zz.193
        leftprotoport=17/1701
        right=%any
        rightsubnet=vhost:%no,%priv
        rightprotoport=17/%any
        auto=add



Thank you all in advance for any help.


Dr. Federico Viel

Bellunum srl
Via Marisiga, 111
32100 Belluno (Italy)

E-Mail: fviel at bellunum.com
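The capture above shows the symptom clearly: IKE phase 1 and phase 2 complete in both directions, then ESP arrives from the road warrior and nothing ever leaves the gateway. The script below is an added diagnostic, not part of the post or of openswan, that parses tcpdump lines of the format shown in the post and flags exactly that one-way pattern, so the same check can be run over a fresh capture when testing a routing change. It assumes a single-line tcpdump output format (the wrapped lines from the mail are joined); the sample capture is constructed from the post, with the poster's placeholders R.W.I.P and x.y.z.206 kept as-is, and the gateway address is passed in as a parameter.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, rebuilt from the capture in the post (wrapped lines joined).
# "R.W.I.P" and "x.y.z.206" are the poster's placeholders, kept unchanged.
SAMPLE_CAPTURE = """\
12:44:14.357096 IP R.W.I.P.isakmp > x.y.z.206.isakmp: isakmp: phase 1 I ident
12:44:14.358010 IP x.y.z.206.isakmp > R.W.I.P.isakmp: isakmp: phase 1 R ident
12:44:16.657183 IP R.W.I.P.isakmp > x.y.z.206.isakmp: isakmp: phase 2/others I oakley-quick[E]
12:44:16.658494 IP x.y.z.206.isakmp > R.W.I.P.isakmp: isakmp: phase 2/others R oakley-quick[E]
12:44:17.931368 IP R.W.I.P > x.y.z.206: ESP(spi=0xcca2bdba,seq=0x1), length 164
12:44:17.977159 IP R.W.I.P > x.y.z.206: ESP(spi=0xcca2bdba,seq=0x2), length 164
12:44:20.135689 IP R.W.I.P > x.y.z.206: ESP(spi=0xcca2bdba,seq=0x3), length 164
"""

# tcpdump's default IKE and ESP summary lines, as printed in the post.
ISAKMP_RE = re.compile(
    r"^\S+ IP (\S+?)\.isakmp > (\S+?)\.isakmp: isakmp: phase (\S+) ([IR]) (.+)$"
)
ESP_RE = re.compile(
    r"^\S+ IP (\S+?) > (\S+?): ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\)"
)


def analyse(capture, gateway):
    """Count IKE exchanges and ESP packets per direction relative to `gateway`.

    Each IPsec SA direction has its own SPI, so "inbound ESP seen, no outbound
    ESP at all" is the signal for a reply-path (routing) problem rather than
    a negotiation failure.
    """
    isakmp = Counter()            # (direction, phase) -> packets
    esp_in = defaultdict(int)     # spi -> packets towards the gateway
    esp_out = defaultdict(int)    # spi -> packets from the gateway
    for line in capture.splitlines():
        m = ISAKMP_RE.match(line)
        if m:
            src, dst, phase, _role, _payload = m.groups()
            direction = "in" if dst == gateway else "out"
            isakmp[(direction, phase)] += 1
            continue
        m = ESP_RE.match(line)
        if m:
            src, dst, spi, _seq = m.groups()
            if dst == gateway:
                esp_in[spi] += 1
            elif src == gateway:
                esp_out[spi] += 1
    return {
        "isakmp_phase2_replied": isakmp[("out", "2/others")] > 0,
        "esp_in": dict(esp_in),
        "esp_out": dict(esp_out),
        "one_way_esp": bool(esp_in) and not esp_out,
    }


def diagnose(report):
    """Turn the counts into the one-line verdict an operator wants."""
    if report["one_way_esp"] and report["isakmp_phase2_replied"]:
        return ("IKE completed but the gateway sends no ESP back: the decrypted "
                "L2TP traffic or its reply is not leaving via the IPsec interface; "
                "check 'ip rule' / 'ip route' (source-based rule for the interface "
                "address) and which route the reply actually takes.")
    if not report["esp_in"]:
        return "No ESP seen at all: the problem is in IKE or before it reaches this interface."
    return "ESP flows in both directions: routing of the tunnel itself looks fine."


if __name__ == "__main__":
    r = analyse(SAMPLE_CAPTURE, "x.y.z.206")
    print(r)
    print(diagnose(r))
```

Run it against `tcpdump -i eth4 src R.W.I.P or dst R.W.I.P > capture.txt` output (with the capture read into `analyse`) before and after a routing change; the verdict switches from one-way to two-way as soon as the reply path is right.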


