[Openswan Users] Old user having troubles with new techniques
Larry Brown
larry.brown at dimensionnetworks.com
Mon Jun 28 14:22:32 EDT 2010
I used to successfully use FreeS/WAN after following the howtos and it
worked brilliantly. Fast forward 10 years and I, for the life of me,
cannot get my packets through... I followed the howto for a roadwarrior
using netkey and it eludes me. If anyone can help, I sure can use it.
Scenario:
RoadWarrior
[192.168.2.1 (netmask 255.255.0.0)]
RoadWarrior Local Gateway
[192.168.1.1 (internal eth1) --NAT-- 10.45.212.101(external eth0)]
Office Gateway
[10.45.212.71 (external eth0) --NAT-- 172.16.0.1 (internal eth1)]
Office Server
[172.16.0.4 (netmask 255.255.255.0)]
The Roadwarrior in the example is behind a gateway, but may in other
circumstances be directly connected to the Internet.
I get a successful tunnel using the following ipsec.confs
RoadWarrior:
version 2.0
config setup
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/24
	oe=off
	protostack=netkey
conn road
	left=%defaultroute
	leftid=@rw1
	leftrsasigkey=0s.....K
	right=10.45.212.71
	rightsubnet=172.16.0.0/24
	rightid=@gateway
	rightrsasigkey=0s.....N
	auto=add
Gateway:
version 2.0
config setup
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/24
	oe=off
	protostack=netkey
conn road
	left=10.45.212.71
	leftid=@gateway
	leftsubnet=172.16.0.0/24
	leftrsasigkey=0s.....N
	right=%any
	rightid=@rw1
	rightrsasigkey=0s.....K
	auto=add
So I am able to create the tunnel from the roadwarrior successfully. I
send out a ping from the roadwarrior to the 172.16.0.4 server with no
response. Sniffing traffic on the roadwarrior gateway I can see the
packets with source 192.168.2.1 and destination 10.45.212.71 as ESP packets. On
the Office gateway I can see the ESP packets from 10.45.212.101
arriving. Immediately after those packets I see the ICMP packet from
192.168.2.1 to destination 172.16.0.4 on eth0 (external interface). I do
not see a packet on eth1 of that gateway bound for 172.16.0.4. There is
no firewall enabled.
I have tried various iptables attempts that the howto does not mention
to no avail. The howto looks like it should just work at this point.
Do I need to set up something on netkey to get it to work?
ipsec version on the roadwarrior is:
Linux Openswan U2.6.27/K2.6.33.3 (netkey)
ipsec version on the office gateway:
Linux Openswan U2.6.27/K2.6.22.9-61.fc6 (netkey)
TIA
Larry
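The symptom above (decrypted ICMP visible on eth0, nothing on eth1) is what a NETKEY gateway shows when the kernel does not forward the decrypted packet, so the usual first check is the forwarding and reverse-path sysctls that ipsec verify also reports. The audit script below is an added example, not part of this post or of Openswan; PROC_ROOT, IFACE_EXT and IFACE_INT are assumed names, and the sysctl values it prints are the standard NETKEY gateway settings rather than a diagnosis of this particular case.

```shell
#!/bin/sh
# Audit the kernel settings a NETKEY IPsec gateway needs so that packets
# decrypted on the external interface are forwarded to the internal LAN.
# Added example; PROC_ROOT, IFACE_EXT and IFACE_INT are assumed names.
PROC_ROOT="${PROC_ROOT:-/proc}"
IFACE_EXT="${IFACE_EXT:-eth0}"   # ESP arrives here, decrypted packets reappear here
IFACE_INT="${IFACE_INT:-eth1}"   # decrypted packets must be forwarded out here

# sysctl_val NAME: print the value of net.ipv4.NAME from /proc (empty if absent).
# Always returns 0 so callers can use it under set -e.
sysctl_val() {
    f="$PROC_ROOT/sys/net/ipv4/$(printf '%s' "$1" | tr . /)"
    [ -r "$f" ] && tr -d '[:space:]' < "$f"
    return 0
}

# expect_val NAME WANTED: print ok/FAIL line with the remediation; 0 on match, 1 otherwise.
expect_val() {
    got=$(sysctl_val "$1")
    if [ "$got" = "$2" ]; then
        echo "ok   net.ipv4.$1=$got"
        return 0
    fi
    echo "FAIL net.ipv4.$1=${got:-missing} (want $2): sysctl -w net.ipv4.$1=$2"
    return 1
}

# netkey_forward_audit: run every check, return the number of failed checks.
netkey_forward_audit() {
    fails=0
    # The decrypted packet is routed from IFACE_EXT to IFACE_INT, so
    # IP forwarding must be enabled or it is silently dropped.
    expect_val ip_forward 1 || fails=$((fails + 1))
    # Strict reverse-path filtering can drop decrypted packets whose source
    # (the roadwarrior's private address) is not routed via the arriving
    # interface; NETKEY guidance is to turn rp_filter off on the gateway.
    for i in all "$IFACE_EXT" "$IFACE_INT"; do
        expect_val "conf.$i.rp_filter" 0 || fails=$((fails + 1))
    done
    # A gateway should neither send nor accept ICMP redirects for tunnelled paths.
    expect_val conf.all.send_redirects 0 || fails=$((fails + 1))
    expect_val conf.all.accept_redirects 0 || fails=$((fails + 1))
    # If the box also MASQUERADEs the LAN, replies must skip NAT before xfrm:
    # iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
    return $fails
}
```

Source the file on the office gateway and run netkey_forward_audit; its exit status is the number of settings that still need changing.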