[Openswan Users] IPSEC routing refuses to go through the tunnel
Greg Scott
GregScott at InfraSupportEtc.com
Thu Mar 18 22:43:37 EDT 2010
And now I know the HQ site is routing my tunnel traffic in the clear
even though it should be routing it through the tunnel. How do I know?
>From Rochester - ping a host inside HQ and watch tcpdump on the HQ
firewall. Watching for -i br0 net 172.21.7.0/24, I see echo requests
and replies. Breaking it down to physical eth devices, all looks as it
should. But watching tcpdump looking for the public side of Rochester -
nothing. No ESP, just dead space.
Anything **initiated** from the HQ side works as it should. But
anything with the HQ side **responding** tries to route outside the
tunnel.
OK, so what's different now than before? The biggie - everything is
bridged now and it was a pure router before. So now both the inside
(LAN) and outside (Internet) interface is br0 instead of eth1 and eth0.
I have other sites doing Openswan tunnels with bridged firewalls. The
firewall rules are a little different now because it's a bridge. But I
can drop all the filtering rules and the problem does not change. I
also just put in some more nat PREROUTING rules to make sure I'm not
masquerading anything that should be part of a tunnel. But this didn't
help.
Why bridge? Because a Cisco VPN Concentrator and a Sonicwall VPN device
were connected in parallel. Neither of these work well behind a NAT
gateway. We want them behind the firewall so I can see all the traffic
in and out of this network.
So now that I have the problem well defined, it would be lots better if
I knew how to fix it.
- Greg Scott
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Greg Scott
Sent: Thursday, March 18, 2010 4:39 PM
To: users at openswan.org
Subject: [Openswan Users] IPSEC routing refuses to go through the tunnel
I've been banging my head all day on this one. I'm running an Openswan
tunnel between a HQ site and several branches. These tunnels have
worked for years with no hassles. After modifying the HQ system to use
bridging, now all my tunnels have turned to pure crap. It has to be
something subtle I'm missing but I'm not getting it. Here are details:
The home HQ site is the right, the branch site in Rochester on the left.
HQ is running Openswan 2.6.19. Rochester is running Openswan U2.4.4.
The main HQ LAN is 192.168.3.nnn/24 The Rochester LAN is 172.21.7.0/24.
The problem is on the HQ side.
>From a host inside the HQ network, I can ping anywhere I want inside
Rochester. But when Rochester tries to ping anywhere inside HQ, the
pings just hang. So do all other connection types. Watching tcpdump
on the HQ side, I see the Echo Request/Echo Reply pairs go back and
forth as normal. But Rochester never sees an echo reply come back.
Trying a traceroute from the HQ firewall to Rochester, instead of going
thru the tunnel, the packets wander out over the public Internet -
**outside** the tunnel - and eventually die. Trying the same traceroute
from a host inside the HQ LAN works as normal.
The answer has to be right in front of my face but I don't see it.
I've also looked at some ip xfrm policy output and tried to decipher it.
Near as I can tell and comparing with other working tunnel networks, it
looks OK. So how do I tell ipsec to stop messing around and route the
stuff I want through that tunnel?
Here is the relevant portion of /etc/ipsec.d/hq-ipsec.conf with dummied
up public IP Addresses:
##version 2.0 # conforms to second version of ipsec.conf
specification
# basic configuration
conn Rochester-Everywhere
type=tunnel
#
# Left security gateway, subnet behind it, next hop toward
right.
#
also=rochester
#
# Right security gateway, subnet behind it, next hop toward
left.
#
also=hq
rightupdown=/etc/ipsec.d/hq-updown.sh
auto=start
.
.
.
include /etc/ipsec.d/sites.conf
Here is the relevant portion of my sites.conf file:
##version 2.0 # conforms to second version of ipsec.conf
specification
# basic configuration
conn hq
right=1.2.3.50
rightnexthop=1.2.3.49
rightsubnet=192.168.0.0/16
rightsourceip=192.168.3.5
rightid=@hq.local
# RSA 2192 bits hq.lme.local Wed Jul 19 21:09:32 2006
rightrsasigkey=0sAQNb...
conn rochester
left=3.2.1.145
leftnexthop=3.2.1.150
leftsubnet=172.21.7.0/24
leftsourceip=172.21.7.1
leftid=@rochester.local
# RSA 2192 bits rochester.lme.local Sat Oct 21 07:04:18 2006
leftrsasigkey=0sAQNki3sx4...
.
.
.
And here is hq_updown.sh. I've gone through a few different iterations
of this:
#!/bin/sh
LOCALNET1=192.168.0.0/16
LOCALNET2=10.200.1.0/24
##/usr/lib/ipsec/_updown $*
/usr/libexec/ipsec/_updown $*
if [ "$PLUTO_VERB" = "route-host" -o "$PLUTO_VERB" = "route-client" ];
then
for dir in in out; do
ip xfrm policy update dir $dir src $LOCALNET1 dst $LOCALNET1
ip xfrm policy update dir $dir src $LOCALNET2 dst $LOCALNET2
done
fi
# Route to Rochester
##/sbin/ip route change 172.21.7.0/24 dev br0 src 192.168.3.5 mtu 1400
One more clue. Ip route show... will display the relevant routes after
restarting ipsec, relevant extract pasted in below. But notice the
route to Rochester, 172.21.7.0/24 - it doesn't say scope link the way
other IPSEC routes on other hosts do. This is a clue but I don't know
what it means.
[root at lme-fw2 ipsec]# ip route show
.
.
.
1.2.3.48/28 dev br0 proto kernel scope link src 12.2.3.50
192.168.4.0/24 via 192.168.3.100 dev br0
192.168.3.0/24 dev br0 proto kernel scope link src 192.168.3.5
.
.
.
172.21.7.0/24 via 12.24.248.49 dev br0 src 192.168.3.5
.
.
.
default via 1.2.3.49 dev br0
[root at lme-fw2 ipsec]#
Thanks
- Greg Scott
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20100318/1734b88c/attachment-0001.html
More information about the Users
mailing list