[Openswan Users] Routing problem with IPSec Site-To-Site between Openswan and Cisco ASA

Min Hwan Chang minchang at gmail.com
Fri Nov 12 14:01:38 EST 2010


Hi all,

I've set up an Openswan to Cisco ASA Site-to-Site but I'm having some
problems with the left side not being able to ping the 10.1.0.0/16
network. From the Cisco ASA side I'm able to ping the 192.168.1.x
network with no problems.
I suppose it has to do with wrong values for the left and right sides,
but I'm stumped on this one.

For the sake of brevity I've included what I thought might be relevant
logs and a TCP Dump but can send the full barf if requested.

192.168.1.0/24===192.168.1.50---192.168.1.1...10.1.0.1---66.xx.xx.xxx===10.1.0.0/16

config setup
       interfaces=%defaultroute #interfaces="ipsec0=eth0"
       klipsdebug=all #enable debugging using all
       plutodebug=all
       nat_traversal=yes
#       virtual_private=%v4:192.168.1.0/24

conn test
       type=tunnel     #tunnel mode ipsec
       leftsourceip=98.248.95.yyy
       left=192.168.1.50
       leftnexthop=192.168.1.1
       leftsubnet=192.168.1.0/24
       right=66.xx.xx.xxx   # External IP Address
       rightnexthop=10.1.0.1
       rightsubnet=10.1.0.0/16
       ike=3des-md5
       esp=3des-md5
       keyexchange=ike    #use regular ike
       authby=secret    #pre-shared secret
       pfs=no    #disable perfect forward secrecy
       auto=add     #add doesn't initiate the tunnel, but allows incoming. Use start to auto-initiate

#Disable Opportunistic Encryption


+ _________________________ netstat-rn
+
+ netstat -nr
+ head -n 100
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.1.0.0        192.168.1.1     255.255.0.0     UG        0 0          0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0

+ _________________________ iptables
+
+ test -r /sbin/iptables
+ iptables -L -v -n
Chain INPUT (policy ACCEPT 8396 packets, 1135K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 9008 packets, 5634K bytes)
 pkts bytes target     prot opt in     out     source               destination

A tcpdump shows the following when pinging from 192.168.1.50 to
10.1.xxx.xxx (Excuse the length, I'm not sure what's required)

10:48:34.867754 IP c-98-248-95-xxx.hsd1.ca.comcast.net > 10.1.x.x: ICMP echo request, id 10008, seq 1, length 64
10:48:35.109387 IP min-ubuntu.ntp > 64.73.32.xxx.ntp: NTPv4, Client, length 48
10:48:35.109747 IP min-ubuntu.51659 > unknown.domain: 54833+ PTR? 134.32.73.64.in-addr.arpa. (43)
10:48:35.131769 IP unknown.domain > min-ubuntu.51659: 54833 NXDomain 0/1/0 (106)
10:48:35.190366 IP 64.73.xxx.xxx.ntp > min-ubuntu.ntp: NTPv4, Server, length 48
10:48:35.876522 IP c-98-248-95-xxx.hsd1.ca.comcast.net > 10.1.xxx.xxx: ICMP echo request, id 10008, seq 2, length 64
10:48:36.591853 IP 66-xx-xx-xxx.rinc.net.4500 > min-ubuntu.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
10:48:36.714926 IP min-ubuntu.4500 > custnets-66-xx-xx-xxx.rinc.net.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
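As an added example (not the poster's code and not part of Openswan), here is a small Python checker for the kind of mismatch a conn block like the one above can hide. It parses a conn section and a few `tcpdump -n` lines and flags three things: a `leftsourceip` that lies outside `leftsubnet` (the gateway's own traffic then leaves with an address the tunnel policy does not cover), a `rightnexthop` that sits inside the protected remote subnet, and echo requests toward `rightsubnet` whose source is outside `leftsubnet`. The conn text and capture lines embedded in it are constructed stand-ins modelled on the post, with public addresses taken from the RFC 5737 documentation ranges rather than the poster's real values; the capture is assumed to come from `tcpdump -n` so that addresses appear numerically.

```python
"""Check an Openswan conn block against the source address that actually
leaves the host.  Added example; all inputs below are constructed."""
import ipaddress
import re

# Constructed conn block modelled on the post (public IPs are RFC 5737
# documentation addresses, not the poster's).
CONN_TEXT = """\
conn test
       type=tunnel     #tunnel mode ipsec
       leftsourceip=198.51.100.7
       left=192.168.1.50
       leftnexthop=192.168.1.1
       leftsubnet=192.168.1.0/24
       right=203.0.113.9   # External IP Address
       rightnexthop=10.1.0.1
       rightsubnet=10.1.0.0/16
       auto=add
"""

# Constructed `tcpdump -n` lines: a ping to the remote subnet that leaves
# with the public address as source instead of a leftsubnet address.
TCPDUMP_LINES = [
    "10:48:34.867754 IP 198.51.100.7 > 10.1.2.3: ICMP echo request, id 10008, seq 1, length 64",
    "10:48:35.876522 IP 198.51.100.7 > 10.1.2.3: ICMP echo request, id 10008, seq 2, length 64",
]

ECHO_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo request")


def parse_conn(text):
    """Return {key: value} for one conn section, dropping '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("conn "):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def check_conn(conf):
    """Return a list of problems found in the conn settings themselves."""
    problems = []
    left_subnet = ipaddress.ip_network(conf["leftsubnet"], strict=False)
    right_subnet = ipaddress.ip_network(conf["rightsubnet"], strict=False)
    if left_subnet.overlaps(right_subnet):
        problems.append("leftsubnet %s overlaps rightsubnet %s"
                        % (left_subnet, right_subnet))
    src = conf.get("leftsourceip")
    if src and ipaddress.ip_address(src) not in left_subnet:
        problems.append(
            "leftsourceip=%s is not inside leftsubnet=%s: packets the gateway "
            "itself sends to %s will not match the tunnel policy"
            % (src, left_subnet, right_subnet))
    rnh = conf.get("rightnexthop")
    if rnh and ipaddress.ip_address(rnh) in right_subnet:
        problems.append(
            "rightnexthop=%s lies inside rightsubnet=%s; the next hop is "
            "normally the peer's upstream router on the public side"
            % (rnh, right_subnet))
    return problems


def check_capture(lines, conf):
    """Flag echo requests to rightsubnet whose source is outside leftsubnet."""
    left_subnet = ipaddress.ip_network(conf["leftsubnet"], strict=False)
    right_subnet = ipaddress.ip_network(conf["rightsubnet"], strict=False)
    problems = []
    for line in lines:
        m = ECHO_RE.search(line)
        if not m:
            continue
        src, dst = (ipaddress.ip_address(x) for x in m.groups())
        if dst in right_subnet and src not in left_subnet:
            problems.append("echo request %s -> %s leaves with a source "
                            "outside leftsubnet %s" % (src, dst, left_subnet))
    return problems


def diagnose(conn_text, capture_lines):
    """Run both checks and return the combined list of findings."""
    conf = parse_conn(conn_text)
    return check_conn(conf) + check_capture(capture_lines, conf)


if __name__ == "__main__":
    for finding in diagnose(CONN_TEXT, TCPDUMP_LINES):
        print("PROBLEM:", finding)
```

Run against the constructed inputs it reports four findings: the out-of-subnet `leftsourceip`, the `rightnexthop` inside `rightsubnet`, and one finding per echo request; against a conn whose `leftsourceip` is an address in `leftsubnet` and whose capture is empty it reports nothing.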

