[Openswan Users] linux to linux connection is setup ok but hosts cannot ping through the connection

Piavlo piavka at cs.bgu.ac.il
Mon Nov 15 16:30:04 EST 2010


Bob Miller wrote:
> Interesting.  I recently set up a tunnel where one end had only one
> interface but needed a subnet configuration, and I used a virtual
> interface eth0:1 for it.  The thing that took me a long time to figure
> out was the iptables rules to make it work, but you say that is not a
> factor here.
> I have two suggestions: in your linux-to-linux conn, try leftsourceip
> and rightsourceip, you need those to ping the actual gateways of each
> subnet at each end,

Hi Bob, thanks for your suggestions.

I've already done this but just tried it again, this time also taking
tcpdumps of this use case. If I understand the ipsec.conf man page
correctly I need to set leftsourceip=192.168.1.1 &
rightsourceip=192.168.1.2, which happen to be the IPs of the virtual
interfaces that represent the internal local subnets of left/rightsubnet.

I can see that these options cause routing entries to be added:
on vpn01a -> 192.168.2.0/24 dev eth0 scope link src 192.168.1.1
on vpn01b -> 192.168.1.0/24 dev eth0 scope link src 192.168.2.1

The good news is that I can see that now the pings to 192.168.2.1 go
over eth0 as ESP packets (with "tcpdump -n -i eth0 esp"); previously
they were sent as-is over eth0 (as I could see them with "tcpdump -n -i
eth0 icmp").

The bad news is that the ESP packets go out from vpn01a but never reach
vpn01b. Now that I think about it again, those VPN hosts are Amazon EC2
cloud instances - and I can use only the ICMP/TCP/UDP protocols to
communicate within the Amazon cloud. Oh shi.... how could I have forgotten
that - I guess I was misguided by the fact that the ISAKMP and IPsec SAs
were successfully established - but UDP is used for this establishment.

I guess an SSL-based VPN (like OpenVPN) is currently the only way to go in
the Amazon cloud, or just use Amazon VPC.

Thanks
Alex

> and have you tried dumping traffic to see where
> packets are actually going?
> 

> On Mon, 2010-11-15 at 17:25 +0200, Piavlo wrote:
>> Hi,
>>
>> I hope someone can help me as I'm really stuck with this.
>>
>> I've two linux hosts running ubuntu maverick with openswan 2.6.26.
>> The ISAKMP and IPsec SAs are established ok, but I can not ping the subnet
>> IP through the tunnel.
>>
>> Both hosts have only one physical interface, through which the IPsec tunnel
>> is established.
>> In order to have subnet-like behaviour I've set up a virtual interface as
>> a TAP device and assigned an IP address to it on each host.
>>
>> The ipsec.conf is:
>> ------------
>> config setup
>>         nat_traversal=yes
>>         virtual_private=%v4:192.168.0.0/16
>>         oe=off
>>         protostack=netkey
>>
>> conn linux-to-linux
>>         connaddrfamily=ipv4
>>         type=tunnel
>>         authby=rsasig
>>         ike=3des-sha1
>>         phase2=esp
>>         phase2alg=3des-sha1
>>         left=10.227.37.62
>>         leftid=@vpn01a
>>         leftsubnet=192.168.1.0/24
>>         leftrsasigkey=0sAwE....
>>         right=10.235.41.152
>>         rightid=@vpn01b
>>         rightsubnet=192.168.2.0/24
>>         rightrsasigkey=0sAwE...
>>         auto=add
>> ---------------
>>
>> And relevant interface configs are:
>> ------------------
>> #On vpn01a /etc/network/interfaces
>> auto tap0
>> iface tap0 inet static
>>         pre-up /usr/sbin/openvpn --mktun --dev tap0
>>         post-down /usr/sbin/openvpn --rmtun --dev tap0
>>         address 192.168.1.1
>>         netmask 255.255.255.0
>>
>> root at vpn01a:~# netstat -rn
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
>> 10.227.37.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
>> 192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 tap0
>> 0.0.0.0         10.227.37.1     0.0.0.0         UG        0 0          0 eth0
>> root at vpn01a:~#
>> -----------------
>> #On vpn01b /etc/network/interfaces
>> auto tap0
>> iface tap0 inet static
>>         pre-up /usr/sbin/openvpn --mktun --dev tap0
>>         post-down /usr/sbin/openvpn --rmtun --dev tap0
>>         address 192.168.2.1
>>         netmask  255.255.255.0
>>
>> root at vpn01b:~# netstat -rn
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
>> 192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 tap0
>> 10.235.41.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
>> 0.0.0.0         10.235.41.1     0.0.0.0         UG        0 0          0 eth0
>> root at vpn01b:~#
>> ------------------
>>
>> So when I'm on vpn01a I can not ping 192.168.2.1 (but obviously can
>> ping 192.168.1.1), and vice versa on vpn01b.
>>
>> No firewall is running on these hosts, and no nat between the hosts.
>>
>> I've tried changing almost everything I could think of but nothing helps.
>> For example changing left/rightsubnet=192.168.X.0/24 to
>> left/rightsubnet=192.168.X.1/32
>> and the tap0 interface netmask from 255.255.255.0 to 255.255.255.255,
>> changing nat_traversal to no or left/rightnexthop to different values,
>> and much more I can't even remember now.
>>
>> So if anyone has got any clues, please help.
>>
>> Thanks a lot
>> Alex
>> _______________________________________________
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
> 
> Bob Miller
> 334-7117/660-5315
> http://computerisms.ca
> bob at computerisms.ca
> Network, Internet, Server,
> and Open Source Solutions
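Alex's conclusion (the SAs negotiate over UDP/500, but the raw ESP packets, IP protocol 50, leave vpn01a and never reach vpn01b) is the kind of thing to confirm from tcpdump on both ends rather than from "SA established" messages. The following is an added example, not code from the thread: it parses constructed tcpdump lines captured on both hosts, matches packets by SPI and sequence number, and tells raw ESP apart from NAT-T UDP-encapsulated ESP (UDP/4500), which is what Openswan's forceencaps=yes produces and which a network that only passes TCP/UDP/ICMP would still carry; the SPIs and timestamps are made up.

```python
import re

# tcpdump -n lines; the dotted quad is matched exactly so a NAT-T ".4500" port suffix is not swallowed.
_IP = r'\d{1,3}(?:\.\d{1,3}){3}'
ESP_RE = re.compile(rf'^\S+ IP (?P<src>{_IP})(?:\.\d+)? > (?P<dst>{_IP})(?:\.\d+)?: '
                    r'(?P<encap>UDP-encap: )?ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\)')

def parse_esp(lines):
    """Return (src, dst, spi, seq, udp_encapsulated) for every ESP packet in a capture."""
    pkts = []
    for m in filter(None, map(ESP_RE.match, lines)):
        pkts.append((m['src'], m['dst'], m['spi'].lower(), int(m['seq'], 16), m['encap'] is not None))
    return pkts

def delivery_report(sender_capture, receiver_capture):
    """Per outbound SPI, count packets seen leaving the sender that also appear at the
    receiver (matched on SPI and sequence number) and say what the pattern means."""
    sent, recv = parse_esp(sender_capture), parse_esp(receiver_capture)
    arrived = {(p[2], p[3]) for p in recv}
    report = {}
    for spi in sorted({p[2] for p in sent}):
        out = [p for p in sent if p[2] == spi]
        got = sum(1 for p in out if (spi, p[3]) in arrived)
        encap = all(p[4] for p in out)
        if got == len(out):
            verdict = 'ok'
        elif got == 0 and not encap:
            verdict = 'raw ESP (IP protocol 50) never arrives: path drops non-TCP/UDP/ICMP'
        elif got == 0:
            verdict = 'UDP-encapsulated ESP never arrives: check UDP/4500 on the path'
        else:
            verdict = 'partial loss'
        report[spi] = {'sent': len(out), 'received': got, 'udp_encap': encap, 'verdict': verdict}
    return report

# Constructed captures modelled on the thread: vpn01a (10.227.37.62) pings 192.168.2.1 through
# the tunnel to vpn01b (10.235.41.152). Raw ESP leaves eth0 on vpn01a; nothing reaches vpn01b.
VPN01A_RAW = [
    '16:30:01.000001 IP 10.227.37.62 > 10.235.41.152: ESP(spi=0x1a2b3c4d,seq=0x1), length 116',
    '16:30:02.000001 IP 10.227.37.62 > 10.235.41.152: ESP(spi=0x1a2b3c4d,seq=0x2), length 116',
]
VPN01B_RAW = []  # "tcpdump -n -i eth0 esp" on vpn01b stays silent
# The same ping once the SA uses UDP encapsulation (NAT-T, port 4500): both sides see it.
VPN01A_ENCAP = [
    '16:35:01.000001 IP 10.227.37.62.4500 > 10.235.41.152.4500: UDP-encap: ESP(spi=0x5e6f7a8b,seq=0x1), length 124',
]
VPN01B_ENCAP = [
    '16:35:01.000201 IP 10.227.37.62.4500 > 10.235.41.152.4500: UDP-encap: ESP(spi=0x5e6f7a8b,seq=0x1), length 124',
]
```

Run `tcpdump -n -i eth0 "esp or udp port 4500"` on both hosts for the same ping and feed the sender's lines as the first argument and the receiver's as the second.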
