[Openswan Users] net-to-net with multiple subnets, unrouted
kallen at groknaut.net
Mon Nov 22 18:15:05 EST 2010
hi there. i'm having some difficulty setting up net-to-net with multiple
subnets on both the left and right sides, and could use some help. let me
know if you'd like to see the barf.
three essential questions at the outset:
1) on the linux gateway host, what is the correct way to tell it to route
packets thru the tunnel? there are a few incantations of "route add".
i think i've done it correctly, but i'd like to verify.
2) why do 3 out of 4 of my "connections" show as "unrouted; eroute owner: #0"?
and why does the linux gateway keep trying to, i think, negotiate add'l
IPSEC SAs? and why do those attempts fail? is it a misconfig on my end, a
misconfig on the Juniper end? or an interop problem?
3) when sending packets from the left to the right, why the following?
- ping succeeds from left to right
- netcat hitting a TCP port works (if i provide a source address)
- telnetting to that same port does NOT work (i can't provide a source
address to the telnet command)
thanks very much in advance,
kallen
the details:
Us: CentOS 5.5, 2.6.18-194.el5, OpenSwan 2.6.31, NETKEY
Them: Juniper SSG520 (netscreen)
to keep it simple at the outset, iptables is default ACCEPT. i will need
to fire up iptables later, and figure out how to push ipsec packets thru it.
my config:
version 2.0
config setup
interfaces=%defaultroute
plutodebug="control parsing"
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.8.13.0/24,%v4:!172.16.6.0/24
protostack=netkey
conn bender
type=tunnel
left=5.5.5.22
leftnexthop=5.5.5.100
leftsubnets={172.16.6.0/24 10.8.13.0/24}
right=6.6.6.3
#rightnexthop=6.6.6.2
rightsubnets={192.168.101.0/24 192.168.111.0/24}
authby=secret
auto=add
pfs=no
sysctl:
net.ipv4.conf.tun0.arp_filter = 0
net.ipv4.conf.tun0.rp_filter = 0
net.ipv4.conf.eth1.arp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.ip_forward = 1
1) add the routes:
[11/22-14:36]linux-gw:~# route add -net 192.168.111.0/24 dev eth1
[11/22-14:37]linux-gw:~# route add -net 192.168.101.0/24 dev eth1
[11/22-14:37]linux-gw:~# ipsec setup start
(yes, i do have OpenVPN running here, tun0)
[11/22-14:38]linux-gw:~# route -n | grep -v tun0
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.17.0.10 10.8.13.1 255.255.255.255 UGH 0 0 0 eth0
239.2.11.71 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
172.16.130.24 10.8.13.1 255.255.255.248 UG 0 0 0 eth0
192.168.100.0 10.8.13.1 255.255.255.0 UG 0 0 0 eth0
192.168.101.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
172.16.128.0 10.8.13.1 255.255.255.0 UG 0 0 0 eth0
172.16.129.0 10.8.13.1 255.255.255.0 UG 0 0 0 eth0
192.168.64.0 10.8.13.1 255.255.255.0 UG 0 0 0 eth0
5.5.5.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.111.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
10.8.13.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
172.16.0.0 10.8.13.1 255.240.0.0 UG 0 0 0 eth0
10.0.0.0 10.8.13.1 255.0.0.0 UG 0 0 0 eth0
0.0.0.0 5.5.5.100 0.0.0.0 UG 0 0 0 eth1
[11/22-14:38]linux-gw:~# ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:25:90:04:6c:fa brd ff:ff:ff:ff:ff:ff
inet 10.8.13.16/24 brd 10.8.13.255 scope global eth0
inet 10.8.13.18/32 scope global eth0
inet6 fe80::225:90ff:fe04:6cfa/64 scope link
valid_lft forever preferred_lft forever
[11/22-14:38]linux-gw:~# ip addr show dev eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:25:90:04:6c:fb brd ff:ff:ff:ff:ff:ff
inet 5.5.5.22/24 scope global eth1
inet6 fe80::225:90ff:fe04:6cfb/64 scope link
valid_lft forever preferred_lft forever
[11/22-14:38]linux-gw:~# ipsec auto --verbose --up bender
000 initiating all conns with alias='bender'
002 "bender/2x2" #1: initiating Main Mode
104 "bender/2x2" #1: STATE_MAIN_I1: initiate
003 "bender/2x2" #1: ignoring unknown Vendor ID payload [925414152942290b65aa6c4bf142b1f6e08a2bb11100000014060000]
003 "bender/2x2" #1: received Vendor ID payload [Dead Peer Detection]
003 "bender/2x2" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
002 "bender/2x2" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "bender/2x2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
002 "bender/2x2" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "bender/2x2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "bender/2x2" #1: Main mode peer ID is ID_IPV4_ADDR: '6.6.6.3'
002 "bender/2x2" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "bender/2x2" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
002 "bender/1x1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:3968cb5b proposal=defaults pfsgroup=no-pfs}
002 "bender/1x2" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:a34309fd proposal=defaults pfsgroup=no-pfs}
002 "bender/2x1" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:0a036966 proposal=defaults pfsgroup=no-pfs}
002 "bender/2x2" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:ca11df38 proposal=defaults pfsgroup=no-pfs}
117 "bender/1x1" #2: STATE_QUICK_I1: initiate
117 "bender/1x2" #3: STATE_QUICK_I1: initiate
117 "bender/2x1" #4: STATE_QUICK_I1: initiate
117 "bender/2x2" #5: STATE_QUICK_I1: initiate
003 "bender/2x2" #5: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=ca11df38
002 "bender/2x2" #5: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "bender/2x2" #5: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xff2e2a07 <0x15d0519f xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
010 "bender/2x1" #4: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "bender/1x2" #3: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "bender/1x1" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "bender/1x1" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
010 "bender/1x2" #3: STATE_QUICK_I1: retransmission; will wait 40s for response
010 "bender/2x1" #4: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "bender/2x1" #4: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "bender/2x1" #4: starting keying attempt 2 of an unlimited number, but releasing whack
031 "bender/1x2" #3: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "bender/1x2" #3: starting keying attempt 2 of an unlimited number, but releasing whack
031 "bender/1x1" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "bender/1x1" #2: starting keying attempt 2 of an unlimited number, but releasing whack
[11/22-14:40]linux-gw:~# /etc/init.d/ipsec status
IPsec running - pluto pid: 28703
pluto pid 28703
1 tunnels up
some eroutes exist
2) why "unrouted; eroute owner: #0"?
[11/22-14:40]linux-gw:~# ipsec auto --verbose --status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 10.8.13.16
000 interface eth0/eth0 10.8.13.18
000 interface eth1/eth1 5.5.5.22
000 interface tun0/tun0 10.8.0.1
000 %myid = (none)
000 debug parsing+control
000
000 virtual_private (%priv):
000 - allowed 3 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
000 - disallowed 2 subnets: 10.8.13.0/24, 172.16.6.0/24
000
[snip algorithm output]
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "bender/1x1": 172.16.6.0/24===5.5.5.22<5.5.5.22>[+S=C]---5.5.5.100...6.6.6.3<6.6.6.3>[+S=C]===192.168.101.0/24; unrouted; eroute owner: #0
000 "bender/1x1": myip=unset; hisip=unset;
000 "bender/1x1": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "bender/1x1": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+lKOD+rKOD; prio: 24,24; interface: eth1;
000 "bender/1x1": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "bender/1x1": aliases: bender
000 "bender/1x2": 172.16.6.0/24===5.5.5.22<5.5.5.22>[+S=C]---5.5.5.100...6.6.6.3<6.6.6.3>[+S=C]===192.168.111.0/24; unrouted; eroute owner: #0
000 "bender/1x2": myip=unset; hisip=unset;
000 "bender/1x2": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "bender/1x2": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+lKOD+rKOD; prio: 24,24; interface: eth1;
000 "bender/1x2": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "bender/1x2": aliases: bender
000 "bender/2x1": 10.8.13.0/24===5.5.5.22<5.5.5.22>[+S=C]---5.5.5.100...6.6.6.3<6.6.6.3>[+S=C]===192.168.101.0/24; unrouted; eroute owner: #0
000 "bender/2x1": myip=unset; hisip=unset;
000 "bender/2x1": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "bender/2x1": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+lKOD+rKOD; prio: 24,24; interface: eth1;
000 "bender/2x1": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "bender/2x1": aliases: bender
000 "bender/2x2": 10.8.13.0/24===5.5.5.22<5.5.5.22>[+S=C]---5.5.5.100...6.6.6.3<6.6.6.3>[+S=C]===192.168.111.0/24; erouted; eroute owner: #5
000 "bender/2x2": myip=unset; hisip=unset;
000 "bender/2x2": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "bender/2x2": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+lKOD+rKOD; prio: 24,24; interface: eth1;
000 "bender/2x2": newest ISAKMP SA: #1; newest IPsec SA: #5;
000 "bender/2x2": aliases: bender
000 "bender/2x2": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000
000 #8: "bender/1x1":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 27s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #7: "bender/1x2":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 27s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #6: "bender/2x1":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 27s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #5: "bender/2x2":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27935s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #5: "bender/2x2" esp.ff2e2a07 at 6.6.6.3 esp.15d0519f at 5.5.5.22 tun.0 at 6.6.6.3 tun.0 at 5.5.5.22 ref=0 refhim=4294901761
000 #1: "bender/2x2":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2494s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000
3) when sending packets from the left to the right, why the following?
[11/22-14:42]linux-gw:~# ping -c 1 -I 10.8.13.16 192.168.111.11
PING 192.168.111.11 (192.168.111.11) from 10.8.13.16 : 56(84) bytes of data.
64 bytes from 192.168.111.11: icmp_seq=1 ttl=63 time=1.49 ms
--- 192.168.111.11 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.497/1.497/1.497/0.000 ms
[11/22-14:42]linux-gw:~# nc -nv -z -w 3 -s 10.8.13.16 192.168.111.11 22
Connection to 192.168.111.11 22 port [tcp/*] succeeded!
14:43:35.871503 IP (tos 0x0, ttl 64, id 23003, offset 0, flags [DF], proto: ESP (50), length: 112) 5.5.5.22 > 6.6.6.3: ESP(spi=0xff2e2a07,seq=0xe), length 92
14:43:35.873031 IP (tos 0x0, ttl 60, id 28344, offset 0, flags [none], proto: ESP (50), length: 112) 6.6.6.3 > 5.5.5.22: ESP(spi=0x15d0519f,seq=0xc), length 92
14:43:35.873031 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) 192.168.111.11.ssh > 10.8.13.16.37073: S, cksum 0x14af (correct), 2421587839:2421587839(0) ack 2861143331 win 5792 <mss 1460,sackOK,timestamp 1124944558 293688878,nop,wscale 7>
[snip]
[11/22-14:42]linux-gw:~# telnet 192.168.111.11 22
Trying 192.168.111.11...
telnet: connect to address 192.168.111.11: No route to host
telnet: Unable to connect to remote host: No route to host
14:42:42.686367 arp who-has 192.168.111.11 tell 5.5.5.22
14:42:42.686278 arp who-has 192.168.111.11 tell 5.5.5.22
14:42:43.686187 arp who-has 192.168.111.11 tell 5.5.5.22
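An added diagnostic script (editor's example, not code from the post or from Openswan) for the two symptoms above. It expands the leftsubnets/rightsubnets lists into the per-pair conns Openswan names bender/1x1 .. bender/2x2, parses the summary lines from the `ipsec auto --status` output quoted in the post (embedded below as constructed sample input), and reports which selector pair, if any, covers a given src/dst. The subnet lists, conn names and status lines are taken from the post; the `unrouted_conns` and `classify_packet` helpers are this example's own. Note that a packet sourced from the gateway's outer address 5.5.5.22 matches no selector at all, which is consistent with the ARP requests seen after the telnet attempt: the `route add -net 192.168.111.0/24 dev eth1` entry carries no preferred source, so telnet's unbound socket picks eth1's own address rather than an address inside 10.8.13.0/24.

```python
"""Map a src/dst pair onto the leftsubnets x rightsubnets conns of an Openswan tunnel."""
import ipaddress
import re

# Subnet lists from the conn "bender" in the post.
LEFT_SUBNETS = ["172.16.6.0/24", "10.8.13.0/24"]
RIGHT_SUBNETS = ["192.168.101.0/24", "192.168.111.0/24"]

# Constructed sample: the four conn summary lines from `ipsec auto --status` in the post.
SAMPLE_STATUS = """\
000 "bender/1x1": 172.16.6.0/24===5.5.5.22<5.5.5.22>[+S=C]---5.5.5.100...6.6.6.3<6.6.6.3>[+S=C]===192.168.101.0/24; unrouted; eroute owner: #0
000 "bender/1x2": 172.16.6.0/24===5.5.5.22<5.5.5.22>[+S=C]---5.5.5.100...6.6.6.3<6.6.6.3>[+S=C]===192.168.111.0/24; unrouted; eroute owner: #0
000 "bender/2x1": 10.8.13.0/24===5.5.5.22<5.5.5.22>[+S=C]---5.5.5.100...6.6.6.3<6.6.6.3>[+S=C]===192.168.101.0/24; unrouted; eroute owner: #0
000 "bender/2x2": 10.8.13.0/24===5.5.5.22<5.5.5.22>[+S=C]---5.5.5.100...6.6.6.3<6.6.6.3>[+S=C]===192.168.111.0/24; erouted; eroute owner: #5
"""

# Matches only the per-conn summary line (left===...===right; state; eroute owner: #N).
STATUS_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)": (?P<left>[\d./]+)===.*===(?P<right>[\d./]+); '
    r'(?P<state>unrouted|routed|erouted); eroute owner: #(?P<owner>\d+)'
)


def expand_conns(name, left_subnets, right_subnets):
    """Expand leftsubnets={...} rightsubnets={...} into the per-pair conns Openswan
    instantiates, named <conn>/<left index>x<right index> (1-based, as in the post)."""
    conns = {}
    for i, left in enumerate(left_subnets, start=1):
        for j, right in enumerate(right_subnets, start=1):
            conns[f"{name}/{i}x{j}"] = (ipaddress.ip_network(left),
                                       ipaddress.ip_network(right))
    return conns


def parse_status(text):
    """Return {conn: (left_net, right_net, state, eroute_owner)} from --status output."""
    result = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            result[m["conn"]] = (ipaddress.ip_network(m["left"]),
                                 ipaddress.ip_network(m["right"]),
                                 m["state"],
                                 int(m["owner"]))
    return result


def unrouted_conns(status):
    """Names of conns that have no kernel policy installed (eroute owner #0)."""
    return sorted(conn for conn, (_l, _r, _s, owner) in status.items() if owner == 0)


def classify_packet(src, dst, status):
    """Return (conn, state) for the conn whose selectors cover src -> dst, or None
    when no conn matches and the packet would leave in the clear via the normal route."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for conn, (left, right, state, _owner) in sorted(status.items()):
        if src in left and dst in right:
            return conn, state
    return None


if __name__ == "__main__":
    status = parse_status(SAMPLE_STATUS)
    print("expanded conns:", sorted(expand_conns("bender", LEFT_SUBNETS, RIGHT_SUBNETS)))
    print("unrouted:", unrouted_conns(status))
    for src, dst in [("10.8.13.16", "192.168.111.11"),   # the ping / nc -s case
                     ("5.5.5.22", "192.168.111.11"),     # what telnet ended up using
                     ("10.8.13.16", "192.168.101.11")]:  # the other right subnet
        print(f"{src} -> {dst}: {classify_packet(src, dst, status)}")
```

Run it against a saved copy of `ipsec auto --status` by replacing SAMPLE_STATUS; a result of None for the source address a client actually uses means the traffic is not being steered into the tunnel at all, as opposed to a conn that is matched but still "unrouted" because its Quick Mode exchange never completed.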