[Openswan Users] Tunnels over dual DSL connections

Don Applick donapplick at gmail.com
Sun Oct 24 13:37:46 EDT 2010


On Sun, Oct 24, 2010 at 3:08 AM, Paul Wouters <paul at xelerance.com> wrote:
>
> On Fri, 22 Oct 2010, Don Applick wrote:
>
> That's not a valid CIDR btw.

Oops!  I must have looked at that 100 times and obviously never spotted it.

> You cannot have two tunnels for those two subnets, as openswan will then not know
> where to send the traffic through. Should a packet for 192.168.0.0/24 go via ppp0 or ppp1?
> And who is keeping track for load balancing this?

Sorry, I have confused the issue by not posting full details - the sites have different subnets. See config and log below.  This is indeed working and my tests show that traffic is flowing through the correct interface for each site.

One small issue remains.  As the log shows, Openswan's first attempt to connect to siteB fails. Ultimately I had to start the connection from the siteB router, but Openswan keeps retrying to create a connection even though one already exists.  Although benign, it's annoying.

> A better method here would be if your ISP supported MPPE so then you bond the two ppp
> lines into one logical link and run IPsec on that.

The irony is that this used to be a bonded connection but the ISP no longer supports it. I could easily have put a Netgear on both the head office lines but decided to retain the Linux router and play instead!

---------------------------------------------------------

version 2.0     # conforms to version 2.0 and newer

config setup
	plutodebug="none"
	interfaces="ipsec0=ppp0 ipsec1=ppp1"

# Head Office:  internal = 192.168.0.0/24,  external ppp0 = 1.2.3.4/32, ppp1 = 1.2.3.5/32
# Site A:       internal = 192.168.16.0/24  external = siteA.ip
# Site B:       internal = 192.168.32.0/24  external = siteB.ip


# SiteA (Netgear DG834) via ppp0
conn siteA
	authby=secret
	auto=start
	esp=3des-sha1
	ike=3des-sha1-modp1024
	keylife=10h
	ikelifetime=10h
	keyexchange=ike
	left=1.2.3.4
	leftid=headoffice at domain.com
	leftsubnet=192.168.0.0/24
	pfs=yes
	right=siteA.ip
	rightid=siteA at domain.com
	rightnexthop=1.2.3.4
	rightsubnet=192.168.16.0/24
	type=tunnel

# SiteB (Netgear DG834) via ppp1
conn siteB
	authby=secret
	auto=start
	esp=3des-sha1
	ike=3des-sha1-modp1024
	keylife=10h
	ikelifetime=10h
	keyexchange=ike
	left=1.2.3.5
	leftid=headoffice at domain.com
	leftsubnet=192.168.0.0/24
	pfs=yes
	right=siteB.ip
	rightid=siteB at domain.com
	rightnexthop=1.2.3.5
	rightsubnet=192.168.32.0/24
	type=tunnel

------------------------------------------------------------------

Oct 24 17:42:10 vpnrouter ipsec_setup: NETKEY on ppp0
1.2.3.4/255.255.255.255 pointopoint 1.7.8.9
Oct 24 17:42:10 vpnrouter ipsec_setup: NETKEY on ppp1
1.2.3.5/255.255.255.255 pointopoint 1.7.8.9
Oct 24 17:42:10 vpnrouter ipsec__plutorun: Starting Pluto subsystem...
Oct 24 17:42:10 vpnrouter ipsec_setup: ...Openswan IPsec started
Oct 24 17:42:10 vpnrouter ipsec_setup: Starting Openswan IPsec
U2.4.7/K2.6.19.7...
Oct 24 17:42:10 vpnrouter pluto[12721]: Starting Pluto (Openswan
Version 2.4.7 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID
OEZ~BaB]r\134p_)
Oct 24 17:42:10 vpnrouter pluto[12721]: Setting NAT-Traversal
port-4500 floating to off
Oct 24 17:42:10 vpnrouter pluto[12721]:    port floating activation
criteria nat_t=0/port_fload=1
Oct 24 17:42:10 vpnrouter pluto[12721]:   including NAT-Traversal
patch (Version 0.6c) [disabled]
Oct 24 17:42:10 vpnrouter pluto[12721]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)
Oct 24 17:42:10 vpnrouter pluto[12721]: starting up 1 cryptographic helpers
Oct 24 17:42:10 vpnrouter pluto[12721]: started helper pid=12731 (fd:6)
Oct 24 17:42:10 vpnrouter pluto[12721]: Using NETKEY IPsec interface
code on 2.6.19.7
Oct 24 17:42:10 vpnrouter pluto[12721]: Changing to directory
'/var/etc/ipsec.d/cacerts'
Oct 24 17:42:10 vpnrouter pluto[12721]: Changing to directory
'/var/etc/ipsec.d/aacerts'
Oct 24 17:42:10 vpnrouter pluto[12721]: Changing to directory
'/var/etc/ipsec.d/ocspcerts'
Oct 24 17:42:10 vpnrouter pluto[12721]: Changing to directory
'/var/etc/ipsec.d/crls'
Oct 24 17:42:10 vpnrouter pluto[12721]:   Warning: empty directory
Oct 24 17:42:10 vpnrouter pluto[12721]: added connection description "siteA"
Oct 24 17:42:11 vpnrouter pluto[12721]: added connection description "siteB"
Oct 24 17:42:11 vpnrouter pluto[12721]: listening for IKE messages
Oct 24 17:42:11 vpnrouter pluto[12721]: adding interface ppp1/ppp1 1.2.3.5:500
Oct 24 17:42:11 vpnrouter pluto[12721]: adding interface ppp0/ppp0 1.2.3.4:500
Oct 24 17:42:11 vpnrouter pluto[12721]: adding interface eth0/eth0
192.168.0.3:500
Oct 24 17:42:11 vpnrouter pluto[12721]: adding interface lo/lo 127.0.0.1:500
Oct 24 17:42:11 vpnrouter pluto[12721]: loading secrets from
"/var/etc/ipsec.secrets"
Oct 24 17:42:11 vpnrouter pluto[12721]: "siteB" #1: initiating Main Mode
Oct 24 17:42:11 vpnrouter ipsec__plutorun: 104 "siteB" #1:
STATE_MAIN_I1: initiate
Oct 24 17:42:11 vpnrouter ipsec__plutorun: ...could not start conn "siteB"
Oct 24 17:42:11 vpnrouter pluto[12721]: "siteA" #2: initiating Main Mode
Oct 24 17:42:11 vpnrouter ipsec__plutorun: 104 "siteA" #2:
STATE_MAIN_I1: initiate
Oct 24 17:42:11 vpnrouter ipsec__plutorun: ...could not start conn "siteA"
Oct 24 17:42:11 vpnrouter pluto[12721]: "siteA" #2: received Vendor ID
payload [Dead Peer Detection]
Oct 24 17:42:11 vpnrouter pluto[12721]: "siteA" #2: transition from
state STATE_MAIN_I1 to state STATE_MAIN_I2
Oct 24 17:42:11 vpnrouter pluto[12721]: "siteA" #2: STATE_MAIN_I2:
sent MI2, expecting MR2
Oct 24 17:42:11 vpnrouter pluto[12721]: "siteA" #2: I did not send a
certificate because I do not have one.
Oct 24 17:42:11 vpnrouter pluto[12721]: "siteA" #2: transition from
state STATE_MAIN_I2 to state STATE_MAIN_I3
Oct 24 17:42:11 vpnrouter pluto[12721]: "siteA" #2: STATE_MAIN_I3:
sent MI3, expecting MR3
Oct 24 17:42:12 vpnrouter pluto[12721]: "siteA" #2: Main mode peer ID
is ID_USER_FQDN: 'siteA at domain.com'
Oct 24 17:42:12 vpnrouter pluto[12721]: "siteA" #2: transition from
state STATE_MAIN_I3 to state STATE_MAIN_I4
Oct 24 17:42:12 vpnrouter pluto[12721]: "siteA" #2: STATE_MAIN_I4:
ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Oct 24 17:42:12 vpnrouter pluto[12721]: "siteA" #4: initiating Quick
Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#2}
Oct 24 17:42:12 vpnrouter pluto[12721]: "siteA" #4: transition from
state STATE_QUICK_I1 to state STATE_QUICK_I2
Oct 24 17:42:12 vpnrouter pluto[12721]: "siteA" #4: STATE_QUICK_I2:
sent QI2, IPsec SA established {ESP=>0x4692fec7 <0xd8e06a74
xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
....
Oct 24 17:45:51 vpnrouter pluto[12721]: packet from siteB.ip:1:
received Vendor ID payload [Dead Peer Detection]
Oct 24 17:45:51 vpnrouter pluto[12721]: "siteB" #5: responding to Main Mode
Oct 24 17:45:51 vpnrouter pluto[12721]: "siteB" #5: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 24 17:45:51 vpnrouter pluto[12721]: "siteB" #5: STATE_MAIN_R1:
sent MR1, expecting MI2
Oct 24 17:45:51 vpnrouter pluto[12721]: "siteB" #5: transition from
state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 24 17:45:51 vpnrouter pluto[12721]: "siteB" #5: STATE_MAIN_R2:
sent MR2, expecting MI3
Oct 24 17:45:51 vpnrouter pluto[12721]: "siteB" #5: Main mode peer ID
is ID_USER_FQDN: 'siteB at domain.com'
Oct 24 17:45:51 vpnrouter pluto[12721]: "siteB" #5: I did not send a
certificate because I do not have one.
Oct 24 17:45:51 vpnrouter pluto[12721]: "siteB" #5: transition from
state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 24 17:45:51 vpnrouter pluto[12721]: "siteB" #5: STATE_MAIN_R3:
sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Oct 24 17:45:51 vpnrouter pluto[12721]: "siteB" #6: responding to
Quick Mode {msgid:5f30cb5f}
Oct 24 17:45:51 vpnrouter pluto[12721]: "siteB" #6: transition from
state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct 24 17:45:51 vpnrouter pluto[12721]: "siteB" #6: STATE_QUICK_R1:
sent QR1, inbound IPsec SA installed, expecting QI2
Oct 24 17:45:52 vpnrouter pluto[12721]: "siteB" #6: transition from
state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 24 17:45:52 vpnrouter pluto[12721]: "siteB" #6: STATE_QUICK_R2:
IPsec SA established {ESP=>0xbc934e61 <0x534fc45f
xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
....
....
Oct 24 17:55:21 vpnrouter pluto[12721]: "siteB" #1: max number of
retransmissions (20) reached STATE_MAIN_I1.  No response (or no
acceptable response) to our first IKE message
Oct 24 17:55:21 vpnrouter pluto[12721]: "siteB" #1: starting keying
attempt 2 of an unlimited number
Oct 24 17:55:21 vpnrouter pluto[12721]: "siteB" #8: initiating Main
Mode to replace #1
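An added sanity check, not part of this thread or of Openswan itself, that a practitioner can run over a config laid out like the one above before loading it: it parses the conn sections and flags subnets that are not valid CIDRs (Paul's first point) and pairs of conns whose leftsubnet/rightsubnet selectors overlap, which is the ambiguity Paul describes where pluto cannot tell which tunnel a packet belongs to. The sample config is constructed in the same layout; the siteA/siteB names and subnets come from the post.

```python
import ipaddress
import re

# Constructed sample in the layout of the ipsec.conf posted above, reduced to
# the keys the check needs (not the poster's file verbatim).
SAMPLE_CONF = """\
conn siteA
\tleftsubnet=192.168.0.0/24
\trightsubnet=192.168.16.0/24

conn siteB
\tleftsubnet=192.168.0.0/24
\trightsubnet=192.168.32.0/24
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():           # section header at column 0
            m = re.match(r"conn\s+(\S+)", line)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key] = value.strip().strip('"')
    return conns

def check_conns(conns):
    """Flag invalid CIDRs and conn pairs whose traffic selectors overlap."""
    problems, selectors = [], {}
    for name, c in conns.items():
        try:   # strict=True rejects host bits set, e.g. 192.168.32.1/24
            selectors[name] = (ipaddress.ip_network(c["leftsubnet"], strict=True),
                               ipaddress.ip_network(c["rightsubnet"], strict=True))
        except (KeyError, ValueError) as e:
            problems.append(f"{name}: subnet missing or not a valid CIDR ({e})")
    names = sorted(selectors)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            la, ra = selectors[a]
            lb, rb = selectors[b]
            # Same local side and overlapping remote side: a packet for the
            # overlapping range matches both conns, so pluto cannot pick one.
            if la.overlaps(lb) and ra.overlaps(rb):
                problems.append(f"{a}/{b}: selectors overlap ({ra} vs {rb})")
    return problems
```

With the two distinct remote subnets from the post the check returns no problems; giving both conns the same rightsubnet, or a subnet with host bits set, produces one finding each.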
