[Openswan Users] Problems: protected subnets

SilverTip257 silvertip257 at gmail.com
Sat Feb 26 21:35:14 EST 2011


I'm attempting to set up an Openswan to Openswan IPsec tunnel.  I
started out with host-to-host and now I'm attempting a protected
subnet setup.
CentOS = Linux Openswan U2.6.21/K2.6.18-164.el5 (netkey)
Debian = Linux Openswan U2.4.12/K2.6.26-2-686 (netkey)

I'm having problems setting up a host-to-host with protected subnets.
I can establish and communicate over a host-to-host without subnets
just fine by leaving out the leftsubnet/rightsubnet lines.

# Network Topology<-->( --|-- )<--> has a subnet behind it (actual subnet) has a subnet behind it (virtual interface)

I created a MITM setup with a custom Linux router in the middle so I
could sniff all the traffic (to make sure things are truly working).
I have found that if I do not specify the 110 and 111 interfaces (on
the respective hosts) as a default gateway and remove my main network
as a DFGW that usually one end has trouble locating the other.
Because I threw the Linux router in the middle, that's my doing I
expect -- I'm not asking for help on that unless someone has an idea.
But as long as I set the test NICs as each host's gateway and
remove the other gateway, it works without a hitch given the simple PSK.

# Simple config
conn cent-deb

# Subnet config -- the one that's not working
conn cent-deb

Regardless of which connection config I use I still get a message like
below every time I bring the conn up.
Proof the tunnel has been established:
# /var/log/auth.log on Debian
# or /var/log/secure on RedHat
Feb 26 20:30:27 debian507-vm pluto[3445]: "cent-deb" #26:
STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x297c2119
<0x175eddd3 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}

*** When using the subnet config, none of the pings between hosts is
encrypted and additionally...
I have noticed (once I try to bring the tunnel up) that my right
host's routing table has an entry for the leftsubnet network, BUT the
left host does not have an entry for the rightsubnet (which is a virtual
interface at the moment - Debian eth1:1 assigned).

Please let me know what additional information is necessary to
troubleshoot this problem.
I can show up in the #openswan IRC channel to answer
questions/troubleshoot as well.

Thank you,
//  SilverTip257  //
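On a netkey (XFRM) host like the two in this post, whether subnet traffic actually gets ESP-protected is decided by the kernel's xfrm policy database, not by the routing table alone, so the quickest way to confirm the "pings are not encrypted" symptom is to check that out/in/fwd tunnel policies covering the leftsubnet/rightsubnet pair exist. The following is an added example, not code from the original post or from Openswan; the `ip xfrm policy` output, subnets and gateway addresses are constructed placeholders (the real subnets were stripped from the post).

```python
import ipaddress

# Constructed sample of `ip xfrm policy` output as seen on the left host.
# The "in" policy is deliberately absent to show what a broken conn looks like.
SAMPLE_XFRM_POLICY = """\
src 192.168.110.0/24 dst 192.168.111.0/24
\tdir out priority 2344 ptype main
\ttmpl src 203.0.113.10 dst 203.0.113.11
\t\tproto esp reqid 16385 mode tunnel
src 192.168.111.0/24 dst 192.168.110.0/24
\tdir fwd priority 2344 ptype main
\ttmpl src 203.0.113.11 dst 203.0.113.10
\t\tproto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
\tsocket in priority 0 ptype main
"""


def parse_xfrm_policies(text):
    """Parse `ip xfrm policy` output into dicts with src, dst, dir, proto, mode."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("src "):
            parts = line.split()
            cur = {"src": parts[1], "dst": parts[3], "dir": None, "proto": None, "mode": None}
            policies.append(cur)
        elif cur is None:
            continue
        elif line.startswith("dir "):
            cur["dir"] = line.split()[1]
        elif line.startswith("socket "):
            cur["dir"] = "socket"  # per-socket policy, not a tunnel selector
        elif line.startswith("proto "):
            parts = line.split()
            cur["proto"] = parts[1]
            cur["mode"] = parts[parts.index("mode") + 1] if "mode" in parts else None
    return policies


def missing_directions(policies, left_subnet, right_subnet):
    """Return the xfrm directions (out, in, fwd) with no ESP tunnel policy covering
    traffic between the two subnets. A working subnet-to-subnet conn installs all
    three; any direction listed here carries that traffic in the clear."""
    left, right = ipaddress.ip_network(left_subnet), ipaddress.ip_network(right_subnet)
    wanted = {"out": (left, right), "in": (right, left), "fwd": (right, left)}
    found = set()
    for p in policies:
        if p["dir"] not in wanted or p["proto"] != "esp" or p["mode"] != "tunnel":
            continue
        want_src, want_dst = wanted[p["dir"]]
        if (want_src.subnet_of(ipaddress.ip_network(p["src"]))
                and want_dst.subnet_of(ipaddress.ip_network(p["dst"]))):
            found.add(p["dir"])
    return sorted(set(wanted) - found)
```

Feed it the live output of `ip xfrm policy` on each end while the conn is up; an empty list on both hosts means the selectors match the configured subnets, and a non-empty list pinpoints the direction whose policy pluto never installed.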
