[Openswan Users] Problems: protected subnets

SilverTip257 silvertip257 at gmail.com
Sat Feb 26 21:35:14 EST 2011


Hello,

I'm attempting to set up an Openswan to Openswan IPsec tunnel.  I
started out with host-to-host and now I'm attempting a protected
subnet setup.
CentOS = Linux Openswan U2.6.21/K2.6.18-164.el5 (netkey)
Debian = Linux Openswan U2.4.12/K2.6.26-2-686 (netkey)

I'm having problems setting up a host to host with protected subnets.
I can establish and communicate over a host-to-host without subnets
just fine by leaving out the leftsubnet/rightsubnet lines.

# Network Topology
192.168.110.2<-->( 192.168.110.1/30 --|-- 192.168.111.1/30 )<-->192.168.111.2
192.168.110.2 has a subnet behind it 172.16.0.32/27 (actual subnet)
192.168.111.2 has a subnet behind it 10.0.2.0/24 (virtual interface)

I created a MITM setup with a custom Linux router in the middle so I
could sniff all the traffic (to make sure things are truly working).
I have found that if I do not specify the 110 and 111 interfaces (on
the respective hosts) as a default gateway and remove my main network
as a DFGW, usually one end has trouble locating the other.
Because I threw the Linux router in the middle, I expect that's my
doing -- I'm not asking for help on that unless someone has an idea.
But as long as I set the test nics as each host's gateway and
remove the other gateway, it works without a hitch given the simple PSK
config.

# Simple config
conn cent-deb
       authby=secret
       auto=add
       left=192.168.110.2
       right=192.168.111.2

# Subnet config -- the one that's not working
conn cent-deb
       authby=secret
       auto=add
       left=192.168.110.2
       leftsubnet=172.16.0.32/27
       right=192.168.111.2
       rightsubnet=10.0.2.0/24

Regardless of which connection config I use, I still get a message like
the one below every time I bring the conn up.
Proof the tunnel has been established:
# /var/log/auth.log on Debian
# or /var/log/secure on RedHat
Feb 26 20:30:27 debian507-vm pluto[3445]: "cent-deb" #26: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x297c2119 <0x175eddd3 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}

*** When using the subnet config, none of the pings between hosts is
encrypted and additionally...
I have noticed (once I try to bring the tunnel up) that my right
host's routing table has an entry for the leftsubnet 172.16.0.32/27
network, BUT the left host does not have an entry for the rightsubnet
10.0.2.0/24 (which is a virtual interface at the moment - Debian
eth1:1 assigned 10.0.2.1).

Please let me know what additional information is necessary to
troubleshoot this problem.
I can show up in the #openswan IRC channel to answer
questions/troubleshoot as well.

Thank you,
---~~.~~---
Mike
//  SilverTip257  //
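An added check (not part of Mike's post) that models how a conn's traffic selectors decide which packets the kernel will apply ESP to: it parses the two conn blocks quoted above and answers whether a given src->dst flow falls inside the negotiated selectors. It assumes the standard rule that an end with no leftsubnet/rightsubnet covers only the gateway's own address (/32).

```python
import ipaddress

# The two conn blocks from the post, embedded verbatim as sample input.
SIMPLE_CONN = """
conn cent-deb
       authby=secret
       auto=add
       left=192.168.110.2
       right=192.168.111.2
"""
SUBNET_CONN = """
conn cent-deb
       authby=secret
       auto=add
       left=192.168.110.2
       leftsubnet=172.16.0.32/27
       right=192.168.111.2
       rightsubnet=10.0.2.0/24
"""

def parse_conn(text):
    """Return the key=value settings of one ipsec.conf conn block as a dict."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:  # skips the 'conn <name>' line and blanks
            settings[key.strip()] = value.strip()
    return settings

def selectors(conn):
    """Traffic selectors for the conn as (left_net, right_net).
    Assumed rule: no left/rightsubnet means the gateway itself, i.e. a /32."""
    left = ipaddress.ip_network(conn.get("leftsubnet", conn["left"] + "/32"), strict=False)
    right = ipaddress.ip_network(conn.get("rightsubnet", conn["right"] + "/32"), strict=False)
    return left, right

def flow_protected(conn, src, dst):
    """True if a src->dst packet matches the conn's selectors in either direction."""
    left, right = selectors(conn)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in left and d in right) or (s in right and d in left)

if __name__ == "__main__":
    gw = ("192.168.110.2", "192.168.111.2")
    print("host-to-host conn covers gateway pings:", flow_protected(parse_conn(SIMPLE_CONN), *gw))
    print("subnet conn covers gateway pings:", flow_protected(parse_conn(SUBNET_CONN), *gw))
    print("subnet conn covers 172.16.0.33->10.0.2.5:", flow_protected(parse_conn(SUBNET_CONN), "172.16.0.33", "10.0.2.5"))
```

Under the subnet conn only 172.16.0.32/27 <-> 10.0.2.0/24 traffic matches, so pings exchanged between the two gateway addresses themselves fall outside the selectors and go out in the clear even though the SA is up.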

