[Openswan Users] Problems: protected subnets

SilverTip257 silvertip257 at gmail.com
Tue Mar 1 10:10:22 EST 2011 

Well I deserve to be told to "Read the Manual".
http://wiki.openswan.org/index.php/Openswan/MultipleTunnelsBetweenTheSameTwoGateways

My whole problem was that I only established the tunnel between
subneta and subnetb.
Now that I have a proper 4conns configuration my tunnel allows access
between protected hosts and gateways.

subneta-subnetb, subneta-hostb, hosta-subnetb, hosta-hostb

Now it's time for me to look into the use of also= ... my configs are
huge/long right now!

---~~.~~---
Mike
//  SilverTip257  //

Fortune Cookie:  "Digital circuits are made from analog parts."



On Sat, Feb 26, 2011 at 21:35, SilverTip257 <silvertip257 at gmail.com> wrote:
> Hello,
>
> I'm attempting to set up an Openswan to Openswan IPsec tunnel.  I
> started out with host-to-host and now I'm attempting a protected
> subnet setup.
> CentOS = Linux Openswan U2.6.21/K2.6.18-164.el5 (netkey)
> Debian = Linux Openswan U2.4.12/K2.6.26-2-686 (netkey)
>
> I'm having problems setting up a host to host with protected subnets.
> I can establish and communicate over a host-to-host without subnets
> just fine by leaving out the leftsubnet/rightsubnet lines.
>
> # Network Topology
> 192.168.110.2<-->( 192.168.110.1/30 --|-- 192.168.111.1/30 )<-->192.168.111.2
> 192.168.110.2 has a subnet behind it 172.16.0.32/27 (actual subnet)
> 192.168.111.2 has a subnet behind it 10.0.2.0/24 (virtual interface)
>
> I created a MITM setup with a custom Linux router in the middle so I
> could sniff all the traffic (to make sure things are truly working).
> I have found that if I do not specify the 110 and 111 interfaces (on
> the respective hosts) as a default gateway and remove my main network
> as a DFGW that usually one end has trouble locating the other.
> Because I threw the Linux router in the middle, that's my doing I
> expect -- I'm not asking for help on that unless someone has an idea.
> But as long as I set the test nics as the each host's gateway and
> remove the other gateway it works without a hitch given the simple PSK
> config.
>
> # Simple config
> conn cent-deb
>       authby=secret
>       auto=add
>       left=192.168.110.2
>       right=192.168.111.2
>
> # Subnet config -- the one that's not working
> conn cent-deb
>       authby=secret
>       auto=add
>       left=192.168.110.2
>       leftsubnet=172.16.0.32/27
>       right=192.168.111.2
>       rightsubnet=10.0.2.0/24
>
> Regardless of which connection config I use I still get a message like
> below every time I bring the conn up.
> Proof the tunnel has been established:
> # /var/log/auth.log on Debian
> # or /var/log/secure on RedHat
> Feb 26 20:30:27 debian507-vm pluto[3445]: "cent-deb" #26:
> STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x297c2119
> <0x175eddd3 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
>
> *** When using the subnet config, none of the pings between hosts is
> encrypted and additionally...
> I have noticed (once I try to bring the tunnel up) that my right
> host's routing table has an entry for the leftsubnet 172.16.0.32/27
> network, BUT the left host does not have an entry for the rightsubnet
> 10.0.2.0/24 (which is a virtual interface at the moment - Debian
> eth1:1 assigned 10.0.2.1).
>
> Please let me know what additional information is necessary to
> troubleshoot this problem.
> I can show up in the #openswan IRC channel to answer
> questions/troubleshoot as well.
>
> Thank you,
> ---~~.~~---
> Mike
> //  SilverTip257  //
>

More information about the Users mailing list