[Openswan Users] Problems: protected subnets

SilverTip257 silvertip257 at gmail.com
Thu Mar 3 10:26:10 EST 2011


Thank you Nick.
Configuration tested and working as expected.

True - I can contact my gateways via LAN IP address and still have it
encrypted.  Not gateway address.
This phrase rings true:
"It does not replace the conn northgate-southgate"
Bottom of http://wiki.openswan.org/index.php/Openswan/MultipleTunnelsBetweenTheSameTwoGateways
(same link as before)

Whether that is a problem is up the sysadmin (thus justifying a
gw-to-gw conn).  Either way using the adv routing conn results in
_two_ conns total if end-to-end IPsec is required for gw hosts --
versus the four conn config I wrote about a day ago.  I'm not certain
I need the gw-to-gw, but I can decide that.  I already have the conns
written up for it! ;)

QUESTION:  Is it a general rule that for each conn block there will be
one tunnel established?  What I'm getting at is the overhead with four
conns versus the advanced routing setup.  Now that I have a working
setup, I can nitpick to get the best/better setup.
( 1st = Time to ditch my PSKs. :P )

---~~.~~---
Mike
//  SilverTip257  //



On Tue, Mar 1, 2011 at 14:49, Nick Howitt <n1ck.h0w1tt at gmail.com> wrote:
> Mike,
>
> If you can, the "One tunnel plus advanced routing" example in your link with
> the left/rightsourceip is simpler, and despite the big bold letters below
> the example, it allows you to access the remote gateway by its LAN IP.
>
> Nick
>
> On 01/03/2011 15:10, SilverTip257 wrote:
>>
>> Well I deserve to be told to "Read the Manual".
>>
>> http://wiki.openswan.org/index.php/Openswan/MultipleTunnelsBetweenTheSameTwoGateways
>>
>> My whole problem was that I only established the tunnel between
>> subneta and subnetb.
>> Now that I have a proper 4conns configuration my tunnel allows access
>> between protected hosts and gateways.
>>
>> subneta-subnetb, subneta-hostb, hosta-subnetb, hosta-hostb
>>
>> Now it's time for me to look into the use of also= ... my configs are
>> huge/long right now!
>>
>> ---~~.~~---
>> Mike
>> //  SilverTip257  //
>>
>> Fortune Cookie:  "Digital circuits are made from analog parts."
>>
>>
>>
>> On Sat, Feb 26, 2011 at 21:35, SilverTip257<silvertip257 at gmail.com>
>>  wrote:
>>>
>>> Hello,
>>>
>>> I'm attempting to set up an Openswan to Openswan IPsec tunnel.  I
>>> started out with host-to-host and now I'm attempting a protected
>>> subnet setup.
>>> CentOS = Linux Openswan U2.6.21/K2.6.18-164.el5 (netkey)
>>> Debian = Linux Openswan U2.4.12/K2.6.26-2-686 (netkey)
>>>
>>> I'm having problems setting up a host to host with protected subnets.
>>> I can establish and communicate over a host-to-host without subnets
>>> just fine by leaving out the leftsubnet/rightsubnet lines.
>>>
>>> # Network Topology
>>> 192.168.110.2<-->( 192.168.110.1/30 --|-- 192.168.111.1/30
>>> )<-->192.168.111.2
>>> 192.168.110.2 has a subnet behind it 172.16.0.32/27 (actual subnet)
>>> 192.168.111.2 has a subnet behind it 10.0.2.0/24 (virtual interface)
>>>
>>> I created a MITM setup with a custom Linux router in the middle so I
>>> could sniff all the traffic (to make sure things are truly working).
>>> I have found that if I do not specify the 110 and 111 interfaces (on
>>> the respective hosts) as a default gateway and remove my main network
>>> as a DFGW that usually one end has trouble locating the other.
>>> Because I threw the Linux router in the middle, that's my doing I
>>> expect -- I'm not asking for help on that unless someone has an idea.
>>> But as long as I set the test nics as the each host's gateway and
>>> remove the other gateway it works without a hitch given the simple PSK
>>> config.
>>>
>>> # Simple config
>>> conn cent-deb
>>>       authby=secret
>>>       auto=add
>>>       left=192.168.110.2
>>>       right=192.168.111.2
>>>
>>> # Subnet config -- the one that's not working
>>> conn cent-deb
>>>       authby=secret
>>>       auto=add
>>>       left=192.168.110.2
>>>       leftsubnet=172.16.0.32/27
>>>       right=192.168.111.2
>>>       rightsubnet=10.0.2.0/24
>>>
>>> Regardless of which connection config I use I still get a message like
>>> below every time I bring the conn up.
>>> Proof the tunnel has been established:
>>> # /var/log/auth.log on Debian
>>> # or /var/log/secure on RedHat
>>> Feb 26 20:30:27 debian507-vm pluto[3445]: "cent-deb" #26:
>>> STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x297c2119
>>> <0x175eddd3 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
>>>
>>> *** When using the subnet config, none of the pings between hosts is
>>> encrypted and additionally...
>>> I have noticed (once I try to bring the tunnel up) that my right
>>> host's routing table has an entry for the leftsubnet 172.16.0.32/27
>>> network, BUT the left host does not have an entry for the rightsubnet
>>> 10.0.2.0/24 (which is a virtual interface at the moment - Debian
>>> eth1:1 assigned 10.0.2.1).
>>>
>>> Please let me know what additional information is necessary to
>>> troubleshoot this problem.
>>> I can show up in the #openswan IRC channel to answer
>>> questions/troubleshoot as well.
>>>
>>> Thank you,
>>> ---~~.~~---
>>> Mike
>>> //  SilverTip257  //
>>>
>> _______________________________________________
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>


More information about the Users mailing list