[Openswan Users] Multi-hop IPSec

Kevin Keane (subscriptions) subscription at kkeane.com
Fri Nov 18 20:40:25 EST 2011


> -----Original Message-----
> On Fri, 18 Nov 2011, Kevin Keane (subscriptions) wrote:
> 
> > In my situation, I really have two hubs chained together.
> >
> > Leaf 1                 hub 1                       hub 2                leaf 2
> > 10.0.1.0/24  ==== 10.0.2.0/24
> > 57.0.1.0/24           57.0.2.0/24 ==== 10.0.4.0/24 ------- 10.0.3.0/24

I have two separate IPSec connections here. One goes from leaf1 to hub1 (or from 10.0.1.0/24 to 10.0.2.0/24), the other goes from hub1 to hub2 (or from 57.0.2.0 to 10.0.4.0). I just changed the above illustration slightly and used === to identify IPSec connections, ----- to identify unencrypted connections.

> not sure i understand this, but if you want 10.0.1.0/24 to reach 10.0.3.0/24,
> then you need to build an ipsec tunnel with leftsubnet=10.0.1.0/24 and
> rightsubnet=10.0.3.0/24 If you also want to reach 10.0.4.0/24 from
> 10.0.1.0/24 then you need to add a second conn for that or use
> rightsubnets={10.0.2.0/24, 10.0.3.0/24}

The connection 57.0.2.0 === 10.0.4.0 has the following:

leftsubnet=10.0.3.0/24
rightsubnets={10.0.2.0/24,10.0.1.0/24}

The connection 10.0.1.0====10.0.2.0 has the following

leftsubnet=10.0.1.0/24
rightsubnet=10.0.2.0/24

I also tried:
leftsubnet=10.0.1.0/24
rightsubnets=10.0.2.0/24,10.0.3.0/24

But when I do that, leaf1 can't connect to hub1. The log file on hub1 shows:

initial Main Mode message received on 10.0.1.0:500 but no connection has been authorized with policy=RSASIG

(even though everything else on that connection remained unchanged).

> If the ipsec gateway is not "in the path" of the default route, then yes, leaf1
> machines will need a route to point to the ipsec gateway instead of the default
> gateway.

Thanks for clarifying that!

> What I meant was if you have one ipsec tunnel, you cannot just
> "route add" arbitrary networks in it unless you build something evil like a
> 0/0 <-> 0/0 tunnel.
> 
> Paul
> 
> > I had already configured the sysctl.conf settings - I just double-checked:
> >
> > net.ipv4.conf.all.accept_redirects = 0
> > net.ipv4.conf.all.send_redirects = 0
> > net.ipv4.conf.default.accept_redirects = 0
> > net.ipv4.conf.default.send_redirects = 0
> >
> >> -----Original Message-----
> >> From: Paul Wouters [mailto:paul at xelerance.com]
> >> Sent: Friday, November 18, 2011 8:41 AM
> >> To: Kevin Keane (subscriptions)
> >> Cc: users at openswan.org
> >> Subject: Re: [Openswan Users] Multi-hop IPSec
> >>
> >> On Fri, 18 Nov 2011, Kevin Keane (subscriptions) wrote:
> >>
> >> You cannot "route add" into an ipsec tunnel. These tunnels have policy
> >> checks.
> >>
> >> Either you setup a subnet-0.0.0.0/0 from leaf to hub, so the other
> >> leaves are covered in that tunnel, or you need to have separate
> >> tunnels defined via the hub, so subA-hub and subA-subB on each leaf
> >> (and hub)
> >>
> >> say:
> >>
> >> Leaf 1                 hub                  leaf 2
> >> 10.0.1.0/24  ------ 10.0.2.0/24 --------- 10.0.3.0/24
> >>
> >> Then on leaf one you need:
> >>
> >> conn tohub
> >>    leftsubnet=10.0.1.0/24
> >>    rightsubnet=10.0.2.0/24
> >>
> >> conn toleaf2
> >>    leftsubnet=10.0.1.0/24
> >>    rightsubnet=10.0.3.0/24
> >>
> >> You also need to exclude NAT from 10.0.1.0/24 to both 10.0.2.0/24 and
> >> 10.0.3.0/24.
> >>
> >> And repeat this on leaf2. And on hub ensure it can route from one
> >> tunnel into the next, which with NETKEY can get tricky if this is the same
> >> physical interface.
> >> Look at the sysctl.conf we ship as example to suppress NETKEY from
> >> causing bogus redirect ICMP packets.
> >>
> >> Paul
> >>
> >>> Date: Fri, 18 Nov 2011 07:11:23
> >>> From: "Kevin Keane (subscriptions)" <subscription at kkeane.com>
> >>> To: "users at openswan.org" <users at openswan.org>
> >>> Subject: [Openswan Users] Multi-hop IPSec
> >>> X-Spam-Flag: NO
> >>>
> >>> I would like to connect two sites with IPSec, and would like some
> >>> help setting it up correctly. Most everything works, except that the
> >>> two private subnets behind the gateways can't reach each other.
> >>>
> >>> All devices use openswan 2.6.21 on CentOS 5.7, except for a fairly
> >>> new Sonicwall device.
> >>>
> >>> Site 1 has an unencrypted 192.168.0.0 network behind a Sonicwall gateway.
> >>>
> >>> Site 2 consists of two computers in a data center. Each computer has
> >>> two NICs - one has a public IP address and connects to the Internet,
> >>> the other connects to a private network in a 10.1.2.0 network. The
> >>> private network is untrusted, so I am using IPSec over the 10.1.2.0
> >>> network to connect the two servers. I also want to use one of these
> >>> two computers as a gateway to an IPSec connection to the Sonicwall.
> >>>
> >>> Individually, these two IPSec connections work without a problem.
> >>> But traffic from the non-gateway computer to the network behind the
> >>> Sonicwall does not work, even though IP forwarding is enabled.
> >>>
> >>> Here is a diagram:
> >>>
> >>> Server 1 public (eth0,57.6.7.8 - default GW) Server 1 private (eth1,10.1.2.17)
> >>>        ||
> >>> Server 2 private (eth1,10.1.2.98)
> >>> Server 2 public (eth0,57.3.4.5 - default GW) ===== Sonicwall gateway (68.6.7.8) ------ 192.168.0.0/24
> >>>
> >>> The connection between Server 2 and Sonicwall has
> >>>
> >>> leftsubnets=10.1.2.98/32,10.1.2.17/32,57.3.4.5/32
> >>> rightsubnet=192.168.0.0/24
> >>>
> >>> The connection between Server 2 and Server 1 has
> >>>
> >>> leftsubnet=10.1.2.98/32
> >>> rightsubnet=10.1.2.17/32
> >>>
> >>> I also added a route on Server 1: 192.168.0.0/24 via 10.1.2.98 dev eth1
> >>>
> >>> With this configuration, I can ping between Server 2 and 192.168.0.19.
> >>> I cannot ping between Server 1 and 192.168.0.19.
> >>>
> >>> Any idea about where I may have gone wrong would help!
> >>>
> >>> How would I go about troubleshooting this problem?
> >>>
> >>> Thanks!
> >>>
> >>>
> >>> _______________________________________________
> >>> Users at openswan.org
> >>> http://lists.openswan.org/mailman/listinfo/users
> >>> Micropayments:
> >>> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> >>> Building and Integrating Virtual Private Networks with Openswan:
> >>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> >>>
> >

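Added example, not from the thread and not Openswan's shipped configuration: complete ipsec.conf fragments for the three-node layout in Paul's reply (leaf1 = 10.0.1.0/24, hub = 10.0.2.0/24, leaf2 = 10.0.3.0/24), one file per host, showing both the leaf side and the hub side that Paul only describes in words. The gateway addresses 192.0.2.1/.2/.3, the @leaf1/@hub/@leaf2 IDs and the 0sAQ... key values are assumed placeholders; the real keys come from "ipsec showhostkey --left" / "ipsec showhostkey --right" on each host.

```ini
# Added example (not from the thread). Addresses, IDs and keys are placeholders.

# ===== /etc/ipsec.conf on leaf 1 (gateway for 10.0.1.0/24) =====
config setup
        protostack=netkey

conn %default
        authby=rsasig
        left=192.0.2.1
        leftid=@leaf1
        leftrsasigkey=0sAQ...
        right=192.0.2.2
        rightid=@hub
        rightrsasigkey=0sAQ...
        auto=start

# One conn per (local subnet, remote subnet) pair: a plain "route add" into a
# tunnel does nothing, because the kernel's IPsec policy is keyed on these
# selectors, not on the routing table.
conn leaf1-hub
        leftsubnet=10.0.1.0/24
        rightsubnet=10.0.2.0/24

# Leaf 2's LAN is reached through the hub, so the IKE peer is still the hub;
# only the traffic selector changes.
conn leaf1-leaf2
        leftsubnet=10.0.1.0/24
        rightsubnet=10.0.3.0/24

# Leaf 2 is the mirror image: left=192.0.2.3, leftsubnet=10.0.3.0/24, with
# conns leaf2-hub (rightsubnet=10.0.2.0/24) and leaf2-leaf1 (rightsubnet=10.0.1.0/24).

# ===== /etc/ipsec.conf on the hub (gateway for 10.0.2.0/24) =====
config setup
        protostack=netkey

conn %default
        authby=rsasig
        left=192.0.2.2
        leftid=@hub
        leftrsasigkey=0sAQ...
        auto=add

conn hub-leaf1
        right=192.0.2.1
        rightid=@leaf1
        rightrsasigkey=0sAQ...
        leftsubnet=10.0.2.0/24
        rightsubnet=10.0.1.0/24

conn hub-leaf2
        right=192.0.2.3
        rightid=@leaf2
        rightrsasigkey=0sAQ...
        leftsubnet=10.0.2.0/24
        rightsubnet=10.0.3.0/24

# Leaf-to-leaf traffic: the hub terminates both halves, so each half is a conn
# whose "local" subnet is the other leaf's LAN. A packet from 10.0.1.0/24 to
# 10.0.3.0/24 is decrypted under leaf1-to-leaf2, forwarded (net.ipv4.ip_forward=1),
# and re-encrypted under leaf2-to-leaf1.
conn leaf1-to-leaf2
        right=192.0.2.1
        rightid=@leaf1
        rightrsasigkey=0sAQ...
        leftsubnet=10.0.3.0/24
        rightsubnet=10.0.1.0/24

conn leaf2-to-leaf1
        right=192.0.2.3
        rightid=@leaf2
        rightrsasigkey=0sAQ...
        leftsubnet=10.0.1.0/24
        rightsubnet=10.0.3.0/24
```

Two checks worth running after loading this: "ipsec auto --status" should list every conn above on each host (a conn that failed to parse is simply absent, and pluto then has nothing to match an incoming Main Mode against), and once the tunnels are up "ip xfrm policy" on the hub should show an in/fwd policy and an out policy for each subnet pair, which is what actually carries a decrypted leaf1 packet into the leaf2 tunnel. As Paul notes, any gateway that masquerades its LAN must exempt tunnel traffic from NAT, for example an "iptables -t nat -I POSTROUTING -s 10.0.1.0/24 -d 10.0.3.0/24 -j ACCEPT" on leaf 1 ahead of its MASQUERADE rule, one such rule per remote subnet, and the send_redirects/accept_redirects sysctls from earlier in the thread should stay at 0 on the hub, since it forwards between two tunnels on the same interface.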

