[Openswan Users] Multi-hop IPSec

Kevin Keane (subscriptions) subscription at kkeane.com
Sun Nov 20 19:51:06 EST 2011


I think I may be close to solving it. I think my data center may have a firewall between the leaf and hub1 (the 10.0.1.0 and 10.0.2.0 networks in the diagram below) that blocks traffic outside the two destinations.

If I remember right, IPSec does not do true tunneling. So my solution would be to build a network of L2TP tunnels on top of IPSec.

Thanks for your help! It really got my mind jogging.

> -----Original Message-----
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org]
> On Behalf Of Kevin Keane (subscriptions)
> Sent: Friday, November 18, 2011 5:40 PM
> To: undisclosed-recipients
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] Multi-hop IPSec
> 
> > -----Original Message-----
> > On Fri, 18 Nov 2011, Kevin Keane (subscriptions) wrote:
> >
> > > In my situation, I really have two hubs chained together.
> > >
> > > Leaf 1                 hub 1                       hub 2                leaf 2
> > > 10.0.1.0/24  ==== 10.0.2.0/24
> > > 57.0.1.0/24           57.0.2.0/24 ==== 10.0.4.0/24 ------- 10.0.3.0/24
> 
> I have two separate IPSec connections here. One goes from leaf1 to hub1 (or
> from 10.0.1.0/24 to 10.0.2.0/24), the other goes from hub1 to hub2 (or from
> 57.0.2.0 to 10.0.4.0). I just changed the above illustration slightly and used ===
> to identify IPSec connections, ----- to identify unencrypted connections.
> 
> > not sure i understand this, but if you want 10.0.1.0/24 to reach
> > 10.0.3.0/24, then you need to build an ipsec tunnel with
> > leftsubnet=10.0.1.0/24 and
> > rightsubnet=10.0.3.0/24. If you also want to reach 10.0.4.0/24 from
> > 10.0.1.0/24 then you need to add a second conn for that or use
> > rightsubnets={10.0.2.0/24, 10.0.3.0/24}
> 
> The connection 57.0.2.0 === 10.0.4.0 has the following:
> 
> Leftsubnet=10.0.3.0/24
> Rightsubnets={10.0.2.0/24,10.0.1.0/24}
> 
> The connection 10.0.1.0====10.0.2.0 has the following
> 
> Leftsubnet=10.0.1.0/24
> Rightsubnet=10.0.2.0/24
> 
> I also tried:
> Leftsubnet=10.0.1.0/24
> Rightsubnets=10.0.2.0/24,10.0.3.0/24
> 
> But when I do that, leaf1 can't connect to hub1. The log file on hub1 shows:
> 
> initial Main Mode message received on 10.0.1.0:500 but no connection has been authorized with policy=RSASIG
> 
> (even though everything else on that connection remained unchanged).
> 
> > If the ipsec gateway is not "in the path" of the default route, then
> > yes, leaf1 machines will need a route to point to the ipsec gateway
> > instead of the default gateway.
> 
> Thanks for clarifying that!
> 
> > What I meant was if you have one ipsec tunnel, you cannot just "route
> > add" arbitrary networks in it unless you build something evil like a
> > 0/0 <-> 0/0 tunnel.
> >
> > Paul
> >
> > > I had already configured the sysctl.conf settings - I just double-checked:
> > >
> > > net.ipv4.conf.all.accept_redirects = 0
> > > net.ipv4.conf.all.send_redirects = 0
> > > net.ipv4.conf.default.accept_redirects = 0
> > > net.ipv4.conf.default.send_redirects = 0
> > >
> > >> -----Original Message-----
> > >> From: Paul Wouters [mailto:paul at xelerance.com]
> > >> Sent: Friday, November 18, 2011 8:41 AM
> > >> To: Kevin Keane (subscriptions)
> > >> Cc: users at openswan.org
> > >> Subject: Re: [Openswan Users] Multi-hop IPSec
> > >>
> > >> On Fri, 18 Nov 2011, Kevin Keane (subscriptions) wrote:
> > >>
> > >> You cannot "route add" into an ipsec tunnel. These tunnels have
> > >> policy checks.
> > >>
> > >> Either you setup a subnet-0.0.0.0/0 from leaf to hub, so the other
> > >> leaves are covered in that tunnel, or you need to have separate
> > >> tunnels defined via the hub, so subA-hub and subA-subB on each
> > >> leaf (and hub)
> > >>
> > >> say:
> > >>
> > >> Leaf 1                 hub                  leaf 2
> > >> 10.0.1.0/24  ------ 10.0.2.0/24 --------- 10.0.3.0/24
> > >>
> > >> Then on leaf one you need:
> > >>
> > >> conn tohub
> > >>    leftsubnet=10.0.1.0/24
> > >>    rightsubnet=10.0.2.0/24
> > >>
> > >> conn toleaf2
> > >>    leftsubnet=10.0.1.0/24
> > >>    rightsubnet=10.0.3.0/24
> > >>
> > >> You also need to exclude NAT from 10.0.1.0/24 to both 10.0.2.0/24
> > >> and 10.0.3.0/24.
> > >>
> > >> And repeat this on leaf2. And on hub ensure it can route from one
> > >> tunnel into the next, which with NETKEY can get tricky if this is
> > >> the same physical interface.
> > >> Look at the sysctl.conf we ship as example to suppress NETKEY from
> > >> causing bogus redirect ICMP packets.
> > >>
> > >> Paul
> > >>
> > >>> Date: Fri, 18 Nov 2011 07:11:23
> > >>> From: "Kevin Keane (subscriptions)" <subscription at kkeane.com>
> > >>> To: "users at openswan.org" <users at openswan.org>
> > >>> Subject: [Openswan Users] Multi-hop IPSec
> > >>> X-Spam-Flag: NO
> > >>>
> > >>> I would like to connect two sites with IPSec, and would like some
> > >>> help setting it up correctly. Most everything works, except that the
> > >>> two private subnets behind the gateways can't reach each other.
> > >>>
> > >>> All devices use openswan 2.6.21 on CentOS 5.7, except for a fairly
> > >>> new Sonicwall device.
> > >>>
> > >>> Site 1 has an unencrypted 192.168.0.0 network behind a Sonicwall
> > >>> gateway.
> > >>>
> > >>> Site 2 consists of two computers in a data center. Each computer
> > >>> has two NICs - one has a public IP address and connects to the Internet,
> > >>> the other connects to a private network in a 10.1.2.0 network. The
> > >>> private network is untrusted, so I am using IPSec over the 10.1.2.0
> > >>> network to connect the two servers. I also want to use one of these
> > >>> two computers as a gateway to an IPSec connection to the Sonicwall.
> > >>>
> > >>> Individually, these two IPSec connections work without a problem.
> > >>> But traffic from the non-gateway computer to the network behind the
> > >>> Sonicwall does not work, even though IP forwarding is enabled.
> > >>>
> > >>> Here is a diagram:
> > >>>
> > >>> Server 1 public (eth0,57.6.7.8 - default GW)   Server 1 private (eth1,10.1.2.17)
> > >>>                                                        ||
> > >>>                                                Server 2 private (eth1,10.1.2.98)
> > >>> Server 2 public (eth0,57.3.4.5 - default GW) ===== Sonicwall gateway (68.6.7.8) ------ 192.168.0.0/24
> > >>>
> > >>> The connection between Server 2 and Sonicwall has
> > >>>
> > >>> Leftsubnets=10.1.2.98/32,10.1.2.17/32,57.3.4.5/32
> > >>> Rightsubnet=192.168.0.0/24
> > >>>
> > >>> The connection between Server 2 and Server 1 has
> > >>>
> > >>> Leftsubnet=10.1.2.98/32
> > >>> Rightsubnet=10.1.2.17/32
> > >>>
> > >>> I also added a route on Server 1: 192.168.0.0/24 via 10.1.2.98 dev
> > >>> eth1
> > >>>
> > >>> With this configuration, I can ping between Server 2 and
> > >>> 192.168.0.19. I cannot ping between Server 1 and 192.168.0.19.
> > >>>
> > >>> Any idea about where I may have gone wrong would help!
> > >>>
> > >>> How would I go about troubleshooting this problem?
> > >>>
> > >>> Thanks!
> > >>>
> > >>>
> > >>> _______________________________________________
> > >>> Users at openswan.org
> > >>> http://lists.openswan.org/mailman/listinfo/users
> > >>> Micropayments:
> > >>> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > >>> Building and Integrating Virtual Private Networks with Openswan:
> > >>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> > >>>
> > >
> > >
> 
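The point Paul makes in the thread, that you cannot "route add" into an IPsec tunnel because NETKEY applies policy checks, is easy to see by modelling the Security Policy Database (SPD) lookup. The script below is an added example, not code from the Openswan project or from anyone on the thread. It expands Openswan-style conn definitions into per-subnet policies and answers the only question the kernel asks before protecting a packet: does some policy cover both the source and the destination? The subnets are the hub-and-leaf ones from the thread's diagram (leaf1 10.0.1.0/24, hub 10.0.2.0/24, leaf2 10.0.3.0/24) and the conn names `tohub` and `toleaf2` are Paul's; the sample source addresses and the per-subnet instance labels are my own assumptions.

```python
"""Model of the IPsec policy check described on the thread (added example).

A kernel route only picks a next hop. Whether a packet is encrypted is decided
by the SPD: it needs a policy whose left selector contains the source and whose
right selector contains the destination. With only `conn tohub` on leaf1,
traffic to leaf2 has no matching policy and is never tunnelled, however many
routes are added; `conn toleaf2` (or `rightsubnets=`) supplies that policy.
"""
from ipaddress import ip_address, ip_network


def build_spd(conns):
    """Expand conn definitions into (label, leftsubnet, rightsubnet) policies.

    A `rightsubnets` list becomes one policy per subnet; the "/1xN" label used
    here for those instances is an assumption for readability, not a claim
    about Openswan's exact naming.
    """
    spd = []
    for name, conn in conns.items():
        left = ip_network(conn["leftsubnet"])
        rights = conn.get("rightsubnets") or [conn["rightsubnet"]]
        for idx, right in enumerate(rights, start=1):
            label = name if len(rights) == 1 else f"{name}/1x{idx}"
            spd.append((label, left, ip_network(right)))
    return spd


def lookup_policy(spd, src, dst):
    """Return the label of the first policy covering src -> dst, else None."""
    s, d = ip_address(src), ip_address(dst)
    for label, left, right in spd:
        if s in left and d in right:
            return label
    return None


# Constructed leaf1 configurations: before and after applying Paul's advice.
LEAF1_BEFORE = {
    "tohub": {"leftsubnet": "10.0.1.0/24", "rightsubnet": "10.0.2.0/24"},
}
LEAF1_AFTER = {
    "tohub": {"leftsubnet": "10.0.1.0/24", "rightsubnet": "10.0.2.0/24"},
    "toleaf2": {"leftsubnet": "10.0.1.0/24", "rightsubnet": "10.0.3.0/24"},
}
# Equivalent single conn using rightsubnets=, as Paul also suggested.
LEAF1_RIGHTSUBNETS = {
    "tohub": {"leftsubnet": "10.0.1.0/24",
              "rightsubnets": ["10.0.2.0/24", "10.0.3.0/24"]},
}


def leaf1_reach(conns, dst, src="10.0.1.10"):
    """Which policy (if any) would carry a packet from a leaf1 host to dst."""
    return lookup_policy(build_spd(conns), src, dst)


def missing_policies(conns, local, remotes):
    """List the remote subnets that have no policy from `local`.

    This is the check to run before blaming routing or a firewall: the first
    usable host of each subnet stands in for "any host" since selectors are
    whole networks here.
    """
    spd = build_spd(conns)
    probe_src = str(ip_network(local)[1])
    return [r for r in remotes
            if lookup_policy(spd, probe_src, str(ip_network(r)[1])) is None]


if __name__ == "__main__":
    for title, conns in (("before", LEAF1_BEFORE), ("after", LEAF1_AFTER),
                         ("rightsubnets", LEAF1_RIGHTSUBNETS)):
        print(f"{title}: hub -> {leaf1_reach(conns, '10.0.2.5')}, "
              f"leaf2 -> {leaf1_reach(conns, '10.0.3.5')}, "
              f"missing={missing_policies(conns, '10.0.1.0/24', ['10.0.2.0/24', '10.0.3.0/24'])}")
```

Run it with `python3 spd_check.py` (any file name works). The "before" line shows leaf2 unreachable with no missing route involved, which matches the symptom in the thread; the hub side needs the mirror-image policies plus forwarding between the two tunnels, which the model does not cover.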