[Openswan Users] Openswan and routing using NETKEY.

Kevin Wilson wkevils at gmail.com
Sun Oct 2 13:21:37 EDT 2011


Hi,
My question is regarding openswan and routing using NETKEY.
I have three machines; I want to set up routing on machine B so
traffic sent from A to C will
be ESP encrypted (tunnel mode or transport mode). I must use NETKEY.

----------------------      ----------------------------------      ------------------------
|                    |      |                                |      |                      |
| 1.1.1.6 (eth0)     | ---- | 1.1.1.196 (eth1)               |      |                      |
|                    |      |                                |      |                      |
|                    |      |          192.168.1.196 (eth0)  | ---- | 192.168.1.197 (eth1) |
|                    |      |                                |      |                      |
----------------------      ----------------------------------      ------------------------
          A                                  B                                  C

Setup:
Openswan (2.6.29) runs on machines A and B.
I need to run NETKEY on both machines (and not KLIPS).

On machine A:
	- eth0 has 1.1.1.6; connected directly to machine B (via eth1 of machine B).
	- Can ping 1.1.1.196.

On machine B:
	- eth1 has 1.1.1.196; connected directly to machine A via eth0 of machine A;
	  able to ping 1.1.1.6 before starting the ipsec service.
	- eth0 has 192.168.1.196; connected directly to machine C via eth1 of machine C;
	  able to ping 192.168.1.197.

On machine C:
	- eth1 has 192.168.1.197. Connected directly to machine B and can ping 192.168.1.196.
	
Now, I want to create tunnel mode with routing between A and C using openswan.
What I mean is that traffic going from A to C will go via B.
Thus, the traffic which C sends to A and that A receives will be ESP encrypted.

I tried this /etc/ipsec.conf:

config setup
	protostack=netkey

conn sample
	type=tunnel
	left=1.1.1.6
	right=1.1.1.196
	authby=secret
	auto=start

but traffic (ping, for example) sent from A to C was not ESP encrypted.
I should add that I added this routing rule on A:
route add 192.168.1.197 gw 1.1.1.196

I had also tried using subnets, as in the following /etc/ipsec.conf:

config setup
	protostack=netkey

conn sample
	type=tunnel
	left=1.1.1.6
	leftsubnet=192.168.0.0/24
	leftnexthop=1.1.1.196
	right=1.1.1.196
	rightsubnet=10.0.0.0/24
	rightnexthop=1.1.1.6
	authby=secret
	auto=start

And I added the IP address 10.0.0.10 on eth0:0 of A, and 192.168.0.10
on eth1:0 of B.

I added a routing rule:
route add 192.168.0.10 gw 1.1.1.196
Still, pinging from A thus:
ping -I 10.0.0.10 192.168.0.10
does get a reply; but the traffic is plain ICMP, and not ESP encrypted.

Could it be that the problem is assigning IP addresses on eth0:0 and eth1:0?

The same goes when I try to send traffic to machine C after
configuring IP addresses there correspondingly (on eth1:0 of C).

Please advise: what should I do to achieve ESP encryption with NETKEY
with routing between A and C?


Rgs,
Kevin
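As an added example, not part of Kevin's post or of Openswan itself, the following Python models the traffic selectors NETKEY derives from a conn (the outbound policy on the left host selects src=leftsubnet, dst=rightsubnet, and a missing subnet defaults to the endpoint's own address as a /32, as ipsec.conf(5) describes) and checks whether a given packet falls under them. The two conns mirror the two ipsec.conf attempts in the post, and the packet addresses are the ones the post uses.

```python
import ipaddress

# Constructed model (not Openswan code): the traffic selectors NETKEY installs
# for a conn. Assumption: a missing leftsubnet/rightsubnet defaults to the
# endpoint address itself as a /32, as ipsec.conf(5) describes.

def selectors(conn):
    """Return (leftsubnet, rightsubnet) as networks for a conn dict."""
    left = ipaddress.ip_network(conn.get("leftsubnet", conn["left"] + "/32"))
    right = ipaddress.ip_network(conn.get("rightsubnet", conn["right"] + "/32"))
    return left, right

def outbound_policy(conn, host):
    """Selector (src, dst) of the 'out' policy on the endpoint `host`."""
    left, right = selectors(conn)
    if host == conn["left"]:
        return left, right   # on the left host: leftsubnet -> rightsubnet
    if host == conn["right"]:
        return right, left   # on the right host: rightsubnet -> leftsubnet
    raise ValueError(f"{host} is not an endpoint of this conn")

def is_protected(conn, host, src, dst):
    """True if a packet src->dst leaving `host` is selected for ESP."""
    sel_src, sel_dst = outbound_policy(conn, host)
    return (ipaddress.ip_address(src) in sel_src
            and ipaddress.ip_address(dst) in sel_dst)

# Constructed conns mirroring the two ipsec.conf attempts in the post.
HOST_TO_HOST = {"left": "1.1.1.6", "right": "1.1.1.196"}
WITH_SUBNETS = {"left": "1.1.1.6", "leftsubnet": "192.168.0.0/24",
                "right": "1.1.1.196", "rightsubnet": "10.0.0.0/24"}

if __name__ == "__main__":
    a = "1.1.1.6"
    # First attempt: only A<->B host traffic is selected, so a ping from A
    # to C's 192.168.1.197 leaves in the clear even when routed via B.
    print(is_protected(HOST_TO_HOST, a, a, "192.168.1.197"))          # False
    print(is_protected(HOST_TO_HOST, a, a, "1.1.1.196"))              # True
    # Second attempt: 'ping -I 10.0.0.10 192.168.0.10' from A has its source
    # inside rightsubnet, but A is the left end, whose out policy selects
    # 192.168.0.0/24 -> 10.0.0.0/24; the reverse direction would be selected.
    print(is_protected(WITH_SUBNETS, a, "10.0.0.10", "192.168.0.10"))  # False
    print(is_protected(WITH_SUBNETS, a, "192.168.0.10", "10.0.0.10"))  # True
```

On the real hosts, `ip xfrm policy` lists the selectors NETKEY actually installed, which is the quickest way to compare them against this model.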