[Openswan Users] Openswan and routing using NETKEY.

Kevin Wilson wkevils at gmail.com
Mon Oct 3 11:43:40 EDT 2011


HI,
Thanks a lot for your quick response ! I appreciate it.

I am attaching a PDF of the setup diagram. I should have
done something like it in the first place.

>It looks like your 192.168.1.0/24 lives at two places at once?

I have 192.168.1.196 on machine B, and 192.168.1.197 on machine C, which is
connected directly to 192.168.1.196 via a cable.

>no idea where 192.168.0.* suddenly comes from ?
It is just a subnet number I chose when trying to work with subnets.
See in my second ipsec.conf:
...
 conn sample
        type=tunnel
        left=1.1.1.6
        leftsubnet=192.168.0.0/24
        ...
		
As a matter of fact, I can set up these three machines as I want. In case
there is a different recommended setup where I can know that with Netkey
ESP tunneling encryption is done when one machine is performing routing,
I will be glad to hear it.

>Note you cannot see outgoing ESP packets with NETKEY on the machine itself,
>so be careful using tcpdump
Is there any other way to know on this machine itself (like
cat /proc/net/xfrm_stat?)


rgs,
Kevin

On Mon, Oct 3, 2011 at 5:13 PM, Paul Wouters <paul at xelerance.com> wrote:
> On Sun, 2 Oct 2011, Kevin Wilson wrote:
>
>> My question is regarding openswan and routing using NETKEY.
>> I have three machines; I want to  setup routing on machine B so
>> traffic sent from A to C will
>> be ESP encrypted ( tunnel mode or transport mode). I must use NETKEY.
>
> the ascii art got mangled, so i am not sure what it is you want
>
>> ---------------------            ------------------------------
>>           ---------------------------------
>> |                         |         |
>>  |                  |                                       |
>> |1.1.1.6 (eth0)  |  ----- | 1.1.1.196 (eth1)        |
>> |                                        |
>> |                         |         |
>>  |                  |                                        |
>> |                         |         |192.168.1.196(eth0) |   ---------
>>  | 192.168.1.197 (eth1)   |
>> ---------------------           --------------------------------
>>          ----------------------------------
>>     A                                      B
>
> It looks like your 192.168.1.0/24 lives at two places at once? while
> possible, that would require them being told explicitly it is not
> in their local LAN with some kind of host route. The same seems to apply
> to 1.1.1.0/24, so i am not sure i understand this. Likely because I'm
> misreading the ascii art.
>
>> Setup:
>> On machine A and B runs openswan (2.6.29).
>> I need to run netkey on both machines (and not KLIPS)
>>
>> On machine A:
>>        eth0 has 1.1.1.6 on eth0; connected directly to machine B (via eth1
>> of machine B).
>>        Can ping  to 1.1.1.196
>>
>> On machine B:
>>        - eth1 has 1.1.1.196 ; connected directly to machine A via eth0 of
>> machine A;
>>                        able to ping 1.1.1.6 before starting ipsec service.
>>        - eth0 has 192.168.1.196 ; connected directly to Machine C via eth1
>>                          of Machine C ;  able to ping 192.168.1.197.
>> On machine C:
>>      192.168.1.197 on eth1. Connected directly to machine B and can
>> ping 192.168.1.196.
>>
>> Now, I want to create tunnel mode with routing between A and C using
>> openswan.
>
> so that would be 1.1.1.6 <-> 192.168.1.197 ?
>
>> What I mean is that traffic going from A to C will go via B.
>> Thus, the traffic which C sends to A and that A receives will be ESP
>> encrypted.
>>
>> I tried this /etc/ipsec.conf:
>>
>> config setup
>>        protostack=netkey
>>
>> conn sample
>>                type=tunnel
>>                left=1.1.1.6
>>                right=1.1.1.196
>>                authby=secret
>>                auto=start
>
> So that would have to be right=192.168.1.197 to cover your case?
>
>> but traffic (ping, for example) sent from A to C was not esp encrypted.
>> I should add that I added this routing rule on A:
>> route add 192.168.1.197 gw 1.1.1.196
>>
>> I had also tried using subnets, as in the following  /etc/ipsec.conf:
>>
>> config setup
>>
>>        protostack=netkey
>>
>> conn sample
>>                type=tunnel
>>                left=1.1.1.6
>>                leftsubnet=192.168.0.0/24
>>                leftnexthop=1.1.1.196
>>                right=1.1.1.196
>>                rightsubnet=10.0.0.0/24
>>                rightnexthop=1.1.1.6
>>                authby=secret
>>                auto=start
>>
>> And I added IP address of 10.0.0.10 on eth0:0 of A; and 192.168.0.10
>> on eth1:0 of B.
>>
>> Added a routing rule:
>> route add 192.168.0.10 gw 1.1.1.196
>
> no idea where 192.168.0.* suddenly comes from ?
>
>> Please advise - what should I do to achieve ESP encryption with Netkey
>> with routing between A and C ?
>
> Note you cannot see outgoing ESP packets with NETKEY on the machine itself,
> so be careful using tcpdump
>
> Paul
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: setup3MachinesIPsec.pdf
Type: application/pdf
Size: 43686 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20111003/130a437a/attachment-0001.pdf 
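The thread raises two practical questions: whether traffic from A really leaves in ESP, and how to tell on a NETKEY box where tcpdump shows the outgoing plaintext rather than the ESP. The script below is an added example for this archive page, not code from the thread or from Openswan. It reads the kernel's own xfrm counters: `ip -s xfrm state` is where successfully processed ESP packets are counted per SA, and /proc/net/xfrm_stat holds error counters only (a healthy tunnel shows nothing non-zero there). The `ip -s xfrm state` and xfrm_stat text embedded in the block is constructed sample data so the script runs offline; the SPIs, byte counts and addresses are assumptions, only the 1.1.1.6/1.1.1.196 addresses come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Openswan): check on the NETKEY
# host itself whether packets are going through the ESP SAs, without tcpdump.
# Assumes iproute2 (`ip xfrm`) and /proc/net/xfrm_stat, both standard with
# the kernel NETKEY stack. Sample data below is constructed, not captured.

# Per-SA packet counts from `ip -s xfrm state` output read on stdin.
# The "lifetime current:" line is the only place the kernel counts packets
# that actually went through an SA; it is followed by "N(bytes), M(packets)".
xfrm_sa_packets() {
    awk '
        /^src /                  { sa = $1 " " $2 " " $3 " " $4 }
        /^[ \t]*proto esp/       { spi = $4 }
        /\(packets\)/ && !/limit/ {
            n = $0; sub(/.*, */, "", n); sub(/\(packets\).*/, "", n)
            printf "%s spi %s: %d packets\n", sa, spi, n
            total += n
        }
        END { printf "total: %d\n", total + 0 }'
}

# Non-zero counters from a file in /proc/net/xfrm_stat format ($1, default
# the live file, "-" for stdin). Every counter in that file is an error
# (no states, policy mismatch, replay, ...), so it never proves success on
# its own; it only explains why a packet did NOT get encrypted.
xfrm_errors() {
    awk '$2 != 0 { print $1 "=" $2 }' "${1:-/proc/net/xfrm_stat}"
}

# Constructed sample of `ip -s xfrm state` for a tunnel between the thread's
# 1.1.1.6 (A) and 1.1.1.196 (B); SPIs, keys and counters are made up.
sample_xfrm_state() {
cat <<'EOF'
src 1.1.1.6 dst 1.1.1.196
    proto esp spi 0x0a1b2c3d reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x00 96
    enc cbc(aes) 0x00
    sel src 0.0.0.0/0 dst 0.0.0.0/0
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
    lifetime current:
      420(bytes), 5(packets)
src 1.1.1.196 dst 1.1.1.6
    proto esp spi 0x4d3c2b1a reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    sel src 0.0.0.0/0 dst 0.0.0.0/0
    lifetime config:
      limit: soft (INF)(packets), hard (INF)(packets)
    lifetime current:
      336(bytes), 4(packets)
EOF
}

# Constructed sample of /proc/net/xfrm_stat with one error counter raised:
# XfrmOutNoStates means a policy matched but no SA existed yet (or the
# tunnel was not up), so the packet was dropped rather than sent in clear.
sample_xfrm_stat() {
cat <<'EOF'
XfrmInError                     0
XfrmInNoStates                  0
XfrmInTmplMismatch              0
XfrmInNoPols                    0
XfrmOutError                    0
XfrmOutNoStates                 3
XfrmOutPolBlock                 0
EOF
}

# Demo on the constructed data. On a live box, as root, the same check is:
#   before=$(ip -s xfrm state | xfrm_sa_packets | tail -1)
#   ping -c 3 192.168.1.197
#   after=$(ip -s xfrm state | xfrm_sa_packets | tail -1)
#   xfrm_errors
# If the total does not grow and no error counter moves, the ping matched no
# `ip xfrm policy` selector at all and left eth0 unencrypted (this is what a
# leftsubnet of 192.168.0.0/24 does when the destination is 192.168.1.197).
sample_xfrm_state | xfrm_sa_packets
sample_xfrm_stat | xfrm_errors -
```

Because NETKEY hooks the output path after the point where a local packet socket sees the packet, the reliable capture points for outgoing ESP are the other end of the link (tcpdump on B's eth1 will show `ESP(spi=...)` for packets arriving from A) or the counters above, not tcpdump on A.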