[Openswan Users] Cannot get end-to-end bidirectional successful subnet routing across an OpenSwan VPN - only works in one direction.

Angelo Roussos angelo at roussos.co.za
Wed Mar 28 21:21:12 EDT 2012


Hi All,

Apologies for the (possibly) distorted ASCII depiction of the OpenSwan VPN setup
we are trying to implement. The following is the current setup:

<x.x.128.61>[+S=C]---x.x.128.1...y.y.40.228<y.y.40.228

The issues are as follows:

1. We can successfully set up an OpenSwan VPN using OpenSwan installed on CentOS
5.7 (the OpenSwan 'left' host is x.x.128.61)

2. iptables is NOT running, and all firewalling and SELinux-related processes 
are also NOT running

3. We can successfully route from the 'right' side of the VPN (i.e. from all the way to the OpenSwan host (x.x.128.61), but cannot get
beyond that. Correspondingly, we cannot get from anywhere on the
subnet beyond the OpenSwan host (x.x.128.61). Again, no NATting, masquerading,
iptables etc. are in place.

4. sysctl.conf (OpenSwan host x.x.128.61):

net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0

5. ipsec.conf:

config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=all
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        nat_traversal=yes # but irrelevant in our setup
        # Enable this if you see "failed to find any available worker"
        # nhelpers=0

conn <connection-name>                  # conn section header; the connection name is not in the original post
        type=tunnel                     #tunnel mode ipsec
        left=x.x.128.61                 #the IP address of your OpenSWAN endpoint
        leftsubnet=                     #network behind your endpoint
        right=y.y.40.228                #tunnel end-point - remote end
        rightsubnet=                    #network behind the CISCO
        esp=3des-md5                    #esp: 3des, hmac: md5
        keyexchange=ike                 #use regular ike
        authby=secret                   #pre-shared secret, you can also use rsa
        pfs=no                          #perfect forward secrecy disabled
        auto=start                      #bring the tunnel up when ipsec starts (auto=add would only load it)

6. Output of ipsec verify (OpenSwan host x.x.128.61):

Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.32/K2.6.18-308.1.1.el5 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects              [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

7. Output of netstat -rn (OpenSwan host x.x.128.61) ON SUCCESSFUL START OF THE

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
                x.x.128.1                       UG        0 0          0 eth0
x.x.128.0                                       U         0 0          0 eth0
                                                U         0 0          0 eth1
                                                U         0 0          0 eth1
                x.x.128.1                       UG        0 0          0 eth0

8. The 'right' side is a Cisco ASA, and there is no problem routing from right 
to left until the OpenSwan host.

Any ideas? Pulling my hair out on this one.
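One check worth running on a NETKEY host that passes subnet traffic in only one direction is to confirm that the kernel's IPsec policies (`ip xfrm policy`) cover the conn's leftsubnet and rightsubnet in all three directions (out, in and fwd). The script below is an added example, not code from the post or from Openswan; the policy dump it parses and the RFC 5737 prefixes in it are constructed, with the fwd policy deliberately absent so the check has something to report.

```python
# Added example (not from the original post): parse `ip xfrm policy` output and
# check that a subnet-to-subnet conn is covered in all three NETKEY directions.
# SAMPLE_DUMP and all addresses in it are constructed; the fwd policy is missing.
import ipaddress
import re

SAMPLE_DUMP = """\
src 192.0.2.0/24 dst 198.51.100.0/24
\tdir out priority 2344 ptype main
\ttmpl src 203.0.113.61 dst 203.0.113.228
\t\tproto esp reqid 16385 mode tunnel
src 198.51.100.0/24 dst 192.0.2.0/24
\tdir in priority 2344 ptype main
\ttmpl src 203.0.113.228 dst 203.0.113.61
\t\tproto esp reqid 16385 mode tunnel
"""


def parse_xfrm_policies(text):
    """Return one {src, dst, dir} dict per 'src ... dst ...' block in the dump."""
    policies = []
    for line in text.splitlines():
        m = re.match(r"^src (\S+) dst (\S+)", line)
        if m:
            policies.append({"src": ipaddress.ip_network(m.group(1)),
                             "dst": ipaddress.ip_network(m.group(2)), "dir": None})
            continue
        m = re.match(r"^\s+dir (\w+)", line)
        if m and policies:
            policies[-1]["dir"] = m.group(1)
    return policies


def missing_directions(policies, leftsubnet, rightsubnet):
    """Directions with no exact-selector policy for the conn's subnets.

    NETKEY needs out (left->right), in (right->left) and fwd (right->left);
    without fwd, packets decapsulated on the gateway and forwarded into
    leftsubnet are dropped even though the gateway itself is reachable."""
    left, right = ipaddress.ip_network(leftsubnet), ipaddress.ip_network(rightsubnet)
    wanted = {"out": (left, right), "in": (right, left), "fwd": (right, left)}
    present = {(p["dir"], p["src"], p["dst"]) for p in policies}
    return sorted(d for d, (s, t) in wanted.items() if (d, s, t) not in present)


def matching_policy(policies, src_ip, dst_ip, direction):
    """First policy whose selector covers the flow, or None if no policy applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p["dir"] == direction and s in p["src"] and d in p["dst"]:
            return p
    return None


if __name__ == "__main__":
    pols = parse_xfrm_policies(SAMPLE_DUMP)
    print("missing directions:", missing_directions(pols, "192.0.2.0/24", "198.51.100.0/24"))
```

On a real host, feed it the output of `ip xfrm policy` and the conn's actual leftsubnet/rightsubnet values.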
