[Openswan Users] Cannot get end-to-end bidirectional successful subnet routing across an OpenSwan VPN - only works in one direction..
Angelo Roussos
angelo at roussos.co.za
Wed Mar 28 21:21:12 EDT 2012
Hi All,
Apologies for the (possibly) distorted ASCII depiction of the OpenSwan VPN setup
we are trying to implement. The following is the current setup:
10.112.0.0/21===x.x.128.61<x.x.128.61>[+S=C]---x.x.128.1...y.y.40.228<y.y.40.228>[+S=C]===172.16.94.0/24
The issues are as follows:
1. We can successfully set up an OpenSwan VPN using OpenSwan installed on CentOS
5.7 (OpenSwan 'left' host is x.x.128.61)
2. iptables is NOT running, and all firewalling and SELinux-related processes
are also NOT running
3. We can successfully route from the 'right' side of the VPN (i.e. from
172.16.94.0/24) all the way to the OpenSwan host (x.x.128.61), but cannot get
beyond that. Correspondingly, we cannot get from anywhere on the 10.112.0.0/21
subnet beyond the OpenSwan host (x.x.128.61). Again, no NATting, masquerading,
iptables etc. etc. are in place.
4. sysctl.conf (OpenSwan host x.x.128.61):
net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
5. ipsec.conf:
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=all
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes # but irrelevant in our setup
        oe=off
        # Enable this if you see "failed to find any available worker"
        # nhelpers=0
        interfaces=%defaultroute
conn JOYV-KIO-VPN
        type=tunnel #tunnel mode ipsec
        left=x.x.128.61 #the IP address of your OpenSWAN endpoint
        leftsubnet=10.112.0.0/21 #network behind your endpoint
        leftsourceip=10.112.0.61 #source address the gateway itself uses into the tunnel
        leftnexthop=%defaultroute
        right=y.y.40.228 #tunnel end-point - remote end
        rightsubnet=172.16.94.0/24 #network behind the CISCO
        auth=esp
        esp=3des-md5 #esp: 3des, hmac: md5
        keyexchange=ike #use regular ike
        ikelifetime=28800s
        authby=secret #pre-shared secret, you can also use rsa
        nounces
        pfs=no #perfect forward secrecy disabled
        auto=start #bring the tunnel up when ipsec starts (auto=add would only allow incoming)
6. Output of ipsec verify (OpenSwan host x.x.128.61):
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.18-308.1.1.el5 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
7. Output of netstat -rn (OpenSwan host x.x.128.61) ON SUCCESSFUL START OF THE
VPN CONNECTION:
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
172.16.94.0     x.x.128.1       255.255.255.0   UG    0   0      0    eth0
x.x.128.0       0.0.0.0         255.255.254.0   U     0   0      0    eth0
10.112.0.0      0.0.0.0         255.255.248.0   U     0   0      0    eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0   0      0    eth1
0.0.0.0         x.x.128.1       0.0.0.0         UG    0   0      0    eth0
8. The 'right' side is a Cisco ASA, and there is no problem routing from right
to left until the OpenSwan host.
Any ideas? Pulling my hair out on this one.
Thanks,
Angelo.
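An offline way to walk through the checklist the post itself lays out (items 4, 5 and 7: forwarding enabled, subnets directly connected, routes present), plus the two hardening points a reviewer would raise against this conn (3des-md5 and pfs=no). This is an added example written for this page, not code from the poster or from the Openswan project; the three sample inputs are constructed from the posted sysctl settings, ipsec.conf and netstat output, with the masked x.x./y.y. addresses replaced by documentation addresses (192.0.2.x and 198.51.100.x) so that it runs as-is. The return-path hint it emits assumes leftsourceip is the gateway's own LAN address, which is the usual arrangement but is not stated in the post.

```python
"""Offline sanity checks for an Openswan/NETKEY site-to-site conn.

Added example, not part of the original mailing-list post. Sample inputs are
constructed from the poster's items 4, 5 and 7 (addresses substituted).
"""
import ipaddress

# Constructed: the posted conn section with inline comments removed.
IPSEC_CONF = """\
config setup
    protostack=netkey
    interfaces=%defaultroute
conn JOYV-KIO-VPN
    type=tunnel
    left=192.0.2.61
    leftsubnet=10.112.0.0/21
    leftsourceip=10.112.0.61
    leftnexthop=%defaultroute
    right=198.51.100.228
    rightsubnet=172.16.94.0/24
    esp=3des-md5
    authby=secret
    pfs=no
    auto=start
"""

# Constructed: the sysctl value that matters for forwarding (item 4).
SYSCTL = {"net.ipv4.ip_forward": "1"}

# Constructed: the posted netstat -rn output with addresses substituted (item 7).
NETSTAT_RN = """\
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
172.16.94.0     192.0.2.1       255.255.255.0   UG    0   0      0    eth0
192.0.2.0       0.0.0.0         255.255.254.0   U     0   0      0    eth0
10.112.0.0      0.0.0.0         255.255.248.0   U     0   0      0    eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0   0      0    eth1
0.0.0.0         192.0.2.1       0.0.0.0         UG    0   0      0    eth0
"""


def parse_ipsec_conf(text):
    """Return {section header: {key: value}}, '#' comments stripped.
    Headers ('config setup', 'conn NAME') sit in column 0; params are indented."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def parse_routes(text):
    """Parse netstat -rn into (network, gateway-or-None, iface) tuples."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 8:
            continue
        net = ipaddress.ip_network(f"{cols[0]}/{cols[2]}", strict=False)
        gateway = None if cols[1] == "0.0.0.0" else ipaddress.ip_address(cols[1])
        routes.append((net, gateway, cols[7]))
    return routes


def route_for(routes, addr):
    """Longest-prefix match, as the kernel does for a forwarded packet."""
    addr, best = ipaddress.ip_address(addr), None
    for net, gateway, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return best


def check_conn(conn, sysctl, routes):
    """Return (level, code, message) findings for one conn section."""
    out = []
    left_net = ipaddress.ip_network(conn["leftsubnet"])
    right_net = ipaddress.ip_network(conn["rightsubnet"])
    if sysctl.get("net.ipv4.ip_forward") != "1":
        out.append(("FAIL", "NO_FORWARD", "ip_forward=0: decrypted packets are never forwarded"))
    lan, peer = route_for(routes, left_net.network_address), route_for(routes, conn["right"])
    if lan is None or lan[1] is not None:
        out.append(("FAIL", "LAN_NOT_LOCAL", f"{left_net} is not directly connected here"))
    elif peer is not None and lan[2] == peer[2]:
        out.append(("WARN", "SAME_IFACE", f"LAN and peer both via {lan[2]}"))
    else:  # assumption: leftsourceip is the gateway's own LAN address
        hop = conn.get("leftsourceip", f"this host's address on {lan[2]}")
        out.append(("INFO", "LAN_RETURN_PATH", f"hosts in {left_net} must route {right_net} "
                    f"via {hop}, or their replies bypass the tunnel host"))
    if "leftsourceip" in conn and ipaddress.ip_address(conn["leftsourceip"]) not in left_net:
        out.append(("FAIL", "SOURCEIP_OUTSIDE", f"leftsourceip is not inside {left_net}"))
    if route_for(routes, right_net.network_address) is None:
        out.append(("FAIL", "NO_ROUTE_RIGHT", f"no route covers {right_net}"))
    esp = conn.get("esp", "")
    if "3des" in esp or "md5" in esp:
        out.append(("WARN", "WEAK_ESP", f"esp={esp}: 3DES/HMAC-MD5 are legacy; prefer AES with SHA-2"))
    if conn.get("pfs", "yes").lower() == "no":
        out.append(("WARN", "NO_PFS", "pfs=no: ESP keys derive from the IKE SA, so its compromise exposes them"))
    return out


def report(conf_text=IPSEC_CONF, sysctl=SYSCTL, netstat_text=NETSTAT_RN):
    """Check every conn section; returns {conn header: findings}."""
    routes = parse_routes(netstat_text)
    return {name: check_conn(params, sysctl, routes)
            for name, params in parse_ipsec_conf(conf_text).items() if name.startswith("conn ")}


if __name__ == "__main__":
    for name, findings in report().items():
        print(name)
        for level, code, message in findings:
            print(f"  [{level}] {code}: {message}")
```

On the posted inputs the gateway side checks all pass: forwarding is on, 10.112.0.0/21 is directly connected on eth1, the peer and 172.16.94.0/24 are reached via eth0. What the tool cannot see, and reports as INFO, is the LAN hosts' own routing, which is outside the posted output.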