[Openswan Users] trouble with tunnels connecting two networks over a central point
Mark Weaver
mark-clist at npsl.co.uk
Thu Nov 8 07:07:56 EST 2012
This is a configuration that I had working for a number of years, but it
seems to have stopped working after replacing the debian based central
point with an ubuntu 12.04 machine. It looks like this:
network 1: network 2: network 3:
10.0.14.0/24 10.80.80.0/24 10.0.5.0/24
gw 10.0.14.1 gw 10.80.80.1 gw 10.0.5.1
=============================>
tunnel 10.0.14.0/24 to 10.80.80.0/24
====================================================>
tunnel 10.0.14.0/24 to 10.0.5.0/24
<=================================
tunnel 10.0.5.0/24 to 10.80.80.0/24
<==========================================================
tunnel 10.0.5.0/24 to 10.0.14.0/24
It's on the central server that packets go missing. This is variable --
for example sometimes you can ping from one network to another and get
as far as a reply being dropped in the middle, sometimes the ping
doesn't go out; sometimes both tunnels work and ping is happy. ipsec
setup --restart changes the behaviour.
I have tried tracing the packets as far as I can, e.g. here's a ping
from 10.0.14.1 -> 10.0.5.20
TRACE: filter:INPUT:rule:3 IN=... OUT= MAC=... SRC=... DST=... DF
PROTO=ESP SPI=... MARK=0x1
TRACE: raw:PREROUTING:policy:3 IN=... OUT= MAC=... SRC=10.0.14.1
DST=10.0.5.20 PROTO=ICMP TYPE=8 MARK=0x1
TRACE: mangle:PREROUTING:policy:4 IN=eth1 OUT= MAC=... SRC=10.0.14.1
DST=10.0.5.20 PROTO=ICMP TYPE=8 MARK=0x1
TRACE: nat:PREROUTING:policy:7 IN=eth1 OUT= MAC=... SRC=10.0.14.1
DST=10.0.5.20 PROTO=ICMP TYPE=8 CODE=0 MARK=0x1
the last that is seen of this is in PREROUTING in the nat, which has
nothing that would cause this packet to be dropped.
ip xfrm policy shows:
src 10.0.14.0/24 dst 10.0.5.0/24
dir out priority 2344
tmpl src x.x.x.x dst y.y.y.y
proto esp reqid 17381 mode tunnel
I have 3 copies of the other direction:
src 10.0.5.0/24 dst 10.0.14.0/24
dir out priority 2344
tmpl src y.y.y.y dst x.x.x.x
proto esp reqid 17357 mode tunnel
src 10.0.5.0/24 dst 10.0.14.0/24
dir fwd priority 2344
tmpl src x.x.x.x dst y.y.y.y
proto esp reqid 17381 mode tunnel
src 10.0.5.0/24 dst 10.0.14.0/24
dir in priority 2344
tmpl src x.x.x.x dst 83.231.160.129
proto esp reqid 17381 mode tunnel
here is the SPI that matches the SPI in the trace above:
src 109.150.202.159 dst 83.231.160.129
proto esp spi ... reqid 17357 mode tunnel
replay-window 32 flag af-unspec
I also have 4 other ip xfrm states for reqid 17357 in that example, but
only two for reqid 17381.
I'm not really sure what's going on with the ip xfrm output, but it
looks a bit suspect to me.
Here's the config of the middle server (the others are basically the same):
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
nat_traversal=yes
nhelpers=0
protostack=netkey
# defaults for subsequent connection descriptions
conn %default
ike=aes256-sha2_256,aes128-sha
esp=aes256-sha1,aes128-sha1
type=tunnel
pfs=yes
keylife=2h
keyingtries=1 # road warrior can retry, we
shouldn't
auto=add
authby=rsasig
leftrsasigkey=%cert
leftid="xxx"
leftcert=...
left=...
leftsubnet=10.80.80.0/24
right=%any
rightrsasigkey=%cert
dpdaction=clear
dpddelay=30
dpdtimeout=120
conn c14
rightid="xxx"
rightsubnet=10.0.14.0/24
leftsendcert=never
rightsendcert=never
rightcert=xxx
conn c14-c5
rightid="xxx"
rightsubnet=10.0.14.0/24
leftsubnet=10.0.5.0/24
leftsendcert=never
rightsendcert=never
rightcert=xxx
conn c5
leftsourceip=10.80.80.1
rightid="..."
rightsubnet=10.0.5.0/24
leftsendcert=never
rightsendcert=never
rightcert=xxx
conn c5-c14
rightid="xxx"
rightsubnet=10.0.5.0/24
leftsubnet=10.0.14.0/24
leftsendcert=never
rightsendcert=never
rightcert=xxx
Any help would be great!
Thanks,
Mark
More information about the Users
mailing list