[Openswan Users] routing a new network into connected vpn

Oguz Yilmaz oguzyilmazlist at gmail.com
Fri Oct 19 07:24:50 EDT 2012


Hello,

I know the "route" command will not work for routing any traffic into the VPN.
It is recommended to add a new conn with this new destination network as
rightsubnet. I have several problems around this limitation (or
design).

1- If I use KLIPS, is it possible to add a route like "route add -net
DEST_NET dev ipsec0" (or "gw ipsec0_peer_IP")?

2- I have tried to add a new conn to route this new destination net into the
VPN. However, I have a problem with the connection to the Cisco peer.

My topology is as below:

10.37.0.0/16 - OPENSWANROUTER - .............. - CISCO - 10.6.0.0/16,
Other networks are connected through other VPNs terminated in this Cisco
(10.x.0.0/16)

config setup
        interfaces=%defaultroute
        klipsdebug=all
        plutodebug=all
        nat_traversal=no
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.19.32.0/24
        protostack=netkey

conn merkezvpn
        authby=secret
        auth=esp
        esp=3des-md5-96
        left=LEFTIP
        leftsubnet=10.37.0.0/16
        right=RIGHTIP
        leftnexthop=DEFGW
        leftsourceip=10.37.1.5
        disablearrivalcheck=no
        rightid=10.6.202.3
        auto=start
        keylife=86400s
        pfs=yes
        ikelifetime=86400s
        keyexchange=ike
        ike=3des-md5-modp1024
        rightsubnet=10.6.0.0/16

Cisco: access-list 150 permit ip 10.6.0.0 0.0.255.255 10.37.0.0 0.0.255.255

This VPN works correctly between 10.37.x.x and 10.6.x.x. Now I also want to
forward any traffic with dst 10.x.x.x into this central Cisco for
regional communication.


We have added an ACL on the Cisco, keeping the previous one:

access-list 150 permit ip 10.0.0.0 0.0.0.255 10.37.0.0 0.0.255.255

I have changed rightsubnet to 10.0.0.0/8:

        rightsubnet=10.0.0.0/8


At this point the VPN does NOT establish.


Oct 19 14:13:58 2012 pluto[7635]: "merkezvpn" #1: initiating Main Mode
Oct 19 14:13:58 2012 pluto[7635]: "merkezvpn" #1: transition from
state STATE_MAIN_I1 to state STATE_MAIN_I2
Oct 19 14:13:58 2012 pluto[7635]: "merkezvpn" #1: STATE_MAIN_I2:
sent MI2, expecting MR2
Oct 19 14:13:58 2012 pluto[7635]: "merkezvpn" #1: received Vendor ID
payload [Cisco-Unity]
Oct 19 14:13:58 2012 pluto[7635]: "merkezvpn" #1: received Vendor ID
payload [Dead Peer Detection]
Oct 19 14:13:58 2012 pluto[7635]: "merkezvpn" #1: ignoring unknown
Vendor ID payload [f2766867174fc849633ef4ebf101bd89]
Oct 19 14:13:58 2012 pluto[7635]: "merkezvpn" #1: received Vendor ID
payload [XAUTH]
Oct 19 14:13:58 2012 pluto[7635]: "merkezvpn" #1: transition from
state STATE_MAIN_I2 to state STATE_MAIN_I3
Oct 19 14:13:58 2012 pluto[7635]: "merkezvpn" #1: STATE_MAIN_I3:
sent MI3, expecting MR3
Oct 19 14:13:58 2012 pluto[7635]: "merkezvpn" #1: Main mode peer ID
is ID_IPV4_ADDR: '10.6.202.3'
Oct 19 14:13:58 2012 pluto[7635]: "merkezvpn" #1: transition from
state STATE_MAIN_I3 to state STATE_MAIN_I4
Oct 19 14:13:58 2012 pluto[7635]: "merkezvpn" #1: STATE_MAIN_I4:
ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Oct 19 14:15:01 2012 pluto[7635]: initiate on demand from 10.37.1.5:8
to 10.14.1.5:0 proto=1 state: fos_start because: acquire
Oct 19 14:15:01 2012 pluto[7635]: "merkezvpn" #70: initiating Quick
Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1
msgid:f0dd9c5a proposal=3DES(3)_192-MD5(1)_096
pfsgroup=OAKLEY_GROUP_MODP1024}
Oct 19 14:15:01 2012 pluto[7635]: "merkezvpn" #1: ignoring
informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Oct 19 14:15:01 2012 pluto[7635]: "merkezvpn" #1: received and
ignored informational message


ipsec auto --status output:

000 "merkezvpn":
10.37.0.0/16===LEFTIP<LEFTIP>[+S=C]---DEFGW...RIGHTIP<RIGHTIP>[10.6.202.3,+S=C]===10.0.0.0/8;
erouted HOLD; eroute owner: #0
000 "merkezvpn":     myip=10.37.1.5; hisip=unset;
000 "merkezvpn":   ike_life: 86400s; ipsec_life: 86400s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "merkezvpn":   policy:
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 16,8;
interface: eth9.102;
000 "merkezvpn":   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "merkezvpn":   IKE algorithms wanted:
3DES_CBC(5)_000-MD5(1)_000-MODP1024(2); flags=-strict
000 "merkezvpn":   IKE algorithms found:  3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "merkezvpn":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "merkezvpn":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_096; flags=-strict
000 "merkezvpn":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_096


What could my problem be?



3- I have read about the iptables policy match. Is it possible to put this new
destination network into the VPN with a rule in iptables?

I have tried:
iptables -I OUTPUT -s 10.37.0.0/24 -d 10.14.0.0/24 -m policy --dir out --pol ipsec --reqid 16385 --proto 50
iptables -t nat -I OUTPUT -s 10.37.0.0/24 -d 10.14.0.0/24 -m policy --dir out --pol ipsec --reqid 16385 --proto 50
iptables -t nat -I POSTROUTING -d 10.14.0.0/24 -m policy --dir out --pol ipsec --reqid 16385 --proto 50

The reqid is from the setkey -D output.

I have watched the iptables rule match counters, but these rules do not match.



What do you suggest for routing this new network into the correctly
established VPN?


Thank you for your suggestions on my 3 questions.






--
Oguz YILMAZ
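A point worth checking mechanically in a setup like the one above: in IKEv1 Quick Mode, Openswan proposes the conn's leftsubnet/rightsubnet pair as the Phase 2 identities, and a Cisco crypto-map ACL written with the wildcard 0.0.0.255 selects 10.0.0.0/24, not 10.0.0.0/8 (the /8 wildcard is 0.255.255.255). The Python below is an added example, not code from the post, from Openswan or from Cisco. It converts crypto-ACL wildcards to CIDR, checks whether a conn's selector pair has a mirror-image ACE on the Cisco side, and emits the mirror-image ACE plus a per-network conn stanza for each extra remote subnet. Assumptions: the Cisco peer requires an exact mirror-image match of the Phase 2 identities (classic IOS crypto-map behaviour, no selector narrowing); the sample ACL text is constructed from the post; the shared conn parameters in the generated stanzas are only an illustrative subset of a real conn (in practice you would repeat the working conn's settings or use Openswan's also= include).

```python
"""Added example (not from the post, Openswan or Cisco): compare an Openswan
conn's selectors with a Cisco crypto ACL and generate mirror-image config.
Assumes IKEv1 exact-match behaviour on the Cisco side (no narrowing)."""
import ipaddress
import re

# Constructed sample input, taken from the figures in the post above.
CISCO_ACL = """
access-list 150 permit ip 10.6.0.0 0.0.255.255 10.37.0.0 0.0.255.255
access-list 150 permit ip 10.0.0.0 0.0.0.255 10.37.0.0 0.0.255.255
"""
LEFTSUBNET = "10.37.0.0/16"       # Openswan side
RIGHTSUBNET_OLD = "10.6.0.0/16"   # the pair that established
RIGHTSUBNET_NEW = "10.0.0.0/8"    # the pair that got NO_PROPOSAL_CHOSEN

ACE_RE = re.compile(
    r"^access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def wildcard_to_network(addr, wildcard):
    """Cisco wildcard -> CIDR network. Wildcard bits mean 'don't care', so the
    netmask is the bitwise complement. ipaddress raises ValueError for a
    non-contiguous mask, which is correct: such an ACE has no CIDR form and
    can never equal an IKEv1 ID_IPV4_ADDR_SUBNET identity."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network(
        (addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_crypto_acl(text, acl_number):
    """Return [(src_net, dst_net)] for the 'permit ip' ACEs of one ACL."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == str(acl_number):
            entries.append((wildcard_to_network(m.group(2), m.group(3)),
                            wildcard_to_network(m.group(4), m.group(5))))
    return entries


def check_selectors(leftsubnet, rightsubnet, acl_entries):
    """Openswan proposes leftsubnet -> rightsubnet; the Cisco ACL is written
    from the Cisco side, so the mirror image is src == rightsubnet and
    dst == leftsubnet. Returns 'match' or a diagnostic string."""
    left = ipaddress.IPv4Network(leftsubnet)
    right = ipaddress.IPv4Network(rightsubnet)
    for src, dst in acl_entries:
        if src == right and dst == left:
            return "match"
    # Same network address but a different prefix on the Cisco side is the
    # usual wildcard slip; report the wildcard the conn actually needs.
    for src, dst in acl_entries:
        if src.network_address == right.network_address and dst == left:
            return (f"no match: ACE covers {src} but conn proposes {right}; "
                    f"Cisco wildcard for {right} is {right.hostmask}")
    return "no match: no ACE for this selector pair"


def mirror_ace(acl_number, cisco_side, openswan_side):
    """Mirror-image ACE for one Openswan (leftsubnet, rightsubnet) pair."""
    src = ipaddress.IPv4Network(cisco_side)
    dst = ipaddress.IPv4Network(openswan_side)
    return (f"access-list {acl_number} permit ip "
            f"{src.network_address} {src.hostmask} "
            f"{dst.network_address} {dst.hostmask}")


def conn_stanzas(base_name, shared, remote_subnets):
    """One conn per extra remote network, sharing the endpoint settings in
    `shared` (illustrative subset). Each conn is its own Phase 2 SA, so the
    Cisco needs one mirror-image ACE per conn."""
    out = []
    for net in remote_subnets:
        n = ipaddress.IPv4Network(net)
        out.append(f"conn {base_name}-{str(n).replace('.', '-').replace('/', '_')}")
        for key, value in shared.items():
            out.append(f"        {key}={value}")
        out.append(f"        rightsubnet={n}")
    return "\n".join(out)


if __name__ == "__main__":
    acl = parse_crypto_acl(CISCO_ACL, 150)
    print(check_selectors(LEFTSUBNET, RIGHTSUBNET_OLD, acl))
    print(check_selectors(LEFTSUBNET, RIGHTSUBNET_NEW, acl))
    print(mirror_ace(150, "10.14.0.0/16", LEFTSUBNET))
    print(conn_stanzas("merkezvpn",
                       {"left": "LEFTIP", "right": "RIGHTIP",
                        "leftsubnet": LEFTSUBNET, "authby": "secret",
                        "auto": "start"},
                       ["10.14.0.0/16"]))
```

Run as-is, the second check reports that the ACE covers 10.0.0.0/24 while the conn proposes 10.0.0.0/8 and prints the wildcard the /8 would need. Whether you fix it by widening the ACE or by adding one conn plus one mirror ACE per regional /16, the two sides must describe the same selector pair; a route, or an iptables policy match (which only matches traffic that already has an IPsec policy), cannot make the peer accept a selector its ACL does not contain.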

