[Openswan Users] Problem with vpn connection and leftsubnet

Patrick Naubert patrickn at xelerance.com
Fri Sep 28 15:55:22 EDT 2012


Saved from the spam bucket, please remember to register to the list before posting to it.

Begin forwarded message:

> From: "Renzo Dani" <renzo.dani at logobject.ch>
> Subject: Problem with vpn connection and leftsubnet
> Date: 28 September, 2012 2:59:39 PM EDT
> To: users at lists.openswan.org
> 
> 
> Hi,
> we recently replaced our firewall with a linux box and we are using openswan for our VPNs.
> We are really happy, everything works fine except for one of our VPNs.
> The tunnel is established but when I try to connect to a machine on the other side of the tunnel I don't receive any packet back.
> The vpn is working on the old firewall ( I've tried to place it back shortly just to test the vpn is still working )
> 
> Our local network is 10.11.1.0/24.
> We need to map our network to a single address 74.54.90.100, we are doing SNAT in iptables:
> [0:0] -A POSTROUTING -d 41.156.64.0/24 -j SNAT --to-source 74.54.90.100
> 
> Here our ipsec.conf:
> 
> conn nonWorkingConnection
>         authby=secret
>         disablearrivalcheck=no
>         # Local
>         left=xxx.xxx.xxx.xxx
>         leftid=xxx.xxx.xxx.xxx
>         # virtual host (SNAT iptables)
>         leftsubnet=74.54.90.100/32
>         # Remote (Distant)
>         right=aaa.aaa.aaa.aaa
>         rightid=196.7.66.129
>         rightsubnet=41.156.64.0/24
>         # PHASE 1
>         # negotiation mode
>         aggrmode=no
>         ike=3des-sha1;modp1024
>         # PHASE 2
>         type=tunnel
>         phase2=esp
>         phase2alg=3des-sha1
>         salifetime=1h
>         pfs=no
>         auto=start
> 
> 
> Some notes: the only differences we have from other working connections are:
>  - right and rightid values are not the same
>  - our peer accepts requests only from ip 74.54.90.100 (that's why we use it in leftsubnet and SNAT)
> 
> Here is an extract of ipsec auto --status:
> 
> 000 "nonWorkingConnection": 74.54.90.100/32===xxx.xxx.xxx.xxx<xxx.xxx.xxx.xxx>...aaa.aaa.aaa.aaa<aaa.aaa.aaa.aaa>[196.7.66.129]===41.156.64.0/24; erouted; eroute owner: #434
> 000 "nonWorkingConnection":     myip=74.54.90.100; hisip=unset;
> 000 "nonWorkingConnection":   ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 
> 000 "nonWorkingConnection":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,24; interface: wan; 
> 000 "nonWorkingConnection":   newest ISAKMP SA: #424; newest IPsec SA: #434; 
> 000 "nonWorkingConnection":   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
> 000 "nonWorkingConnection":   IKE algorithms found:  3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
> 000 "nonWorkingConnection":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
> 000 "nonWorkingConnection":   ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000; flags=-strict
> 000 "nonWorkingConnection":   ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
> 000 "nonWorkingConnection":   ESP algorithm newest: 3DES_000-HMAC_SHA1; pfsgroup=<N/A>
> ...
> 000 #434: "nonWorkingConnection":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1430s; newest IPSEC; eroute owner; isakmp#424; idle; import:admin initiate
> 000 #434: "nonWorkingConnection" esp.e84b4ee at aaa.aaa.aaa.aaa esp.bba1f074 at aaa.aaa.aaa.aaa tun.0 at aaa.aaa.aaa.aaa tun.0 at aaa.aaa.aaa.aaa ref=0 refhim=4294901761
> 000 #424: "nonWorkingConnection":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1037s; newest ISAKMP; nodpd; idle; import:admin initiate
> 
> 
> the tunnel looks good, and when I'm trying to connect to the remote host I can see the ESP packet leave my box but no answer coming back:
> 
> tcpdump -i wan -n host aaa.aaa.aaa.aaa
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on wan, link-type EN10MB (Ethernet), capture size 65535 bytes
> 20:47:28.704575 IP xxx.xxx.xxx.xxx > aaa.aaa.aaa.aaa: ESP(spi=0x0e84b4ee,seq=0x1), length 92
> 20:47:29.702905 IP xxx.xxx.xxx.xxx > aaa.aaa.aaa.aaa: ESP(spi=0x0e84b4ee,seq=0x2), length 92
> 20:47:31.706959 IP xxx.xxx.xxx.xxx > aaa.aaa.aaa.aaa: ESP(spi=0x0e84b4ee,seq=0x3), length 92
> 20:47:35.718936 IP xxx.xxx.xxx.xxx > aaa.aaa.aaa.aaa: ESP(spi=0x0e84b4ee,seq=0x4), length 92
> ....
> 
> 
> What can be the problem? How must the virtual host be correctly configured? Is SNAT the correct solution?
> Can anyone help?
> 
> 
> 
> Thanks a lot.
> Renzo
> 
> 
> 
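As an added example (not part of Renzo's post and not Openswan code), the script below performs the two checks a practitioner would run on exactly this kind of setup: that the SNAT rule's --to-source lies inside leftsubnet and its -d lies inside rightsubnet (otherwise the translated packets never match the IPsec policy), and that the tcpdump capture shows ESP in both directions rather than only outbound. The inputs are constructed copies of the conn stanza, the SNAT rule and the capture lines quoted above; the regular expressions assume tcpdump's standard `ESP(spi=...,seq=...)` line format.

```python
"""Consistency and one-way-traffic checks for a tunnel-mode IPsec conn that
sits behind an iptables SNAT rule.

Added example, not code from the original post or from Openswan. The sample
inputs are constructed copies of the conn stanza, SNAT rule and tcpdump lines
quoted in the message.
"""
import ipaddress
import re
from collections import Counter

# Constructed copy of the relevant conn settings from the post.
CONN = """
conn nonWorkingConnection
        # virtual host (SNAT iptables)
        leftsubnet=74.54.90.100/32
        # Remote (Distant)
        rightsubnet=41.156.64.0/24
        type=tunnel
"""

# Constructed copy of the POSTROUTING rule from the post.
SNAT_RULE = "[0:0] -A POSTROUTING -d 41.156.64.0/24 -j SNAT --to-source 74.54.90.100"

# Constructed copy of the capture: ESP leaves, nothing returns.
CAPTURE_ONE_WAY = """\
20:47:28.704575 IP xxx.xxx.xxx.xxx > aaa.aaa.aaa.aaa: ESP(spi=0x0e84b4ee,seq=0x1), length 92
20:47:29.702905 IP xxx.xxx.xxx.xxx > aaa.aaa.aaa.aaa: ESP(spi=0x0e84b4ee,seq=0x2), length 92
20:47:31.706959 IP xxx.xxx.xxx.xxx > aaa.aaa.aaa.aaa: ESP(spi=0x0e84b4ee,seq=0x3), length 92
"""

# Constructed healthy capture: the peer answers on the inbound SPI that
# 'ipsec auto --status' listed (esp.bba1f074).
CAPTURE_HEALTHY = CAPTURE_ONE_WAY + """\
20:47:28.731002 IP aaa.aaa.aaa.aaa > xxx.xxx.xxx.xxx: ESP(spi=0xbba1f074,seq=0x1), length 92
"""


def parse_conn(text):
    """Return the key=value settings of a conn stanza, ignoring comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


SNAT_RE = re.compile(r"-d\s+(\S+).*?-j\s+SNAT\s+--to-source\s+(\S+)")


def parse_snat(rule):
    """Extract destination match and translated source from an iptables SNAT rule."""
    m = SNAT_RE.search(rule)
    if not m:
        raise ValueError("not a '-d ... -j SNAT --to-source ...' rule: %r" % rule)
    return {
        "dst": ipaddress.ip_network(m.group(1), strict=False),
        "to_source": ipaddress.ip_address(m.group(2)),
    }


def check_snat_matches_policy(conn, snat):
    """Return findings where the SNAT rule and the IPsec selectors disagree."""
    left = ipaddress.ip_network(conn["leftsubnet"], strict=False)
    right = ipaddress.ip_network(conn["rightsubnet"], strict=False)
    findings = []
    if snat["to_source"] not in left:
        findings.append("SNAT --to-source %s is outside leftsubnet %s; translated "
                        "packets will not match the IPsec policy" % (snat["to_source"], left))
    if not snat["dst"].subnet_of(right):
        findings.append("SNAT -d %s is not inside rightsubnet %s; traffic to the rest of "
                        "the remote subnet keeps its untranslated source" % (snat["dst"], right))
    return findings


ESP_RE = re.compile(r"IP (\S+) > (\S+): ESP\(spi=(0x[0-9a-fA-F]+),seq=(0x[0-9a-fA-F]+)\)")


def esp_counts(capture, local_host):
    """Count ESP packets per direction relative to local_host, keyed by SPI."""
    counts = Counter()
    for line in capture.splitlines():
        m = ESP_RE.search(line)
        if not m:
            continue
        src, _dst, spi, _seq = m.groups()
        direction = "out" if src == local_host else "in"
        counts[(direction, spi.lower())] += 1
    return counts


def is_one_way(counts):
    """True when ESP leaves the box but no ESP from the peer was captured."""
    out_total = sum(n for (d, _spi), n in counts.items() if d == "out")
    in_total = sum(n for (d, _spi), n in counts.items() if d == "in")
    return out_total > 0 and in_total == 0


if __name__ == "__main__":
    conn = parse_conn(CONN)
    for finding in check_snat_matches_policy(conn, parse_snat(SNAT_RULE)) or ["SNAT and selectors agree"]:
        print(finding)
    for name, cap in (("quoted capture", CAPTURE_ONE_WAY), ("healthy capture", CAPTURE_HEALTHY)):
        print(name, dict(esp_counts(cap, "xxx.xxx.xxx.xxx")), "one-way:", is_one_way(esp_counts(cap, "xxx.xxx.xxx.xxx")))
```

With the quoted inputs the SNAT rule and the selectors agree and the capture is classified as one-way, which is the useful conclusion: the local SPD is being hit (the ESP with the expected SPI does leave), so the search narrows to the responder side (its selectors and its return route for 74.54.90.100) or to something dropping the returning ESP in transit. Run the same esp_counts over a capture taken on the peer's side, if you can get one, to tell those two apart.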
