[Openswan Users] Routing Issue with Openswan Tunnel
Ben Schmeckpeper
ben at aisle50.com
Mon Aug 12 18:33:28 UTC 2013
Turns out this wasn't an issue with OpenSwan at all. There was a
routing issue on the other end of the tunnel.
-Ben
On Thu, Aug 8, 2013 at 11:49 AM, Ben Schmeckpeper <ben at aisle50.com> wrote:
> Hi.
>
> I'm using Openswan to setup a VPN between a server we own (hosted by
> Rackspace) and a 3rd party company we're working with. Our box has an
> aliased network device (eth0:0) with a private IP of 192.168.205.10.
> That's my "subnet" and the only box that I plan on using to connect to
> the 3rd party. (Technically, we've agreed to use 192.168.205.0/26.)
>
> The tunnel comes up correctly and the 3rd party is able to ping and
> SSH into my box, but I'm unable to initiate a connection from my box
> to their network. I'm on the left, they're on the right and the
> configuration is:
>
> conn foobar
> authby=secret
> forceencaps=no
> auto=start
> left=%defaultroute
> leftid=192.168.205.10
> leftsourceip=192.168.205.10
> leftsubnet=192.168.205.0/26
> right=X.X.X.X
> rightid=X.X.X.X
> rightsubnet=10.2.1.0/24
> pfs=yes
> salifetime=28800s
> ike=aes256-sha1;modp1536
> phase2alg=aes256-sha1;modp1536
>
> We're not using NAT-T.
>
> When they ping my box, tcpdump shows an ESP packet from their public
> IP to my public IP, then an ICMP packet from their private IP to my
> private IP, then an ESP packet from my public IP to their public IP:
> 10:43:25.293020 IP X.X.X.X > Y.Y.Y.Y: ESP(spi=0xdfecf980,seq=0x51a), length 100
> 10:43:25.293098 IP 10.2.1.253 > 192.168.205.10: ICMP echo request, id 57822, seq 1476, length 40
> 10:43:25.293140 IP Y.Y.Y.Y > X.X.X.X: ESP(spi=0xc0e556ce,seq=0x527), length 100
>
> When I run 'ping -I eth0:0 -S 192.168.205.10 10.2.1.253' tcpdump shows
> sequential ESP packets being sent from my public IP to their public IP
> but the packets are not routed correctly on their end.
> 10:30:53.885175 IP Y.Y.Y.Y > X.X.X.X: ESP(spi=0xc0e558fc,seq=0x2e), length 132
> 10:30:54.885187 IP Y.Y.Y.Y > X.X.X.X: ESP(spi=0xc0e558fc,seq=0x2f), length 132
> 10:30:55.885190 IP Y.Y.Y.Y > X.X.X.X: ESP(spi=0xc0e558fc,seq=0x30), length 132
>
> iptables are set to accept everything and my routing table looks like:
> Kernel IP routing table
> Destination Gateway Genmask Flags MSS Window irtt Iface
> 0.0.0.0 Y.Y.Y.1 0.0.0.0 UG 0 0 0 eth0
> 10.2.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
>
> I've run out of ideas on how to proceed. It seems like there's either
> a routing issue on their end (but my replies to their pings seem to be
> routed correctly) or the source IP is being set incorrectly when I'm
> initiating the connection. Any suggestions on what to check next?
>
> Thanks,
> Ben
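As an added troubleshooting aid that is not part of the original thread, the following Python script checks a tcpdump excerpt for exactly the asymmetry described above (ESP leaving the box with nothing coming back from the peer) and confirms that the inner addresses fall inside the conn's leftsubnet/rightsubnet traffic selectors. The captures are constructed from the excerpts in the post, with documentation-range addresses standing in for X.X.X.X and Y.Y.Y.Y.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed captures modelled on the two tcpdump excerpts in the post; the
# public addresses X.X.X.X / Y.Y.Y.Y are replaced by documentation-range stand-ins.
THEIR_PING = """\
10:43:25.293020 IP 198.51.100.1 > 203.0.113.1: ESP(spi=0xdfecf980,seq=0x51a), length 100
10:43:25.293098 IP 10.2.1.253 > 192.168.205.10: ICMP echo request, id 57822, seq 1476, length 40
10:43:25.293140 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0xc0e556ce,seq=0x527), length 100
"""
MY_PING = """\
10:30:53.885175 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0xc0e558fc,seq=0x2e), length 132
10:30:54.885187 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0xc0e558fc,seq=0x2f), length 132
10:30:55.885190 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0xc0e558fc,seq=0x30), length 132
"""

# Matches the outer (ESP) or inner (ICMP) header summary tcpdump prints.
PKT_RE = re.compile(r"IP (\S+) > (\S+): (ESP|ICMP)")

def esp_flows(capture):
    """Count ESP packets per (src, dst) pair of tunnel endpoints."""
    flows = Counter()
    for line in capture.splitlines():
        m = PKT_RE.search(line)
        if m and m.group(3) == "ESP":
            flows[(m.group(1), m.group(2))] += 1
    return dict(flows)

def one_way_esp(capture):
    """Endpoint pairs that emit ESP but never receive ESP back in the capture:
    our side is encrypting and sending, the peer is not answering."""
    flows = esp_flows(capture)
    return sorted(pair for pair in flows if (pair[1], pair[0]) not in flows)

def selector_ok(src, dst, leftsubnet, rightsubnet):
    """True if an inner packet lies within the conn's leftsubnet/rightsubnet
    selectors (in either direction), i.e. the IPsec policy will match it."""
    s, d = ip_address(src), ip_address(dst)
    left, right = ip_network(leftsubnet), ip_network(rightsubnet)
    return (s in left and d in right) or (s in right and d in left)

if __name__ == "__main__":
    print("their ping, unanswered ESP pairs:", one_way_esp(THEIR_PING))
    print("my ping, unanswered ESP pairs:", one_way_esp(MY_PING))
    print("192.168.205.10 -> 10.2.1.253 matches selectors:",
          selector_ok("192.168.205.10", "10.2.1.253", "192.168.205.0/26", "10.2.1.0/24"))
```

An empty list for the peer's ping and a non-empty one for the local ping reproduce the symptom in the post: the local side's policy matches and ESP goes out, so the fault lies with the return path on the far side.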