[Openswan Users] Site 2 Site VPN: tunnel established, data are not sent

Konstantin Boyandin lists at boyandin.info
Sun Dec 8 09:48:01 UTC 2013


Hello,

I am setting up a connection between two intranets. The tunnel started working
quite quickly; little configuration tuning was required. However, data
are not passed (all connections to the foreign intranet time out).

After the tunnel is established, no routing is added for the left subnet
(and trying to add 'right IP' addresses didn't solve the problem).

May I ask for a piece of advice on where to look further to allow data
transmission through the tunnel?

Required data (please tell me what to post if these are insufficient):

Left (our) public IP: 1.1.1.1
Left network: 10.20.20.0/24
Left private network we wish to exclude from communication: 10.10.10.0/24
Left network IP (source ip): 10.20.20.1

Right public IP: 2.2.2.2
Right network: 192.168.2.0/24
Right test IP (accepts connections on TCP 22): 192.168.2.2

/etc/ipsec.conf:
----------------

config setup
	protostack=netkey
	nat_traversal=yes
	virtual_private=%v4:!10.10.10.0/24,%v4:10.20.20.0/24
	oe=off

include /etc/ipsec.d/*.conf

/etc/ipsec.d/acme.conf
----------------------

conn acme
  type=tunnel
  authby=secret
  pfs=yes
  keyexchange=ike
  ike=aes256-md5;modp1536
  phase2=esp
  phase2alg=aes256-md5;modp1536
  left=1.1.1.1
  leftsubnet=10.20.20.0/24
  leftsourceip=10.20.20.1
  right=2.2.2.2
  rightsubnet=192.168.2.0/24
  auto=start

$ ipsec auto --status
---------------------

[...]
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64} trans={0,2,2160} attrs={0,2,1440}
000
000 "acme": 10.20.20.0/24===1.1.1.1<1.1.1.1>[+S=C]...2.2.2.2<2.2.2.2>[+S=C]===192.168.2.0/24; erouted; eroute owner: #2
000 "acme":     myip=10.20.20.1; hisip=unset;
000 "acme":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "acme":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth0;
000 "acme":   newest ISAKMP SA: #3; newest IPsec SA: #2;
000 "acme":   IKE algorithms wanted: AES_CBC(7)_256-MD5(1)_000-MODP1536(5); flags=-strict
000 "acme":   IKE algorithms found:  AES_CBC(7)_256-MD5(1)_128-MODP1536(5)
000 "acme":   IKE algorithm newest: AES_CBC_256-MD5-MODP1536
000 "acme":   ESP algorithms wanted: AES(12)_256-MD5(1)_000; pfsgroup=MODP1536(5); flags=-strict
000 "acme":   ESP algorithms loaded: AES(12)_256-MD5(1)_128
000 "acme":   ESP algorithm newest: AES_256-HMAC_MD5; pfsgroup=MODP1536
000
000 #2: "acme":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 24831s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "acme" esp.11e46422@2.2.2.2 esp.73ae1ec@1.1.1.1 tun.0@2.2.2.2 tun.0@1.1.1.1 ref=0 refhim=4294901761
000 #1: "acme":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 383s; lastdpd=13s(seq in:0 out:0); idle; import:admin initiate
000 #3: "acme":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2028s; newest ISAKMP; lastdpd=7s(seq in:0 out:0); idle; import:admin initiate
000

$ ip xfrm state
---------------

src 2.2.2.2 dst 1.1.1.1
	proto esp spi 0x073ae1ec reqid 16385 mode tunnel
	replay-window 32 flag 20
	auth hmac(md5) 0x0c3f4210afedec8981278abaf9eab95a
	enc cbc(aes) 0x0d84702a07dff2330cd45941db03304038b864cec966541ca81e925f3d7289f0
src 1.1.1.1 dst 2.2.2.2
	proto esp spi 0x11e46422 reqid 16385 mode tunnel
	replay-window 32 flag 20
	auth hmac(md5) 0x7081e21726f676256947cabaa0c9bd7b
	enc cbc(aes) 0x8523221b41fb4b137f5561d1ab12b3266dd3871206ed0d2e27c6a08eea6ba20d

$ ipsec verify
--------------

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             	OK
Linux Openswan U2.6.32/K2.6.18-xxxxxx (netkey)
Checking for IPsec support in kernel                        	OK
 SAref kernel support                                       	N/A
 NETKEY:  Testing for disabled ICMP send_redirects          	OK
NETKEY detected, testing for disabled ICMP accept_redirects 	OK
Testing against enforced SElinux mode                       	OK
Checking that pluto is running                              	OK
 Pluto listening for IKE on udp 500                         	OK
 Pluto listening for NAT-T on udp 4500                      	OK
Two or more interfaces found, checking IP forwarding        	OK
Checking NAT and MASQUERADEing                              	OK
Checking for 'ip' command                                   	OK
Checking /bin/sh is not /bin/dash                           	OK
Checking for 'iptables' command                             	OK
Opportunistic Encryption Support                            	DISABLED

Thank you in advance,

Sincerely,
Konstantin
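A check worth running at this point, added here as an example that is neither part of the thread nor Openswan's own tooling: with the NETKEY stack, forwarded traffic from the left subnet does not need a kernel route for the right subnet; instead three xfrm policies (out, fwd, in) for the subnet pair steer packets into and out of the tunnel, so when the SAs are up but nothing flows, `ip xfrm policy` is the place to look, not `ip route`. The Python below parses that output and reports which of the three policies is missing; the sample output is constructed from the post's addresses, and the gateway/subnet constants assume the check runs on the left gateway.

```python
# Addresses from the post; assumes the check runs on the left gateway (1.1.1.1).
LEFT_GW, RIGHT_GW = "1.1.1.1", "2.2.2.2"
LEFT_NET, RIGHT_NET = "10.20.20.0/24", "192.168.2.0/24"

# Constructed sample of `ip xfrm policy` output for a working tunnel (not from the thread).
SAMPLE_POLICY = """\
src 10.20.20.0/24 dst 192.168.2.0/24
	dir out priority 2344 ptype main
	tmpl src 1.1.1.1 dst 2.2.2.2
		proto esp reqid 16385 mode tunnel
src 192.168.2.0/24 dst 10.20.20.0/24
	dir fwd priority 2344 ptype main
	tmpl src 2.2.2.2 dst 1.1.1.1
		proto esp reqid 16385 mode tunnel
src 192.168.2.0/24 dst 10.20.20.0/24
	dir in priority 2344 ptype main
	tmpl src 2.2.2.2 dst 1.1.1.1
		proto esp reqid 16385 mode tunnel
"""

def parse_xfrm_policy(text):
    """Turn `ip xfrm policy` output into dicts with src, dst, dir, tmpl and mode."""
    policies, cur = [], None
    for line in text.splitlines():
        w = line.split()
        if w and w[0] == "src" and not line[0].isspace():  # unindented: new policy
            cur = {"src": w[1], "dst": w[3]}
            policies.append(cur)
        elif w and cur is not None and w[0] == "dir":
            cur["dir"] = w[1]
        elif w and cur is not None and w[0] == "tmpl":     # "tmpl src A dst B"
            cur["tmpl"] = (w[2], w[4])
        elif w and cur is not None and "mode" in w:
            cur["mode"] = w[w.index("mode") + 1]
    return policies

def missing_directions(policies, left_net=LEFT_NET, right_net=RIGHT_NET,
                       left_gw=LEFT_GW, right_gw=RIGHT_GW):
    """Return the policy directions absent for the subnet pair (empty = all present).

    With NETKEY no route for the right subnet is needed: the 'out' policy steers
    traffic into the tunnel and 'in'/'fwd' admit decrypted traffic back.
    """
    expected = {"out": (left_net, right_net, left_gw, right_gw),
                "fwd": (right_net, left_net, right_gw, left_gw),
                "in": (right_net, left_net, right_gw, left_gw)}
    present = {d for p in policies for d, (s, t, ts, td) in expected.items()
               if p.get("dir") == d and (p["src"], p["dst"]) == (s, t)
               and p.get("tmpl") == (ts, td) and p.get("mode") == "tunnel"}
    return sorted(set(expected) - present)
```

If all three policies are present, the next things to rule out on both gateways are the FORWARD chain and any MASQUERADE/SNAT rule in the nat table that rewrites the source address before the out policy matches.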
