[Openswan Users] Site 2 Site VPN: tunnel established, data are not sent
Konstantin Boyandin
lists at boyandin.info
Sun Dec 8 09:48:01 UTC 2013
Hello,
I am setting up a connection between two intranets. The tunnel started working
quite quickly; little configuration tuning was required. However, data
are not passed (all connections to the foreign intranet time out).
After the tunnel is established, no routing is added for the left subnet
(and trying to add 'right IP' addresses didn't solve the problem).
May I ask for a piece of advice on where to look further to allow data
transmission through the tunnel?
Required data (please tell me what to post if these are insufficient):
Left (our) public IP: 1.1.1.1
Left network: 10.20.20.0/24
Left private network we wish to exclude from communication: 10.10.10.0/24
Left network IP (source ip): 10.20.20.1
Right public IP: 2.2.2.2
Right network: 192.168.2.0/24
Right test IP (accepts connections on TCP 22): 192.168.2.2
/etc/ipsec.conf:
----------------
config setup
    # Linux native IPsec stack (xfrm); no KLIPS
    protostack=netkey
    nat_traversal=yes
    # exclude 10.10.10.0/24, allow 10.20.20.0/24 behind NAT
    virtual_private=%v4:!10.10.10.0/24,%v4:10.20.20.0/24
    # opportunistic encryption off
    oe=off
include /etc/ipsec.d/*.conf
/etc/ipsec.d/acme.conf
----------------------
conn acme
    type=tunnel
    # pre-shared key from /etc/ipsec.secrets
    authby=secret
    pfs=yes
    keyexchange=ike
    # phase 1 (IKE) proposal
    ike=aes256-md5;modp1536
    phase2=esp
    # phase 2 (ESP) proposal with PFS group
    phase2alg=aes256-md5;modp1536
    # left = this gateway (1.1.1.1) and its subnet
    left=1.1.1.1
    leftsubnet=10.20.20.0/24
    leftsourceip=10.20.20.1
    # right = remote gateway (2.2.2.2) and its subnet
    right=2.2.2.2
    rightsubnet=192.168.2.0/24
    auto=start
$ ipsec auto --status
---------------------
[...]
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64} trans={0,2,2160} attrs={0,2,1440}
000
000 "acme": 10.20.20.0/24===1.1.1.1<1.1.1.1>[+S=C]...2.2.2.2<2.2.2.2>[+S=C]===192.168.2.0/24; erouted; eroute owner: #2
000 "acme": myip=10.20.20.1; hisip=unset;
000 "acme": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "acme": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth0;
000 "acme": newest ISAKMP SA: #3; newest IPsec SA: #2;
000 "acme": IKE algorithms wanted: AES_CBC(7)_256-MD5(1)_000-MODP1536(5); flags=-strict
000 "acme": IKE algorithms found: AES_CBC(7)_256-MD5(1)_128-MODP1536(5)
000 "acme": IKE algorithm newest: AES_CBC_256-MD5-MODP1536
000 "acme": ESP algorithms wanted: AES(12)_256-MD5(1)_000; pfsgroup=MODP1536(5); flags=-strict
000 "acme": ESP algorithms loaded: AES(12)_256-MD5(1)_128
000 "acme": ESP algorithm newest: AES_256-HMAC_MD5; pfsgroup=MODP1536
000
000 #2: "acme":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 24831s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "acme" esp.11e46422 at 2.2.2.2 esp.73ae1ec at 1.1.1.1 tun.0 at 2.2.2.2 tun.0 at 1.1.1.1 ref=0 refhim=4294901761
000 #1: "acme":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 383s; lastdpd=13s(seq in:0 out:0); idle; import:admin initiate
000 #3: "acme":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2028s; newest ISAKMP; lastdpd=7s(seq in:0 out:0); idle; import:admin initiate
000
$ ip xfrm state
---------------
src 2.2.2.2 dst 1.1.1.1
	proto esp spi 0x073ae1ec reqid 16385 mode tunnel
	replay-window 32 flag 20
	auth hmac(md5) 0x0c3f4210afedec8981278abaf9eab95a
	enc cbc(aes) 0x0d84702a07dff2330cd45941db03304038b864cec966541ca81e925f3d7289f0
src 1.1.1.1 dst 2.2.2.2
	proto esp spi 0x11e46422 reqid 16385 mode tunnel
	replay-window 32 flag 20
	auth hmac(md5) 0x7081e21726f676256947cabaa0c9bd7b
	enc cbc(aes) 0x8523221b41fb4b137f5561d1ab12b3266dd3871206ed0d2e27c6a08eea6ba20d
$ ipsec verify
--------------
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path OK
Linux Openswan U2.6.32/K2.6.18-xxxxxx (netkey)
Checking for IPsec support in kernel OK
SAref kernel support N/A
NETKEY: Testing for disabled ICMP send_redirects OK
NETKEY detected, testing for disabled ICMP accept_redirects OK
Testing against enforced SElinux mode OK
Checking that pluto is running OK
Pluto listening for IKE on udp 500 OK
Pluto listening for NAT-T on udp 4500 OK
Two or more interfaces found, checking IP forwarding OK
Checking NAT and MASQUERADEing OK
Checking for 'ip' command OK
Checking /bin/sh is not /bin/dash OK
Checking for 'iptables' command OK
Opportunistic Encryption Support DISABLED
Thank you in advance,
Sincerely,
Konstantin
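Added diagnostic for the "SAs established, no traffic" symptom described above. This is an editor-supplied example, not part of the original post or of Openswan. On a NETKEY host the kernel installs xfrm policies rather than routes, so the two things the posted output does not show are (1) whether the 'out' and 'in' xfrm policies for 10.20.20.0/24 <-> 192.168.2.0/24 actually exist, and (2) whether a nat POSTROUTING MASQUERADE/SNAT rule rewrites the source address of tunnel traffic before it is encrypted, a common cause of exactly this symptom. The subnets are the post's; the sample command outputs embedded below are constructed so the checks run offline; diagnose_live is the function to run as root on the real gateway.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Parses 'ip xfrm policy' and
# 'iptables-save' output for the post's subnet pair. The sample outputs at
# the bottom are constructed, not captured from the poster's gateway.

LEFTNET=10.20.20.0/24
RIGHTNET=192.168.2.0/24

# check_xfrm_policy TEXT: TEXT is the output of 'ip xfrm policy'.
# Returns 0 when both an 'out' policy (left->right) and an 'in' policy
# (right->left) exist for the subnet pair, 1 otherwise.
check_xfrm_policy() {
    printf '%s\n' "$1" | awk -v l="$LEFTNET" -v r="$RIGHTNET" '
        /^src / { src = $2; dst = $4 }
        /dir out/ && src == l && dst == r { pout = 1 }
        /dir in/  && src == r && dst == l { pin = 1 }
        END { if (pout && pin) exit 0; exit 1 }'
}

# check_nat_rules TEXT: TEXT is the output of 'iptables-save'.
# Returns 1 when the nat POSTROUTING chain masquerades/SNATs traffic from the
# left subnet without an earlier ACCEPT exception for left->right, 0 otherwise.
check_nat_rules() {
    printf '%s\n' "$1" | awk -v l="$LEFTNET" -v r="$RIGHTNET" '
        /^\*/ { table = $0 }
        table == "*nat" && /^-A POSTROUTING/ {
            src = ""; dst = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-d") dst = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            # an exception only helps if it precedes the NAT rule
            if (src == l && dst == r && target == "ACCEPT" && !masq) excepted = 1
            if ((target == "MASQUERADE" || target == "SNAT") && (src == "" || src == l)) masq = 1
        }
        END { if (masq && !excepted) exit 1; exit 0 }'
}

# Run this (as root) on the real gateway.
diagnose_live() {
    if check_xfrm_policy "$(ip xfrm policy)"; then
        echo "xfrm policies for $LEFTNET <-> $RIGHTNET: present"
    else
        echo "xfrm policies for $LEFTNET <-> $RIGHTNET: MISSING (conn not erouted in kernel)"
    fi
    if check_nat_rules "$(iptables-save)"; then
        echo "nat POSTROUTING: no masquerade conflict"
    else
        echo "nat POSTROUTING: MASQUERADE/SNAT catches tunnel traffic; insert before it:"
        echo "  iptables -t nat -I POSTROUTING -s $LEFTNET -d $RIGHTNET -j ACCEPT"
    fi
}

# Constructed samples (not taken from the post).
POLICY_OK='src 10.20.20.0/24 dst 192.168.2.0/24
	dir out priority 2344 ptype main
	tmpl src 1.1.1.1 dst 2.2.2.2
		proto esp reqid 16385 mode tunnel
src 192.168.2.0/24 dst 10.20.20.0/24
	dir in priority 2344 ptype main
	tmpl src 2.2.2.2 dst 1.1.1.1
		proto esp reqid 16385 mode tunnel
src 192.168.2.0/24 dst 10.20.20.0/24
	dir fwd priority 2344 ptype main
	tmpl src 2.2.2.2 dst 1.1.1.1
		proto esp reqid 16385 mode tunnel'
POLICY_EMPTY=''
NAT_BAD='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.20.20.0/24 -o eth0 -j MASQUERADE
COMMIT'
NAT_OK='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.20.20.0/24 -d 192.168.2.0/24 -j ACCEPT
-A POSTROUTING -s 10.20.20.0/24 -o eth0 -j MASQUERADE
COMMIT'

# Demo on the constructed samples.
for t in POLICY_OK POLICY_EMPTY; do
    eval "v=\$$t"
    if check_xfrm_policy "$v"; then echo "$t: policies present"; else echo "$t: policies missing"; fi
done
for t in NAT_BAD NAT_OK; do
    eval "v=\$$t"
    if check_nat_rules "$v"; then echo "$t: ok"; else echo "$t: masquerade conflict"; fi
done
```

A quick confirmation to pair with the checks: run `tcpdump -ni eth0 host 2.2.2.2` while doing `ping -I 10.20.20.1 192.168.2.2`; if the ping leaves as plain ICMP from 1.1.1.1 rather than as ESP, the packet was NATed or missed the policy before encryption.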