[Openswan Users] CentOS5 + Draytek 2820 pings only one way

John Crisp jcrisp at safeandsoundit.co.uk
Thu Feb 14 13:08:01 EST 2013


Hi,

it is with some frustration that I write to this list. I know I must be
close to sorting out this connection but cannot get over the last
hurdle. I've read until my eyes hurt, and still can't work it out.

I have an online VPS server running a version of CentOS 5 with
openswan-2.6.32-4.el5

It is in 'Server/Gateway' mode with masquerading and it has a dummy
'local' address of 192.168.99.1

Its external/public IP address is L.C.98.24

I am trying to make an IPsec VPN connection to a Draytek 2820 router.

The Draytek has an IP of 10.0.0.251 with a local network of 10.0.0.0 and
an external/public static IP of R.D.128.243

The server is set to dial in to the router. I have a script to disable
redirects.

The connection is up and seems stable. The frustration comes from the
fact that I can ping the server and ssh to 192.168.99.1 from the
10.0.0.x network, but NOT from the server back to the router network.

I presume it is either a mistake in ipsec.conf or a routing problem on
the server.

I wonder if anyone would be kind enough to take a look and point me in
the right direction! I'm sure it is a simple answer.

B. Rgds
John Crisp

Notes:

Left is the VPS server. Right is the Draytek

I found one page that said to use pfs=yes but that did not seem to work.

Logging is on.

I can provide anything else required for diagnosis - please just ask.




# basic configuration
config setup
	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
	klipsdebug=all
	plutodebug="control parsing"
	interfaces=%defaultroute
	myid=L.C.98.24
	nat_traversal=yes
	oe=no
	protostack=netkey
	syslog=syslog.debug
	virtual_private=%v4:10.0.0.0/24,%v4:192.168.99.0/24

conn net-to-net
	type=tunnel
	connaddrfamily=ipv4
	authby=secret
	auto=start
	compress=no
	ike=3des-sha1,des-md5
	phase2alg=3des-sha1,des-md5
	phase2=esp
	ikelifetime=3600s
	keyexchange=ike
	keylife=28800s
	keyingtries=%forever
	left=%defaultroute
	leftsourceip=192.168.99.1 # Server local address
	leftid=L.C.98.24          # Server public IP
	leftsubnet=192.168.99.0/24
	pfs=no
	dpdaction=restart
	right=R.D.128.243         # Router public IP
	rightid=R.D.128.243       # Router public IP
	rightsourceip=10.0.0.251  # Router local address
	rightsubnet=10.0.0.0/24


Most config files on the server are generated by templates.

I added the following to /etc/rc.d/init.d/masq to allow IPsec
connections. This may be where the problem lies and needs modifying, but
I am not an iptables expert.

# IPsec ports

# IKE (ISAKMP) on UDP 500
/sbin/iptables -A INPUT -i $OUTERIF -p udp --sport 500 --dport 500 -j ACCEPT
# ESP (IP protocol 50): mark on arrival, then accept marked packets
/sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 50 -j MARK --set-mark 1
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 1 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 1 -j ACCEPT
# AH (IP protocol 51): same pattern with a second mark
/sbin/iptables -t mangle -A PREROUTING -i $OUTERIF -p 51 -j MARK --set-mark 2
/sbin/iptables -A INPUT -i $OUTERIF -m mark --mark 2 -j ACCEPT
/sbin/iptables -A FORWARD -i $OUTERIF -m mark --mark 2 -j ACCEPT


Server routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
L.C.98.0        *               255.255.255.0   U     0      0        0 eth1
10.0.0.0        *               255.255.255.0   U     0      0        0 eth1
192.168.99.0    *               255.255.255.0   U     0      0        0 eth0
default         L.C.98.1        0.0.0.0         UG    0      0        0 eth1




/usr/sbin/ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth1/eth1 5.44.98.24
000 interface eth1/eth1 5.44.98.24
000 interface eth0/eth0 192.168.99.1
000 interface eth0/eth0 192.168.99.1
000 %myid = L.C.98.24
000 debug parsing+control
000
000 virtual_private (%priv):
000 - allowed 2 subnets: 10.0.0.0/24, 192.168.99.0/24
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40,
keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC,
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC,
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH,
blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,42,64}
trans={0,42,2160} attrs={0,42,1440}
000
000 "net-to-net":
192.168.99.0/24===L.C.98.24[+S=C]...R.D.128.243<R.D.128.243>[+S=C]===10.0.0.0/24;
erouted; eroute owner: #4
000 "net-to-net":     myip=192.168.99.1; hisip=10.0.0.251;
000 "net-to-net":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "net-to-net":   policy:
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24;
interface: eth1;
000 "net-to-net":   newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "net-to-net":   IKE algorithms wanted:
3DES_CBC(5)_000-SHA1(2)_000-MODP1536(5),
3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2),
DES_CBC(1)_000-MD5(1)_000-MODP1536(5),
DES_CBC(1)_000-MD5(1)_000-MODP1024(2); flags=-strict
000 "net-to-net":   IKE algorithms found:
3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5),
3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "net-to-net":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "net-to-net":   ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000,
DES(2)_000-MD5(1)_000; flags=-strict
000 "net-to-net":   ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160,
DES(2)_064-MD5(1)_128
000 "net-to-net":   ESP algorithm newest: 3DES_000-HMAC_SHA1; pfsgroup=<N/A>
000
000 #1: "net-to-net":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_EXPIRE in 760s; lastdpd=-1s(seq in:0 out:0); idle; import:admin
initiate
000 #44: "net-to-net":500 STATE_QUICK_I1 (sent QI1, expecting QR1);
EVENT_RETRANSMIT in 36s; lastdpd=-1s(seq in:0 out:0); idle; import:admin
initiate
000 #4: "net-to-net":500 STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 492s; newest IPSEC; eroute owner; isakmp#3; idle;
import:not set
000 #4: "net-to-net" esp.9c01b69d at R.D.128.243 esp.36b3767b at L.C.98.24
tun.0 at R.D.128.243 tun.0 at L.C.98.24 ref=0 refhim=4294901761
000 #3: "net-to-net":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA
established); EVENT_SA_REPLACE in 491s; newest ISAKMP; lastdpd=1s(seq
in:0 out:0); idle; import:admin initiate
000
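The following is an added example and is not part of the original post or the Openswan project: a small script that generates a NAT exemption for the tunnel subnets (masquerading on the outer interface rewrites a locally sourced 192.168.99.1 packet before the IPsec policy sees it), replaces the mark-based ESP rules with `-m policy` matches, and lists the checks for a one-way ping. It assumes OUTERIF is eth1, the subnets and addresses from ipsec.conf above, and a RUN variable that defaults to "echo" so the commands are only printed unless RUN is exported empty by root.

```shell
#!/bin/sh
# Added example, not from the original post. Generates iptables rules and
# diagnostic commands for the setup described above. Assumptions: OUTERIF
# is eth1, the subnets are those in ipsec.conf, and RUN defaults to "echo",
# so every command is only printed (dry run) unless RUN="" is exported.
RUN="${RUN-echo}"
OUTERIF="${OUTERIF:-eth1}"
LEFTNET="${LEFTNET:-192.168.99.0/24}"
LEFTIP="${LEFTIP:-192.168.99.1}"
RIGHTNET="${RIGHTNET:-10.0.0.0/24}"
RIGHTIP="${RIGHTIP:-10.0.0.251}"

# Keep tunnel traffic out of the masquerading NAT. Inserted at position 1
# of nat/POSTROUTING so it runs before any -j MASQUERADE rule: a packet
# from 192.168.99.1 whose source is rewritten to the public address no
# longer matches the 192.168.99.0/24===10.0.0.0/24 policy and leaves in clear.
nat_exemption_rules() {
    $RUN iptables -t nat -I POSTROUTING 1 -s "$LEFTNET" -d "$RIGHTNET" -j ACCEPT
}

# Admit IKE (UDP 500, plus 4500 for NAT-T) and ESP on the outer interface,
# and admit decrypted packets by the IPsec policy they arrived under.
ipsec_accept_rules() {
    $RUN iptables -A INPUT -i "$OUTERIF" -p udp --dport 500 -j ACCEPT
    $RUN iptables -A INPUT -i "$OUTERIF" -p udp --dport 4500 -j ACCEPT
    $RUN iptables -A INPUT -i "$OUTERIF" -p esp -j ACCEPT
    $RUN iptables -A INPUT -i "$OUTERIF" -m policy --dir in --pol ipsec \
        -s "$RIGHTNET" -j ACCEPT
    $RUN iptables -A FORWARD -i "$OUTERIF" -m policy --dir in --pol ipsec \
        -s "$RIGHTNET" -d "$LEFTNET" -j ACCEPT
}

# Checks for the one-way ping: which source address the kernel picks for
# the far subnet, which outbound policy exists, whether the ESP counters
# move, and a ping forced to use the tunnel's local address.
tunnel_checks() {
    $RUN ip route get "$RIGHTIP"
    $RUN ip xfrm policy show dir out
    $RUN ip -s xfrm state
    $RUN ping -I "$LEFTIP" -c 3 "$RIGHTIP"
}

nat_exemption_rules
ipsec_accept_rules
tunnel_checks
```

If the forced-source ping succeeds while a plain ping does not, the outbound packets were leaving with the public address as source; the NAT exemption rule then belongs ahead of the MASQUERADE rule in the masq init script.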


