[Openswan Users] problem establishing traffic between 2 networks over openswan/ipsec

Walter Robert Ditzler ditwal001 at gmail.com
Mon Jan 14 11:58:59 EST 2013


Hi there,

I got stuck for weeks now getting a tunnel to work. Now I really need some cracks to help me if possible. What I need is:

- A tunnel from 10.41.50.0/24 to 10.41.20.0/23

My network looks as follows:

***
[10.41.50.0/24] <> [10.41.50.1 (Firewall/m0n0) 192.168.0.2] <> [192.168.0.1 (ADSL) 87.xxx.xxx.xxx] <> [62.xxx.xxx.xxx (Firewall/NAT/Squeeze) 10.41.10.1] <> [10.41.10.2 (Openswan/IPSEC/wheezy) 10.41.20.1] <> [10.41.20.0/23]
***

Below I send some exports of my configuration. I don't know what else to do ☹.

What I did and what works/doesn't work:

1) I created the tunnel, I think that should be ok
2) the ipsec is ok
3) the tunnel interface is not here (ifconfig)
4) ping/traffic doesn't go through
5) traffic arrives at the openswan world nic in encapsulated udp packets when I run ping on remote network over tunnel

thanks a lot out there for help!

walter.



root at srv:/etc# nano /etc/ipsec.conf
***
version 2.0

config setup
  interfaces="%defaultroute"
  nat_traversal=yes
  dumpdir=/var/run/pluto/
  oe=off
  protostack=netkey
  uniqueids=yes

conn block
  auto=ignore
conn private
  auto=ignore
conn clear
  auto=ignore
conn clear-or-private
  auto=ignore

conn ABO_CHBSLBS212
  left=62.xxx.xxx.xxx
  leftsubnet=10.41.20.0/23
  leftnexthop=10.41.10.1
  leftid=chbslsa52 at abc.net
  right=87.xxx.xxx.xxx
  rightsubnet=10.41.50.0/24
  rightnexthop=10.41.50.1
  rightid=chbslbs212 at abc.net
  auto=start
  pfs=yes
  aggrmode=no
  ike=3des-md5;modp1024
  phase2=esp
  phase2alg=3des-md5;modp1024
  authby=secret
  #rekey=no
  #keyingtries=3
  #dpddelay=3500
  #dpdtimeout=3500
  #dpdaction=clear
  type=tunnel

conn ABO_MOBILE
  authby=secret
  pfs=no
  rekey=no
  keyingtries=3
  dpddelay=30
  dpdtimeout=60
  dpdaction=clear
  compress=yes
  left=%defaultroute
  leftprotoport=udp/1701
  right=%any
  rightprotoport=udp/0
  auto=add
  aggrmode=no
  ike=3des-md5-modp1024
  esp=3des-md5
***


root at srv:/etc# nano /etc/ipsec.secrets
***
include /var/lib/openswan/ipsec.secrets.inc

chbslsa52 at abc.net chbslbs212 at abc.net: PSK "abc"
***


root at srv:/etc# ipsec setup status
***
IPsec running  - pluto pid: 2760
pluto pid 2760
1 tunnels up
some eroutes exist
***


root at srv:/etc/abbeoo# ip xfrm state
***
src 87.xxx.xxx.xxx dst 10.41.10.2
        proto esp spi 0x5c41132b reqid 16405 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(md5) 0x0df17831b8c406f14c5454677eb00244 96
        enc cbc(des3_ede) 0x5a170cc7d8f69bdc254820a8e07cdbd37fefacdaa2e579c2
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 10.41.10.2 dst 87.xxx.xxx.xxx
        proto esp spi 0x0eb114bb reqid 16405 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(md5) 0xf976d837935941437a50fb3fb0cfff6b 96
        enc cbc(des3_ede) 0x246f00e61bbe1e84146c93b8837f6640d48282e83a3fa060
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
***


root at srv:/etc/abbeoo# ip route show
***
default via 10.41.10.1 dev eth0
10.41.10.0/24 dev eth0  proto kernel  scope link  src 10.41.10.2
10.41.20.0/23 dev eth1  proto kernel  scope link  src 10.41.20.1
***


root at srv:/etc/abbeoo# ifconfig
***
eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:10.41.10.2  Bcast:10.41.10.255  Mask:255.255.255.0
          inet6 addr: xx:xx:xx:xx:xx:xx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:90366 errors:0 dropped:1925 overruns:0 frame:0
          TX packets:120048 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:28586733 (27.2 MiB)  TX bytes:49990071 (47.6 MiB)
          Interrupt:16 Memory:fe9e0000-fea00000

eth1      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:10.41.20.1  Bcast:10.41.21.255  Mask:255.255.254.0
          inet6 addr: xx:xx:xx:xx:xx:xx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:131170 errors:0 dropped:4 overruns:0 frame:0
          TX packets:98124 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:50952183 (48.5 MiB)  TX bytes:30981050 (29.5 MiB)
          Interrupt:17 Memory:feae0000-feb00000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:348 errors:0 dropped:0 overruns:0 frame:0
          TX packets:348 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:38814 (37.9 KiB)  TX bytes:38814 (37.9 KiB)
***


root at srv:/etc/abbeoo# tcpdump -f udp -i eth0
***
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:25:58.296795 IP 87.xxx.xxx.xxx.4500 > 10.41.10.2.4500: UDP-encap: ESP(spi=0x5c41132b,seq=0x1cb), length 92
14:26:03.295872 IP 87.xxx.xxx.xxx.4500 > 10.41.10.2.4500: UDP-encap: ESP(spi=0x5c41132b,seq=0x1cc), length 92
14:26:08.297490 IP 87.xxx.xxx.xxx.4500 > 10.41.10.2.4500: UDP-encap: ESP(spi=0x5c41132b,seq=0x1cd), length 92
14:26:08.633713 IP 87.xxx.xxx.xxx.4500 > 10.41.10.2.4500: isakmp-nat-keep-alive
***


root at srv:/etc/abbeoo# ipsec verify
***
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                  [OK]
Linux Openswan U2.6.37-g955aaafb-dirty/K3.7.1.1-abo.srv (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                                    [N/A]
 NETKEY:  Testing XFRM related proc values               [OK]
        [OK]
        [OK]
Checking that pluto is running                                     [OK]
 Pluto listening for IKE on udp 500                               [OK]
 Pluto listening for NAT-T on udp 4500                        [OK]
Two or more interfaces found, checking IP forwarding   [OK]
Checking NAT and MASQUERADEing                                [OK]
Checking for 'ip' command                                          [OK]
Checking /bin/sh is not /bin/dash                                [WARNING]
Checking for 'iptables' command                                [OK]
Opportunistic Encryption Support                                [DISABLED]
***
