[Openswan Users] problem establishing traffic between 2 networks over openswan/ipsec
Walter Robert Ditzler
ditwal001 at gmail.com
Mon Jan 14 11:58:59 EST 2013
Hi there,
I have been stuck for weeks now getting a tunnel to work. Now I really need some cracks to help me, if possible. What I need is:
- A tunnel from 10.41.50.0/24 to 10.41.20.0/23
My network looks as follows:
***
[10.41.50.0/24] <> [10.41.50.1 (Firewall/m0n0) 192.168.0.2] <> [192.168.0.1 (ADSL) 87.xxx.xxx.xxx] <> [62.xxx.xxx.xxx (Firewall/NAT/Squeeze) 10.41.10.1] <> [10.41.10.2 (Openswan/IPSEC/wheezy) 10.41.20.1] <> [10.41.20.0/23]
***
Below I send some export of my configuration. I don't know what else to do ☹.
What I did and what works/doesn't work:
1) I created the tunnel, I think that should be ok
2) the ipsec is ok
3) the tunnel interface is not here (ifconfig)
4) ping/traffic doesn't go through
5) traffic arrives at the openswan world nic in encapsulated udp packets when I run ping on the remote network over the tunnel
Thanks a lot out there for help!
walter.
root@srv:/etc# nano /etc/ipsec.conf
***
version 2.0
config setup
    interfaces="%defaultroute"
    nat_traversal=yes
    dumpdir=/var/run/pluto/
    oe=off
    # netkey: the kernel XFRM stack; no ipsecN interface is created
    protostack=netkey
    uniqueids=yes
conn block
    auto=ignore
conn private
    auto=ignore
conn clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn ABO_CHBSLBS212
    left=62.xxx.xxx.xxx
    leftsubnet=10.41.20.0/23
    leftnexthop=10.41.10.1
    leftid=chbslsa52@abc.net
    right=87.xxx.xxx.xxx
    rightsubnet=10.41.50.0/24
    rightnexthop=10.41.50.1
    rightid=chbslbs212@abc.net
    auto=start
    pfs=yes
    aggrmode=no
    ike=3des-md5;modp1024
    phase2=esp
    phase2alg=3des-md5;modp1024
    authby=secret
    #rekey=no
    #keyingtries=3
    #dpddelay=3500
    #dpdtimeout=3500
    #dpdaction=clear
    type=tunnel
conn ABO_MOBILE
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    dpddelay=30
    dpdtimeout=60
    dpdaction=clear
    compress=yes
    left=%defaultroute
    leftprotoport=udp/1701
    right=%any
    rightprotoport=udp/0
    auto=add
    aggrmode=no
    ike=3des-md5-modp1024
    esp=3des-md5
***
root@srv:/etc# nano /etc/ipsec.secrets
***
include /var/lib/openswan/ipsec.secrets.inc
chbslsa52@abc.net chbslbs212@abc.net: PSK "abc"
***
root@srv:/etc# ipsec setup status
***
IPsec running - pluto pid: 2760
pluto pid 2760
1 tunnels up
some eroutes exist
***
root@srv:/etc/abbeoo# ip xfrm state
***
src 87.xxx.xxx.xxx dst 10.41.10.2
proto esp spi 0x5c41132b reqid 16405 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(md5) 0x0df17831b8c406f14c5454677eb00244 96
enc cbc(des3_ede) 0x5a170cc7d8f69bdc254820a8e07cdbd37fefacdaa2e579c2
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 10.41.10.2 dst 87.xxx.xxx.xxx
proto esp spi 0x0eb114bb reqid 16405 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(md5) 0xf976d837935941437a50fb3fb0cfff6b 96
enc cbc(des3_ede) 0x246f00e61bbe1e84146c93b8837f6640d48282e83a3fa060
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
***
root@srv:/etc/abbeoo# ip route show
***
default via 10.41.10.1 dev eth0
10.41.10.0/24 dev eth0 proto kernel scope link src 10.41.10.2
10.41.20.0/23 dev eth1 proto kernel scope link src 10.41.20.1
***
root@srv:/etc/abbeoo# ifconfig
***
eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:10.41.10.2 Bcast:10.41.10.255 Mask:255.255.255.0
inet6 addr: xx:xx:xx:xx:xx:xx/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:90366 errors:0 dropped:1925 overruns:0 frame:0
TX packets:120048 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:28586733 (27.2 MiB) TX bytes:49990071 (47.6 MiB)
Interrupt:16 Memory:fe9e0000-fea00000
eth1 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:10.41.20.1 Bcast:10.41.21.255 Mask:255.255.254.0
inet6 addr: xx:xx:xx:xx:xx:xx/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:131170 errors:0 dropped:4 overruns:0 frame:0
TX packets:98124 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:50952183 (48.5 MiB) TX bytes:30981050 (29.5 MiB)
Interrupt:17 Memory:feae0000-feb00000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:348 errors:0 dropped:0 overruns:0 frame:0
TX packets:348 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:38814 (37.9 KiB) TX bytes:38814 (37.9 KiB)
***
root@srv:/etc/abbeoo# tcpdump -f udp -i eth0
***
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:25:58.296795 IP 87.xxx.xxx.xxx.4500 > 10.41.10.2.4500: UDP-encap: ESP(spi=0x5c41132b,seq=0x1cb), length 92
14:26:03.295872 IP 87.xxx.xxx.xxx.4500 > 10.41.10.2.4500: UDP-encap: ESP(spi=0x5c41132b,seq=0x1cc), length 92
14:26:08.297490 IP 87.xxx.xxx.xxx.4500 > 10.41.10.2.4500: UDP-encap: ESP(spi=0x5c41132b,seq=0x1cd), length 92
14:26:08.633713 IP 87.xxx.xxx.xxx.4500 > 10.41.10.2.4500: isakmp-nat-keep-alive
***
root@srv:/etc/abbeoo# ipsec verify
***
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37-g955aaafb-dirty/K3.7.1.1-abo.srv (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
***
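A cross-check of the diagnostic output in the post, written as an added example (it is not from the post or from the Openswan project). It parses an excerpt of the ipsec.conf, the `ip xfrm state` listing and the tcpdump lines copied from the post (the auth/enc key lines are left out, and the public addresses keep the post's xxx placeholders, so they are compared as opaque strings rather than parsed as IPs), then reports whether the ESP SPI seen on the wire belongs to an installed inbound SA, whether every SA carries NAT-T encapsulation, and which conns negotiate algorithms a reviewer would flag today. The `WEAK` set and all function names are the example's own.

```python
"""Cross-check Openswan (netkey) diagnostics: does the ESP SPI tcpdump sees
belong to an installed inbound SA, do all SAs use NAT-T encapsulation, and
which conns use weak algorithms? Sample texts are copied from the post
(key lines dropped, xxx placeholders kept)."""
import re

IPSEC_CONF = """\
conn ABO_CHBSLBS212
    left=62.xxx.xxx.xxx
    leftsubnet=10.41.20.0/23
    right=87.xxx.xxx.xxx
    rightsubnet=10.41.50.0/24
    ike=3des-md5;modp1024
    phase2alg=3des-md5;modp1024
    #rekey=no
conn ABO_MOBILE
    ike=3des-md5-modp1024
    esp=3des-md5
"""

# The first SA's "encap" line and the second SA's "src ... dst ..." header
# are run together, as happens when the listing is pasted flattened; the
# parser copes with that.
XFRM_STATE = """\
src 87.xxx.xxx.xxx dst 10.41.10.2
proto esp spi 0x5c41132b reqid 16405 mode tunnel
replay-window 32 flag af-unspec
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0 src 10.41.10.2 dst 87.xxx.xxx.xxx
proto esp spi 0x0eb114bb reqid 16405 mode tunnel
replay-window 32 flag af-unspec
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
"""

TCPDUMP = """\
14:25:58.296795 IP 87.xxx.xxx.xxx.4500 > 10.41.10.2.4500: UDP-encap: ESP(spi=0x5c41132b,seq=0x1cb), length 92
14:26:03.295872 IP 87.xxx.xxx.xxx.4500 > 10.41.10.2.4500: UDP-encap: ESP(spi=0x5c41132b,seq=0x1cc), length 92
14:26:08.633713 IP 87.xxx.xxx.xxx.4500 > 10.41.10.2.4500: isakmp-nat-keep-alive
"""

# Algorithm tokens to flag (this example's own list): 3DES, MD5 and the
# 1024-bit MODP group are all considered weak for IKE/ESP today.
WEAK = {"3des", "md5", "modp1024"}


def parse_conf(text):
    """Return {conn_name: {key: value}} for the conn sections of an ipsec.conf."""
    conns, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif "=" in line and cur is not None:
            key, value = line.split("=", 1)
            conns[cur][key.strip()] = value.strip().lower()
    return conns


def parse_xfrm_state(text):
    """Return one dict per SA: src, dst, spi (int), reqid, mode, encap flag."""
    sas, cur = [], None
    for line in text.splitlines():
        # An encap line belongs to the SA currently being built ...
        if cur is not None and "encap type espinudp" in line:
            cur["encap"] = True
        # ... and a "src X dst Y" header (even mid-line) starts the next SA.
        m = re.search(r"\bsrc (\S+) dst (\S+)", line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "encap": False}
            sas.append(cur)
            continue
        m = re.search(r"spi (0x[0-9a-f]+) reqid (\d+) mode (\w+)", line)
        if m and cur is not None:
            cur["spi"] = int(m.group(1), 16)
            cur["reqid"] = int(m.group(2))
            cur["mode"] = m.group(3)
    return sas


def observed_spis(tcpdump_text):
    """SPIs of ESP packets that tcpdump decoded inside UDP 4500."""
    return {int(s, 16) for s in re.findall(r"ESP\(spi=(0x[0-9a-f]+)", tcpdump_text)}


def weak_algs(conns):
    """{conn_name: sorted weak tokens} over the ike/esp/phase2alg values."""
    findings = {}
    for name, kv in conns.items():
        found = set()
        for key in ("ike", "esp", "phase2alg"):
            found.update(t for t in re.split(r"[-;,]", kv.get(key, "")) if t in WEAK)
        if found:
            findings[name] = sorted(found)
    return findings


def check(conf_text, xfrm_text, tcpdump_text, local_ip):
    """Tie the three outputs together for the host whose address is local_ip."""
    sas = parse_xfrm_state(xfrm_text)
    inbound = [s for s in sas if s["dst"] == local_ip]
    outbound = [s for s in sas if s["src"] == local_ip]
    seen = observed_spis(tcpdump_text)
    installed = {s["spi"] for s in inbound}
    return {
        "inbound_sa_count": len(inbound),
        "outbound_sa_count": len(outbound),
        "observed_spi_matches_inbound_sa": bool(seen) and seen <= installed,
        "unknown_spis_on_wire": sorted(seen - installed),  # packets the kernel would drop
        "nat_t_on_all_sas": all(s["encap"] for s in sas),
        "weak_algorithms": weak_algs(parse_conf(conf_text)),
    }


if __name__ == "__main__":
    for k, v in check(IPSEC_CONF, XFRM_STATE, TCPDUMP, "10.41.10.2").items():
        print(f"{k}: {v}")
```

For the output in the post the checks come back positive: one SA in each direction, the SPI on the wire (0x5c41132b) is the installed inbound SA, and both SAs are ESP-in-UDP, so the encapsulated pings are reaching a kernel SA. Two caveats follow from that. First, with `protostack=netkey` there is no ipsecN tunnel interface to look for in ifconfig; decrypted packets are steered by the kernel's XFRM policies, which `ip xfrm state` does not show, so `ip xfrm policy` (and the host's forwarding and NAT rules) is where to look next, and the post does not include either. Second, every conn negotiates 3DES, MD5 and modp1024, all of which are deprecated; AES, SHA-2 and a larger DH group are the usual replacements once the tunnel is working.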