[Openswan Users] FW: problem establishing traffic between 2 networks over openswan/ipsec

Walter Robert Ditzler ditwal001 at gmail.com
Fri Jan 18 09:52:28 EST 2013


hi,

Actually, I am registered ???

Anyone here with some help for me?

Thanks a lot, Walter.

***
Rescued from the Spam bucket.  Please remember to register to the mailing list before posting to it.


Hi there,

I have been stuck for weeks now getting a tunnel to work. Now I really need some cracks to help me if possible. What I need is:

- A tunnel from 10.41.50.0/24 to 10.41.20.0/23

My network looks as follows:

***
[10.41.50.0/24] <> [10.41.50.1 (Firewall/m0n0) 192.168.0.2] <> [192.168.0.1 (ADSL) 87.xxx.xxx.xxx] <> [62.xxx.xxx.xxx (Firewall/NAT/Squeeze) 10.41.10.1] <> [10.41.10.2 (Openswan/IPSEC/wheezy) 10.41.20.1] <> [10.41.20.0/23]
***

Below I send some exports of my configuration. I don't know what else to do ☹.

What I did and what works/doesn't work:

1) I created the tunnel, I think that should be OK
2) the IPsec is OK
3) the tunnel interface is not there (ifconfig)
4) ping/traffic doesn't go through
5) traffic arrives at the Openswan world NIC as encapsulated UDP packets when I run ping on the remote network over the tunnel

Thanks a lot out there for help!

Walter.



root@srv:/etc# nano /etc/ipsec.conf
***
version 2.0

config setup
 interfaces="%defaultroute"
 nat_traversal=yes
 dumpdir=/var/run/pluto/
 oe=off
 protostack=netkey
 uniqueids=yes

conn block
 auto=ignore
conn private
 auto=ignore
conn clear
 auto=ignore
conn clear-or-private
 auto=ignore

conn ABO_CHBSLBS212
 left=62.xxx.xxx.xxx
 leftsubnet=10.41.20.0/23
 leftnexthop=10.41.10.1
 leftid=chbslsa52@abc.net
 right=87.xxx.xxx.xxx
 rightsubnet=10.41.50.0/24
 rightnexthop=10.41.50.1
 rightid=chbslbs212@abc.net
 auto=start
 pfs=yes
 aggrmode=no
 ike=3des-md5;modp1024
 phase2=esp
 phase2alg=3des-md5;modp1024
 authby=secret
 #rekey=no
 #keyingtries=3
 #dpddelay=3500
 #dpdtimeout=3500
 #dpdaction=clear
 type=tunnel

conn ABO_MOBILE
 authby=secret
 pfs=no
 rekey=no
 keyingtries=3
 dpddelay=30
 dpdtimeout=60
 dpdaction=clear
 compress=yes
 left=%defaultroute
 leftprotoport=udp/1701
 right=%any
 rightprotoport=udp/0
 auto=add
 aggrmode=no
 ike=3des-md5-modp1024
 esp=3des-md5
***


root@srv:/etc# nano /etc/ipsec.secrets
***
include /var/lib/openswan/ipsec.secrets.inc

chbslsa52@abc.net chbslbs212@abc.net: PSK "abc"
***


root@srv:/etc# ipsec setup status
***
IPsec running  - pluto pid: 2760
pluto pid 2760
1 tunnels up
some eroutes exist
***


root@srv:/etc/abbeoo# ip xfrm state
***
src 87.xxx.xxx.xxx dst 10.41.10.2
       proto esp spi 0x5c41132b reqid 16405 mode tunnel
       replay-window 32 flag af-unspec
       auth-trunc hmac(md5) 0x0df17831b8c406f14c5454677eb00244 96
       enc cbc(des3_ede) 0x5a170cc7d8f69bdc254820a8e07cdbd37fefacdaa2e579c2
       encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 10.41.10.2 dst 87.xxx.xxx.xxx
       proto esp spi 0x0eb114bb reqid 16405 mode tunnel
       replay-window 32 flag af-unspec
       auth-trunc hmac(md5) 0xf976d837935941437a50fb3fb0cfff6b 96
       enc cbc(des3_ede) 0x246f00e61bbe1e84146c93b8837f6640d48282e83a3fa060
       encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
***


root@srv:/etc/abbeoo# ip route show
***
default via 10.41.10.1 dev eth0
10.41.10.0/24 dev eth0  proto kernel  scope link  src 10.41.10.2
10.41.20.0/23 dev eth1  proto kernel  scope link  src 10.41.20.1
***


root@srv:/etc/abbeoo# ifconfig
***
eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
         inet addr:10.41.10.2  Bcast:10.41.10.255  Mask:255.255.255.0
         inet6 addr: xx:xx:xx:xx:xx:xx/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:90366 errors:0 dropped:1925 overruns:0 frame:0
         TX packets:120048 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:28586733 (27.2 MiB)  TX bytes:49990071 (47.6 MiB)
         Interrupt:16 Memory:fe9e0000-fea00000

eth1      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
         inet addr:10.41.20.1  Bcast:10.41.21.255  Mask:255.255.254.0
         inet6 addr: xx:xx:xx:xx:xx:xx/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:131170 errors:0 dropped:4 overruns:0 frame:0
         TX packets:98124 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:50952183 (48.5 MiB)  TX bytes:30981050 (29.5 MiB)
         Interrupt:17 Memory:feae0000-feb00000

lo        Link encap:Local Loopback
         inet addr:127.0.0.1  Mask:255.0.0.0
         inet6 addr: ::1/128 Scope:Host
         UP LOOPBACK RUNNING  MTU:65536  Metric:1
         RX packets:348 errors:0 dropped:0 overruns:0 frame:0
         TX packets:348 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:38814 (37.9 KiB)  TX bytes:38814 (37.9 KiB)
***


root@srv:/etc/abbeoo# tcpdump -f udp -i eth0
***
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:25:58.296795 IP 87.xxx.xxx.xxx.4500 > 10.41.10.2.4500: UDP-encap: ESP(spi=0x5c41132b,seq=0x1cb), length 92
14:26:03.295872 IP 87.xxx.xxx.xxx.4500 > 10.41.10.2.4500: UDP-encap: ESP(spi=0x5c41132b,seq=0x1cc), length 92
14:26:08.297490 IP 87.xxx.xxx.xxx.4500 > 10.41.10.2.4500: UDP-encap: ESP(spi=0x5c41132b,seq=0x1cd), length 92
14:26:08.633713 IP 87.xxx.xxx.xxx.4500 > 10.41.10.2.4500: isakmp-nat-keep-alive
***


root@srv:/etc/abbeoo# ipsec verify
***
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                  [OK]
Linux Openswan U2.6.37-g955aaafb-dirty/K3.7.1.1-abo.srv (netkey)
Checking for IPsec support in kernel                            [OK]
SAref kernel support                                                    [N/A]
NETKEY:  Testing XFRM related proc values               [OK]
       [OK]
       [OK]
Checking that pluto is running                                     [OK]
Pluto listening for IKE on udp 500                               [OK]
Pluto listening for NAT-T on udp 4500                        [OK]
Two or more interfaces found, checking IP forwarding   [OK]
Checking NAT and MASQUERADEing                                [OK]
Checking for 'ip' command                                          [OK]
Checking /bin/sh is not /bin/dash                                [WARNING]
Checking for 'iptables' command                                [OK]
Opportunistic Encryption Support                                [DISABLED]
***
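As an added, defender-side check (example code written for this page, not from the post or from the Openswan project): the script below parses `ip xfrm state` and tcpdump output of the shape shown above, pairs the ESP SAs by direction, flags the 3DES/MD5 algorithms as deprecated, and matches the SPI of each arriving UDP-encapsulated ESP packet against an installed inbound SA. The samples are constructed to mirror the posted output, with dummy key material and one extra packet carrying an SPI for which no SA exists, so the failure case is exercised; the local address 10.41.10.2 is taken from the post. With protostack=netkey there is no ipsec0 interface to look for: the XFRM SA and policy tables are the state to inspect, and `ip -s xfrm state` adds per-SA counters that show whether arriving ESP is being decrypted or dropped.

```python
"""Cross-check an XFRM ESP SA table against the ESP packets tcpdump sees.
Added example for this thread; standard library only, runs offline on pasted output."""
import re

# Our own review list, not an Openswan setting: 3DES and MD5 are deprecated for
# IPsec and should not appear in a newly built tunnel.
WEAK_ALGS = {"hmac(md5)", "cbc(des3_ede)", "cbc(des)"}

# Constructed sample in the shape of the posted `ip xfrm state`; keys are dummies.
XFRM_STATE = """\
src 87.xxx.xxx.xxx dst 10.41.10.2
       proto esp spi 0x5c41132b reqid 16405 mode tunnel
       auth-trunc hmac(md5) 0x00000000000000000000000000000000 96
       enc cbc(des3_ede) 0x000000000000000000000000000000000000000000000000
       encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 10.41.10.2 dst 87.xxx.xxx.xxx
       proto esp spi 0x0eb114bb reqid 16405 mode tunnel
       auth-trunc hmac(md5) 0x00000000000000000000000000000000 96
       enc cbc(des3_ede) 0x000000000000000000000000000000000000000000000000
       encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
"""

# Constructed tcpdump lines mirroring the post, plus one packet with an SPI that has no SA.
TCPDUMP = """\
14:25:58.296795 IP 87.xxx.xxx.xxx.4500 > 10.41.10.2.4500: UDP-encap: ESP(spi=0x5c41132b,seq=0x1cb), length 92
14:26:03.295872 IP 87.xxx.xxx.xxx.4500 > 10.41.10.2.4500: UDP-encap: ESP(spi=0x5c41132b,seq=0x1cc), length 92
14:26:08.633713 IP 87.xxx.xxx.xxx.4500 > 10.41.10.2.4500: isakmp-nat-keep-alive
14:26:13.100000 IP 87.xxx.xxx.xxx.4500 > 10.41.10.2.4500: UDP-encap: ESP(spi=0xdeadbeef,seq=0x1), length 92
"""

SA_HEAD = re.compile(r"^src (\S+) dst (\S+)")
SA_PROTO = re.compile(r"^proto (\S+) spi (0x[0-9a-fA-F]+)")
ESP_PKT = re.compile(r"IP (\S+)\.\d+ > (\S+)\.\d+: (?:UDP-encap: )?ESP\(spi=(0x[0-9a-fA-F]+)")


def parse_xfrm_state(text: str) -> list:
    """One dict per 'src X dst Y' block of `ip xfrm state` output."""
    sas = []
    for line in map(str.strip, text.splitlines()):
        if (m := SA_HEAD.match(line)):
            sas.append({"src": m.group(1), "dst": m.group(2), "proto": "", "spi": 0,
                        "auth": "", "enc": "", "encap": ""})
        elif sas and (m := SA_PROTO.match(line)):
            sas[-1]["proto"], sas[-1]["spi"] = m.group(1), int(m.group(2), 16)
        elif sas and line.startswith("auth"):      # 'auth' or 'auth-trunc <alg> <key> <bits>'
            sas[-1]["auth"] = line.split()[1]
        elif sas and line.startswith("enc "):      # 'enc <alg> <key>'
            sas[-1]["enc"] = line.split()[1]
        elif sas and line.startswith("encap type"):  # 'encap type espinudp ...' => NAT-T
            sas[-1]["encap"] = line.split()[2]
    return sas


def wire_esp(text: str) -> list:
    """(src, dst, spi) for every ESP packet line in tcpdump output; keep-alives are skipped."""
    return [(m.group(1), m.group(2), int(m.group(3), 16))
            for m in map(ESP_PKT.search, text.splitlines()) if m]


def check_tunnel(xfrm_text: str, tcpdump_text: str, local_ip: str) -> dict:
    """Pair ESP SAs by direction and match the SPIs of arriving ESP against inbound SAs."""
    sas = [s for s in parse_xfrm_state(xfrm_text) if s["proto"] == "esp"]
    inbound = {s["spi"] for s in sas if s["dst"] == local_ip}
    outbound = {s["spi"] for s in sas if s["src"] == local_ip}
    findings = []
    if not (inbound and outbound):
        findings.append("ESP SA missing in one direction: IKE did not install a full pair")
    for s in sas:
        findings += [f"spi 0x{s['spi']:08x}: deprecated algorithm {a}"
                     for a in (s["auth"], s["enc"]) if a in WEAK_ALGS]
        if s["encap"] == "espinudp":
            findings.append(f"spi 0x{s['spi']:08x}: NAT-T (ESP in UDP/4500) in use")
    arriving = [spi for _, dst, spi in wire_esp(tcpdump_text) if dst == local_ip]
    unmatched = sorted({spi for spi in arriving if spi not in inbound})
    findings += [f"inbound ESP spi 0x{spi:08x} has no SA: stale SA on the peer or a rekey race"
                 for spi in unmatched]
    return {"both_directions": bool(inbound and outbound),
            "inbound_spis": sorted(inbound), "outbound_spis": sorted(outbound),
            "wire_matched": sum(spi in inbound for spi in arriving),
            "wire_unmatched": unmatched, "findings": findings}


if __name__ == "__main__":
    for key, value in check_tunnel(XFRM_STATE, TCPDUMP, "10.41.10.2").items():
        print(f"{key}: {value}")
```

Run against the posted output, the inbound SPI 0x5c41132b that tcpdump reports matches the installed inbound SA, so the kernel holds the SA it needs for those packets; a non-empty unmatched list would instead point at a stale SA on the peer. Both SAs are also flagged for hmac(md5) and cbc(des3_ede), which is the algorithm choice a reviewer would ask to replace before the tunnel goes into production.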


