[Openswan Users] site to site ipsec VPN. local endpoint replies with a host unreachable.

Michael Closson openswan-users at closson.ca
Sun Nov 24 04:43:08 UTC 2013


Hello Openswan experts.

Site to site VPN, ping from local site, local VPN endpoint generates ICMP
host unreachable.

I'm using CentOS 6.4
Openswan IPsec U2.6.32/K2.6.32-358.23.2.el6.x86_64...

The remote side is the IaaS company SoftLayer.

Here is the network map

172.16.0.0/16
     |
172.16.1.201==24.212.xxx.xxx  --- 173.192.251.47
                                       |
                                       |
                                      ???
                                       |
                                       |
                               10.100.128.128/26

If I run 'ping 10.100.128.130' on 172.16.1.18, then 172.16.1.201 replies
with ICMP host unreachable.

I don't think it's an iptables problem since I've set the default rule in
the filter/INPUT and filter/FORWARD to be ACCEPT.  And there are no rules
about replying with a host unreachable.

I think the problem is with the local ipsec endpoint (172.16.1.201).  I
attach tcpdump to eth0 on that machine (the public interface) and there
is no ESP traffic to the remote ipsec endpoint.  Just the periodic
'isakmp: phase 2/others ? inf[E]'
which--I believe--is expected.

I am following up in parallel with SoftLayer support.  But I suspect that
if they don't know openswan/netkey/linux kernel, they will not be able to
help.

I don't know how to debug this further.  Any suggestions will be
appreciated!  From my understanding of how things are supposed to work,
the local endpoint should know that 10.100.128.130 is on the other side
of the tunnel, and put the ICMP packet in an ESP packet and send it to the
other endpoint.


Here is my ipsec config file. (lambda is 172.16.1.201)

[root at lambda ipsec.d]# cat softlayer.conf
conn softlayer
        type=tunnel
        authby=secret
        auto=start
        left=%defaultroute
        leftsubnet=172.16.0.0/16
        leftsourceip=172.16.1.201
        right=173.192.251.47
        rightsubnet=10.100.128.128/26
        pfs=yes
and the route table on the local endpoint

[root at lambda ipsec.d]# ip route
24.212.xxx.xxx/27 dev eth0  proto kernel  scope link  src 24.212.xxx.xxx
10.100.128.128/26 dev eth0  scope link  src 172.16.1.201
172.16.0.0/16 dev eth1  proto kernel  scope link  src 172.16.1.201
default via 24.212.xxx.xxx dev eth0

[root at lambda ipsec.d]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.32/K2.6.32-358.23.2.el6.x86_64 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects              [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Testing against enforced SElinux mode                           [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]


[root at lambda ipsec.d]# ip xfrm state
src 173.192.251.47 dst 24.212.xxx.xxx
        proto esp spi 0xd04fb5e2 reqid 16385 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0xc8e849ee498bbe3453dfa2a9a84e837926fe9675
        enc cbc(aes) 0xa98dee1f3574083b2d19ed95699f92e4
src 24.212.xxx.xxx dst 173.192.251.47
        proto esp spi 0xd3636bcf reqid 16385 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0xf28bd49f9608e03e0130784a829054e1038a3fe4
        enc cbc(aes) 0xc73abb30f3078aa3a382ec2daad50ea5

[root at lambda ipsec.d]# ip xfrm policy | head -12
src 172.16.0.0/16 dst 10.100.128.128/26
        dir out priority 2598 ptype main
        tmpl src 24.212.xxx.xxx dst 173.192.251.47
                proto esp reqid 16385 mode tunnel
src 10.100.128.128/26 dst 172.16.0.0/16
        dir fwd priority 2598 ptype main
        tmpl src 173.192.251.47 dst 24.212.xxx.xxx
                proto esp reqid 16385 mode tunnel
src 10.100.128.128/26 dst 172.16.0.0/16
        dir in priority 2598 ptype main
        tmpl src 173.192.251.47 dst 24.212.xxx.xxx
                proto esp reqid 16385 mode tunnel

Thanks!!
Michael Closson
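An added example (not part of the post) that checks the same thing the poster reasons about: given pasted `ip xfrm policy` and `ip xfrm state` output, does a flow from 172.16.1.18 to 10.100.128.130 match an outbound policy whose template has an installed SA? The sample text is constructed from the post's output, with the masked 24.212.xxx.xxx public address replaced by the documentation address 192.0.2.10 (an assumption) and the keys trimmed.

```python
import ipaddress
import re

# Constructed sample input: the poster's "ip xfrm policy" / "ip xfrm state"
# output, keys trimmed, masked public address replaced by 192.0.2.10.
POLICY_OUT = """\
src 172.16.0.0/16 dst 10.100.128.128/26
        dir out priority 2598 ptype main
        tmpl src 192.0.2.10 dst 173.192.251.47
                proto esp reqid 16385 mode tunnel
src 10.100.128.128/26 dst 172.16.0.0/16
        dir in priority 2598 ptype main
        tmpl src 173.192.251.47 dst 192.0.2.10
                proto esp reqid 16385 mode tunnel
"""
STATE_OUT = """\
src 173.192.251.47 dst 192.0.2.10
        proto esp spi 0xd04fb5e2 reqid 16385 mode tunnel
src 192.0.2.10 dst 173.192.251.47
        proto esp spi 0xd3636bcf reqid 16385 mode tunnel
"""

def parse_policies(text):
    """Each policy block -> (src_net, dst_net, dir, tmpl_src, tmpl_dst, reqid)."""
    pat = re.compile(r"src (\S+) dst (\S+)\s+dir (\w+).*?tmpl src (\S+) dst (\S+)"
                     r".*?reqid (\d+)", re.S)
    pols = []
    for block in re.split(r"\n(?=src )", text.strip()):
        m = pat.match(block)
        if m:
            pols.append((ipaddress.ip_network(m[1]), ipaddress.ip_network(m[2]),
                         m[3], m[4], m[5], int(m[6])))
    return pols

def parse_states(text):
    """Each SA -> (outer_src, outer_dst, reqid); auth/enc lines are ignored."""
    pat = r"src (\S+) dst (\S+)\s+proto esp .*?reqid (\d+)"
    return {(m[1], m[2], int(m[3])) for m in re.finditer(pat, text)}

def tunnel_for(src_ip, dst_ip, policies, states):
    """Classify a flow like the kernel's xfrm output lookup: 'encap:<peer>' if an
    out policy matches and its template has an SA, 'policy-but-no-sa' if the
    policy exists without an SA, 'no-policy' if the flow is not selected."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, direction, tsrc, tdst, reqid in policies:
        if direction == "out" and s in src_net and d in dst_net:
            if (tsrc, tdst, reqid) in states:
                return f"encap:{tdst}"
            return "policy-but-no-sa"
    return "no-policy"
```

When the result is `encap:<peer>` but tcpdump on the public interface still shows no ESP, the selector and SA side is accounted for and the remaining suspects are the plain-IP route chosen for the destination (`ip route get <dst>`) and any filtering on the output path.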
