[Openswan Users] site to site ipsec VPN. local endpoint replies with a host unreachable.
Paul Wouters
paul at nohats.ca
Sun Nov 24 17:45:52 UTC 2013
On Sat, 23 Nov 2013, Michael Closson wrote:
> Site to site VPN, ping from local site, local VPN endpoint generates ICMP
> host unreachable.
>
> I'm using CentOS 6.4
> Openswan IPsec U2.6.32/K2.6.32-358.23.2.el6.x86_64...
>
> The remote side is the IaaS company SoftLayer.
>
> Here is the network map
>
> 172.16.0.0/16
> |
> 172.16.1.201==24.212.xxx.xxx --- 173.192.251.47
> |
> |
> ???
> |
> |
> 10.100.128.128/26
>
> If I run 'ping 10.100.128.130' on 172.16.1.18, then 172.16.1.201 replies
> with ICMP host unreachable.
> Here is my ipsec config file. (lambda is 172.16.1.201)
>
> [root at lambda ipsec.d]# cat softlayer.conf
> conn softlayer
>         type=tunnel
>         authby=secret
>         auto=start
>         left=%defaultroute
>         leftsubnet=172.16.0.0/16
>         leftsourceip=172.16.1.201
>         right=173.192.251.47
>         rightsubnet=10.100.128.128/26
>         pfs=yes
That looks good.
> [root at lambda ipsec.d]# ip xfrm state
> src 173.192.251.47 dst 24.212.xxx.xxx
> proto esp spi 0xd04fb5e2 reqid 16385 mode tunnel
> replay-window 32 flag 20
> auth hmac(sha1) 0xc8e849ee498bbe3453dfa2a9a84e837926fe9675
> enc cbc(aes) 0xa98dee1f3574083b2d19ed95699f92e4
> src 24.212.xxx.xxx dst 173.192.251.47
> proto esp spi 0xd3636bcf reqid 16385 mode tunnel
> replay-window 32 flag 20
> auth hmac(sha1) 0xf28bd49f9608e03e0130784a829054e1038a3fe4
> enc cbc(aes) 0xc73abb30f3078aa3a382ec2daad50ea5
>
> [root at lambda ipsec.d]# ip xfrm policy | head -12
> src 172.16.0.0/16 dst 10.100.128.128/26
> dir out priority 2598 ptype main
> tmpl src 24.212.xxx.xxx dst 173.192.251.47
> proto esp reqid 16385 mode tunnel
> src 10.100.128.128/26 dst 172.16.0.0/16
> dir fwd priority 2598 ptype main
> tmpl src 173.192.251.47 dst 24.212.xxx.xxx
> proto esp reqid 16385 mode tunnel
> src 10.100.128.128/26 dst 172.16.0.0/16
> dir in priority 2598 ptype main
> tmpl src 173.192.251.47 dst 24.212.xxx.xxx
> proto esp reqid 16385 mode tunnel
Same here, look good. Perhaps there is an ESP filter somewhere? Try adding
forceencaps=yes to force ESPinUDP?
Paul
--
Libreswan Developer - https://libreswan.org/
Red Hat Security - http://people.redhat.com/pwouters/
Personal Blog - https://nohats.ca/
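The reply above points at the usual next step when the SAs and policies look right but the tunnel still fails: find out whether ESP is actually travelling in both directions before suspecting a filter and switching to ESPinUDP. The helper below is an added example, not part of the thread and not Openswan or Libreswan code. It parses the output of `ip -s xfrm state` (the same listing as in the thread, but with the per-SA byte and packet counters that the `-s` flag adds) and classifies the tunnel from the local gateway's point of view. The sample output embedded in the script is constructed: addresses follow the thread, `24.212.0.1` stands in for the masked `24.212.xxx.xxx`, the key material is a placeholder, and the counter values are invented.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread): compare the packet counters of the
# outbound and inbound ESP SAs as reported by `ip -s xfrm state`.
#
# Reading of the result:
#   ok        - both SAs carry packets; IPsec itself is working
#   no-return - we emit ESP but never receive any: suspect ESP being dropped on the
#               path or by a local firewall (the case where forceencaps=yes helps)
#   idle      - nothing sent: the out policy is not matching, or the traffic never
#               reaches the gateway

# Constructed sample of `ip -s xfrm state` output. Keys are placeholders.
SAMPLE_STATE='src 173.192.251.47 dst 24.212.0.1
        proto esp spi 0xd04fb5e2 reqid 16385 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0xPLACEHOLDERKEY
        enc cbc(aes) 0xPLACEHOLDERKEY
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
        lifetime current:
          0(bytes), 0(packets)
        stats:
          replay-window 0 replay 0 failed 0
src 24.212.0.1 dst 173.192.251.47
        proto esp spi 0xd3636bcf reqid 16385 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0xPLACEHOLDERKEY
        enc cbc(aes) 0xPLACEHOLDERKEY
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
        lifetime current:
          1848(bytes), 22(packets)
        stats:
          replay-window 0 replay 0 failed 0'

# A second constructed sample where both directions carry traffic.
SAMPLE_STATE_OK='src 173.192.251.47 dst 24.212.0.1
        lifetime current:
          1680(bytes), 20(packets)
src 24.212.0.1 dst 173.192.251.47
        lifetime current:
          1848(bytes), 22(packets)'

# sa_packet_counts STATE_TEXT
# Prints one line per SA: "<src> <dst> <packets>".
sa_packet_counts() {
    printf '%s\n' "$1" | awk '
        $1 == "src" && $3 == "dst" { src = $2; dst = $4; next }
        $1 == "lifetime" && $2 == "current:" { want = 1; next }
        want == 1 {
            n = $0
            sub(/^[ \t]*/, "", n)          # strip indentation
            sub(/^[^,]*, */, "", n)        # drop the "N(bytes), " part
            sub(/\(packets\).*$/, "", n)   # keep only the packet count
            print src, dst, n
            want = 0
        }'
}

# esp_direction_check LOCAL_PUBLIC_IP STATE_TEXT
# Sums packets over SAs whose src is us (outbound) and whose dst is us (inbound).
esp_direction_check() {
    local_ip="$1"
    counts=$(sa_packet_counts "$2")
    outbound=$(printf '%s\n' "$counts" | awk -v me="$local_ip" '$1 == me { s += $3 } END { print s + 0 }')
    inbound=$(printf '%s\n' "$counts"  | awk -v me="$local_ip" '$2 == me { s += $3 } END { print s + 0 }')
    if [ "$outbound" -gt 0 ] && [ "$inbound" -gt 0 ]; then
        echo ok
    elif [ "$outbound" -gt 0 ]; then
        echo no-return
    else
        echo idle
    fi
}

# Stand-alone run against the constructed samples.
echo "sample 1: $(esp_direction_check 24.212.0.1 "$SAMPLE_STATE")"
echo "sample 2: $(esp_direction_check 24.212.0.1 "$SAMPLE_STATE_OK")"
```

On the gateway itself the call would be `esp_direction_check <local public address> "$(ip -s xfrm state)"`, run once before and once after a ping from the LAN so the counters have a chance to move. A `no-return` result with a growing outbound counter is the pattern that points at ESP (IP protocol 50) being filtered between the two endpoints, which is when testing `forceencaps=yes` (ESP inside UDP/4500) makes sense; an `idle` result means the problem is earlier, in policy matching or routing, not in ESP transport.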