[Openswan Users] Site-to-site tunnel established but connections not working

Felipe Machado felipe at s10i.com.br
Tue Sep 17 20:35:14 UTC 2013


Hello everyone,

First of all, I'm sorry. I'm very new to openswan, so I couldn't come up
with a better subject, as I don't know where my problem lies exactly.

So on to the problem. In a nutshell, what I need is: to create a VPN subnet
that will connect to an outer VPN (outside my control, controlled by cisco
hardware) so I can connect machines on my VPN to a server lying on the
outer VPN.

Let me parametrize some things:

We have a subnet of fixed public IPs, let's say A.A.A.0/24.
All of these IPs are blocked on all ports. Well, all but one, which is our
public server, with IP, let's say, A.A.A.1 (let's call it machine A).

So, I installed openswan on machine A and configured it so other computers
could connect to it (using L2TP and PPP), thus creating the VPN subnet
172.22.1.0/24. That worked well, and I can connect to machine A from my
laptop and access the internet through it (that is, I can see the traffic
being routed through machine A). This is the configuration I used for
ipsec.conf:

config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.22.1.0/24,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    ikelifetime=8h
    keylife=1h
    type=transport
    left=A.A.A.1
    leftid=@A
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    forceencaps=yes

The main purpose of this VPN was to connect it with the outer VPN I
mentioned. So there is a VPN with subnet C.C.C.0/24 behind the public IP
B.B.B.B (let's call this public IP machine B).

I configured the site-to-site tunnel with the following options on
ipsec.conf:

conn AtoB
    authby=secret
    forceencaps=yes
    right=B.B.B.B
    rightsubnet=C.C.C.0/24
    rightid=B.B.B.B
    left=A.A.A.1
    leftsubnet=172.22.1.0/24
    leftid=A.A.A.1
    leftsourceip=172.22.1.1
    keyexchange=ike
    ikelifetime=480m
    keylife=60m
    ike=3des-sha1;modp1024
    phase2=esp
    phase2alg=3des-sha1;modp1024
    auto=start

(also, the shared key is on ipsec.secrets)

From what I see in /var/log/auth.log, the tunnel seems to be up correctly:

STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x22ce104a
<0xee6f5fcf xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=B.B.B.B:4500 DPD=none}

This is what *ipsec setup status* says:

IPsec running  - pluto pid: 16468
pluto pid 16468
6 tunnels up
some eroutes exist

Output from *ip xfrm policy*:

src 172.22.1.0/24 dst C.C.C.0/24
dir out priority 2344
tmpl src A.A.A.1 dst B.B.B.B
proto esp reqid 16393 mode tunnel
src C.C.C.0/24 dst 172.22.1.0/24
dir fwd priority 2344
tmpl src B.B.B.B dst A.A.A.1
proto esp reqid 16393 mode tunnel
src C.C.C.0/24 dst 172.22.1.0/24
dir in priority 2344
tmpl src B.B.B.B dst A.A.A.1
proto esp reqid 16393 mode tunnel
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0

Output from *ip xfrm state*:

src B.B.B.B dst A.A.A.1
proto esp spi 0xd975bef6 reqid 16393 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0xb8f35f24c4e6e5b8b276ff87c54ff505f81516ce 96
enc cbc(des3_ede) 0x697f5905b38b0253745796600db14eae49ed07858df03477
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src A.A.A.1 dst B.B.B.B
proto esp spi 0xfc41a87b reqid 16393 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0xa6e92befa1f12f71ed9ecb480f6e4c52669f9c8f 96
enc cbc(des3_ede) 0xe6f9383a1b8db9344a97934471a8cd63eb0f85e072a66f2f
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0


So, as far as I know, everything should be working! But I can't access any
IP on the C.C.C.0/24 subnet. I tried doing some traceroutes, and it goes
through machine A, but from there it tries to find the IP C.C.C.1 directly,
and not through the IP B.B.B.B (machine B, the outer VPN gateway).

I'm running openswan 2.6.37-1 on Ubuntu 12.04 kernel 3.2.0-52-generic-pae!

Any input will be appreciated! If any other info is required, just mention
and I'll send it!

Thanks,
Felipe
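Editor's note, added after Felipe's message and not part of it: "6 tunnels up" in ipsec setup status and the SAs in ip xfrm state only prove that keys were negotiated. Whether a particular packet is encrypted is decided by the kernel's SPD lookup, which matches the packet's addresses (and, where present, protocol and ports) against a "dir out" policy selector; the ip xfrm policy dump quoted above is that table. The Python below is example code written for this page, not Openswan's, and parses that dump format to report which policy a given flow would hit. The embedded dump is constructed from the one in the post, with documentation addresses in place of the placeholders (A.A.A.1 -> 198.51.100.1, B.B.B.B -> 203.0.113.1, C.C.C.0/24 -> 10.20.30.0/24); the function names parse_policy_dump, flow_matches and lookup are my own.

```python
# Added example (editor's code, not from the post): which `ip xfrm policy` entry
# would a given flow hit?  SAMPLE_POLICY_DUMP is constructed from the dump in the
# post, with documentation addresses standing in for the placeholders:
# A.A.A.1 -> 198.51.100.1, B.B.B.B -> 203.0.113.1, C.C.C.0/24 -> 10.20.30.0/24.
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

SAMPLE_POLICY_DUMP = """\
src 172.22.1.0/24 dst 10.20.30.0/24
    dir out priority 2344
    tmpl src 198.51.100.1 dst 203.0.113.1
        proto esp reqid 16393 mode tunnel
src 10.20.30.0/24 dst 172.22.1.0/24
    dir fwd priority 2344
    tmpl src 203.0.113.1 dst 198.51.100.1
        proto esp reqid 16393 mode tunnel
src 10.20.30.0/24 dst 172.22.1.0/24
    dir in priority 2344
    tmpl src 203.0.113.1 dst 198.51.100.1
        proto esp reqid 16393 mode tunnel
src ::/0 dst ::/0
    socket out priority 0
"""


@dataclass
class Policy:
    src: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    dst: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    direction: str = "?"         # in / out / fwd
    per_socket: bool = False     # "socket in/out": bound to one socket, not global
    priority: int = 0            # lower value wins in the kernel's SPD lookup
    proto: Optional[str] = None  # optional selector parts; None means "any"
    sport: Optional[int] = None
    dport: Optional[int] = None
    templates: List[Dict[str, object]] = field(default_factory=list)


SEL_RE = re.compile(r"^src (\S+) dst (\S+)(.*)$")
DIR_RE = re.compile(r"^(socket|dir) (\S+)(?:.*? priority (\d+))?")
TMPL_RE = re.compile(r"^tmpl src (\S+) dst (\S+)")
TMPL_DETAIL_RE = re.compile(r"^proto (\S+) reqid (\d+) mode (\S+)")


def parse_policy_dump(text: str) -> List[Policy]:
    """Parse `ip xfrm policy` output into Policy records, one per selector."""
    policies: List[Policy] = []
    cur: Optional[Policy] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SEL_RE.match(line)):  # a selector line starts a new policy
            src, dst, rest = m.groups()
            cur = Policy(ipaddress.ip_network(src, strict=False),
                         ipaddress.ip_network(dst, strict=False))
            toks = rest.split()  # e.g. "proto udp sport 1701" on an L2TP policy
            opts = dict(zip(toks[0::2], toks[1::2]))
            cur.proto = opts.get("proto")
            cur.sport = int(opts["sport"]) if "sport" in opts else None
            cur.dport = int(opts["dport"]) if "dport" in opts else None
            policies.append(cur)
        elif cur is None or not line:
            continue  # unknown or blank lines (mark, if_id, ...) are ignored
        elif (m := DIR_RE.match(line)):
            kind, cur.direction, prio = m.groups()
            cur.per_socket = kind == "socket"
            cur.priority = int(prio) if prio else 0
        elif (m := TMPL_RE.match(line)):
            cur.templates.append({"src": m.group(1), "dst": m.group(2)})
        elif (m := TMPL_DETAIL_RE.match(line)) and cur.templates:
            cur.templates[-1].update(proto=m.group(1), reqid=int(m.group(2)),
                                     mode=m.group(3))
    return policies


def flow_matches(p: Policy, src: str, dst: str, proto: Optional[str] = None,
                 sport: Optional[int] = None, dport: Optional[int] = None) -> bool:
    """True if p's selector covers the flow (an address-family mismatch is False)."""
    if ipaddress.ip_address(src) not in p.src or ipaddress.ip_address(dst) not in p.dst:
        return False
    return all(want is None or want == have
               for want, have in ((p.proto, proto), (p.sport, sport), (p.dport, dport)))


def lookup(policies: List[Policy], direction: str, src: str, dst: str,
           proto: Optional[str] = None, sport: Optional[int] = None,
           dport: Optional[int] = None) -> Optional[Policy]:
    """Global policy the kernel would apply to this flow, or None.  Per-socket
    entries are skipped (they bind only to the socket that installed them, e.g.
    pluto's own IKE socket); among the hits the lowest priority value wins."""
    hits = [p for p in policies if not p.per_socket and p.direction == direction
            and flow_matches(p, src, dst, proto, sport, dport)]
    return min(hits, key=lambda p: p.priority, default=None)


if __name__ == "__main__":
    pols = parse_policy_dump(SAMPLE_POLICY_DUMP)
    for src in ("172.22.1.10", "198.51.100.1"):  # a PPP client vs. A's own address
        hit = lookup(pols, "out", src, "10.20.30.1")
        print(src, "-> 10.20.30.1:", hit.templates if hit else "no matching xfrm policy")
```

Run stand-alone, it reports the ESP tunnel template (198.51.100.1 -> 203.0.113.1, reqid 16393) for a flow from a PPP client address to the remote subnet, and no policy at all for the same destination when the source is machine A's own public address, because the selector only covers 172.22.1.0/24. That second check is the one worth repeating against a live ip xfrm policy dump with whatever source address the packets leaving A actually carry: a flow that no "dir out" selector covers is simply routed, not encrypted, however many SAs are up. The parser also honours the proto/sport/dport parts that transport-mode L2TP policies carry, skips the "socket in/out" entries (those belong to pluto's sockets, not to forwarded traffic), and ignores attributes it does not model, such as "action block" or mark lines on newer iproute2.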