[Openswan Users] Openswan does not appear to create the correct routes on both sides
Paul Young
paul at arkig.com
Wed Sep 18 08:49:21 UTC 2013
Hi Everyone,
I am in the deep end with Openswan and possibly the following will show
that. Apologies!
So far I have been relying heavily on this -
http://www.jacco2.dds.nl/networking/openswan-l2tp.html
A little bit of background first. We have just opened a new office and
not all the infrastructure is in place as yet.
So the idea is to use a site to site VPN back to the current office so that
all resources can be reached.
There is a server acting as the Openswan VPN/gateway etc. in both offices,
current office and new office.
The current office has a number of site to site configs already in place to
third parties. I have configured a server side which looks like this:
conn server
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    type=transport
    forceencaps=yes
    right=%any
    #rightsubnet=vhost:%priv,%no
    rightprotoport=17/%any
    # Using the magic port of "0" means "any one single port". This is
    # a work around required for Apple OSX clients that use a randomly
    # high port, but propose "0" instead of their port. Could also be 17/%any
    left=<my outside fixed IP address>
    leftnexthop=<my outside fixed IP address next hop>
    leftprotoport=17/1701
    # Apple iOS doesn't send delete notify so we need dead peer detection
    # to detect vanishing clients
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
Behind that are some ppp and xl2tpd settings that work well for some of our
remote types, but I am looking at pure IPsec at this point.
In the new office I have set up a conn like this:
conn aconn
    authby=secret
    left=192.168.3.3
    #left=%any
    leftid=@vpn
    leftnexthop=%defaultroute
    leftsourceip=192.168.3.3
    leftsubnet=192.168.3.0/24
    right=<my outside fixed IP address>
    rightsubnets={10.134.162.59/32 10.134.210.64/28 192.168.1.0/24}
    type=tunnel
    auto=start
    pfs=no
    salifetime=28800s
    ikelifetime=86400s
It sits behind a router so left is the local interface. And the subnets are
back in the current office.
It comes up ok:
# service ipsec status
IPsec running - pluto pid: 11869
pluto pid 11869
3 tunnels up
some eroutes exist
I see the routes come up ok on the new office side:
# ip xfrm policy
src 192.168.3.0/24 dst 10.134.162.59/32
    dir out priority 2336 ptype main
    tmpl src 192.168.3.3 dst 203.215.150.142
        proto esp reqid 16385 mode tunnel
src 10.134.162.59/32 dst 192.168.3.0/24
    dir fwd priority 2336 ptype main
    tmpl src 203.215.150.142 dst 192.168.3.3
        proto esp reqid 16385 mode tunnel
src 10.134.162.59/32 dst 192.168.3.0/24
    dir in priority 2336 ptype main
    tmpl src 203.215.150.142 dst 192.168.3.3
        proto esp reqid 16385 mode tunnel
src 192.168.3.0/24 dst 10.134.210.64/28
    dir out priority 2340 ptype main
    tmpl src 192.168.3.3 dst 203.215.150.142
        proto esp reqid 16389 mode tunnel
src 10.134.210.64/28 dst 192.168.3.0/24
    dir fwd priority 2340 ptype main
    tmpl src 203.215.150.142 dst 192.168.3.3
        proto esp reqid 16389 mode tunnel
src 10.134.210.64/28 dst 192.168.3.0/24
    dir in priority 2340 ptype main
    tmpl src 203.215.150.142 dst 192.168.3.3
        proto esp reqid 16389 mode tunnel
src 192.168.3.0/24 dst 192.168.1.0/24
    dir out priority 2344 ptype main
    tmpl src 192.168.3.3 dst 203.215.150.142
        proto esp reqid 16393 mode tunnel
src 192.168.1.0/24 dst 192.168.3.0/24
    dir fwd priority 2344 ptype main
    tmpl src 203.215.150.142 dst 192.168.3.3
        proto esp reqid 16393 mode tunnel
src 192.168.1.0/24 dst 192.168.3.0/24
    dir in priority 2344 ptype main
    tmpl src 203.215.150.142 dst 192.168.3.3
        proto esp reqid 16393 mode tunnel
I can't ping anything back in the current office from the new office, even
though I can see encapsulated traffic going across at the time of my ping;
nothing comes back.
I also don't see anything being created in the xfrm policy for the current
office, and if I add a rightsubnet(s) line to the current office config then
the road runner types can't connect.
Is what I am trying to do even possible?
Thanks,
Paul
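As an added diagnostic (not from the post, and not Openswan's own tooling): a shell script that reduces `ip xfrm policy` output to its traffic selectors, derives from one gateway's policies the mirror-image policies the other gateway must carry for the same tunnel, and lists any the peer lacks. The sample policy text is constructed from the shape of the output above (first subnet only); the peer's `tmpl` endpoints are illustrative, since a gateway behind NAT is seen by its public address rather than 192.168.3.3.

```shell
#!/bin/sh
# Added example (not from the post or from Openswan): compare the IPsec
# policies on two gateways and list what the peer is missing.

# Reduce `ip xfrm policy` text on stdin to one "dir src dst" line per policy.
# Only the "src ... dst ..." header and the following "dir ..." line matter;
# "tmpl", "proto" and "socket" lines are skipped.
xfrm_selectors() {
    awk '
        /^src /        { src = $2; dst = $4 }
        /^[ \t]*dir /  { print $2, src, dst }
    ' | sort -u
}

# For each local selector, print the selector the peer must carry for the
# same traffic: a local "out" policy needs an "in" and a "fwd" policy on
# the peer with the same src/dst, and a local "in" needs a peer "out".
# Local "fwd" entries add nothing beyond what "in" already implies.
expected_peer() {
    awk '
        $1 == "out" { print "in", $2, $3; print "fwd", $2, $3 }
        $1 == "in"  { print "out", $2, $3 }
    ' | sort -u
}

# missing_on_peer LOCAL_TEXT PEER_TEXT
# Prints every "dir src dst" the peer should have but does not.
missing_on_peer() {
    expected=$(printf '%s\n' "$1" | xfrm_selectors | expected_peer)
    actual=$(printf '%s\n' "$2" | xfrm_selectors)
    printf '%s\n' "$expected" | have="$actual" awk '
        BEGIN { n = split(ENVIRON["have"], a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        NF && !($0 in seen)
    '
}

# Constructed sample: new-office side, first subnet only, in the shape of
# the `ip xfrm policy` output shown in the post.
NEW_OFFICE='src 192.168.3.0/24 dst 10.134.162.59/32
    dir out priority 2336 ptype main
    tmpl src 192.168.3.3 dst 203.215.150.142
        proto esp reqid 16385 mode tunnel
src 10.134.162.59/32 dst 192.168.3.0/24
    dir fwd priority 2336 ptype main
    tmpl src 203.215.150.142 dst 192.168.3.3
        proto esp reqid 16385 mode tunnel
src 10.134.162.59/32 dst 192.168.3.0/24
    dir in priority 2336 ptype main
    tmpl src 203.215.150.142 dst 192.168.3.3
        proto esp reqid 16385 mode tunnel'

# Constructed sample: what the current-office side should show once a
# matching tunnel conn is up (tmpl endpoints illustrative; a gateway behind
# NAT is seen by its public address, not 192.168.3.3).
CURRENT_OFFICE_OK='src 10.134.162.59/32 dst 192.168.3.0/24
    dir out priority 2336 ptype main
    tmpl src 203.215.150.142 dst 192.168.3.3
        proto esp reqid 16385 mode tunnel
src 192.168.3.0/24 dst 10.134.162.59/32
    dir fwd priority 2336 ptype main
    tmpl src 192.168.3.3 dst 203.215.150.142
        proto esp reqid 16385 mode tunnel
src 192.168.3.0/24 dst 10.134.162.59/32
    dir in priority 2336 ptype main
    tmpl src 192.168.3.3 dst 203.215.150.142
        proto esp reqid 16385 mode tunnel'

# Real use: `ip xfrm policy > new.txt` on one gateway, `> cur.txt` on the
# other, then: missing_on_peer "$(cat new.txt)" "$(cat cur.txt)"
# Here the peer has no policies at all, as reported in the post, so all
# three selectors it should carry are printed.
missing_on_peer "$NEW_OFFICE" ""
```

Anything the script prints is a selector the far gateway never installed for this tunnel, which is exactly the situation where ESP leaves one side and nothing returns: the kernel on the far side has no matching `in`/`fwd` policy to accept the packets, and no `out` policy to send replies back through the tunnel. Run it once per direction (swap the two arguments) to check both gateways.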