[Openswan Users] overlapping left/right networks

Dmitry Chirikov dmitry at chirikov.ru
Thu Dec 4 08:04:15 EST 2014 

I am new in OpenSwan and ipsec, so please guide me carefully :)

My local network is 10.12.3.0/24. I need to get access to
networks: 10.12.0.{0,1,2}/24
My "right" side owns some Cisco device and playing some kind of "hub" role
asks me to set:
        leftsubnet=10.12.3.0/24
        rightsubnet=10.12.0.0/16
If I am setting it that way I immediately loosing the connection to my
local 3.0/24 network peers, And that looks obvious for me, because AFAIK,
routing decision goes after encryption. Mediation to tcpdump, iptables
counters and ip xfrm monitor outputs confirm my suggestions.

Can I tune my ipsec configuration somehow to fix it?

Before writing to this list I tried to fix it by tuning xfrm subsystem by
removing overlapping networks, like:
leftupdown="/etc/ipsec.d/updown.sh"

cat /etc/ipsec.d/updown.sh

if [ $PLUTO_VERB = 'up-client' ] ; then
        logger "$PLUTO_VERB detected. Will apply SUDOE xfrm patch. See $0
for details"
        ip xfrm policy del dir in src 10.12.0.0/16 dst 10.12.3.0/24 >
/dev/null 2>&1
        ip xfrm policy del dir fwd src 10.12.0.0/16 dst 10.12.3.0/24 >
/dev/null 2>&1
        ip xfrm policy del dir out src 10.12.3.0/24 dst 10.12.0.0/16 >
/dev/null 2>&1
        ip xfrm policy add dir in src 10.12.2.0/24 dst 10.12.3.0/24
priority 16385 tmpl src 178.255.105.19 dst 193.52.26.135 proto esp reqid
16385 mode tunnel > /dev/null 2>&1
        ip xfrm policy add dir fwd src 10.12.2.0/24 dst 10.12.3.0/24
priority 16385 tmpl src 178.255.105.19 dst 193.52.26.135 proto esp reqid
16385 mode tunnel > /dev/null 2>&1
        ip xfrm policy add dir out src 10.12.3.0/24 dst 10.12.2.0/24
priority 16385 tmpl src 193.52.26.135 dst 178.255.105.19 proto esp reqid
16385 mode tunnel > /dev/null 2>&1
        ip xfrm policy add dir fwd src 10.12.1.0/24 dst 10.12.3.0/24
priority 16385 tmpl src 178.255.105.19 dst 193.52.26.135 proto esp reqid
16385 mode tunnel > /dev/null 2>&1
        ip xfrm policy add dir out src 10.12.3.0/24 dst 10.12.1.0/24
priority 16385 tmpl src 193.52.26.135 dst 178.255.105.19 proto esp reqid
16385 mode tunnel > /dev/null 2>&1
        ip xfrm policy add dir in src 10.12.0.0/24 dst 10.12.3.0/24
priority 16385 tmpl src 178.255.105.19 dst 193.52.26.135 proto esp reqid
16385 mode tunnel > /dev/null 2>&1
        ip xfrm policy add dir fwd src 10.12.0.0/24 dst 10.12.3.0/24
priority 16385 tmpl src 178.255.105.19 dst 193.52.26.135 proto esp reqid
16385 mode tunnel > /dev/null 2>&1
        ip xfrm policy add dir out src 10.12.3.0/24 dst 10.12.0.0/24
priority 16385 tmpl src 193.52.26.135 dst 178.255.105.19 proto esp reqid
16385 mode tunnel > /dev/null 2>&1

But it is working only for couple of hours. The overlapping record are back
after some time:
# ip xfrm policy  | grep -A3 "\/16"
src 10.12.3.0/24 dst 10.12.0.0/16
        dir out priority 2352 ptype main
        tmpl src 193.52.26.135 dst 178.255.105.19
                proto esp reqid 16385 mode tunnel

And (that is very wierd) these lines are not dissapearing after restart
ipsec service:
# ip xfrm policy  | grep "src 10"
src 10.12.3.0/24 dst 10.12.0.0/16
src 10.12.3.0/24 dst 10.12.0.0/24
src 10.12.0.0/24 dst 10.12.3.0/24
src 10.12.0.0/24 dst 10.12.3.0/24
src 10.12.3.0/24 dst 10.12.1.0/24
src 10.12.1.0/24 dst 10.12.3.0/24
src 10.12.3.0/24 dst 10.12.2.0/24
src 10.12.2.0/24 dst 10.12.3.0/24
src 10.12.2.0/24 dst 10.12.3.0/24
# service ipsec stop; service ipsec start
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-431.el6.x86_64...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in
/proc/sys/crypto/fips_enabled
# ip xfrm policy  | grep "src 10"
src 10.12.3.0/24 dst 10.12.0.0/16
src 10.12.3.0/24 dst 10.12.0.0/24
src 10.12.0.0/24 dst 10.12.3.0/24
src 10.12.0.0/24 dst 10.12.3.0/24
src 10.12.3.0/24 dst 10.12.1.0/24
src 10.12.1.0/24 dst 10.12.3.0/24
src 10.12.3.0/24 dst 10.12.2.0/24
src 10.12.2.0/24 dst 10.12.3.0/24
src 10.12.2.0/24 dst 10.12.3.0/24

and going away only with manual deleting:
# ip xfrm policy del dir out src 10.12.3.0/24 dst 10.12.0.0/16
# ip xfrm policy  | grep "src 10"
src 10.12.3.0/24 dst 10.12.0.0/24
src 10.12.0.0/24 dst 10.12.3.0/24
src 10.12.0.0/24 dst 10.12.3.0/24
src 10.12.3.0/24 dst 10.12.1.0/24
src 10.12.1.0/24 dst 10.12.3.0/24
src 10.12.3.0/24 dst 10.12.2.0/24
src 10.12.2.0/24 dst 10.12.3.0/24
src 10.12.2.0/24 dst 10.12.3.0/24
# service ipsec stop; service ipsec start >/dev/null 2>&1
ipsec_setup: Stopping Openswan IPsec...
# ip xfrm policy  | grep "src 10"
src 10.12.3.0/24 dst 10.12.0.0/24
src 10.12.0.0/24 dst 10.12.3.0/24
src 10.12.0.0/24 dst 10.12.3.0/24
src 10.12.3.0/24 dst 10.12.1.0/24
src 10.12.1.0/24 dst 10.12.3.0/24
src 10.12.3.0/24 dst 10.12.2.0/24
src 10.12.2.0/24 dst 10.12.3.0/24
src 10.12.2.0/24 dst 10.12.3.0/24

So I have 3 options to fix it:
1) To make "right" side not to use overlapping networks
2) To tune ipsec configuration
3) To fix xfrm permanent

My versions:
# uname -r
2.6.32-431.el6.x86_64
# cat /etc/redhat-release
Scientific Linux release 6.6 (Carbon)
# rpm -qf /etc/ipsec.conf
openswan-2.6.32-37.el6.x86_64
# ipsec --version
Linux Openswan U2.6.32/K2.6.32-431.el6.x86_64 (netkey)

Thank you in advance.

Kind regards,
Dmitry
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20141204/4cdd94f2/attachment.html>

More information about the Users mailing list