[Openswan Users] Traffic from routed net not going through tunnel?
John E.P. Hynes
john at hytronix.com
Fri Jul 25 13:59:31 EDT 2014
Greetings,
I have just set up a tunnel from a Linux/OpenSWAN firewall to a Cisco
device at my service provider. The logical setup looks like this:
(10/8, 172.16/12, 192.168/16 networks) -> Linux Firewall Private IF (10.0.0.254) -> forwarding ->
Linux Firewall Public IF (111.222.333.444) -> Cisco Device Public IF (555.666.777.888) -> forwarding ->
Cisco Firewall Private IF (10.200.89.1) -> (10.200.89.0/24 network)
If I ping from the Linux firewall to hosts on the 10.200.89.0/24 net,
everything works. If I try to ping from one of the routed networks
behind the Linux firewall (say, from a host on 192.168.1.0/24) it
doesn't work.
The policy looks like it should go through the tunnel:
(relevant output of "ip xfrm policy" on Linux firewall)
src 10.200.89.0/24 dst 10.0.0.0/24
        dir in priority 2344 ptype main
        tmpl src 555.666.777.888 dst 111.222.333.444
                proto esp reqid 16385 mode tunnel
src 10.200.89.0/24 dst 10.0.0.0/24
        dir fwd priority 2344 ptype main
        tmpl src 555.666.777.888 dst 111.222.333.444
                proto esp reqid 16385 mode tunnel
src 10.0.0.0/24 dst 10.200.89.0/24
        dir out priority 2344 ptype main
        tmpl src 111.222.333.444 dst 555.666.777.888
                proto esp reqid 16385 mode tunnel
The routing table entry that gets created on the Linux firewall looks
like this:
10.200.89.0 * 255.255.255.0 U 0 0 0 eth1
(eth1 is the external, public IF 111.222.333.444)
When pinging from a routed network as described above, it fails - and
tcpdump on the public interface shows this:
13:52:04.084015 arp who-has 10.200.89.10 tell hostname.of.public.if
Which leads me to think that when the firewall forwards traffic from a
routed private network, it's trying to send it directly over the public
interface, and not through the tunnel. I'm ready to be wrong on that
though.
The ipsec.conf looks like this:

version 2.0

config setup
        interfaces=%defaultroute
        plutodebug=none
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=no
        uniqueids=yes
        nhelpers=0

conn RemoteCisco
        type=tunnel
        auth=esp
        authby=secret
        ike=aes256-sha1
        phase2alg=aes256-sha1
        pfs=no
        forceencaps=off
        ikev2=no
        aggrmode=off
        salifetime=28800s
        ikelifetime=3600s
        dpddelay=10
        dpdtimeout=30
        dpdaction=restart_by_peer
        rekey=yes
        keyingtries=%forever
        left=111.222.333.444
        leftsubnet=10.0.0.0/24
        leftnexthop=555.666.777.888
        leftsourceip=10.0.0.254
        right=555.666.777.888
        rightsubnet=10.200.89.0/24
        rightnexthop=111.222.333.444
        rightsourceip=10.200.89.1
        auto=start
Since this firewall is also a NAT gateway for these local networks, I
added the following line before my "nat everything going out" line
(which was):

$IPTABLES -t nat -A POSTROUTING -o $PUB_IF -m policy --dir out --pol none -j SNAT --to-source $PUB_IP

(line added before the above)

$IPTABLES -t nat -A POSTROUTING -o $PUB_IF -d 10.200.89.0/24 -j ACCEPT
(the -m policy --dir out --pol none stuff was just added today, as
suggested by someone on the IRC channel)
I also added a line to the forward rules to allow everything destined
for 10.200.89.0/24 to be accepted.
I'd appreciate some guidance on what to do to troubleshoot next, or if
anything looks obviously wrong that I've missed, please let me know. :)
Thanks,
-John
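An added example, not part of the original post and not Openswan's own code: on a netkey (XFRM) host, a forwarded packet is only steered into the IPsec tunnel if both its source and destination fall inside an `ip xfrm policy` entry with `dir out`; a packet that matches no out policy is left to the ordinary routing table, which on the firewall above has a plain route for 10.200.89.0/24 via eth1. The bash script below performs exactly that selector check. Its policy table is constructed from the `ip xfrm policy` output quoted in the post, and the two host addresses it tests (the firewall's own 10.0.0.254 and an assumed host 192.168.1.10 on one of the routed networks) are illustrative. Run against that table, the first source matches the out policy and the second matches none, which is consistent with the ARP request seen in the tcpdump. The script ignores policy priority and takes the first matching entry, which is enough for a table of this size.

```shell
#!/usr/bin/env bash
# Added example: would the kernel select an XFRM "out" policy for a given
# src/dst pair? Policy table constructed from the "ip xfrm policy" output in
# the post (format: "src_cidr dst_cidr dir"). On a live firewall you would
# build this list from "ip xfrm policy" instead.
XFRM_POLICIES='
10.200.89.0/24 10.0.0.0/24 in
10.200.89.0/24 10.0.0.0/24 fwd
10.0.0.0/24 10.200.89.0/24 out
'

# ip4_to_int A.B.C.D -> prints the address as a 32-bit integer
ip4_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR CIDR -> exit 0 if ADDR lies inside CIDR, 1 otherwise
in_cidr() {
    local addr net plen mask
    net=${2%/*}
    plen=${2#*/}
    mask=$(( plen == 0 ? 0 : (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "$net")
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# xfrm_out_match SRC DST -> prints the selector of the first "out" policy
# covering both addresses and exits 0; prints "NO POLICY" and exits 1 when
# the packet would bypass IPsec and follow the plain routing table.
# Simplification: priority is ignored, first match wins.
xfrm_out_match() {
    local src=$1 dst=$2 psrc pdst pdir
    while read -r psrc pdst pdir; do
        [ -z "$psrc" ] && continue
        [ "$pdir" = out ] || continue
        if in_cidr "$src" "$psrc" && in_cidr "$dst" "$pdst"; then
            echo "$psrc -> $pdst"
            return 0
        fi
    done <<EOF
$XFRM_POLICIES
EOF
    echo "NO POLICY"
    return 1
}

# Usage: the firewall's own source address vs an assumed host on a routed net.
for src in 10.0.0.254 192.168.1.10; do
    if sel=$(xfrm_out_match "$src" 10.200.89.10); then
        echo "$src -> 10.200.89.10: tunnelled by out policy $sel"
    else
        echo "$src -> 10.200.89.10: no out policy, follows the routing table in the clear"
    fi
done
```

On the firewall itself the equivalent checks are `ip xfrm policy` to list the selectors actually installed and `tcpdump -ni eth1 esp` to see whether the forwarded pings leave the public interface encapsulated at all; the `-m policy --dir out --pol none` match on the SNAT rule only helps once a packet has already been selected by an out policy.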