[Openswan Users] Traffic from routed net not going through tunnel?
John E.P. Hynes
john at hytronix.com
Fri Jul 25 14:27:10 EDT 2014
Oh - one additional thing:
If I ping from the private network that the private interface 10.0.0.254
is on, for instance, from 10.0.0.5 - it also works.
-John
On 07/25/2014 01:59 PM, John E.P. Hynes wrote:
> Greetings,
>
> I have just set up a tunnel from a Linux/OpenSWAN firewall to a Cisco
> device at my service provider. The logical setup looks like this:
>
> (10/8, 17.16/12, 192.168/16 networks)->Linux Firewall Private
> IF(10.0.0.254)->forwarding->
> Linux Firewall Public IF(111.222.333.444)->Cisco Device Public
> IF(555.666.777.888)->forwarding->
> Cisco Firewall Private IF(10.200.89.1)->(10.200.89.0/24 network)
>
> If I ping from the Linux firewall to hosts on the 10.200.89.0/24 net,
> everything works. If I try to ping from one of the routed networks
> behind the Linux firewall (say, from a host on 192.168.1.0/24) it
> doesn't work.
>
> The policy looks like it should go through the tunnel:
>
> (relevant output of "ip xfrm policy" on Linux firewall)
>
> src 10.200.89.0/24 dst 10.0.0.0/24
> dir in priority 2344 ptype main
> tmpl src 555.666.777.888 dst 111.222.333.444
> proto esp reqid 16385 mode tunnel
> src 10.200.89.0/24 dst 10.0.0.0/24
> dir fwd priority 2344 ptype main
> tmpl src 555.666.777.888 dst 111.222.333.444
> proto esp reqid 16385 mode tunnel
> src 10.0.0.0/24 dst 10.200.89.0/24
> dir out priority 2344 ptype main
> tmpl src 111.222.333.444 dst 555.666.777.888
> proto esp reqid 16385 mode tunnel
>
> The routing table entry that gets created on the Linux firewall looks
> like this:
>
> 10.200.89.0 * 255.255.255.0 U 0 0 0 eth1
>
> (eth1 is the external, public IF 111.222.333.444)
>
> When pinging from a routed network as described above, it fails - and
> tcpdump on the public interface shows this:
>
> 13:52:04.084015 arp who-has 10.200.89.10 tell hostname.of.public.if
>
> Which leads me to think that when the firewall forwards traffic from a
> routed private network, it's trying to send it directly over the
> public interface, and not through the tunnel. I'm ready to be wrong
> on that though.
>
> The ipsec.conf looks like this:
>
> version 2.0
>
> config setup
> interfaces=%defaultroute
> plutodebug=none
> protostack=netkey
> nat_traversal=yes
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> oe=no
> uniqueids=yes
> nhelpers=0
>
> conn RemoteCisco
> type=tunnel
> auth=esp
> authby=secret
> ike=aes256-sha1
> phase2alg=aes256-sha1
> pfs=no
> forceencaps=off
> ikev2=no
> aggrmode=off
> salifetime=28800s
> ikelifetime=3600s
> dpddelay=10
> dpdtimeout=30
> dpdaction=restart_by_peer
> rekey=yes
> keyingtries=%forever
> left=111.222.333.444
> leftsubnet=10.0.0.0/24
> leftnexthop=555.666.777.888
> leftsourceip=10.0.0.254
> right=555.666.777.888
> rightsubnet=10.200.89.0/24
> rightnexthop=111.222.333.444
> rightsourceip=10.200.89.1
> auto=start
>
> Since this firewall is also a NAT gateway for these local networks, I
> added the following line before my "nat everything going out" line
> (which was $IPTABLES -t nat -A POSTROUTING -o $PUB_IF -m policy --dir
> out --pol none -j SNAT --to-source $PUB_IP)
>
> (line added before above)
> $IPTABLES -t nat -A POSTROUTING -o $PUB_IF -d 10.200.89.0/24 -j ACCEPT
>
> (the -m policy --dir out --pol none stuff was just added today, as
> suggested by someone on the IRC channel)
>
> I also added a line to the forward rules to allow everything destined
> for 10.200.89.0/24 to be accepted.
>
> I'd appreciate some guidance on what to do to troubleshoot next, or
> if anything looks obviously wrong that I've missed, please let me
> know. :)
>
> Thanks,
>
> -John
>
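An added diagnostic, not part of the thread: the kernel only encrypts a forwarded packet when its source and destination fall inside the selector of a "dir out" xfrm policy, so a useful check is to parse the quoted "ip xfrm policy" output and test candidate source addresses against it. The policy text below is the sample from the post; the test addresses (10.0.0.5, 192.168.1.5, 10.200.89.10) are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the "ip xfrm policy" lines quoted in the post.
XFRM_POLICY = """\
src 10.200.89.0/24 dst 10.0.0.0/24
dir in priority 2344 ptype main
tmpl src 555.666.777.888 dst 111.222.333.444
proto esp reqid 16385 mode tunnel
src 10.200.89.0/24 dst 10.0.0.0/24
dir fwd priority 2344 ptype main
tmpl src 555.666.777.888 dst 111.222.333.444
proto esp reqid 16385 mode tunnel
src 10.0.0.0/24 dst 10.200.89.0/24
dir out priority 2344 ptype main
tmpl src 111.222.333.444 dst 555.666.777.888
proto esp reqid 16385 mode tunnel
"""

def parse_policies(text):
    """Parse 'ip xfrm policy' output into {src, dst, dir} selector dicts.
    Only 'src ... dst ...' and 'dir' lines matter; 'tmpl' lines are skipped."""
    policies, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^src (\S+) dst (\S+)$", line)
        if m:
            current = {"src": ipaddress.ip_network(m.group(1)),
                       "dst": ipaddress.ip_network(m.group(2))}
            continue
        m = re.match(r"^dir (\w+)", line)
        if m and current is not None:
            current["dir"] = m.group(1)
            policies.append(current)
            current = None
    return policies

def matching_policy(policies, src_ip, dst_ip, direction="out"):
    """Return the first policy whose selector covers src->dst in the given
    direction, or None: with no match the packet leaves in the clear."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p["dir"] == direction and src in p["src"] and dst in p["dst"]:
            return p
    return None

def uncovered_sources(policies, src_ips, dst_ip):
    """List the sources that no 'out' policy protects on the way to dst_ip."""
    return [s for s in src_ips if matching_policy(policies, s, dst_ip) is None]
```

With the quoted policy, 10.0.0.254 and 10.0.0.5 are covered while 192.168.1.5 is not, which matches the symptom of the firewall itself and the 10.0.0.0/24 hosts working and the routed networks failing.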