[Openswan Users] OPENSWAN VPN is up but traffic does not go through
Badi kenji
kelnji at yahoo.com
Wed Mar 19 11:02:31 EDT 2014
Hi All,
I am trying to implement a new tunnel to an already existing openswan setup
with 3 working tunnels. The tunnel comes up, however when I trace the remote
local IP, my traffic seems not to be going through the tunnel and goes
through the default route to the internet.
I have gone through so many documents online and I have also done some
debugging; however, I am not able to see the problem here. Kindly assist.
These are my configurations:
conn MM-AIR-VPN
    type=tunnel
    # IKE policy
    authby=secret
    pfs=no
    ike=3des-sha1
    ikelifetime=24h
    keyexchange=ike
    # IPsec policy
    phase2alg=3des-sha1
    phase2=esp
    keylife=8h
    ikev2=permit
    aggrmode=no
    # Local and remote gateway
    left=172.18.123.139
    leftid=197.24.xxx.xxx
    leftsubnet=172.18.123.140/32
    leftnexthop=%defaultroute
    right=41.223.xxx.xxx
    rightsubnet=10.10.254.114/32
    auto=start
<========debug logs========>
"MM-AIR-VPN" #1: extra debugging enabled for connection: raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo
| processing connection MM-AIR-VPN
| last Phase 1 IV: 11 f3 08 89 eb 30 69 23
| current Phase 1 IV: 11 f3 08 89 eb 30 69 23
| computed Phase 2 IV:
| c9 57 fc 75 68 e5 4c 8d b0 f4 18 a8 72 e9 69 9f
| 03 dd a1 23
| received encrypted packet from 41.223.xxx.xxx:4500
| decrypting 56 bytes using algorithm OAKLEY_3DES_CBC
| NSS: do_3des init start
| NSS: do_3des init end
| decrypted:
| 0b 00 00 18 59 05 9a 4a c8 09 56 5c e7 01 22 5a
| 7b 18 13 9e ff ff 67 54 00 00 00 20 00 00 00 01
| 01 10 8d 28 45 31 da d4 45 5b 6b 4a b9 01 19 69
| 18 03 2f ee 46 ee c8 13
| next IV: 8c 2e e3 a7 92 9d e5 b6
| got payload 0x100(ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0
| ***parse ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_N
| length: 24
| got payload 0x800(ISAKMP_NEXT_N) needed: 0x0 opt: 0x0
| ***parse ISAKMP Notification Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 32
| DOI: ISAKMP_DOI_IPSEC
| protocol ID: 1
| SPI size: 16
| Notify Message Type: R_U_THERE
| info: 45 31 da d4 45 5b 6b 4a b9 01 19 69 18 03 2f ee
| info: 46 ee c8 13
| processing informational R_U_THERE (36136)
| DPD: received R_U_THERE seq:1190053907 time:1395241246 (state=#1 name="MM-AIR-VPN")
| **emit ISAKMP Message:
| initiator cookie:
| 45 31 da d4 45 5b 6b 4a
| responder cookie:
| b9 01 19 69 18 03 2f ee
| next payload type: ISAKMP_NEXT_HASH
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_INFO
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: fc 12 18 53
| ***emit ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_N
| emitting 20 zero bytes of HASH into ISAKMP Hash Payload
| emitting length of ISAKMP Hash Payload: 24
| ***emit ISAKMP Notification Payload:
| next payload type: ISAKMP_NEXT_NONE
| DOI: ISAKMP_DOI_IPSEC
| protocol ID: 1
| SPI size: 16
| Notify Message Type: R_U_THERE_ACK
| emitting 8 raw bytes of notify icookie into ISAKMP Notification Payload
| notify icookie 45 31 da d4 45 5b 6b 4a
| emitting 8 raw bytes of notify rcookie into ISAKMP Notification Payload
| notify rcookie b9 01 19 69 18 03 2f ee
| emitting 4 raw bytes of notify data into ISAKMP Notification Payload
| notify data 46 ee c8 13
| emitting length of ISAKMP Notification Payload: 32
| HASH computed:
| 50 c9 a8 e0 1a c5 bf 93 9b 90 8f aa 5c a8 f1 1c
| e5 99 bc 68
| last Phase 1 IV: 11 f3 08 89 eb 30 69 23
| current Phase 1 IV: 11 f3 08 89 eb 30 69 23
| computed Phase 2 IV:
| b9 e0 e9 6f 69 f9 bb f1 f3 0a d3 29 c9 59 7c 36
| 28 7b 39 d2
| encrypting:
| 0b 00 00 18 50 c9 a8 e0 1a c5 bf 93 9b 90 8f aa
| 5c a8 f1 1c e5 99 bc 68 00 00 00 20 00 00 00 01
| 01 10 8d 29 45 31 da d4 45 5b 6b 4a b9 01 19 69
| 18 03 2f ee 46 ee c8 13
| IV:
| b9 e0 e9 6f 69 f9 bb f1 f3 0a d3 29 c9 59 7c 36
| 28 7b 39 d2
| unpadded size is: 56
| encrypting 56 using OAKLEY_3DES_CBC
| NSS: do_3des init start
| NSS: do_3des init end
| next IV: b1 cd f6 23 b1 b2 64 e3
| emitting length of ISAKMP Message: 84
| sending 84 bytes for ISAKMP notify through eth0:4500 to 41.223.59.226:4500 (using #1)
| 00 00 00 00 45 31 da d4 45 5b 6b 4a b9 01 19 69
| 18 03 2f ee 08 10 05 01 fc 12 18 53 00 00 00 54
| cf a5 8d 0a e7 eb b1 27 ca 01 44 3a d1 50 5a 22
| cc c5 ff c3 ae 44 e5 50 a9 81 51 c6 95 a4 99 e5
| 18 6e 99 09 67 d7 a7 08 a4 55 09 a1 1d de 1f 4b
| b1 cd f6 23 b1 b2 64 e3
| complete state transition with STF_IGNORE
<=====debug logs======>
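
An IPsec tunnel only carries packets whose source and destination both fall inside the connection's leftsubnet and rightsubnet; any other packet follows the ordinary routing table. The following is an added example, not part of the original post, that checks packets against the selectors from the configuration above. The function names and the sample packets are constructed for illustration.

```python
import ipaddress

# Constructed from the conn block in the post; the redacted address is kept as posted.
CONN_TEXT = """
conn MM-AIR-VPN
    left=172.18.123.139
    leftsubnet=172.18.123.140/32
    right=41.223.xxx.xxx
    rightsubnet=10.10.254.114/32
"""

def parse_conn(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def matches_tunnel(conn, src, dst):
    """True if a packet src->dst falls inside the conn's traffic selectors."""
    local = ipaddress.ip_network(conn["leftsubnet"], strict=False)
    remote = ipaddress.ip_network(conn["rightsubnet"], strict=False)
    return (ipaddress.ip_address(src) in local
            and ipaddress.ip_address(dst) in remote)

def classify(conn, packets):
    """Label each (src, dst) pair as 'tunnel' or 'default route'."""
    return [(s, d, "tunnel" if matches_tunnel(conn, s, d) else "default route")
            for s, d in packets]

if __name__ == "__main__":
    conn = parse_conn(CONN_TEXT)["MM-AIR-VPN"]
    # Constructed sample packets: (source, destination)
    samples = [
        ("172.18.123.140", "10.10.254.114"),  # inside both selectors
        ("172.18.123.139", "10.10.254.114"),  # sourced from the address in left=
        ("172.18.123.140", "10.10.254.115"),  # outside rightsubnet
    ]
    for src, dst, verdict in classify(conn, samples):
        print(f"{src} -> {dst}: {verdict}")
```

On a gateway using the NETKEY stack, `ip xfrm policy` lists the selectors the kernel actually installed, which can be compared against the same source and destination pairs.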