[Openswan Users] Tunnel up - packets sent thru - but no forwarding to target ! routing issue ?

Patrick Naubert patrickn at xelerance.com
Thu Nov 20 09:52:14 EST 2014


Rescued from the Spam bucket.  Please remember to subscribe to the mailing list before posting to it.

From: Gerhard Reuter <gerhard.reuter at bayer.com>
To: "users at lists.openswan.org" <users at lists.openswan.org>
Subject: Tunnel up - packets sent thru - but no forwarding to target ! routing issue ?
Date: November 20, 2014 at 1:48:20 AM GMT-5


Hello all,
 
I created a Client-Server VPN between VPN Access Manager (Win7) and Openswan (Ubuntu at AWS). The tunnel comes up:
 
tail -10 /var/log/auth.log
Nov 20 06:19:54 ip-172-31-14-254 pluto[2139]: "RWConn"[2] 212.64.228.6 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
Nov 20 06:20:09 ip-172-31-14-254 pluto[2139]: "RWConn"[2] 212.64.228.6 #1: the peer proposed: 172.31.15.0/24:17/1701 -> 10.161.62.58/32:17/0
Nov 20 06:20:09 ip-172-31-14-254 pluto[2139]: "RWConn"[2] 212.64.228.6 #2: responding to Quick Mode proposal {msgid:1a739fef}
Nov 20 06:20:09 ip-172-31-14-254 pluto[2139]: "RWConn"[2] 212.64.228.6 #2:     us: 172.31.15.0/24===172.31.14.254<172.31.14.254>[@172.31.14.254,+XS+S=C]:17/1701
Nov 20 06:20:09 ip-172-31-14-254 pluto[2139]: "RWConn"[2] 212.64.228.6 #2:   them: 212.64.228.6[@,+MC+XC+S=C]:17/0
Nov 20 06:20:09 ip-172-31-14-254 pluto[2139]: "RWConn"[2] 212.64.228.6 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Nov 20 06:20:09 ip-172-31-14-254 pluto[2139]: "RWConn"[2] 212.64.228.6 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Nov 20 06:20:09 ip-172-31-14-254 pluto[2139]: "RWConn"[2] 212.64.228.6 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov 20 06:20:09 ip-172-31-14-254 pluto[2139]: "RWConn"[2] 212.64.228.6 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x4090c6e1 <0x2962fb5a xfrm=AES_256-HMAC_MD5 NATOA=none NATD=212.64.228.6:53523 DPD=none}
 
A ping from the Client to the Target Server (172.31.15.27), which is located behind the Openswan (172.31.14.254), is sent in the tunnel but “remains” on the Openswan. It is not seen within a tcpdump @ 172.31.15.27
 
tcpdump at Openswan:
 
10.161.62.58 is my Client’s IP
212.64.xxx.xxx is our Internet GW (NAT-T is used)
 
06:20:37.932761 IP bayer-212-64-xxx-xxx.bayer.de.53523 > ip-172-31-14-254.eu-central-1.compute.internal.ipsec-nat-t: UDP-encap: ESP(spi=0x2962fb5a,seq=0x5), length 100
06:20:37.932761 IP ip-10-161-62-58.eu-central-1.compute.internal > ip-172-31-15-27.eu-central-1.compute.internal: ICMP echo request, id 1, seq 17, length 40
 
 
Openswan Server:
 
ifconfig -a
eth0      Link encap:Ethernet  HWaddr 06:55:c6:9d:7d:13
          inet addr:172.31.14.254  Bcast:172.31.15.255  Mask:255.255.240.0
          inet6 addr: fe80::455:c6ff:fe9d:7d13/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
          RX packets:1301 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1040 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:118809 (118.8 KB)  TX bytes:175780 (175.7 KB)
 
netstat -rnv:
 
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.31.0.1      0.0.0.0         UG        0 0          0 eth0
172.31.0.0      0.0.0.0         255.255.240.0   U         0 0          0 eth0
 
The ping from the Openswan to the Target Server works fine:
 
ping 172.31.15.27
PING 172.31.15.27 (172.31.15.27) 56(84) bytes of data.
64 bytes from 172.31.15.27: icmp_seq=1 ttl=128 time=0.590 ms
64 bytes from 172.31.15.27: icmp_seq=2 ttl=128 time=0.538 ms
^C
--- 172.31.15.27 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.538/0.564/0.590/0.026 ms
 
 
/etc/sysctl.conf:
 
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
 
 
/etc/ipsec.conf
 
version    2.0
config setup
   protostack=netkey
   interfaces=%defaultroute
   nat_traversal=yes
   force_keepalive=yes
   keep_alive=60
   oe=no
   nhelpers=0
conn RWConn
   type=transport
   authby=secret
   modecfgclient=yes
   pfs=no
   rekey=no
   ikelifetime=8h
   keylife=1h
   leftprotoport=17/1701
   left=172.31.14.254
   leftsubnet=172.31.15.0/24
   leftid=@172.31.14.254
   leftxauthserver=yes
   rightprotoport=17/0
   right=%any
   rightxauthclient=yes
   auto=ignore
 
I tried to set the “leftsourceip=172.31.14.254” but that did not help.
 
Any idea would be highly appreciated !
 
greetings
-Jerry
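The post pastes /etc/sysctl.conf, the routing table and the pluto log separately; what a practitioner wants is one script that reads the same things back from the running box and prints them side by side. The following POSIX sh script is an added example, not part of the original post and not Openswan's own tooling. The two pluto log lines embedded in it are copied from the post; the fake /proc tree, the values in it, and every function name are constructed for this example. It reports the negotiated SA mode, traffic selectors and algorithms, the kernel's live ip_forward value (which can differ from /etc/sysctl.conf until `sysctl -p` or a reboot applies the file), and the effective rp_filter for the interface, which the kernel computes as max(all, interface).

```shell
#!/bin/sh
# ipsec_fwd_check.sh: added example (not from the original post).
# Correlates the pluto log with the live kernel forwarding state.

# The log lines below are copied from the post, embedded for offline use.
sample_log() {
cat <<'EOF'
Nov 20 06:20:09 ip-172-31-14-254 pluto[2139]: "RWConn"[2] 212.64.228.6 #1: the peer proposed: 172.31.15.0/24:17/1701 -> 10.161.62.58/32:17/0
Nov 20 06:20:09 ip-172-31-14-254 pluto[2139]: "RWConn"[2] 212.64.228.6 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x4090c6e1 <0x2962fb5a xfrm=AES_256-HMAC_MD5 NATOA=none NATD=212.64.228.6:53523 DPD=none}
EOF
}

# sa_mode: "transport" or "tunnel" from the last "IPsec SA established" line on stdin.
sa_mode() {
    sed -n 's/.*IPsec SA established \([a-z]*\) mode.*/\1/p' | tail -n 1
}

# sa_algs: the xfrm= algorithm string of the established SA.
sa_algs() {
    sed -n 's/.*xfrm=\([^ }]*\).*/\1/p' | tail -n 1
}

# sa_selectors: the traffic selectors the peer proposed ("ours -> theirs").
sa_selectors() {
    sed -n 's/.*the peer proposed: \(.*\)$/\1/p' | tail -n 1
}

# sysctl_val NAME [PROCROOT]: read a sysctl from the live kernel tree
# (default /proc) or from a fake tree used for testing.  /etc/sysctl.conf
# is only applied by "sysctl -p" or at boot, so file and kernel can disagree.
sysctl_val() {
    cat "${2:-/proc}/sys/$(printf '%s' "$1" | tr . /)"
}

# effective_rp_filter IFACE [PROCROOT]: the kernel uses max(all, iface).
effective_rp_filter() {
    a=$(sysctl_val net.ipv4.conf.all.rp_filter "$2")
    i=$(sysctl_val "net.ipv4.conf.$1.rp_filter" "$2")
    if [ "$a" -gt "$i" ]; then echo "$a"; else echo "$i"; fi
}

# fake_proc DIR: a constructed /proc tree (values are invented for the demo:
# sysctl.conf may say ip_forward=1 while the kernel still has 0).
fake_proc() {
    mkdir -p "$1/sys/net/ipv4/conf/all" "$1/sys/net/ipv4/conf/eth0"
    echo 0 > "$1/sys/net/ipv4/ip_forward"
    echo 1 > "$1/sys/net/ipv4/conf/all/rp_filter"
    echo 0 > "$1/sys/net/ipv4/conf/eth0/rp_filter"
}

# report LOGFILE IFACE PROCROOT: summarise SA and kernel state, with the
# caveats a reviewer would raise on each value.
report() {
    mode=$(sa_mode < "$1")
    algs=$(sa_algs < "$1")
    fwd=$(sysctl_val net.ipv4.ip_forward "$3")
    rpf=$(effective_rp_filter "$2" "$3")
    echo "SA mode:        $mode"
    echo "SA selectors:   $(sa_selectors < "$1")"
    echo "SA algorithms:  $algs"
    echo "ip_forward:     $fwd (live kernel value)"
    echo "rp_filter($2):  $rpf (max of all and $2)"
    if [ "$mode" = transport ]; then
        echo "note: transport mode protects traffic between the two IKE endpoints only;"
        echo "      packets for other hosts need tunnel mode or an inner tunnel such as L2TP"
    fi
    if [ "$fwd" != 1 ]; then
        echo "note: kernel is not forwarding; run 'sysctl -p' if sysctl.conf says 1"
    fi
    case "$algs" in *HMAC_MD5*) echo "note: HMAC-MD5 integrity is deprecated; prefer SHA2" ;; esac
    return 0
}

case "${1:-}" in
    live) report /var/log/auth.log "${2:-eth0}" /proc
          echo "--- xfrm policy ---"; ip xfrm policy
          echo "--- route lookup for the decrypted packet ---"
          ip route get 172.31.15.27 from 10.161.62.58 iif "${2:-eth0}" ;;
    demo) d=$(mktemp -d); fake_proc "$d"; sample_log > "$d/auth.log"
          report "$d/auth.log" eth0 "$d"; rm -r "$d" ;;
esac
```

Run `sh ipsec_fwd_check.sh demo` for the offline run against the embedded data, or `sh ipsec_fwd_check.sh live eth0` on the Openswan host. Two things the script cannot see but that apply to any forwarding box in a VPC: an EC2 instance will not forward packets whose source or destination is not its own address until Source/Destination Check is disabled on the instance, and the target host (or the VPC route table) needs a route for the client address back to 172.31.14.254, or replies go to the VPC router instead of into the tunnel. Neither is a diagnosis of this post; they are the checks to run before looking further.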
