[Openswan Users] openswan initiating from wrong IP, but answers with the right one

Lennart Regner Lennart.Regner at fsenetwork.com
Fri Apr 10 03:05:43 EDT 2015


Hi there,
I'm running a Debian 7.8 openswan 1:2.6.37-3+deb7u1 server with one external interface, but many different aliases :
inet xxx.xxx.xxx.94/24 brd xxx.xxx.xxx.255 scope global eth1
inet xxx.xxx.xxx.93/29 brd xxx.xxx.xxx.95 scope global eth1:ovpn
inet xxx.xxx.xxx.35/27 brd xxx.xxx.xxx.63 scope global eth1:mail1
inet xxx.xxx.xxx.75/29 brd xxx.xxx.xxx.79 scope global eth1:mail2
inet xxx.xxx.xxx.10/27 brd xxx.xxx.xxx.31 scope global eth1:web1
inet xxx.xxx.xxx.82/29 brd xxx.xxx.xxx.87 scope global eth1:ipsec2
inet xxx.xxx.xxx.36/27 brd xxx.xxx.xxx.63 scope global secondary eth1:web2
inet xxx.xxx.xxx.76/29 brd xxx.xxx.xxx.79 scope global secondary eth1:web3
inet xxx.xxx.xxx.3/27 brd xxx.xxx.xxx.31 scope global secondary eth1:gate1
inet xxx.xxx.xxx.34/27 brd xxx.xxx.xxx.63 scope global secondary eth1:gate2
inet xxx.xxx.xxx.5/27 brd xxx.xxx.xxx.31 scope global secondary eth1:mail
inet xxx.xxx.xxx.92/29 brd xxx.xxx.xxx.95 scope global secondary eth1:ipsec
My "main"-connections use xxx.xxx.xxx.94, but only one has to use xxx.xxx.xxx.92. If at my server I start up the connection using .92, all packets exit the interface with the .94 IP, of course getting NO_PROPOSAL_CHOSEN msgid=00000000 at phase 1.
I also found, that all my other IPSec servers (creating tunnels to .94) sometimes receive ESP packets from .92, despite there being not a single connection using this IP to them.
If the other side initiates the connection to .92 the server responds with the correct IP and the tunnel is established. Here is an excerpt from my ipsec.conf:
uniqueids=yes
nhelpers=0
interfaces="ipsec0=eth1"

conn site2site
authby=secret
right=xxx.xxx.xxx.92
rightsubnet=192.168.0.0/24
rightnexthop=xxx.xxx.xxx.91
left=xxx.xxx.xxx.21
leftid="xxx.xxx.xxx.21"
ikelifetime=480m
keylife=3600s
rekeymargin=5m
keyingtries=0
auto=start
ike=3des-sha1;modp1024
esp=3des-sha1;modp1024

conn site2site-1
leftsubnet=172.16.0.0/12
also=site2site

conn site2site-2
leftsubnet=10.182.0.0/15
also=site2site
I tried adding an iptables rule to SNAT the packets src: .94 dst: .21 to source .92, but to no avail, they keep leaving from the wrong interface:
iptables -t nat -A POSTROUTING -s xxx.xxx.xxx.94 -d xxx.xxx.xxx.21 -j SNAT --to-source xxx.xxx.xxx.92
Anyone got some better idea or want to point me in the right direction here?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20150410/693c44b6/attachment.html>


More information about the Users mailing list