[Openswan Users] Routing issue with extruded subnet
Peter Skensved
peter at jay.Phy.QueensU.CA
Sat Apr 18 18:40:03 EDT 2015
Trying to set up a VPN with IPsec where 16 addresses on 10.4.0.x (224-239)
are hanging off right.rightdomain.org and the rest are off
left.leftdomain.org. The primary Ethernet cards on both are eth0 and the subnets
are on eth1.
The config files are listed below:
----
/etc/ipsec.d/left-to-right.conf :
#
conn left-to-right
left=l.l.l.32
leftsubnets=10.4.0.0/25,10.4.0.128/26,10.4.0.192/27,10.4.0.240/28
leftid=@left.leftdomain.org
leftrsasigkey=0sA.........
#
right=r.r.r.12
rightsubnet=10.4.0.224/28
rightid=@right.rightdomain.org
rightrsasigkey=0sA...
#
authby=rsasig
type=tunnel
auto=start
---
left /etc/ipsec.conf :
version 2.0
# basic configuration
config setup
protostack=netkey
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:!10.4.0.0/25,%v4:!10.4.0.128/26,%v4:!10.4.0.192/27,%v4:!10.4.0.240/28,%v4:!10.100.0.0/24
oe=off
include /etc/ipsec.d/*.conf
left> ip route list
10.100.0.0/24 dev eth2 proto kernel scope link src 10.100.0.32
10.4.0.0/24 dev eth1 proto kernel scope link src 10.4.0.177
l.l.l.0/24 dev eth0 proto kernel scope link src a.a.a.32
default via r.r.r.254 dev eth0
--
right ipsec.conf :
as above except that :
virtual_private=%v4:10.0.0.0/8,%v4:!10.0.0.0/24,%v4:!10.4.0.224/28
right> ip route list
10.0.0.0/24 dev eth2 proto kernel scope link src 10.0.0.1
192.168.1.0/24 dev eth3 proto kernel scope link src 192.168.1.1
r.r.r.0/24 dev eth0 proto kernel scope link src r.r.r.12
10.4.0.0/24 dev eth1 proto kernel scope link src 10.4.0.224
default via l.l.l.254 dev eth0
----
ipsec verify and ipsec auto --status indicate the tunnel is up and I see
ESP packets being exchanged at regular intervals.
If I ping 10.4.0.x addresses from an extruded address on the right, I see ESP
packets on the left (on l.l.l.32 / eth0) except when x is in the extruded
range (224 through 239). But I see no replies. When x is in the extruded
range the packets stay on the right side and I do see replies. So the ICMP
packets go astray on the left side. In fact, they go out on the wrong
interface (eth0). I see packets like:
10.4.0.225 > 10.4.0.34: ICMP echo request, id 25471, seq 18, length 64
on it.
ipsec seems to ignore the left routing table listed above, which says to
direct them to eth1. It picks the default route instead (eth0)! Why?
I thought the priority went from the most specific route down to the default
if nothing else matched.
I tried adding leftsourceip=10.4.0.177 and rightsourceip=10.4.0.224 to
the config files above, but it seems to have no effect except that ipsec now
adds additional entries to the routing table:
right : 10.4.0.224/28 dev eth0 scope link src 10.4.0.177
left : 10.4.0.240/28 dev eth0 scope link src 10.4.0.224
10.4.0.192/27 dev eth0 scope link src 10.4.0.224
10.4.0.128/26 dev eth0 scope link src 10.4.0.224
10.4.0.0/25 dev eth0 scope link src 10.4.0.224
But they look wrong to me. Shouldn't ipsec have picked eth1 instead of
eth0 in both cases? eth0 is the public-facing default card and eth1
is the private 10-network.
Both boxes are running CentOS 6.6 with the latest Openswan.
Any help would be appreciated.
peter
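The following is an added worked example for the question in the post; it is not code from the post or from Openswan. It reproduces the posted conn and the left gateway's `ip route list` output as constructed strings, expands leftsubnets x rightsubnet into the (local, remote) selector pairs that Openswan installs as IPsec policies for such a conn, and applies the Linux longest-prefix-match rule to the posted routing table. That lets a reader see, for the decrypted echo request 10.4.0.225 > 10.4.0.34 and for the reply 10.4.0.34 > 10.4.0.225, which selector covers each packet and which interface plain routing would pick, and how the extra /28 route that leftsourceip makes Openswan add changes the lookup for the reply. The `10.4.0.224/28 dev eth0 src 10.4.0.177` entry is taken from the post's list of added routes; the redacted l.l.l.0/24 route is omitted since it cannot cover a 10.4.0.x destination.

```python
"""Model the left gateway's IPsec policy lookup and routing decision.

Added example for the thread above, not code from the post or from
Openswan.  The conn and the routing tables are constructed copies of what
the post shows; the route lookup implements the Linux longest-prefix-match
rule; the policy selectors are the leftsubnets x rightsubnet pairs Openswan
installs for this conn.
"""
import ipaddress

# Constructed from the conn in the post.
CONN = {
    "leftsubnets": "10.4.0.0/25,10.4.0.128/26,10.4.0.192/27,10.4.0.240/28",
    "rightsubnet": "10.4.0.224/28",
}

# Constructed copy of the left gateway's `ip route list`; the redacted
# l.l.l.0/24 entry is left out because it cannot cover a 10.4.0.x address.
LEFT_ROUTES = """\
10.100.0.0/24 dev eth2 proto kernel scope link src 10.100.0.32
10.4.0.0/24 dev eth1 proto kernel scope link src 10.4.0.177
default via r.r.r.254 dev eth0
"""

# Same table plus the entry the post says appeared after setting
# leftsourceip=10.4.0.177.
LEFT_ROUTES_SOURCEIP = LEFT_ROUTES + "10.4.0.224/28 dev eth0 scope link src 10.4.0.177\n"


def parse_routes(text):
    """Turn `ip route list` lines into (network, dev, via, src) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        # The remaining fields are "key value" pairs: dev eth1, via X, src Y, ...
        attrs = dict(zip(fields[1::2], fields[2::2]))
        routes.append((ipaddress.ip_network(dst, strict=False),
                       attrs.get("dev"), attrs.get("via"), attrs.get("src")))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        if addr in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    return best


def selectors(conn):
    """Expand leftsubnets x rightsubnet into the (local, remote) selector pairs."""
    lefts = [ipaddress.ip_network(s) for s in conn["leftsubnets"].split(",")]
    rights = [ipaddress.ip_network(s) for s in conn["rightsubnet"].split(",")]
    return [(left, right) for left in lefts for right in rights]


def match_policy(conn, src, dst):
    """Classify src->dst as seen from the left gateway: 'in' if it arrives
    decrypted from the right subnet, 'out' if it must be encrypted towards
    it, None if no selector covers it (it would travel in the clear)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in selectors(conn):
        if s in remote and d in local:
            return ("in", str(remote), str(local))
        if s in local and d in remote:
            return ("out", str(local), str(remote))
    return None


def trace(conn, route_text, src, dst):
    """Policy direction plus the route and interface plain routing selects."""
    policy = match_policy(conn, src, dst)
    route = lookup(parse_routes(route_text), dst)
    return {"policy": policy, "route": str(route[0]), "dev": route[1]}


if __name__ == "__main__":
    # The echo request the post sees on the left gateway ...
    print(trace(CONN, LEFT_ROUTES, "10.4.0.225", "10.4.0.34"))
    # ... and the reply 10.4.0.34 would send back through it.
    print(trace(CONN, LEFT_ROUTES, "10.4.0.34", "10.4.0.225"))
    # With the leftsourceip route present, the /28 beats the /24 for the reply.
    print(trace(CONN, LEFT_ROUTES_SOURCEIP, "10.4.0.34", "10.4.0.225"))
```

Against the posted table the model picks 10.4.0.0/24 on eth1 for both directions, which is the behaviour the post expects; only the leftsourceip route, being a /28, redirects the reply's lookup to eth0. Two live checks are worth more than the model: `ip route get 10.4.0.34 from 10.4.0.225 iif eth0` on the left gateway prints the kernel's real forwarding decision for the decrypted packet, and `ip xfrm policy` lists the selectors actually installed. One caveat when reading tcpdump on a NETKEY system: the decrypted copy of an inbound ESP packet is shown on the same interface the ESP arrived on, so a plaintext 10.4.0.225 > 10.4.0.34 captured on eth0 is not by itself proof that the packet was sent out on eth0; a capture on eth1 shows whether it was forwarded there.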