[Openswan Users] Help with routing between networks
Peter Skensved
peter at jay.Phy.QueensU.CA
Fri Feb 20 07:51:00 EST 2015
Hi,
I'm trying to set up a simple tunnel between two networks : 172.16.1.0/24
hanging off hostA.a.org at a.a.a.a and 172.16.2.0/4 hanging off hostB.b.org at
b.b.b.b . hostB has another 172 network ( 172.16.10.0/24 ) which is separate.
The short description of the problem is that I can see ESP packets on say
b.b.b.b when I ping addresses on 172.16.2.0/24 from the 172 side of A ( eth1
at 172.16.1.1 ) but I see nothing going out on the 172.16.2.0/24 network
( hostB eth1 at 172.16.2.1 ) so my routing is not correct and nothing I try
seems to make it work.
Both sides run fully patched CentOS 6.6
---
ipsec.conf on A :
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:172.16.0.0/12,%v4:!172.16.1.0/24
    oe=off

include /etc/ipsec.d/*.conf
ipsec.conf on host B :
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:172.16.0.0/12,%v4:!172.16.2.0/24,%v4:!172.16.10.0/24
    oe=off

include /etc/ipsec.d/*.conf
So - first question : Am I excluding the correct networks in the
virtual_private statements ?
ipsec.s/siteA-to-siteB.conf on both A and B
conn A-to-B
    left=b.b.b.b
    leftsubnet=172.16.2.0/24
    leftid=@hostB.b.org
    # rsakey ...
    leftrsasigkey=0sA...
    right=a.a.a.a
    rightsubnet=172.16.1.0/24
    rightid=@hostA.a.org
    # rsakey
    rightrsasigkey=0sA...
    #
    type=tunnel
    authby=rsasig
    auto=start
---
I set send and accept_redirects to 0 and set ip_forward = 1 on both hostA
and hostB .
ipsec verify runs correctly on both hosts and warns about SELINUX on host B
( but I see no errors/warnings in the logs )
Second question : I've seen references to the rp-filter settings - do I have
to tinker with them ? ( "all" is 0, the rest are 1 by default )
UDP ports 500 and 4500 are open on both firewalls for the relevant address
ranges and both hosts accept protocols ESP and AH.
Third and fourth questions : I don't need AH - right ? Do I need port 4500
open ?
Without doing anything to the routing tables I can :
hostB> ping -R -I eth1 172.16.1.1
which returns :
RR: 172.16.2.1
172.16.1.1
172.16.1.1
172.16.2.1
64 bytes from 172.16.1.1: ..... ( same route )
....
and I see ESP packets on eth0 on hostA
Ditto on hostB if I ping from hostA
If I try any other address on network A I get no reply. I see both ESP and
ICMP packets on eth0 but no packets on eth1 on hostA . So the ICMP packets
never seem to make it out onto the 172.16.1.0 network. But shouldn't ipsec
take care of that ??? ipsec auto --status returns among other things :
"a-to-b": 172.16.1.0/24===a.a.a.a<a.a.a.a>[@hostA.a.org,+S=C]...b.b.b.b<b.b.b.b>[@hostB.b.org,+S=C]===172.16.2.0/24; erouted; eroute owner: #6
Doesn't that mean that it knows where to send 172.16.1.x packets ?
I've looked at a number of web pages describing ipsec tunnels between networks
and hosts and I've looked at the RedHat guide to setting up ipsec but I can
see nothing consistent when it comes to setting up the routing tables ( or
whether it is necessary ) . Some people suggest adding iptables rules like
hostA> iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j MASQUERADE
but it seems to have no effect. And besides, shouldn't ipsec take care of that ?
I think I have tried just about every combination of entries in the routing
table that seemed to make sense but so far nothing I've done has enabled me
to ping other 172.16 addresses.
What am I missing ? Turning the firewalls off does not seem to have any effect
-----
I'm adding a few things here in case anyone sees anything that is obviously
wrong in the configuration :
hostB> ip xfrm policy
src 172.16.2.0/24 dst 172.16.1.0/24
        dir out priority 2344 ptype main
        tmpl src b.b.b.b dst a.a.a.a
                proto esp reqid 16385 mode tunnel
src 172.16.1.0/24 dst 172.16.2.0/24
        dir fwd priority 2344 ptype main
        tmpl src a.a.a.a dst b.b.b.b
                proto esp reqid 16385 mode tunnel
src 172.16.1.0/24 dst 172.16.2.0/24
        dir in priority 2344 ptype main
        tmpl src a.a.a.a dst b.b.b.b
                proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
        dir 4 priority 0 ptype main
src ::/0 dst ::/0
        dir 3 priority 0 ptype main
....
....
hostB> ip route
172.16.2.0/24 dev eth1 proto kernel scope link src 172.16.2.1
10.0.0.0/24 dev eth2 proto kernel scope link src 10.0.0.137
b.b.b.0/24 dev eth0 proto kernel scope link src b.b.b.b
default via b.b.b.254 dev eth0
The following is while doing
hostA> ping -I eth1 -R 172.16.x
hostB> ip xfrm monitor
Async event (0x10) replay update
src a.a.a.a dst b.b.b.b reqid 0x4001 protocol esp SPI 0xefaef517
Async event (0x20) timer expired
src a.a.a.a dst b.b.b.b reqid 0x4001 protocol esp SPI 0xefaef517
Async event (0x20) timer expired
src a.a.a.a dst b.b.b.b reqid 0x4001 protocol esp SPI 0xefaef517
Async event (0x20) timer expired
Does the "timer expired" mean something is wrong ?
hostB> ip xfrm state
src a.a.a.a dst b.b.b.b
        proto esp spi 0xefaef517 reqid 16385 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0xde9d0e1894a92832fbdb4d3ba132b6785f615e42
        enc cbc(aes) 0xcd9f52977b9e2b01b52ff843a38530a7
src b.b.b.b dst a.a.a.a
        proto esp spi 0xdc9f0821 reqid 16385 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0xa6d7c88ec3fffd4f923b6211af58267daf7280be
        enc cbc(aes) 0x322184c96233e3caa5b304acf884f72c
...
...
Any help would be greatly appreciated.
peter
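An added example, not part of Peter's message and not Openswan code: a small checker that parses the output of `ip xfrm policy` and verifies that a site-to-site netkey tunnel has the three kernel policies it needs (an `out` policy for local-to-remote traffic and matching `fwd` and `in` policies for remote-to-local traffic, each with an ESP tunnel template between the two gateways). The sample input is the policy listing quoted above, kept with the post's `a.a.a.a` / `b.b.b.b` placeholders, so the gateway addresses are compared as plain strings. The subnet and gateway arguments, and the three-policy layout the checker expects, are assumptions of this example.

```python
"""Verify that the kernel SPD holds a complete set of policies for one IPsec tunnel.

Added example (not from the original post). Parses `ip xfrm policy` output and
checks that a given pair of subnets is covered by 'out', 'fwd' and 'in'
policies carrying an ESP tunnel template between the expected gateways.
"""
import ipaddress
import re
import subprocess

# Constructed sample: the listing quoted in the post, with the post's own
# gateway placeholders (a.a.a.a = hostA, b.b.b.b = hostB) left as-is.
SAMPLE_POLICY = """\
src 172.16.2.0/24 dst 172.16.1.0/24
        dir out priority 2344 ptype main
        tmpl src b.b.b.b dst a.a.a.a
                proto esp reqid 16385 mode tunnel
src 172.16.1.0/24 dst 172.16.2.0/24
        dir fwd priority 2344 ptype main
        tmpl src a.a.a.a dst b.b.b.b
                proto esp reqid 16385 mode tunnel
src 172.16.1.0/24 dst 172.16.2.0/24
        dir in priority 2344 ptype main
        tmpl src a.a.a.a dst b.b.b.b
                proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
        dir 4 priority 0 ptype main
src ::/0 dst ::/0
        dir 3 priority 0 ptype main
"""


def parse_xfrm_policy(text):
    """Turn `ip xfrm policy` output into a list of dicts.

    Each dict carries src/dst (ip_network) and dir; policies with a template
    also carry tmpl_src, tmpl_dst (strings), proto, reqid and mode.
    """
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^src (\S+) dst (\S+)$", line)
        if m:  # a new policy entry starts with its selector
            cur = {"src": ipaddress.ip_network(m.group(1)),
                   "dst": ipaddress.ip_network(m.group(2))}
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"^dir (\S+) priority (\d+)", line)
        if m:
            cur["dir"], cur["priority"] = m.group(1), int(m.group(2))
            continue
        m = re.match(r"^tmpl src (\S+) dst (\S+)", line)
        if m:
            cur["tmpl_src"], cur["tmpl_dst"] = m.group(1), m.group(2)
            continue
        m = re.match(r"^proto (\S+) reqid (\d+) mode (\S+)", line)
        if m:
            cur["proto"], cur["reqid"], cur["mode"] = m.group(1), int(m.group(2)), m.group(3)
    return policies


def check_tunnel(policies, local_subnet, remote_subnet, local_gw, remote_gw):
    """Return a list of problems; an empty list means the tunnel's SPD entries are complete.

    Expected on the gateway in front of local_subnet (assumption of this example):
      out: local_subnet -> remote_subnet, template local_gw -> remote_gw
      fwd: remote_subnet -> local_subnet, template remote_gw -> local_gw
      in : same selector and template as fwd
    """
    local_subnet = ipaddress.ip_network(local_subnet)
    remote_subnet = ipaddress.ip_network(remote_subnet)
    expected = {
        "out": (local_subnet, remote_subnet, local_gw, remote_gw),
        "fwd": (remote_subnet, local_subnet, remote_gw, local_gw),
        "in": (remote_subnet, local_subnet, remote_gw, local_gw),
    }
    problems = []
    for direction, (src, dst, tsrc, tdst) in expected.items():
        match = [p for p in policies
                 if p.get("dir") == direction and p["src"] == src and p["dst"] == dst]
        if not match:
            problems.append(f"no '{direction}' policy for {src} -> {dst}")
            continue
        p = match[0]
        if p.get("proto") != "esp" or p.get("mode") != "tunnel":
            problems.append(f"'{direction}' policy {src} -> {dst} is not an ESP tunnel")
        if (p.get("tmpl_src"), p.get("tmpl_dst")) != (tsrc, tdst):
            problems.append(f"'{direction}' policy {src} -> {dst} has template "
                            f"{p.get('tmpl_src')} -> {p.get('tmpl_dst')}, expected {tsrc} -> {tdst}")
    return problems


def live_policies():
    """Read the running kernel's SPD (reading it may require root on some systems)."""
    out = subprocess.run(["ip", "xfrm", "policy"], capture_output=True,
                         text=True, check=True).stdout
    return parse_xfrm_policy(out)


if __name__ == "__main__":
    pols = parse_xfrm_policy(SAMPLE_POLICY)
    for net in ("172.16.2.0/24", "172.16.10.0/24"):
        probs = check_tunnel(pols, net, "172.16.1.0/24", "b.b.b.b", "a.a.a.a")
        print(f"{net}: {'OK' if not probs else probs}")
```

Run against the listing in the post (as hostB, local gateway `b.b.b.b`), the checker reports no problems for the 172.16.2.0/24 pair and three missing policies for 172.16.10.0/24, which is the other network hostB carries: the SPD only ever covers the subnet pairs that a `conn` names, so a second subnet needs its own conn before the kernel will protect or forward its traffic through the tunnel. To use it on a live gateway, replace the sample with `live_policies()`.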