[Openswan Users] Help with routing between networks

Peter Skensved peter at jay.Phy.QueensU.CA
Fri Feb 20 07:51:00 EST 2015


    Hi,
  I'm trying to set up a simple tunnel between two networks : 172.16.1.0/24
hanging off hostA.a.org at a.a.a.a and 172.16.2.0/4 hanging off hostB.b.org at
b.b.b.b . hostB has another 172 network ( 172.16.10.0/24 ) which is separate.

 The short description of the problem is that I can see ESP packets on say
b.b.b.b when I ping addresses on 172.16.2.0/24 from the 172 side of A ( eth1
at 172.16.1.1 ) but I see nothing going out on the 172.16.2.0/24 network
( hostB eth1 at 172.16.2.1 ) so my routing is not correct and nothing I try
seems to make it work. 

 Both sides run fully patched CentOS 6.6

---

ipsec.conf on A :

version		 2.0	# conforms to second version of ipsec.conf specification
config setup
			 protostack=netkey
			 nat_traversal=yes
			 virtual_private=%v4:172.16.0.0/12,%v4:!172.16.1.0/24
			 oe=off
include /etc/ipsec.d/*.conf
 

ipsec.conf on host B  :

version		 2.0		 # conforms to second version of ipsec.conf specification
config setup
			 protostack=netkey
			 nat_traversal=yes
			 virtual_private=%v4:172.16.0.0/12,%v4:!172.16.2.0/24,%v4:!172.16.10.0/24
			 oe=off
include /etc/ipsec.d/*.conf


 So - first question : Am I excluding the correct networks in the
virtual_private  statements ?



ipsec.d/siteA-to-siteB.conf  on both A and B

conn A-to-B
  left=b.b.b.b
  leftsubnet=172.16.2.0/24
  leftid=@hostB.b.org
# rsakey ...
  leftrsasigkey=0sA...

  right=a.a.a.a
  rightsubnet=172.16.1.0/24
  rightid=@hostA.a.org
# rsakey
  rightrsasigkey=0sA...
#
  type=tunnel
  authby=rsasig
  auto=start

---

 I set send and accept_redirects to 0 and set ip_forward = 1 on both hostA
and hostB . 

 ipsec verify  runs correctly on both hosts and warns about SELINUX on host B
( but I see no errors/warnings in the logs )  

 Second question :  I've seen references to the rp-filter settings - do I have
to tinker with them ? (  "all" is 0, the rest are 1 by default )

 UDP ports 500 and 4500 are open on both firewalls for the relevant address
ranges and both hosts accept protocols ESP and AH. 

 Third and fourth questions : I don't need AH - right ? Do I need port 4500
open ? 


 Without doing anything to the routing tables I can :

hostB> ping -R -I eth1 172.16.1.1 

 which returns :

RR: 	 172.16.2.1
			 172.16.1.1
			 172.16.1.1
			 172.16.2.1

64 bytes from 172.16.1.1: ..... ( same route )
....

 and I see ESP packets on eth0 on  hostA

 Ditto on hostB if I ping from hostA


 If I try any other address on network A  I get no reply. I see both ESP and
ICMP packets on eth0 but no packets on eth1 on hostA . So the ICMP packets
never seem to make it out onto the 172.16.1.0 network. But shouldn't ipsec
take care of that ???   ipsec auto --status  returns among other things :

"a-to-b": 172.16.1.0/24===a.a.a.a<a.a.a.a>[@hostA.a.org,+S=C]...b.b.b.b<b.b.b.b>[@hostB.b.org,+S=C]===172.16.2.0/24; erouted; eroute owner: #6

 Doesn't that mean that it knows where to send 172.16.1.x packets ?



 I've looked at a number of web pages describing ipsec tunnels between networks
and hosts and I've looked at the RedHat guide to setting up ipsec but I can
see nothing consistent when it comes to setting up the routing tables ( or
whether it is necessary ) . Some people suggest adding iptables rules like 

hostA> iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -j  MASQUERADE

but it seems to have no effect. And besides, shouldn't ipsec take care of that ?

  I think I have tried just about every combination of entries in the routing
table that seemed to make sense but so far nothing I've done has enabled me
to ping other 172.16 addresses. 

 What am I missing ? Turning the firewalls off does not seem to have any effect


-----

  I'm adding a few things here in case anyone sees anything that is obviously
wrong in the configuration : 

hostB> ip xfrm policy
src 172.16.2.0/24 dst 172.16.1.0/24 
		dir out priority 2344 ptype main 
		tmpl src b.b.b.b dst a.a.a.a
				 proto esp reqid 16385 mode tunnel
src 172.16.1.0/24 dst 172.16.2.0/24 
		dir fwd priority 2344 ptype main 
		tmpl src a.a.a.a dst b.b.b.b
				 proto esp reqid 16385 mode tunnel
src 172.16.1.0/24 dst 172.16.2.0/24 
		dir in priority 2344 ptype main 
		tmpl src a.a.a.a dst b.b.b.b
				 proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0 
		dir 4 priority 0 ptype main 
src ::/0 dst ::/0 
		dir 3 priority 0 ptype main 
....
....




hostB> ip route
172.16.2.0/24 dev eth1  proto kernel  scope link  src 172.16.2.1 
10.0.0.0/24 dev eth2  proto kernel  scope link  src 10.0.0.137 
b.b.b.0/24 dev eth0  proto kernel  scope link  src b.b.b.b 
default via b.b.b.254 dev eth0 



 The following is while doing 

hostA> ping -I eth1 -R 172.16.x

hostB> ip xfrm monitor
Async event  (0x10)  replay update 
			src a.a.a.a dst b.b.b.b  reqid 0x4001 protocol esp  SPI 0xefaef517
Async event  (0x20)  timer expired 
			src a.a.a.a dst b.b.b.b  reqid 0x4001 protocol esp  SPI 0xefaef517
Async event  (0x20)  timer expired 
			src a.a.a.a dst b.b.b.b  reqid 0x4001 protocol esp  SPI 0xefaef517
Async event  (0x20)  timer expired 

  Does the "timer expired" mean something is wrong ?


hostB> ip xfr state
src a.a.a.a dst b.b.b.b
		proto esp spi 0xefaef517 reqid 16385 mode tunnel
		replay-window 32 flag 20
		auth hmac(sha1) 0xde9d0e1894a92832fbdb4d3ba132b6785f615e42
		enc cbc(aes) 0xcd9f52977b9e2b01b52ff843a38530a7
src b.b.b.b dst a.a.a.a
		proto esp spi 0xdc9f0821 reqid 16385 mode tunnel
		replay-window 32 flag 20
		auth hmac(sha1) 0xa6d7c88ec3fffd4f923b6211af58267daf7280be
		enc cbc(aes) 0x322184c96233e3caa5b304acf884f72c
...
...

   Any help would be greatly appreciated.

                                          peter
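The following diagnostic helpers are an added example, not part of the original post and not Openswan's own tooling. They read the two things the post already looks at, the `ip xfrm policy` output (a netkey tunnel should show one policy each in the out, in and fwd directions for the subnet pair) and the nat POSTROUTING rules, from standard input, so they can be fed live output or, as here, constructed samples shaped like the ones quoted above. The second check targets a known interaction with the MASQUERADE rule mentioned in the post: on a netkey host, nat POSTROUTING runs before the outbound xfrm policy lookup, so a MASQUERADE or SNAT rule that covers the local subnet rewrites the source address and the packet no longer matches the tunnel selector unless the remote subnet is excluded (`! -d REMOTE`) or an earlier ACCEPT (for the remote subnet or for `-m policy --pol ipsec` traffic) lets it through. All addresses and rule lines are assumptions built from the values in the post.

```shell
#!/bin/sh
# Added diagnostic helpers for an Openswan/netkey tunnel (example code, not from
# the post). Both functions read command output from stdin; LOCAL and REMOTE are
# the subnets on this side and on the far side of the tunnel.

# Constructed sample shaped like the `ip xfrm policy` output quoted in the post
# (hostB: local 172.16.2.0/24, remote 172.16.1.0/24).
SAMPLE_POLICY='src 172.16.2.0/24 dst 172.16.1.0/24
        dir out priority 2344 ptype main
        tmpl src b.b.b.b dst a.a.a.a
                 proto esp reqid 16385 mode tunnel
src 172.16.1.0/24 dst 172.16.2.0/24
        dir fwd priority 2344 ptype main
        tmpl src a.a.a.a dst b.b.b.b
                 proto esp reqid 16385 mode tunnel
src 172.16.1.0/24 dst 172.16.2.0/24
        dir in priority 2344 ptype main
        tmpl src a.a.a.a dst b.b.b.b
                 proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
        dir 4 priority 0 ptype main'

# Constructed samples of `iptables -t nat -S POSTROUTING` on hostA
# (local 172.16.1.0/24, remote 172.16.2.0/24): the rule from the post as-is,
# and the same rule with the remote subnet excluded.
NAT_BAD='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.16.1.0/24 -j MASQUERADE'
NAT_GOOD='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.16.1.0/24 ! -d 172.16.2.0/24 -j MASQUERADE'

# policy_dirs LOCAL REMOTE: print the xfrm policy directions installed for the
# LOCAL<->REMOTE pair, sorted and space separated ("fwd in out" is complete).
policy_dirs() {
  awk -v L="$1" -v R="$2" '
    $1 == "src" && $3 == "dst" { s = $2; d = $4; next }   # selector line
    $1 == "dir" {                                         # direction of that selector
      if ($2 == "out" && s == L && d == R) print "out"
      if (($2 == "in" || $2 == "fwd") && s == R && d == L) print $2
    }' | sort -u | xargs
}

# tunnel_policy_ok LOCAL REMOTE: exit 0 only when out, in and fwd all exist.
tunnel_policy_ok() {
  [ "$(policy_dirs "$1" "$2")" = "fwd in out" ]
}

# nat_hides_tunnel LOCAL REMOTE: exit 0 when a POSTROUTING MASQUERADE or SNAT
# rule would rewrite LOCAL->REMOTE traffic before the xfrm policy lookup, i.e.
# no earlier ACCEPT for REMOTE or for IPsec-policy traffic, and no "! -d REMOTE"
# exclusion on the NAT rule itself.
nat_hides_tunnel() {
  awk -v L="$1" -v R="$2" '
    function has(x) { return index($0, x) > 0 }
    !has("-A POSTROUTING") { next }
    has("-j ACCEPT") && (has("-d " R) || has("--pol ipsec")) { exempt = 1; next }
    (has("-j MASQUERADE") || has("-j SNAT")) && !exempt && !has("! -d " R) &&
        (!has("-s ") || has("-s " L)) { found = 1; exit }
    END { exit found ? 0 : 1 }'
}

# Demo over the constructed samples (only prints; does not change exit status).
printf 'hostB policy directions: %s\n' \
  "$(printf '%s\n' "$SAMPLE_POLICY" | policy_dirs 172.16.2.0/24 172.16.1.0/24)"
if printf '%s\n' "$NAT_BAD" | nat_hides_tunnel 172.16.1.0/24 172.16.2.0/24; then
  echo 'NAT_BAD: MASQUERADE rewrites tunnel traffic before the xfrm lookup'
fi
if ! printf '%s\n' "$NAT_GOOD" | nat_hides_tunnel 172.16.1.0/24 172.16.2.0/24; then
  echo 'NAT_GOOD: tunnel traffic is excluded from NAT'
fi
```

On a live host the same functions take `ip xfrm policy | policy_dirs 172.16.2.0/24 172.16.1.0/24` and `iptables -t nat -S POSTROUTING | nat_hides_tunnel 172.16.1.0/24 172.16.2.0/24`; the policy check is worth running on both gateways with the subnets swapped, since each side needs its own out policy plus the in and fwd policies for the reverse direction.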

