[Openswan Users] Tunnel is up but private network is unreachable

Nick Howitt nick at howitts.co.uk
Tue Jul 21 09:09:10 EDT 2015


Isn't virtual_private only used when IPsec is natted and supplying an IP 
address to something like a roadwarrior?

I'd have a look at firewalling, either for an explicit rule for the 
remote subnet or for a rule for packets with the policy ipsec. I can't 
remember the details, but I think it is a PREROUTING rule in the nat 
chain which is needed.

Nick

On 2015-07-21 13:50, Damian McHugh wrote:
> Hi Mitsue,
> 
> I would specify allowed networks as follows:
> 
> virtual_private=%v4:192.168.13.0/24,%v4:192.168.4.0/24 (note I've 
> removed
> the ! ).
> 
> See if that does the trick.
> 
> Damian McHugh
>  
> 
> -----Original Message-----
> From: users-bounces at lists.openswan.org
> [mailto:users-bounces at lists.openswan.org] On Behalf Of Mitsue A 
> Murakami
> Sent: 21 July 2015 12:07
> To: users at lists.openswan.org
> Subject: [Openswan Users] Tunnel is up but private network is 
> unreachable
> 
> Hello,
> 
> I am having difficulty in setting up a site to site vpn. Tunnel is up 
> but
> private network is unreachable.
> 
> 
> My side is debian linux firewall:
> 
> Public IP: xxx.xxx.xxx.xxx
> Gateway: xxx.xxx.xxx.gw
> 
> Private IP: 192.168.4.12
> 
> 
> The other side is a Cisco-ASA 5510:
> 
> Public IP: yyy.yyy.yyy.yyy
> 
> Private Network: 192.168.13.0/24
> 
> 
> 
> 
> Here is my configuration file:
> 
> config setup
>      plutoopts="--perpeerlog"
>      nat_traversal=yes
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192
> .168.4.0/24
>      nhelpers=0
> 
> conn cisco
>          authby=secret
>          auto=start
>          keyexchange=ike
>          esp=3des-md5;modp1024
>          ikelifetime=8h
>          pfs=no
>          type=tunnel
>          left=xxx.xxx.xxx.xxx
>          leftsourceip=192.168.4.12
>          leftsubnet=192.168.4.0/24
>          leftnexthop=%defaultroute
>          right=yyy.yyy.yyy.yyy
>          rightsubnet=192.168.13.0/24
>          rightnexthop=%defaultroute
> 
> 
> 
> 
> 
> $ ipsec auto --status
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 xxx.xxx.xxx.xxx
> 000 interface eth0/eth0 xxx.xxx.xxx.xxx
> 000 interface eth1/eth1 192.168.4.12
> 000 interface eth1/eth1 192.168.4.12
> 000 interface eth2/eth2 187.174.tt.ttt
> 000 interface eth2/eth2 187.174.tt.ttt
> 000 interface tun0/tun0 10.0.22.2
> 000 interface tun0/tun0 10.0.22.2
> 000 interface tun1/tun1 10.0.28.1
> 000 interface tun1/tun1 10.0.28.1
> 000 interface tun2/tun2 10.0.25.2
> 000 interface tun2/tun2 10.0.25.2
> 000 %myid = (none)
> 000 debug none
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
> keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, 
> keysizemin=192,
> keysizemax=192
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
> keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
> keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, 
> keysizemin=128,
> keysizemax=256
> 000 algorithm ESP encrypt: id=13, name=(null), ivlen=8, keysizemin=128,
> keysizemax=256
> 000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128,
> keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
> keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, 
> keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, 
> bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, 
> bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, 
> bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, 
> bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, 
> bits=8192
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,5,64}
> trans={0,5,1080} attrs={0,5,360}
> 000
> 000 "cisco":
> 192.168.4.0/24===xxx.xxx.xxx.xxx---xxx.xxx.xxx.gw...xxx.xxx.xxx.gw---yyy.yyy
> .yyy.yyy===192.168.13.0/24;
> erouted; eroute owner: #8
> 000 "cisco":     srcip=192.168.4.12; dstip=unset; srcup=ipsec _updown;
> dstup=ipsec _updown;
> 000 "cisco":   ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 
> 540s;
> rekey_fuzz: 100%; keyingtries: 0
> 000 "cisco":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface:
> eth0; encap: esp;
> 000 "cisco":   newest ISAKMP SA: #7; newest IPsec SA: #8;
> 000 "cisco":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
> 000 "cisco":   ESP algorithms wanted: 3DES(3)_000-MD5(1);
> pfsgroup=MODP1024(2); flags=strict
> 000 "cisco":   ESP algorithms loaded: 3DES(3)_000-MD5(1);
> pfsgroup=MODP1024(2); flags=strict
> 000 "cisco":   ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<N/A>
> 000
> 000 #8: "cisco":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
> EVENT_SA_REPLACE in 27397s; newest IPSEC; eroute owner
> 000 #8: "cisco" esp.54ca394e at yyy.yyy.yyy.yyy
> esp.74437dee at xxx.xxx.xxx.xxx tun.0 at yyy.yyy.yyy.yyy 
> tun.0 at xxx.xxx.xxx.xxx
> 000 #7: "cisco":500 STATE_MAIN_I4 (ISAKMP SA established);
> EVENT_SA_REPLACE in 27537s; newest ISAKMP; lastdpd=10s(seq in:0 out:0)
> 000
> 
> 
> 
> $ service ipsec status
> IPsec running  - pluto pid: 15669
> pluto pid 15669
> 1 tunnels up
> some eroutes exist
> 
> 
> 
> $ ip xfrm state
> src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx
>      proto esp spi 0x74437dee reqid 16385 mode tunnel
>      replay-window 32
>      auth hmac(md5) 0x64171f9eccec636983692dfdbbc8c9e5
>      enc cbc(des3_ede) 
> 0xf6f04d7a1f008063f6ce4c2806b6b111c5d1d19286907345
>      sel src 0.0.0.0/0 dst 0.0.0.0/0
> src xxx.xxx.xxx.xxx dst yyy.yyy.yyy.yyy
>      proto esp spi 0x54ca394e reqid 16385 mode tunnel
>      replay-window 32
>      auth hmac(md5) 0x9444902bea54768bb7e66aabdff1aea6
>      enc cbc(des3_ede) 
> 0xf0ca7c8f2b0429471e03c3d3e0739d57a1c9def0b2edddf5
>      sel src 0.0.0.0/0 dst 0.0.0.0/0
> 
> 
> 
> $ less /var/run/pluto/ipsec.info
> defaultroutephys=eth0
> defaultroutevirt=ipsec0
> defaultrouteaddr=xxx.xxx.xxx.xxx
> defaultroutenexthop=xxx.xxx.xxx.gw
> 
> 
> Can someone help me with this issue?
> 
> 
> Thank you,
> 
> 
> --
> Mitsue
> 
> 
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> 
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155


More information about the Users mailing list