[Openswan Users] Ipsec tunnel up but no traffic is sent through

Giovanni Messina - Bizmate s.r.l giovanni.messina at bizmate.it
Tue Dec 6 09:42:19 EST 2016


Hi all!

I am a new Openswan user and I am starting to enjoy this tool.

I'm configuring a site-to-site IPsec tunnel, and I have a problem: 
the tunnel is up but no traffic is passing through. The scenario is 
described below.

I have to establish an IPsec tunnel between our customer site (on Amazon 
cloud) and a provider site. A host in our customer site needs to 
connect to two different hosts in the provider site through the IPsec 
tunnel. The IPsec endpoint for our customer is a Linux server; the Linux 
server is behind a firewall and doesn't have a public IP. The IPsec 
endpoint of the provider is a Cisco ASA; I have no control over this 
endpoint. The endpoint LAN IP address is 192.168.60.10 and the host that 
needs to use the IPsec tunnel has IP 192.168.50.4. Because of a requirement of 
the provider, we have to use as encryption domain (our left subnet) the 
network 10.129.46.168/29; so I have configured an SNAT that translates the 
IP of the host (192.168.50.4) to an IP of the encryption domain 
(10.129.46.169). On the provider side, the encryption domain (the right 
subnet) consists of two different IPs: 
10.129.128.101/32 and 10.128.243.223/32, so in the configuration you can 
find the "rightsubnets" parameter.

I have the following ipsec.conf:

# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version    2.0    # conforms to second version of ipsec.conf specification

# basic configuration
config setup
     # Do not set debug options to debug configuration issues!
     # plutodebug / klipsdebug = "all", "none" or a combation from below:
     # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
     # eg:
     # plutodebug="control parsing"
     #
     # enable to get logs per-peer
      plutoopts="--perpeerlog"
     #
     # Again: only enable plutodebug or klipsdebug when asked by a developer
     #
     # NAT-TRAVERSAL support, see README.NAT-Traversal
     nat_traversal=yes
     # exclude networks used on server side by adding %v4:!a.b.c.0/24
     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
     # OE is now off by default. Uncomment and change to on, to enable.
     #oe=off
     # which IPsec stack to use. auto will try netkey, then klips then mast
     protostack=netkey
     interfaces=%defaultroute
     klipsdebug=all
     plutodebug=all
         plutostderrlog=/var/log/pluto.log
conn provider
     type=tunnel
     left=192.168.60.10
     leftnexthop=%defaultroute
     leftsubnet=10.129.46.168/29
     right=PROVIDER_PUBLIC_IP
     #rightnexthop=%defaultroute
     #rightsubnet=10.129.128.101/32
     rightsubnets={10.129.128.101/32,10.128.243.223/32}
     ike=3des-md5;modp1024
     auth=esp
     phase2alg=3des-md5
     keyexchange=ike
     authby=secret
     pfs=no
     auto=start
     aggrmode=no
         ikelifetime=28800s
         salifetime=3600s
     forceencaps=yes


and the tunnel seems to be up:

#/etc/init.d/ipsec status
IPsec running  - pluto pid: 28315
pluto pid 28315
2 tunnels up
some eroutes exist

and ipsec auto --status:
000 #460: "provider/0x1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA 
established); EVENT_SA_REPLACE in 1678s; newest IPSEC; eroute owner; 
isakmp#458; idle; import:admin initiate
000 #460: "provider/0x1" esp.908d713a at PROVIDER_PUBLIC_IP 
esp.43855675 at 192.168.60.10 tun.0 at PROVIDER_PUBLIC_IP tun.0 at 192.168.60.10 
ref=0 refhim=4294901761
000 #458: "provider/0x1":4500 STATE_MAIN_I4 (ISAKMP SA established); 
EVENT_SA_REPLACE in 27088s; newest ISAKMP; lastdpd=17s(seq in:0 out:0); 
idle; import:admin initiate
000 #459: "provider/0x2":4500 STATE_QUICK_I2 (sent QI2, IPsec SA 
established); EVENT_SA_REPLACE in 1947s; newest IPSEC; eroute owner; 
isakmp#458; idle; import:admin initiate
000 #459: "provider/0x2" esp.5efdb3f7 at PROVIDER_PUBLIC_IP 
esp.67195cef at 192.168.60.10 tun.0 at PROVIDER_PUBLIC_IP tun.0 at 192.168.60.10 
ref=0 refhim=4294901761
000


Here is the source NAT configuration on the IPsec endpoint:

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.50.4         10.129.128.101 to:10.129.46.170
SNAT       all  --  192.168.50.4         10.128.243.223 to:10.129.46.169
MASQUERADE  all  --  192.168.50.0/24      anywhere

If I try a telnet from the host on the customer site to one of the hosts 
in the provider site, the telnet doesn't work. In the NAT translation 
table I can see the following:
packets=6 bytes=360 [UNREPLIED] src=10.129.128.101 dst=10.129.46.170 
sport=23 dport=46032 packets=0 bytes=0 mark=0 secmark=0 use=2

I asked the provider's IT group to check whether they receive traffic 
from our host. They used an ACL to log the traffic from our host; they 
confirmed that the tunnels are up but no traffic arrived in their 
network:

access-list outside_cryptomap_161 extended permit ip host 10.129.128.101 
10.129.46.168 255.255.255.248

       local ident (addr/mask/prot/port): (10.129.128.101/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (10.129.46.168/255.255.255.248/0/0)
       current_peer: CUSTOMER_PUBLIC_IP

       #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
       #pkts decaps: 0, #pkts decrypt: 0, #pkts verify:

Here is the ip xfrm policy output:

src 10.129.46.168/29 dst 10.129.128.101/32
     dir out priority 2176 ptype main
     tmpl src 192.168.60.10 dst PROVIDER_PUBLIC_IP
         proto esp reqid 16385 mode tunnel
src 10.129.46.168/29 dst 10.128.243.223/32
     dir out priority 2176 ptype main
     tmpl src 192.168.60.10 dst PROVIDER_PUBLIC_IP
         proto esp reqid 16389 mode tunnel
src 10.128.243.223/32 dst 10.129.46.168/29
     dir fwd priority 2176 ptype main
     tmpl src PROVIDER_PUBLIC_IP dst 192.168.60.10
         proto esp reqid 16389 mode tunnel
src 10.128.243.223/32 dst 10.129.46.168/29
     dir in priority 2176 ptype main
     tmpl src PROVIDER_PUBLIC_IP dst 192.168.60.10
         proto esp reqid 16389 mode tunnel
src 10.129.128.101/32 dst 10.129.46.168/29
     dir fwd priority 2176 ptype main
     tmpl src PROVIDER_PUBLIC_IP dst 192.168.60.10
         proto esp reqid 16385 mode tunnel
src 10.129.128.101/32 dst 10.129.46.168/29
     dir in priority 2176 ptype main
     tmpl src PROVIDER_PUBLIC_IP dst 192.168.60.10
         proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
     dir 4 priority 0 ptype main
src ::/0 dst ::/0
     dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
     dir 3 priority 0 ptype main


Here is the traceroute from the customer host:
traceroute to 10.129.128.101 (10.129.128.101), 30 hops max, 60 byte packets
  1  192.168.60.10 (192.168.60.10)  0.356 ms  0.335 ms  0.344 ms
  2  * * *
  3  * * *
  4  * * *
  5  * * *
  6  * * *


I don't have iptables rules that block the traffic:

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  MALICIUS_HOST_IP        anywhere     (old rule, not 
related to the IPsec tunnel)

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


Here is the ipsec verify output:

perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
     LANGUAGE = (unset),
     LC_ALL = (unset),
     LANG = "it_IT.UTF-8"
     are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.28/K2.6.32-5-xen-686 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
Pluto listening for IKE on udp 500                              [OK]
Pluto listening for NAT-T on udp 4500                           [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support [DISABLED]


I also tried enabling and disabling forceencaps, but nothing changed.

So it seems that the traffic from the customer host isn't sent through 
the IPsec tunnel, but why?
I would really appreciate it if someone could provide any help!

Thank You!






-- 

-----------------------------------------------------------
*Giovanni Messina*
Systems Operations
tel: *+39 095 388583*
tel/fax: *+39 095 382521*
internet: www.bizmate.it <http://www.bizmate.it/>
mail: giovanni.messina at bizmate.it <mailto:giovanni.messina at bizmate.it>
-----------------------------------------------------------
Bizmate S.r.l. - confidential - All rights reserved
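As an added example (not part of Giovanni's post and not Openswan code), here is a small Python checker for exactly the question this message raises: does a host-to-host flow fall inside a `dir out` xfrm selector once the POSTROUTING SNAT has been applied? It parses `ip xfrm policy` output and models the SNAT rules as (source, destination, new source) triples; the xfrm policies and SNAT rules quoted in the message are embedded as constructed sample data, with the PROVIDER_PUBLIC_IP placeholder kept as the poster wrote it. A flow that matches no outbound selector is not encapsulated and leaves the gateway in the clear, which is the first thing to rule out when the SAs are up but the peer's encaps/decaps counters stay at zero.

```python
import ipaddress
import re

# Constructed sample: the `ip xfrm policy` output quoted in the post
# (trimmed to the tunnel policies plus one socket-level catch-all).
XFRM_POLICY = """\
src 10.129.46.168/29 dst 10.129.128.101/32
     dir out priority 2176 ptype main
     tmpl src 192.168.60.10 dst PROVIDER_PUBLIC_IP
         proto esp reqid 16385 mode tunnel
src 10.129.46.168/29 dst 10.128.243.223/32
     dir out priority 2176 ptype main
     tmpl src 192.168.60.10 dst PROVIDER_PUBLIC_IP
         proto esp reqid 16389 mode tunnel
src 10.128.243.223/32 dst 10.129.46.168/29
     dir in priority 2176 ptype main
     tmpl src PROVIDER_PUBLIC_IP dst 192.168.60.10
         proto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
     dir 4 priority 0 ptype main
"""

# Constructed sample: the POSTROUTING SNAT rules from the post, modelled
# as (original source, destination, translated source).
SNAT_RULES = [
    ("192.168.50.4", "10.129.128.101", "10.129.46.170"),
    ("192.168.50.4", "10.128.243.223", "10.129.46.169"),
]


def parse_xfrm_policy(text):
    """Parse `ip xfrm policy` output into a list of policy dicts.

    Each dict carries the selector (src/dst networks), the direction,
    the priority and, when a template is present, its reqid. Socket
    policies (dir 3/4) have no template and keep reqid None.
    """
    policies = []
    cur = None
    for line in text.splitlines():
        m = re.match(r"^src (\S+) dst (\S+)", line)
        if m:
            cur = {"src": ipaddress.ip_network(m.group(1)),
                   "dst": ipaddress.ip_network(m.group(2)),
                   "dir": None, "priority": None, "reqid": None}
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = re.search(r"\bdir (\S+) priority (\d+)", line)
        if m:
            cur["dir"] = m.group(1)
            cur["priority"] = int(m.group(2))
            continue
        m = re.search(r"\breqid (\d+)", line)
        if m:
            cur["reqid"] = int(m.group(1))
    return policies


def apply_snat(src, dst, rules):
    """Return the source address after the first matching SNAT rule.

    Mirrors iptables semantics: the first rule whose source and
    destination both match wins; otherwise the source is unchanged.
    """
    for rule_src, rule_dst, new_src in rules:
        if src == rule_src and dst == rule_dst:
            return new_src
    return src


def match_out_policy(policies, src, dst):
    """Return the best-priority `dir out` policy covering src -> dst,
    or None when the flow would not be encapsulated at all.
    Lower priority values win, as in the kernel's xfrm lookup.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    # ipaddress returns False for a v4 address tested against a v6 network,
    # so the ::/0 socket policies never match here.
    candidates = [p for p in policies
                  if p["dir"] == "out" and s in p["src"] and d in p["dst"]]
    if not candidates:
        return None
    return min(candidates, key=lambda p: p["priority"])


def check_flow(policies, rules, src, dst):
    """Report which outbound policy (by reqid) would carry the flow both
    with the untranslated source and with the SNAT-translated source.
    """
    before = match_out_policy(policies, src, dst)
    nat_src = apply_snat(src, dst, rules)
    after = match_out_policy(policies, nat_src, dst)
    return {
        "original_src": src,
        "translated_src": nat_src,
        "reqid_before_nat": before["reqid"] if before else None,
        "reqid_after_nat": after["reqid"] if after else None,
    }


if __name__ == "__main__":
    pols = parse_xfrm_policy(XFRM_POLICY)
    for dst in ("10.129.128.101", "10.128.243.223"):
        print(check_flow(pols, SNAT_RULES, "192.168.50.4", dst))
```

For the addresses in the post, the untranslated flow (192.168.50.4 to either provider host) matches no outbound selector, while the translated flow lands in the selector with reqid 16385 or 16389. Run against real `ip xfrm policy` and `iptables -t nat -S` output, a mismatch at this step points at the selector or the NAT rule rather than at IKE, which the "2 tunnels up" status already rules out.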
