[Openswan Users] Ipsec tunnel up but no traffic is sent through
Giovanni Messina - Bizmate s.r.l
giovanni.messina at bizmate.it
Tue Dec 6 09:42:19 EST 2016
Hi all!
I am a new Openswan user and I am starting to enjoy this tool.
I'm configuring a site-to-site ipsec tunnel, and I have some problems:
the tunnel is up but no traffic is passing through. A description of the
scenario follows.
I have to establish an ipsec tunnel between our customer site (on Amazon
cloud) and a provider site. A host in our customer site needs to
connect to two different hosts in the provider site, through the ipsec
tunnel. The ipsec endpoint for our customer is a Linux server; the Linux
server is behind a firewall and doesn't have a public IP. The ipsec
endpoint of the provider is a Cisco ASA: I have no control over this
endpoint. The endpoint LAN IP address is 192.168.60.10 and the host that
needs to use the ipsec tunnel has IP 192.168.50.4. Because of a requirement
of the provider, we have to use the network 10.129.46.168/29 as encrypted
domain (our left subnet); so I have configured an SNAT that translates the
IP of the host (192.168.50.4) to an IP of the encrypted domain
(10.129.46.169). On the provider side, the encryption domain (the right
subnet) is composed of two different IPs:
10.129.128.101/32, 10.128.243.223/32, so in the configuration you can
find the "rightsubnets" parameter.
I have the following ipsec.conf:
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        #
        # enable to get logs per-peer
        plutoopts="--perpeerlog"
        #
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        # OE is now off by default. Uncomment and change to on, to enable.
        #oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        protostack=netkey
        interfaces=%defaultroute
        klipsdebug=all
        plutodebug=all
        plutostderrlog=/var/log/pluto.log

conn provider
        type=tunnel
        left=192.168.60.10
        leftnexthop=%defaultroute
        leftsubnet=10.129.46.168/29
        right=PROVIDER_PUBLIC_IP
        #rightnexthop=%defaultroute
        #rightsubnet=10.129.128.101/32
        rightsubnets={10.129.128.101/32,10.128.243.223/32}
        ike=3des-md5;modp1024
        auth=esp
        phase2alg=3des-md5
        keyexchange=ike
        authby=secret
        pfs=no
        auto=start
        aggrmode=no
        ikelifetime=28800s
        salifetime=3600s
        forceencaps=yes
and the tunnel seems to be up:
#/etc/init.d/ipsec status
IPsec running - pluto pid: 28315
pluto pid 28315
2 tunnels up
some eroutes exist
and ipsec auto --status:
000 #460: "provider/0x1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1678s; newest IPSEC; eroute owner; isakmp#458; idle; import:admin initiate
000 #460: "provider/0x1" esp.908d713a at PROVIDER_PUBLIC_IP esp.43855675 at 192.168.60.10 tun.0 at PROVIDER_PUBLIC_IP tun.0 at 192.168.60.10 ref=0 refhim=4294901761
000 #458: "provider/0x1":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 27088s; newest ISAKMP; lastdpd=17s(seq in:0 out:0); idle; import:admin initiate
000 #459: "provider/0x2":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1947s; newest IPSEC; eroute owner; isakmp#458; idle; import:admin initiate
000 #459: "provider/0x2" esp.5efdb3f7 at PROVIDER_PUBLIC_IP esp.67195cef at 192.168.60.10 tun.0 at PROVIDER_PUBLIC_IP tun.0 at 192.168.60.10 ref=0 refhim=4294901761
000
Here is the Source Nat configuration on the ipsec endpoint:
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 192.168.50.4 10.129.128.101 to:10.129.46.170
SNAT all -- 192.168.50.4 10.128.243.223 to:10.129.46.169
MASQUERADE all -- 192.168.50.0/24 anywhere
If I try a telnet from the host on the customer site to one of the hosts
in the provider site, the telnet doesn't work. I can see the following in
the nat translation file:
packets=6 bytes=360 [UNREPLIED] src=10.129.128.101 dst=10.129.46.170 sport=23 dport=46032 packets=0 bytes=0 mark=0 secmark=0 use=2
I've asked the provider IT group to check if they receive traffic
from our host... They used an ACL to log the traffic from our host; they
confirmed that the tunnels are up but no traffic had arrived in their
network:
access-list outside_cryptomap_161 extended permit ip host 10.129.128.101 10.129.46.168 255.255.255.248
local ident (addr/mask/prot/port): (10.129.128.101/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.129.46.168/255.255.255.248/0/0)
current_peer: CUSTOMER_PUBLIC_IP
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify:
Here is the ip xfrm policy output:
src 10.129.46.168/29 dst 10.129.128.101/32
        dir out priority 2176 ptype main
        tmpl src 192.168.60.10 dst PROVIDER_PUBLIC_IP
                proto esp reqid 16385 mode tunnel
src 10.129.46.168/29 dst 10.128.243.223/32
        dir out priority 2176 ptype main
        tmpl src 192.168.60.10 dst PROVIDER_PUBLIC_IP
                proto esp reqid 16389 mode tunnel
src 10.128.243.223/32 dst 10.129.46.168/29
        dir fwd priority 2176 ptype main
        tmpl src PROVIDER_PUBLIC_IP dst 192.168.60.10
                proto esp reqid 16389 mode tunnel
src 10.128.243.223/32 dst 10.129.46.168/29
        dir in priority 2176 ptype main
        tmpl src PROVIDER_PUBLIC_IP dst 192.168.60.10
                proto esp reqid 16389 mode tunnel
src 10.129.128.101/32 dst 10.129.46.168/29
        dir fwd priority 2176 ptype main
        tmpl src PROVIDER_PUBLIC_IP dst 192.168.60.10
                proto esp reqid 16385 mode tunnel
src 10.129.128.101/32 dst 10.129.46.168/29
        dir in priority 2176 ptype main
        tmpl src PROVIDER_PUBLIC_IP dst 192.168.60.10
                proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
        dir 4 priority 0 ptype main
src ::/0 dst ::/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
Here is the traceroute from the customer host:
traceroute to 10.129.128.101 (10.129.128.101), 30 hops max, 60 byte packets
1 192.168.60.10 (192.168.60.10) 0.356 ms 0.335 ms 0.344 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
I don't have iptables rules that block the traffic:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- MALICIUS_HOST_IP anywhere (old rule, it's not related to the ipsec tunnel)
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Here is the ipsec verify output:
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LANG = "it_IT.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.28/K2.6.32-5-xen-686 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
I also tried enabling and disabling forceencaps, but nothing changed.
So, it seems that the traffic from the customer host isn't sent through
the ipsec tunnel. But why?
I would really appreciate it if someone could provide any help!
Thank you!
--
-----------------------------------------------------------
Giovanni Messina
Systems Operations
tel: +39 095 388583
tel/fax: +39 095 382521
internet: www.bizmate.it
mail: giovanni.messina at bizmate.it
-----------------------------------------------------------
Bizmate S.r.l. - confidential - All rights reserved
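As an added example that is not part of the original post: the script below parses `ip xfrm policy` output (a constructed sample built from the out and in policies shown above, with the post's PROVIDER_PUBLIC_IP placeholder kept as-is) and reports which policy, if any, the kernel would select for a given flow. The relevant ordering is that, for a packet the gateway forwards, netkey performs the xfrm policy lookup in ip_forward(), before the POSTROUTING chain in which SNAT rewrites the source, so the lookup sees the original 192.168.50.4 and not the translated 10.129.46.170. The function names (parse_xfrm_policy, lookup, check_forwarded_flow) are my own, not Openswan's.

```python
import ipaddress
import re

# Constructed sample in `ip xfrm policy` layout, built from the policies in
# the post.  PROVIDER_PUBLIC_IP is the post's placeholder; tunnel endpoints
# are only recorded, never used as match criteria.
SAMPLE_XFRM_POLICY = """\
src 10.129.46.168/29 dst 10.129.128.101/32
        dir out priority 2176 ptype main
        tmpl src 192.168.60.10 dst PROVIDER_PUBLIC_IP
                proto esp reqid 16385 mode tunnel
src 10.129.46.168/29 dst 10.128.243.223/32
        dir out priority 2176 ptype main
        tmpl src 192.168.60.10 dst PROVIDER_PUBLIC_IP
                proto esp reqid 16389 mode tunnel
src 10.128.243.223/32 dst 10.129.46.168/29
        dir in priority 2176 ptype main
        tmpl src PROVIDER_PUBLIC_IP dst 192.168.60.10
                proto esp reqid 16389 mode tunnel
src 10.129.128.101/32 dst 10.129.46.168/29
        dir in priority 2176 ptype main
        tmpl src PROVIDER_PUBLIC_IP dst 192.168.60.10
                proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
        dir 4 priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0 ptype main
"""

SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)$")
DIR_RE = re.compile(r"^dir (\S+) priority (\d+)")
TMPL_RE = re.compile(r"^tmpl src (\S+) dst (\S+)")
PROTO_RE = re.compile(r"^proto (\S+) reqid (\d+) mode (\S+)")


def parse_xfrm_policy(text):
    """Parse `ip xfrm policy` output into a list of policy dicts."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SELECTOR_RE.match(line):
            cur = {"src": ipaddress.ip_network(m[1]), "dst": ipaddress.ip_network(m[2]),
                   "dir": None, "priority": 0, "tmpl": []}
            policies.append(cur)
        elif cur is None:
            continue
        elif m := DIR_RE.match(line):
            cur["dir"], cur["priority"] = m[1], int(m[2])
        elif m := TMPL_RE.match(line):
            cur["tmpl"].append({"src": m[1], "dst": m[2]})
        elif (m := PROTO_RE.match(line)) and cur["tmpl"]:
            cur["tmpl"][-1].update(proto=m[1], reqid=int(m[2]), mode=m[3])
    return policies


def lookup(policies, src, dst, direction="out"):
    """Return the policy the kernel would select for src/dst in the given
    direction (lowest priority value wins), or None when nothing matches.
    Numeric dir values are per-socket policies and never match here."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p["dir"] == direction and s in p["src"] and d in p["dst"]]
    return min(hits, key=lambda p: p["priority"]) if hits else None


def is_tunnelled(policies, src, dst, direction="out"):
    pol = lookup(policies, src, dst, direction)
    return pol is not None and any(t.get("mode") == "tunnel" for t in pol["tmpl"])


def check_forwarded_flow(policies, host_src, snat_src, dst):
    """For a forwarded packet, netkey runs the xfrm policy lookup in
    ip_forward(), before the POSTROUTING chain where SNAT rewrites the
    source.  Report what the lookup actually sees (pre-NAT) next to what
    it would have seen had the SNAT already been applied (post-NAT)."""
    return {
        "pre_nat_tunnelled": is_tunnelled(policies, host_src, dst),
        "post_nat_tunnelled": is_tunnelled(policies, snat_src, dst),
    }


if __name__ == "__main__":
    pols = parse_xfrm_policy(SAMPLE_XFRM_POLICY)
    for dst, snat in (("10.129.128.101", "10.129.46.170"),
                      ("10.128.243.223", "10.129.46.169")):
        print(dst, check_forwarded_flow(pols, "192.168.50.4", snat, dst))
```

For both provider hosts the result is pre_nat_tunnelled False and post_nat_tunnelled True: the out policies cover only the translated /29 source, so a forwarded packet from 192.168.50.4 selects no tunnel policy at lookup time, which is consistent with the ASA's zero #pkts decaps counters. The same lookup() can be run in the "in" direction to confirm that replies from 10.129.128.101 to a /29 address would be accepted.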