[Openswan Users] Aliased device on Host to Site Openswan tunnel troubleshooting

Kevin Kohler kevinwkohler at gmail.com
Tue May 17 09:33:11 EDT 2016


Hi,

I have the following network configuration:

<Private subnet 196.34.X.X/24> --- <196.25.X.X> <<==== IPSEC VPN TUNNEL ====>> <41.X.X.X> <ALIAS 192.168.253.1>

I am connecting from my server to a 3rd party. I want to be able to allow
access to an Apache server instance running on an aliased private IP
(192.168.253.1). I have set up the alias and configured OpenSwan as best as I
can tell.

The tunnel appears to be coming up; however, no packets are being routed via
the tunnel from either side. I have a feeling I need to set up special
IPTABLES POSTROUTING rules for the traffic destined to their private subnet
(196.34.X.X/24) to be routed via the tunnel, however I am unsure how to
achieve this.

Here are my connection settings:

## connection definition 3rdParty ##
conn party-ipsec-vpn
        authby=secret
        auto=start
        ike=3des-sha1;modp1024
        ikelifetime=1440m
        ## phase 1 ##
        keyexchange=ike
        ## phase 2 ##
        phase2=esp
        phase2alg=3des-sha1;modp1024
        compress=no
        # Perfect Forward Secrecy
        pfs=yes
        type=tunnel

        left=196.25.X.X
        leftsourceip=196.34.X.10
        leftsubnet=196.34.X.X/24

        right=41.X.X.X
        rightsubnet=192.168.253.0/24
        rightsourceip=192.168.253.1

When I start the tunnel, it appears to work/come up:

# ipsec auto --up easypay-ipsec-vpn
117 "easypay-ipsec-vpn" #4: STATE_QUICK_I1: initiate
004 "easypay-ipsec-vpn" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x07707bb5 <0xc435a5c2 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}

But when I try telnet/ping etc. to the 196.34.X.X/24 range, if I run a
tcpdump (tcpdump -vv -i any -n dst host 196.34.X.X) it shows ARP requests
with no response.

ip xfrm policy has the route from 253.0/24->196.34.X.X/24 and vice versa.

# cat /etc/redhat-release
CentOS release 6.7 (Final)

# ipsec --version
Linux Openswan U2.6.32/K2.6.32-573.22.1.el6.x86_64 (netkey)
See `ipsec --copyright' for copyright information.

Not sure what other info may be required?

Any assistance will be greatly appreciated!

Thank you

Kevin (from South Africa)
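
A quick way to see how the `ip xfrm policy` entries and the failed pings described above can coexist, as an added example that is not from the post or from Openswan: on a NETKEY host a packet is only encapsulated when both its source and destination fall inside an `out` policy selector, so traffic sourced from the public address rather than the 192.168.253.1 alias never matches the 192.168.253.0/24 -> remote-subnet policy. The addresses in the sample output are constructed documentation-range stand-ins for the redacted X.X values.

```python
import ipaddress
import re

# Constructed sample in the layout `ip xfrm policy` prints on a NETKEY host.
# Only 192.168.253.0/24 (the aliased subnet) comes from the post; the other
# addresses are documentation-range stand-ins for the redacted X.X values.
SAMPLE_POLICY = """\
src 192.168.253.0/24 dst 192.0.2.0/24
\tdir out priority 2344 ptype main
\ttmpl src 198.51.100.1 dst 203.0.113.1
\t\tproto esp reqid 16385 mode tunnel
src 192.0.2.0/24 dst 192.168.253.0/24
\tdir in priority 2344 ptype main
\ttmpl src 203.0.113.1 dst 198.51.100.1
\t\tproto esp reqid 16385 mode tunnel
"""

SELECTOR = re.compile(r"^src (\S+) dst (\S+)\s*$")
DIRECTION = re.compile(r"^\s+dir (\S+)")


def parse_policies(text):
    """Return (src_net, dst_net, direction) tuples from `ip xfrm policy` output."""
    policies, selector = [], None
    for line in text.splitlines():
        m = SELECTOR.match(line)
        if m:
            # Selector line: remember it until the indented 'dir' line follows.
            selector = (ipaddress.ip_network(m.group(1)),
                        ipaddress.ip_network(m.group(2)))
            continue
        d = DIRECTION.match(line)
        if d and selector:
            policies.append((selector[0], selector[1], d.group(1)))
            selector = None
    return policies


def matching_policy(policies, src, dst, direction="out"):
    """First selector covering src->dst in that direction, as strings, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, dirn in policies:
        if dirn == direction and s in src_net and d in dst_net:
            return (str(src_net), str(dst_net))
    return None


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_POLICY)
    print(matching_policy(pols, "192.168.253.1", "192.0.2.10"))  # alias source: covered
    print(matching_policy(pols, "198.51.100.1", "192.0.2.10"))   # public source: None
```

A packet that returns None here is sent by normal routing without ESP, which is consistent with seeing a policy installed yet nothing crossing the tunnel; `ping -I 192.168.253.1 <remote host>` is the corresponding on-host check.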
