[Openswan Users] Aliased device on Host to Site Openswan tunnel troubleshooting
users-bounces at lists.openswan.org
Tue May 17 08:21:54 EDT 2016
Rescued from the spam bucket. Please remember to subscribe to the mailing list before posting to it.
From: "Kevin Kohler" <kevinwkohler at gmail.com>
Subject: Aliased device on Host to Site Openswan tunnel troubleshooting
Date: May 17, 2016 at 8:21:36 AM EDT
To: <users at lists.openswan.org>
Hi,
I have the following network configuration:
<Private subnet 196.34.X.X/24> --- <196.25.X.X> < < ==== IPSEC VPN TUNNEL ==== > > <41.X.X.X> <ALIAS 192.168.253.1>
I am connecting from my server to a 3rd party. I want to be able to allow access to an Apache server instance running on an aliased private IP (192.168.253.1). I have set up the alias and configured OpenSwan as best as I can tell.
The tunnel appears to be coming up; however, no packets are being routed via the tunnel from either side. I have a feeling I need to set up special IPTABLES POSTROUTING rules for the traffic destined to their private subnet (196.34.X.X/24) to be routed via the tunnel; however, I am unsure how to achieve this.
Here is my connection setting:
## connection definition 3rdParty ##
conn party-ipsec-vpn
    authby=secret
    auto=start
    ike=3des-sha1;modp1024
    ikelifetime=1440m
    ## phase 1 ##
    keyexchange=ike
    ## phase 2 ##
    phase2=esp
    phase2alg=3des-sha1;modp1024
    compress=no
    # Perfect Forward Secrecy
    pfs=yes
    type=tunnel
    left=196.25.X.X
    leftsourceip=196.34.X.10
    leftsubnet=196.34.X.X/24
    right=41.X.X.X
    rightsubnet=192.168.253.0/24
    rightsourceip=192.168.253.1
When I start the tunnel, it appears to work/come up:
# ipsec auto --up easypay-ipsec-vpn
117 "easypay-ipsec-vpn" #4: STATE_QUICK_I1: initiate
004 "easypay-ipsec-vpn" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x07707bb5 <0xc435a5c2 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
But when I try telnet/ping etc. to the 196.34.X.X/24 range, if I run a tcpdump (tcpdump -vv -i any -n dst host 196.34.X.X) it shows ARP requests with no response.
ip xfrm policy has the route from 253.0/24->196.34.X.X/24 and vice versa.
# cat /etc/redhat-release
CentOS release 6.7 (Final)
# ipsec --version
Linux Openswan U2.6.32/K2.6.32-573.22.1.el6.x86_64 (netkey)
See `ipsec --copyright' for copyright information.
Not sure what other info may be required?
Any assistance will be greatly appreciated!
Thank you
Kevin (from South Africa)
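A small checker, added here as an illustration and not part of Kevin's post or of Openswan itself, for the POSTROUTING suspicion above: it parses `iptables-save -t nat` output to see whether a MASQUERADE/SNAT rule would rewrite the 192.168.253.0/24 -> remote-subnet traffic before the kernel's xfrm policy gets to it, and builds the exemption rule to insert ahead of that NAT rule. The sample rule set is constructed, and the masked 196.34.X.X octets are filled with zeros as a placeholder.

```python
import ipaddress
import re

# Constructed sample of `iptables-save -t nat` output (not from the original post):
# a blanket MASQUERADE on the public interface, which source-rewrites tunnel-bound
# packets before the IPsec policy lookup, so they never match the xfrm policy.
SAMPLE_NAT_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Subnets from the post; the masked octets (196.34.X.X) are filled with 0 as a placeholder.
LOCAL_SUBNET = ipaddress.ip_network("192.168.253.0/24")   # rightsubnet
REMOTE_SUBNET = ipaddress.ip_network("196.34.0.0/24")     # leftsubnet (placeholder)


def parse_postrouting(text):
    """Yield (src, dst, target, policy) for each POSTROUTING rule, in table order."""
    for line in text.splitlines():
        if not line.startswith("-A POSTROUTING"):
            continue
        src = re.search(r" -s (\S+)", line)
        dst = re.search(r" -d (\S+)", line)
        target = re.search(r" -j (\S+)", line).group(1)
        pol = re.search(r"--pol (\S+)", line)          # from `-m policy --dir out --pol ...`
        yield (ipaddress.ip_network(src.group(1)) if src else None,
               ipaddress.ip_network(dst.group(1)) if dst else None,
               target, pol.group(1) if pol else None)


def tunnel_traffic_is_natted(text, local, remote):
    """True when the first POSTROUTING rule matching local->remote traffic rewrites its source.
    Rules with `--pol ipsec` are taken to match (the post confirms the xfrm policy exists);
    rules with `--pol none` cannot match tunnel-bound traffic and are skipped."""
    for src, dst, target, pol in parse_postrouting(text):
        if pol == "none":
            continue
        if src is not None and not local.subnet_of(src):
            continue
        if dst is not None and not remote.subnet_of(dst):
            continue
        # Interface-only rules such as `-o eth0` match everything leaving that interface.
        return target in ("MASQUERADE", "SNAT")
    return False


def exemption_rule(local, remote):
    """The NAT bypass to insert ahead of the MASQUERADE rule (`-I` puts it first)."""
    return f"iptables -t nat -I POSTROUTING -s {local} -d {remote} -j ACCEPT"
```

Run `exemption_rule(LOCAL_SUBNET, REMOTE_SUBNET)` on the real subnets and re-check with the live `iptables-save -t nat` output; an equivalent bypass is `-m policy --dir out --pol ipsec -j ACCEPT`, which the checker also recognises.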