[Openswan Users] Tunnel established but cannot ping
Makarand Pradhan
MakarandPradhan at is5com.com
Wed Apr 3 12:32:56 EDT 2019
Hello Everyone,
I'm trying to use Openswan to create an IPsec tunnel. The tunnel status says up, but I cannot ping over the tunnel. Would appreciate any pointers to get it working.
Please find below the details of my setup.
Setup:
(Linux PC)
10.1.1.3
   |
   |
10.1.1.1      172.16.18.64 <-------> 172.16.18.72      192.168.18.1 --- 192.168.18.3
eth0          eth1                   eth0              eth1             Linux PC
Raspberry Pi                         Linux VM
OpenSwan running here.               OpenSwan running here.
On Linux vm (172.16.18.72)
service ipsec status
IPsec running - pluto pid: 29954
pluto pid 29954
1 tunnels up
some eroutes exist
ipsec auto --status
000 using kernel interface: netkey
...
000 interface eth0/eth0 172.16.18.64
000 interface eth0/eth0 172.16.18.64
000 interface eth1/eth1 192.168.18.1
000 interface eth1/eth1 192.168.18.1
...
000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
000 - disallowed 0 subnets:
...
000 "test_conn": 192.168.18.0/24===172.16.18.64<172.16.18.64>...172.16.18.72<172.16.18.72>===10.1.1.0/24; erouted; eroute owner: #2
root@makarandpradhan:/proc/sys/net/ipv4# ip xfrm state
src 172.16.18.72 dst 172.16.18.64
proto esp spi 0xdf61e45a reqid 16385 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(md5) 0x9e7882623b06f8509aa2337957752bd9 96
enc cbc(des3_ede) 0x953abbe75655e7b268feee4ab63f6bff876d7b6254ed7325
src 172.16.18.64 dst 172.16.18.72
proto esp spi 0x8c8525e7 reqid 16385 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(md5) 0xff8d29bc5bbfe1d935eb260a29a944df 96
enc cbc(des3_ede) 0xfa1cc693ef5dba393bdacc2553b7fbd86b46e68d7acca8a1
root@makarandpradhan:/proc/sys/net/ipv4# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.16.18.2 0.0.0.0 UG 0 0 0 eth0
172.16.18.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.18.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
root@makarandpradhan:/proc/sys/net/ipv4# ipsec eroute
/usr/lib/ipsec/eroute: NETKEY does not support eroute table.
When I ping 10.1.1.1 from 192.168.18.3, I can see the packet come in on eth1, i.e. 192.168.18.1, but I do not see an ESP packet go out of eth0 (172.16.18.72). I think the packet is going out the default route instead of the tunnel.
I'm running a fairly recent Linux and Openswan:
root@makarandpradhan:/proc/sys/net/ipv4# uname -a
Linux makarandpradhan 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:07:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
root@makarandpradhan:/proc/sys/net/ipv4# dpkg -l openswan
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-============-============-=================================
ii openswan 1:2.6.38-1 amd64 Internet Key Exchange daemon
Any pointers to get the tunnel working would be highly appreciated.
With Rgds,
Makarand.
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
#1-1815 Meyerside Drive
Mississauga, Ontario
L5T 1G3
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax:+1-289-401-5206
Email: makarandpradhan at is5com.com
Website: www.iS5Com.com
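Added diagnostic, not part of the original post: since NETKEY has no eroute table (hence the `ipsec eroute` error above), the kernel SPD shown by `ip xfrm policy` is where to check whether 192.168.18.0/24 <-> 10.1.1.0/24 traffic is actually steered into the tunnel rather than out the default route. The sample policy text is constructed to match the post's subnets and is an assumption, not captured output.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). With the NETKEY stack there
# is no eroute table; the kernel SPD shown by `ip xfrm policy` decides whether
# a packet is steered into the tunnel or leaves via the plain default route.

# Constructed sample of `ip xfrm policy` output for the post's subnets:
# a working tunnel needs an "out" entry for local->remote and "in" plus
# "fwd" entries for remote->local, each with an ESP tunnel-mode template.
SAMPLE_POLICY='src 192.168.18.0/24 dst 10.1.1.0/24
    dir out priority 2344
    tmpl src 172.16.18.72 dst 172.16.18.64
        proto esp reqid 16385 mode tunnel
src 10.1.1.0/24 dst 192.168.18.0/24
    dir fwd priority 2344
    tmpl src 172.16.18.64 dst 172.16.18.72
        proto esp reqid 16385 mode tunnel
src 10.1.1.0/24 dst 192.168.18.0/24
    dir in priority 2344
    tmpl src 172.16.18.64 dst 172.16.18.72
        proto esp reqid 16385 mode tunnel'

# has_policy SRC DST DIR [POLICY_TEXT]
# Exit 0 if an SPD entry SRC->DST with direction DIR carries an ESP
# tunnel-mode template, else 1. Reads the live SPD when no text is given.
has_policy() {
    text=${4-$(ip xfrm policy 2>/dev/null)}
    printf '%s\n' "$text" | awk -v s="$1" -v d="$2" -v w="$3" '
        /^src /        { hdr = ($2 == s && $4 == d); ok = 0 }
        /^[ \t]*dir /  { if (hdr && $2 == w) ok = 1 }
        /proto esp/    { if (ok && /mode tunnel/) found = 1 }
        END            { exit (found ? 0 : 1) }'
}

# missing_policies LOCAL_NET REMOTE_NET [POLICY_TEXT]
# Prints each SPD entry the tunnel lacks and returns how many are missing;
# a return of 0 means traffic between the subnets will be steered into ESP.
missing_policies() {
    lnet=$1; rnet=$2; text=${3-$(ip xfrm policy 2>/dev/null)}; n=0
    has_policy "$lnet" "$rnet" out "$text" || { echo "missing: dir out $lnet -> $rnet"; n=$((n+1)); }
    has_policy "$rnet" "$lnet" in  "$text" || { echo "missing: dir in  $rnet -> $lnet"; n=$((n+1)); }
    has_policy "$rnet" "$lnet" fwd "$text" || { echo "missing: dir fwd $rnet -> $lnet"; n=$((n+1)); }
    return $n
}

# Demo against the constructed sample; on the VM itself run it with no third
# argument to inspect the live SPD: missing_policies 192.168.18.0/24 10.1.1.0/24
missing_policies 192.168.18.0/24 10.1.1.0/24 "$SAMPLE_POLICY" && echo "SPD complete"
```

If the "out" entry is reported missing, the ping is forwarded unencrypted along the default route, which matches the symptom of no ESP leaving eth0.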