List: openswan-users
Subject: [Openswan Users] Cannot get end-to-end bidirectional successful subnet routing across an OpenSwan VP
From: Angelo Roussos <angelo () roussos ! co ! za>
Date: 2012-03-29 1:21:12
Message-ID: loom.20120329T025717-313 () post ! gmane ! org
Hi All,
Apologies for the (possibly) distorted ascii depiction of the OpenSwan VPN setup
we are trying to implement. The following is the current setup:
10.112.0.0/21===x.x.128.61<x.x.128.61>[+S=C]---x.x.128.1...y.y.40.228<y.y.40.228>[+S=C]===172.16.94.0/24
The issues are as follows:
1. We can successfully set up an OpenSwan VPN using OpenSwan installed on CentOS
5.7 (OpenSwan 'left' host is x.x.128.61)
2. iptables is NOT running, and all firewalling and SELinux-related processes
are also NOT running
3. We can successfully route from the 'right' side of the VPN (i.e. from
172.16.94.0/24) all the way to the OpenSwan host (x.x.128.61), but cannot get
beyond that. Correspondingly, we cannot get from anywhere on the 10.112.0.0/21
subnet beyond the OpenSwan host (x.x.128.61). Again, no NATting, masquerading,
iptables etc. etc. are in place.
4. sysctl.conf (OpenSwan host x.x.128.61):
net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
5. ipsec.conf:
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=all
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=yes           # but irrelevant in our setup
    oe=off
    # Enable this if you see "failed to find any available worker"
    # nhelpers=0
    interfaces=%defaultroute
conn JOYV-KIO-VPN
    type=tunnel                 # tunnel-mode IPsec
    left=x.x.128.61             # public IP address of the OpenSwan endpoint
    leftsubnet=10.112.0.0/21    # network behind the OpenSwan endpoint
    leftsourceip=10.112.0.61    # address the OpenSwan host itself uses when sending into the tunnel
    leftnexthop=%defaultroute
    right=y.y.40.228            # remote tunnel end-point (the Cisco ASA)
    rightsubnet=172.16.94.0/24  # network behind the Cisco
    auth=esp
    esp=3des-md5                # ESP with 3DES and HMAC-MD5; must match the ASA's transform set
    keyexchange=ike             # use regular IKE
    ikelifetime=28800s
    authby=secret               # pre-shared secret; RSA signatures are also possible
    pfs=no                      # perfect forward secrecy disabled
    auto=start                  # bring the tunnel up at startup (auto=add would only accept incoming)
6. Output of ipsec verify (OpenSwan host x.x.128.61):
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.18-308.1.1.el5 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
7. Output of netstat -rn (OpenSwan host x.x.128.61) ON SUCCESSFUL START OF THE
VPN CONNECTION:
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.16.94.0     x.x.128.1       255.255.255.0   UG        0 0          0 eth0
x.x.128.0       0.0.0.0         255.255.254.0   U         0 0          0 eth0
10.112.0.0      0.0.0.0         255.255.248.0   U         0 0          0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
0.0.0.0         x.x.128.1       0.0.0.0         UG        0 0          0 eth0
8. The 'right' side is a Cisco ASA, and there is no problem routing from right
to left until the OpenSwan host.
Any ideas? Pulling my hair out on this one.
Thanks,
Angelo.
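The setup above uses protostack=netkey, so the tunnel is realised not by a routing-table entry but by XFRM policies in the kernel. A subnet-to-subnet tunnel needs three of them on the OpenSwan host: "out" (10.112.0.0/21 -> 172.16.94.0/24), "in" (remote subnet -> local subnet, delivered to the host itself) and "fwd" (remote subnet -> local subnet, forwarded on through the host). The "fwd" policy is the one that matters for the symptom described, because without it decrypted packets can reach the OpenSwan host but are not forwarded into 10.112.0.0/21. The script below is an added example, not code from the post or from Openswan: it takes an `ip xfrm policy show` dump on stdin and reports which of the three policies is missing. The subnets are the post's; x.x.128.61 and y.y.40.228 are the post's placeholders; both policy dumps are constructed to look like iproute2 output (one complete, one lacking the fwd policy) so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks that the kernel
# XFRM policies Openswan/NETKEY installs for a subnet-to-subnet tunnel
# are present in all three directions: out, fwd and in.

LEFTNET=10.112.0.0/21      # leftsubnet from the post
RIGHTNET=172.16.94.0/24    # rightsubnet from the post

# Constructed dump in the shape of `ip xfrm policy show` on the left host
# with the tunnel up (iproute2 indents with tabs; parsing is whitespace-
# insensitive so spaces are used here). x.x.128.61 / y.y.40.228 are the
# post's placeholders, not real addresses.
POLICY_OK='src 10.112.0.0/21 dst 172.16.94.0/24
    dir out priority 2344
    tmpl src x.x.128.61 dst y.y.40.228
        proto esp reqid 16385 mode tunnel
src 172.16.94.0/24 dst 10.112.0.0/21
    dir fwd priority 2344
    tmpl src y.y.40.228 dst x.x.128.61
        proto esp reqid 16385 mode tunnel
src 172.16.94.0/24 dst 10.112.0.0/21
    dir in priority 2344
    tmpl src y.y.40.228 dst x.x.128.61
        proto esp reqid 16385 mode tunnel'

# Constructed failure case: only the host-local directions exist, so
# packets from the remote subnet are decrypted but cannot be forwarded
# on to LEFTNET.
POLICY_NO_FWD='src 10.112.0.0/21 dst 172.16.94.0/24
    dir out priority 2344
    tmpl src x.x.128.61 dst y.y.40.228
        proto esp reqid 16385 mode tunnel
src 172.16.94.0/24 dst 10.112.0.0/21
    dir in priority 2344
    tmpl src y.y.40.228 dst x.x.128.61
        proto esp reqid 16385 mode tunnel'

# has_policy SRC DST DIR   (policy dump on stdin)
# Exit 0 if the dump holds a policy for SRC->DST with direction DIR.
# Only top-level "src ... dst ..." lines set the current selector;
# "tmpl src ... dst ..." lines start with "tmpl" and are skipped.
has_policy() {
    awk -v src="$1" -v dst="$2" -v dir="$3" '
        $1 == "src" && $3 == "dst" { cur_src = $2; cur_dst = $4; next }
        $1 == "dir" && $2 == dir && cur_src == src && cur_dst == dst { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# check_tunnel_policies LEFTNET RIGHTNET   (policy dump on stdin)
# Prints "ok" when out/fwd/in are all present, otherwise "missing:"
# followed by the absent policies; the exit status follows the verdict.
check_tunnel_policies() {
    dump=$(cat)
    missing=""
    printf '%s\n' "$dump" | has_policy "$1" "$2" out || missing="$missing out($1->$2)"
    printf '%s\n' "$dump" | has_policy "$2" "$1" fwd || missing="$missing fwd($2->$1)"
    printf '%s\n' "$dump" | has_policy "$2" "$1" in  || missing="$missing in($2->$1)"
    if [ -z "$missing" ]; then
        echo ok
        return 0
    fi
    echo "missing:$missing"
    return 1
}

# On the real host, feed the live table instead of the constructed dumps:
#   ip xfrm policy show | check_tunnel_policies "$LEFTNET" "$RIGHTNET"
printf '%s\n' "$POLICY_OK"     | check_tunnel_policies "$LEFTNET" "$RIGHTNET"
printf '%s\n' "$POLICY_NO_FWD" | check_tunnel_policies "$LEFTNET" "$RIGHTNET" || :
```

If all three policies are present and the matching SAs show up in `ip xfrm state`, the tunnel itself is fine and the remaining suspects are plain routing: the hosts on 10.112.0.0/21 must send 172.16.94.0/24 traffic to 10.112.0.61 (or their default gateway must), and the ASA's crypto ACL must cover the full 10.112.0.0/21, otherwise return packets never enter the tunnel.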