[strongSwan] Locally generated packets not encrypted

Kevin Clark kevin.clark at csoft.co.uk
Thu Jul 1 14:52:39 CEST 2010


I have a problem with locally generated packets from a Strongswan gateway not getting encrypted and tunnelled to an Openswan gateway.  It does work going in the other direction.

Gateway X - Strongswan
192.168.100.1/32===xxx.xxx.xxx.xxx...

Gateway Y - Openswan
...yyy.yyy.yyy.yyy===192.168.200.1/32

I have configured a net-to-net VPN between these two gateways.  The choice of net-to-net VPN is so that we have the option for traffic between these two boxes to be encrypted or not.  The choice of destination IP address - public or private - determines whether the traffic gets encrypted.

I know the VPN works because I get replies when I use ping with its -I switch to bind to the local interface address, i.e.

[kevin at xxx ~]$ ping -I 192.168.100.1 192.168.200.1
PING 192.168.200.1 (192.168.200.1) from 192.168.100.1 : 56(84) bytes of data.
64 bytes from 192.168.200.1: icmp_seq=0 ttl=64 time=15.7 ms

For commands that don't support local address binding I have a rule in the POSTROUTING chain (NAT table) to alter the source address:

Chain POSTROUTING (policy ACCEPT 167 packets, 7255 bytes)
 pkts bytes target     prot opt in     out     source               destination
  509 31481 ACCEPT     all  --  *      eth0.3  0.0.0.0/0            0.0.0.0/0
  229  121K ACCEPT     all  --  *      eth0.4  0.0.0.0/0            0.0.0.0/0
    0     0 SNAT       all  --  *      eth1    xxx.xxx.xxx.xxx    192.168.200.1 to:192.168.100.1
    2   168 SNAT       all  --  *      eth1    xxx.xxx.xxx.xxx    192.168.200.1 to:192.168.100.1

But tcpdump shows me that these outgoing packets aren't getting encrypted - there's no sign of them on the WAN interface :(

[root at pbx ~]# tcpdump -n -i eth1 proto 50 or host 192.168.200.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
13:37:06.575680 IP 192.168.100.1 > 192.168.200.1: icmp 64: echo request seq 0
13:37:09.575357 IP 192.168.100.1 > 192.168.200.1: icmp 64: echo request seq 1

Any ideas?

Thanks,

Kevin

=====================================
VPN gateway software & configuration
=====================================

Gateway X
=========
Strongswan 4.4.0
kernel 2.6.9-89.0.25.EL
iptables v1.2.11

conn xxx-yyy
        left=xxx.xxx.xxx.xxx
        leftsourceip=192.168.100.1/32
        leftid=@xxx.xxx.xxx.xxx
        leftcert=xxx.xxx.xxx.xxx.crt
        leftfirewall=yes
        right=yyy.yyy.yyy.yyy
        rightsubnet=192.168.200.1/32
        rightid=@yyy.yyy.yyy.yyy
        rightcert=yyy.yyy.yyy.yyy.crt
        auto=start

Gateway Y
=========
Openswan 2.4.15
kernel 2.6.9-89.0.25.EL
iptables v1.2.11

conn yyy-xxx
        left=yyy.yyy.yyy.yyy
        leftid=@yyy.yyy.yyy.yyy
        leftsubnet=192.168.200.1/32
        leftnexthop=%defaultroute
        leftcert=yyy.yyy.yyy.yyy.crt
        right=xxx.xxx.xxx.xxx
        rightid=@xxx.xxx.xxx.xxx
        rightcert=xxx.xxx.xxx.xxx.crt
        rightsubnet=192.168.100.1/32
        auto=start
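An added example, not part of Kevin's post and not strongSwan's or Openswan's own code: a small diagnostic script for Gateway X that checks which source address the kernel picks for locally generated traffic to 192.168.200.1 and, if it is the public address, pins the private one with a route "src" hint instead of rewriting it in POSTROUTING. The reasoning is that the source address of a locally generated packet is chosen during the route lookup, and that is the address the kernel's IPsec policy selector (src 192.168.100.1/32, dst 192.168.200.1/32) is compared against; whether a later SNAT in POSTROUTING is re-checked against the policies depends on the kernel version, so choosing the address up front is the robust approach and is also what binding with "ping -I" does. Assumptions: 203.0.113.10 and 203.0.113.1 stand in for the elided xxx.xxx.xxx.xxx public address and its WAN gateway, eth1 is taken from the tcpdump and SNAT lines above, and the parsed "ip route get" line follows the usual iproute2 layout ("<dst> via <gw> dev <if> src <addr>").

```shell
#!/bin/sh
# Added example (not from the original post): find out which source address
# the kernel selects for locally generated packets to the remote /32 and,
# when it is not the tunnel source, install a host route with a "src" hint.
# 203.0.113.x are assumed RFC 5737 placeholders for the elided public addresses.
set -eu

TUNNEL_SRC=192.168.100.1   # leftsourceip on Gateway X
REMOTE=192.168.200.1       # rightsubnet on Gateway Y
WAN_IF=eth1                # WAN interface (from the tcpdump / SNAT lines)
WAN_GW=203.0.113.1         # assumed next hop on the WAN side

# Print the address following the "src" token of one "ip route get" line,
# e.g. "192.168.200.1 via 203.0.113.1 dev eth1  src 203.0.113.10" -> 203.0.113.10.
# Prints nothing if the line carries no src hint.
route_src_of() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i+1); exit } }'
}

# Exit 0 when the kernel-selected source ($1 is the route line) equals the
# tunnel source ($2), i.e. the xfrm policy selector src <tunnel>/32 can match.
source_matches_policy() {
    [ "$(route_src_of "$1")" = "$2" ]
}

# Live diagnosis on the gateway; "fix" additionally installs the route (root).
live() {
    echo "== source the kernel picks for $REMOTE when nothing binds the socket:"
    route_line=$(ip route get "$REMOTE" | head -n 1)
    echo "$route_line"
    if source_matches_policy "$route_line" "$TUNNEL_SRC"; then
        echo "source is $TUNNEL_SRC; the policy selector should match"
    else
        echo "source is '$(route_src_of "$route_line")', not $TUNNEL_SRC:"
        echo "unbound local traffic misses the IPsec policy and leaves in clear"
        echo "fix: ip route replace $REMOTE/32 via $WAN_GW dev $WAN_IF src $TUNNEL_SRC"
        if [ "${1:-}" = fix ]; then
            ip route replace "$REMOTE/32" via "$WAN_GW" dev "$WAN_IF" src "$TUNNEL_SRC"
            ip route get "$REMOTE" | head -n 1
        fi
    fi
    echo "== kernel policies; compare the selectors with the src above:"
    ip xfrm policy show
    echo "== then ping $REMOTE without -I while watching for ESP:"
    echo "   tcpdump -ni $WAN_IF esp or host $REMOTE"
}

# Only touch the system when explicitly asked: "sh check-src.sh live [fix]".
if [ "${1:-}" = live ]; then
    live "${2:-}"
fi
```

Run it as "sh check-src.sh live" first to see the chosen source and the installed policies; "sh check-src.sh live fix" installs the route. If a cleartext echo request still shows up on eth1 after the route change, the route and the policy selectors printed by the script are the two things to compare.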





