[strongSwan] Locally generated packets not encrypted

Andreas Steffen andreas.steffen at strongswan.org
Thu Jul 1 15:45:42 CEST 2010


Hello Kevin,

I see that you are using a stone-age 2.6.9 Linux kernel. As far as I
remember NAT-before-IPsec was awfully broken before the 2.6.16 kernel
when Patrick McHardy finally introduced IPsec policy rules in netfilter.
NAT-ed packets just somehow disappeared in the native NETKEY Linux IPsec
stack. Are you using KLIPS on the Openswan side?

Regards

Andreas

On 01.07.2010 14:52, Kevin Clark wrote:
> I have a problem with locally generated packets from a Strongswan gateway not getting encrypted and tunnelled to an Openswan gateway.  It does work going in the other direction.
> 
> Gateway X - Strongswan
> 192.168.100.1/32===xxx.xxx.xxx.xxx...
> 
> Gateway Y - Openswan
> ...yyy.yyy.yyy.yyy===192.168.200.1/32
> 
> I have configured a net-to-net VPN between these two gateways.  The choice of net-to-net VPN is so that we have the option for traffic between these two boxes to be encrypted or not.  The choice of destination IP address - public or private - determines whether the traffic gets encrypted.
> 
> I know the VPN works because I get replies when I use ping with its -I switch to bind to the local interface address, i.e.
> 
> [kevin at xxx ~]$ ping -I 192.168.100.1 192.168.200.1
> PING 192.168.200.1 (192.168.200.1) from 192.168.100.1 : 56(84) bytes of data.
> 64 bytes from 192.168.200.1: icmp_seq=0 ttl=64 time=15.7 ms
> 
> For commands that don't support local address binding I have a rule in the POSTROUTING chain (NAT table) to alter the source address:
> 
> Chain POSTROUTING (policy ACCEPT 167 packets, 7255 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   509 31481 ACCEPT     all  --  *      eth0.3  0.0.0.0/0            0.0.0.0/0
>   229  121K ACCEPT     all  --  *      eth0.4  0.0.0.0/0            0.0.0.0/0
>     0     0 SNAT       all  --  *      eth1    xxx.xxx.xxx.xxx    192.168.200.1 to:192.168.100.1
>     2   168 SNAT       all  --  *      eth1    xxx.xxx.xxx.xxx    192.168.200.1 to:192.168.100.1
> 
> But tcpdump shows me that these outgoing packets aren't getting encrypted - there's no sign of them on the WAN interface :(
> 
> [root at pbx ~]# tcpdump -n -i eth1 proto 50 or host 192.168.200.1
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
> 13:37:06.575680 IP 192.168.100.1 > 192.168.200.1: icmp 64: echo request seq 0
> 13:37:09.575357 IP 192.168.100.1 > 192.168.200.1: icmp 64: echo request seq 1
> 
> Any ideas?
> 
> Thanks,
> 
> Kevin
> 
> =====================================
> VPN gateway software & configuration
> =====================================
> 
> Gateway X
> =========
> Strongswan 4.4.0
> kernel 2.6.9-89.0.25.EL
> iptables v1.2.11
> 
> conn xxx-yyy
>         left=xxx.xxx.xxx.xxx
>         leftsourceip=192.168.100.1/32
>         leftid=@xxx.xxx.xxx.xxx
>         leftcert=xxx.xxx.xxx.xxx.crt
>         leftfirewall=yes
>         right=yyy.yyy.yyy.yyy
>         rightsubnet=192.168.200.1/32
>         rightid=@yyy.yyy.yyy.yyy
>         rightcert=yyy.yyy.yyy.yyy.crt
>         auto=start
> 
> Gateway Y
> =========
> Openswan 2.4.15
> kernel 2.6.9-89.0.25.EL
> iptables v1.2.11
> 
> conn yyy-xxx
>         left=yyy.yyy.yyy.yyy
>         leftid=@yyy.yyy.yyy.yyy
>         leftsubnet=192.168.200.1/32
>         leftnexthop=%defaultroute
>         leftcert=yyy.yyy.yyy.yyy.crt
>         right=xxx.xxx.xxx.xxx
>         rightid=@xxx.xxx.xxx.xxx
>         rightcert=xxx.xxx.xxx.xxx.crt
>         rightsubnet=192.168.100.1/32
>         auto=start


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
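As an added illustration of the situation Kevin describes (example code, not from the thread, strongSwan or Openswan): a POSIX shell check that tests whether a locally generated packet's source address before and after the POSTROUTING SNAT falls inside the IPsec "out" selector that the quoted conn installs, and whether the kernel is at or above the 2.6.16 threshold Andreas recalls for working NAT-before-IPsec. The selector list, the documentation address 203.0.113.10 (standing in for xxx.xxx.xxx.xxx) and the kernel strings are constructed values.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed "out" selector pairs (src dst)
# derived from the quoted conn: leftsourceip=192.168.100.1/32 -> rightsubnet=192.168.200.1/32.
POLICY_OUT="192.168.100.1/32 192.168.200.1/32"
# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
# in_cidr ADDR NET/PREFIX -> status 0 if ADDR lies inside NET/PREFIX
in_cidr() {
    addr=$(ip_to_int "$1"); net=$(ip_to_int "${2%/*}"); plen=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}
# policy_covers SRC DST -> status 0 if some out selector matches the pair
policy_covers() {
    psrc=$1; pdst=$2
    set -- $POLICY_OUT
    while [ $# -ge 2 ]; do
        in_cidr "$psrc" "$1" && in_cidr "$pdst" "$2" && return 0
        shift 2
    done
    return 1
}
# version_key 2.6.9-89.0.25.EL -> comparable integer built from the "2.6.9" part
version_key() {
    IFS=. read -r x y z <<EOF
${1%%-*}
EOF
    echo $(( x * 1000000 + y * 1000 + ${z:-0} ))
}
kernel_at_least() { [ "$(version_key "$1")" -ge "$(version_key "$2")" ]; }

# diagnose PRE_NAT_SRC POST_NAT_SRC DST KERNEL -> status 0: covered before NAT (the ping -I case);
# 1: covered only after SNAT on a pre-2.6.16 kernel (the quoted symptom); 2: same on 2.6.16+; 3: no selector
diagnose() {
    if policy_covers "$1" "$3"; then echo "covered before NAT"; return 0; fi
    if policy_covers "$2" "$3"; then
        if kernel_at_least "$4" 2.6.16; then echo "covered only after SNAT (2.6.16+)"; return 2; fi
        echo "covered only after SNAT, kernel $4 is older than 2.6.16"; return 1
    fi
    echo "no out selector covers $1/$2 -> $3"; return 3
}
# Walk the quoted scenario: public source SNAT'ed to 192.168.100.1 on kernel 2.6.9
diagnose 203.0.113.10 192.168.100.1 192.168.200.1 2.6.9-89.0.25.EL || :
```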
