[strongSwan] Tunnel up, no packets routed through
Russ Cox
russ.cox at e-dba.com
Wed May 19 16:38:53 CEST 2010
Hi guys - I'm trying to set up a net-net connection to a customer site
as below - any help would be great, so thanks in advance!
Russ
Remote network ---------------------------------------------------------- local network
YY.YY.YY.218 ========== 172.16.102.0/24 ========= 192.168.102.0/24 ======== XX.XX.XX.248
Where XX.XX.XX.248 is the ip address of eth2:8 on my gateway.
The tunnel has come up ok, but no traffic appears to be getting routed
through the tunnel.
My ipsec gateway is the default gateway for my local 192.168.0.0/24 subnet.
I have to use ikev1.
Strongswan version 4.2.4 (from debian lenny repo)
Debian Lenny - kernel 2.6.26-2-amd64
No routes are added - but ip xfrm policy and state output is below.
192.168.102.0/24 isn't my LAN network, so I'm NATting thusly - currently only for the single local machine:
iptables -t nat -A POSTROUTING -s 192.168.0.194 -d 172.16.102.0/24 -j SNAT --to-source 192.168.102.1
iptables -t nat -A PREROUTING -s 172.16.102.0/24 -d 192.168.102.1 -j DNAT --to-destination 192.168.0.194
My ipsec.conf is as follows:
------------------------------
config setup
        plutodebug=control
        nat_traversal=yes
        charonstart=no
        plutostart=yes

# Add connections here.
conn net-net
        left=XX.XX.XX.248
        leftsubnet=192.168.102.0/24
        leftfirewall=yes
        right=YY.YY.YY.218
        rightsubnet=172.16.102.0/24
        keyexchange=ikev1
        ike=3des-sha1-modp1024
        esp=3des-sha1-modp1024
        authby=secret
        auto=add
----------------------------------------------
myipsecgw:~# ipsec up net-net
002 "net-net" #1: initiating Main Mode
104 "net-net" #1: STATE_MAIN_I1: initiate
003 "net-net" #1: received Vendor ID payload [Dead Peer Detection]
106 "net-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "net-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "net-net" #1: Peer ID is ID_IPV4_ADDR: 'YY.YY.YY.218'
002 "net-net" #1: ISAKMP SA established
004 "net-net" #1: STATE_MAIN_I4: ISAKMP SA established
002 "net-net" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
112 "net-net" #2: STATE_QUICK_I1: initiate
002 "net-net" #2: up-client output: Warning: weird character in interface `eth2:8' (No aliases, :, ! or *).
002 "net-net" #2: up-client output: Warning: weird character in interface `eth2:8' (No aliases, :, ! or *).
002 "net-net" #2: sent QI2, IPsec SA established {ESP=>0x0883d23a <0x2c441000}
004 "net-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x0883d23a <0x2c441000}
----------------------------------------------------------
myipsecgw:~# ipsec status
000 "net-net": 192.168.102.0/24===XX.XX.XX.248...YY.YY.YY.218===172.16.102.0/24; erouted; eroute owner: #2
000 "net-net": newest ISAKMP SA: #1; newest IPsec SA: #2;
000
000 #2: "net-net" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2527s; newest IPSEC; eroute owner
000 #2: "net-net" esp.883d23a at YY.YY.YY.218 (0 bytes) esp.2c441000 at XX.XX.XX.248 (0 bytes); tunnel
000 #1: "net-net" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 9588s; newest ISAKMP
000
-----------------------------------------------------
myipsecgw:~# ip xfrm state
src YY.YY.YY.218 dst XX.XX.XX.248
        proto esp spi 0x2c441000 reqid 16385 mode tunnel
        replay-window 32
        auth hmac(md5) 0x9c905efd35d202fa0b8eb5247c958a71
        enc cbc(aes) 0x86e2570a5d3449bec4a3d59ea933cc371ed0921f93d70d0e68c2182b6ce6eca5
        sel src 0.0.0.0/0 dst 0.0.0.0/0
src XX.XX.XX.248 dst YY.YY.YY.218
        proto esp spi 0x0883d23a reqid 16385 mode tunnel
        replay-window 32
        auth hmac(md5) 0x485e06c122682f9f3464a1abb4e26e6b
        enc cbc(aes) 0xb1224c128e5346b906990b844ff6d6643f19465030e178a5af39b360b981db5d
        sel src 0.0.0.0/0 dst 0.0.0.0/0
--------------------------------------------------------------------
myipsecgw:~# ip xfrm policy
src 172.16.102.0/24 dst 192.168.102.0/24
        dir in priority 2344
        tmpl src YY.YY.YY.218 dst XX.XX.XX.248
                proto esp reqid 16385 mode tunnel
src 172.16.102.0/24 dst 192.168.102.0/24
        dir fwd priority 2344
        tmpl src YY.YY.YY.218 dst XX.XX.XX.248
                proto esp reqid 16385 mode tunnel
src 192.168.102.0/24 dst 172.16.102.0/24
        dir out priority 2344
        tmpl src XX.XX.XX.248 dst YY.YY.YY.218
                proto esp reqid 16385 mode tunnel
--
Russ Cox
Systems Engineer
e-DBA Ltd.
48A Old Steine,
Brighton, East Sussex,
BN1 1NH
Main: +44 (0) 870 366 7800
Direct: +44 (0) 127 322 4704
email: russ.cox at e-dba.net
Msn: russ.cox at e-dba.com
Skype: russc0x
Company No: 365969
Oracle Partner of the Year
General Business Technology
UKOUG Partner of the year
(4 categories)
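A small check that goes with the `ip xfrm policy` output in the post, added here as an example and not part of Russ's message or of strongSwan: with the NETKEY stack the kernel only sends a packet into the tunnel if its addresses fall inside an `out` policy selector, and the `(0 bytes)` counters in the `ipsec status` output above mean nothing matched. The script parses the policy dump as it appears in the post (the XX/YY placeholders are kept as opaque strings) and reports, for a given flow and direction, which policy it would hit. The flows it tests are constructed: the local host's own address before SNAT and the 192.168.102.1 address the iptables rules map it to.

```python
import ipaddress
import re

# Constructed input: the `ip xfrm policy` dump copied from the post above.
XFRM_POLICY_OUTPUT = """\
src 172.16.102.0/24 dst 192.168.102.0/24
        dir in priority 2344
        tmpl src YY.YY.YY.218 dst XX.XX.XX.248
                proto esp reqid 16385 mode tunnel
src 172.16.102.0/24 dst 192.168.102.0/24
        dir fwd priority 2344
        tmpl src YY.YY.YY.218 dst XX.XX.XX.248
                proto esp reqid 16385 mode tunnel
src 192.168.102.0/24 dst 172.16.102.0/24
        dir out priority 2344
        tmpl src XX.XX.XX.248 dst YY.YY.YY.218
                proto esp reqid 16385 mode tunnel
"""


def parse_xfrm_policies(text):
    """Parse iproute2 `ip xfrm policy` output into a list of policy dicts.

    Each dict carries the selector (src/dst networks), direction, priority
    and the template (outer tunnel endpoints, reqid, mode). Only the fields
    shown in the post are handled; assumed layout is the iproute2 one.
    """
    policies = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^src (\S+) dst (\S+)$", line)
        if m:  # selector line starts a new policy
            cur = {"src": ipaddress.ip_network(m.group(1)),
                   "dst": ipaddress.ip_network(m.group(2)),
                   "dir": None, "priority": None, "tmpl": None,
                   "proto": None, "reqid": None, "mode": None}
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"^dir (\S+) priority (\d+)", line)
        if m:
            cur["dir"], cur["priority"] = m.group(1), int(m.group(2))
            continue
        m = re.match(r"^tmpl src (\S+) dst (\S+)", line)
        if m:  # outer addresses are kept as strings (placeholders in the post)
            cur["tmpl"] = (m.group(1), m.group(2))
            continue
        m = re.match(r"^proto (\S+) reqid (\d+) mode (\S+)", line)
        if m:
            cur["proto"], cur["reqid"], cur["mode"] = m.group(1), int(m.group(2)), m.group(3)
    return policies


def match_policy(policies, direction, src_ip, dst_ip):
    """Return the policy the kernel would select for a flow, or None.

    xfrm picks the matching policy with the lowest priority number for
    the given direction ('in', 'out' or 'fwd').
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in policies
            if p["dir"] == direction and src in p["src"] and dst in p["dst"]]
    return min(hits, key=lambda p: p["priority"]) if hits else None


def explain_flow(policies, direction, src_ip, dst_ip):
    """Human-readable verdict for one flow, for use at the console."""
    p = match_policy(policies, direction, src_ip, dst_ip)
    if p is None:
        return f"{direction} {src_ip}->{dst_ip}: no policy, packet bypasses IPsec"
    return (f"{direction} {src_ip}->{dst_ip}: reqid {p['reqid']} {p['mode']} "
            f"via {p['tmpl'][0]}->{p['tmpl'][1]}")


if __name__ == "__main__":
    pols = parse_xfrm_policies(XFRM_POLICY_OUTPUT)
    # Constructed flows: the host before SNAT, and after the POSTROUTING rule.
    for flow in [("out", "192.168.0.194", "172.16.102.10"),
                 ("out", "192.168.102.1", "172.16.102.10"),
                 ("fwd", "172.16.102.10", "192.168.102.1")]:
        print(explain_flow(pols, *flow))
```

The first constructed flow shows why the SNAT rule matters at all: a packet still carrying 192.168.0.194 as its source matches no `out` selector, so the gateway would forward it in the clear (or drop it at the firewall) instead of encapsulating it. Running the same parser against a live `ip -s xfrm policy` dump, after the kernel's NAT hooks have run, is a quick way to confirm whether the policy is being consulted before reaching for tcpdump on the outside interface.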