[strongSwan] net 2 net still not working

Dr.Peer-Joachim Koch pkoch at bgc-jena.mpg.de
Wed Jul 11 13:43:34 CEST 2012


Hi,

Some weeks ago I posted a question about a net2net IPsec tunnel.
Finally, for the testing setup everything is working (well), but
trying to implement it on the real-world system fails.

We want direct access to a private network through the IPsec tunnel
and, from computers within the private network, access into our network.


To connect both sides, we have a PC (far, far away) with only
one NIC serving one official IP (the internet connection)
and one private IP. So it's a router and working so far.

On the other side we are using our OpenVPN gateway (for our institute)
also as an IPsec device. Our "internal" network can be reached directly
from the GW.

[10.3.9.0/24] - Remote Host - [195.10.1.98 ] -- [195.37.229.150]IPSEC GW


We are using the following configuration [IPSEC GW]:


config setup
   charonstart=yes
   plutostart=yes

conn %default
   ikelifetime=60m
   keylife=20m
   rekeymargin=3m
   keyingtries=1
   keyexchange=ikev1
   authby=secret

include /etc/ipsec.d/BGC/outside.conf

-----------------cat outside.conf -----------
conn Ascension
         left=195.37.229.150
         leftsubnet=141.5.16.0/22
         leftfirewall=yes
         lefthostaccess=yes
         right=195.10.1.98
         rightsubnet=10.3.9.0/24
         auto=start
----------------


We are using an identical setup on the remote side.
The tunnel is built:
ipsec status
000 "MPI-BGC": 10.3.9.0/24===195.10.1.98[195.10.1.98]...195.37.229.150[195.37.229.150]===141.5.16.0/22; erouted; eroute owner: #7
000 "MPI-BGC":   newest ISAKMP SA: #5; newest IPsec SA: #7;
000
000 #7: "MPI-BGC" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 955s; newest IPSEC; eroute owner
000 #7: "MPI-BGC" esp.1d811ecb at 195.37.229.150 (0 bytes) esp.272cc11 at 195.10.1.98 (0 bytes); tunnel
000 #6: "MPI-BGC" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3s
000 #6: "MPI-BGC" esp.3ce7ba32 at 195.37.229.150 (0 bytes) esp.970eb33e at 195.10.1.98 (0 bytes); tunnel
000 #5: "MPI-BGC" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2400s; newest ISAKMP



We are also seeing the routing rules:
--------------------------
master:~# ip -s xfrm policy|more
src 10.3.9.0/24 dst 141.5.16.0/22 uid 0
         dir out action allow index 2137 priority 2346 ptype main share any flag  (0x00000000)
         lifetime config:
           limit: soft (INF)(bytes), hard (INF)(bytes)
           limit: soft (INF)(packets), hard (INF)(packets)
           expire add: soft 0(sec), hard 0(sec)
           expire use: soft 0(sec), hard 0(sec)
         lifetime current:
           0(bytes), 0(packets)
           add 2012-07-10 10:02:57 use -
         tmpl src 195.10.1.98 dst 195.37.229.150
                 proto esp spi 0x00000000(0) reqid 16385(0x00004001) mode tunnel
                 level required share any
                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 141.5.16.0/22 dst 10.3.9.0/24 uid 0
         dir fwd action allow index 2154 priority 2346 ptype main share any flag  (0x00000000)
         lifetime config:
           limit: soft (INF)(bytes), hard (INF)(bytes)
           limit: soft (INF)(packets), hard (INF)(packets)
           expire add: soft 0(sec), hard 0(sec)
           expire use: soft 0(sec), hard 0(sec)
         lifetime current:
           0(bytes), 0(packets)
           add 2012-07-10 09:47:04 use -
         tmpl src 195.37.229.150 dst 195.10.1.98
                 proto esp spi 0x00000000(0) reqid 16385(0x00004001) mode tunnel
                 level required share any
                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 141.5.16.0/22 dst 10.3.9.0/24 uid 0
         dir in action allow index 2144 priority 2346 ptype main share any flag  (0x00000000)
         lifetime config:
           limit: soft (INF)(bytes), hard (INF)(bytes)
           limit: soft (INF)(packets), hard (INF)(packets)
           expire add: soft 0(sec), hard 0(sec)
           expire use: soft 0(sec), hard 0(sec)
         lifetime current:
           0(bytes), 0(packets)
           add 2012-07-10 09:47:04 use -
         tmpl src 195.37.229.150 dst 195.10.1.98
                 proto esp spi 0x00000000(0) reqid 16385(0x00004001) mode tunnel
                 level required share any
                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff

--------------------------
routing table remote
--------------------------
master:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
195.10.1.96     0.0.0.0         255.255.255.252 U     0      0        0 eth0
10.3.9.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         195.10.1.97     0.0.0.0         UG    0      0        0 eth0
-------------------------------

But when we try to ping into the subnet, or ping from the subnet into
our network, no packets are going through the IPsec tunnel!
We have used tcpdump to monitor the traffic.


Any idea what's wrong?

-- 
Bye,
     Peer
_________________________________________________________
Max-Planck-Institut fuer Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str.10            Telefon: ++49 3641 57-6705
D-07745 Jena                 Telefax: ++49 3641 57-7705
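As an added diagnostic (my own example, not from the post and not strongSwan code), this script parses `ip -s xfrm policy` output of the shape quoted above and checks two things for a net-to-net tunnel: whether the out/in/fwd policies between the two subnets all exist, and whether any of them has ever matched a packet (the kernel stamps the `use` time on the first match, so `use -` means no packet has been selected by that policy). The sample listing is constructed from the post's values; it assumes Python 3.7 or later.

```python
import re

# Constructed sample, modelled on the "ip -s xfrm policy" listing in the post
# (same subnets, same templates, same never-used "use -" field).
SAMPLE_XFRM_POLICY = """\
src 10.3.9.0/24 dst 141.5.16.0/22 uid 0
         dir out action allow index 2137 priority 2346 ptype main share any flag  (0x00000000)
           add 2012-07-10 10:02:57 use -
         tmpl src 195.10.1.98 dst 195.37.229.150
src 141.5.16.0/22 dst 10.3.9.0/24 uid 0
         dir fwd action allow index 2154 priority 2346 ptype main share any flag  (0x00000000)
           add 2012-07-10 09:47:04 use -
         tmpl src 195.37.229.150 dst 195.10.1.98
src 141.5.16.0/22 dst 10.3.9.0/24 uid 0
         dir in action allow index 2144 priority 2346 ptype main share any flag  (0x00000000)
           add 2012-07-10 09:47:04 use -
         tmpl src 195.37.229.150 dst 195.10.1.98
"""

def parse_xfrm_policies(text):
    """Split 'ip -s xfrm policy' output into one dict per policy entry."""
    policies = []
    for block in re.split(r"^(?=src )", text, flags=re.M):   # each entry starts at column 0
        head = re.match(r"src (\S+) dst (\S+)", block)
        if not head:
            continue
        direction = re.search(r"\bdir (\w+)", block)
        use = re.search(r"\buse (\S+)", block)                 # "use -" => never matched
        tmpl = re.search(r"tmpl src (\S+) dst (\S+)", block)
        policies.append({
            "src": head.group(1), "dst": head.group(2),
            "dir": direction.group(1) if direction else None,
            "used": bool(use) and use.group(1) != "-",
            "tmpl": (tmpl.group(1), tmpl.group(2)) if tmpl else None,
        })
    return policies

def diagnose(policies, local_subnet, remote_subnet):
    """Return findings for the policies a net-to-net tunnel between the subnets needs."""
    findings = []
    want = {("out", local_subnet, remote_subnet),
            ("in", remote_subnet, local_subnet),
            ("fwd", remote_subnet, local_subnet)}
    have = {(p["dir"], p["src"], p["dst"]) for p in policies}
    for missing in sorted(want - have):
        findings.append("missing policy: dir=%s src=%s dst=%s" % missing)
    for p in policies:
        if (p["dir"], p["src"], p["dst"]) in want and not p["used"]:
            findings.append("policy %s %s->%s never matched a packet" % (p["dir"], p["src"], p["dst"]))
    return findings

if __name__ == "__main__":
    for line in diagnose(parse_xfrm_policies(SAMPLE_XFRM_POLICY), "10.3.9.0/24", "141.5.16.0/22"):
        print(line)
```

A complete but never-used policy set, as in the post, means the packets are not reaching the xfrm policy lookup at all, so the next place to look is routing, the source address of the pings, and forwarding on the gateway rather than the IKE negotiation.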