[strongSwan] net 2 net still not working
Dr.Peer-Joachim Koch
pkoch at bgc-jena.mpg.de
Wed Jul 11 13:43:34 CEST 2012
Hi,
some weeks ago I posted a question about a net2net IPsec tunnel.
So finally for the testing setup everything is working (well), but
trying to implement it on the real-world system fails.
We want direct access to a private network through the IPsec tunnel
and from computers within the private network access into our network.
To connect both sides, we have a PC (far, far away) with only
one NIC serving one official IP (the internet connection)
and one private IP. So it's a router and working so far.
On the other side we are using our OpenVPN gateway (for our institute)
also as an IPsec device. Our "internal" network can be reached directly
from the gw.
[10.3.9.0/24] - Remote Host - [195.10.1.98 ] -- [195.37.229.150]IPSEC GW
We are using the following configuration [IPSEC GW]:
config setup
charonstart=yes
plutostart=yes
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
authby=secret
include /etc/ipsec.d/BGC/outside.conf
-----------------cat outside.conf -----------
conn Ascension
left=195.37.229.150
leftsubnet=141.5.16.0/22
leftfirewall=yes
lefthostaccess=yes
right=195.10.1.98
rightsubnet=10.3.9.0/24
auto=start
----------------
We are using an identical setup on the remote side.
The tunnel is built:
ipsec status
000 "MPI-BGC":
10.3.9.0/24===195.10.1.98[195.10.1.98]...195.37.229.150[195.37.229.150]===141.5.16.0/22;
erouted; eroute owner: #7
000 "MPI-BGC": newest ISAKMP SA: #5; newest IPsec SA: #7;
000
000 #7: "MPI-BGC" STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 955s; newest IPSEC; eroute owner
000 #7: "MPI-BGC" esp.1d811ecb at 195.37.229.150 (0 bytes)
esp.272cc11 at 195.10.1.98 (0 bytes); tunnel
000 #6: "MPI-BGC" STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 3s
000 #6: "MPI-BGC" esp.3ce7ba32 at 195.37.229.150 (0 bytes)
esp.970eb33e at 195.10.1.98 (0 bytes); tunnel
000 #5: "MPI-BGC" STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
EVENT_SA_REPLACE in 2400s; newest ISAKMP
We are also seeing the routing rules:
--------------------------
master:~# ip -s xfrm policy|more
src 10.3.9.0/24 dst 141.5.16.0/22 uid 0
dir out action allow index 2137 priority 2346 ptype main share
any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-07-10 10:02:57 use -
tmpl src 195.10.1.98 dst 195.37.229.150
proto esp spi 0x00000000(0) reqid 16385(0x00004001) mode
tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 141.5.16.0/22 dst 10.3.9.0/24 uid 0
dir fwd action allow index 2154 priority 2346 ptype main share
any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-07-10 09:47:04 use -
tmpl src 195.37.229.150 dst 195.10.1.98
proto esp spi 0x00000000(0) reqid 16385(0x00004001) mode
tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 141.5.16.0/22 dst 10.3.9.0/24 uid 0
dir in action allow index 2144 priority 2346 ptype main share
any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-07-10 09:47:04 use -
tmpl src 195.37.229.150 dst 195.10.1.98
proto esp spi 0x00000000(0) reqid 16385(0x00004001) mode
tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
--------------------------
routing table remote
------------------
master:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
195.10.1.96 0.0.0.0 255.255.255.252 U 0 0 0 eth0
10.3.9.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 195.10.1.97 0.0.0.0 UG 0 0 0 eth0
-------------------------------
But when we try to ping into the subnet, or ping from the subnet into
our network, no packets are going through the IPsec tunnel!
We have used tcpdump to monitor the traffic.
Any idea what's wrong?
--
Bye,
Peer
_________________________________________________________
Max-Planck-Institut fuer Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str.10 Telefon: ++49 3641 57-6705
D-07745 Jena Telefax: ++49 3641 57-7705
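A diagnostic that follows from the `ip -s xfrm policy` listing in the post, added here as an example and not part of the original message or of strongSwan: it parses the policy output, checks that the out/in/fwd policies for the conn's two subnets are installed, and flags policies whose packet counters are still zero, which separates "SA never installed" from "installed but no packet ever matched the selector". The sample input is constructed from the output quoted above; `parse_xfrm_policies` and `check_conn` are hypothetical helper names.

```python
import re

# Constructed sample modelled on the `ip -s xfrm policy` output in the post (out, fwd, in).
SAMPLE_XFRM = """\
src 10.3.9.0/24 dst 141.5.16.0/22 uid 0
dir out action allow index 2137 priority 2346 ptype main share any flag (0x00000000)
lifetime current:
0(bytes), 0(packets)
src 141.5.16.0/22 dst 10.3.9.0/24 uid 0
dir fwd action allow index 2154 priority 2346 ptype main share any flag (0x00000000)
lifetime current:
0(bytes), 0(packets)
src 141.5.16.0/22 dst 10.3.9.0/24 uid 0
dir in action allow index 2144 priority 2346 ptype main share any flag (0x00000000)
lifetime current:
0(bytes), 0(packets)
"""

def parse_xfrm_policies(text):
    """Return one dict per policy with src, dst, dir and the packet/byte counters."""
    policies, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^src (\S+) dst (\S+) uid", line)
        if m:  # a new policy block starts with its traffic selector
            cur = {"src": m.group(1), "dst": m.group(2), "bytes": 0, "packets": 0}
            policies.append(cur)
        elif cur is not None:
            m = re.match(r"^dir (\S+)", line)
            if m:
                cur["dir"] = m.group(1)
            m = re.match(r"^(\d+)\(bytes\), (\d+)\(packets\)", line)
            if m:  # "lifetime current": packets the kernel actually matched to this policy
                cur["bytes"], cur["packets"] = int(m.group(1)), int(m.group(2))
    return policies

def check_conn(policies, local_subnet, remote_subnet):
    """Report selectors with no policy ("missing") and policies that never matched a packet
    ("idle"). Idle policies mean the fault is before IPsec: routing, forwarding or NAT
    rewriting the source address before the policy lookup, so nothing ever selects the tunnel."""
    expected = {("out", local_subnet, remote_subnet),
                ("in", remote_subnet, local_subnet),
                ("fwd", remote_subnet, local_subnet)}
    present = {(p.get("dir"), p["src"], p["dst"]): p for p in policies}
    missing = sorted(expected - present.keys())
    idle = sorted(d for (d, s, t) in expected if (d, s, t) in present and present[(d, s, t)]["packets"] == 0)
    return {"missing": missing, "idle": idle}

if __name__ == "__main__":
    print(check_conn(parse_xfrm_policies(SAMPLE_XFRM), "10.3.9.0/24", "141.5.16.0/22"))
```

On a live host, feed it `subprocess.run(["ip", "-s", "xfrm", "policy"], capture_output=True, text=True).stdout` in place of the sample; the subnet arguments are the host's own leftsubnet and the peer's rightsubnet.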