Fwd: Tunnel working "one way only"
user name
2007-04-02 12:25:42

Hi all, I'm a newbie in ipsec issues, and I'm hung up with a problem. I was able to configure the tunnel, but the tunnel is only working in one way. Let me show you the net topology and the configuration files:

Network:

10.1.2.0/24-------192.168.2.2====TUNNEL====192.168.2.1---------192.168.1.0/24


The left box is an Ubuntu Linux with kernel 2.6.17 with NETKEY, openswan version 2.4.7; the left box is an OpenWrt device with kernel 2.6.19 and KLIPS 2.4.7. The two machines are connected directly to each other.

I have a virtual interface in the left box with IP 10.1.2.3.

#################################
# IFCONFIG
#################################
eth1      Link encap:Ethernet  HWaddr 00:16:17:C7:E4:EC
          inet addr:192.168.2.2  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::216:17ff:fec7:e4ec/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:25332 errors:0 dropped:0 overruns:0 frame:0
          TX packets:359042 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3824929 (3.6 MiB)  TX bytes:55525791 (52.9 MiB)
          Interrupt:177

eth1:1    Link encap:Ethernet  HWaddr 00:16:17:C7:E4:EC
          inet addr:10.1.2.3  Bcast:10.1.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:177

#################################

The RIGHT box has the following config


eth0.1    Link encap:Ethernet  HWaddr 00:30:AB:28:38:9E
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7485 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2627 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:5
          RX bytes:2701698 (2.5 MiB)  TX bytes:1032886 (1008.6 KiB)

br-lan    Link encap:Ethernet  HWaddr 00:30:AB:28:38:9F
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:2290  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

The machine connected to the br-lan of the right box has the ip 192.168.1.2.

On both the right and the left machine iptables is empty and the default policies are ACCEPT. On the right box I have ip_forward activated.

----------------------------------------------------------------------------

Ok that's the network configuration, now I want to show you the ipsec.conf and the ipsec.secrets config files:

LEFT BOX:

# ipsec.conf
config setup
      interfaces=%defaultroute
      klipsdebug=none
      plutodebug=none

conn tunnconn
      type=tunnel
      left=192.168.2.2
      leftnexthop=192.168.2.1
      right=192.168.2.1
      rightnexthop=192.168.2.2
      leftsubnet=10.1.2.0/24
      rightsubnet=192.168.1.0/24
      esp=3des-md5-96
      authby=secret
      auto=start

##############

# ipsec.secrets

192.168.2.2 192.168.2.1: PSK "test"

###################

The configuration in the left box is the same as this, but with left* and right* swapped.

###########

Ok, well, with this scenario working, having a look at /var/log/auth.log I can see how the tunnel is established between the two boxes; the first phase is successful and the second is successful too. And once established I made the first test, pinging from 10.1.2.3 to 192.168.1.1








Re: Fwd: Tunnel working "one way only"
user name
Netherlands
2007-04-02 13:59:30
On Mon, 2 Apr 2007, Antonio Ávila wrote:

> Hi all, I'm a newbie in ipsec issues, and I'm hung up with a problem. I was able to configure the tunnel, but the tunnel is only working in one way. Let me show you the net topology and the configuration files:

> 10.1.2.0/24-------192.168.2.2====TUNNEL====192.168.2.1---------192.168.1.0/24

> In the right and the left machine iptables are empty and their policies are ACCEPT by default. In the Right box I have ip_forward activated.

Not on the machine on the left?

> conn tunnconn
>       type=tunnel
>       left=192.168.2.2
>       leftnexthop=192.168.2.1
>       right=192.168.2.1

Try type=%direct

The situation when using two IPsec machines in the same subnet is fundamentally different from having two IPsec machines with a box (or a whole internet) in the middle. If you are doing this for testing a real world deployment, change the network and add a machine in the middle that's just a router.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
_______________________________________________
Users@openswan.org
http://lists.openswan.org/mailman/listinfo/users

Re: Tunnel working "one way only"
user name
2007-04-03 03:41:18
Well, I don't know why, but in my first post some text is missing, so I'm going to paste it here again, sorry:

...
Ok, well, with this scenario working, having a look at /var/log/auth.log I can see how the tunnel is established between the two boxes; the first phase is successful and the second is successful too. And once established I made the first test, pinging from 10.1.2.3 to 192.168.1.1

it continues like this:

Well, so now I can see (via tcpdump) the ESP packets leaving the left box, and I can see them (via tcpdump also) arriving at the right box, and if I do a tcpdump on the LAN interface I can now clearly see the packets without the encryption, that is an ICMP echo request from 10.1.2.3 to 192.168.1.1 and an ICMP echo reply from 192.168.1.1 to 10.1.2.3. But if I now follow the ICMP echo reply, I can see it arriving at the right box, but then it disappears... I have tried to ping directly from the right subnet, with the same result (I have also tested pinging from the right subnet to an unknown IP, and I can follow the packets through the right box and see them in the left box).

Which should be my next move?

Thanks to all
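The tcpdump-based tracing described in this message (watch ESP on the inter-gateway link, watch the clear-text echo request and reply on the LAN side, then find the hop after which the reply is never seen again) is easy to do by hand for one ping and tedious for a run of them. The following is an added example, not code from the thread or from Openswan: it parses `tcpdump -n` lines captured at several observation points, correlates each echo request with its reply by ICMP id and sequence number, reports the point closest to the pinging host where the reply was last visible, and flags any link point where ESP was seen in only one direction. The capture lines, the observation-point names (`left-eth1`, `right-eth0.1`, `right-br-lan`) and the SPI value are constructed to mirror the symptom reported above; they are not real captures.

```python
"""Correlate tcpdump -n captures from several points on an IPsec path to find
where an ICMP echo reply stops.  Hypothetical helper for the thread above; the
sample captures are constructed, not taken from the poster's machines."""
import re
from collections import defaultdict

# Shapes that tcpdump -n prints for ICMP echoes and for ESP packets.
ICMP_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)")
ESP_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ESP\(spi=0x(?P<spi>[0-9a-f]+),"
    r"seq=0x(?P<seq>[0-9a-f]+)\)")

# Constructed sample captures, keyed by observation point ("host-interface").
# ESP is visible only left-to-right; the reply is seen in the clear on the
# right box's LAN side and nowhere closer to the pinger.
CAPTURES = {
    "left-eth1": [
        "12:00:01.000000 IP 192.168.2.2 > 192.168.2.1: ESP(spi=0xa1b2c3d4,seq=0x1), length 116",
        "12:00:02.000000 IP 192.168.2.2 > 192.168.2.1: ESP(spi=0xa1b2c3d4,seq=0x2), length 116",
    ],
    "right-eth0.1": [
        "12:00:01.000300 IP 192.168.2.2 > 192.168.2.1: ESP(spi=0xa1b2c3d4,seq=0x1), length 116",
        "12:00:02.000300 IP 192.168.2.2 > 192.168.2.1: ESP(spi=0xa1b2c3d4,seq=0x2), length 116",
    ],
    "right-br-lan": [
        "12:00:01.000500 IP 10.1.2.3 > 192.168.1.1: ICMP echo request, id 4242, seq 1, length 64",
        "12:00:01.000600 IP 192.168.1.1 > 10.1.2.3: ICMP echo reply, id 4242, seq 1, length 64",
        "12:00:02.000500 IP 10.1.2.3 > 192.168.1.1: ICMP echo request, id 4242, seq 2, length 64",
        "12:00:02.000600 IP 192.168.1.1 > 10.1.2.3: ICMP echo reply, id 4242, seq 2, length 64",
    ],
}
# Observation points ordered from the pinging host outward, and the subset
# that sits on the inter-gateway link where ESP should be seen both ways.
PATH = ["left-eth1", "right-eth0.1", "right-br-lan"]
LINK_POINTS = ["left-eth1", "right-eth0.1"]


def parse_capture(lines):
    """Yield (kind, src, dst, key) for each recognised tcpdump -n line.
    kind is "request", "reply" or "esp"; key identifies the packet
    ((icmp id, icmp seq) or (spi, esp seq))."""
    for line in lines:
        m = ICMP_RE.search(line)
        if m:
            yield (m["kind"], m["src"], m["dst"], (int(m["id"]), int(m["seq"])))
            continue
        m = ESP_RE.search(line)
        if m:
            yield ("esp", m["src"], m["dst"], (m["spi"], int(m["seq"], 16)))


def trace_echo(captures, path):
    """Return (seen, esp): seen maps each (id, seq) to the points, in path
    order, where its request and its reply were visible in the clear; esp
    counts ESP packets per "src>dst" direction at each point."""
    seen = defaultdict(lambda: {"request": [], "reply": []})
    esp = defaultdict(lambda: defaultdict(int))
    for point in path:
        for kind, src, dst, key in parse_capture(captures.get(point, [])):
            if kind == "esp":
                esp[point][f"{src}>{dst}"] += 1
            else:
                seen[key][kind].append(point)
    return seen, esp


def reply_lost_at(seen, path):
    """For every echo whose request was seen but whose reply never reached the
    first point of the path, give the point closest to the pinger where the
    reply was still visible (None if the reply was never seen at all)."""
    lost = {}
    for key, obs in seen.items():
        if obs["request"] and path[0] not in obs["reply"]:
            lost[key] = obs["reply"][0] if obs["reply"] else None
    return lost


def diagnose(captures, path, link_points, left_gw, right_gw):
    """Summarise the run: where replies were last seen, and which link points
    carried ESP from left_gw to right_gw but none in the opposite direction."""
    seen, esp = trace_echo(captures, path)
    forward, back = f"{left_gw}>{right_gw}", f"{right_gw}>{left_gw}"
    one_way = [p for p in link_points
               if esp.get(p, {}).get(forward, 0) and not esp.get(p, {}).get(back, 0)]
    return {"reply_last_seen": reply_lost_at(seen, path), "esp_one_way": one_way}


if __name__ == "__main__":
    result = diagnose(CAPTURES, PATH, LINK_POINTS, "192.168.2.2", "192.168.2.1")
    for key, point in sorted(result["reply_last_seen"].items()):
        print(f"echo id={key[0]} seq={key[1]}: reply last seen at {point}")
    for point in result["esp_one_way"]:
        print(f"{point}: ESP seen left-to-right only, nothing encrypted coming back")
```

With the constructed captures the report says that every reply was last seen at `right-br-lan` and that both link points carried ESP in one direction only, which is the pattern the poster describes: the right gateway receives and decrypts fine, answers in the clear on its LAN side, but never encrypts the return traffic for the tunnel. On real captures the same script narrows the problem to a single host before any configuration is touched.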

