[Cialug] IPSec VPN not passing traffic

Jonathan C. Bailey jbailey at co.marshall.ia.us
Tue Sep 7 20:22:37 CDT 2010


Ok, I guess I'm not getting how XFRM passes packets out of the IPSec world to the real world. The documentation for it (at least what I can find) isn't too helpful.

Anyway, here is my setup:

VPN server: 10.81.10.60
Win7 client: 10.64.4.110 (so at least different subnets from the server)
VPN routes: 10.81.28.2 10.81.28.3 10.81.28.4 10.81.10.17

After connecting, I see the following transforms:

root at srvpn:~# ip xfrm stat
src 10.64.4.110 dst 10.81.10.60
        proto esp spi 0x045590dd reqid 0 mode tunnel
        replay-window 4
        auth hmac(sha1) 0x592f64b3d85f07a2171f9888731868cbfaec266a
        enc cbc(aes) 0x018cb5e53540202a56ec104572d3f7524ec5fc4311b5120baf807b83895bee08
        encap type espinudp sport 4500 dport 4500 addr 32.108.228.222
        sel src 0.0.0.0/0 dst 0.0.0.0/0
src 10.81.10.60 dst 10.64.4.110
        proto esp spi 0x20512408 reqid 0 mode tunnel
        replay-window 4
        auth hmac(sha1) 0x90c82c62b3db843f49a7bc706343ad1fbde2bb5e
        enc cbc(aes) 0x5905a3ac1c8877c29568d6d596e55e2a3ec354a0689c66fea5b5c58abdd37e44
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        sel src 0.0.0.0/0 dst 0.0.0.0/0

I can also see traffic from 10.64.4.110 to anywhere when running tcpdump on eth0 of srvpn (10.81.10.60), but that traffic never seems to *leave* eth0 of srvpn...


The Sun Rays themselves have some debugging abilities, but they're more abysmal than what I have on Windows at the moment.

-Jon

----- Original Message -----
From: "Zachary Kotlarek" <zach at kotlarek.com>
To: "Central Iowa Linux Users Group" <cialug at cialug.org>
Sent: Tuesday, September 7, 2010 5:44:19 PM
Subject: Re: [Cialug] IPSec VPN not passing traffic


On Sep 7, 2010, at 5:32 PM, Jonathan C. Bailey wrote:

> Ok.. I confirmed it's NETKEY in this case (on Ubuntu 10.04). ip xfrm state shows each side of the connection (client->server and server->client).
> 
> I did some more reading on NETKEY, and it seems that it's supposed to automagically do the routing, but nothing I find seems very clear on this...


XFRM *is* the routing. There's no other indication in the normal IP stack tools.

I'm more familiar with OpenSwan than Racoon, but it seems to me that with the "passive on" setting you should only see the XFRM transforms come up after a client has negotiated a key and the system is ready to start exchanging encrypted traffic.

Is it possible you've got an illogical configuration due to the intra-network testing -- where you're telling the system to use an IPSec tunnel to reach the same network segment that contains the next-hop router or some other impossibility?

It might also be useful to see what the Sun Rays think about the tunnel. I don't know what kind of tools they have available for debugging, but there should at least be some basic logs/tools.

	Zach


_______________________________________________
Cialug mailing list
Cialug at cialug.org
http://cialug.org/mailman/listinfo/cialug
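Zach's point that XFRM *is* the routing can be checked mechanically: a "dir out" policy has to select the traffic, and an installed state has to satisfy that policy's template, or the packet is never encapsulated and no ordinary routing tool shows why. The Python below is an added example, not code from this thread: it parses the "ip xfrm state" format shown above; the "ip xfrm policy" listing and the routes_not_tunnelled check are assumptions, since the post shows no policy output.

```python
import ipaddress

# Constructed sample input: the two SAs from the post (trimmed to the fields
# read here) plus a hypothetical 'ip xfrm policy' listing: one policy whose
# template an installed SA satisfies, one whose template names no SA.
STATE_OUT = """src 10.64.4.110 dst 10.81.10.60
        proto esp spi 0x045590dd reqid 0 mode tunnel
        sel src 0.0.0.0/0 dst 0.0.0.0/0
src 10.81.10.60 dst 10.64.4.110
        proto esp spi 0x20512408 reqid 0 mode tunnel
        sel src 0.0.0.0/0 dst 0.0.0.0/0"""
POLICY_OUT = """src 10.81.28.2/32 dst 10.64.4.110/32
        dir out priority 2344
        tmpl src 10.81.10.60 dst 10.64.4.110
                proto esp reqid 0 mode tunnel
src 10.81.28.3/32 dst 10.64.4.110/32
        dir out priority 2344
        tmpl src 10.81.10.99 dst 10.64.4.110
                proto esp reqid 7 mode tunnel"""

def parse(text):
    # One dict per entry (entries start with 'src'); 'sel' and 'tmpl' sub-lines
    # get a key prefix so their src/dst do not overwrite the entry's own.
    entries, cur = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("src "):
            cur = {}
            entries.append(cur)
        prefix = ""
        for tag in ("sel", "tmpl"):
            if line.startswith(tag + " "):
                prefix, line = tag + "_", line[len(tag) + 1:]
        toks = line.split()
        cur.update({prefix + k: v for k, v in zip(toks[::2], toks[1::2])})
    return entries

def routes_not_tunnelled(states, policies, routes, client):
    # A route's replies only enter the tunnel if some 'dir out' policy selects
    # route -> client AND an installed SA carries the template's
    # src/dst/proto/mode/reqid. Otherwise XFRM holds the packet for IKE
    # (acquire) or drops it, and the plain routing table shows nothing.
    def satisfied(p):
        return any(s["src"] == p.get("tmpl_src") and s["dst"] == p.get("tmpl_dst")
                   and s["proto"] == p.get("proto") and s["mode"] == p.get("mode")
                   and s["reqid"] == p.get("reqid") for s in states)
    return [r for r in routes if not any(
        p.get("dir") == "out" and satisfied(p)
        and ipaddress.ip_address(r) in ipaddress.ip_network(p["src"])
        and ipaddress.ip_address(client) in ipaddress.ip_network(p["dst"])
        for p in policies)]
```

Run against live output by feeding the text of "ip xfrm state" and "ip xfrm policy" to parse() and the post's four VPN routes and client address to routes_not_tunnelled(); any route it returns has no usable out policy toward the client.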