[Cialug] IPSec VPN not passing traffic

Jonathan C. Bailey jbailey at co.marshall.ia.us
Wed Sep 8 08:22:56 CDT 2010


(excuse my lack of caffeine this morning)

All of the IPSec implementations I've seen so far have had a virtual adapter on the client side where traffic destined to the VPN is routed to. The end effect should be the same as a Cisco Easy VPN setup. This seems similar to other VPNs I've set up where a virtual interface is created on the client to route traffic over. When I bring up the IPSec connection, my client machine gets a 192.168.22.0/24 address assigned via mode configuration (apparently a Cisco designed IPSec extension). That address is used to bring up a virtual interface on the client (looks like the following on 10.64.4.110):

Ethernet adapter Local Area Connection* 11:
   Connection-specific DNS Suffix  . : co.marshall.ia.us
   Description . . . . . . . . . . . : Shrew Soft Virtual Adapter
   Physical Address. . . . . . . . . : AA-AA-AA-D2-C3-00
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::96d:4ef2:a7e4:3268%23(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.22.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.81.10.17
   NetBIOS over Tcpip. . . . . . . . : Disabled


The mode configuration also adds the following routes to the client machine (I've cut the local routes):

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
      10.81.10.17  255.255.255.255         On-link      192.168.22.2     31
       10.81.28.2  255.255.255.255         On-link      192.168.22.2     31
       10.81.28.3  255.255.255.255         On-link      192.168.22.2     31
       10.81.28.4  255.255.255.255         On-link      192.168.22.2     31
     192.168.22.0    255.255.255.0         On-link      192.168.22.2    386
     192.168.22.2  255.255.255.255         On-link      192.168.22.2    286
   192.168.22.255  255.255.255.255         On-link      192.168.22.2    286
===========================================================================


Also, the traffic *is* getting from client to VPN server and being decrypted, just not going anywhere on the internal network.
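Added example, not part of the thread: a small route lookup in Python over the client route table shown above, plus one constructed default route (10.64.4.1 via 10.64.4.110) standing in for the local routes that were cut. It shows which destinations the mode-config host routes actually steer into the virtual adapter; an internal address outside the four /32s (10.81.28.5 is a constructed example) is sent to the normal default gateway and never enters the tunnel, which is worth ruling out before chasing the server side.

```python
import ipaddress

# Route lines as printed by the client in the thread (host routes pushed by
# mode config over the Shrew Soft virtual adapter, 192.168.22.2), plus one
# CONSTRUCTED default route standing in for the "local routes" that were cut.
ROUTE_TABLE = """\
      10.81.10.17  255.255.255.255         On-link      192.168.22.2     31
       10.81.28.2  255.255.255.255         On-link      192.168.22.2     31
       10.81.28.3  255.255.255.255         On-link      192.168.22.2     31
       10.81.28.4  255.255.255.255         On-link      192.168.22.2     31
     192.168.22.0    255.255.255.0         On-link      192.168.22.2    386
     192.168.22.2  255.255.255.255         On-link      192.168.22.2    286
   192.168.22.255  255.255.255.255         On-link      192.168.22.2    286
          0.0.0.0          0.0.0.0       10.64.4.1       10.64.4.110     25
"""

VPN_IFACE = "192.168.22.2"  # interface address of the virtual adapter


def parse_routes(text):
    """Turn 'route print' style lines into (network, gateway, iface, metric)."""
    routes = []
    for line in text.splitlines():
        dest, mask, gw, iface, metric = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes


def select_route(routes, dst):
    """Longest prefix wins; on a tie the lowest metric wins (as Windows does)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def via_vpn(dst, routes=None):
    """True if packets to dst leave through the IPSec virtual adapter."""
    if routes is None:
        routes = parse_routes(ROUTE_TABLE)
    route = select_route(routes, dst)
    return route is not None and route[2] == VPN_IFACE


if __name__ == "__main__":
    for host in ("10.81.28.2", "10.81.28.5", "192.168.22.7", "8.8.8.8"):
        print(host, "-> VPN" if via_vpn(host) else "-> local/default")
```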


----- Original Message -----
From: "Zachary Kotlarek" <zach at kotlarek.com>
To: "Central Iowa Linux Users Group" <cialug at cialug.org>
Sent: Tuesday, September 7, 2010 10:31:59 PM
Subject: Re: [Cialug] IPSec VPN not passing traffic


On Sep 7, 2010, at 9:35 PM, Jonathan C. Bailey wrote:

> For example:
> 
> The example client I previously mentioned gets the IP of 192.168.22.2 on the VPN.


This is part of my confusion. You list server and client addresses in the 10. range and then separate VPN addresses in 192.

What do you mean by "gets the IP... on the VPN"? Without PPP (usually as part of L2TP or PPTP) there is no VPN-specific IP address -- there's just your regular IP address(es), where some of the traffic will be encrypted and some will not. Are your hosts with the 10. addresses already set up with secondary 192. addresses before you start IPSec? Or am I just confusing two different parts of your configuration?


> * tcpdump -i eth0 "host 192.168.22.2" on srvpn shows client -> world of the ping (decrypted) (but not return traffic)


I would expect pcap to see only the encrypted traffic. I'm not 100% positive, but I'm pretty sure it pulls out of the actual interface buffers (or thereabouts), so it should be after the encryption is applied.


> Based on how you're describing the xfrm rules, I'm guessing I should be fine if I can see the encrypt/decrypt working?


Yes. It sounds to me like you've got the key exchange daemons set up correctly and configuring SAs for encrypted traffic exchange. It should just be a question of figuring out why it isn't sending traffic over those tunnels.

	Zach


_______________________________________________
Cialug mailing list
Cialug at cialug.org
http://cialug.org/mailman/listinfo/cialug