Hi David,

Well, there are many things that can go wrong with IPsec since each phase has options that sort-of need to match, and proper routes.

In AstLinux this is automagically all done for you, so first start with an example...

I have two of my test boxes, sitting on the same private subnet, 10.10.50.64 and 10.10.50.65

======= pbx3 ========

pbx3 ~ # ip route
default via 10.10.50.1 dev eth0
10.8.0.0/24 dev tun0  proto kernel  scope link  src 10.8.0.1
10.8.1.0/24 dev tun2  proto kernel  scope link  src 10.8.1.2
10.10.50.0/24 dev eth0  proto kernel  scope link  src 10.10.50.64
192.168.101.0/24 dev eth1  proto kernel  scope link  src 192.168.101.1
192.168.103.0/24 dev eth1.10  proto kernel  scope link  src 192.168.103.1
192.168.110.0/24 via 10.8.1.1 dev tun2
192.168.111.0/24 dev eth1  scope link  src 192.168.101.1
192.168.222.0/24 dev eth3  proto kernel  scope link  src 192.168.222.1

pbx3 ~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:30:18:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 10.10.50.64/24 brd 10.10.50.255 scope global eth0
    inet6 2001:470:xxxx:x::x/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::230:18ff:fec7:ae9d/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:30:18:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 192.168.101.1/24 brd 192.168.101.255 scope global eth1
    inet6 2001:470:xxxx:x::x/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::230:18ff:fec7:ae9e/64 scope link
       valid_lft forever preferred_lft forever
...

======= pbx4 ========

pbx4 ~ # ip route
default via 10.10.50.1 dev eth0
10.8.0.0/24 dev tun0  proto kernel  scope link  src 10.8.0.1
10.10.50.0/24 dev eth0  proto kernel  scope link  src 10.10.50.65
192.168.101.0/24 dev eth1  scope link  src 192.168.111.1
192.168.102.0/24 dev eth2  proto kernel  scope link  src 192.168.102.1
192.168.103.0/24 dev eth4  proto kernel  scope link  src 192.168.103.1
192.168.111.0/24 dev eth1  proto kernel  scope link  src 192.168.111.1
192.168.200.0/24 dev eth3  proto kernel  scope link  src 192.168.200.1

pbx4 ~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:90:0b:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 10.10.50.65/24 brd 10.10.50.255 scope global eth0
    inet6 2001:470:xxxx:x::x/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::290:bff:fe36:9b78/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:90:0b:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 192.168.111.1/24 brd 192.168.111.255 scope global eth1
    inet6 2001:470:xxxx:x::x/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::290:bff:fe36:9b79/64 scope link
       valid_lft forever preferred_lft forever
...

This should give you some info to chew on.

Yes, your "br1" route is correct, AstLinux finds the interface associated with your "Local-Net" and hooks the "Remote-Net" to that interface. Which means the "br1" link must be up or there will be issues. Personally I have never used a bridge interface, but it should work as well. AstLinux handles all the firewall stuff for you, as well as all the routes.
So, at this point if the associations are up and running, your phase options should be compatible, set logging to "Info" for more detail.

My guess is a route is needed on your cloud IPsec to point back to your local net.

Also if you have residential internet access, possibly they will block ESP packets, enabling NAT-T will use 4500/UDP instead.

Lonnie

Note: Since these are both on the same subnet I had to specify "Local-Host" and not use the 0.0.0.0 wildcard, it seems.

On May 27, 2015, at 10:13 PM, David Kerr <da...@kerr.net> wrote:

> I'm experimenting with IPsec. I want to see if I can connect two networks
> together but am running into problems.
>
> I have little flexibility at the "other" end... the environment I'm using is
> a test OpenStack cloud environment. It supports IPsec Gateway VPN but not
> OpenVPN. So I configured IPSec at both ends and the negotiation appears to
> work, but no traffic is being routed between the networks.
>
> IPsec Associations:
>
> Source        Destination   Created               Lifetime  Age  Bytes  Type
> 50.187.xx.yy  169.53.aa.bb  May 27 22:53:17 2015  3600      63   336    esp mode=tunnel
> 169.53.aa.bb  50.187.xx.yy  May 27 22:53:17 2015  3600      63   0      esp mode=tunnel
>
> My astlinux box has public IP of 50.187.xx.yy and the public IP of the
> OpenStack VPN gateway is 169.53.aa.bb. My internal network at astlinux end
> is 192.168.17.0/24 and the virtual network at the openstack end is
> 192.168.18.0/24. I have a virtual machine configured on that network and it
> is able to access the internet just fine. I can ping the public IP addresses
> of both ends from the other ends.
>
> I am not able to mess around with the gateway VPN at the other end so I
> cannot look and see what is configured. But on Astlinux I have the
> following...
>
> pbx ~ # netstat -rn
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 0.0.0.0         50.187.96.1     0.0.0.0         UG        0 0          0 eth0
> 50.187.96.0     0.0.0.0         255.255.248.0   U         0 0          0 eth0
> 192.168.17.0    0.0.0.0         255.255.255.0   U         0 0          0 br1
> 192.168.18.0    0.0.0.0         255.255.255.0   U         0 0          0 br1
> pbx ~ #
> pbx ~ # ifconfig
> br1       Link encap:Ethernet  HWaddr 00:0D:B9:33:15:61
>           inet addr:192.168.17.1  Bcast:192.168.17.255  Mask:255.255.255.0
>           inet6 addr: fe80::20d:b9ff:fe33:1561/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:9000  Metric:1
>           RX packets:468916 errors:0 dropped:104 overruns:0 frame:0
>           TX packets:556471 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:69249985 (66.0 MiB)  TX bytes:575921175 (549.2 MiB)
>
> eth0      Link encap:Ethernet  HWaddr 00:0D:B9:33:15:60
>           inet addr:50.187.xx.yy  Bcast:255.255.255.255  Mask:255.255.248.0
>           inet6 addr: fe80::20d:b9ff:fe33:1560/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:554365 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:440068 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:575823212 (549.1 MiB)  TX bytes:71908074 (68.5 MiB)
>           Interrupt:40 Base address:0x4000
>
> eth1      Link encap:Ethernet  HWaddr 00:0D:B9:33:15:61
>           inet6 addr: fe80::20d:b9ff:fe33:1561/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:9000  Metric:1
>           RX packets:471125 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:555754 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:76019519 (72.4 MiB)  TX bytes:575483412 (548.8 MiB)
>           Interrupt:41 Base address:0x6000
>
> eth2      Link encap:Ethernet  HWaddr 00:0D:B9:33:15:62
>           inet6 addr: fe80::20d:b9ff:fe33:1562/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:9000  Metric:1
>           RX packets:970 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:13541 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:292026 (285.1 KiB)  TX bytes:2333516 (2.2 MiB)
>           Interrupt:42 Base address:0x8000
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:37036 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:37036 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:3273747 (3.1 MiB)  TX bytes:3273747 (3.1 MiB)
>
> pbx ~ #
>
> So the routing table is adding 192.168.18.0/24 but it is pointing to
> interface br1, is that right? And ifconfig does not show any interface for
> IPsec that I would have expected (but I will add that I have never done this
> before so maybe I don't know what I should expect). Syslog is not reporting
> anything either.
>
> Any suggestions?
>
> Thanks
> David
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> pay...@krisk.org.
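An added triage script, not part of the thread or of AstLinux, that turns the two checks discussed above into something you can run against a copy of the "IPsec Associations" table and "netstat -rn" output: it reports whether ESP bytes are flowing in both directions (David's table shows 336 out, 0 back, which is what a missing return route or ESP filtered upstream looks like) and whether the Remote-Net route sits on the same interface as Local-Net. The sample tables are constructed from David's post with his xx/aa placeholders kept; the function names are this example's own.

```shell
#!/bin/sh
# Added example: triage helpers for a policy-based IPsec tunnel on AstLinux.
# Sample tables below are constructed from the thread (xx/aa placeholders kept).

SA_TABLE='Source Destination Created Lifetime Age Bytes Type
50.187.xx.yy 169.53.aa.bb May 27 22:53:17 2015 3600 63 336 esp mode=tunnel
169.53.aa.bb 50.187.xx.yy May 27 22:53:17 2015 3600 63 0 esp mode=tunnel'

ROUTES='Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 50.187.96.1 0.0.0.0 UG 0 0 0 eth0
50.187.96.0 0.0.0.0 255.255.248.0 U 0 0 0 eth0
192.168.17.0 0.0.0.0 255.255.255.0 U 0 0 0 br1
192.168.18.0 0.0.0.0 255.255.255.0 U 0 0 0 br1'

# Sum ESP bytes per direction for our public IP: prints "<outbound> <inbound>".
# Field 9 is Bytes because the Created column spans four whitespace fields.
sa_bytes() {
    printf '%s\n' "$2" | awk -v me="$1" '
        NR > 1 && NF >= 9 { if ($1 == me) out += $9; else if ($2 == me) inb += $9 }
        END { printf "%d %d\n", out + 0, inb + 0 }'
}

# ok: bytes flow both ways. no-return: only outbound grows, so the far end
# never answers (missing route back to Local-Net, or ESP filtered upstream;
# NAT-T on 4500/UDP sidesteps the latter). no-traffic: nothing sent yet.
sa_verdict() {
    set -- $(sa_bytes "$1" "$2")
    if [ "$1" -gt 0 ] && [ "$2" -gt 0 ]; then echo ok
    elif [ "$1" -gt 0 ]; then echo no-return
    else echo no-traffic; fi
}

# Interface carrying a destination net in `netstat -rn` output ("" if absent).
route_iface() {
    printf '%s\n' "$2" | awk -v net="$1" '$1 == net { print $NF; exit }'
}

# AstLinux hooks Remote-Net onto Local-Net's interface; confirm they agree.
remote_route_check() {
    local_if=$(route_iface "$1" "$3"); remote_if=$(route_iface "$2" "$3")
    if [ -z "$remote_if" ]; then echo missing
    elif [ "$remote_if" = "$local_if" ]; then echo "ok:$remote_if"
    else echo "mismatch:$remote_if"; fi
}

echo "SA: $(sa_verdict 50.187.xx.yy "$SA_TABLE")"                         # no-return
echo "route: $(remote_route_check 192.168.17.0 192.168.18.0 "$ROUTES")"  # ok:br1
```

On a live box feed it the real tables, e.g. sa_verdict "$PUBLIC_IP" "$(cat sa.txt)" and remote_route_check 192.168.17.0 192.168.18.0 "$(netstat -rn)"; a "no-return" verdict with a correct route points at the far end or the ISP, not at AstLinux.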