Thank you, Lonnie. The information you provided was helpful because it reassured me that the setup at my end in Astlinux was most likely all proper and correct. So I focused on the other end and did find that there are problems inside the OpenStack cloud environment which I will need to chase the development team to fix.

Working around the problems at the OpenStack end I was able to get a site-to-site IPsec tunnel working between the two networks, proving that it can be done.

Thank you
David

On Thu, May 28, 2015 at 11:27 AM, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:

> Hi David,
>
> Well, there are many things that can go wrong with IPsec since each phase has options that sort-of need to match, and proper routes.
>
> In AstLinux this is automagically all done for you, so first start with an example...
>
> I have two of my test boxes, sitting on the same private subnet, 10.10.50.64 and 10.10.50.65
>
> ======= pbx3 ========
>
> pbx3 ~ # ip route
> default via 10.10.50.1 dev eth0
> 10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
> 10.8.1.0/24 dev tun2 proto kernel scope link src 10.8.1.2
> 10.10.50.0/24 dev eth0 proto kernel scope link src 10.10.50.64
> 192.168.101.0/24 dev eth1 proto kernel scope link src 192.168.101.1
> 192.168.103.0/24 dev eth1.10 proto kernel scope link src 192.168.103.1
> 192.168.110.0/24 via 10.8.1.1 dev tun2
> 192.168.111.0/24 dev eth1 scope link src 192.168.101.1
> 192.168.222.0/24 dev eth3 proto kernel scope link src 192.168.222.1
>
> pbx3 ~ # ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
>     link/ether 00:30:18:xx:xx:xx brd ff:ff:ff:ff:ff:ff
>     inet 10.10.50.64/24 brd 10.10.50.255 scope global eth0
>     inet6 2001:470:xxxx:x::x/64 scope global
>        valid_lft forever preferred_lft forever
>     inet6 fe80::230:18ff:fec7:ae9d/64 scope link
>        valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
>     link/ether 00:30:18:xx:xx:xx brd ff:ff:ff:ff:ff:ff
>     inet 192.168.101.1/24 brd 192.168.101.255 scope global eth1
>     inet6 2001:470:xxxx:x::x/64 scope global
>        valid_lft forever preferred_lft forever
>     inet6 fe80::230:18ff:fec7:ae9e/64 scope link
>        valid_lft forever preferred_lft forever
> ...
>
> ======= pbx4 ========
>
> pbx4 ~ # ip route
> default via 10.10.50.1 dev eth0
> 10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
> 10.10.50.0/24 dev eth0 proto kernel scope link src 10.10.50.65
> 192.168.101.0/24 dev eth1 scope link src 192.168.111.1
> 192.168.102.0/24 dev eth2 proto kernel scope link src 192.168.102.1
> 192.168.103.0/24 dev eth4 proto kernel scope link src 192.168.103.1
> 192.168.111.0/24 dev eth1 proto kernel scope link src 192.168.111.1
> 192.168.200.0/24 dev eth3 proto kernel scope link src 192.168.200.1
>
> pbx4 ~ # ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
>     link/ether 00:90:0b:xx:xx:xx brd ff:ff:ff:ff:ff:ff
>     inet 10.10.50.65/24 brd 10.10.50.255 scope global eth0
>     inet6 2001:470:xxxx:x::x/64 scope global
>        valid_lft forever preferred_lft forever
>     inet6 fe80::290:bff:fe36:9b78/64 scope link
>        valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
>     link/ether 00:90:0b:xx:xx:xx brd ff:ff:ff:ff:ff:ff
>     inet 192.168.111.1/24 brd 192.168.111.255 scope global eth1
>     inet6 2001:470:xxxx:x::x/64 scope global
>        valid_lft forever preferred_lft forever
>     inet6 fe80::290:bff:fe36:9b79/64 scope link
>        valid_lft forever preferred_lft forever
> ...
>
> This should give you some info to chew on.
>
> Yes, your "br1" route is correct, AstLinux finds the interface associated with your "Local-Net" and hooks the "Remote-Net" to that interface. Which means the "br1" link must be up or there will be issues. Personally I have never used a bridge interface, but it should work as well.
>
> AstLinux handles all the firewall stuff for you, as well as all the routes.
>
> So, at this point if the associations are up and running, your phase options should be compatible, set logging to "Info" for more detail.
>
> My guess is a route is needed on your cloud IPsec to point back to your local net.
>
> Also if you have residential internet access, possibly they will block ESP packets, enabling NAT-T will use 4500/UDP instead.
>
> Lonnie
>
> Note: Seemingly since these are both on the same subnet I had to specify "Local-Host" and not use the 0.0.0.0 wildcard, it seems.
>
>
> On May 27, 2015, at 10:13 PM, David Kerr <da...@kerr.net> wrote:
>
>> I'm experimenting with IPsec. I want to see if I can connect two networks together but am running into problems.
>>
>> I have little flexibility at the "other" end... the environment I'm using is a test OpenStack cloud environment. It supports IPsec Gateway VPN but not OpenVPN. So I configured IPSec at both ends and the negotiation appears to work, but no traffic is being routed between the networks.
>>
>> IPsec Associations:
>>
>> Source        Destination   Created               Lifetime  Age  Bytes  Type
>> 50.187.xx.yy  169.53.aa.bb  May 27 22:53:17 2015  3600      63   336    esp mode=tunnel
>> 169.53.aa.bb  50.187.xx.yy  May 27 22:53:17 2015  3600      63   0      esp mode=tunnel
>>
>> My astlinux box has public IP of 50.187.xx.yy and the public IP of the OpenStack VPN gateway is 169.53.aa.bb. My internal network at astlinux end is 192.168.17.0/24 and the virtual network at the openstack end is 192.168.18.0/24. I have a virtual machine configured on that network and it is able to access the internet just fine. I can ping the public IP addresses of both ends from the other ends.
>>
>> I am not able to mess around with the gateway VPN at the other end so I cannot look and see what is configured. But on Astlinux I have the following...
>>
>> pbx ~ # netstat -rn
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
>> 0.0.0.0         50.187.96.1     0.0.0.0         UG        0 0          0 eth0
>> 50.187.96.0     0.0.0.0         255.255.248.0   U         0 0          0 eth0
>> 192.168.17.0    0.0.0.0         255.255.255.0   U         0 0          0 br1
>> 192.168.18.0    0.0.0.0         255.255.255.0   U         0 0          0 br1
>> pbx ~ #
>> pbx ~ # ifconfig
>> br1       Link encap:Ethernet  HWaddr 00:0D:B9:33:15:61
>>           inet addr:192.168.17.1  Bcast:192.168.17.255  Mask:255.255.255.0
>>           inet6 addr: fe80::20d:b9ff:fe33:1561/64 Scope:Link
>>           UP BROADCAST RUNNING MULTICAST  MTU:9000  Metric:1
>>           RX packets:468916 errors:0 dropped:104 overruns:0 frame:0
>>           TX packets:556471 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:0
>>           RX bytes:69249985 (66.0 MiB)  TX bytes:575921175 (549.2 MiB)
>>
>> eth0      Link encap:Ethernet  HWaddr 00:0D:B9:33:15:60
>>           inet addr:50.187.xx.yy  Bcast:255.255.255.255  Mask:255.255.248.0
>>           inet6 addr: fe80::20d:b9ff:fe33:1560/64 Scope:Link
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:554365 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:440068 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:575823212 (549.1 MiB)  TX bytes:71908074 (68.5 MiB)
>>           Interrupt:40 Base address:0x4000
>>
>> eth1      Link encap:Ethernet  HWaddr 00:0D:B9:33:15:61
>>           inet6 addr: fe80::20d:b9ff:fe33:1561/64 Scope:Link
>>           UP BROADCAST RUNNING MULTICAST  MTU:9000  Metric:1
>>           RX packets:471125 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:555754 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:76019519 (72.4 MiB)  TX bytes:575483412 (548.8 MiB)
>>           Interrupt:41 Base address:0x6000
>>
>> eth2      Link encap:Ethernet  HWaddr 00:0D:B9:33:15:62
>>           inet6 addr: fe80::20d:b9ff:fe33:1562/64 Scope:Link
>>           UP BROADCAST RUNNING MULTICAST  MTU:9000  Metric:1
>>           RX packets:970 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:13541 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:292026 (285.1 KiB)  TX bytes:2333516 (2.2 MiB)
>>           Interrupt:42 Base address:0x8000
>>
>> lo        Link encap:Local Loopback
>>           inet addr:127.0.0.1  Mask:255.0.0.0
>>           inet6 addr: ::1/128 Scope:Host
>>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>>           RX packets:37036 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:37036 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:0
>>           RX bytes:3273747 (3.1 MiB)  TX bytes:3273747 (3.1 MiB)
>>
>> pbx ~ #
>>
>> So the routing table is adding 192.168.18.0/24 but it is pointing to interface br1, is that right? And ifconfig does not show any interface for IPsec that I would have expected (but I will add that I have never done this before so maybe I don't know what I should expect). Syslog is not reporting anything either.
>>
>> Any suggestions?
>>
>> Thanks
>> David
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Astlinux-users mailing list
>> Astlinux-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>
>> Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
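The diagnosis Lonnie walks David through above (SAs established, bytes leaving on the outbound SA but none on the inbound one, Remote-Net routed onto the Local-Net interface) can be mechanised. The script below is an added example written for this page; it is not code from the thread, from AstLinux or from OpenStack. It parses an "IPsec Associations" table and a `netstat -rn` table in the shape David posted, pairs each peer's outbound and inbound SA, and classifies the tunnel as one-way, idle, receive-only or ok, then checks that Local-Net and Remote-Net land on the same interface as Lonnie describes. The sample tables are constructed from the figures quoted in the thread, with the masked addresses (`xx.yy`, `aa.bb`) kept as literal tokens; the function names and verdict strings are this example's own.

```python
"""Added diagnostic for the symptom in this thread: IPsec SAs are up but no
traffic crosses the tunnel.  Example code, not part of AstLinux.  All sample
data is constructed from the thread; masked addresses are literal tokens."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the SA table from the post, masked as in the post.
SAMPLE_SA_TABLE = """\
Source Destination Created Lifetime Age Bytes Type
50.187.xx.yy 169.53.aa.bb May 27 22:53:17 2015 3600 63 336 esp mode=tunnel
169.53.aa.bb 50.187.xx.yy May 27 22:53:17 2015 3600 63 0 esp mode=tunnel
"""

# Constructed sample: the 'netstat -rn' table from the post, one route per line.
SAMPLE_ROUTES = """\
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 50.187.96.1 0.0.0.0 UG 0 0 0 eth0
50.187.96.0 0.0.0.0 255.255.248.0 U 0 0 0 eth0
192.168.17.0 0.0.0.0 255.255.255.0 U 0 0 0 br1
192.168.18.0 0.0.0.0 255.255.255.0 U 0 0 0 br1
"""

# One SA row: src dst "Mon DD HH:MM:SS YYYY" lifetime age bytes proto mode=...
SA_LINE = re.compile(
    r"^(?P<src>\S+)\s+(?P<dst>\S+)\s+[A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d \d{4}\s+"
    r"(?P<lifetime>\d+)\s+(?P<age>\d+)\s+(?P<bytes>\d+)\s+(?P<proto>\S+)\s+mode=(?P<mode>\S+)$"
)


@dataclass
class SecurityAssociation:
    src: str
    dst: str
    lifetime: int
    age: int
    byte_count: int
    proto: str
    mode: str


def parse_sa_table(text):
    """One SecurityAssociation per data row; the header row does not match."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            sas.append(SecurityAssociation(m["src"], m["dst"], int(m["lifetime"]),
                                           int(m["age"]), int(m["bytes"]), m["proto"], m["mode"]))
    return sas


def diagnose_sas(sas, local_ip):
    """Pair outbound and inbound SA per peer -> {peer: (out_bytes, in_bytes, verdict)}."""
    findings = {}
    peers = sorted({sa.dst for sa in sas if sa.src == local_ip}
                   | {sa.src for sa in sas if sa.dst == local_ip})
    for peer in peers:
        out = [sa for sa in sas if (sa.src, sa.dst) == (local_ip, peer)]
        inb = [sa for sa in sas if (sa.src, sa.dst) == (peer, local_ip)]
        out_bytes, in_bytes = sum(s.byte_count for s in out), sum(s.byte_count for s in inb)
        if not out or not inb:
            verdict = "incomplete"    # phase 2 did not yield an SA in each direction
        elif out_bytes > 0 and in_bytes == 0:
            # The thread's symptom: we encrypt and send, nothing comes back.  Usual
            # causes: the peer has no route for our Local-Net, or ESP is filtered on
            # the path (NAT-T moves the encrypted payload to 4500/UDP).
            verdict = "one-way"
        elif out_bytes == 0 and in_bytes > 0:
            verdict = "receive-only"  # mirror image: check our own route and firewall
        elif out_bytes == 0 and in_bytes == 0:
            verdict = "idle"
        else:
            verdict = "ok"
        findings[peer] = (out_bytes, in_bytes, verdict)
    return findings


def parse_routes(text):
    """[(network, gateway, iface)] from 'netstat -rn' output; header row skipped."""
    routes = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 8:
            dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[7]
            routes.append((ipaddress.ip_network(f"{dest}/{mask}"), gw, iface))
    return routes


def check_tunnel_routes(routes, local_net, remote_net):
    """AstLinux hooks Remote-Net onto the interface carrying Local-Net, so both
    networks must be routed and must name the same interface."""
    by_net = {net: iface for net, _gw, iface in routes}
    local_if = by_net.get(ipaddress.ip_network(local_net))
    remote_if = by_net.get(ipaddress.ip_network(remote_net))
    if local_if is None or remote_if is None:
        return "missing route"
    return "same interface" if local_if == remote_if else "interface mismatch"


if __name__ == "__main__":
    for peer, (o, i, verdict) in diagnose_sas(parse_sa_table(SAMPLE_SA_TABLE), "50.187.xx.yy").items():
        print(f"peer {peer}: out={o} in={i} -> {verdict}")
    print(check_tunnel_routes(parse_routes(SAMPLE_ROUTES), "192.168.17.0/24", "192.168.18.0/24"))
```

On David's data this reports the 169.53.aa.bb peer as "one-way" (336 bytes out, 0 in) while the route check passes, which is exactly the split Lonnie draws: the local side is consistent, so the missing piece is a return route on the cloud gateway or ESP being dropped on the path. Feed it live output (for example from the AstLinux status page or `setkey -D` style tables reshaped to the same columns) rather than the constructed samples to use it on a real box.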