* Libreswan 3.15 ipsec (libreswan-3.15-5.el7_1.x86_64)
* Openstack Icehouse
* RHEL 7.1 boxes used as routers

Followed this document (with modifications) 
https://libreswan.org/wiki/Subnet_to_subnet_VPN_with_PSK

I am attempting to create libreswan ipsec tunnels between tenants in an 
Openstack Icehouse cloud.  I have created a shared subnet (10.255.255.0/24) 
that the RHEL boxes attach to in a multi-homed fashion.  Each box has two 
interfaces. net.ipv4.ip_forward is enabled (1) on each box.

    Router in tenant A                           Router in tenant B
    ------------------------                     ------------------------
    eth0      eth1           <=================> eth1           eth0
    10.0.1.1  10.255.255.10                      10.255.255.20  10.0.2.1
    ------------------------                     ------------------------


Routing

    Tenant A: 10.0.1.0/24
       * Subnet hosts use gateway: 10.0.1.1
    Tenant B: 10.0.2.0/24
       * Subnet hosts use gateway: 10.0.2.1
    Shared segment: 10.255.255.0/24

    10.0.2.0/24 via 10.255.255.20
    10.0.1.0/24 via 10.255.255.10


I've setup the VM ports to allow tenant A's network to be announced on Tenant 
B's eth0 interface, and vice-versa, by setting the port's allowed_address_pairs 
to the opposite network's range (this is an Openstack-ism).  I can connect 
(ping,ssh) across the shared network to arbitrary hosts on the other end.  This 
all works without libreswan in the middle.

I add libreswan, and things break.

Libreswan config router tenant A
--------------------------------
    config setup
        protostack=netkey
        plutodebug=all
        plutorestartoncrash=yes
        dumpdir=/var/run/pluto

    conn base
        authby=rsasig
        left=10.255.255.10
        leftsourceip=10.0.1.1
        leftsubnet=10.0.1.0/24
        leftrsasigkey=<redacted>

    conn tenant_a
        also=base
        # peer's address on the shared segment (router in tenant B)
        right=10.255.255.20
        rightsubnet=10.0.2.0/24
        rightrsasigkey=<redacted>
        auto=start

Libreswan config router tenant B
--------------------------------
    config setup
        protostack=netkey
        plutodebug=all
        plutorestartoncrash=yes
        dumpdir=/var/run/pluto

    conn base
        authby=rsasig
        left=10.255.255.20
        leftsourceip=10.0.2.1
        leftsubnet=10.0.2.0/24
        leftrsasigkey=<redacted>

    conn tenant_b
        also=base
        # peer's address on the shared segment (router in tenant A)
        right=10.255.255.10
        rightsubnet=10.0.1.0/24
        rightrsasigkey=<redacted>
        auto=start

Running this config on each end has the tunnel coming up without any errors.
When the tunnel comes up, libreswan adds a new route with a higher priority
than the initial static route:

    10.0.2.0/24 dev eth1  scope link  src 10.0.1.1
    10.0.2.0/24 via 10.255.255.20 dev eth1  proto static  metric 100

and the same on the remote end:

    10.0.1.0/24 dev eth1  scope link  src 10.0.2.1
    10.0.1.0/24 via 10.255.255.10 dev eth1  proto static  metric 100

I can ping the remote router's eth0 interface IP address but not any hosts in 
the remote subnet.  This is true from either direction.

With this config, I can reach the remote end:

    traceroute to 10.0.2.1 (10.0.2.1), 64 hops max, 52 byte packets
     1  172.31.228.1 (172.31.228.1)  29.907 ms  29.742 ms  29.888 ms
     2  10.0.1.1 (10.0.1.1)  30.338 ms  29.795 ms  29.985 ms
     3  10.0.2.1 (10.0.2.1)  29.645 ms  30.893 ms  30.823 ms

But I cannot route past 10.0.2.1.  I get a 'Network unreachable' error:

    1  172.31.228.1 (172.31.228.1)  29.907 ms  29.742 ms  29.888 ms
    2  10.0.1.1 (10.0.1.1)  30.338 ms  29.795 ms  29.985 ms
    3  10.0.1.1 (10.0.1.1)  3035.382 ms  !H 30.893 ms  30.823 ms

Any idea what is going on here?
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
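Added example (not part of the post above, and not libreswan code): with
protostack=netkey a forwarded packet is only encapsulated if an `out`
direction entry in the kernel SPD (`ip xfrm policy`) covers its source and
destination; otherwise the kernel just follows the routing table, and the
`scope link` route libreswan's _updown installs (the same prefix, metric 0, no
gateway) wins over the static route, so the router ARPs for the remote host
on eth1 and answers with host unreachable (the `!H` seen in traceroute). The
script below checks that for a given src/dst pair against the text output of
`ip xfrm policy` and `ip route`. The inputs are constructed samples modelled
on the post's addresses, including a deliberately narrow host-only selector to
show what the failure mode looks like; the selector, priority and reqid values
are assumptions, not captured from the poster's routers.

```python
"""Diagnose what a Linux/XFRM router would do with a forwarded packet:
tunnel it (matching SPD entry), send it in the clear via a gateway, or ARP
for it on a directly connected link (the scope-link route case)."""
import ipaddress
import re

# Constructed sample in the layout `ip xfrm policy` prints (assumed format).
# This is the selector a subnet-to-subnet conn is expected to install.
SAMPLE_XFRM_POLICY = """\
src 10.0.1.0/24 dst 10.0.2.0/24
    dir out priority 2344 ptype main
    tmpl src 10.255.255.10 dst 10.255.255.20
        proto esp reqid 16389 mode tunnel
src 10.0.2.0/24 dst 10.0.1.0/24
    dir fwd priority 2344 ptype main
    tmpl src 10.255.255.20 dst 10.255.255.10
        proto esp reqid 16389 mode tunnel
src 10.0.2.0/24 dst 10.0.1.0/24
    dir in priority 2344 ptype main
    tmpl src 10.255.255.20 dst 10.255.255.10
        proto esp reqid 16389 mode tunnel
"""

# Constructed variant: the out selector only covers the router's own eth0
# address, which is what a host-to-subnet conn (no leftsubnet) would give.
NARROW_XFRM_POLICY = """\
src 10.0.1.1/32 dst 10.0.2.0/24
    dir out priority 2344 ptype main
    tmpl src 10.255.255.10 dst 10.255.255.20
        proto esp reqid 16389 mode tunnel
"""

# Constructed `ip route` output for the tenant A router, built from the two
# 10.0.2.0/24 routes quoted in the post (default gateway is assumed).
SAMPLE_ROUTES = """\
default via 10.0.1.254 dev eth0
10.0.1.0/24 dev eth0  proto kernel  scope link  src 10.0.1.1
10.0.2.0/24 dev eth1  scope link  src 10.0.1.1
10.0.2.0/24 via 10.255.255.20 dev eth1  proto static  metric 100
10.255.255.0/24 dev eth1  proto kernel  scope link  src 10.255.255.10
"""


def parse_policies(text):
    """Parse `ip xfrm policy` text into dicts: src, dst, dir, priority, tmpl."""
    policies, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^src (\S+) dst (\S+)", line)
        if m:
            cur = {"src": ipaddress.ip_network(m.group(1)),
                   "dst": ipaddress.ip_network(m.group(2)),
                   "dir": None, "priority": None, "tmpl": None}
            policies.append(cur)
            continue
        m = re.match(r"^\s+dir (\w+) priority (\d+)", line)
        if m and cur:
            cur["dir"], cur["priority"] = m.group(1), int(m.group(2))
            continue
        m = re.match(r"^\s+tmpl src (\S+) dst (\S+)", line)
        if m and cur:
            cur["tmpl"] = (m.group(1), m.group(2))
    return policies


def parse_routes(text):
    """Parse `ip route` text into dicts: net, via, dev, scope_link, metric."""
    routes = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        prefix = "0.0.0.0/0" if toks[0] == "default" else toks[0]
        r = {"net": ipaddress.ip_network(prefix), "via": None, "dev": None,
             "metric": 0,
             "scope_link": "scope" in toks
             and toks[toks.index("scope") + 1] == "link"}
        for i, t in enumerate(toks):
            if t == "via":
                r["via"] = toks[i + 1]
            elif t == "dev":
                r["dev"] = toks[i + 1]
            elif t == "metric":
                r["metric"] = int(toks[i + 1])
        routes.append(r)
    return routes


def matching_policy(policies, src, dst, direction):
    """Lowest-priority-number SPD entry of `direction` covering src->dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p["dir"] == direction and s in p["src"] and d in p["dst"]]
    return min(hits, key=lambda p: p["priority"]) if hits else None


def best_route(routes, dst):
    """Kernel selection order: longest prefix first, then lowest metric."""
    d = ipaddress.ip_address(dst)
    hits = [r for r in routes if d in r["net"]]
    return (min(hits, key=lambda r: (-r["net"].prefixlen, r["metric"]))
            if hits else None)


def diagnose(policy_text, route_text, src, dst):
    """Say what happens to a plaintext packet src->dst leaving this router."""
    pol = matching_policy(parse_policies(policy_text), src, dst, "out")
    rt = best_route(parse_routes(route_text), dst)
    if pol:
        verdict = "esp"                    # caught by SPD, tunnelled to tmpl dst
    elif rt is None:
        verdict = "unroutable"             # ENETUNREACH, no route at all
    elif rt["scope_link"] and rt["via"] is None:
        verdict = "arp-on-link"            # ARP for dst on rt['dev']; !H if absent
    else:
        verdict = "plaintext-via-gateway"  # leaves in the clear through via
    return {"policy": pol["tmpl"] if pol else None,
            "route": (str(rt["net"]), rt["via"], rt["dev"]) if rt else None,
            "verdict": verdict}


if __name__ == "__main__":
    for pol_text, name in ((SAMPLE_XFRM_POLICY, "subnet selector"),
                           (NARROW_XFRM_POLICY, "host-only selector")):
        for src in ("10.0.1.1", "10.0.1.50"):
            print(name, src, "->", "10.0.2.50",
                  diagnose(pol_text, SAMPLE_ROUTES, src, "10.0.2.50"))
```

On a real router, feed it `ip xfrm policy` and `ip route` output and test a
source address from the LAN side, not just the router's own eth0 address: a
result of "esp" for 10.0.1.1 but "arp-on-link" for a 10.0.1.x host is exactly
the router-reachable-but-hosts-not pattern, and means the SPD selector is
narrower than the leftsubnet/rightsubnet pair you intended.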