Problem with ipsec routing, kernel 2.6 and susefirewall
Dear all,

I have a problem with my ipsec connection. It works only in one direction.

Configuration:

GW-Left: Suse 9.2 (kernel 2.6.8-24.3-default), Openswan 2.2.0, Susefirewall 3.2
GW-Right: Suse 7.3 (kernel 2.4-18), freeswan 1.98b, Susefirewall
PC-Left/Right: Windows XP SP1

|PC-Left|---|GW-Left|--<Router>---|GW-Right|---|PC-Right|
10.0.0.116   83.0.0.51            83.0.0.52   10.0.0.231

The ipsec tunnel is established and the key exchange seems to work, but a ping from PC-Left to PC-Right doesn't work. A ping from PC-Right to PC-Left works fine.

The ping from PC-Left to PC-Right shows the following messages in /var/log/messages:

Dec 2 17:35:52 FWTest kernel: SFW2-FWDint-ACC-PING IN=eth1 OUT=eth0 SRC=10.0.0.116 DST=10.0.0.231 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2517 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=36864
Dec 2 17:35:57 FWTest kernel: SFW2-FWDint-ACC-PING IN=eth1 OUT=eth0 SRC=10.0.0.116 DST=10.0.0.231 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2519 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=37120
Dec 2 17:36:03 FWTest kernel: SFW2-FWDint-ACC-PING IN=eth1 OUT=eth0 SRC=10.0.0.116 DST=10.0.0.231 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2521 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=37376

There I can see that the ping packets arrive at the firewall unencrypted.

The ping from PC-Right to PC-Left shows the following:

Dec 2 17:45:53 FWTest kernel: SFW2-INext-ACC-IP IN=eth0 OUT= MAC=00:04:75:97:79:19:00:50:04:31:22:cf:08:00 SRC=83.0.0.52 DST=83.0.0.51 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=32706 PROTO=ESP SPI=0x6ffc8a25
Dec 2 17:45:53 FWTest kernel: SFW2-FWDext-ACC-FORW IN=eth0 OUT=eth1 SRC=10.0.0.231 DST=10.0.0.116 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=5381 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=35585
Dec 2 17:45:53 FWTest kernel: SFW2-FWDint-FWD-RELA IN=eth1 OUT=eth0 SRC=10.0.0.116 DST=10.0.0.231 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2734 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=35585
Dec 2 17:45:54 FWTest kernel: SFW2-INext-ACC-IP IN=eth0 OUT= MAC=00:04:75:97:79:19:00:50:04:31:22:cf:08:00 SRC=83.0.0.52 DST=83.0.0.51 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=32707 PROTO=ESP SPI=0x6ffc8a25
Dec 2 17:45:54 FWTest kernel: SFW2-FWDext-ACC-FORW IN=eth0 OUT=eth1 SRC=10.0.0.231 DST=10.0.0.116 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=5383 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=35841

There I see that the ipsec data is encrypted.

My ipsec.conf of GW-Left:

plutodebug=none
# Certificate Revocation List handling
#crlcheckinterval=600
#strictcrlpolicy=yes
# Change rp_filter setting, default = 0 (switch off)
rp_filter=%unchanged
# Switch on NAT-Traversal (if patch is installed)
nat_traversal=yes
interfaces=%defaultroute
#forwardcontrol=yes

# default settings for connections
conn %default
    # Default: %forever (try forever)
    #keyingtries=3
    # Sig keys (default: %dnsondemand)
    #leftrsasigkey=%cert
    #rightrsasigkey=%cert
    # Lifetimes, defaults are 1h/8hrs
    #ikelifetime=20m
    #keylife=1h
    #rekeymargin=8m
    left=%defaultroute
    compress=no

# Add connections here

# sample VPN connection
conn kbs-test
    type=tunnel
    auth=esp
    # Left security gateway, subnet behind it, next hop toward right.
    left=83.0.0.51
    leftsubnet=10.0.0.64/26
    leftnexthop=83.0.0.49
    # Right security gateway, subnet behind it, next hop toward left.
    right=83.0.0.52
    rightsubnet=10.0.0.192/26
    rightnexthop=83.0.0.49
    # To authorize this connection, but not actually start it, at startup,
    # uncomment this.
    auto=start
    authby=secret

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

Any ideas about that?

Greetings,
Gabriel
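The log lines above can be triaged mechanically. The following Python script is an added example, not part of Gabriel's post nor code from Openswan or SuSEfirewall2; it parses SFW2 kernel log lines, classifies each packet against the tunnel selectors from the ipsec.conf (10.0.0.64/26 and 10.0.0.192/26) and flags the pattern that the post shows: ESP arriving on the external interface but never leaving it. It assumes eth0 is the external interface (inferred from OUT=eth0 towards 83.0.0.52) and reuses the post's own log lines as constructed sample input. One caveat it encodes: with the native IPsec stack of a 2.6 kernel, a forwarded packet traverses the FORWARD chain in the clear before ESP encapsulation is applied, so a cleartext FWD log line with OUT=eth0 does not by itself prove that the packet left the wire unencrypted.

```python
import ipaddress
import re
from collections import Counter

# Tunnel selectors taken from the ipsec.conf in the post. eth0 as the external
# interface is an assumption based on the log lines (OUT=eth0 towards the peer).
LEFT_SUBNET = ipaddress.ip_network("10.0.0.64/26")
RIGHT_SUBNET = ipaddress.ip_network("10.0.0.192/26")
EXT_IF = "eth0"

# Constructed sample: the SFW2 log lines quoted in the post.
SAMPLE_LOG = """\
Dec 2 17:35:52 FWTest kernel: SFW2-FWDint-ACC-PING IN=eth1 OUT=eth0 SRC=10.0.0.116 DST=10.0.0.231 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2517 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=36864
Dec 2 17:45:53 FWTest kernel: SFW2-INext-ACC-IP IN=eth0 OUT= MAC=00:04:75:97:79:19:00:50:04:31:22:cf:08:00 SRC=83.0.0.52 DST=83.0.0.51 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=32706 PROTO=ESP SPI=0x6ffc8a25
Dec 2 17:45:53 FWTest kernel: SFW2-FWDext-ACC-FORW IN=eth0 OUT=eth1 SRC=10.0.0.231 DST=10.0.0.116 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=5381 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=35585
Dec 2 17:45:53 FWTest kernel: SFW2-FWDint-FWD-RELA IN=eth1 OUT=eth0 SRC=10.0.0.116 DST=10.0.0.231 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2734 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=35585
Dec 2 17:45:54 FWTest kernel: SFW2-INext-ACC-IP IN=eth0 OUT= MAC=00:04:75:97:79:19:00:50:04:31:22:cf:08:00 SRC=83.0.0.52 DST=83.0.0.51 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=32707 PROTO=ESP SPI=0x6ffc8a25
Dec 2 17:45:54 FWTest kernel: SFW2-FWDext-ACC-FORW IN=eth0 OUT=eth1 SRC=10.0.0.231 DST=10.0.0.116 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=5383 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=35841
"""

PREFIX_RE = re.compile(r"kernel: (SFW2-\S+)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Turn one SFW2 log line into a dict of KEY=VALUE fields.

    Only the first occurrence of a key is kept: ID= appears twice in ICMP
    lines (IP header ID first, then the ICMP echo ID)."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = {"PREFIX": m.group(1)}
    for key, value in FIELD_RE.findall(line[m.end():]):
        fields.setdefault(key, value)
    return fields


def classify(fields):
    """Map a parsed packet to one bucket relative to the tunnel selectors."""
    proto = fields.get("PROTO", "")
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    if proto in ("ESP", "AH"):
        # Encrypted traffic: note the direction on the external interface.
        return "esp_in" if fields.get("IN") == EXT_IF else "esp_out"
    if fields.get("OUT") == EXT_IF and src in LEFT_SUBNET and dst in RIGHT_SUBNET:
        # Cleartext tunnel traffic heading out: normal in FORWARD on a 2.6
        # native-IPsec gateway, since encapsulation happens afterwards.
        return "plain_out_tunnel"
    if fields.get("IN") == EXT_IF and src in RIGHT_SUBNET and dst in LEFT_SUBNET:
        # Already-decapsulated inbound tunnel traffic being forwarded.
        return "plain_in_tunnel"
    return "other"


def triage(log_text):
    """Return (bucket counts, list of findings) for a chunk of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and "SRC" in fields and "DST" in fields:
            counts[classify(fields)] += 1
    findings = []
    if counts["esp_in"] and not counts["esp_out"]:
        findings.append(
            "ESP seen only inbound on %s: the gateway decrypts the peer's "
            "traffic but is never logged sending ESP itself" % EXT_IF)
    if counts["plain_out_tunnel"]:
        findings.append(
            "%d cleartext packet(s) matching the tunnel selector logged with "
            "OUT=%s; expected before encapsulation on 2.6 native IPsec, so "
            "confirm with a capture on the external interface"
            % (counts["plain_out_tunnel"], EXT_IF))
    return counts, findings


if __name__ == "__main__":
    counts, findings = triage(SAMPLE_LOG)
    for bucket, n in sorted(counts.items()):
        print("%-18s %d" % (bucket, n))
    for f in findings:
        print("finding:", f)
```

Run against the post's lines it reports two ESP packets inbound, none outbound, and two cleartext outbound packets for the tunnel selector. The check that settles whether those packets really leave in the clear is a capture on the external interface, for example `tcpdump -ni eth0 not esp and net 10.0.0.192/26`: any non-ESP packet to the remote subnet seen there is a genuine leak. A frequently cited cause of exactly this one-way pattern on 2.6 native IPsec is a masquerading or SNAT rule in the nat POSTROUTING chain rewriting the source address of traffic that should match the tunnel policy; the usual recommendation in the Openswan documentation is to exclude traffic between the two subnets from masquerading with an ACCEPT rule placed ahead of the MASQUERADE rule, which is worth checking in the SuSEfirewall configuration here.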
participants (1)
-
ONAY, Gabriel