Discussion:
[Openswan Users] IPsec SA established but packets are not encapsulated
Dennison Williams
2010-04-03 01:32:57 UTC
Permalink
Hello all,

I sent an email yesterday titled "openswan + xl2tpd + iptables issues"
where I incorrectly diagnosed the problem to be one of iptables. I now
believe that the problem lies with packets not being correctly
encapsulated between the two endpoints. I expect that packets should be
encapsulated to the openswan server from the client and that I should be
able to reach addresses on the LAN but this is not happening.

My network looks like follows:
client (192.168.1.23) --> gateway (192.168.1.1) -> INTERNET -> openswan
(24.21.203.123) -> LAN (10.66.6.0/24)


The connection seems to come all the way up correctly:
client# ipsec auto --up pptp-rw
104 "pptp-rw" #15: STATE_MAIN_I1: initiate
003 "pptp-rw" #15: received Vendor ID payload [Openswan (this version)
2.6.25 ]
003 "pptp-rw" #15: received Vendor ID payload [Dead Peer Detection]
003 "pptp-rw" #15: received Vendor ID payload [RFC 3947] method set to=109
106 "pptp-rw" #15: STATE_MAIN_I2: sent MI2, expecting MR2
003 "pptp-rw" #15: NAT-Traversal: Result using RFC 3947 (NAT-Traversal):
both are NATed
108 "pptp-rw" #15: STATE_MAIN_I3: sent MI3, expecting MR3
003 "pptp-rw" #15: discarding duplicate packet; already STATE_MAIN_I3
010 "pptp-rw" #15: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "pptp-rw" #15: received Vendor ID payload [CAN-IKEv2]
004 "pptp-rw" #15: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
117 "pptp-rw" #16: STATE_QUICK_I1: initiate
004 "pptp-rw" #16: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
mode {ESP=>0xb1f1203e <0x8f21f2e4 xfrm=AES_128-HMAC_SHA1 NATOA=none
NATD=24.21.203.123:4500 DPD=none}

No new routing rules are setup to the LAN:
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use
Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0
wlan0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0
wlan0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0
wlan0

And packets do not seem to get incapsulated when doing a ping test from
either end:
client# tcpdump -i wlan0 -n host 24.21.203.123 and not port 22
13:48:00.656164 IP 24.21.203.123.4500 > 192.168.1.23.4500:
isakmp-nat-keep-alive
13:48:05.005971 IP 192.168.1.23 > 24.21.203.123: ICMP echo request, id
42584, seq 1, length 64
13:48:05.133579 IP 24.21.203.123 > 192.168.1.23: ICMP echo reply, id
42584, seq 1, length 64

As you can see the nat-keep-alive is coming through, but there are no
ESP packets for the ping. Things look about the same as you might
expect on the server:

server# ipsec auto --status|grep estab
000 #47: "pptp-rw"[7] 75.93.49.165:4500 STATE_QUICK_R2 (IPsec SA
established); EVENT_SA_REPLACE in 3070s; newest IPSEC; eroute owner;
isakmp#46; idle; import:not set
000 #46: "pptp-rw"[7] 75.93.49.165:4500 STATE_MAIN_R3 (sent MR3, ISAKMP
SA established); EVENT_SA_EXPIRE in 3340s; newest ISAKMP;
lastdpd=-1s(seq in:0 out:0); idle; import:not set

Where as here we do see the route set up to the client:
server# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use
Iface
255.255.255.255 0.0.0.0 255.255.255.255 UH 0 0 0 eth2
10.66.6.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
24.21.200.0 0.0.0.0 255.255.248.0 U 0 0 0 eth1
0.0.0.0 24.21.200.1 0.0.0.0 UG 0 0 0 eth1

But still no esp encapsulated packets (since the client is NAT-T the
ping is initiated from the client):
server# tcpdump -i eth1 -n \(host 75.93.49.165 and not port 22\) or
\(host 192.168.1.23 and not port 22\)
13:55:22.888588 IP 24.21.203.123.4500 > 75.93.49.165.4500:
isakmp-nat-keep-alive
13:55:26.117191 IP 75.93.49.165 > 24.21.203.123: ICMP echo request, id
64345, seq 1, length 64
13:55:26.117253 IP 24.21.203.123 > 75.93.49.165: ICMP echo reply, id
64345, seq 1, length 64


In this test 75.93.49.165 is the public ip of the network the client is
on. We see the nat-keep-alive traffic, and we still see the clear text
icmp traffic.

I have been starring at this config issue for so long now, I am
guessing my problem is obvious but can't seem to find it, so any
feedback would be helpful at this point.

Sincerely,
Dennison Williams

ipsec --version: Linux Openswan U2.6.25/K2.6.26-2-486 (netkey)
compiled manually on both client and server

Server ipsec config:
version 2.0
config setup
interfaces=%defaultroute
nat_traversal=yes

virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.66.6.0/24
protostack=netkey

conn pptp-rw
leftcert=StorageCert.pem
leftrsasigkey=%cert
leftid=<x509_subject>
left=24.21.203.123 #%defaultroute is not working here for some reason
leftsourceip=10.66.6.1
leftsubnet=10.66.6.0/24
rightsubnet=vhost:%no,%priv
right=%any
auto=add
rightrsasigkey=%cert
rightid=<x509_subject>
authby=rsasig
pfs=no
rightca=%same
rekey=no

conn block
auto=ignore

conn private
auto=ignore

conn private-or-clear
auto=ignore

conn clear-or-private
auto=ignore

conn clear
auto=ignore

conn packetdefault
auto=ignore

Client ipsec config:
version 2.0
config setup
interfaces=%defaultroute
nat_traversal=yes
protostack=netkey

conn pptp-rw
left=192.168.1.23 #%defaultroute is not working here for some reason
leftrsasigkey=%cert
leftcert=<cert_file_name>
leftprotoport=17/1701
leftsourceip=192.168.1.23
right=24.21.203.123
rightid=<x509_subject>
rightsubnet=10.66.6.0/24
rightcert=StorageCert.pem
rightrsasigkey=%cert
rightca=%same
authby=rsasig
pfs=no
keyingtries=3
auto=add
rekey=yes
type=transport

conn block
auto=ignore

conn private
auto=ignore

conn private-or-clear
auto=ignore

conn clear-or-private
auto=ignore

conn clear
auto=ignore

conn packetdefault
auto=ignore
Dennison Williams
2010-04-13 01:52:32 UTC
Permalink
An update on this issue:

I have now tried openswan 2.6.25 and 2.6.24 with the same results. I
suppose it is absolutely possible that this is all the result of a lousy
router, I shouldn't get "IPsec SA Established" if there is a bad router.

My next guess is to look into how the route is setup afterwards. What
are the other common issues for "IPsec SA Established" succeeding but
the link between the two endpoints not being encrypted in a NAT-T setup?
Post by Dennison Williams
Hello all,
I sent an email yesterday titled "openswan + xl2tpd + iptables issues"
where I incorrectly diagnosed the problem to be one of iptables. I now
believe that the problem lies with packets not being correctly
encapsulated between the two endpoints. I expect that packets should be
encapsulated to the openswan server from the client and that I should be
able to reach addresses on the LAN but this is not happening.
client (192.168.1.23) --> gateway (192.168.1.1) -> INTERNET -> openswan
(24.21.203.123) -> LAN (10.66.6.0/24)
client# ipsec auto --up pptp-rw
104 "pptp-rw" #15: STATE_MAIN_I1: initiate
003 "pptp-rw" #15: received Vendor ID payload [Openswan (this version)
2.6.25 ]
003 "pptp-rw" #15: received Vendor ID payload [Dead Peer Detection]
003 "pptp-rw" #15: received Vendor ID payload [RFC 3947] method set to=109
106 "pptp-rw" #15: STATE_MAIN_I2: sent MI2, expecting MR2
both are NATed
108 "pptp-rw" #15: STATE_MAIN_I3: sent MI3, expecting MR3
003 "pptp-rw" #15: discarding duplicate packet; already STATE_MAIN_I3
010 "pptp-rw" #15: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "pptp-rw" #15: received Vendor ID payload [CAN-IKEv2]
004 "pptp-rw" #15: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
117 "pptp-rw" #16: STATE_QUICK_I1: initiate
004 "pptp-rw" #16: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
mode {ESP=>0xb1f1203e <0x8f21f2e4 xfrm=AES_128-HMAC_SHA1 NATOA=none
NATD=24.21.203.123:4500 DPD=none}
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use
Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0
wlan0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0
wlan0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0
wlan0
And packets do not seem to get incapsulated when doing a ping test from
client# tcpdump -i wlan0 -n host 24.21.203.123 and not port 22
isakmp-nat-keep-alive
13:48:05.005971 IP 192.168.1.23 > 24.21.203.123: ICMP echo request, id
42584, seq 1, length 64
13:48:05.133579 IP 24.21.203.123 > 192.168.1.23: ICMP echo reply, id
42584, seq 1, length 64
As you can see the nat-keep-alive is coming through, but there are no
ESP packets for the ping. Things look about the same as you might
server# ipsec auto --status|grep estab
000 #47: "pptp-rw"[7] 75.93.49.165:4500 STATE_QUICK_R2 (IPsec SA
established); EVENT_SA_REPLACE in 3070s; newest IPSEC; eroute owner;
isakmp#46; idle; import:not set
000 #46: "pptp-rw"[7] 75.93.49.165:4500 STATE_MAIN_R3 (sent MR3, ISAKMP
SA established); EVENT_SA_EXPIRE in 3340s; newest ISAKMP;
lastdpd=-1s(seq in:0 out:0); idle; import:not set
server# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use
Iface
255.255.255.255 0.0.0.0 255.255.255.255 UH 0 0 0 eth2
10.66.6.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
24.21.200.0 0.0.0.0 255.255.248.0 U 0 0 0 eth1
0.0.0.0 24.21.200.1 0.0.0.0 UG 0 0 0 eth1
But still no esp encapsulated packets (since the client is NAT-T the
server# tcpdump -i eth1 -n \(host 75.93.49.165 and not port 22\) or
\(host 192.168.1.23 and not port 22\)
isakmp-nat-keep-alive
13:55:26.117191 IP 75.93.49.165 > 24.21.203.123: ICMP echo request, id
64345, seq 1, length 64
13:55:26.117253 IP 24.21.203.123 > 75.93.49.165: ICMP echo reply, id
64345, seq 1, length 64
In this test 75.93.49.165 is the public ip of the network the client is
on. We see the nat-keep-alive traffic, and we still see the clear text
icmp traffic.
I have been starring at this config issue for so long now, I am
guessing my problem is obvious but can't seem to find it, so any
feedback would be helpful at this point.
Sincerely,
Dennison Williams
ipsec --version: Linux Openswan U2.6.25/K2.6.26-2-486 (netkey)
compiled manually on both client and server
version 2.0
config setup
interfaces=%defaultroute
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.66.6.0/24
protostack=netkey
conn pptp-rw
leftcert=StorageCert.pem
leftrsasigkey=%cert
leftid=<x509_subject>
left=24.21.203.123 #%defaultroute is not working here for some reason
leftsourceip=10.66.6.1
leftsubnet=10.66.6.0/24
rightsubnet=vhost:%no,%priv
right=%any
auto=add
rightrsasigkey=%cert
rightid=<x509_subject>
authby=rsasig
pfs=no
rightca=%same
rekey=no
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
version 2.0
config setup
interfaces=%defaultroute
nat_traversal=yes
protostack=netkey
conn pptp-rw
left=192.168.1.23 #%defaultroute is not working here for some reason
leftrsasigkey=%cert
leftcert=<cert_file_name>
leftprotoport=17/1701
leftsourceip=192.168.1.23
right=24.21.203.123
rightid=<x509_subject>
rightsubnet=10.66.6.0/24
rightcert=StorageCert.pem
rightrsasigkey=%cert
rightca=%same
authby=rsasig
pfs=no
keyingtries=3
auto=add
rekey=yes
type=transport
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
Loading...