[Swan] subnet behind libreswan host without ip in it
Christoph
mangel at gmx.de
Wed Mar 1 06:46:48 UTC 2017
Hi!
I have here a tunnel between libreswan 3.15 and a Cisco ASA (9.1). For the
network where the libreswan host has an IP inside it, it works well, but I
have a network 'behind' the libreswan host, and if I ping to it, the tunnel
doesn't go online.
works well:
  net 192.168.55.0/24 <--> 192.168.55.1 (libreswan host) $STATIC_INET_IP === $DYN_INET_IP (with dyndomain) (cisco asa behind router) 192.168.40.2/192.168.50.2 <--> net 192.168.50.0/24

doesn't work:
  net 10.0.0.0/8 <--> 192.168.55.1 (libreswan host with route to 10.0.0.0/8 over 192.168.55.1) === $DYN_INET_IP (with dyndomain) (cisco asa behind router) 192.168.40.2/192.168.50.2 <--> net 192.168.50.0/24
my config:
libreswan:
forwarding is on
ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.15 (netkey) on 3.10.0-514.6.1.el7.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
config setup
    protostack=netkey
    listen=$STATIC_INET_IP
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
    nat_traversal=yes

conn home
    ike=aes256-sha256;modp1024
    esp=aes256-sha1;modp1024
    initial_contact=yes
    aggrmode=yes
    authby=secret
    left=$STATIC_INET_IP
    leftid=$STATIC_INET_IP
    leftsourceip=192.168.55.1
    remote_peer_type=cisco
    right=$MY_DYNDNS_ON_CISCO_ASA
    rightid=192.168.40.2
    right=%any
    salifetime=24h
    ikelifetime=24h
    dpdaction=restart
    dpdtimeout=60
    dpddelay=30
    ikev2=insist
    disablearrivalcheck=no
    auto=start

conn chao5.int-bio
    also=home
    leftsubnet=10.0.0.0/8
    rightsubnet=192.168.50.0/24

conn chao5.int-behemoth
    also=home
    leftsubnet=192.168.55.0/24
    rightsubnet=192.168.50.0/24
cisco asa (only the crypto part):
interface Ethernet0/0
 nameif dmz-chao5
 security-level 50
 ip address 192.168.40.2 255.255.255.0
!
interface Ethernet0/1
 nameif chao5
 security-level 100
 ip address 192.168.50.2 255.255.255.0
!
access-list chao5.int-behemoth line 1 extended permit ip 192.168.50.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list chao5.int-work line 1 extended permit ip 192.168.50.0 255.255.255.0 10.0.0.0 255.0.0.0
!
crypto ipsec ikev2 ipsec-proposal ikev2-proposal
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map ikev2-map 10 match address chao5.int-behemoth
crypto map ikev2-map 10 set pfs
crypto map ikev2-map 10 set peer $STATIC_INET_IP_LIBRESWAN
crypto map ikev2-map 10 set ikev2 ipsec-proposal ikev2-proposal
crypto map ikev2-map 20 match address chao5.int-work
crypto map ikev2-map 20 set pfs
crypto map ikev2-map 20 set peer $STATIC_INET_IP_LIBRESWAN
crypto map ikev2-map 20 set ikev2 ipsec-proposal ikev2-proposal
crypto map ikev2-map interface dmz-chao5
crypto ca trustpool policy
crypto isakmp disconnect-notify
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 2
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable dmz-chao5
!
tunnel-group $STATIC_INET_IP_LIBRESWAN type ipsec-l2l
tunnel-group $STATIC_INET_IP_LIBRESWAN ipsec-attributes
 isakmp keepalive threshold 30 retry 5
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
What can the problem be?
--
----------
Greetz
Christoph
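A check a practitioner can run against the two sides of a setup like the one in this post, added here as an example and not code from the post, from libreswan or from Cisco: it parses the libreswan conn sections (following also=) and the ASA crypto ACLs, reports which local/remote subnet pairs both peers actually agree on as traffic selectors, and tells which conn a given source/destination pair would fall under (for instance a ping sourced from the host's own 192.168.55.1 address versus one sourced from inside 10.0.0.0/8). The excerpts are constructed from the post, and the mirroring assumption is that the ACL destination on the ASA is libreswan's local side.

```python
import ipaddress
import re
# Constructed excerpts modelled on the post: conn names and subnets are the post's, the rest is hypothetical.
IPSEC_CONF = """
conn home
    right=%any
conn chao5.int-bio
    also=home
    leftsubnet=10.0.0.0/8
    rightsubnet=192.168.50.0/24
conn chao5.int-behemoth
    also=home
    leftsubnet=192.168.55.0/24
    rightsubnet=192.168.50.0/24
"""
ASA_CONF = """
access-list chao5.int-behemoth line 1 extended permit ip 192.168.50.0 255.255.255.0 192.168.55.0 255.255.255.0
access-list chao5.int-work line 1 extended permit ip 192.168.50.0 255.255.255.0 10.0.0.0 255.0.0.0
"""
ACL_RE = re.compile(r"^access-list\s+\S+.*?\bpermit ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", re.M)
net = ipaddress.ip_network  # accepts both 10.0.0.0/8 and the ASA's 10.0.0.0/255.0.0.0 form

def parse_ipsec_conns(text):
    """Return {conn: {key: value}} with each also= section merged in."""
    raw, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            raw[cur] = {}
        elif cur and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            raw[cur][k] = v  # a key given twice keeps only the later value here
    def resolve(name):  # a section's own keys override those of its also= section
        own = dict(raw[name]); base = own.pop("also", None)
        return {**(resolve(base) if base else {}), **own}
    return {n: resolve(n) for n in raw}
def libreswan_selectors(conns):
    """(local, remote) subnet pairs libreswan would propose as traffic selectors."""
    return {(net(d["leftsubnet"]), net(d["rightsubnet"])) for d in conns.values() if "leftsubnet" in d and "rightsubnet" in d}
def asa_selectors(text):
    """Crypto-ACL pairs, mirrored so the ASA destination is libreswan's local side."""
    return {(net(f"{m[3]}/{m[4]}"), net(f"{m[1]}/{m[2]}")) for m in ACL_RE.finditer(text)}
def compare(ipsec_text, asa_text):
    l, a = libreswan_selectors(parse_ipsec_conns(ipsec_text)), asa_selectors(asa_text)
    return {"matched": l & a, "only_libreswan": l - a, "only_asa": a - l}
def matching_conn(conns, src, dst):
    """Name of the first conn whose subnets cover a packet src -> dst, or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((n for n, d in conns.items() if "leftsubnet" in d
                 and src in net(d["leftsubnet"]) and dst in net(d["rightsubnet"])), None)
```

Running compare(IPSEC_CONF, ASA_CONF) on the constructed excerpts shows both subnet pairs present on both sides, while matching_conn shows a packet sourced from 192.168.55.1 falls under chao5.int-behemoth and only a packet sourced from inside 10.0.0.0/8 falls under chao5.int-bio.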