IPSec - Strange routing problem

I am setting up an IPSec tunnel (ESP) between two networks. I can ping the private side of the routers, from the routers, however, I can't get anything else through. It's very strange. tcpdump shows traffic going in the correct direction, but nothing gets out to the internal network.

From a host, 192.168.1.5:

ping 10.1.1.252
<nothing>

tcpdump -i eth0 shows this:
 13:26:42.467836 IP 2.2.2.2 > 5.5.5.5: ESP(spi=0x07c8e29a,seq=0x321)
 13:26:42.467836 IP 2.2.2.2 > 10.1.1.252: icmp 64: echo request seq 1
 13:26:43.462994 IP 2.2.2.2 > 5.5.5.5: ESP(spi=0x07c8e29a,seq=0x322)
 13:26:43.462994 IP 2.2.2.2 > 10.1.1.252: icmp 64: echo request seq 2
 13:26:44.463060 IP 2.2.2.2 > 5.5.5.5: ESP(spi=0x07c8e29a,seq=0x323)
 13:26:44.463060 IP 2.2.2.2 > 10.1.1.252: icmp 64: echo request seq 3
 13:26:45.462688 IP 2.2.2.2 > 5.5.5.5: ESP(spi=0x07c8e29a,seq=0x324)
 13:26:45.462688 IP 2.2.2.2 > 10.1.1.252: icmp 64: echo request seq 4
 13:26:46.462774 IP 2.2.2.2 > 5.5.5.5: ESP(spi=0x07c8e29a,seq=0x325)
 13:26:46.462774 IP 2.2.2.2 > 10.1.1.252: icmp 64: echo request seq 5
 13:26:47.462730 IP 2.2.2.2 > 5.5.5.5: ESP(spi=0x07c8e29a,seq=0x326)
 13:26:47.462730 IP 2.2.2.2 > 10.1.1.252: icmp 64: echo request seq 6
 13:26:48.462167 IP 2.2.2.2 > 5.5.5.5: ESP(spi=0x07c8e29a,seq=0x327)
 13:26:48.462167 IP 2.2.2.2 > 10.1.1.252: icmp 64: echo request seq 7
 13:26:49.462236 IP 2.2.2.2 > 5.5.5.5: ESP(spi=0x07c8e29a,seq=0x328)
 13:26:49.462236 IP 2.2.2.2 > 10.1.1.252: icmp 64: echo request seq 8
 13:26:50.463452 IP 2.2.2.2 > 5.5.5.5: ESP(spi=0x07c8e29a,seq=0x329)
 13:26:50.463452 IP 2.2.2.2 > 10.1.1.252: icmp 64: echo request seq 9

tcpdump -i br0 shows this:
 <this space left intentionally blank>


Routera: [sub'd numbers]
name = bc_router (eth0:5.5.5.5)
private address: br0:10.1.1.0 (/24)

Routerb: [sub'd numbers]
name = port_router (eth0:2.2.2.2)
private address: br0:192.168.1.1 (/24)


racoon.conf:
 path include "/etc/racoon";
 path pre_shared_key "/etc/racoon/psk.txt";
 path certificate "/etc/racoon/certs";
 log debug;

 remote anonymous
 {
       exchange_mode main;
       lifetime time 24 hours;
       proposal {
               authentication_method pre_shared_key;
               encryption_algorithm 3des;
               hash_algorithm sha1;
               dh_group 2;
       }
 }

 sainfo anonymous
 {
       lifetime time 12 hours;
       encryption_algorithm 3des;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
 }

ipsec.conf: [setkey script]
 #!/usr/sbin/setkey -f
 flush;
 spdflush;

 ## [Begin local tunnel: 10.1.1.0/24 ] ############
 spdadd 2.2.2.2 10.1.1.0/24 any -P in ipsec
    esp/tunnel/2.2.2.2-5.5.5.5/require;
 spdadd 10.1.1.0/24 2.2.2.2 any -P out ipsec
    esp/tunnel/5.5.5.5-2.2.2.2/require;
 ## [End ] ############

 ## [Begin Remote tunnel: 192.168.1.0/24 ] ############
 spdadd 10.1.1.0/24 192.168.1.0/24 any -P out ipsec
    esp/tunnel/5.5.5.5-2.2.2.2/require;
 spdadd 192.168.1.0/24 10.1.1.0/24 any -P in ipsec
    esp/tunnel/2.2.2.2-5.5.5.5/require;

 spdadd 5.5.5.5 192.168.1.0/24 any -P out ipsec
    esp/tunnel/5.5.5.5-2.2.2.2/require;
 spdadd 192.168.1.0/24 5.5.5.5 any -P in ipsec
    esp/tunnel/2.2.2.2-5.5.5.5/require;
 ### [end net<->net tunnel] ########################

 #Hosts: [L]5.5.5.5 <-> [R]2.2.2.2
 spdadd 2.2.2.2 5.5.5.5 any -P out ipsec
    esp/transport/2.2.2.2-5.5.5.5/require;
 spdadd 5.5.5.5 2.2.2.2 any -P in ipsec
    esp/transport/5.5.5.5-2.2.2.2/require;
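As an added example (not part of the original post), a Python check that parses the spdadd lines from the setkey script above, verifies that each policy's SA endpoints agree with its -P direction when the script is loaded on bc_router (5.5.5.5, with 2.2.2.2 as the remote gateway; both are assumptions taken from the post), and reports which "in" policy, if any, covers a decapsulated packet. Run against the posted policies it flags the two host transport policies as reversed for that router, and shows that the inner packet seen on eth0 (source 2.2.2.2 rather than a 192.168.1.x host) is covered by the 2.2.2.2 -> 10.1.1.0/24 policy, not by the net-to-net one.

```python
import ipaddress
import re
# Constructed from the post's spdadd lines; assumes bc_router (5.5.5.5) loads them.
LOCAL_GW, REMOTE_GW = "5.5.5.5", "2.2.2.2"
SPD = """
spdadd 2.2.2.2 10.1.1.0/24 any -P in ipsec esp/tunnel/2.2.2.2-5.5.5.5/require;
spdadd 10.1.1.0/24 2.2.2.2 any -P out ipsec esp/tunnel/5.5.5.5-2.2.2.2/require;
spdadd 10.1.1.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/5.5.5.5-2.2.2.2/require;
spdadd 192.168.1.0/24 10.1.1.0/24 any -P in ipsec esp/tunnel/2.2.2.2-5.5.5.5/require;
spdadd 2.2.2.2 5.5.5.5 any -P out ipsec esp/transport/2.2.2.2-5.5.5.5/require;
spdadd 5.5.5.5 2.2.2.2 any -P in ipsec esp/transport/5.5.5.5-2.2.2.2/require;
"""
POLICY_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/(tunnel|transport)/([^-\s]+)-([^/\s]+)/require;")

def parse_spd(text):
    """Turn setkey 'spdadd' lines into policy dicts with parsed selectors."""
    policies = []
    for m in POLICY_RE.finditer(text):
        src, dst, direction, mode, ep_src, ep_dst = m.groups()
        policies.append({"src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
                         "dir": direction, "mode": mode, "ep_src": ep_src, "ep_dst": ep_dst})
    return policies

def check_directions(policies, local_gw, remote_gw):
    """Flag policies whose SA endpoints contradict their -P direction on this router:
    'out' must encapsulate local->remote, 'in' remote->local; others never match."""
    problems = []
    for p in policies:
        want = (local_gw, remote_gw) if p["dir"] == "out" else (remote_gw, local_gw)
        if (p["ep_src"], p["ep_dst"]) != want:
            problems.append(f"{p['dir']} policy {p['src']}->{p['dst']} uses endpoints "
                            f"{p['ep_src']}-{p['ep_dst']}, expected {want[0]}-{want[1]}")
    return problems

def match_inbound(policies, src, dst):
    """Selector of the first 'in' policy covering decapsulated src->dst, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p["dir"] == "in" and s in p["src"] and d in p["dst"]:
            return f"{p['src']}->{p['dst']}"
    return None

if __name__ == "__main__":
    pols = parse_spd(SPD)
    for problem in check_directions(pols, LOCAL_GW, REMOTE_GW):
        print("direction mismatch:", problem)
    for inner_src in ("2.2.2.2", "192.168.1.5"):
        print(inner_src, "> 10.1.1.252 matches:", match_inbound(pols, inner_src, "10.1.1.252"))
```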
