I am trying to set up an ipsec net-to-net VPN and am having problems. Here is a diagram of the setup:
LAN A --> Host A ----> Internet <---- Host B <-- LAN B
LAN A = 10.10.2.0/24
LAN A gateway = 10.10.2.254
Host A internal = 10.10.2.254
Host A external = xx.xx.xx.xx
Host B external (see below)
Host B internal = 10.10.1.10
LAN B = 10.10.1.0/24
LAN B gateway = 10.10.1.252 (F5 Big IP)
Host A is CentOS5 and is a router/firewall for LAN A. Host B is RHEL4 and does not have a public IP. It is behind an F5 BigIP and the BigIP forwards all traffic for yy.yy.yy.yy to Host B. Likewise it masks Host B's outbound traffic as yy.yy.yy.yy.
I can get this tunnel to come up but seem to be having problems on the Host A side. If I run 'tcpdump |grep -i esp' on Host A and ping a host on LAN A from a host on LAN B (whose routing table was adjusted to go through Host B for the 10.10.2.0 network), I see ESP traffic on Host A:
AH(spi=0x04c98137,seq=0x3): IP 10.10.1.10 > xx.xx.xx.xx: ESP(spi=0x07b6bcd3,seq=0x3), length 116 (ipip-proto-4)
If I ping a host on LAN B from a host on LAN A I don't see any ESP traffic on either Host A or Host B and the host doing the ping gets a 'Destination Host Unreachable'. It seems like a problem with the routing on Host A.
Here is the result of setkey -D on both hosts:
Host A:
xx.xx.xx.xx yy.yy.yy.yy
    esp mode=tunnel spi=169285624(0x0a1717f8) reqid=0(0x00000000)
    E: 3des-cbc ce370c79 68e74da7 79ba58b9 1605f149 f3e98e5b 9984da9b
    A: hmac-sha1 ea9dba47 cf6a4c04 7e949d4f a8f304f0 76e006c7
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Feb 16 12:46:01 2009 current: Feb 16 12:47:13 2009
    diff: 72(s) hard: 3600(s) soft: 2880(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=3 pid=5198 refcnt=0
xx.xx.xx.xx yy.yy.yy.yy
    ah mode=tunnel spi=173186772(0x0a529ed4) reqid=0(0x00000000)
    A: hmac-sha1 82aaec77 11dfb67c 7fbb7f7c 152c2764 4445ad8e
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Feb 16 12:46:01 2009 current: Feb 16 12:47:13 2009
    diff: 72(s) hard: 3600(s) soft: 2880(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=2 pid=5198 refcnt=0
yy.yy.yy.yy xx.xx.xx.xx
    esp mode=tunnel spi=166536016(0x09ed2350) reqid=0(0x00000000)
    E: 3des-cbc b63a5538 c6a2dd3b f449df6e c594cd16 644a59d4 cb45dfef
    A: hmac-sha1 5d8d015c f8e8e12f d117dc5b fc64d2ed f3ca79b5
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Feb 16 12:46:01 2009 current: Feb 16 12:47:13 2009
    diff: 72(s) hard: 3600(s) soft: 2880(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=1 pid=5198 refcnt=0
yy.yy.yy.yy xx.xx.xx.xx
    ah mode=tunnel spi=84103999(0x0503533f) reqid=0(0x00000000)
    A: hmac-sha1 022dbd45 248b1ffa 05d94068 22e3c530 5485a468
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Feb 16 12:46:01 2009 current: Feb 16 12:47:13 2009
    diff: 72(s) hard: 3600(s) soft: 2880(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=0 pid=5198 refcnt=0
Host B:
xx.xx.xx.xx 10.10.1.10
    esp mode=tunnel spi=169285624(0x0a1717f8) reqid=0(0x00000000)
    E: 3des-cbc ce370c79 68e74da7 79ba58b9 1605f149 f3e98e5b 9984da9b
    A: hmac-sha1 ea9dba47 cf6a4c04 7e949d4f a8f304f0 76e006c7
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Feb 16 12:45:57 2009 current: Feb 16 12:47:35 2009
    diff: 98(s) hard: 3600(s) soft: 2880(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=3 pid=15049 refcnt=0
xx.xx.xx.xx 10.10.1.10
    ah mode=tunnel spi=173186772(0x0a529ed4) reqid=0(0x00000000)
    A: hmac-sha1 82aaec77 11dfb67c 7fbb7f7c 152c2764 4445ad8e
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Feb 16 12:45:57 2009 current: Feb 16 12:47:35 2009
    diff: 98(s) hard: 3600(s) soft: 2880(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=2 pid=15049 refcnt=0
10.10.1.10 xx.xx.xx.xx
    esp mode=tunnel spi=166536016(0x09ed2350) reqid=0(0x00000000)
    E: 3des-cbc b63a5538 c6a2dd3b f449df6e c594cd16 644a59d4 cb45dfef
    A: hmac-sha1 5d8d015c f8e8e12f d117dc5b fc64d2ed f3ca79b5
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Feb 16 12:45:57 2009 current: Feb 16 12:47:35 2009
    diff: 98(s) hard: 3600(s) soft: 2880(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=1 pid=15049 refcnt=0
10.10.1.10 xx.xx.xx.xx
    ah mode=tunnel spi=84103999(0x0503533f) reqid=0(0x00000000)
    A: hmac-sha1 022dbd45 248b1ffa 05d94068 22e3c530 5485a468
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Feb 16 12:45:57 2009 current: Feb 16 12:47:35 2009
    diff: 98(s) hard: 3600(s) soft: 2880(s)
    last: hard: 0(s) soft: 0(s)
    current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 0 hard: 0 soft: 0
    sadb_seq=0 pid=15049 refcnt=0
Here are the ifcfg-ipsec files for each host.
Host A:
TYPE=IPSEC
ONBOOT=NO
IKE_METHOD=PSK
SRCGW=10.10.2.254
DSTGW=10.10.1.10
SRCNET=10.10.2.0/24
DSTNET=10.10.1.0/24
DST=yy.yy.yy.yy
Host B:
TYPE=IPSEC
ONBOOT=no
IKE_METHOD=PSK
SRCGW=10.10.1.10
DSTGW=10.10.2.254
SRCNET=10.10.1.0/24
DSTNET=10.10.2.0/24
DST=xx.xx.xx.xx
Here are the routes from each host.
Host A:
10.10.1.0 10.10.2.254 255.255.255.0 UG 0 0 0 eth1
Host B:
10.10.2.0 yy.yy.yy.yy 255.255.255.0 UG 0 0 0 bond0
Let me know if I should post the racoon.conf files.
Thanks,
Brad
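As an added example for this thread (not code from Brad's post), the script below parses two `setkey -D` dumps, pairs the SAs by protocol and SPI, and reports where the two hosts record different endpoint addresses for the same SA. The dumps it runs on are constructed from the addresses and SPIs quoted above (the xx.xx.xx.xx / yy.yy.yy.yy placeholders are kept as written); key material is replaced by a placeholder because the parser does not read it. The AH remark it prints is a protocol fact rather than something the post states: the AH integrity check value covers the outer IP source and destination addresses (RFC 4302), so any device that rewrites those addresses between the peers causes AH verification to fail at the receiver, whereas ESP leaves the outer header unauthenticated.

```python
"""Pair the SAs from two `setkey -D` dumps and report asymmetric views.

Added example for this thread; it is not code from the post. The two dumps
below are constructed from the endpoint addresses and SPIs quoted in the post
(the xx.xx.xx.xx / yy.yy.yy.yy placeholders are kept as written there); the
key material and lifetime lines are shortened because the parser ignores them.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# First line of each SA entry: "<src> <dst>" starting in column 0.
ADDR_LINE = re.compile(r"^(?P<src>\S+)\s+(?P<dst>\S+)\s*$")
# Second (indented) line: "<proto> mode=<mode> spi=<dec>(<hex>) reqid=...".
SA_LINE = re.compile(
    r"^\s+(?P<proto>esp|ah)\s+mode=(?P<mode>\S+)\s+spi=(?P<dec>\d+)\((?P<hex>0x[0-9a-f]+)\)"
)


@dataclass(frozen=True)
class SA:
    src: str
    dst: str
    proto: str
    mode: str
    spi: int


def parse_setkey_dump(text: str) -> list[SA]:
    """Return one SA per entry of a `setkey -D` dump, in dump order."""
    sas: list[SA] = []
    endpoints = None
    for line in text.splitlines():
        m = ADDR_LINE.match(line)
        if m:
            endpoints = (m["src"], m["dst"])
            continue
        m = SA_LINE.match(line)
        if m and endpoints is not None:
            if int(m["dec"]) != int(m["hex"], 16):
                raise ValueError(f"inconsistent SPI on line: {line!r}")
            sas.append(SA(*endpoints, m["proto"], m["mode"], int(m["dec"])))
            endpoints = None
    return sas


def compare_dumps(side_a: list[SA], side_b: list[SA]) -> list[str]:
    """Pair SAs across the two hosts by (protocol, SPI) and describe differences.

    An SA negotiated for the tunnel should appear with the same SPI on both
    peers. When the hosts record different endpoint addresses for the same SPI,
    something between them rewrites addresses. For AH that matters: the AH ICV
    covers the outer IP source and destination (RFC 4302), so a translated
    packet fails authentication at the receiver.
    """
    findings: list[str] = []
    index_a = {(sa.proto, sa.spi): sa for sa in side_a}
    index_b = {(sa.proto, sa.spi): sa for sa in side_b}
    for sa in side_a:
        peer = index_b.get((sa.proto, sa.spi))
        if peer is None:
            findings.append(f"{sa.proto} spi={sa.spi:#010x}: present on A only")
        elif (sa.src, sa.dst) != (peer.src, peer.dst):
            note = (f"{sa.proto} spi={sa.spi:#010x}: A sees {sa.src}->{sa.dst}, "
                    f"B sees {peer.src}->{peer.dst}")
            if sa.proto == "ah":
                note += " (AH ICV covers the outer header; translated addresses fail verification)"
            findings.append(note)
    for sa in side_b:
        if (sa.proto, sa.spi) not in index_a:
            findings.append(f"{sa.proto} spi={sa.spi:#010x}: present on B only")
    return findings


def _dump(entries: list[tuple[str, str, str, str]]) -> str:
    """Render constructed entries in the layout `setkey -D` prints (tabs become spaces)."""
    out = []
    for src, dst, proto, spi_hex in entries:
        out.append(f"{src} {dst}")
        out.append(f"    {proto} mode=tunnel spi={int(spi_hex, 16)}({spi_hex}) reqid=0(0x00000000)")
        if proto == "esp":
            out.append("    E: 3des-cbc <key omitted>")
        out.append("    A: hmac-sha1 <key omitted>")
        out.append("    seq=0x00000000 replay=4 flags=0x00000000 state=mature")
    return "\n".join(out) + "\n"


# Constructed from the post: Host A sees its peer as yy.yy.yy.yy, while Host B
# sees itself as 10.10.1.10 (the F5 rewrites that to yy.yy.yy.yy on the way out).
HOST_A_DUMP = _dump([
    ("xx.xx.xx.xx", "yy.yy.yy.yy", "esp", "0x0a1717f8"),
    ("xx.xx.xx.xx", "yy.yy.yy.yy", "ah", "0x0a529ed4"),
    ("yy.yy.yy.yy", "xx.xx.xx.xx", "esp", "0x09ed2350"),
    ("yy.yy.yy.yy", "xx.xx.xx.xx", "ah", "0x0503533f"),
])
HOST_B_DUMP = _dump([
    ("xx.xx.xx.xx", "10.10.1.10", "esp", "0x0a1717f8"),
    ("xx.xx.xx.xx", "10.10.1.10", "ah", "0x0a529ed4"),
    ("10.10.1.10", "xx.xx.xx.xx", "esp", "0x09ed2350"),
    ("10.10.1.10", "xx.xx.xx.xx", "ah", "0x0503533f"),
])


if __name__ == "__main__":
    for finding in compare_dumps(parse_setkey_dump(HOST_A_DUMP), parse_setkey_dump(HOST_B_DUMP)):
        print(finding)
```

Run against the two dumps from the post, all four SPIs pair up, but every pair shows different endpoints on the two sides, and the two AH pairs are flagged. To use it on live hosts, save the output of `setkey -D` from each peer to a file and pass the file contents to `parse_setkey_dump`; the parser only relies on the address line and the `mode=`/`spi=` line of each entry, so the real tab indentation is handled the same way as the spaces used here.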