[CentOS] ipsec net-to-net problem

Mon Feb 16 19:02:59 UTC 2009
brad at bradandkim.net <brad at bradandkim.net>

I am trying to set up an ipsec net-to-net VPN and am having problems. 
Here is a diagram of the setup:

LAN A --> Host A ---->  Internet   <---- Host B <-- LAN B

LAN A = 10.10.2.0/24
LAN A gateway = 10.10.2.254
Host A internal = 10.10.2.254
Host A external = xx.xx.xx.xx
Host B external (see below)
Host B internal = 10.10.1.10
LAN B = 10.10.1.0/24
LAN B gateway = 10.10.1.252 (F5 Big IP)

Host A is CentOS5 and is a router/firewall for LAN A.  Host B is RHEL4 and
does not have a public IP.  It is behind an F5 BigIP and the BigIP
forwards all traffic for yy.yy.yy.yy to Host B.  Likewise it masks Host
B's outbound traffic as yy.yy.yy.yy.

I can get this tunnel to come up but seem to be having problems on the
Host A side.  If I run 'tcpdump |grep -i esp' on Host A and ping a host on
LAN A from a host on LAN B (whose routing table was adjusted to go through
Host B for the 10.10.2.0 network), I see ESP traffic on Host A:

AH(spi=0x04c98137,seq=0x3): IP 10.10.1.10 > xx.xx.xx.xx:
ESP(spi=0x07b6bcd3,seq=0x3), length 116 (ipip-proto-4)

If I ping a host on LAN B from a host on LAN A I don't see any ESP traffic
on either Host A or Host B and the host doing the ping gets a 'Destination
Host Unreachable'.  It seems like a problem with the routing on Host A.

Here is the result of setkey -D on both hosts:

Host A:

xx.xx.xx.xx yy.yy.yy.yy
	esp mode=tunnel spi=169285624(0x0a1717f8) reqid=0(0x00000000)
	E: 3des-cbc  ce370c79 68e74da7 79ba58b9 1605f149 f3e98e5b 9984da9b
	A: hmac-sha1  ea9dba47 cf6a4c04 7e949d4f a8f304f0 76e006c7
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
	created: Feb 16 12:46:01 2009	current: Feb 16 12:47:13 2009
	diff: 72(s)	hard: 3600(s)	soft: 2880(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=3 pid=5198 refcnt=0
xx.xx.xx.xx yy.yy.yy.yy
	ah mode=tunnel spi=173186772(0x0a529ed4) reqid=0(0x00000000)
	A: hmac-sha1  82aaec77 11dfb67c 7fbb7f7c 152c2764 4445ad8e
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
	created: Feb 16 12:46:01 2009	current: Feb 16 12:47:13 2009
	diff: 72(s)	hard: 3600(s)	soft: 2880(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=2 pid=5198 refcnt=0
yy.yy.yy.yy xx.xx.xx.xx
	esp mode=tunnel spi=166536016(0x09ed2350) reqid=0(0x00000000)
	E: 3des-cbc  b63a5538 c6a2dd3b f449df6e c594cd16 644a59d4 cb45dfef
	A: hmac-sha1  5d8d015c f8e8e12f d117dc5b fc64d2ed f3ca79b5
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
	created: Feb 16 12:46:01 2009	current: Feb 16 12:47:13 2009
	diff: 72(s)	hard: 3600(s)	soft: 2880(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=1 pid=5198 refcnt=0
yy.yy.yy.yy xx.xx.xx.xx
	ah mode=tunnel spi=84103999(0x0503533f) reqid=0(0x00000000)
	A: hmac-sha1  022dbd45 248b1ffa 05d94068 22e3c530 5485a468
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
	created: Feb 16 12:46:01 2009	current: Feb 16 12:47:13 2009
	diff: 72(s)	hard: 3600(s)	soft: 2880(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=5198 refcnt=0

Host B:

xx.xx.xx.xx 10.10.1.10
        esp mode=tunnel spi=169285624(0x0a1717f8) reqid=0(0x00000000)
        E: 3des-cbc  ce370c79 68e74da7 79ba58b9 1605f149 f3e98e5b 9984da9b
        A: hmac-sha1  ea9dba47 cf6a4c04 7e949d4f a8f304f0 76e006c7
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Feb 16 12:45:57 2009   current: Feb 16 12:47:35 2009
        diff: 98(s)     hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=3 pid=15049 refcnt=0
xx.xx.xx.xx 10.10.1.10
        ah mode=tunnel spi=173186772(0x0a529ed4) reqid=0(0x00000000)
        A: hmac-sha1  82aaec77 11dfb67c 7fbb7f7c 152c2764 4445ad8e
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Feb 16 12:45:57 2009   current: Feb 16 12:47:35 2009
        diff: 98(s)     hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=2 pid=15049 refcnt=0
10.10.1.10 xx.xx.xx.xx
        esp mode=tunnel spi=166536016(0x09ed2350) reqid=0(0x00000000)
        E: 3des-cbc  b63a5538 c6a2dd3b f449df6e c594cd16 644a59d4 cb45dfef
        A: hmac-sha1  5d8d015c f8e8e12f d117dc5b fc64d2ed f3ca79b5
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Feb 16 12:45:57 2009   current: Feb 16 12:47:35 2009
        diff: 98(s)     hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=15049 refcnt=0
10.10.1.10 xx.xx.xx.xx
        ah mode=tunnel spi=84103999(0x0503533f) reqid=0(0x00000000)
        A: hmac-sha1  022dbd45 248b1ffa 05d94068 22e3c530 5485a468
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Feb 16 12:45:57 2009   current: Feb 16 12:47:35 2009
        diff: 98(s)     hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
	sadb_seq=0 pid=15049 refcnt=0

Here are the ifcfg-ipsec files for each host.

Host A:

TYPE=IPSEC
ONBOOT=NO
IKE_METHOD=PSK
SRCGW=10.10.2.254
DSTGW=10.10.1.10
SRCNET=10.10.2.0/24
DSTNET=10.10.1.0/24
DST=yy.yy.yy.yy

Host B:

TYPE=IPSEC
ONBOOT=no
IKE_METHOD=PSK
SRCGW=10.10.1.10
DSTGW=10.10.2.254
SRCNET=10.10.1.0/24
DSTNET=10.10.2.0/24
DST=xx.xx.xx.xx

Here are the routes from each host.

Host A:
10.10.1.0       10.10.2.254     255.255.255.0   UG    0      0        0 eth1

Host B:
10.10.2.0       yy.yy.yy.yy    255.255.255.0   UG    0      0        0 bond0

Let me know if I should post the racoon.conf files.

Thanks,

Brad
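As an added example (my own, not Brad's code): a small Python parser for the two `setkey -D` dumps quoted above that pairs the SAs on both hosts by SPI and reports what the dumps themselves show: the outer addresses of each SA differ between the peers (yy.yy.yy.yy on Host A versus 10.10.1.10 on Host B, which is the F5 translating), the AH SAs cannot work across such a translation because AH's integrity check covers the outer IP header, and every byte counter is still zero. The sample input is a trimmed copy of the dumps in the post, with the xx/yy placeholders kept as-is.

```python
import re
# Constructed sample, trimmed from the two setkey -D dumps in the post above.
HOST_A = """\
xx.xx.xx.xx yy.yy.yy.yy
    esp mode=tunnel spi=169285624(0x0a1717f8) reqid=0(0x00000000)
    current: 0(bytes)  hard: 0(bytes)  soft: 0(bytes)
xx.xx.xx.xx yy.yy.yy.yy
    ah mode=tunnel spi=173186772(0x0a529ed4) reqid=0(0x00000000)
    current: 0(bytes)  hard: 0(bytes)  soft: 0(bytes)
"""
HOST_B = """\
xx.xx.xx.xx 10.10.1.10
    esp mode=tunnel spi=169285624(0x0a1717f8) reqid=0(0x00000000)
    current: 0(bytes)  hard: 0(bytes)  soft: 0(bytes)
xx.xx.xx.xx 10.10.1.10
    ah mode=tunnel spi=173186772(0x0a529ed4) reqid=0(0x00000000)
    current: 0(bytes)  hard: 0(bytes)  soft: 0(bytes)
"""
SA_HDR = re.compile(r"^(\S+)\s+(\S+)$")  # unindented "src dst" line opens an SA
SA_PROTO = re.compile(r"^\s+(esp|ah)\s+mode=\w+\s+spi=\d+\((0x[0-9a-f]+)\)")
SA_BYTES = re.compile(r"^\s+current:\s+(\d+)\(bytes\)")

def parse_sad(text):
    """Return {spi: {src, dst, proto, bytes}} for one host's setkey -D output."""
    sas, cur = {}, None
    for line in text.splitlines():
        if m := SA_HDR.match(line):
            cur = {"src": m.group(1), "dst": m.group(2), "bytes": 0}
        elif (m := SA_PROTO.match(line)) and cur is not None:
            cur["proto"] = m.group(1)
            sas[m.group(2)] = cur
        elif (m := SA_BYTES.match(line)) and cur is not None:
            cur["bytes"] = int(m.group(1))
    return sas

def cross_check(sad_a, sad_b):
    """Pair the two SADs by SPI and return (spi, finding) tuples."""
    findings = []
    for spi, a in sad_a.items():
        b = sad_b.get(spi)
        if b is None:                        # peer never installed this SPI
            findings.append((spi, "missing-on-peer"))
            continue
        if (a["src"], a["dst"]) != (b["src"], b["dst"]):
            findings.append((spi, "outer-mismatch"))  # a NAT rewrites the outer header
            if a["proto"] == "ah":                    # AH's ICV covers those addresses
                findings.append((spi, "ah-under-nat"))
        if a["bytes"] == 0 and b["bytes"] == 0:
            findings.append((spi, "idle"))            # SA is up but nothing ever flowed
    return findings
```

Run it against the full dumps from both hosts (the parser ignores the key, lifetime and sadb_seq lines) to see which SPIs share a finding; an "outer-mismatch" on an AH SA is enough on its own to stop that SA from ever carrying traffic.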