ipsec-tools/racoon/ipsec routing problem

Bill Campbell linux-sxs at celestial.com
Fri Jul 18 12:37:30 PDT 2008


I have been trying to get ipsec connecting various CentOS 5.1
systems, and gotten things working -- almost with some help from
people on a CentOS mailing list.  The issue I have now is that it
appears that the tunnel between the systems is complete, and I
can ping and connect with ssh from one machine to the other, but
not the other way around.

The /etc/sysconfig/network-scripts/*-ipsec0 files on each
machine are essentially the same with the SRC and DST values
reversed and the DST set to point to the public interface of the
other machine.  The /etc/racoon files look reasonable, as does the
output of ``netstat -rn'' or ``ip route list'' with the route to
the remote LAN pointing to the IP of the private NIC in each.

Both machines have public IP addresses (no NAT), but the machine
that cannot ping or connect to the other is doing NAT for its
private network.

I have flushed all rules from iptables to be sure that traffic is
not being blocked.

It appears to be a routing problem on the machine that cannot
connect as ping or ssh attempts from it to the other system
result in ``No route to host'' or ``Network not available'', even
when I have an ipsec connection from the remote end to that
machine.

I have compared ``lsmod'' output from the systems, and the only
thing that looks suspicious are these modules which are found on
the system that cannot get out to its remote partner.  NAT is not
active while testing in at least one case, having been turned off
when flushing the normal iptables rules we use.  This suggests to
me that some specific iptables rules may be necessary to get the
outbound routing correct.

	ip_conntrack
	ip_nat
	ipt_MASQUERADE
	ipt_REDIRECT
	iptable_mangle
	iptable_nat

FWIW, I did one test after making a connection to a machine where
I ran ``ifdown ipsec0'' on the machine to which the connections
worked, and could still ping it from the remote even though the
route had been dropped.  An active ssh connection stopped working
when the route went down, but worked again after ``ifup ipsec0''
on the remote.

Can anybody on this august list shed some light on this?

Bill
-- 
INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186

It is our duty still to endeavor to avoid war; but if it shall actually
take place, no matter by whom brought on, we must defend ourselves. If our
house be on fire, without inquiring whether it was fired from within or
without, we must try to extinguish it.
    -- Thomas Jefferson to James Lewis, Jr., 1798.

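An added example, not part of Bill's post and not claiming to be the cause of his symptoms, for the point raised above about iptables rules on a NAT gateway that also terminates an IPsec tunnel. On a 2.6 kernel with the native (netkey) IPsec stack, the nat-table POSTROUTING hook runs before the kernel looks up the security policy for the outgoing packet and encapsulates it, so a plain MASQUERADE rule rewrites the source of LAN-to-remote-LAN packets to the public address; they then no longer match a LAN-to-LAN SPD entry and never enter the tunnel. The usual remedy is an ACCEPT rule in nat/POSTROUTING for the tunnelled traffic, placed before the MASQUERADE. The script below checks an iptables-save dump for that ordering and prints a corrected nat table; the LAN addresses, the interface name and the sample dump are constructed for illustration and are not from the post.

```shell
#!/bin/sh
# Added example (not from the original post): verify that an iptables-save
# dump excludes IPsec-tunnelled LAN-to-LAN traffic from MASQUERADE *before*
# the MASQUERADE rule.  NAT in POSTROUTING is applied before the packet is
# matched against the SPD and encapsulated, so the order of these two rules
# decides whether the traffic goes through the tunnel at all.
# All addresses and interface names here are assumptions for illustration.

LOCAL_LAN="192.168.1.0/24"    # assumed private LAN behind this gateway
REMOTE_LAN="192.168.2.0/24"   # assumed private LAN behind the remote gateway
PUBLIC_IF="eth0"              # assumed public interface

# Constructed dump (not a real system's): MASQUERADE comes first, so the
# exclusion rule after it never sees the LAN-to-LAN packets.
SAMPLE_BAD='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# fixed_nat_rules LOCAL_LAN REMOTE_LAN PUBLIC_IF
# Print a nat table in iptables-restore format with the tunnel exclusion
# ahead of the MASQUERADE.
fixed_nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $1 -d $2 -j ACCEPT
-A POSTROUTING -s $1 -o $3 -j MASQUERADE
COMMIT
EOF
}

# nat_order_ok DUMP REMOTE_LAN
# Prints "ok" when a POSTROUTING ACCEPT rule for REMOTE_LAN precedes every
# MASQUERADE rule in the nat table, "bad" otherwise.  Only the *nat section
# of the dump is examined; index() is used so the prefix and slash in the
# network are matched literally rather than as a regex.
nat_order_ok() {
    printf '%s\n' "$1" | awk -v lan="$2" '
        /^\*nat/  { innat = 1 }
        /^COMMIT/ { innat = 0 }
        innat && /^-A POSTROUTING/ {
            if (index($0, "-j MASQUERADE") > 0)
                masq = 1
            else if (index($0, "-d " lan) > 0 && index($0, "-j ACCEPT") > 0 && !masq)
                ok = 1
        }
        END { print (ok ? "ok" : "bad") }'
}

# Stand-alone run: report on the constructed dump and show the corrected table.
if [ "$(nat_order_ok "$SAMPLE_BAD" "$REMOTE_LAN")" = bad ]; then
    echo "sample dump: $LOCAL_LAN -> $REMOTE_LAN is masqueraded before the SPD sees it"
    echo "corrected nat table:"
    fixed_nat_rules "$LOCAL_LAN" "$REMOTE_LAN" "$PUBLIC_IF"
fi
```

On a live gateway the dump would come from ``iptables-save'' rather than the constructed string, and the selectors to exclude are the ones shown by ``setkey -DP'' (or ``ip xfrm policy''); if the SPD's source/destination pair is the private LAN pair, that is exactly the pair the ACCEPT rule must name. This is separate from a routing failure reported by the gateway itself, which ``ip route get <remote address>'' will show directly.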