[SOLVED] Routing for a VPN Gateway Setup

salukibob · 12-17-2010, 10:10 AM

Hello,

I've been trying to setup an IPSec connection between two routers, but am having trouble with the actual packet routing.

My setup currently is two local networks (192.168.1.0/24[netLANA] and 192.168.0.0/24[netLANB]) that are connected to their own routers (192.168.1.1 and 192.168.0.1 respectively). The routers are both connected to the 194.26.1.0/24[netWAN] network. I wish to setup an IPSec connection between the two routers, to act in tunnel mode between the two local networks.

The first router is a linux box (on the netLANA network) that I am setting up using the ipsec-tools, and the other is a Netgear ProSafe FVS318G (on the netLANB). I've set them both up to have the same configuration for IPSec. Also, on the linux router I have setup a route like this:

Code:

$ route add -net 192.168.1.0/24 wlan0

So that all traffic destined for the netLANB network will be routed to the wlan0 interface (netWAN in this case, and therefore over the tunnel).

My problem is that if I ping from any host on netLANA, I can see the ICMP reply comes back to the linux router, but it doesn't get back to the original host.

From the linux router, here is the tcpdump of the ping:

Code:

$ tcpdump -n -S -i any
17:06:26.308353 IP 192.168.0.5 > 192.168.1.4: ICMP echo request, id 1036, seq 1, length 64
17:06:26.308780 IP 194.16.1.6 > 194.16.1.5: ESP(spi=0x0ea08914,seq=0x2f), length 116
17:06:26.316287 IP 194.16.1.5 > 194.16.1.6: ESP(spi=0x0be1036c,seq=0x2f), length 116
17:06:26.316287 IP 192.168.1.4 > 192.168.0.5: ICMP echo reply, id 1036, seq 1, length 64

So it looks like the vpn tunnel is working properly, just not my routing. Here is my routing table:

Code:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
194.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 wlan0
0.0.0.0         194.16.1.1      0.0.0.0         UG    0      0        0 wlan0

On the linux router, the interfaces are setup as:
eth0 = 192.168.1.1 (netLANA)
wlan0 = 194.16.1.6 (netWAN)

Can anyone suggest what route entry I need to add to make this all work smoothly?

Thanks for any help with this,
Regards
Rob Smith

nini09 · 12-17-2010, 03:08 PM

You can monitor eth0 interface only to check whether ping reply send out on eth0 interface and check destination MAC address.

salukibob · 12-20-2010, 05:02 AM

Thanks very much for your reply. Thankfully, I have finally found the problem, and of course, it was a simple typo.

I had setup my policies for setkey as:

Code:

spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/194.16.1.6-194.16.1.5/require;
spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec esp/tunnel/194.16.1.5-194.16.1.6/require;

An eagle eyed person will notice that the second line should by '-P in' instead of '-P out'. Therein was my mistake. It needed fresh weekend-rested eyes to spot that one!

Cheers
Rob