racoon Road Warrior VPN Client - Tunnel Established but no ping

Server Fault Asked by hazaki on December 21, 2020

I’m trying to configure a road warrior VPN client on a Linux distribution.

Here is my configuration:

Client VPN LINUX – 1.1.1.1 – INTERNET – 2.2.2.2 – FireWall – 10.0.0.0/8

I wish to create a tunnel between the remote network 10.0.0.0/8 and the VPN client, which will have the address 172.16.0.3.

I already configured this with TheGreenBow and it worked well, so the problem I’m having is from my client configuration and not my firewall.

To make this configuration on Linux I will use racoon.

I changed the file /etc/racoon/racoon.conf:

log notify;
path certificate "/etc/racoon/certs";

remote 2.2.2.2 {
    exchange_mode main;

    ca_type x509 "cacert.pem";
    certificate_type x509 "cert.pem" "priv.key";

    my_identifier asn1dn;
    peers_identifier asn1dn;

    doi ipsec_doi;

    verify_cert on;
    ike_frag on;

    proposal_check obey;

    mode_cfg off;
    nat_traversal on;
    lifetime time 21600 sec;

    proposal {
        encryption_algorithm aes256;
        hash_algorithm sha2_256;
        authentication_method rsasig;
        dh_group 5;
    }
    generate_policy off;
}

sainfo anonymous {
    lifetime time 3600 sec;
    pfs_group 2;
    encryption_algorithm aes256;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}

I changed /etc/ipsec-tools.conf:

spdadd 172.16.0.3/32[any] 10.0.0.0/8[any] any -P out ipsec
    esp/tunnel/1.1.1.1-2.2.2.2/require;

spdadd 10.0.0.0/8[any] 172.16.0.3/32[any] any -P in ipsec
    esp/tunnel/2.2.2.2-1.1.1.1/require;

Next, I configured a virtual interface to redirect the whole flow going to the remote network:

ip link add link eth1 name vlan0 type vlan id 1
ip addr add 172.16.0.3/24 brd 172.16.0.255 dev vlan0
route add -net 10.0.0.0/8 gw 172.16.0.3 dev vlan0

Here is what I got when I do “ifconfig”:

eth1      Link encap:Ethernet  HWaddr 0c:54:a5:3a:4a:30  
      inet adr:1.1.1.1  Bcast:1.1.1.255  Masque:255.255.255.0
      adr inet6: fe80::e54:a5ff:fe3a:4a30/64 Scope:Lien
      UP BROADCAST RUNNING MULTICAST  MTU:1300  Metric:1
      Packets reçus:20775 erreurs:0 :0 overruns:0 frame:0
      TX packets:17957 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 lg file transmission:1000 
      Octets reçus:15271974 (15.2 MB) Octets transmis:2688417 (2.6 MB)
      Interruption:17 Mémoire:f7d00000-f7d20000 

lo        Link encap:Boucle locale  
      inet adr:127.0.0.1  Masque:255.0.0.0
      adr inet6: ::1/128 Scope:Hôte
      UP LOOPBACK RUNNING  MTU:65536  Metric:1
      Packets reçus:611 erreurs:0 :0 overruns:0 frame:0
      TX packets:611 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 lg file transmission:0 
      Octets reçus:71525 (71.5 KB) Octets transmis:71525 (71.5 KB)

vlan0     Link encap:Ethernet  HWaddr 0c:54:a5:3a:4a:30  
      inet adr:172.16.0.3  Bcast:172.16.0.255  Masque:255.255.255.0
      adr inet6: fe80::e54:a5ff:fe3a:4a30/64 Scope:Lien
      UP BROADCAST RUNNING MULTICAST  MTU:1300  Metric:1
      Packets reçus:0 erreurs:0 :0 overruns:0 frame:0
      TX packets:142 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 lg file transmission:0 
      Octets reçus:0 (0.0 B) Octets transmis:24137 (24.1 KB)

Here is what I got with “route”:

Table de routage IP du noyau
Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
default         1.1.1.1         0.0.0.0         UG    0      0        0 eth1
10.0.0.0        172.16.0.3      255.0.0.0       UG    0      0        0 vlan0
172.16.0.0      *               255.255.255.0   U     0      0        0 vlan0
1.1.1.1         *               255.255.255.0   U     1      0        0 eth1

The firewall tells me that the tunnel is well open (Phase 2 established).

However I can’t ping the remote network (but it worked on windows).

When I watch what’s happening on the firewall, I see that the ESP packets arrive at the external interface but they are not forwarded to the internal interface (which is done with the Windows VPN).

Do you have any idea why I have this problem?

One Answer

Instead of:

route add -net 10.0.0.0/8 gw 172.16.0.3 dev vlan0

try:

ip route add to 10.0.0.0/8 via 172.16.0.3 dev vlan0 src 172.16.0.3

Answered by Mattie on December 21, 2020
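Why the source address matters here, as an added illustration that is not part of the question or the answer: the kernel checks every outgoing packet against the SPD selectors from ipsec-tools.conf, and a packet to 10.0.0.0/8 that the kernel sources from eth1’s 1.1.1.1 instead of 172.16.0.3 matches neither `require` policy, so it leaves in the clear instead of through the ESP tunnel. The hypothetical Python helper below parses the two spdadd lines from the question (copied here as constructed input; selector matching is simplified to addresses only, ignoring ports and protocol) and reports which policy a given packet would hit.

```python
import ipaddress
import re

# Constructed copy of the two spdadd policies from the question's /etc/ipsec-tools.conf.
SPD_TEXT = """
spdadd 172.16.0.3/32[any] 10.0.0.0/8[any] any -P out ipsec
    esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 10.0.0.0/8[any] 172.16.0.3/32[any] any -P in ipsec
    esp/tunnel/2.2.2.2-1.1.1.1/require;
"""

# spdadd <src>/<len>[port] <dst>/<len>[port] <proto> -P <dir> ipsec esp/tunnel/<a>-<b>/<level>;
SPD_RE = re.compile(
    r"spdadd\s+(\S+?)\[\w+\]\s+(\S+?)\[\w+\]\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([\d.]+)-([\d.]+)/(\w+)\s*;", re.S)


def parse_spd(text):
    """Return the policies in the order setkey would install them."""
    policies = []
    for m in SPD_RE.finditer(text):
        src, dst, direction, tun_src, tun_dst, level = m.groups()
        policies.append({
            "src": ipaddress.ip_network(src, strict=False),
            "dst": ipaddress.ip_network(dst, strict=False),
            "dir": direction,
            "tunnel": (tun_src, tun_dst),
            "level": level,
        })
    return policies


def lookup(policies, src_ip, dst_ip, direction):
    """First policy whose selectors cover the packet, or None if no policy applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p["dir"] == direction and s in p["src"] and d in p["dst"]:
            return p
    return None


def describe(policies, src_ip, dst_ip, direction="out"):
    """Human-readable verdict: which tunnel the packet takes, or that it goes unprotected."""
    p = lookup(policies, src_ip, dst_ip, direction)
    if p is None:
        return "no policy: packet leaves unprotected"
    return f"{p['level']} esp tunnel {p['tunnel'][0]}->{p['tunnel'][1]}"


if __name__ == "__main__":
    spd = parse_spd(SPD_TEXT)
    # A source picked from eth1 (1.1.1.1) misses the selector; 172.16.0.3 matches.
    print(describe(spd, "1.1.1.1", "10.0.0.1"))
    print(describe(spd, "172.16.0.3", "10.0.0.1"))
```

The same check applies to the inbound direction: a reply from 10.0.0.0/8 only hits the `in` policy if it is addressed to 172.16.0.3, which is why the inner address must be the one the client actually uses.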
