williamjnelson

asked on

Linux IPSEC with multiple networks on each connection

I have an IPSEC connection between two locations crossing over the internet.   I can ping the networks on each side and also get replies from both sides.

NETWORK A  192.168.88.0/24
NETWORK B  192.168.77.0/24

Network B also connects to other networks such as 192.168.66.0/24, 192.168.70.0/24

I would like to connect to these other networks from NETWORK A over the IPSEC connection, however I'm having trouble getting this to work.

Does anyone have a solution that would help me here?
Blaz

First thing to do is to make sure that routing of the packets is correct.

In the simplest form this means that the router of network A knows that packets to network C (192.168.66.0/24) should go to router of network B (through the tunnel). And reverse - router of network C should know that packets to network A should go to router of network B.

If you only have control of network A and B there is also an alternative - instead of routing to network A on router of network C you could also do SNAT on router of network B.
williamjnelson (ASKER)

I have control of both networks.

I'm wondering if IPTABLES could be the problem but this is what I have done so far

route add -net 192.168.66.0 netmask 255.255.255.0 gw 192.168.88.1  on NETWORK A
route add -net 192.168.88.0 netmask 255.255.255.0 gw 192.168.77.2  on NETWORK B
route add -net 192.168.66.0 netmask 255.255.255.0 gw 192.168.77.2  on NETWORK C

Well yes - the second thing to make sure is that no firewalls cause blocking of packets.

What is your network topology? Which machine on each network is the default gw for that network? Which machine in each network has the IPSEC tunnel to other networks? And on which machine were the routing rules you posted added?

I'm asking all this because the routing rules you posted seem suspicious.

LINUX ROUTER NETWORK A

IP = 192.168.88.1
SUBNET = 255.255.255.0

ROUTES ADDED
route add -net 192.168.66.0 netmask 255.255.255.0 gw 192.168.88.1
route add -net 192.168.77.0 netmask 255.255.255.0 gw 192.168.88.1
route add -net 192.168.66.0 netmask 255.255.255.0 gw 192.168.88.1
route add -net 192.168.70.0 netmask 255.255.254.0 gw 192.168.88.1

LINUX ROUTER NETWORK B

IP = 192.168.77.2
SUBNET = 255.255.255.0

ROUTES ADDED
route add -net 192.168.88.0 netmask 255.255.255.0 gw 192.168.77.2
route add -net 192.168.66.0 netmask 255.255.255.0 gw 192.168.77.50
route add -net 192.168.70.0 netmask 255.255.254.0 gw 192.168.77.50
route add -net 192.168.44.0 netmask 255.255.255.0 gw 192.168.77.1


I assume you don't need the router configuration for 77.50; it's a Cisco router and all other routes are working fine. I'm trying to migrate to Linux. This is my first attempt and so far I can only get the Linux system to connect the two local networks and not other networks.

OK. A few questions:
Why do you have a double rule: route add -net 192.168.66.0 netmask 255.255.255.0 gw 192.168.88.1

What are the default gateways on each network (and on each router)?

How are networks B and C connected - is Cisco router 77.50 directly connected to network C?

The problem could well be in this Cisco router, so you should also post that routing table.


For example you wrote:
route add -net 192.168.66.0 netmask 255.255.255.0 gw 192.168.77.2  on NETWORK C
was this added on this Cisco router?

It should probably read (note the network address):
route add -net 192.168.88.0 netmask 255.255.255.0 gw 192.168.77.2  on NETWORK C

The IP addresses below under IP= are the default gateways for the private LANs since the boxes are the routers. I'm not sure if that's what you were asking for or not. My friend owns an ISP and I have a rack in his data center. Some family members are connected to a private VLAN through DSL service through him. In other words, the DSL connections are not connected to the Internet at all; they are connected to a switch in my rack. Up until now, I have been running everything under Windows. Some of the family members cannot get DSL so they have cable, and we have created L2TP connections using ISA/2004 between these locations. Everything is working with the Windows IPSEC connections. I have migrated 1 cable modem family member over to the new Linux router running with a static IP; let's say the static IP is 10.0.0.182 and this would be the public interface on NETWORK B, and the private is 192.168.77.2, which is also the default gateway on the private side. At the cable-modem site (HOME) I have another Linux box; let's say its IP address is 172.10.1.32 and this is the public interface on NETWORK A, and the private is 192.168.88.1, which is also the default gateway on the private network at the house.

I have created in network-scripts ifcfg-ipsec0 and put the following information in the file on NETWORK A

TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
SRCGW=192.168.88.1
DSTGW=192.168.77.2
SRCNET=192.168.88.0/24
DSTNET=192.168.77.0/24
DST=10.0.0.182

I also created keys-ipsec0 and put the following

IKE_PSK=12345678

I did the same on the network B

TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
SRCGW=192.168.77.2
DSTGW=192.168.88.1
SRCNET=192.168.77.0/24
DSTNET=192.168.88.0/24
DST=172.10.1.32

I also created keys-ipsec0 and put the following

IKE_PSK=12345678

After all this I ran service network restart and boom, the network restarts, the two networks are connected and I can ping between the both of them no problem. The problem comes when I try and ping from NETWORK B to say NETWORK C. NETWORK B & C are working perfectly. NETWORK C sends ALL traffic to NETWORK B by default, so in reality there are no ROUTES ADDED as the only route configuration is to route ALL traffic to NETWORK B, and again it's working with the Windows systems. I am not sure if it's an IPTABLES connection or something else. I was trying to avoid using openswan and trying to do this with the tools already provided with the OS. The duplicate route I think you noticed comes from the fact that NETWORK A & NETWORK B both have an entry for 192.168.66.0; this is because NETWORK B will route all traffic out on the cable modem if it's not configured to go to the tunnel. I was wondering if I needed to add another entry in this line DSTNET=192.168.88.0/24 located in the ifcfg-ipsec0, however I am not sure how to go about this.

Thanks for the help!

IPSec needs its own connection configuration for each network pair on both ends
means that you have to make 3 connection configurations on each side

To clarify then, I would need to have 3 ipsec connections ipsec0 ipsec1 ipsec2 connecting to the same public ip addresses on each end? Would you be able to provide any example?

Thanks in advance!

don't know how you use IPSec, with Free/SWAN StrongSwan or OpenSwan it is the conn directive in ipsec.conf

I was trying to avoid using the software that does it for you.

I have created 1 file in /etc/sysconfig/network-scripts/ifcfg-ipsec0

which I placed the data recorded above into this file.

I then created a /etc/sysconfig/network-scripts/keys-ipsec0

which I put the PSK key # in.

I then typed service network restart, which shuts down and restarts networking including the ifcfg-ipsec0 file I created. If I type ifup ifcfg-ipsec0, the file exists and the connection is established. /etc/racoon/ has a conf file with my destination public ip and everything is working great.


My problem is trying to figure out a way to connect from NETWORK A to NETWORK C through NETWORK B in Linux.

Would the traffic pass through the tunnel for Network C if I add a route properly and then arrive at its destination? I would assume so I think I just need to figure out how to add this correctly.    

Again I'm trying to avoid using the software that does the work for you and is very forgiving.  I'd like to figure out how to avoid using this and I know there has to be a way.   Besides Free/SWAN, StrongSwan, or OpenSwan is doing it for us so how does it do it?

As always, Thanks in advance!

-Will

ok, then you have to use ipsec
  ipsec auto add networkA
  ipsec auto add networkB
  ipsec manual --up networkA
  ipsec manual --up networkB
  ipsec eroute --add -src ... -dst ...

(where the connection settings for networkA and networkB are defined in ipsec.conf)

I just searched for ipsec.conf on both systems and was unable to locate them. The only related file that I'm aware of is the ifcfg-ipsec0 file I created, which currently contains the following information. Would I need to modify this file and if so how?

TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
SRCGW=192.168.88.1
DSTGW=192.168.77.2
SRCNET=192.168.88.0/24
DSTNET=192.168.77.0/24
DST=10.0.0.182

I'm not exactly sure which part of these steps fixed it or if all was required, but this is what I finally did and now it's working with one /etc/sysconfig/network-scripts/ifcfg-ipsec0 file on each side

LINUX ROUTER NETWORK A

IP = 192.168.88.1
SUBNET = 255.255.255.0

/etc/sysconfig/network-scripts/ifcfg-ipsec0 contains the following entries

TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
SRCGW=192.168.88.1
DSTGW=192.168.77.2
SRCNET=192.168.88.0/24
DSTNET=192.168.44.0/24
DSTNET=192.168.66.0/24
DSTNET=192.168.70.0/24
DSTNET=192.168.77.0/24
DST=10.0.0.182
ip route add 192.168.44.0/24 via 192.168.88.1 dev eth1 src 192.168.88.1
ip route add 192.168.66.0/24 via 192.168.88.1 dev eth1 src 192.168.88.1
ip route add 192.168.70.0/24 via 192.168.88.1 dev eth1 src 192.168.88.1
ip route add 192.168.77.0/24 via 192.168.88.1 dev eth1 src 192.168.88.1

LINUX ROUTER NETWORK B

IP = 192.168.77.2
SUBNET = 255.255.255.0

/etc/sysconfig/network-scripts/ifcfg-ipsec0 contains the following entries

TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
SRCGW=192.168.77.2
DSTGW=192.168.88.1
SRCNET=192.168.44.0/24
SRCNET=192.168.66.0/24
SRCNET=192.168.70.0/24
SRCNET=192.168.77.0/24
DSTNET=192.168.88.0/24
DST=172.10.1.32

This configuration above allowed me to create a single /etc/sysconfig/network-scripts/ifcfg-ipsec0 config file on each connection using native ipsec built into Linux and not the FreeSWAN or OPENSWAN software. I can not see all the networks connected to NETWORK B from NETWORK A and vice versa from the networks on B. I did try creating ifcfg-ipsec0, ifcfg-ipsec1, etc. and this did work, however I didn't like this method. I wanted to group them all into a single config file.

PROBLEM SOLVED!!! Yipee!  Now I need to start on SAMBA my next project.
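The point made twice in this thread, that the tunnel needs a policy for every local/remote network pair and that traffic outside those selectors never enters the tunnel, as an added example (not code from the thread or from any of its participants): it builds the KAME/setkey `spdadd` policies that the native Linux IPsec stack (the setkey/racoon tools the asker is using) needs for one tunnel, then checks which flows they cover. It uses the thread's addresses; 192.168.50.0/24 is a constructed network used only to show a gap.

```python
# Added example, not code from the thread: builds KAME/setkey "spdadd" policies
# for every local/remote network pair of one tunnel and checks which flows
# they cover. Addresses are the ones used in the thread; 192.168.50.0/24 is a
# constructed network that is deliberately left out of the policies.
import ipaddress
from itertools import product


def spd_entries(local_nets, remote_nets, local_gw, remote_gw):
    """One 'out' and one 'in' policy per (local, remote) pair, setkey syntax."""
    lines = []
    for lnet, rnet in product(local_nets, remote_nets):
        lines.append(f"spdadd {lnet} {rnet} any -P out ipsec "
                     f"esp/tunnel/{local_gw}-{remote_gw}/require;")
        lines.append(f"spdadd {rnet} {lnet} any -P in ipsec "
                     f"esp/tunnel/{remote_gw}-{local_gw}/require;")
    return lines


def covered(entries, src_ip, dst_ip):
    """True if an 'out' policy's selectors match the flow src_ip -> dst_ip."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in entries:
        p = line.split()  # spdadd SRC DST any -P DIR ipsec ...
        if p[5] == "out" and src in ipaddress.ip_network(p[1]) \
                and dst in ipaddress.ip_network(p[2]):
            return True
    return False


def uncovered_remote_nets(entries, local_net, wanted_remote_nets):
    """Remote networks with no 'out' policy from local_net: that traffic would
    follow the default route in the clear instead of entering the tunnel."""
    probe = str(next(ipaddress.ip_network(local_net).hosts()))
    return [n for n in wanted_remote_nets
            if not covered(entries, probe,
                           str(next(ipaddress.ip_network(n).hosts())))]


# Router of NETWORK A: local 88.0/24, remote nets reachable behind NETWORK B.
A_LOCAL = ["192.168.88.0/24"]
B_SIDE = ["192.168.77.0/24", "192.168.44.0/24",
          "192.168.66.0/24", "192.168.70.0/24"]
ENTRIES = spd_entries(A_LOCAL, B_SIDE, "172.10.1.32", "10.0.0.182")

if __name__ == "__main__":
    print("\n".join(ENTRIES))  # 4 network pairs -> 8 policies
    print(uncovered_remote_nets(ENTRIES, "192.168.88.0/24",
                                B_SIDE + ["192.168.50.0/24"]))
```

A network that uncovered_remote_nets reports is exactly the case the asker describes: the router sends that traffic out the cable modem unencrypted because nothing steers it into the tunnel.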

well done williamjnelson;-)

agree with PAQ
ASKER CERTIFIED SOLUTION
GranMod

The--Captain
>Finally delete the --off-topic-- admin comments.

Will do.

>I think this way everybody can be happy ;-)

Achim - you are always the gentleman.

Cheers,
-Jon