
I'm trying to reach a SIP trunk from Asterisk through an IPsec tunnel, and it looks like the traffic is not being routed into the tunnel. Coming from OpenVPN, I assumed IPsec would bring up a network interface and that I would route traffic through it.

I will write my IP addresses here as X, Y, Z...

My configuration for IPSec is:

# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
#
# NOTE(review): this is the stock Openswan sample with a few values filled in.
# Because protostack=netkey is selected below, IPsec does NOT create a tunnel
# interface the way OpenVPN does: the kernel's XFRM policies select packets by
# source/destination and encapsulate them in place. A packet is only protected
# if its source address already falls inside leftsubnet (which the syslog
# shows "defaulting ... to" the left address itself), so the sending
# application has to use that address as its source.
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        # (the "private" level in particular is meant to dump key material)
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Enable core dumps (might require system changes, like ulimit -C)
        # This is required for abrtd to work properly
        # Note: incorrect SElinux policies might prevent pluto writing the core
        # NOTE(review): a pluto core dump can contain the PSK and live SA keys;
        # keep this directory root-only, or leave core dumps disabled unless
        # you are actively debugging.
        dumpdir=/var/run/pluto/
        # Bind to the interface carrying the default route. The routing table
        # posted with this config has its default route on wlan0, while the
        # XXX host routes and the 84.x/18 network are on eth0 — confirm that
        # pluto really bound the address used as left= (`ipsec auto --status`
        # lists the interfaces/addresses it is listening on; the posted
        # ipsec verify output only shows the ports).
        interfaces="%defaultroute"
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        # (the whack output reports NATD=none, i.e. no NAT detected on this path)
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using 25/8 as "private" address space on their 3G network.
        # This range has not been announced via BGP (at least upto 2010-12-21)
        # NOTE(review): 25.0.0.0/8 is public (non-RFC 1918) address space. This
        # list only matters for road-warrior conns using vhost:%priv; none of
        # the conns in this file do, so it is inert here.
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        # OE is now off by default. Uncomment and change to on, to enable.
        # (Opportunistic Encryption tries to negotiate IPsec with arbitrary
        # hosts; keep it off for a fixed site-to-site setup like this one.)
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        # netkey = in-kernel XFRM: policy-based selection, no ipsecN interface.
        protostack=netkey
        # Use this to log to a file, or disable logging on embedded systems (like openwrt)
        #plutostderrlog=/dev/null
# Site-to-site tunnel to the SIP trunk provider: this host's public address X
# (leftsubnet is not set, so the log shows pluto defaulting it to X itself,
# i.e. X/32) to the single host Z/32 behind peer Y. IKEv1 main mode
# (STATE_MAIN_I1 in the log) authenticated with a pre-shared key.
conn sTest01
        type=tunnel
        connaddrfamily=ipv4
        left=XXX.XXX.XXX.XXX
        # Taken from the default route; per the posted routing table that is
        # 192.168.1.1 on wlan0, not eth0 — verify this is the intended path.
        leftnexthop=%defaultroute
        # Address this host should use towards rightsubnet (presumably also
        # the src of the route Openswan installs for Z/32). Asterisk has to
        # actually send from this address, otherwise its packets never match
        # the XFRM policy and go out in the clear / unrouted.
        leftsourceip=XXX.XXX.XXX.XXX
        right=YYY.YYY.YYY.YYY
        # Identity the peer must present; pinned explicitly here (sTest02
        # leaves it at the default, which is the right= address).
        rightid=YYY.YYY.YYY.YYY
        # Only Z/32 goes through the tunnel. Anything to/from other provider
        # hosts (e.g. RTP media from a different media server) is NOT protected.
        rightsubnet=ZZZ.ZZZ.ZZZ.ZZZ/32
        #rightsubnet=0.0.0.0/0
        # NOTE(review): pfs=no disables Perfect Forward Secrecy for the IPsec
        # SA; the DH group in phase2alg below is then ignored (the whack
        # output shows "pfsgroup=no-pfs"). Enable it if the provider allows.
        pfs=no
        # Give up after 4 attempts (default is %forever). With auto=start,
        # a peer outage that outlasts these retries leaves the conn down
        # until it is re-initiated by hand — confirm this is what you want.
        keyingtries=4
        rekeymargin=15m
        # Pre-shared key from ipsec.secrets; the PSK is the whole
        # authentication, so it must be long and random.
        authby=secret
        # IKE: AES-256, SHA-1 integrity/PRF, DH group 5 (1536-bit MODP).
        # SHA-1 and modp1536 are below current recommendations (sha2,
        # modp2048 or larger); keep them only if the provider requires it.
        ike=aes256-sha1;modp1536
        phase2alg=aes256-sha1;modp1536
        # SA lifetime (8 h).
        lifetime=28800s
        # Initiate at ipsec start (the syslog shows this happening).
        auto=start

# NOTE(review): as posted, this conn is identical to sTest01 except that it
# does not pin rightid (so the peer's identity defaults to the right= address).
# If the unmasked left/right/rightsubnet really are the same as in sTest01,
# both conns install the same XFRM selectors and will compete for the same
# policy — either Z (or Y) should differ here, or this conn is redundant.
conn sTest02
        type=tunnel
        connaddrfamily=ipv4
        left=XXX.XXX.XXX.XXX
        # Taken from the default route (wlan0 in the posted routing table).
        leftnexthop=%defaultroute
        # Source address Asterisk must send from for its packets to match
        # the tunnel policy.
        leftsourceip=XXX.XXX.XXX.XXX
        right=YYY.YYY.YYY.YYY
        # Only Z/32 is protected; other provider hosts are reached in the clear.
        rightsubnet=ZZZ.ZZZ.ZZZ.ZZZ/32 
        #rightsubnet=0.0.0.0/0
        # No Perfect Forward Secrecy; the phase2alg DH group is ignored
        # (whack output: "pfsgroup=no-pfs").
        pfs=no
        # Give up after 4 attempts (default %forever); with auto=start a long
        # peer outage leaves the conn down until re-initiated manually.
        keyingtries=4
        rekeymargin=15m
        # Pre-shared key from ipsec.secrets — must be long and random.
        authby=secret
        # AES-256 / SHA-1 / DH group 5 (modp1536); SHA-1 and modp1536 are
        # below current recommendations, keep only if the provider insists.
        ike=aes256-sha1;modp1536
        phase2alg=aes256-sha1;modp1536
        # SA lifetime (8 h).
        lifetime=28800s
        auto=start

My routing table:

    root@lix ~ # netstat -rn
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlan0
1 Trunk XXX.XXX.XXX.XXX 0.0.0.0         255.255.255.255 UH        0 0          0 eth0
2 Trunk XXX.XXX.XXX.XXX 0.0.0.0         255.255.255.255 UH        0 0          0 eth0
    84.XXX.XXX.0    0.0.0.0         255.255.192.0   U         0 0          0 eth0
    192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan0

ipsec verify

root@lix ~ # ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.37/K3.12.28+ (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
    [OK]
    [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

When I restart ipsec, I don't see anything out of the ordinary in the log.

SysLog:

Feb  9 16:22:35 lix ipsec_starter[4050]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:35 lix ipsec_starter[4050]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:35 lix ipsec_setup: Stopping Openswan IPsec...
Feb  9 16:22:39 lix kernel: [ 1066.612566] NET: Unregistered protocol family 15
Feb  9 16:22:39 lix ipsec_setup: ...Openswan IPsec stopped
Feb  9 16:22:39 lix ipsec_starter[4125]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:39 lix ipsec_starter[4125]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:39 lix kernel: [ 1066.965557] NET: Registered protocol family 15
Feb  9 16:22:39 lix ipsec_setup: Starting Openswan IPsec U2.6.37/K3.12.28+...
Feb  9 16:22:40 lix ipsec_setup: Using NETKEY(XFRM) stack
Feb  9 16:22:40 lix ipsec_setup: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:40 lix ipsec_starter[4209]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:40 lix ipsec_setup: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:40 lix ipsec_starter[4209]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec_setup: ...Openswan IPsec started
Feb  9 16:22:41 lix ipsec__plutorun: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec_starter[4220]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec__plutorun: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec_starter[4220]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Feb  9 16:22:41 lix ipsec__plutorun: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix pluto: adjusting ipsec.d to /etc/ipsec.d
Feb  9 16:22:41 lix ipsec_starter[4221]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec__plutorun: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec_starter[4221]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec__plutorun: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec_starter[4222]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec__plutorun: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec_starter[4222]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:42 lix ipsec__plutorun: 002 added connection description "sTest01"
Feb  9 16:22:42 lix ipsec__plutorun: 002 added connection description "sTest02"
Feb  9 16:22:42 lix ipsec__plutorun: 104 "sTest01" #1: STATE_MAIN_I1: initiate

Whack

root@lix ~ # ipsec whack --name sTest01 --initiate
002 "sTest01" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:ea6824a9 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
117 "sTest01" #4: STATE_QUICK_I1: initiate
002 "sTest01" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "sTest01" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x2caadd64 <0x69b0a0e0 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}

root@lix ~ # ipsec whack --name sTest02 --initiate
002 "sTest02" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:956ccc0e proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
117 "sTest02" #5: STATE_QUICK_I1: initiate
002 "sTest02" #5: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "sTest02" #5: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x6e58c948 <0x7177b9ed xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}

Asterisk CLI:

lix*CLI> sip show peers
Name/username             Host                                    Dyn Forcerport ACL Port     Status     
peer                      80.XX.XXX.149                                N             5060     UNREACHABLE

If anyone can help, please do — I can post additional information if needed.

thanks

cky

1 Answer


You need to restart Asterisk AFTER the tunnel is up.

You also have to set localnet or externip in sip.conf to the address you use inside the tunnel (your leftsourceip).

Sorry, there is no way to help further, because you wildcarded too much of the information.

arheops