Topic: IPsec - not propagating routes

Crypty

IPsec - not propagating routes
« on: June 20, 2012, 03:43:50 pm »
Hi,

I have set up an IPsec connection between the Zentyal server and another router. The VPN is established:
192.168.10.0/24 --- LAN --- Zentyal 192.168.131.32 --- Router 192.168.131.80 --- LAN 192.168.36.0/24

But ping doesn't work.

Routes from the router:
Code:
/etc/ipsec.d $ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.131.0   0.0.0.0         255.255.255.0   U     0      0        0 lan2
192.168.36.0    0.0.0.0         255.255.255.0   U     0      0        0 lan1
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 lan2
0.0.0.0         192.168.131.254 0.0.0.0         UG    0      0        0 lan2

Routes from the Zentyal:
Code:
root@zentyal:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.131.0   0.0.0.0         255.255.255.0   U     0      0        0 eth3
192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0

When I manually add a route on the Zentyal:

Code:
ip r a 192.168.36.0/24 via 192.168.131.80
root@zentyal:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.131.0   0.0.0.0         255.255.255.0   U     0      0        0 eth3
192.168.36.0    192.168.131.80  255.255.255.0   UG    0      0        0 eth3
192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0

Now the ping "works". I added the quotes because the ping from the router/LAN side works using ESP (seen in tcpdump), but the opposite direction doesn't use ESP (it goes straight out of the eth interface, without an ESP header).

1) How can I force Zentyal to use IPsec/ESP?
2) How can I configure IPsec correctly so that it propagates the routes?

Here are the relevant files:
The router ipsec.conf:
Code:
  authby=secret
  keyingtries=%forever
  aggrmode=yes
  left=%defaultroute
  leftsubnet=192.168.36.0/24
  leftid=192.168.131.80
  right=192.168.131.32
  rightsubnet=192.168.10.0/24
  rightid=192.168.131.32
  ike=3des-md5-modp1536
  ikelifetime=86400s
  auth=esp
  esp=3des-md5
  keylife=28800s
  pfs=yes
  dpddelay=30
  dpdtimeout=61
  dpdaction=hold
  auto=start

The Zentyal ipsec.conf:
Code:
# VPN: lan10 : 192.168.131.32 <=> 192.168.131.80
conn lan10
        left=192.168.131.32
        leftsubnet=192.168.10.0/24
        right=192.168.131.80
        rightsubnet=192.168.36.0/24
        authby=secret
        auto=start
        auth=esp
        rekey=yes
        keyingtries=0
        keyexchange=ike
        ike=3des-md5
        ikelifetime=86400s
        esp=3des-md5;modp1536
        keylife=28800s
        pfs=yes

Thank you for your time and help.

Tomas (Crypty)

----

(IPsec is started with the "ipsec setup start" command)

danicastro

Re: IPsec - not propagating routes
« Reply #1 on: July 23, 2012, 12:04:49 pm »
Hi,

The problem is that the Zentyal server itself cannot ping the remote VPN network, but you can ping between the computers of the two networks.
This is the missing option in the ipsec.conf file:
leftsourceip=192.168.10.1 #LAN IP of the Zentyal

- Try to ping from a PC (not the Zentyal) in 192.168.10.0/24 to a PC in 192.168.36.0/24.
- Try to ping from the Zentyal to the router's private IP (or another machine):
 ping 192.168.36.0 -I eth1 (eth1 is the interface of the Zentyal LAN).

Regards.
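The two posts above describe one mechanism from two sides: the kernel routes a packet first and chooses its source address from the outgoing interface, and only then checks whether the (source, destination) pair falls inside a tunnel's subnet selectors. A ping issued on the Zentyal box itself gets source 192.168.131.32 (its eth3 address), which is outside leftsubnet 192.168.10.0/24, so it leaves in clear text even after the manual route; a ping bound to the LAN interface, or a host with leftsourceip set, gets a source inside the selector and is encrypted. The following Python model, added here as an illustration and not code from the thread or from Zentyal/Openswan, reproduces both observations. The tunnel selectors and the 192.168.131.32 address come from the posted configuration and route tables; the LAN-side interface addresses 192.168.10.1 and 192.168.20.1 are assumed, and the example uses eth0 for 192.168.10.0/24 because that is what the poster's route table shows (the reply names eth1).

```python
from ipaddress import ip_address, ip_network

# IPsec tunnel selectors copied from the thread's Zentyal ipsec.conf (conn lan10).
POLICIES = [
    {"name": "lan10",
     "left": ip_network("192.168.10.0/24"),
     "right": ip_network("192.168.36.0/24")},
]

# Constructed routing tables modelled on the poster's two "route -n" outputs
# for the Zentyal box: before and after "ip r a 192.168.36.0/24 via 192.168.131.80".
ROUTES_BEFORE = [
    (ip_network("192.168.131.0/24"), "eth3"),
    (ip_network("192.168.20.0/24"), "eth1"),
    (ip_network("192.168.10.0/24"), "eth0"),
]
ROUTES_AFTER = ROUTES_BEFORE + [(ip_network("192.168.36.0/24"), "eth3")]

# Address the kernel uses as source when the packet leaves via that interface.
# 192.168.131.32 is from the thread; the other two are assumed values.
IFACE_ADDR = {
    "eth3": "192.168.131.32",
    "eth1": "192.168.20.1",   # assumed
    "eth0": "192.168.10.1",   # assumed LAN address of the Zentyal box
}


def policy_for(src, dst):
    """Return the name of the tunnel whose selectors cover (src, dst), else None.

    Tunnel-mode policies match on both addresses: a packet is handed to ESP
    only when its source lies in one subnet selector and its destination in
    the other. Anything else leaves the host in clear text.
    """
    s, d = ip_address(src), ip_address(dst)
    for p in POLICIES:
        if (s in p["left"] and d in p["right"]) or (s in p["right"] and d in p["left"]):
            return p["name"]
    return None


def route_lookup(dst, routes):
    """Longest-prefix match: return the outgoing interface, or None if no route."""
    d = ip_address(dst)
    best = None
    for net, iface in routes:
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def local_ping(dst, routes, bind_iface=None):
    """Emulate "ping dst" (or "ping -I iface dst") run on the Zentyal host itself.

    The kernel routes the packet, takes the source address from the chosen
    interface (or from the one named with -I), and only then consults the
    IPsec policy. Returns "no route", "clear" or "ESP via <conn>".
    """
    iface = bind_iface or route_lookup(dst, routes)
    if iface is None:
        return "no route"
    src = IFACE_ADDR[iface]
    name = policy_for(src, dst)
    return f"ESP via {name}" if name else "clear"


if __name__ == "__main__":
    # Before the manual route: the poster's first symptom, no reply at all.
    print("ping 192.168.36.10 (no route)   :", local_ping("192.168.36.10", ROUTES_BEFORE))
    # After the manual route: a reply arrives, but tcpdump shows no ESP header,
    # because source 192.168.131.32 is outside leftsubnet 192.168.10.0/24.
    print("ping 192.168.36.10 (routed)     :", local_ping("192.168.36.10", ROUTES_AFTER))
    # Binding to the LAN interface gives source 192.168.10.1, which matches.
    print("ping -I eth0 192.168.36.10      :", local_ping("192.168.36.10", ROUTES_AFTER, "eth0"))
    # LAN-to-LAN traffic forwarded by the box always matches the selectors.
    print("PC 192.168.10.5 -> 192.168.36.5 :", policy_for("192.168.10.5", "192.168.36.5"))
```

The reply's leftsourceip option is the configuration-side equivalent of the `-I` case: it tells the IKE daemon's updown script to install the route to rightsubnet with that address as the preferred source, so packets originated by the gateway itself carry a source inside leftsubnet and match the policy without binding every command to an interface. Checking `ip route get 192.168.36.10` on the gateway shows which source address the kernel actually picks.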