<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7226.0">
<TITLE>Roadwarrior unable to ping beyond Gateway</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2 FACE="Arial">Hi,</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">I'm trying to set up an OpenSwan - OpenSwan roadwarrior connection:</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">192.168.1.2 Roadwarrior</FONT>
<BR><FONT SIZE=2 FACE="Arial"> |</FONT>
<BR><FONT SIZE=2 FACE="Arial">82.X.X.21 NAT Router</FONT>
<BR><FONT SIZE=2 FACE="Arial"> |</FONT>
<BR><FONT SIZE=2 FACE="Arial">Internet</FONT>
<BR><FONT SIZE=2 FACE="Arial"> |</FONT>
<BR><FONT SIZE=2 FACE="Arial">81.X.X.133 Router</FONT>
<BR><FONT SIZE=2 FACE="Arial"> |</FONT>
<BR><FONT SIZE=2 FACE="Arial">81.X.X.135 IpSec Gateway (External IP address)</FONT>
<BR><FONT SIZE=2 FACE="Arial">2.3.2.9 IpSec Gateway (Internal IP address)</FONT>
<BR><FONT SIZE=2 FACE="Arial"> |</FONT>
<BR><FONT SIZE=2 FACE="Arial">2.0.0.0/8 LAN</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">Currently I can establish the connection and ping the gateway's LAN IP address but no further. The ipsec.conf files for the roadwarrior and router are as follows:</FONT></P>
<PRE>
**************************************
# Roadwarrior:
config setup
        klipsdebug=all
        plutodebug=all
        nat_traversal=yes
        virtual_private=%v4:192.168.1.0/24

conn road
        left=%defaultroute
        leftid=@rw1.myvpn
        leftsubnet=192.168.1.0/24
        leftrsasigkey=0s - Left public key
        right=81.X.X.135
        rightid=@sg1.myvpn
        rightsubnet=2.0.0.0/8
        rightnexthop=81.X.X.133
        rightrsasigkey=0s - Right public key
        auto=add
        authby=rsasig
*******************************************
</PRE>
<PRE>
*******************************************
# Gateway
config setup
        klipsdebug=all
        plutodebug=all
        nat_traversal=yes

conn %default
        keyingtries=3
        compress=yes
        disablearrivalcheck=no
        ikelifetime=20m
        keylife=1h

conn road
        forceencaps=yes
        left=0.0.0.0
        leftid=@rw1.myvpn
        leftsubnet=192.168.1.0/24
        rightrsasigkey=0s - Right Public key
        right=81.X.X.135
        rightid=@sg1.myvpn
        rightsubnet=2.0.0.0/8
        leftrsasigkey=0s - Left public key
        auto=add
        authby=rsasig
        leftnexthop=81.X.X.133
        rightnexthop=2.4.2.4
********************************************
</PRE>
<P><FONT SIZE=2 FACE="Arial">ipsec verify shows, on the roadwarrior:</FONT>
<BR><FONT SIZE=2 FACE="Arial">Checking your system to see if IPsec got installed and started correctly:</FONT>
<BR><FONT SIZE=2 FACE="Arial">Version check and ipsec on-path [OK]</FONT>
<BR><FONT SIZE=2 FACE="Arial">Linux Openswan U2.4.5rc5/K2.6.14.6 (netkey)</FONT>
<BR><FONT SIZE=2 FACE="Arial">Checking for IPsec support in kernel [OK]</FONT>
<BR><FONT SIZE=2 FACE="Arial">NETKEY detected, testing for disabled ICMP send_redirects [OK]</FONT>
<BR><FONT SIZE=2 FACE="Arial">NETKEY detected, testing for disabled ICMP accept_redirects [OK]</FONT>
<BR><FONT SIZE=2 FACE="Arial">Checking for RSA private key (/etc/ipsec.secrets) [OK]</FONT>
<BR><FONT SIZE=2 FACE="Arial">Checking that pluto is running [OK]</FONT>
<BR><FONT SIZE=2 FACE="Arial">Two or more interfaces found, checking IP forwarding [OK]</FONT>
<BR><FONT SIZE=2 FACE="Arial">Checking NAT and MASQUERADEing [OK]</FONT>
<BR><FONT SIZE=2 FACE="Arial">Checking for 'ip' command [OK]</FONT>
<BR><FONT SIZE=2 FACE="Arial">Checking for 'iptables' command [OK]</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">and on the gateway:</FONT>
<BR><FONT SIZE=2 FACE="Arial">Checking your system to see if IPsec got installed and started correctly:</FONT>
<BR><FONT SIZE=2 FACE="Arial">Version check and ipsec on-path [OK]</FONT>
<BR><FONT SIZE=2 FACE="Arial">Linux Openswan U2.2.0/K2.6.11.4-21.11-smp (native)</FONT>
<BR><FONT SIZE=2 FACE="Arial">Checking for IPsec support in kernel [OK]</FONT>
<BR><FONT SIZE=2 FACE="Arial">Checking for RSA private key (/etc/ipsec.secrets) [OK]</FONT>
<BR><FONT SIZE=2 FACE="Arial">Checking that pluto is running [OK]</FONT>
<BR><FONT SIZE=2 FACE="Arial">Two or more interfaces found, checking IP forwarding [OK]</FONT>
<BR><FONT SIZE=2 FACE="Arial">Checking NAT and MASQUERADEing</FONT>
<BR><FONT SIZE=2 FACE="Arial">Checking for 'ip' command [OK]</FONT>
<BR><FONT SIZE=2 FACE="Arial">Checking for 'iptables' command [OK]</FONT>
<BR><FONT SIZE=2 FACE="Arial">Checking for 'curl' command for CRL fetching [OK]</FONT>
<BR><FONT SIZE=2 FACE="Arial">Checking for 'setkey' command for native IPsec stack support [OK]</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">tcpdump on the gateway shows pings to the internal network arriving but not getting any further (I can't see them leaving eth1 on the LAN side), but, as mentioned, I can ping the LAN side of the gateway:</FONT></P>
<P><FONT SIZE=2 FACE="Arial">13:43:47.492842 IP 82.X.X.21 > 81.X.X.135: ESP(spi=0x11941194,seq=0x8c0000)</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:47.492842 IP 192.168.1.2 > 2.6.4.3: icmp 64: echo request seq 1</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:47.492842 IP 192.168.1.2 > 2.6.4.3: icmp 64: echo request seq 1</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:48.505737 IP 82.X.X.21 > 81.X.X.135: ESP(spi=0x11941194,seq=0x8c0000)</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:48.505737 IP 192.168.1.2 > 2.6.4.3: icmp 64: echo request seq 2</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:48.505737 IP 192.168.1.2 > 2.6.4.3: icmp 64: echo request seq 2</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:49.506640 IP 82.X.X.21 > 81.X.X.135: ESP(spi=0x11941194,seq=0x8c0000)</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:49.506640 IP 192.168.1.2 > 2.6.4.3: icmp 64: echo request seq 3</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:49.506640 IP 192.168.1.2 > 2.6.4.3: icmp 64: echo request seq 3</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:49.937455 IP 82.X.X.21.4500 > 81.X.X.135.4500: UDP, length: 1</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:49.953568 IP 82.X.X.21.4500 > 81.X.X.135.4500: UDP, length: 384</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:50.506544 IP 82.X.X.21 > 81.X.X.135: ESP(spi=0x11941194,seq=0x8c0000)</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:50.506544 IP 192.168.1.2 > 2.6.4.3: icmp 64: echo request seq 4</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:50.506544 IP 192.168.1.2 > 2.6.4.3: icmp 64: echo request seq 4</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:51.505948 IP 82.X.X.21 > 81.X.X.135: ESP(spi=0x11941194,seq=0x8c0000)</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:51.505948 IP 192.168.1.2 > 2.6.4.3: icmp 64: echo request seq 5</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:51.505948 IP 192.168.1.2 > 2.6.4.3: icmp 64: echo request seq 5</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:53.761322 IP 82.X.X.21 > 81.X.X.135: ESP(spi=0x11941194,seq=0x8c0000)</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:53.761322 IP 192.168.1.2 > 2.3.2.9: icmp 64: echo request seq 1</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:53.761322 IP 192.168.1.2 > 2.3.2.9: icmp 64: echo request seq 1</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:53.761436 IP 81.X.X.135.4500 > 82.X.X.21.4500: UDP, length: 132</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:54.766098 IP 82.X.X.21 > 81.X.X.135: ESP(spi=0x11941194,seq=0x8c0000)</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:54.766098 IP 192.168.1.2 > 2.3.2.9: icmp 64: echo request seq 2</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:54.766098 IP 192.168.1.2 > 2.3.2.9: icmp 64: echo request seq 2</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:54.766191 IP 81.X.X.135.4500 > 82.X.X.21.4500: UDP, length: 132</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:55.769748 IP 82.X.X.21 > 81.X.X.135: ESP(spi=0x11941194,seq=0x8c0000)</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:55.769748 IP 192.168.1.2 > 2.3.2.9: icmp 64: echo request seq 3</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:55.769748 IP 192.168.1.2 > 2.3.2.9: icmp 64: echo request seq 3</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:55.769830 IP 81.X.X.135.4500 > 82.X.X.21.4500: UDP, length: 132</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:55.954605 IP 81.X.X.135.4500 > 82.X.X.21.4500: UDP, length: 1</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:56.773650 IP 82.X.X.21 > 81.X.X.135: ESP(spi=0x11941194,seq=0x8c0000)</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:56.773650 IP 192.168.1.2 > 2.3.2.9: icmp 64: echo request seq 4</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:56.773650 IP 192.168.1.2 > 2.3.2.9: icmp 64: echo request seq 4</FONT>
<BR><FONT SIZE=2 FACE="Arial">13:43:56.773740 IP 81.X.X.135.4500 > 82.X.X.21.4500: UDP, length: 132</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">route -n on the gateway gives:</FONT></P>
<PRE>
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
81.X.X.132      0.0.0.0         255.255.255.248 U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
2.0.0.0         0.0.0.0         255.0.0.0       U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         81.X.X.134      0.0.0.0         UG    0      0        0 eth0
</PRE>
<P><FONT SIZE=2 FACE="Arial">I guess I'm missing something simple (at least I hope so). Can anyone give me an idea where I'm going wrong with this configuration?</FONT></P>
<P><FONT SIZE=2 FACE="Arial">Thanks in advance.</FONT>
</P>
<P><SPAN LANG="en-us"><FONT COLOR="#9900CC" SIZE=2 FACE="Arial">Mike Peters</FONT></SPAN>
</P>
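<P><FONT SIZE=2 FACE="Arial">The capture in the message above can be read mechanically: for each inner ping destination, did anything ever go back towards the roadwarrior? The script below is an added example and is not part of the original message or of Openswan. It assumes the gateway's reply to a NAT-traversed roadwarrior shows up on the external interface as UDP/4500 (or ESP) from 81.X.X.135 to 82.X.X.21, that the 1-byte UDP/4500 datagrams are NAT-T keepalives rather than replies, and that a reply arrives within half a second of the request. The embedded capture is a constructed excerpt with the same addresses and line format as the post.</FONT></P>

```python
"""Correlate a tcpdump excerpt from an IPsec gateway: for every inner ICMP
echo-request destination, count distinct requests and record whether any
reply evidence appeared.  Added example; the capture below is a constructed
excerpt modelled on the one in the post."""
import re

GATEWAY_EXT = "81.X.X.135"      # gateway external address, as in the post
ROADWARRIOR_NAT = "82.X.X.21"   # NAT router in front of the roadwarrior

SAMPLE = """\
13:43:47.492842 IP 82.X.X.21 > 81.X.X.135: ESP(spi=0x11941194,seq=0x8c0000)
13:43:47.492842 IP 192.168.1.2 > 2.6.4.3: icmp 64: echo request seq 1
13:43:47.492842 IP 192.168.1.2 > 2.6.4.3: icmp 64: echo request seq 1
13:43:48.505737 IP 82.X.X.21 > 81.X.X.135: ESP(spi=0x11941194,seq=0x8c0000)
13:43:48.505737 IP 192.168.1.2 > 2.6.4.3: icmp 64: echo request seq 2
13:43:48.505737 IP 192.168.1.2 > 2.6.4.3: icmp 64: echo request seq 2
13:43:49.937455 IP 82.X.X.21.4500 > 81.X.X.135.4500: UDP, length: 1
13:43:53.761322 IP 82.X.X.21 > 81.X.X.135: ESP(spi=0x11941194,seq=0x8c0000)
13:43:53.761322 IP 192.168.1.2 > 2.3.2.9: icmp 64: echo request seq 1
13:43:53.761322 IP 192.168.1.2 > 2.3.2.9: icmp 64: echo request seq 1
13:43:53.761436 IP 81.X.X.135.4500 > 82.X.X.21.4500: UDP, length: 132
13:43:54.766098 IP 82.X.X.21 > 81.X.X.135: ESP(spi=0x11941194,seq=0x8c0000)
13:43:54.766098 IP 192.168.1.2 > 2.3.2.9: icmp 64: echo request seq 2
13:43:54.766098 IP 192.168.1.2 > 2.3.2.9: icmp 64: echo request seq 2
13:43:54.766191 IP 81.X.X.135.4500 > 82.X.X.21.4500: UDP, length: 132
13:43:55.954605 IP 81.X.X.135.4500 > 82.X.X.21.4500: UDP, length: 1
"""

LINE_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): (.*)$")


def parse_ts(ts: str) -> float:
    """'13:43:47.492842' -> seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line: str):
    """Return (seconds, src_ip, dst_ip, payload) or None for unknown lines.
    tcpdump appends '.<port>' to the addresses of UDP packets; strip it so
    UDP/4500 and ESP lines compare on the same address strings."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, payload = m.groups()
    if payload.startswith("UDP"):
        src = src.rsplit(".", 1)[0]
        dst = dst.rsplit(".", 1)[0]
    return parse_ts(ts), src, dst, payload


def udp_length(payload: str) -> int:
    m = re.search(r"length: (\d+)", payload)
    return int(m.group(1)) if m else 0


def analyse(capture: str, window: float = 0.5) -> dict:
    """Per inner destination: number of distinct echo requests and whether any
    reply evidence was seen within `window` seconds of a request.  Evidence is
    either a decapsulated 'echo reply' on the return path or an encrypted
    packet from the gateway back to the roadwarrior's NAT address that is
    bigger than the 1-byte NAT-T keepalive (assumption stated in the lead-in)."""
    events = [e for e in (parse_line(l) for l in capture.splitlines()) if e]
    results = {}
    for ts, src, dst, payload in events:
        m = re.search(r"echo request seq (\d+)", payload)
        if not m:
            continue
        entry = results.setdefault(dst, {"requests": set(), "answered": False})
        entry["requests"].add(int(m.group(1)))
        for ts2, src2, dst2, p2 in events:
            if not (ts <= ts2 <= ts + window):
                continue
            if "echo reply" in p2 and src2 == dst and dst2 == src:
                entry["answered"] = True
            if src2 == GATEWAY_EXT and dst2 == ROADWARRIOR_NAT:
                if p2.startswith("ESP") or udp_length(p2) > 1:
                    entry["answered"] = True
    return {d: {"requests": len(v["requests"]), "answered": v["answered"]}
            for d, v in results.items()}


if __name__ == "__main__":
    for dest, info in analyse(SAMPLE).items():
        state = "got replies" if info["answered"] else "NO reply traffic seen"
        print(f"{dest}: {info['requests']} echo request(s), {state}")
```

<P><FONT SIZE=2 FACE="Arial">Run against the excerpt it reports that pings to the gateway's own LAN address (2.3.2.9) are followed by encrypted traffic back to the roadwarrior, while pings to the LAN host (2.6.4.3) are decrypted on the gateway and then produce nothing at all, which points at forwarding or routing between eth0 and eth1 on the gateway rather than at the IPsec negotiation. The decapsulated inner packet appearing twice per ESP packet is how the capture in the post looks; the script de-duplicates by sequence number so that count is not inflated.</FONT></P>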
</BODY>
</HTML>