<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16608" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=504243014-12032008><FONT face=Arial
color=#0000ff size=2>You cannot use route add or ip route add with openswan,
you</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=504243014-12032008><FONT face=Arial
color=#0000ff size=2>must specify the traffic which uses the tunnel in
left/rightsubnet(s).</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=504243014-12032008><FONT face=Arial
color=#0000ff size=2>To clarify, where are you pinging/telnetting
from?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=504243014-12032008><FONT face=Arial
color=#0000ff size=2>A ping from 10.5.125.105 to 10.8.13.113 and vice versa
should work.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=504243014-12032008><FONT face=Arial
color=#0000ff size=2>A ping from 10.5.125.100 or 58.58.58.58 will not work
because you</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=504243014-12032008><FONT face=Arial
color=#0000ff size=2>have not included them in leftsubnet.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=504243014-12032008><FONT face=Arial
color=#0000ff size=2>Likewise, a ping from 202.202.202.202 or ?.?.?.? to
10.5.. will not work.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=504243014-12032008><FONT face=Arial
color=#0000ff size=2>Pings to 58... and 202... will work, but not encrypted:
plain internet.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=504243014-12032008><FONT face=Arial
color=#0000ff size=2>If you want your gateway to be able to communicate with
remote private</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=504243014-12032008><FONT face=Arial
color=#0000ff size=2>also, then change your conn as follows:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=504243014-12032008> <FONT
face=Arial color=#0000ff size=2>leftsourceip=10.5.125.100 # gw will use this
instead of 58... to talk to rem. priv.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=504243014-12032008> <FONT
face=Arial color=#0000ff size=2>leftsubnet=10.5.125.96/28 # you'll need to
change subnet on cisco too</FONT></SPAN></DIV>
<DIV> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV> </DIV><BR>
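<DIV align=left><FONT face=Arial size=2>An added example, not part of this thread and not Openswan's own code: a small Python model of the selector matching that leftsubnet/rightsubnet produce, run against the /32 conn posted below and the widened /28 conn suggested above, so you can see which pings would go out as ESP and which in the clear. It assumes the Openswan default that an omitted leftsubnet/rightsubnet means the gateway address itself (left/32, right/32), and it models only selector matching, not the source-address choice that leftsourceip controls.</FONT></DIV>

```python
"""Which traffic would an Openswan conn actually tunnel?

Added example (not from the mailing-list thread): models the IPsec
policy selectors Openswan derives from leftsubnet/rightsubnet, so you
can see why a ping leaves the gateway in the clear instead of as ESP.
Assumption: with leftsubnet/rightsubnet omitted, Openswan uses the
gateway address itself (left/32, right/32).
"""
from ipaddress import ip_address, ip_network


def parse_conn(text):
    """Parse 'key=value' lines of one conn section; '#' comments are dropped."""
    conn = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conn[key.strip()] = value.strip()
    return conn


def selectors(conn):
    """Return (left_net, right_net): the address pair the tunnel policy covers."""
    left = ip_network(conn.get("leftsubnet", conn["left"] + "/32"))
    right = ip_network(conn.get("rightsubnet", conn["right"] + "/32"))
    return left, right


def is_tunneled(conn, src, dst):
    """True if src->dst (in either direction) matches the conn's selectors,
    i.e. would be wrapped in ESP; False means it is plain routed traffic."""
    left, right = selectors(conn)
    s, d = ip_address(src), ip_address(dst)
    return (s in left and d in right) or (s in right and d in left)


# Constructed from the conn posted in the thread (host-to-host /32 selectors).
ORIGINAL = """
conn nattelenor
    left=58.58.58.58
    leftsubnet=10.5.125.105/32
    right=202.202.202.202
    rightsubnet=10.8.13.113/32
"""

# The change suggested in the reply: whole /28 plus leftsourceip.
WIDENED = ORIGINAL.replace(
    "leftsubnet=10.5.125.105/32",
    "leftsourceip=10.5.125.100\n    leftsubnet=10.5.125.96/28")

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("widened", WIDENED)):
        conn = parse_conn(text)
        for src in ("10.5.125.105", "10.5.125.100", "58.58.58.58"):
            verdict = "ESP" if is_tunneled(conn, src, "10.8.13.113") else "clear"
            print(f"{name}: {src} -> 10.8.13.113: {verdict}")
```

The remote side's selectors must mirror the change, which is why the reply notes the subnet has to be changed on the Cisco too.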
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Khan, Hammad Aslam
[mailto:raohammad@gmail.com] <BR><B>Sent:</B> March 12, 2008 2:11
AM<BR><B>To:</B> petermcgill@goco.net<BR><B>Cc:</B>
users@openswan.org<BR><B>Subject:</B> Re: [Openswan Users] Packets not passing
through Tunnel<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV>I have already enabled IP forwarding.</DIV>
<DIV>My setup is like this:<BR><BR>
<PRE>
my private       my gateway                              public              remote gw (cisco vpn 3000)   remote private
10.5.125.105 === 10.5.125.100(eth1) (eth0)58.58.58.58 >>>----------<<< 202.202.202.202  ?.?.?.? ==== 10.8.13.113
</PRE>
<BR><B>My Config file</B>
<PRE>
config setup
    interfaces="ipsec0=eth0"
    plutodebug="all"
    nat_traversal=yes

conn nattelenor
    type=tunnel
    authby=secret          # secret key
    auth=esp
    pfs=no
    keylife=28800
    keyingtries=3
    auto=add
    ike=3des-md5-modp1024
    esp=3des-md5
    left=58.58.58.58       # my external, internet-routable ip address, provided by NAT box=
    leftsubnet=10.5.125.105/32
    right=202.202.202.202  # my peer's external, internet-routable ip address=
    rightsubnet=10.8.13.113/32

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
</PRE>
<BR><B>My ipsec verify result</B>
<PRE>
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                              [OK]
Linux Openswan U2.4.9/K2.6.18-1.2798.fc6 (netkey)
Checking for IPsec support in kernel                         [OK]
NETKEY detected, testing for disabled ICMP send_redirects    [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects  [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets)            [OK]
Checking that pluto is running                               [OK]
Two or more interfaces found, checking IP forwarding         [OK]
Checking NAT and MASQUERADEing                               [OK]
Checking for 'ip' command                                    [OK]
Checking for 'iptables' command                              [OK]
Opportunistic Encryption Support                             [DISABLED]
</PRE>
<BR>Regards,<BR>Hammad<BR><BR><BR></DIV>
<DIV class=gmail_quote>On Tue, Mar 11, 2008 at 10:56 PM, Peter McGill <<A
href="mailto:petermcgill@goco.net">petermcgill@goco.net</A>> wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Did you
add leftsourceip=leftlanip and rightsourceip=rightlanip?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Without
them you can only ping hosts other than the ipsec
gateway,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>on the
remote lan, and only from hosts on the local lan not the
local</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>ipsec
gateway.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Show us
your ipsec.conf and ipsec verify.</FONT></SPAN></DIV>
<DIV> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV> </DIV><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV lang=en-us dir=ltr align=left>
<HR>
<FONT face=Tahoma size=2><B>From:</B> <A
href="mailto:users-bounces@openswan.org"
target=_blank>users-bounces@openswan.org</A> [mailto:<A
href="mailto:users-bounces@openswan.org"
target=_blank>users-bounces@openswan.org</A>] <B>On Behalf Of </B>Khan,
Hammad Aslam<BR><B>Sent:</B> March 11, 2008 1:45 PM<BR><B>To:</B> <A
href="mailto:users@openswan.org"
target=_blank>users@openswan.org</A><BR><B>Subject:</B> [Openswan Users]
Packets not passing through Tunnel<BR></FONT><BR></DIV>
<DIV>
<DIV></DIV>
<DIV class=Wj3C7c>
<DIV></DIV>Hello everyone,<BR>My tunnel has been successfully established
(both ISAKMP and IPSEC are UP);<BR>but when I try to ping/telnet the remote
end's private network PC, I don't get any response.<BR><BR>Using <B>tcpdump
-i eth0</B> (which is my public interface of the GW) it shows that the GW is
querying the internet for the remote-private-nw using ARP. No ESP packets are
seen...<BR><BR>I added a route of <BR># route add
<remote-private-ip> gw <remote-public-ip><BR>...but still, I
see the same result.<BR><BR>Please
help.<BR><BR>Regards,<BR>Hammad<BR></DIV></DIV></BLOCKQUOTE></DIV></BLOCKQUOTE></DIV><BR></BLOCKQUOTE></BODY></HTML>