add:<br>leftsourceip=172.19.253.1<br><br>if this is still not OK, remove:<br><br>leftnexthop=xxx<br><br>and try again<br><br><div class="gmail_quote">2011/7/31 Imtiaz Rahi <span dir="ltr"><<a href="mailto:imtiaz.rahi@gmail.com">imtiaz.rahi@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Guys I still need your help. Please help and respond.<br>
<br>
Tunnel is definitely up and the other side (router) can ping us, but we can't.<br>
My iptables is empty, only 1 NAT rule (MASQ) for private IP. The other<br>
side does not have firewall rules blocking us.<br>
I checked mtr ( mtr --address 172.19.253.1 10.1.4.8 ) and it just<br>
tries to go through the default route of the server.<br>
How can I check / ensure that the IPsec tunnel added specific routes ???<br>
<br>
Just today I learned that IPsec (netkey) adds things in "ip xfrm". But I<br>
have no knowledge about the XFRM framework and found no other doc except<br>
for the "man".<br>
<br>
Here are the XFRM outputs:<br>
<br>
sudo ip xfrm state<br>
src 203.112.xxx.xx dst 210.4.xx.xxx<br>
proto esp spi 0x6e7ff7ae reqid 16385 mode tunnel<br>
replay-window 32<br>
auth hmac(md5) 0x6ec07b7259a38c05ae759cb5d1de996a<br>
enc cbc(des3_ede) 0x3fe779cd9ddb27eabe7d84a12f9f2af8918cc6e94f27fcac<br>
sel src 0.0.0.0/0 dst 0.0.0.0/0<br>
src 210.4.xx.xxx dst 203.112.xxx.xx<br>
proto esp spi 0x1c50e944 reqid 16385 mode tunnel<br>
replay-window 32<br>
auth hmac(md5) 0x866f8931c93ad884eba2bea0471b5222<br>
enc cbc(des3_ede) 0x8e2ecaece87a81612e2a7efb7e64949f739d35810165b827<br>
sel src 0.0.0.0/0 dst 0.0.0.0/0<br>
<br>
sudo ip xfrm policy<br>
src 172.19.253.0/29 dst 10.1.4.0/24<br>
dir out priority 2184<br>
tmpl src 210.4.xx.xxx dst 203.112.xxx.xx<br>
proto esp reqid 16385 mode tunnel<br>
src 10.1.4.0/24 dst 172.19.253.0/29<br>
dir fwd priority 2184<br>
tmpl src 203.112.xxx.xx dst 210.4.xx.xxx<br>
proto esp reqid 16385 mode tunnel<br>
src 10.1.4.0/24 dst 172.19.253.0/29<br>
dir in priority 2184<br>
tmpl src 203.112.xxx.xx dst 210.4.xx.xxx<br>
proto esp reqid 16385 mode tunnel<br>
src 0.0.0.0/0 dst 0.0.0.0/0<br>
dir 4 priority 0<br>
.......................... (lots)<br>
<br>
<br>
cheers // Imtiaz Rahi<br>
<div><div></div><div class="h5"><br>
<br>
On Wed, Jul 27, 2011 at 3:19 PM, Willie Gillespie<br>
<<a href="mailto:wgillespie%2Bopenswan@es2eng.com">wgillespie+openswan@es2eng.com</a>> wrote:<br>
> If the tunnel is up, it could be a firewall issue.<br>
> Can you test with iptables off? And try pinging from both sides?<br>
><br>
> On 7/27/2011 2:50 AM, Imtiaz Rahi wrote:<br>
>> Anyone please respond and help me.<br>
>><br>
>> cheers // Imtiaz Rahi<br>
>><br>
>><br>
>> On Mon, Jul 25, 2011 at 7:19 PM, Imtiaz Rahi<<a href="mailto:imtiaz.rahi@gmail.com">imtiaz.rahi@gmail.com</a>> wrote:<br>
>>> Hi People,<br>
>>><br>
>>> I am a first timer with IPsec VPN and Openswan.<br>
>>> I am setting up an IPsec VPN from a Linux box to Cisco router.<br>
>>> Linux: Ubuntu 10.04 LTS Openswan U2.6.23/K2.6.32-30-server (netkey)<br>
>>> Cisco: Cisco 2821<br>
>>><br>
>>> Here is the IPsec network diagram<br>
>>> 172.19.253.0/29 === 210.4.xx.xxx --- 210.4.xx.xxx ... 203.112.xxx.xx<br>
>>> --- 203.112.xxx.xx === 10.1.4.0/24;<br>
>>> Linux VPN box<br>
>>> Cisco router<br>
>>><br>
>>><br>
>>> "ipsec status" says my tunnel is up and some eroutes exist. But I can<br>
>>> not reach the destination network.<br>
>>> I am trying to ping 10.1.4.8 like below, unsuccessfully:<br>
>>><br>
>>> ping 10.1.4.8 -I 172.19.253.1<br>
>>> PING 10.1.4.8 (10.1.4.8) from 172.19.253.1 : 56(84) bytes of data.<br>
>>><br>
>>> ^C<br>
>>> --- 10.1.4.8 ping statistics ---<br>
>>> 14 packets transmitted, 0 received, 100% packet loss, time 13007ms<br>
>>><br>
>>> Please help me here.<br>
>>><br>
>>> Cheers // Imtiaz Rahi<br>
>>><br>
>>><br>
>>> P.S. Here is the ipsec.conf for reference<br>
>>><br>
>>> ==================================================<br>
>>> version 2.0<br>
>>><br>
>>> config setup<br>
>>> nat_traversal=yes<br>
>>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12<br>
>>> oe=off<br>
>>> protostack=netkey<br>
>>> interfaces=%defaultroute<br>
>>><br>
>>> conn teletalk-vpn<br>
>>> type=tunnel<br>
>>> authby=secret<br>
>>> left=210.4.xx.xxx<br>
>>> leftnexthop=210.4.xx.xxx<br>
>>> leftsubnet=172.19.253.1/29<br>
>>> leftupdown=/usr/lib/ipsec/_updown<br>
>>> right=203.112.xxx.xx # Cisco 2821<br>
>>> rightnexthop=203.112.xxx.xx<br>
>>> rightsubnet=10.1.4.0/24<br>
>>> keyexchange=ike<br>
>>> keylife=1h<br>
>>> ike=3des-md5-modp1024<br>
>>> phase2alg=3des-md5<br>
>>> pfs=no<br>
>>> auto=start<br>
_______________________________________________<br>
<a href="mailto:Users@openswan.org">Users@openswan.org</a><br>
<a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
</div></div></blockquote></div><br>
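With netkey there are no per-tunnel routes to inspect; whether a packet enters the tunnel is decided by the "ip xfrm policy" selectors quoted above. The following is an added example (not code from the thread or from Openswan) that parses that output and answers the question asked in the thread: does a given flow match an out/in/fwd policy carrying an ESP template? It also checks the flow after its source has been rewritten by a MASQUERADE rule (the one iptables rule mentioned), since a post-NAT source outside 172.19.253.0/29 matches no tunnel policy, which is why IPsec subnets are normally excluded from masquerading. The sample text is reconstructed from the thread with the peer addresses left masked, and 198.51.100.1 is a placeholder for the public address.

```python
import ipaddress
import re

# Constructed sample: the "ip xfrm policy" output quoted in the thread, cut down to the
# three tunnel policies plus one catch-all socket policy; peer addresses stay masked.
XFRM_POLICY_OUTPUT = """\
src 172.19.253.0/29 dst 10.1.4.0/24
    dir out priority 2184
    tmpl src 210.4.xx.xxx dst 203.112.xxx.xx
        proto esp reqid 16385 mode tunnel
src 10.1.4.0/24 dst 172.19.253.0/29
    dir fwd priority 2184
    tmpl src 203.112.xxx.xx dst 210.4.xx.xxx
        proto esp reqid 16385 mode tunnel
src 10.1.4.0/24 dst 172.19.253.0/29
    dir in priority 2184
    tmpl src 203.112.xxx.xx dst 210.4.xx.xxx
        proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir 4 priority 0
"""

def parse_policies(text):
    """Turn 'ip xfrm policy' output into dicts: selector networks, dir, priority, tmpl flag."""
    policies = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("tmpl ") and policies:
            policies[-1]["tmpl"] = True          # an ESP template means "encrypt this flow"
            continue
        m = re.match(r"src (\S+) dst (\S+)$", line)
        if m:
            policies.append({"src": ipaddress.ip_network(m.group(1), strict=False),
                             "dst": ipaddress.ip_network(m.group(2), strict=False),
                             "dir": None, "priority": None, "tmpl": False})
            continue
        m = re.match(r"dir (\S+) priority (\d+)", line)
        if m and policies:
            policies[-1]["dir"], policies[-1]["priority"] = m.group(1), int(m.group(2))
    return policies

def lookup(policies, direction, src_ip, dst_ip):
    """Best match for a flow: same dir, both addresses in the selector, lowest priority value wins."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in policies if p["dir"] == direction and src in p["src"] and dst in p["dst"]]
    return min(hits, key=lambda p: p["priority"]) if hits else None

def is_protected(policies, direction, src_ip, dst_ip):
    """True when the flow hits a policy carrying an ESP template, i.e. it will use the tunnel."""
    p = lookup(policies, direction, src_ip, dst_ip)
    return p is not None and p["tmpl"]
```

Feed it the real output of `sudo ip xfrm policy` to check the thread's ping (172.19.253.1 to 10.1.4.8, dir out) and the same flow with the masqueraded source; the first matches the tunnel policy, the second matches nothing.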