<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Rescued from the Spam box. Please remember to subscribe to the mailing list before posting to it.</div><div><br><div>Begin forwarded message:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="color: rgb(127, 127, 127); "><b>From: </b></span>Christien Rioux &lt;<a href="mailto:crioux@gmail.com">crioux@gmail.com</a>&gt;</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(127, 127, 127, 1.0);"><b>Subject: </b></span><span style="font-family:'Helvetica'; font-size:medium;"><b>Re: routing problem</b><br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(127, 127, 127, 1.0);"><b>Date: </b></span><span style="font-family:'Helvetica'; font-size:medium;">4 December, 2012 5:23:52 PM EST<br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(127, 127, 127, 1.0);"><b>To: </b></span><span style="font-family:'Helvetica'; font-size:medium;"><a href="mailto:users@lists.openswan.org">users@lists.openswan.org</a><br></span></div><br><br><br><div>The problem was this is all being done on an Amazon VPC and there's a little magic in there that nobody's talked about:</div><div><div><br></div><div>The problem wasn't my routing table. The problem was the 'gateway' box running the openswan client had "source/dest checking" turned on. Go to the instance in the VPC, right click on it and hit "change source/dest checking" and turn that OFF.
Things will NOT ROUTE TO AND FROM your gateway without it turned OFF.</div>
<div><br></div><div>This only applies to VPC and not normal EC2 instances, and I doubt anyone knows that this is relevant as it's not discussed in ANY tutorials online.</div></div><div><br></div><div>--chris</div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Tue, Dec 4, 2012 at 11:05 AM, Christien Rioux <span dir="ltr">&lt;<a href="mailto:crioux@gmail.com" target="_blank">crioux@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I'll make this quick:<div><br></div><pre style="font-family:'courier new',monospace">172.16.0.16 ->NAT(1.2.3.4) -> INTERNET <- (4.3.2.1) <- 10.1.0.100
     ^
172.16.0.50</pre>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">I have two networks 172.16.0.0/16 and 10.1.0.0/24 that I want to bridge via site-to-site VPN.</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">I have successfully built an IPsec tunnel with the openswan client on Fedora on 172.16.0.16 (with a public Amazon EIP at 1.2.3.4), through to a Cisco ASA at 4.3.2.1.</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">Machine 172.16.0.16 can ping 10.1.0.100</font></div><div><font face="courier new, monospace">Machine 10.1.0.100 can ping 172.16.0.16</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">Note this indicates that the ASA at 4.3.2.1 is routing correctly.</font></div><div><font face="courier new, monospace"><br>
</font></div><div><font face="courier new, monospace">Pings from 10.1.0.100 do not reach 172.16.0.50 despite the fact that:</font></div><div><font face="courier new, monospace">1. tcpdump sees the ping come over ipsec</font></div>
<div><font face="courier new, monospace">2. ip forwarding is turned on on 172.16.0.16</font></div><div><font face="courier new, monospace">3. latest openswan is in use </font><span style="font-family:'courier new',monospace">on 172.16.0.16</span></div>
<div><font face="courier new, monospace">4. no amount of iptables seems to help; in fact I have completely removed them from 172.16.0.16 to ensure nothing is getting in the way.</font></div><div><font face="courier new, monospace">5. ip xfrm policy looks 'okay' to me but that stuff is wicked poorly documented.</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">So unlike the 4.3.2.1 box, the openswan box is not routing happily.</font></div><div><font face="courier new, monospace"><br>
</font></div><div><font face="courier new, monospace">A tcpdump on 172.16.0.50 sees no ICMP despite 172.16.0.16 seeing it and clearly identifying that it is for 172.16.0.50; it doesn't get sent back out the interface and on to its final destination.</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">The reverse also does not work, pinging from 172.16.0.50 to 10.1.0.100. I expect for similar reasons, despite a specific route added to make it go to the right machine.</font></div>
<div><br></div><div>Any thoughts on this problem would be greatly appreciated.</div><div><br></div><div>--chris</div>
</blockquote></div><br></div>
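<div>A pre-flight check for the gateway fix Chris describes above (source/dest check off, IP forwarding on), added here as an example and not part of the thread: it classifies the sourceDestCheck attribute as the AWS CLI reports it, combines it with the kernel's ip_forward value, and, only when RUN_LIVE=1, turns the check off with the real <code>aws ec2 modify-instance-attribute --no-source-dest-check</code> command. INSTANCE_ID is a placeholder; the helper names and the RUN_LIVE guard are constructed for this example.</div>

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Pre-flight check for an
# Openswan gateway instance inside a VPC. Assumes the AWS CLI is installed and
# has ec2:DescribeInstanceAttribute / ec2:ModifyInstanceAttribute rights;
# INSTANCE_ID is a placeholder that you must set to the gateway's instance id.
set -eu

# Classify the result of
#   aws ec2 describe-instance-attribute --attribute sourceDestCheck \
#       --query 'SourceDestCheck.Value' --output text
# which prints "True" or "False". Echoes on/off; anything else is an error.
sdc_state() {
  case "$1" in
    True|true)   echo on ;;
    False|false) echo off ;;
    *) echo unknown; return 1 ;;
  esac
}

# The gateway can forward tunnel traffic for other VPC hosts only when the
# source/dest check is off AND the kernel has IP forwarding enabled.
# Returns 0 when both hold, 1 otherwise.
gateway_ready() {
  [ "$1" = off ] && [ "$2" = 1 ]
}

# Live part, skipped unless RUN_LIVE=1 so the helpers can be exercised offline.
if [ "${RUN_LIVE:-0}" = 1 ]; then
  INSTANCE_ID="${INSTANCE_ID:?set INSTANCE_ID to the gateway instance id}"
  raw=$(aws ec2 describe-instance-attribute --instance-id "$INSTANCE_ID" \
          --attribute sourceDestCheck --query 'SourceDestCheck.Value' --output text)
  state=$(sdc_state "$raw")
  if [ "$state" = on ]; then
    echo "source/dest check is ON for $INSTANCE_ID; turning it off"
    aws ec2 modify-instance-attribute --instance-id "$INSTANCE_ID" --no-source-dest-check
    state=off
  fi
  ipfwd=$(sysctl -n net.ipv4.ip_forward)
  if gateway_ready "$state" "$ipfwd"; then
    echo "gateway ready: source/dest check=$state ip_forward=$ipfwd"
  else
    echo "gateway NOT ready: source/dest check=$state ip_forward=$ipfwd" >&2
    exit 1
  fi
fi
```

Run it on the gateway instance itself with RUN_LIVE=1 so that the sysctl check reflects the box that actually terminates the tunnel.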
<br><br></blockquote></div><br></body></html>