<html><head></head><body data-blackberry-caret-color="#00a8df" style="background-color: rgb(255, 255, 255); line-height: initial;"><div id="BB10_response_div" style="width: 100%; font-size: initial; font-family: Calibri, 'Slate Pro', sans-serif; color: rgb(31, 73, 125); text-align: initial; background-color: rgb(255, 255, 255);">There is no NAT. I think what happened is that both ends started tunnel initiation to the other side at the same time. Iptables is allowing related and established traffic back in. Both ends could talk and the tunnel gets created. It works until the UDP timeout elapses and the nodes need to rekey/do IPsec stuff again. </div><div style="width: 100%; font-size: initial; font-family: Calibri, 'Slate Pro', sans-serif; color: rgb(31, 73, 125); text-align: initial; background-color: rgb(255, 255, 255);"><br></div> <div id="_signaturePlaceholder" style="font-size: initial; font-family: Calibri, 'Slate Pro', sans-serif; color: rgb(31, 73, 125); text-align: initial; background-color: rgb(255, 255, 255);">www.ariens.ca</div> <table width="100%" style="background-color:white;border-spacing:0px;"> <tbody><tr><td id="_persistentHeaderContainer" colspan="2" style="font-size: initial; text-align: initial; background-color: rgb(255, 255, 255);"> <div id="_persistentHeader" style="border-style: solid none none; border-top-color: rgb(181, 196, 223); border-top-width: 1pt; padding: 3pt 0in 0in; font-family: Tahoma, 'BB Alpha Sans', 'Slate Pro'; font-size: 10pt;"> <div><b>From: </b>Neal Murphy</div><div><b>Sent: </b>Thursday, June 27, 2013 8:29 PM</div><div><b>To: </b>users@openswan.org</div><div><b>Reply To: </b>neal.p.murphy@alum.wpi.edu</div><div><b>Subject: </b>Re: [Openswan Users] Established Tunnel Not Passing Traffic</div></div></td></tr></tbody></table><div id="_persistentHeaderEnd" style="border-style: solid none none; border-top-color: rgb(186, 188, 209); border-top-width: 1pt; font-size: initial; text-align: initial; background-color: rgb(255, 255, 
255);"></div><br><div id="_originalContent" style="">On Thursday, June 27, 2013 07:04:15 PM Dave Ariens wrote:<br>> Could me trying to ping the other end have allowed the ESP protocol / UDP<br>> packets in somehow?<br><br>No, but allowing ESP/500/4500 *out* might've enabled the IPSEC netfilter <br>helper to allow certain things in (if NAT exists anywhere). That is, if one <br>end can get out on the correct ports/protos and the other lets them in, <br>there's a good chance things would just work. It's hard to tell without seeing <br>your network config(s) in minute detail (Where is NAT and any inbound <br>forwards? What's allowed out? What's allowed in? Are there other related <br>filters? What is routed where?)<br><br>> <br>> On Thu, Jun 27, 2013 at 5:24 PM, Dave Ariens &lt;dave@ariens.ca&gt; wrote:<br>> > I checked my iptables on the two end points and I only had:<br>> > <br>> > -A INPUT -s 216.58.86.104/32 -i eth0 -p esp -j ACCEPT<br>> > -A INPUT -s 216.58.86.104/32 -i eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT<br>> > -A INPUT -s 216.58.86.104/32 -i eth0 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT<br>> > <br>> > ...which was for the original tunnel that's been working fine, not the one<br>> > between my two OpenSwan instances.<br>> > <br>> > Adding the other end of the tunnel seems to have restored connectivity<br>> > across the tunnel, although I don't see any logs from Pluto after I made<br>> > the change.<br>> > <br>> > How could the tunnel possibly have been established in the first place<br>> > without allowing esp/500/4500?<br>> > <br>> > On Thu, Jun 27, 2013 at 3:46 PM, Neal Murphy<br>> > &lt;neal.p.murphy@alum.wpi.edu&gt; wrote:<br>> >> It may be nothing, but why don't I see states QUICK_I1/R1/I2/R2?<br>> >> Possibly mismatched params between the two ends? 
(Unless your method<br>> >> doesn't use them.)<br>_______________________________________________<br>Users@lists.openswan.org<br>https://lists.openswan.org/mailman/listinfo/users<br>Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy<br>Building and Integrating Virtual Private Networks with Openswan:<br>http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155<br></div></body></html>
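The thread's diagnosis (the tunnel came up because one end's outbound IKE exchange opened a conntrack entry that the RELATED,ESTABLISHED rule then honoured, and died once that UDP entry timed out and the peer's rekey arrived unsolicited) is easy to catch with a quick audit of the INPUT chain. The script below is an added example, not code from the thread or from Openswan: it checks an `iptables-save`-style dump for the three explicit per-peer rules (ESP, UDP/500, UDP/4500) in the same shape as the rules quoted above, and emits the missing ones. The sample rule text is constructed; 216.58.86.104 is the peer address quoted in the thread, 192.0.2.10 is a TEST-NET placeholder standing in for the second Openswan instance, and the generic `-m conntrack --ctstate RELATED,ESTABLISHED` rule is an assumption about what "allowing related and established traffic back in" looks like.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables INPUT chain for the
# explicit per-peer IPsec rules that an IKE responder needs, independent of
# conntrack state. 216.58.86.104 is the address quoted in the thread;
# 192.0.2.10 is a constructed TEST-NET placeholder for the second peer.

# Constructed sample of `iptables-save` INPUT lines, modelled on the quoted
# rules: a generic RELATED,ESTABLISHED accept plus explicit rules for only one
# of the two peers. The RELATED,ESTABLISHED rule admits the other peer's IKE
# replies only while our own outbound exchange is still in the conntrack
# table; after the UDP timeout its next (rekey) packet hits the final DROP.
SAMPLE_RULES='-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 216.58.86.104/32 -i eth0 -p esp -j ACCEPT
-A INPUT -s 216.58.86.104/32 -i eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -s 216.58.86.104/32 -i eth0 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
-A INPUT -j DROP'

# peer_rules_missing RULES PEER
# Returns 0 when RULES carries an explicit ACCEPT for ESP, UDP/500 and
# UDP/4500 from PEER; otherwise prints what is absent and returns 1.
peer_rules_missing() {
    rules=$1
    p=$2
    missing=""
    printf '%s\n' "$rules" | grep -q -- "-s $p/32 .*-p esp .*-j ACCEPT" \
        || missing="$missing esp"
    printf '%s\n' "$rules" | grep -q -- "-s $p/32 .*-p udp .*--dport 500 .*-j ACCEPT" \
        || missing="$missing udp/500"
    printf '%s\n' "$rules" | grep -q -- "-s $p/32 .*-p udp .*--dport 4500 .*-j ACCEPT" \
        || missing="$missing udp/4500"
    if [ -z "$missing" ]; then
        return 0
    fi
    printf 'peer %s lacks explicit INPUT rules for:%s\n' "$p" "$missing"
    return 1
}

# ipsec_peer_rules PEER IFACE
# Emits the three rules to add for PEER, in the shape of the quoted ones.
ipsec_peer_rules() {
    p=$1
    iface=$2
    printf '%s\n' "-A INPUT -s $p/32 -i $iface -p esp -j ACCEPT"
    printf '%s\n' "-A INPUT -s $p/32 -i $iface -p udp -m udp --sport 500 --dport 500 -j ACCEPT"
    printf '%s\n' "-A INPUT -s $p/32 -i $iface -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT"
}

# Usage: audit both tunnel peers; for any peer without explicit rules, show
# exactly what to add so it can initiate (or rekey) without a live conntrack
# entry on our side.
for peer in 216.58.86.104 192.0.2.10; do
    if peer_rules_missing "$SAMPLE_RULES" "$peer"; then
        echo "peer $peer: ok"
    else
        echo "rules to add for $peer:"
        ipsec_peer_rules "$peer" eth0
    fi
done
```

Run it against the real chain with `iptables-save | grep '^-A INPUT'` substituted for `SAMPLE_RULES`; a peer reported as missing rules is one whose tunnel will work only for as long as this end initiated and the UDP conntrack entry survives, which matches the symptom described in the thread.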