<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
This won't work, as your 172.21.0.0/20 subnet goes from 172.21.0.0 -
172.21.15.255 at one end of the tunnel, so it includes the
172.21.2.0/24 subnet at the other end of the tunnel. One rule is
that the local and remote LAN must not overlap or traffic will fail
to pass through the VPN.<br>
<br>
Nick<br>
<br>
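<p>The overlap rule above, as an added worked example (this is not code from the thread or from Openswan): a small checker that parses the flat <code>conn</code> / <code>key=value</code> subset of ipsec.conf used in the quoted post, flags every conn whose left and right networks share an address, and, for the case where the local prefix sits inside the remote one, carves the remote prefix into the largest blocks that exclude it. The sample config is constructed from the values in the post; the <code>/32</code> default for a side without a <code>subnet=</code> line is an assumption about Openswan's behaviour, and symbolic values such as <code>%defaultroute</code> are not resolved.</p>

```python
"""Overlap check for ipsec.conf conn blocks.

Added example (not code from the thread or from Openswan): it parses the
small subset of ipsec.conf syntax used in the post and applies the rule
from the reply, that a tunnel's local and remote subnets must not overlap.
"""
import ipaddress
import re

# Constructed sample: the conn block quoted in the post.
SAMPLE_CONF = """\
version 2.0
config setup
    oe=off
    protostack=netkey

conn goco
    ike=aes128-sha1-modp1536
    esp=aes128-sha1
    left=162.53.19.209
    leftsubnet=172.21.2.0/24
    leftsourceip=172.21.2.1
    right=207.223.232.56
    rightsubnet=172.21.0.0/20
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    authby=secret
    auto=start
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    Handles only the flat 'conn name' / indented key=value form; the
    'config setup' section, 'version', comments and blank lines are skipped.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"^conn\s+(\S+)\s*$", line)
        if header:
            current = conns.setdefault(header.group(1), {})
            continue
        if not line[0].isspace():
            current = None          # 'config setup', 'version 2.0', ...
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return conns


def side_network(conn, side):
    """Network protected on one side ('left' or 'right') of a conn.

    Assumption: with no <side>subnet the tunnel protects just the gateway
    address, i.e. <side>/32. Symbolic values such as %defaultroute are
    not resolved here and yield None.
    """
    value = conn.get(side + "subnet") or conn.get(side)
    if not value or value.startswith("%"):
        return None
    return ipaddress.ip_network(value, strict=False)


def find_overlapping_conns(text):
    """Return [(conn_name, left_net, right_net)] for every conn whose
    local and remote networks share at least one address."""
    bad = []
    for name, conn in parse_conns(text).items():
        left = side_network(conn, "left")
        right = side_network(conn, "right")
        if left is not None and right is not None and left.overlaps(right):
            bad.append((name, str(left), str(right)))
    return bad


def carve_remote(remote_cidr, local_cidr):
    """Split the remote prefix into the largest blocks that exclude the
    local prefix, sorted by network address.

    Only a valid fix if no remote host actually lives inside the local
    prefix; if one does, the addressing has to change, not the conn.
    Each returned block would become its own conn with the same gateways.
    If the local prefix is not inside the remote one, the remote prefix is
    returned unchanged (the opposite containment needs the local side carved).
    """
    remote = ipaddress.ip_network(remote_cidr, strict=False)
    local = ipaddress.ip_network(local_cidr, strict=False)
    if not local.subnet_of(remote):
        return [remote]
    return sorted(remote.address_exclude(local))


if __name__ == "__main__":
    for name, left, right in find_overlapping_conns(SAMPLE_CONF):
        print(f"conn {name}: leftsubnet {left} overlaps rightsubnet {right}")
        for block in carve_remote(right, left):
            print(f"  non-overlapping remote block: {block}")
```

<p>Run against the quoted config this reports <code>goco</code> with 172.21.2.0/24 inside 172.21.0.0/20 and proposes 172.21.0.0/23, 172.21.3.0/24, 172.21.4.0/22 and 172.21.8.0/21 as the remote blocks that do not collide with the local LAN. The reason the more specific kernel route to eth2 does not rescue the packet is that with the NETKEY stack the outbound flow is matched against the IPsec policy selectors (here src 172.21.2.0/24, dst 172.21.0.0/20) after the route lookup, and a matching packet is encapsulated towards the remote gateway regardless of which interface the route chose; the <code>martian source</code> line in the syslog is consistent with that, since the reply for 172.21.2.2 shows up on eth0 rather than on eth2 where the reverse-path check expects it.</p>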
<div class="moz-cite-prefix">On 01/10/2014 16:29, Patrick Naubert
wrote:<br>
</div>
<blockquote
cite="mid:DA4BE140-4E8C-46D9-8F11-E52073333E65@xelerance.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
Rescued from the Spam bucket. Please remember to subscribe to the
mailing list before posting to it.<br>
<div><br>
<div>
<div style="margin-top: 0px; margin-right: 0px; margin-bottom:
0px; margin-left: 0px;"><span style="color: rgb(127, 127,
127);"><b>From: </b></span>"Peter McGill" <<a
moz-do-not-send="true" href="mailto:petermcgill@goco.net"
style="color: purple;">petermcgill@goco.net</a>></div>
<div>
<div link="blue" vlink="purple" style="font-family:
Helvetica; font-size: 12px; font-style: normal;
font-variant: normal; font-weight: normal; letter-spacing:
normal; line-height: normal; orphans: auto; text-align:
start; text-indent: 0px; text-transform: none;
white-space: normal; widows: auto; word-spacing: 0px;
-webkit-text-stroke-width: 0px;" lang="EN-CA">
<div style="margin: 0px;"><span style="font-family:
Helvetica; color: rgb(127, 127, 127);"><b>Subject:<span
class="Apple-converted-space"> </span></b></span><span
style="font-family: Helvetica;"><b>When IPSec tunnel
up, cannot communicate with local LAN</b><br>
</span></div>
<div style="margin: 0px;"><span style="font-family:
Helvetica; color: rgb(127, 127, 127);"><b>Date:<span
class="Apple-converted-space"> </span></b></span><span
style="font-family: Helvetica;">October 1, 2014 at
10:56:55 AM GMT-4<br>
</span></div>
<div style="margin: 0px;"><span style="font-family:
Helvetica; color: rgb(127, 127, 127);"><b>To:<span
class="Apple-converted-space"> </span></b></span><span
style="font-family: Helvetica;"><<a
moz-do-not-send="true"
href="mailto:users@lists.openswan.org" style="color:
purple; text-decoration: underline;">users@lists.openswan.org</a>><br>
</span></div>
<br>
<br>
<div class="WordSection1" style="page: WordSection1;">
<div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;">I’m running on
Debian Wheezy (Current Stable).<o:p></o:p></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;">When I stop
openswan (service ipsec stop).<o:p></o:p></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;">I can ping and
communicate with the local LAN 172.21.2.0/24<o:p></o:p></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;">When I start
openswan (service ipsec start).<o:p></o:p></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;">I can ping the
remote LAN but not the local LAN.<o:p></o:p></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;">The remote LAN and
local LAN can communicate (through the openswan
server).<o:p></o:p></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;">But the openswan
server cannot communicate with the local LAN.<o:p></o:p></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;">It’s not firewall
related, it happens without any iptables rules.<o:p></o:p></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;"><o:p> </o:p></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;">I’ve had similar
configurations working in the past and I’m puzzled…<o:p></o:p></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;"><o:p> </o:p></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;">/etc/ipsec.conf:<o:p></o:p></div>
<pre wrap="">version 2.0
config setup
    oe=off
    protostack=netkey

conn goco
    ike=aes128-sha1-modp1536
    esp=aes128-sha1
    left=162.53.19.209
    leftsubnet=172.21.2.0/24
    leftsourceip=172.21.2.1
    right=207.223.232.56
    rightsubnet=172.21.0.0/20
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    authby=secret
    auto=start
</pre>
<pre wrap="">root@lark:~# service ipsec stop
ipsec_setup: Stopping Openswan IPsec...
root@lark:~# ip route show
default via 162.53.19.1 dev eth0
10.176.0.0/18 dev eth1 proto kernel scope link src 10.176.2.57
10.176.0.0/12 via 10.176.0.1 dev eth1
10.208.0.0/12 via 10.176.0.1 dev eth1
162.53.19.0/24 dev eth0 proto kernel scope link src 162.53.19.209
172.21.2.0/24 dev eth2 proto kernel scope link src 172.21.2.1
root@lark:~# ping 172.21.2.2
PING 172.21.2.2 (172.21.2.2) 56(84) bytes of data.
64 bytes from 172.21.2.2: icmp_req=1 ttl=64 time=3.88 ms
64 bytes from 172.21.2.2: icmp_req=2 ttl=64 time=0.825 ms
64 bytes from 172.21.2.2: icmp_req=3 ttl=64 time=0.498 ms
64 bytes from 172.21.2.2: icmp_req=4 ttl=64 time=0.548 ms
^C
--- 172.21.2.2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 0.498/1.438/3.882/1.416 ms

root@lark:~# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.37/K3.2.0-4-amd64...
root@lark:~# ip route show
default via 162.53.19.1 dev eth0
10.176.0.0/18 dev eth1 proto kernel scope link src 10.176.2.57
10.176.0.0/12 via 10.176.0.1 dev eth1
10.208.0.0/12 via 10.176.0.1 dev eth1
162.53.19.0/24 dev eth0 proto kernel scope link src 162.53.19.209
172.21.0.0/20 dev eth0 scope link src 172.21.2.1
172.21.2.0/24 dev eth2 proto kernel scope link src 172.21.2.1
root@lark:~# ping 172.21.1.32
PING 172.21.1.32 (172.21.1.32) 56(84) bytes of data.
64 bytes from 172.21.1.32: icmp_req=1 ttl=127 time=35.9 ms
64 bytes from 172.21.1.32: icmp_req=2 ttl=127 time=35.0 ms
64 bytes from 172.21.1.32: icmp_req=3 ttl=127 time=48.2 ms
^C
--- 172.21.1.32 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 35.015/39.735/48.267/6.048 ms
root@lark:~# ping 172.21.2.2
PING 172.21.2.2 (172.21.2.2) 56(84) bytes of data.
^C
--- 172.21.2.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2015ms
root@lark:~# tail /var/log/syslog
Oct 1 10:37:39 lark kernel: [81702.608446] martian source 172.21.2.2 from 172.21.2.1, on dev eth0
Oct 1 10:37:39 lark kernel: [81702.608449] ll header: bc:76:4e:20:00:a2:84:78:ac:57:15:c1:08:00
</pre>
font-family: Calibri, sans-serif;"><o:p> </o:p></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;">It appears that the
server is trying to route the local LAN packet out the
tunnel.<o:p></o:p></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;">But I have no idea
why; the routes look ok, and the most specific route goes
to the local LAN (eth2).<o:p></o:p></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;"><o:p> </o:p></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;"><o:p> </o:p></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;">Peter McGill<o:p></o:p></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;">Systems Analyst and
Administrator<o:p></o:p></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;">Gra Ham Energy
Limited<o:p></o:p></div>
<div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;">519-284-3420 x204</div>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a>
Micropayments: <a class="moz-txt-link-freetext" href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a>
Building and Integrating Virtual Private Networks with Openswan:
<a class="moz-txt-link-freetext" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
</blockquote>
<br>
</body>
</html>