[Openswan dev] Odd connectivity issue
Kevan Benson
kbenson at a-1networks.com
Thu Apr 21 14:29:21 CEST 2005
I'm posting this to both users and dev, because I'm not quite sure at this
point where the problem lies, but it seems that it might be sufficiently high
level enough that a code chane might be required if it is indeed a bug.
I have an issue with some end hosts behind openswan ipsec boxes with a tunnel
being unable to communicate in certain instances. In these instances, the
hosts in question can contact all other hosts on both ends of the tunnel,
just not eachother, where there was no problem beforehand.
Site A has a dedicated T1, site B has a somewhat spotty DSL connection. There
is an Active Directory Server at site A that serves clients at both site A
and site B. Occasionally a host at site B that is normally in frequent
contact with the ADS will be unable to access it. No traffic whatsoever will
pass between the boxes, either direction, yet the hosts can still contact
other machines on both networks. A tcpdump of the real interface and the
ipsec interface on both sides shows information passing throguh the real
interface to the ipsec interface from the originating side, but no traffic is
winessed on the other end. This seems to happen more frequently with hosts
that are left on over night, and are connected and possibly passing traffic
when the spotty DSL connection goes down.
Downing the tunnel and bringing it back up on either or both of the ipsec
boxes does not solve the problem, but a service ipsec restart at site B will
solve the issues, doing a restart of the ipsec service at site A only hasn't
been tried yet.
The machines are both Via CV860A's running Mandrake 10.1 with a custom
compiled 2.4.29 kernel. Openswan is compiled from source and is version
2.3.0 with the natt patch.
Site A is running the single iptables rule:
iptables -A POSTROUTING -s 192.168.200.0/255.255.255.0 -d !
192.168.0.0/255.255.0.0 -j MASQUERADE
Site B is running the single iptables rule:
iptables -A POSTROUTING -s 192.168.210.0/255.255.255.0 -d !
192.168.0.0/255.255.0.0 -j MASQUERADE
I would gladly provide any more info requested from normal or degraded
operation; tcpdumps, dumps of /prc/net/ipsec/*, just let me know what's
needed.
-Kevan Benson
More information about the Dev
mailing list