[Openswan Users] help request - traffic not going through IPsec tunnel

Paul Wouters paul at xtdnet.nl
Tue Apr 13 22:31:34 CEST 2004


On Tue, 13 Apr 2004, David Forbis wrote:

> For privacy's sake, I've removed some of the ip addresses in the
> reports below.  I hope that didn't confuse everything.  "x.x.x.x" denotes
> a remote address, "y.y.y.y" denotes a local address.  For brevity's sake,
> I did not attach an ipsec barf, but one may be found at:
> http://www.forbis.org/ipsecbarf.txt

From the barf I saw:

all/rp_filter:0
default/rp_filter:1
eth0/rp_filter:1
eth1/rp_filter:1

I'd recommend disabling all of rp_filter in /etc/sysctl.conf

I'm not convinced that your NAT is not causing problems. It looks a bit complex, and I do
not see the nat exclusion for packets. You seem to match them for source first, and then
hand them down a chain and skip masq only for destination.

# CONFIG_IP_ADVANCED_ROUTER is not set

I am not sure if this is still optional or mandatory. It won't hurt, and I recommend enabling
the advanced router features.

CONFIG_INET_IPCOMP=y

There are some interop issues between native 2.6 pfkey (and KAME) and Openswan/Freeswan KLIPS code.
Depending on the other end of the connection (e.g. if it is KLIPS), you might have problems too.
Freeswan/Openswan does not yet allow for disabling compression (only the disabling of advertising it).
So either you need to ensure that compression isn't asked for at the other end (which it cannot be if it is
KLIPS), or you are better off leaving this out of your kernel for now.

I am not sure if you have af_key or xfrm_user. We need to adjust the barf to catch those as well, but
I assume you do, since you do get conns going and no pf_write failures.

Note that dforbis-common is not loaded as a separate conn, which I think you intended to do. You
probably got a warning about a double auto= line in dforbis-vpn1.

Do something like:

# host-to-host conn: pulls the shared settings in from dforbis-base
conn dforbis-host
	also=dforbis-base
	auto=start
# host-to-subnet conn: same base, plus the remote subnet
conn dforbis-vpn1
	also=dforbis-base
	rightsubnet=10.90.101.0/24
	auto=start
# shared settings only; no auto= here, so it is never loaded on its own
conn dforbis-base
	...
This way, both will start.

Perhaps that is the mixture of packets you are seeing, the difference between the host and the
subnet conn?

Paul 
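The two checks above (rp_filter in the barf, and whether the also= layout leaves both conns loaded without a doubled auto= line) can be scripted. The following is an added example, not code from the original post or from Openswan; it assumes ipsec.conf semantics where the including conn's own setting wins over an also= include and a key set in both places is reported as the "double" warning, and it uses constructed sample input (the four rp_filter lines quoted above, and a filled-in dforbis-base with assumed left=/right=/authby= lines).

```python
import re

# Constructed sample: the rp_filter lines exactly as quoted from the barf.
SAMPLE_BARF = """\
all/rp_filter:0
default/rp_filter:1
eth0/rp_filter:1
eth1/rp_filter:1
"""

# Constructed sample: the layout recommended in the post, with the "..." of
# dforbis-base filled in by assumed placeholder values.
SAMPLE_CONF_FIXED = """\
conn dforbis-host
    also=dforbis-base
    auto=start
conn dforbis-vpn1
    also=dforbis-base
    rightsubnet=10.90.101.0/24
    auto=start
conn dforbis-base
    left=y.y.y.y
    right=x.x.x.x
    authby=secret
"""

# Constructed variant: the base conn also carries auto=start, so vpn1 ends up
# with auto= both locally and via also= (the situation the post warns about).
SAMPLE_CONF_DOUBLE_AUTO = """\
conn dforbis-vpn1
    also=dforbis-base
    rightsubnet=10.90.101.0/24
    auto=start
conn dforbis-base
    left=y.y.y.y
    right=x.x.x.x
    auto=start
"""


def rp_filter_enabled(barf_text):
    """Return the names (all/default/ethN) whose rp_filter value is non-zero."""
    enabled = []
    for line in barf_text.splitlines():
        m = re.match(r"^(\S+)/rp_filter:(\d+)$", line.strip())
        if m and int(m.group(2)) != 0:
            enabled.append(m.group(1))
    return enabled


def parse_conns(conf_text):
    """Parse 'conn NAME' sections into {name: {key: value, 'also': [names]}}.
    Section headers start in column 0; parameters are indented."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {"also": []}) if kind == "conn" else None
            continue
        if current is None:  # e.g. inside 'config setup', ignored here
            continue
        key, _, value = line.strip().partition("=")
        key, value = key.strip(), value.strip()
        if key == "also":
            current["also"].append(value)
        else:
            current[key] = value
    return conns


def expand_conn(conns, name, seen=frozenset()):
    """Resolve also= includes for one conn. Returns (params, warnings).
    Assumption: the including section wins; a key present both locally and in
    an included section is reported (the 'double auto= line' case)."""
    if name in seen:
        raise ValueError("also= loop at %s" % name)
    own = dict(conns[name])
    includes = own.pop("also")
    params, warnings = dict(own), []
    for inc in includes:
        if inc not in conns:
            warnings.append("%s: also=%s refers to a missing conn" % (name, inc))
            continue
        inc_params, inc_warn = expand_conn(conns, inc, seen | {name})
        warnings.extend(inc_warn)
        for k, v in inc_params.items():
            if k in own:
                warnings.append("%s: %s= set both locally and via also=%s" % (name, k, inc))
            else:
                params[k] = v
    return params, warnings


def loaded_conns(conf_text):
    """Names of conns that get loaded at startup (auto= other than ignore),
    plus all warnings produced while expanding also= includes."""
    conns = parse_conns(conf_text)
    loaded, warnings = [], []
    for name in conns:
        params, warn = expand_conn(conns, name)
        warnings.extend(warn)
        if params.get("auto", "ignore") != "ignore":
            loaded.append(name)
    return loaded, warnings


if __name__ == "__main__":
    print("rp_filter still on for:", rp_filter_enabled(SAMPLE_BARF))
    print("fixed layout loads:", loaded_conns(SAMPLE_CONF_FIXED))
    print("double-auto layout:", loaded_conns(SAMPLE_CONF_DOUBLE_AUTO))
```

With the recommended layout, dforbis-host and dforbis-vpn1 are both loaded and dforbis-base is not, with no warnings; the variant where the base conn also sets auto= produces a warning naming auto= on dforbis-vpn1, which is the symptom to look for in the ipsec startup output.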


