[Openswan Users] help request - traffic not going through IPsectunnel

[David Forbis]

Just wanted to pass along an update with a working solution to the list.

To sum up, I think I had several problems getting OS 2.1.1 to work with
kernel 2.6.5.  The issue, along with the solution is summarized (along
with one open issue that I didn't solve, just worked around).

My client is a RedHat9.0 system running a 2.6.5 kernel.  Shorewall is my
firewall.  My local network is 10.90.105.152/29, and I was attempting to
tunnel to 10.0.0.0/8.  The IPsec tunnel seemed to establish correctly, but
I had trouble routing through it in either direction.

1) Could not ping or traceroute through the tunnel from my firewall,
located on 10.90.105.153.  Rereading the Freeswan troubleshooting
documentation for the 4th time, I finally realized that my firewall was
not part of the protected network.  Adding "leftsourceip=10.90.105.153" in
my ipsec.conf fixed that.

2) Next, I ran in to firewall trouble.  I could ping my LAN from the
remote network, but the pings were never answered - tcpdump showed ESP
packets arriving on eth0, but no replies were sent out.  This was caused
by my having the "norfc1918" option set on eth0 in my shorewall
"interfaces" file.  Removing this option fixed the problem.

3) With the tunnel established, routing was broken on my internal LAN.  Is
there a bug in the 2.6 IPsec implementation that doesn't allow a subnet of
the tunnel space to be local (see my address configurations above)? 
Although the routing table appeared correct, when the IPsec tunnel was
established, no routing between my firewall and LAN was possible.  My
workaround was to redefine my IPsec tunnel to a non-overlapping address
space, 10.90.101.0/24.  This was sufficient for my uses, but I wonder if
there is something fundamentally incorrect with the 2.6 implementation.


Hopefully these answers will help someone in the future.

Thanks again for the all the help, guys!
Dave