[Openswan Users] IPSec SA established, but can't ping

Martin Goldstone nightofdarkness at hotmail.com
Thu Dec 9 16:17:48 CET 2004



Hi All,

I'm currently having a problem, and I'm hoping someone on this list can 
provide a solution.

The situation is this: I want to set up a VPN between a Windows XP 
(original) box and my Suse 9.1 box (kernel 2.6.5), running openswan 2.2.0.  
The trick is, my Suse box is sitting behind a broadband router, so there is 
NAT involved.

So it looks like this:

Suse box ---- NAT/router ---- Internet ---- Windows box


IPs are as follows:

Suse box: 192.168.2.28
NAT private side: 192.168.2.1
NAT public side: 213.106.102.20 (assigned by DHCP, in practice remains 
static)
Windows Box: 81.97.144.210 (assigned by DHCP, in practice remains static)

After much research through Google, this mailing list and others, I managed 
to get the IPSec SA established (previous to this, I had problems doing 
this, getting error messages such as no connection found etc).


At one point, I was able to ping the Suse box from the windows box 
successfully, however, I changed a setting and upon changing it back the ping 
ceased to work.  From the windows box, when I ping 192.168.2.28, I get:

Negotiating IP Security
Request timed out
Request timed out
Request timed out

If I use the -t option with ping, I just get Request timed out repeated 
continuously. I will at this point mention that the windows box has a norton 
personal firewall installed on it, and the first time I tried pinging, it 
complained of an invalid ICMP type, however upon disabling the firewall, it 
is still not working.

I also want to mention that on the windows box, I set IPSec up using IP 
Security Policies snap-in on MMC. To begin with, I had it set on the default 
settings, which tunnel every protocol. As this caused problems with SSH (it's 
unproductive to have to run between 2 PCs to check the log files, so I 
prefer to use SSH), I set it up to only tunnel ICMP messages. The ping 
time-out problem is evident in both setups.

I had thought that maybe my router was causing problems. I had already set 
it to forward UDP ports 500 and 4500, as well as TCP port 22, so I decided 
to put my Suse box into the DMZ, thereby causing all traffic to be forwarded 
to it.  It's worth noting that my router has no options or documentation with 
reference to IPSec, and it seems that the only traffic directed at the 
public IP of my router that I can identify which does not get forwarded to 
the Suse box in the DMZ are http requests on Port 88 (admin interface for 
the router) and ping requests. However, this still did not cure the problem.

Running tcpdump on the Suse box shows me activity on UDP port 500 (as far as 
I can tell it's the IKE stuff and setting up of the IPSec SA).  However, 
there appears to be no activity on IP protocol 50, or UDP port 4500.

If needs be, I'll email my ipsec.conf file, the contents of 
/var/logs/secure, output of ipsec barf, screenshots of the windows or 
anything else.  I'm on the verge of pulling my hair out on this.

To make matters worse, I can't install the IPSec update for Windows, as the 
Windows box isn't even running SP1, and its owner does not want to update as 
they fear it may cause them problems. Additionally, they cannot find their 
Windows CD, and so I cannot install the Windows Support Tools.  I've 
attempted to download them from the MS website, however they appear to be 
SP2 specific when it comes to the IPSec stuff, as I just get an error saying 
"Ordinal 79 could not be found in IPSEC.DLL" when I try to run ipseccmd.exe, 
and unfortunately netdiag /test:ipsec /v or /debug provides the same output 
as the plain netdiag command, providing very limited IPSec information.

I really hope someone can help me out with a suggestion here.

Thanks in advance,

Mart
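The symptom described in the post (IKE on UDP 500 visible in tcpdump on the gateway, but no ESP and no UDP 4500 afterwards) is the classic signature of an SA that negotiates fine while the encrypted data packets never arrive through the NAT. The script below is an added example, not part of this thread or of Openswan: it classifies lines of tcpdump's text output into IKE (UDP 500), NAT-T (UDP 4500, which carries both encapsulated IKE and UDP-encapsulated ESP) and raw ESP (IP protocol 50), then states which stage of the tunnel is missing. The two captures embedded in it are constructed for the example, using the addresses from the post, and the line format assumed is tcpdump's `isakmp:` / `NONESP-encap:` / `UDP-encap: ESP(spi=...)` notation.

```python
import re
from collections import Counter

# Constructed tcpdump output (written for this example, not the poster's
# capture): the IKE exchange on UDP 500 is present, but no ESP and no
# UDP 4500 packets follow it, so the SA exists yet no data ever flows.
SAMPLE_IKE_ONLY = """\
16:17:48.101 IP 81.97.144.210.500 > 192.168.2.28.500: isakmp: phase 1 I ident
16:17:48.205 IP 192.168.2.28.500 > 81.97.144.210.500: isakmp: phase 1 R ident
16:17:49.310 IP 81.97.144.210.500 > 192.168.2.28.500: isakmp: phase 2/others I oakley-quick
16:17:49.402 IP 192.168.2.28.500 > 81.97.144.210.500: isakmp: phase 2/others R oakley-quick
16:17:50.500 IP 81.97.144.210.500 > 192.168.2.28.500: isakmp: phase 1 I ident
"""

# Constructed capture of a healthy NAT-T tunnel for contrast: after phase 1
# the peers move to UDP 4500 and the ESP packets arrive UDP-encapsulated.
SAMPLE_NATT = """\
16:20:01.000 IP 81.97.144.210.500 > 192.168.2.28.500: isakmp: phase 1 I ident
16:20:01.100 IP 192.168.2.28.500 > 81.97.144.210.500: isakmp: phase 1 R ident
16:20:02.000 IP 81.97.144.210.4500 > 192.168.2.28.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
16:20:02.100 IP 192.168.2.28.4500 > 81.97.144.210.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick
16:20:03.000 IP 81.97.144.210.4500 > 192.168.2.28.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
16:20:03.050 IP 192.168.2.28.4500 > 81.97.144.210.4500: UDP-encap: ESP(spi=0x4d3c2b1a,seq=0x1), length 116
"""

# Patterns for tcpdump's text rendering of the three traffic kinds.
IKE_RE = re.compile(r"\.500 > \S+\.500: isakmp:")      # IKE on UDP 500
NATT_RE = re.compile(r"\.4500 > \S+\.4500:")           # anything on UDP 4500
ESP_RE = re.compile(r"\bESP\(spi=0x[0-9a-fA-F]+")      # raw ESP, IP proto 50

EXPLANATIONS = {
    "no-ike": "No IKE traffic on UDP 500: the peer's negotiation never "
              "reaches this host. Check the router's UDP 500 forwarding.",
    "ike-only": "IKE negotiation seen but neither ESP (IP protocol 50) nor "
                "NAT-T (UDP 4500): the SA is set up, yet no encrypted data "
                "packets arrive. A peer without NAT-T sends raw ESP, which "
                "the NAT device must pass through unchanged; a NAT-T capable "
                "peer should switch to UDP 4500 after phase 1.",
    "natt-seen": "UDP 4500 traffic seen: encrypted packets are being "
                 "UDP-encapsulated through the NAT as expected.",
    "esp-seen": "Raw ESP seen: encrypted packets reach the host, so the NAT "
                "is not the problem; look at the host's IPsec policy and "
                "firewall if the ping still fails.",
}


def classify(line: str) -> str:
    """Label one tcpdump line as ike, natt, esp or other."""
    # UDP 4500 is checked first: UDP-encapsulated ESP also matches ESP_RE.
    if NATT_RE.search(line):
        return "natt"
    if ESP_RE.search(line):
        return "esp"
    if IKE_RE.search(line):
        return "ike"
    return "other"


def summarize(capture: str) -> Counter:
    """Count packets per class over a whole text capture."""
    return Counter(classify(line) for line in capture.splitlines() if line.strip())


def diagnose(counts: Counter) -> str:
    """Map the packet counts to the tunnel stage that is present or missing."""
    if counts["natt"]:
        return "natt-seen"
    if counts["esp"]:
        return "esp-seen"
    if counts["ike"]:
        return "ike-only"
    return "no-ike"


if __name__ == "__main__":
    for name, capture in (("ike-only capture", SAMPLE_IKE_ONLY),
                          ("nat-t capture", SAMPLE_NATT)):
        counts = summarize(capture)
        verdict = diagnose(counts)
        print(f"{name}: {dict(counts)} -> {verdict}")
        print("  " + EXPLANATIONS[verdict])
```

On a live gateway the same classification can be fed from `tcpdump -n -i eth0 'udp port 500 or udp port 4500 or proto 50'`; the "ike-only" verdict tells you to look at what the NAT device does with ESP before touching the host's IPsec configuration.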



