[Openswan Users] IPSec SA Established, Problem with pinging and other traffic

Martin Goldstone nightofdarkness at hotmail.com
Fri Dec 10 14:22:02 CET 2004



Hi All,

I'm currently in the middle of setting up an IPSec connection which will 
have a road warrior (running Windows XP) connecting to a Suse 9.1 box 
(kernel 2.6.5, openswan 2.2.0) which is NATed.

Network wise it looks like this:

Road warrior --- Internet --- NAT Device (broadband router) --- Suse Box

I've had to put the Suse box in the DMZ of the broadband router, otherwise I 
cannot even establish an IPSec SA (in fact, the output of tcpdump shows no 
traffic arriving at the Suse box on udp/500 or udp/4500 even though those 
have been set up in the broadband router to be forwarded to the Suse box, 
I'm guessing this is because the Windows XP box is not updated (it can't be 
because it hasn't had SP1 or SP2 applied), or the broadband router is playing 
up).

I've set up the IPSec connection using the snap-in in MMC (I'd like to do 
the l2tp connection eventually, but just using the add network connection 
wizard did not work). When I ping from the Windows box, it shows 
"Negotiating IP Security", followed by request timed out. It doesn't matter 
how long I try, I keep getting request timed out. That is until I ping the 
Windows box from the Suse box. At this point, pings in both directions work 
properly.

To start with, I'd like to avoid this need to manually ping the Windows box. 
This is mainly because its IP address is assigned by DHCP (although in 
practice it seems to be static).

There are a few points on top of this. Currently, I'm using SSH to view 
logs/change config options etc on the Suse box from the Windows box (port 22 
is forwarded on the broadband router for this purpose).  However, once I 
establish the tunnel, I can no longer access the Suse box through anything 
other than pinging it (I've tried through both the public address of the 
broadband router, which is what I currently use, and through the private 
address of the Suse box, which is used for the pinging, and which in my 
understanding would send the traffic through the tunnel).  After I un-assign 
the IPSec policy in the MMC snap-in, I can connect through the public 
address like I did before. This also applies to http requests to Apache2. I 
got round the problem with SSH by using the leftprotoport and rightprotoport 
options in ipsec.conf and their counterparts in windows to restrict the 
IPSec tunnel to ICMP, but this is obviously useless, as then the only secure 
packets sent will be ping packets and the like.  As soon as I go back to 
using 0/0 as the protocol/port settings, I get locked out again. Even if I 
start pinging the Windows box from the Suse box before I initiate the ping 
on the Windows box to bring up the tunnel, I still get no joy. I receive 
replies on the Windows box, and from the Windows side everything seems up, 
but SSH, http requests and I assume everything else, still do not function.

I hope someone out there will have suggestions on solving this, as I'm 
beginning to tear my hair out.

Thanks in advance,

Mart
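The two protoport settings the post contrasts, as an added example that is not the poster's own ipsec.conf (which is not shown): an Openswan 2.x-style road-warrior conn for a gateway behind NAT, with the ICMP-only restriction beside the unrestricted 0/0 form. The conn names, addresses, virtual_private ranges and the `1/0` spelling of "ICMP, any type" are assumptions.

```ini
# Constructed example, not the poster's configuration. Addresses and conn names are placeholders.
config setup
    interfaces=%defaultroute
    nat_traversal=yes                  # gateway sits behind a NAT device, so allow UDP 4500 encapsulation
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16   # assumed private ranges clients may arrive from

# Workaround from the post: only ICMP is selected into the tunnel, so SSH and HTTP
# are left outside it and travel unprotected. Useful for a ping test, not as a policy.
conn roadwarrior-icmp-only
    left=192.168.1.10                  # placeholder: private address of the Linux gateway
    leftprotoport=1/0                  # assumed syntax: protocol 1 (ICMP), any type/code
    right=%any
    rightprotoport=1/0
    authby=secret                      # assumes a matching entry in ipsec.secrets
    auto=add

# Intended setting: every protocol and port between the two hosts goes through the tunnel.
# With this selector in place, plain-text SSH/HTTP to the gateway's private address is no
# longer possible from the client; it must either match the tunnel or be dropped.
conn roadwarrior
    left=192.168.1.10
    leftprotoport=0/0                  # unrestricted, as in the post
    right=%any
    rightprotoport=0/0
    authby=secret
    auto=add
```

Only one of the two conns should be loaded at a time; `ipsec auto --status` on the gateway lists which conn and selectors the established SA actually carries, which is the first thing to compare against what the Windows policy expects.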
