[Openswan Users]
IPSec SA Established, Problem with pinging and other traffic
Martin Goldstone
nightofdarkness at hotmail.com
Fri Dec 10 14:22:02 CET 2004
Hi All,
I'm currently in the middle of setting up an IPSec connection which will
have a road warrior (running Windows XP) connecting to a Suse 9.1 box
(kernel 2.6.5, Openswan 2.2.0) which is NATed.
Network wise it looks like this:
Road warrior --- Internet --- NAT Device (broadband router) --- Suse Box
I've had to put the Suse box in the DMZ of the broadband router, otherwise I
cannot even establish an IPSec SA (in fact, the output of tcpdump shows no
traffic arriving at the Suse box on udp/500 or udp/4500, even though those
have been set up in the broadband router to be forwarded to the Suse box.
I'm guessing this is because the Windows XP box is not updated (it can't be,
because it's not had SP1 or SP2 applied), or the broadband router is playing
up).
I've set up the IPSec connection using the snap-in in MMC (I'd like to do
the l2tp connection eventually, but just using the add network connection
wizard did not work). When I ping from the Windows box, it shows
"Negotiating IP Security", followed by request timed out. It doesn't matter
how long I try, I keep getting request timed out. That is until I ping the
Windows box from the Suse box. At this point, pings in both directions work
properly.
To start with, I'd like to avoid this need to manually ping the Windows box.
This is mainly because its IP address is assigned by DHCP (although in
practice it seems to be static).
There are a few points on top of this. Currently, I'm using SSH to view
logs/change config options etc. on the Suse box from the Windows box (port 22
is forwarded on the broadband router for this purpose). However, once I
establish the tunnel, I can no longer access the Suse box through anything
other than pinging it (I've tried through both the public address of the
broadband router, which is what I currently use, and through the private
address of the Suse box, which is used for the pinging, and which in my
understanding would send the traffic through the tunnel). After I un-assign
the IPSec policy in the MMC snap-in, I can connect through the public
address like I did before. This also applies to http requests to Apache2. I
got round the problem with SSH by using the leftprotoport and rightprotoport
options in ipsec.conf and their counterparts in windows to restrict the
IPSec tunnel to ICMP, but this is obviously useless, as then the only secure
packets sent will be ping packets and the like. As soon as I go back to
using 0/0 as the protocol/port settings, I get locked out again. Even if I
start pinging the Windows box from the Suse box before I initiate the ping
on the Windows box to bring up the tunnel, I still get no joy. I receive
replies on the Windows box, and from the Windows side everything seems up,
but SSH, HTTP requests and, I assume, everything else still do not function.
I hope someone out there will have suggestions on solving this, as I'm
beginning to tear my hair out.
Thanks in advance,
Mart
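For readers following the leftprotoport/rightprotoport discussion above, here is an added example of what the two selector variants look like in an Openswan 2.x ipsec.conf, together with the NAT traversal settings a NATed responder needs. This is not the poster's configuration; the connection names, the 192.168.1.0/24 addresses and the PSK authentication choice are placeholders, and the Windows-side filter lists must be set to match whichever conn is loaded.

```conf
# Added example for an Openswan 2.x responder sitting behind a NAT router.
# Not the poster's ipsec.conf: names and addresses are placeholders.

config setup
    interfaces=%defaultroute
    # The Suse box is behind the broadband router, so IKE must be allowed to
    # switch to NAT-T (udp/4500); the router still has to forward udp/500
    # and udp/4500 to the box, or no SA is negotiated at all.
    nat_traversal=yes
    # Private ranges a NATed road warrior may present as its inner address.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

# Settings shared by both variants below.
conn %default
    # Openswan side: the box's own (private) address and its next hop,
    # i.e. the broadband router. Placeholder addresses.
    left=192.168.1.10
    leftnexthop=192.168.1.1
    # Road warrior: any address, possibly itself behind NAT
    # (matching ipsec.secrets entry assumed, e.g. '192.168.1.10 %any : PSK "..."').
    right=%any
    rightsubnet=vhost:%no,%priv
    authby=secret
    keyexchange=ike
    pfs=no

# Variant 1: selectors restricted to protocol 1 (ICMP), any port.
# Only ping and other ICMP is protected; SSH, HTTP and everything else
# between the two hosts bypasses IPsec and travels in the clear.
conn roadwarrior-icmp-only
    leftprotoport=1/0
    rightprotoport=1/0
    auto=ignore      # swap to auto=add to use this variant instead

# Variant 2: 0/0 selectors, i.e. every protocol and port between the two
# endpoints is subject to the policy. With this in force, any packet to the
# peer that does not match the established SA is dropped rather than sent
# unprotected, so both sides must agree on exactly the same selectors.
conn roadwarrior-all
    leftprotoport=0/0
    rightprotoport=0/0
    auto=add
```

Only one of the two conns should be loaded at a time, since their selectors overlap for ICMP; `auto=ignore` on the one not in use keeps it out of the policy. After editing, `ipsec setup restart` reloads the file and `ipsec auto --status` shows which conns are loaded and their selectors.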