RE: [Openswan Users] IPSec SA Established, Problem with pinging and other traffic

Giovani Moda - MR Informática giovani at
Fri Dec 10 18:29:46 CET 2004


It's been a long time since I (luckily) made a Windows XP SP1 box work as
a roadwarrior with openswan. As Jacco mentioned, Nate Carlson's page
( helped me A LOT.

As far as I can recall, after a few weeks of almost insanity trying to
make the damn thing work, I found out that the Windows XP box wouldn't
tunnel up because it was waiting for a specific packet from the
Openswan box that, by default, was not being sent. I'm not sure if this
is your case, but my workaround was to add the line
"leftsendcert=always" to the OpenSwan ipsec.conf, by the roadwarrior

After that, the tunnel went up, and everything worked. 

Anyway, I kinda dropped these tests, and the last time I tried to set up a
roadwarrior with WXP and OpenSwan, I couldn't make it work again. Guess
I ran out of luck.

Hope it helps.


-----Original Message-----
From: users-bounces at [mailto:users-bounces at] On
Behalf Of Martin Goldstone
Sent: Friday, 10 December 2004 12:22
To: users at
Subject: [Openswan Users] IPSec SA Established, Problem with pinging and
other traffic

Hi All,

I'm currently in the middle of setting up an IPSec connection which will
have a road warrior (running Windows XP) connecting to a Suse 9.1 box
(kernel 2.6.5, openswan 2.2.0) which is NATed.

Network wise it looks like this:

Road warrior --- Internet --- NAT Device (broadband router) --- Suse Box

I've had to put the Suse box in the DMZ of the broadband router,
otherwise I cannot even establish an IPSec SA (in fact, the output of
tcpdump shows traffic arriving at the Suse box on udp/500 or udp/4500
even though have been set up in the broadband router to be forwarded to
the Suse I'm guessing this is because the Windows XP box is not updated
(it can't because it's not had SP1 or SP2 applied), or the broadband
router is

I've set up the IPSec connection using the snap-in in MMC (I'd like to
the L2TP connection eventually, but just using the add network wizard
did not work). When I ping from the Windows box, it shows "Negotiating
IP Security", followed by "request timed out". It doesn't how long I
try, I keep getting "request timed out". That is until I ping Windows
box from the Suse box. At this point, pings in both directions

To start with, I'd like to avoid this need to manually ping the Windows
This is mainly because its IP address is assigned by DHCP (although in
practice it seems to be static).

There are a few points on top of this. Currently, I'm using SSH to view
logs/change config options etc. on the Suse box from the Windows box
(port 22 is forwarded on the broadband router for this purpose). However,
once I establish the tunnel, I can no longer access the Suse box through
other than pinging it (I've tried through both the public address of the
broadband router, which is what I currently use, and through the private
address of the Suse box, which is used for the pinging, and which in my
understanding would send the traffic through the tunnel). After I
the IPSec policy in the MMC snap-in, I can connect through the public
address like I did before. This also applies to HTTP requests to
Apache2. I got round the problem with SSH by using the leftprotoport and
options in ipsec.conf and their counterparts in Windows to restrict the
IPSec tunnel to ICMP, but this is obviously useless, as then the only
packets sent will be ping packets and the like. As soon as I go back to
using 0/0 as the protocol/port settings, I get locked out again. Even if
start pinging the Windows box from the Suse box before I initiate the
on the Windows box to bring up the tunnel, I still get no joy. I receive
replies on the Windows box, and from the Windows side everything seems
but SSH, HTTP requests and I assume everything else, still do not

I hope someone out there will have suggestions on solving this, as I'm
beginning to tear my hair out.

Thanks in advance,

