[Openswan Users]

Paul Wouters paul at xelerance.com
Sun Dec 19 22:35:25 CET 2004

On Sun, 19 Dec 2004, Martin Temmink wrote:

[ please, next time post a URL to  your barf. It doesn't make much sense to send
   a 500kb email to every list subscriber ]

> The tunnel established correct, but I cannot ping anything on the othersite.

> My packets shows up in TCPDUMP as clear text and are not going through the
> tunnel.

> Linux Openswan U2.3.0dr4/K2.6.8-24.5-default (native)

You are using NETKEY from the 2.6 kernel. You just think it leaves in plaintext,
beause you are observing from an IPsec endpoint machine. Sniff the traffic
from a machine between the two endpoints, and you will see that traffic is

> conn net-to-net
>        left=xx.xx.x.217
>        leftsubnet=
>        leftnexthop=xx.xx.x.1
>        leftsourceip=xx.xx.x.217
>        leftid=@xxxx
>        leftrsasigkey=dasfsdfsadfasdfasf
>        right=yy.yy.yy.227
>        rightsubnet=
>        rightnexthop=yy.yy.yy.1
>        rightid=@linux
>        rightrsasigkey=dasfdasfsdfaf
>        auto=start

>        rp_filter= 1

This might bite you. You should disable rp_filter, since it's simplistic
in-build anti-spoofing rules have no idea about IPsec.

>        pfs=no

for openswan-openswan, you should always use pfs=yes (the default)

> + egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter
> lo/rp_filter
> all/rp_filter:1
> default/rp_filter:1
> eth0/rp_filter:1
> eth1/rp_filter:1
> lo/rp_filter:1

Definately, changfe that rp_filter value.

Are you sure you are not pinging from teh gateway without -I 192.168.x.1 ?
Are you sure your firewall rules are not blocking traffic?
Are you sure nothing is NATing packets?


More information about the Users mailing list