[Openswan Users] IPSec-tunnel does not work until a traceroute from the host to the roadwarrior

Michael P. Dobmeier dobmeier.michael at web.de
Wed Jun 16 23:10:20 CEST 2004


Dear experts,

As I have some strange problems with Openswan under SuSE Linux 9.1
(U2.1.2/K2.6.4-54.5 native), I hope you have some advice on how to get
Openswan to work.

The hardware configuration is as follows:

Left-Side:
==========
                     DMZ
             192.168.2.2--
 (host:linux/openswan)    \
                           --192.168.2.1<->a.b.c.d(dynIP/dynDNS)-->Internet
                          /      DSL-WLAN-Router(SMC2804WBR)
           192.168.2.101--       (IPSec-Pass through,
     (RW1:WinXP/ebootis)          NAT: ext. UDP 500 <-> 192.168.2.2 UDP 500
                                       ext. TCP 22  <-> 192.168.2.2 TCP 22)

Right-Side:
=============
 Internet  <-->   e.f.g.h
          DialUp  (RW2:WinXP/ebootis)


It's no problem to bring up a tunnel between the host and RW1. But I have some
problems establishing a tunnel between the host and RW2, even though the logs
don't show any errors - neither /var/log/messages under Linux nor the
Oakley log under Windows.

While pinging from RW2 to the host I get the following output:

Negotiating IP Security.
Negotiating IP Security.
Request timed out.
Request timed out.

Every new ping has the result "Request timed out." even though the IPsec SA
is established. I also have no access to the running services on the host
over the tunnel.

But I have found a way to get the tunnel to work: the ping is not
successful until I do a traceroute from the host to RW2. As soon as the
traceroute has finished, the tunnel works and I have access to the services
on the host.

Now my question is: what's going wrong here? I think it would be
possible to create a script, called by the "leftupdown" command,
which does the traceroute; however, I would like to understand the
process behind this or the exact fault!

Thank you kindly in advance for any help!

Sincerely,

Michael
