[Openswan Users] can ping to road warrior, cannot ping the other way

Joseph Commisso commisj at cs.sunyit.edu
Thu Nov 11 23:09:04 CET 2004


Hi,

I have a Linux 2.4 kernel with openswan 2.2.0 and the tunnel is up!
There are two gateway/firewalls running openswan.
I can ping from behind our static ip to the road warrior fine, but when I 
ping from behind the road warrior to a box behind the static ip address, 
no go:

# ping -I 192.168.192.1 192.168.3.7
PING 192.168.3.7 (192.168.3.7) from 192.168.192.1 : 56(84) bytes of data.
64 bytes from 192.168.3.7: icmp_seq=1 ttl=127 time=33.8 ms
64 bytes from 192.168.3.7: icmp_seq=2 ttl=127 time=13.3 ms
64 bytes from 192.168.3.7: icmp_seq=3 ttl=127 time=15.9 ms
64 bytes from 192.168.3.7: icmp_seq=4 ttl=127 time=17.7 ms

--- 192.168.3.7 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3032ms
rtt min/avg/max/mdev = 13.322/20.195/33.807/8.015 ms

But, look at the other direction:

# ping -I 192.168.3.1 192.168.192.10
PING 192.168.192.10 (192.168.192.10) from 192.168.3.1 : 56(84) bytes of 
data.

--- 192.168.192.10 ping statistics ---
29 packets transmitted, 0 received, 100% packet loss, time 28013ms

Also, here is the output of "ipsec verify":

# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path 
[OK]
Linux Openswan cvs2002Mar11_19:19:03 (klips)
Checking for IPsec support in kernel 
[OK]
Checking for RSA private key (/etc/ipsec.secrets) 
[OK]
Checking that pluto is running 
[OK]
Two or more interfaces found, checking IP forwarding 
[OK]
Checking NAT and MASQUERADEing
Checking tun0x1006 at 24.39.245.142 from 192.168.3.0/24 to 192.168.192.0/24 
[FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 
192.168.192.0/24
         [FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 
192.168.192.0/24
         [FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 
192.168.192.0/24
         [FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 
192.168.192.0/24
         [FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 
192.168.192.0/24
         [FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 
192.168.192.0/24
         [FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 
192.168.192.0/24
         [FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 
192.168.192.0/24
         [FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 
192.168.192.0/24
         [FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 
192.168.192.0/24
         [FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 
192.168.192.0/24
         [FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 
192.168.192.0/24
         [FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 
192.168.192.0/24
         [FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 
192.168.192.0/24
         [FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 
192.168.192.0/24
         [FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 
192.168.192.0/24
         [FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 
192.168.192.0/24
         [FAILED]
SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel 192.168.3.0/24 -> 
192.168.192.0/24
Checking for 'ip' command 
[OK]
Checking for 'iptables' command 
[OK]

Opportunistic Encryption DNS checks:
    Looking for TXT in forward dns zone: george.tahan.com 
[MISSING]
    Does the machine have at least one non-private address? 
[OK]
    Looking for TXT in reverse dns zone: 213.43.58.24.in-addr.arpa. 
[MISSING]

The other end of the tunnel gives the same output (it just has a different 
ip that it references), but it is the exact same failure.

The ping does work from one end, though.
Any suggestions would be greatly appreciated.

TIA,
Joe Commisso
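The "SNAT from 192.168.3.0/24 to 0.0.0.0/0 kills tunnel" line in the ipsec verify output above is the diagnostic to chase: a MASQUERADE or SNAT rule in the nat POSTROUTING chain whose source covers 192.168.3.0/24 and whose destination is unrestricted rewrites the source address of packets headed for 192.168.192.0/24 before KLIPS sees them, so they no longer match the tunnel's policy and never get encrypted. The usual remedy is an ACCEPT rule for exactly the tunnel's left-to-right traffic placed ahead of the SNAT rule in POSTROUTING. The script below is an added illustration, not part of the original post or of the Openswan tools: it takes an iptables-save style nat table (the two tables here are constructed; only the subnets come from the post), reports whether the first matching POSTROUTING rule would rewrite tunnel traffic, and prints the exemption rule to insert. It assumes a POSIX sh with awk.

```shell
#!/bin/sh
# Added example (not from the original post or from Openswan): detect the
# "SNAT ... kills tunnel" condition that `ipsec verify` reports by reading an
# iptables-save style nat table, and print the POSTROUTING exemption to add.

# Constructed sample nat tables. The first reproduces the failing state
# (MASQUERADE covering the left subnet with no destination restriction);
# the second has the exemption rule inserted ahead of it.
NAT_BROKEN='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
COMMIT'

NAT_FIXED='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.3.0/24 -d 192.168.192.0/24 -j ACCEPT
-A POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
COMMIT'

# tunnel_protected TABLE LEFTNET RIGHTNET
# Walks the POSTROUTING rules in order (first match wins, as in netfilter).
# Prints "protected" and returns 0 if an ACCEPT for LEFTNET->RIGHTNET comes
# before any SNAT/MASQUERADE that would match that traffic, or if no such
# SNAT exists; otherwise prints "snat-kills-tunnel" and returns 1.
tunnel_protected() {
    printf '%s\n' "$1" | awk -v left="$2" -v right="$3" '
        /^-A POSTROUTING / && verdict == "" {
            src = ""; dst = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") { src = $(i + 1) }
                if ($i == "-d") { dst = $(i + 1) }
                if ($i == "-j") { target = $(i + 1) }
            }
            # An ACCEPT for exactly left->right stops further nat matching,
            # so tunnel-bound packets keep their original source address.
            if (target == "ACCEPT" && src == left && dst == right) {
                verdict = "protected"
            } else if ((target == "SNAT" || target == "MASQUERADE") &&
                       (src == "" || src == left) &&
                       (dst == "" || dst == right)) {
                # No -s means any source; no -d means 0.0.0.0/0, which is
                # exactly the case ipsec verify complains about.
                verdict = "snat-kills-tunnel"
            }
        }
        END {
            if (verdict == "") { verdict = "protected" }   # no SNAT at all
            print verdict
            if (verdict == "protected") { exit 0 } else { exit 1 }
        }
    '
}

# exemption_rule LEFTNET RIGHTNET
# Prints the iptables command that inserts the exemption at the top of
# POSTROUTING so it is evaluated before the SNAT/MASQUERADE rule.
exemption_rule() {
    printf 'iptables -t nat -I POSTROUTING -s %s -d %s -j ACCEPT\n' "$1" "$2"
}

# Usage: check both constructed tables for the tunnel from the post.
for tbl in "$NAT_BROKEN" "$NAT_FIXED"; do
    if tunnel_protected "$tbl" 192.168.3.0/24 192.168.192.0/24 >/dev/null; then
        echo "POSTROUTING leaves tunnel traffic alone"
    else
        echo "POSTROUTING rewrites tunnel traffic; fix with:"
        exemption_rule 192.168.3.0/24 192.168.192.0/24
    fi
done
```

On a live gateway the table argument would come from `iptables-save -t nat`, and the same check has to pass on the road warrior side as well, since the post says both ends show the identical failure. After inserting the exemption, re-running `ipsec verify` should no longer print the SNAT warning for that tunnel.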
