[Openswan Users]

Paul Wouters paul at xelerance.com
Tue Nov 30 11:34:03 CET 2004


On Tue, 30 Nov 2004, Itai Tavor wrote:

> Both sides act as LAN gateways, left with a fixed IP, right connected to ADSL 
> with a dynamic IP. The connection (triggered from right) starts fine but 
> pings don't work in either direction. I tried both with the firewall on and 
> off on both sides, with identical results.

I don't see any established tunnels or attempts in the logs. You either ran a barf
without starting the conns or you cut it from the barf.

One thing I notice:

conn Tir-Na-Nogth-IM
          right=%defaultroute
          rightsubnet=10.0.1.0/24
          #
          left=210.229.239.65
          leftsubnet=10.0.2.0/24

Since that side also uses interfaces=%defaultroute, I would swap right and left
in that connection.

Other than that, why not run 2.4 or 2.6 on both ends? And why openswan 2.1.2? It's
a bit old.

I cannot tell you more without seeing more. All the kernel modules seem to have been
loaded, including xfrm4_tunnel. I do see you are doing lots of blocking of icmp packets,
which might break PMTU, while you are also doing tcp clamping. The drop rules have a match
for icmp 'invalid state', and I am not entirely sure what that means, since icmp consists
of packets, not of a stateful connection. You can try allowing all icmp to see if that
helps. Also show us exactly how you are testing your 'ping' so we know it does not involve
wrong testing. In general, I don't look through firewall rules. You have MANY of them; you
might want to try to temporarily insert an 'allow all' rule to see if that might be the cause.


Paul
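The left/right swap Paul suggests, applied mechanically by a small ipsec.conf parser. This is an added example, not code from the original thread or from Openswan: it reads the "config setup" section and every "conn" section, and whenever the setup uses interfaces=%defaultroute and a conn puts %defaultroute on the right side, it swaps every left*/right* key so that the %defaultroute end becomes "left". The sample configuration embedded below is constructed for the example (only the addresses and the conn name are taken from the quoted config); the parser assumes the usual ipsec.conf layout of unindented section headers and indented key=value lines, and ignores quoted values.

```python
import re

# Constructed sample ipsec.conf for this example; the conn mirrors the one
# quoted in the thread, the setup section is assumed.
SAMPLE_CONF = """\
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

conn Tir-Na-Nogth-IM
        right=%defaultroute
        rightsubnet=10.0.1.0/24
        #
        left=210.229.239.65
        leftsubnet=10.0.2.0/24
        auto=add
"""

SIDE_RE = re.compile(r'^(left|right)(.*)$')


def parse_ipsec_conf(text):
    """Return a list of (section_name, {key: value}) in file order.

    Section headers ("config setup", "conn NAME") are unindented; keys are
    indented. Comments (from '#') and blank lines are dropped.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():           # section header
            current = (line.strip(), {})
            sections.append(current)
        else:
            if current is None:
                raise ValueError(f"key outside of a section: {raw!r}")
            key, _, value = line.strip().partition('=')
            current[1][key.strip()] = value.strip()
    return sections


def swap_sides(conn):
    """Return a copy of a conn dict with every left*/right* key swapped."""
    swapped = {}
    for key, value in conn.items():
        m = SIDE_RE.match(key)
        if m:
            other = 'right' if m.group(1) == 'left' else 'left'
            key = other + m.group(2)
        swapped[key] = value
    return swapped


def conns_to_fix(sections):
    """Names of conns that put %defaultroute on the right side while the
    setup section itself uses interfaces=%defaultroute (the thread's case)."""
    setup = dict(sections).get('config setup', {})
    if setup.get('interfaces') != '%defaultroute':
        return []
    return [name[len('conn '):] for name, body in sections
            if name.startswith('conn ') and body.get('right') == '%defaultroute']


def fixed_conf(text):
    """Re-emit the configuration with the offending conns swapped."""
    sections = parse_ipsec_conf(text)
    fix = set(conns_to_fix(sections))
    out = []
    for name, body in sections:
        if name.startswith('conn ') and name[len('conn '):] in fix:
            body = swap_sides(body)
        out.append(name)
        out.extend(f"\t{k}={v}" for k, v in body.items())
        out.append('')
    return '\n'.join(out)


if __name__ == '__main__':
    print(fixed_conf(SAMPLE_CONF))
```

Running the module prints the rewritten conn with left=%defaultroute and leftsubnet=10.0.1.0/24, and the fixed address and its subnet moved to the right side; the key order inside the conn is otherwise preserved.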

