[Openswan Users] Half-Open tunnel ?

nils toedtmann openswan-users at nils.toedtmann.net
Tue Oct 5 19:29:40 CEST 2004

On Tue, Oct 05, 2004 at 03:12:46PM +0200, O-Zone wrote:
> [MyNET]----[GW]====(VPN)=====[GW]---[OtherNET]
> If, from OtherNET, I ping a machine in MyNET, all works well. If, from MyNET,
> I ping a host inside OtherNET, it doesn't work.
> Some tests with TCPDUMP, if I ping from to (both alive):
> [On MyNET's GW]
> root at bastion:~# tcpdump -i ipsec0 dst
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on ipsec0, link-type EN10MB (Ethernet), capture size 68 bytes
> 15:01:52.085904 IP GW > icmp 64: echo request seq 838
> 15:01:53.085738 IP GW > icmp 64: echo request seq 839
> 15:01:54.085595 IP GW > icmp 64: echo request seq 840

Why is the source IP "GW" and not ""? If you mean the exterior
IP of GW: is there masquerading/SNAT on GW's ipsec0 device (view
with "iptables -t nat -nvL POSTROUTING")? Or is the internal IP
of MyNET's GW? If so: did you ping with "-I"?

> [On OtherNET's GW]
> ...nothing...

Debug further: kill all traffic in the tunnel so that your test ping
is the only traffic in that tunnel. tcpdump on the exterior ethX of
the gateways: does MyNET's GW send ESP-encapsulated echo requests? Do
they arrive at OtherNET's GW?
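The two checks suggested in the reply above, as an added example that is not part of the original thread: shell functions that count SNAT/MASQUERADE rules with out-interface ipsec0 in `iptables -t nat -nvL POSTROUTING` output, count ESP packets per direction in a `tcpdump -n ... esp` capture of the exterior interface, and turn the counts from both gateways into a verdict. The interface and address names (EXT_IF, LOCAL_GW, PEER_GW, INT_IP, TARGET), the addresses themselves, the sample command output, and the live_check helper are assumptions for illustration, not taken from the post.

```shell
#!/bin/sh
# Added example, not from the thread. Every name below is assumed:
EXT_IF=${EXT_IF:-eth0}            # exterior interface of this gateway
LOCAL_GW=${LOCAL_GW:-192.0.2.1}   # exterior IP of MyNET's GW (documentation range)
PEER_GW=${PEER_GW:-192.0.2.2}     # exterior IP of OtherNET's GW
INT_IP=${INT_IP:-10.1.0.1}        # MyNET-side address of this gateway (for ping -I)
TARGET=${TARGET:-10.2.0.10}       # host inside OtherNET

# Check 1: SNAT/MASQUERADE rules whose out-interface is ipsec0. With KLIPS the
# cleartext packet leaves via ipsec0 before it is encrypted, so such a rule
# rewrites its source to the gateway's address, which is what the ipsec0
# capture in the question shows. Argument: text of 'iptables -t nat -nvL
# POSTROUTING' (columns: pkts bytes target prot opt in out src dst).
nat_rules_on_ipsec0() {
    printf '%s\n' "$1" |
        awk '$3 ~ /^(SNAT|MASQUERADE)$/ && $7 == "ipsec0" { n++ } END { print n + 0 }'
}

# Check 2: ESP packets per direction on the exterior interface.
# Arguments: 'tcpdump -n ... esp' text, this gateway's exterior IP, peer's.
# Output: "out=<sent to peer> in=<received from peer>".
esp_counts() {
    printf '%s\n' "$1" | awk -v l="$2" -v p="$3" '
        $2 == "IP" && $6 ~ /^ESP\(/ {
            src = $3; dst = $5; sub(/:$/, "", dst)
            if (src == l && dst == p) outs++
            if (src == p && dst == l) ins++
        }
        END { printf "out=%d in=%d\n", outs + 0, ins + 0 }'
}

# Combine what each gateway saw for the same test ping.
# $1: esp_counts on MyNET's GW, $2: esp_counts on OtherNET's GW.
verdict() {
    a_out=${1#out=}; a_out=${a_out%% *}
    b_in=${2##*in=}
    if [ "$a_out" -eq 0 ]; then
        echo "MyNET GW never emits ESP: dropped before encryption (routing, NAT or IPsec policy)"
    elif [ "$b_in" -eq 0 ]; then
        echo "ESP leaves MyNET GW but never reaches OtherNET GW: filtered in between"
    else
        echo "ESP arrives at OtherNET GW: check its decryption and ipsec0 -> LAN forwarding"
    fi
}

# Live run (root, on MyNET's GW): capture ESP to the peer while pinging with
# the internal address as source. Not invoked unless started with --live.
live_check() {
    echo "NAT rules on ipsec0: $(nat_rules_on_ipsec0 "$(iptables -t nat -nvL POSTROUTING)")"
    tmp=$(mktemp)
    tcpdump -nl -i "$EXT_IF" esp and host "$PEER_GW" > "$tmp" 2>/dev/null &
    pid=$!
    sleep 1
    ping -c 3 -I "$INT_IP" "$TARGET" > /dev/null 2>&1
    sleep 1; kill "$pid"; wait "$pid" 2>/dev/null
    esp_counts "$(cat "$tmp")" "$LOCAL_GW" "$PEER_GW"
    rm -f "$tmp"
}

# Constructed sample output (not real captures) to exercise the checks offline.
# The second MASQUERADE rule is the faulty one: it matches ipsec0.
SAMPLE_NAT='Chain POSTROUTING (policy ACCEPT 12 packets, 900 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  3024 MASQUERADE  all  --  *      eth0    10.1.0.0/24          0.0.0.0/0
    3   252 MASQUERADE  all  --  *      ipsec0  10.1.0.0/24          0.0.0.0/0'

SAMPLE_CAP_MYNET='15:01:52.086012 IP 192.0.2.1 > 192.0.2.2: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
15:01:53.085890 IP 192.0.2.1 > 192.0.2.2: ESP(spi=0x0a1b2c3d,seq=0x2), length 116
15:01:54.085701 IP 192.0.2.1 > 192.0.2.2: ESP(spi=0x0a1b2c3d,seq=0x3), length 116'

SAMPLE_CAP_OTHER=''   # nothing seen on OtherNET's GW exterior interface

case "${1:-}" in
    --live) live_check ;;
    *)
        echo "NAT rules on ipsec0: $(nat_rules_on_ipsec0 "$SAMPLE_NAT")"
        # On OtherNET's GW the local/peer roles are swapped.
        verdict "$(esp_counts "$SAMPLE_CAP_MYNET" "$LOCAL_GW" "$PEER_GW")" \
                "$(esp_counts "$SAMPLE_CAP_OTHER" "$PEER_GW" "$LOCAL_GW")" ;;
esac
```

Run the live half on both gateways at the same time (the capture on OtherNET's GW only needs `tcpdump -nl -i ethX esp and host <MyNET GW>`), then feed the two esp_counts lines to verdict. If check 1 finds a rule, the usual fix is to restrict masquerading to the exterior interface (`-o eth0`): the ESP packets that leave eth0 already carry the gateway's address, while the cleartext packets going into ipsec0 are left alone.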

