[Openswan Users] multiple tunnel fails after upgrade

Vik Heyndrickx vik.heyndrickx at edchq.com
Sun Sep 5 11:32:51 CEST 2004


Hi all,

After upgrading from Freeswan 2.0.x to Openswan 2.1.4 (fc2), only one tunnel appears to work, even though multiple tunnels were and are configured correctly.

I had two hosts both running Freeswan 2.0.x (I think it is 2.0.4), that connected three networks behind these tunnel end points, one behind the left gateway, let us call it LGNW, and two not directly connected behind the right gateway, RGNW1 and RGNW2. OE is configured to be off.

I replaced the right gateway with an FC2 (kernel 2.6.8-1.521) + Openswan 2.1.4 server, with EXACTLY the same ipsec.conf and ipsec.secrets. When I restart ipsec, both tunnels come up (both gateways agree on that in /proc/net/ipsec_eroute and ipsec auto --status respectively).

However, when I ping from a host on LGNW to a host on RGNW1 and RGNW2, only a host on one of those networks will respond. The other does not. Now, if I bring up only one tunnel at a time, I can ping the host on that tunnelled network on the right hand side; and this applies to both RGNW1 and RGNW2.

rp_filter is 0 for all interfaces, ip_forward is on. No firewalling was applied during the setup and tests, so as far as the netfilter code is concerned, packets were allowed to flow freely.

When both tunnels are up, only one network is reachable. I know that, for the failing network, the echo-request (ping) packet is being received by the left gateway, that it is tunnelled, and that the tunnelled packet is being received by the right gateway; and there it vanishes. Strange. Oh, yes, compress is on for _both_ tunnels, on both sides, and for the sake of completeness I tried it also with compress _off_ for both tunnels on the two sides, with the same results.

So, I checked the IP routing table ("ip route show table all"), and both destination networks have exactly the same entries (differing only in the network address). If I ping directly from the right gateway, I can reach both RGNW1 and RGNW2 without a problem, but if I do so from a host on the LGNW, I can reach exactly one other network, and not both.

Any ideas?

-- 
Vik Heyndrickx

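The checks described in the post (that both subnet pairs have an eroute on each gateway, that the eroute selectors do not overlap, and whether the per-eroute packet counter in /proc/net/ipsec_eroute moves while pinging the failing network) can be scripted against a saved copy of that file. The following is an added example, not code from the post or from Openswan. It assumes the KLIPS line format "<pkts> <src>/<len> -> <dst>/<len> => <said>", and the subnet addresses, SAIDs and counters in the constructed snapshots are invented to stand in for LGNW, RGNW1 and RGNW2:

```python
"""Cross-check configured conns against KLIPS eroutes (added example, assumptions noted)."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Assumed /proc/net/ipsec_eroute line format:
#   <pkts>   <src>/<len>  ->  <dst>/<len>  =>  <said>
EROUTE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\S+)\s+=>\s+(\S+)\s*$")

# Constructed snapshots taken on the RIGHT gateway before and after pinging
# one host on RGNW1 (reachable) and one on RGNW2 (not reachable) from LGNW.
# LGNW = 192.168.10.0/24, RGNW1 = 10.1.0.0/24, RGNW2 = 10.2.0.0/24 (invented).
BEFORE = """\
10         10.1.0.0/24        -> 192.168.10.0/24   => tun0x1002@203.0.113.1
0          10.2.0.0/24        -> 192.168.10.0/24   => tun0x1004@203.0.113.1
"""
AFTER = """\
15         10.1.0.0/24        -> 192.168.10.0/24   => tun0x1002@203.0.113.1
0          10.2.0.0/24        -> 192.168.10.0/24   => tun0x1004@203.0.113.1
"""
# (leftsubnet, rightsubnet) pairs as they appear in the conn sections of ipsec.conf.
CONNS = [("192.168.10.0/24", "10.1.0.0/24"), ("192.168.10.0/24", "10.2.0.0/24")]

Selector = Tuple[str, str]


def parse_eroutes(text: str) -> Dict[Selector, Tuple[int, str]]:
    """Map (src, dst) selector -> (outbound packet count, SAID); other lines are skipped."""
    table: Dict[Selector, Tuple[int, str]] = {}
    for line in text.splitlines():
        m = EROUTE_RE.match(line)
        if not m:
            continue
        pkts, src, dst, said = m.groups()
        src = str(ipaddress.ip_network(src, strict=False))
        dst = str(ipaddress.ip_network(dst, strict=False))
        table[(src, dst)] = (int(pkts), said)
    return table


def missing_eroutes(text: str, conns: List[Selector], side: str) -> List[Selector]:
    """Conns with no eroute from the local subnet to the remote one on this gateway.

    side is 'left' or 'right': eroutes are outbound policy, so on the right
    gateway the selector reads rightsubnet -> leftsubnet and vice versa.
    """
    table = parse_eroutes(text)
    missing = []
    for left, right in conns:
        local, remote = (left, right) if side == "left" else (right, left)
        key = (str(ipaddress.ip_network(local)), str(ipaddress.ip_network(remote)))
        if key not in table:
            missing.append((left, right))
    return missing


def _covers(a: Selector, b: Selector) -> bool:
    """True if selector b's src and dst both lie inside selector a's."""
    return (ipaddress.ip_network(b[0]).subnet_of(ipaddress.ip_network(a[0]))
            and ipaddress.ip_network(b[1]).subnet_of(ipaddress.ip_network(a[1])))


def overlapping_eroutes(text: str) -> List[Tuple[Selector, Selector]]:
    """Pairs of eroutes whose selectors overlap; one may be matched instead of the other."""
    keys = list(parse_eroutes(text))
    return [(a, b) for i, a in enumerate(keys) for b in keys[i + 1:]
            if _covers(a, b) or _covers(b, a)]


def moved_counters(before: str, after: str) -> Dict[Selector, int]:
    """Eroutes whose outbound packet counter changed between two snapshots.

    An echo-reply from a right-hand subnet back to LGNW would have to leave via
    that subnet's eroute, so a counter that stays put while pinging confirms the
    right gateway never sends a reply for that network.
    """
    b, a = parse_eroutes(before), parse_eroutes(after)
    return {k: a[k][0] - b[k][0] for k in a if k in b and a[k][0] != b[k][0]}


if __name__ == "__main__":
    print("missing eroutes (right gw):", missing_eroutes(AFTER, CONNS, "right"))
    print("overlapping eroutes:", overlapping_eroutes(AFTER))
    print("counters that moved:", moved_counters(BEFORE, AFTER))
```

Run it with two real snapshots (cat /proc/net/ipsec_eroute before and after the pings) in place of the constructed ones; a conn reported missing or a counter that never moves for the failing subnet narrows the problem to the right gateway's inbound path, which is what the post observes.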