[Openswan Users] Problem with ipsec routing

Ming-Ching Tiew mingching.tiew at redtone.com
Wed Aug 10 17:02:27 CEST 2005


Hi, I am back on this list, now with a problem which I need solved.

I have a configuration where I use OpenSWAN 2.3.1 with kernel 2.4.29,
and if I set left=%any on firewall machine A, it means it will not initiate
a connection and just waits for someone to connect to it.  The VPN can be
established, but the LAN packets from the A side are not routed properly into the
ipsec0 device; pings to the B-side LAN are not routed into ipsec0 and
hence cannot reach the remote.

Whereas the IKE-initiating counterpart B is able to route correctly and hence
is able to ping the A-side LAN.

Running 'ipsec eroute' revealed that both sides have established proper 'eroute's,
but tcpdump on machine A revealed that packets did not enter 'ipsec0' when
I do a ping from the A-side LAN.

I used to have this problem last time, but I was able to fix it by re-running the
iptables scripts. However, recently it has gotten worse; re-running the iptables
scripts will not fix the problem.

However, if I remove left=%any and change it to a fixed IP, and allow the
A-side firewall to initiate the IKE negotiation, then this problem does not occur.

Any idea why this is happening?
