[Openswan Users] Problem with ipsec routing
Ming-Ching Tiew
mingching.tiew at redtone.com
Wed Aug 10 17:02:27 CEST 2005
Hi, I am back on this list, now with a problem that I need solved.
I have a configuration where I use OpenSWAN 2.3.1 with kernel 2.4.29,
and if I set left=%any on firewall machine A, it means it will not initiate
the connection and just waits for someone to connect to it. The VPN can be
established, but the LAN packets from the A side are not routed properly into the
ipsec0 device; pings to the B-side LAN will not be routed into ipsec0 and
hence are unable to reach the remote.
Whereas the IKE-initiating counterpart B is able to route correctly and hence
is able to ping the A-side LAN.
Running 'ipsec eroute' revealed that both sides have established proper 'eroute's,
but tcpdump on machine A revealed that packets did not enter 'ipsec0' when
I do a ping from the A-side LAN.
I used to have this problem before, but I was able to fix it by re-running the
iptables scripts. However, recently it has gotten worse; re-running the iptables
scripts will not fix the problem.
However, if I remove the left=%any, change it to a fixed IP, and allow the
A-side firewall to initiate the IKE negotiation, then this problem does not occur.
Any idea why this is happening?
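The symptom described in this post is an eroute that exists while the kernel routing table still sends the remote LAN out the plain interface instead of ipsec0. The script below is an added diagnostic example, not part of the original post or of Openswan itself: it compares the destination subnets listed by 'ipsec eroute' against the devices in 'ip route show' output and flags any remote subnet that does not leave via ipsec0. The two outputs are constructed sample text embedded inline (the eroute line follows the KLIPS "count src -> dst => said" layout, which is an assumption about the format); on a real box you would feed it the live command output instead.

```shell
#!/bin/sh
# Constructed sample output (not captured from the poster's machines).
# Assumed KLIPS 'ipsec eroute' layout: "<count> <src-subnet> -> <dst-subnet> => <said>"
EROUTES='12   192.168.1.0/24   -> 10.0.2.0/24    => tun0x1002@203.0.113.2'

# 'ip route show' as seen in the broken case: the remote LAN 10.0.2.0/24 is routed
# via the default gateway on eth0, so packets never enter ipsec0.
ROUTES_BROKEN='10.0.2.0/24 via 198.51.100.1 dev eth0
192.168.1.0/24 dev eth1 scope link
default via 198.51.100.1 dev eth0'

# The same table in the working case: the remote LAN is routed through ipsec0.
ROUTES_OK='10.0.2.0/24 dev ipsec0 scope link
192.168.1.0/24 dev eth1 scope link
default via 198.51.100.1 dev eth0'

# eroute_dst_subnets: print the remote (destination) subnet of every eroute line.
eroute_dst_subnets() {
    printf '%s\n' "$1" | awk '/->/ { print $4 }'
}

# route_dev PREFIX ROUTES: print the device the routing table uses for PREFIX
# (prints nothing when there is no exact-prefix route).
route_dev() {
    printf '%s\n' "$2" | awk -v p="$1" \
        '$1 == p { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }'
}

# check_ipsec_routes EROUTES ROUTES: for every eroute destination, verify that the
# kernel route leaves via ipsec0. Prints one line per subnet; returns 0 only if
# every eroute destination is routed through ipsec0.
check_ipsec_routes() {
    eroutes="$1"; routes="$2"; rc=0
    for dst in $(eroute_dst_subnets "$eroutes"); do
        dev=$(route_dev "$dst" "$routes")
        if [ "$dev" = "ipsec0" ]; then
            echo "OK      $dst via $dev"
        else
            echo "MISSING $dst routed via '${dev:-none}', expected ipsec0"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run against the broken sample table.
check_ipsec_routes "$EROUTES" "$ROUTES_BROKEN" || echo "routing table does not match eroutes"
```

On a live system replace the constructed variables with `$(ipsec eroute)` and `$(ip route show)`; a MISSING line on the responder side while the eroute is present points at the route-installation step (the updown script) rather than at IKE or the SA itself.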