[Openswan Users] Problem with ipsec routing

John A. Sullivan III jsullivan at opensourcedevel.com
Wed Aug 10 07:27:06 CEST 2005 

On Wed, 2005-08-10 at 16:02 +0800, Ming-Ching Tiew wrote:
> Hi I am back to this list and now with a problem which I need it solved.
> 
> I have a configuration where I used OpenSWAN 2.3.1 with kernel 2.4.29 
> and if I set left=%any on firewall machine A, it means it will not initiate
> connection and it just waits for someone to connect to it.  The VPN can be 
> established but the LAN packets from A side, is not routed properly into the 
> ipsec0 device, pinging B-side LAN will not be routed into ipsec0 and 
> hence unable to reach the remote. 
> 
> Whereas the IKE initiating counterpart B is able to route correct and hence 
> able to ping the A-side LAN.
> 
> Running 'ipsec eroute' revealed that both sides has established proper 'eroute'
> but tcpdump on machine A revealed that packets did not enter 'ipsec0' if
> I do a ping from the A-side LAN.
> 
> I used to have this problem last time, but I was able to fixed it via re-run of
> iptables scripts. However, recently it has gotten worse, re-running iptables
> scripts will not fix the problem.
> 
> However if I remove the left=%any and change it to a fixed IP, and allow
> A-side firewall to initiate the IKE negotiation, then this problem will not occur.
> 
> Any idea why is this happening ?
<snip>
Nothing jumps to mind.  I wondered if you perhaps had a more specific
route to the destination than the route through the ipsec interface but
that wouldn't explain why it works with a fixed IP.

I thought you could place logging rules in your iptables rule set to see
where the packet stops but, again, why would changing to a fixed IP fix
it.  Although I wonder if there is, perhaps, a rule using some script
variable and the variable is the problem.  Perhaps when the A side
initiates, the variable is set properly.  When it does not, the variable
is set to some other value or is unset.

Are the packets from side A to side B dropped or misrouted? In other
words, do they come out the other end but are just not in the tunnel or
do they never make it through the VPN gateway at all? - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net

More information about the Users mailing list