[Openswan Users] net-to-net cannot ping

rp rewt at enternet.hu
Wed Aug 31 04:51:25 CEST 2005


dear list,

i have a pretty straightforward setup on debian sarge, kernel 2.6.12, openswan
ver 2.2.0-8.

192.168.249.0/24===1.2.3.4[@gw]---208.57.234.1...208.57.234.1---5.6.7.8[@gw2]===192.168.248.0/24

conn net-to-net
    left=1.2.3.4
    leftsubnet=192.168.249.0/24
    leftid=@gw
    leftrsasigkey=0sAQOOC3WHMwGDaNt6HzIL7Bk+VDY7KxcgyU/0/0sJyEsWPpoatGQ4a8msKKy
    leftnexthop=%defaultroute
    right=5.6.7.8
    rightsubnet=192.168.248.0/24
    rightid=@gw2
    rightrsasigkey=0sAQNyrnIlNBK1xAb66Bzwxymn+9kUmSkIQ+QWhVVcXBTJEdB5rqKLMZ+JmP
    rightnexthop=%defaultroute
    auto=start


the log says:

Aug 30 18:11:40 gw ipsec__plutorun: Starting Pluto subsystem...
Aug 30 18:11:40 gw pluto[2771]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Aug 30 18:11:40 gw pluto[2771]:   including NAT-Traversal patch (Version 0.6c) [disabled]
Aug 30 18:11:40 gw pluto[2771]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug 30 18:11:40 gw pluto[2771]: Using Linux 2.6 IPsec interface code
Aug 30 18:11:40 gw pluto[2771]: Changing to directory '/etc/ipsec.d/cacerts'
Aug 30 18:11:40 gw pluto[2771]: Could not change to directory '/etc/ipsec.d/aacerts'
Aug 30 18:11:40 gw pluto[2771]: Changing to directory '/etc/ipsec.d/ocspcerts'
Aug 30 18:11:40 gw pluto[2771]: Changing to directory '/etc/ipsec.d/crls'
Aug 30 18:11:40 gw pluto[2771]:   Warning: empty directory
Aug 30 18:11:40 gw pluto[2771]: added connection description "net-to-net"
Aug 30 18:11:40 gw pluto[2771]: listening for IKE messages
Aug 30 18:11:40 gw pluto[2771]: adding interface eth1/eth1 1.2.3.4
Aug 30 18:11:40 gw pluto[2771]: adding interface lo/lo 127.0.0.1
Aug 30 18:11:40 gw pluto[2771]: adding interface eth0/eth0 192.168.249.254
Aug 30 18:11:40 gw pluto[2771]: loading secrets from "/etc/ipsec.secrets"
Aug 30 18:11:40 gw pluto[2771]: "net-to-net" #1: initiating Main Mode
Aug 30 18:11:40 gw pluto[2771]: "net-to-net" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 30 18:11:40 gw pluto[2771]: "net-to-net" #1: I did not send a certificate because I do not have one.
Aug 30 18:11:40 gw pluto[2771]: "net-to-net" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 30 18:11:40 gw pluto[2771]: "net-to-net" #1: Peer ID is ID_FQDN: '@gw2'
Aug 30 18:11:40 gw pluto[2771]: "net-to-net" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 30 18:11:40 gw pluto[2771]: "net-to-net" #1: ISAKMP SA established
Aug 30 18:11:40 gw pluto[2771]: "net-to-net" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Aug 30 18:11:40 gw pluto[2771]: "net-to-net" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 30 18:11:40 gw pluto[2771]: "net-to-net" #2: sent QI2, IPsec SA established {ESP=>0x984ffa19 <0x0e088b65}


so it seems everything is fine. on 1.2.3.4 i have an iptables firewall, but
hopefully all needed connections are accepted:

iptables -A INPUT  -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A FORWARD -p udp --sport 500 --dport 500 -j ACCEPT

iptables -A INPUT  -p 50 -j ACCEPT
iptables -A OUTPUT -p 50 -j ACCEPT
iptables -A FORWARD -p 50 -j ACCEPT

iptables -A INPUT  -p 51 -j ACCEPT
iptables -A OUTPUT -p 51 -j ACCEPT
iptables -A FORWARD -p 51 -j ACCEPT


iptables -A FORWARD -s 192.168.249.0/24 -d 192.168.248.0/24 -j ACCEPT
iptables -A FORWARD -s 192.168.248.0/24 -d 192.168.249.0/24 -j ACCEPT

iptables -A INPUT -s 192.168.249.0/24 -d 192.168.248.0/24 -j ACCEPT
iptables -A INPUT -s 192.168.248.0/24 -d 192.168.249.0/24 -j ACCEPT

iptables -A OUTPUT -s 192.168.249.0/24 -d 192.168.248.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.248.0/24 -d 192.168.249.0/24 -j ACCEPT

iptables -A INPUT -s 192.168.248.0/24 -j ACCEPT
iptables -A OUTPUT -s 192.168.249.0/24 -j ACCEPT


yes, it does NAT, but i excluded all the tunneled addresses:

iptables -t nat -A POSTROUTING -s 192.168.249.$a ! -d 192.168.248.0/24 -o eth1 -j SNAT --to-source $EXTERNAL_IP

however, i just cannot ping any of the gateways. nothing can be pinged, neither the
gws nor the hosts behind them.

does anyone have a clue what can be wrong?

TIA,
regards,
Peter
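Two checks worth running on a gateway set up like the one in the post above, as an added example that is not part of the original post or of Openswan. The log shows the Linux 2.6 native IPsec stack in use ("Using Linux 2.6 IPsec interface code"). That stack has no tunnel device: an outbound packet passes the nat/POSTROUTING chain first and only then is matched against the IPsec policy, so a SNAT or MASQUERADE rule that matches traffic for the remote LAN rewrites the source address before the policy lookup, the packet no longer fits the subnet-to-subnet selector, and it leaves eth1 in the clear. The first function scans an `iptables-save -t nat` dump for NAT rules ordered before the rule that excludes the remote subnet. The second checks whether an address lies inside a subnet: a plain `ping` typed on the gateway itself takes its source address from the route to the destination, which is the default route out of eth1, so the source is the public address and not one inside leftsubnet, and such packets are not covered by the net-to-net SA (hence `ping -I <internal address>` when testing from the gateway). The two iptables dumps and the addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from Openswan.
# Assumes IPv4 and the `iptables-save` rule format; sample dumps are constructed.

# Ordering that rewrites tunnel traffic: the catch-all MASQUERADE is hit before
# the rule that excludes the remote subnet from NAT.
BAD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.249.0/24 ! -d 192.168.248.0/24 -o eth1 -j SNAT --to-source 1.2.3.4
COMMIT'

# Corrected ordering: traffic for the remote subnet is accepted (left alone)
# before any NAT rule can see it.
GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.249.0/24 -d 192.168.248.0/24 -j ACCEPT
-A POSTROUTING -s 192.168.249.0/24 ! -d 192.168.248.0/24 -o eth1 -j SNAT --to-source 1.2.3.4
COMMIT'

# nat_leak_check DUMP REMOTENET
# Prints every POSTROUTING SNAT/MASQUERADE rule that comes before the first rule
# accepting traffic to REMOTENET. Rules written with "! -d REMOTENET" can never
# match tunnel traffic and are skipped. Conservative: a reported rule may still
# be harmless if its other matches exclude the tunnel; read the output by hand.
# Exit status 0 means nothing was reported.
nat_leak_check() {
    printf '%s\n' "$1" | awk -v remote="$2" '
        /^-A POSTROUTING/ {
            nat = ($0 ~ /-j (SNAT|MASQUERADE)/)
            if (index($0, "! -d " remote)) next          # negated: never touches tunnel traffic
            if (index($0, "-d " remote) && !nat) exit    # exclusion reached: later NAT is safe
            if (nat) { bad++; print }
        }
        END { exit (bad > 0) }'
}

# ip_in_net IP CIDR
# Exit status 0 when the IPv4 address IP lies inside CIDR.
ip_in_net() {
    awk -v ip="$1" -v cidr="$2" '
        function toint(a,  o) {
            split(a, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        BEGIN {
            split(cidr, c, "/")
            host = 2 ^ (32 - c[2])                       # size of the host part
            exit !(int(toint(ip) / host) == int(toint(c[1]) / host))
        }'
}

# Demo. On a live gateway use "$(iptables-save -t nat)" instead of the samples.
for name in BAD_DUMP GOOD_DUMP; do
    eval "dump=\$$name"
    if leaks=$(nat_leak_check "$dump" 192.168.248.0/24); then
        echo "$name: no NAT rule ordered before the tunnel exclusion"
    else
        echo "$name: NAT rule(s) hit before the tunnel exclusion:"
        echo "$leaks"
    fi
done

# Source address of a ping sent from the gateway itself: the eth1 address is
# outside leftsubnet, the eth0 address is inside it.
for src in 1.2.3.4 192.168.249.254; do
    if ip_in_net "$src" 192.168.249.0/24; then
        echo "ping -I $src 192.168.248.1 -> source inside leftsubnet, goes through the tunnel"
    else
        echo "ping from $src -> source outside leftsubnet, not covered by the net-to-net SA"
    fi
done
```

The first loop reports the MASQUERADE line from the first dump and nothing from the second; the second loop shows why `ping -I 192.168.249.254` is the right way to test the tunnel from the gateway while a bare `ping` from it is not a valid test.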