[Openswan Users] Tunnel up but no routing

Joern Seemann joern at aumund.org
Fri Feb 4 13:08:39 CET 2005


Hi there!

I'm struggling with a real simple test setup. I have two Debian Testing
machines, both with kernel 2.6.8 and openswan 2.2. One of them has a fixed
address, the other is dynamically connected via a DSL line. It looks like this:

192.168.130.0/24
      |
      |
192.168.130.227 (eth0)
fixed address   (eth1)
      |
      |
   internet
      |
      |
dynamic address (ppp0)
192.168.0.5 (eth0)
     |
     |
192.168.0.0/24

Gateway config:

version 2.0     # conforms to second version of ipsec.conf specification

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

conn %default
        keyingtries=0
        disablearrivalcheck=no
        left=%defaultroute
        leftsubnet=192.168.130.0/24

conn n2n
        authby=secret
        right=%any
        rightsubnet=192.168.0.0/24
        pfs=yes
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

The other:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces=%defaultroute

# Add connections here

conn n2n
        auto=start
        authby=secret
        left=%defaultroute
        leftsubnet=192.168.0.0/24
        right=213.23.124.193
        rightsubnet=192.168.130.0/24
        pfs=yes

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

When I initiate the connection from the dynamic gateway the tunnel comes
up correctly:

stadler:~# ipsec auto --up n2n
104 "n2n" #4: STATE_MAIN_I1: initiate
106 "n2n" #4: STATE_MAIN_I2: sent MI2, expecting MR2
108 "n2n" #4: STATE_MAIN_I3: sent MI3, expecting MR3
004 "n2n" #4: STATE_MAIN_I4: ISAKMP SA established
112 "n2n" #5: STATE_QUICK_I1: initiate
004 "n2n" #5: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x8c09179a <0xaa0e5593}

But then the packets don't go through the tunnel. If I sniff on eth0 I see
the packets, but on ppp0/eth1 there is nothing to see (I ping from hosts
inside the encryption domains, not from the gateways).

Routing looks like this:

stadler:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 ippp0
145.253.4.0     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.130.0   145.253.4.0     255.255.255.0   UG    0      0        0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         145.253.4.0     0.0.0.0         UG    0      0        0 ppp0

iptables forward:

stadler:~# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  localnet/24         !192.168.130.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
stadler:~#

I even tested this with no iptables rules, but it's always the same. I
see no encrypted packets. Any hints?

Regards Joern
-- 
We are drowning in information but starved for knowledge - John Naisbitt
		My weblog: http://horatio.aumund.org/
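As an added check (example code written for this thread, not Openswan's own tooling): a small Python script that folds `conn %default` into each conn and confirms that the two posted ipsec.conf files describe the same net-to-net tunnel from both ends, including the rule that the `right=%any` side can only wait with `auto=add` while the dynamic peer does `auto=start`. The embedded configs are trimmed copies of the two above.

```python
# Added example, not from the post: merge "conn %default" into each conn and check two peers' ipsec.conf mirror each other.
def parse_conns(text):
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        if not line.strip(): continue
        if not line[0].isspace():                   # unindented: section header or directive
            parts = line.split()
            cur = tuple(parts) if parts[0] in ("conn", "config") and len(parts) == 2 else None
            if cur:
                sections.setdefault(cur, {})
        elif cur:                                   # indented key=value inside a section
            key, _, val = line.strip().partition("=")
            sections[cur][key.strip()] = val.strip()
    defaults = sections.get(("conn", "%default"), {})
    return {n: {**defaults, **kv} for (kind, n), kv in sections.items()
            if kind == "conn" and n != "%default"}

def mirror_issues(conf_a, conf_b, name):
    a, b = parse_conns(conf_a)[name], parse_conns(conf_b)[name]
    issues = []
    for ka, kb in (("leftsubnet", "rightsubnet"), ("rightsubnet", "leftsubnet")):
        if a.get(ka) != b.get(kb):                  # A's left must be B's right and vice versa
            issues.append(f"A {ka}={a.get(ka)} but B {kb}={b.get(kb)}")
    for k in ("authby", "pfs"):                     # both ends must agree
        if a.get(k) != b.get(k):
            issues.append(f"{k}: A={a.get(k)} B={b.get(k)}")
    # a responder with right=%any cannot initiate: it must be auto=add, its peer auto=start
    if a.get("right") == "%any" and (a.get("auto") != "add" or b.get("auto") != "start"):
        issues.append("right=%any side must be auto=add and the peer auto=start")
    return issues

# Trimmed copies of the two configs in the post (fixed gateway, then dynamic peer).
GATEWAY = """conn %default
    leftsubnet=192.168.130.0/24
conn n2n
    authby=secret
    right=%any
    rightsubnet=192.168.0.0/24
    pfs=yes
    auto=add
"""
DYNAMIC = """conn n2n
    auto=start
    authby=secret
    leftsubnet=192.168.0.0/24
    right=213.23.124.193
    rightsubnet=192.168.130.0/24
    pfs=yes
"""
```

Running `mirror_issues(GATEWAY, DYNAMIC, "n2n")` on the posted configs returns an empty list, so the two conn definitions are not where the problem lies.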

