[Openswan Users] Tunnel up but no routing
Joern Seemann
joern at aumund.org
Fri Feb 4 13:08:39 CET 2005
Hi there!
I'm struggling with a really simple test setup. I have two Debian Testing
machines, both with kernel 2.6.8 and openswan 2.2. One of them has a fixed
address, the other is dynamically connected via a DSL line. It looks like this:
            192.168.130.0/24
                   |
                   |
       192.168.130.227 (eth0)
         fixed address (eth1)
                   |
                   |
                internet
                   |
                   |
        dynamic address (ppp0)
          192.168.0.5 (eth0)
                   |
                   |
             192.168.0.0/24
Gateway config:
version 2.0     # conforms to second version of ipsec.conf specification

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

conn %default
        keyingtries=0
        disablearrivalcheck=no
        left=%defaultroute
        leftsubnet=192.168.130.0/24

conn n2n
        authby=secret
        right=%any
        rightsubnet=192.168.0.0/24
        pfs=yes
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
The other:
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces=%defaultroute

# Add connections here
conn n2n
        auto=start
        authby=secret
        left=%defaultroute
        leftsubnet=192.168.0.0/24
        right=213.23.124.193
        rightsubnet=192.168.130.0/24
        pfs=yes

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
When I initiate the connection from the dynamic gateway the tunnel comes
up correctly:
stadler:~# ipsec auto --up n2n
104 "n2n" #4: STATE_MAIN_I1: initiate
106 "n2n" #4: STATE_MAIN_I2: sent MI2, expecting MR2
108 "n2n" #4: STATE_MAIN_I3: sent MI3, expecting MR3
004 "n2n" #4: STATE_MAIN_I4: ISAKMP SA established
112 "n2n" #5: STATE_QUICK_I1: initiate
004 "n2n" #5: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x8c09179a <0xaa0e5593}
But then the packets don't go through the tunnel. If I sniff on eth0 I see
the packets, but on ppp0/eth1 there is nothing to see (I ping from hosts
inside the encryption domains, not from the gateways).
Routing looks like this:
stadler:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 ippp0
145.253.4.0     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.130.0   145.253.4.0     255.255.255.0   UG    0      0        0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         145.253.4.0     0.0.0.0         UG    0      0        0 ppp0
iptables forward:
stadler:~# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  localnet/24          !192.168.130.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
stadler:~#
I even tested this with no iptables rules at all, but it's always the same. I
see no encrypted packets. Any hints?
Regards Joern
--
We are drowning in information but starving for knowledge - John Naisbitt
My weblog: http://horatio.aumund.org/
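Since both gateways' ipsec.conf files are quoted above, here is an added consistency check (my example, not code from the original post or from Openswan) that parses both files, merges the conn %default entries, and confirms the n2n leftsubnet/rightsubnet pairs mirror each other, which is what the established IPsec SA's traffic selectors are built from. GATEWAY_CONF and ROADWARRIOR_CONF are constructed copies of the quoted configs with the include lines dropped so the check runs offline.

```python
# Constructed copies of the two ipsec.conf files from the post (indentation restored, include dropped).
GATEWAY_CONF = """\
version 2.0
conn %default
    keyingtries=0
    left=%defaultroute
    leftsubnet=192.168.130.0/24
conn n2n
    authby=secret
    right=%any
    rightsubnet=192.168.0.0/24
    auto=add
"""
ROADWARRIOR_CONF = """\
version 2.0
conn n2n
    auto=start
    authby=secret
    left=%defaultroute
    leftsubnet=192.168.0.0/24
    right=213.23.124.193
    rightsubnet=192.168.130.0/24
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' entries merged in."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                   # unindented: section header or keyword
            parts = line.split()
            if parts[0] in ("conn", "config") and len(parts) == 2:
                current = (parts[0], parts[1])
                sections[current] = {}
            else:
                current = None                      # 'version 2.0', 'include ...'
            continue
        if current is not None:                     # indented: key=value inside a section
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **entries} for (kind, name), entries in sections.items()
            if kind == "conn" and name != "%default"}

def selectors_mirror(conf_a, conf_b, name):
    """True when each side's (leftsubnet, rightsubnet) is the other's pair swapped."""
    a, b = parse_ipsec_conf(conf_a)[name], parse_ipsec_conf(conf_b)[name]
    return (a["leftsubnet"], a["rightsubnet"]) == (b["rightsubnet"], b["leftsubnet"])
```

For the two configs in the post the subnets do mirror each other, so a mismatch of the traffic selectors can be ruled out before looking at routing and NAT.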