[Openswan Users] Data from ipsec0 to eth2

Paul Wouters paul at xelerance.com
Sun Feb 6 18:42:46 CET 2005


On Sun, 6 Feb 2005, Trevor Morrison wrote:

> I am running IPCOP 1.4.2 which uses OpenSwan 1.0.7.  My problem is that the
> net-to-net tunnel shows as up on both ends both from the GUI as well as
> using tail -f /var/log/messages, but when I try to ping a machine on the
> other subnet I do not get any replies.  Now, I ran tcpdump -i on both ipsec0
> and eth2 at the same time and I do not see the traffic flowing from ipsec0
> to the eth2 interface.  This is the case for both tunnel endpoints.  I know
> that I am missing something, but what?  I am including my ipsec.conf file
> below:

That all looks fine. Are you pinging from the net to the net, and host from
the gateway to somewhere or from somewhere to the gateway?

> conn Hailix
>        right=xx.xx.xx.xx
>        rightsubnet=192.168.2.0/255.255.255.0
>        rightnexthop=%defaultroute
>        left=xx.xx.xx.xx
>        leftsubnet=192.168.111.0/24
>        leftnexthop=%defaultroute
>        dpddelay=30
>        dpdtimeout=120
>        dpdaction=hold
>        authby=secret
>        auto=start

You can try to add leftsourceip=192.168.2.X and rightsourceip=192.168.111.Y
where those IPs are the internal IPs of the security gateways. Then you
will be able to ping if using it from or to a gateway.

Other problems could be:
- NAT breaking packets
- no IP Forwarding enabled
- rp_filter anti-spoof protection enabled

Run 'ipsec verify' if that is available on ipcop to detect this.

Paul
-- 

"At best it is a theory, at worst a fantasy" -- Michael Crichton
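Added example, not part of Paul's reply or of the Openswan/IPCop code: a small POSIX shell audit for two of the causes listed above (IP forwarding off, rp_filter on), reading `sysctl net.ipv4`-style "key = value" lines. The sample input is constructed; the function name and the interface names in the sample are assumptions.

```shell
#!/bin/sh
# Constructed sample in the format `sysctl net.ipv4` prints; not from a real gateway.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.eth2.rp_filter = 1
net.ipv4.conf.ipsec0.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.tcp_syncookies = 1'

# audit_ipsec_sysctl (assumed name): read "key = value" lines on stdin, print one
# line per finding and finish with "problems=N". Exit status is always 0 so the
# function is safe to call under `set -e`.
audit_ipsec_sysctl() {
  problems=0
  while IFS= read -r line; do
    key=${line%% = *}
    val=${line##* = }
    case "$key" in
      net.ipv4.ip_forward)
        # A security gateway must forward, or decrypted packets never reach the LAN
        if [ "$val" != 1 ]; then
          echo "ip_forward=$val: gateway will not route decrypted packets on to the LAN"
          problems=$((problems + 1))
        fi ;;
      net.ipv4.conf.*.rp_filter)
        iface=${key#net.ipv4.conf.}
        iface=${iface%.rp_filter}
        # lo carries no tunnel traffic; report every other interface with the
        # anti-spoof check on, which is the condition Paul lists as a tunnel breaker
        if [ "$iface" != lo ] && [ "$val" != 0 ]; then
          echo "rp_filter=$val on $iface: anti-spoof check may drop tunnel traffic"
          problems=$((problems + 1))
        fi ;;
    esac
  done
  echo "problems=$problems"
}

# On a live gateway:  sysctl net.ipv4 | audit_ipsec_sysctl
printf '%s\n' "$SAMPLE_SYSCTL" | audit_ipsec_sysctl
```

With the sample above it reports the disabled forwarding plus rp_filter on `all` and `eth2`, and ends with `problems=3`.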