[Openswan Users] Data from ipsec0 to eth2
Paul Wouters
paul at xelerance.com
Sun Feb 6 18:42:46 CET 2005
On Sun, 6 Feb 2005, Trevor Morrison wrote:
> I am running IPCOP 1.4.2 which uses OpenSwan 1.0.7. My problem is that the
> net-to-net tunnel shows as up on both ends both from the GUI as well as
> using tail -f /var/log/messages, but when I try to ping a machine on the
> other subnet I do not get any replies. Now, I ran tcpdump -i on both ipsec0
> and eth2 at the same time and I do not see the traffic flowing from ipsec0
> to the eth2 interface. This is the case for both tunnel endpoints. I know
> that I am missing something, but what? I am including my ipsec.conf file
> below:
That all looks fine. Are you pinging from net to net, or from the gateway to
somewhere, or from somewhere to the gateway?
> conn Hailix
> right=xx.xx.xx.xx
> rightsubnet=192.168.2.0/255.255.255.0
> rightnexthop=%defaultroute
> left=xx.xx.xx.xx
> leftsubnet=192.168.111.0/24
> leftnexthop=%defaultroute
> dpddelay=30
> dpdtimeout=120
> dpdaction=hold
> authby=secret
> auto=start
You can try and add leftsourceip=192.168.2.X and rightsourceip=192.168.111.Y
where those IPs are the internal IPs of the security gateways. Then you
will be able to ping from or to a gateway.
Other problems could be:
- NAT breaking packets
- no IP Forwarding enabled
- rp_filter anti-spoof protection enabled
Run 'ipsec verify' if that is available on ipcop to detect this.
Paul
--
"At best it is a theory, at worst a fantasy" -- Michael Crichton
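A small audit script for the three causes Paul lists (IP forwarding off, rp_filter on, NAT rewriting tunnel traffic), added here as an example; it is not part of the original post, of IPCop or of Openswan. It parses `sysctl -a` and `iptables-save -t nat` style text, so it can be run on captured output; the subnets and interface names are assumptions taken from the quoted conn.

```shell
#!/bin/sh
# Added example: audit a KLIPS-style gateway (ipsec0 on top of eth2) for
# the failure modes named in the reply. Values below are assumptions
# matching the quoted conn; adjust for the other endpoint.
LOCAL_NET=192.168.111.0/24   # leftsubnet in the quoted conn
REMOTE_NET=192.168.2.0/24    # rightsubnet in the quoted conn
PLAIN_IF=eth2                # physical interface ipsec0 is attached to

# Read 'sysctl -a' style lines ("key = value") on stdin and print one
# "PROBLEM: ..." line per finding. Always returns 0 so it can sit in a pipe.
audit_sysctl() {
    while IFS= read -r line; do
        key=${line%% = *}; val=${line##* = }
        case "$key" in
            net.ipv4.ip_forward)
                [ "$val" = "1" ] || echo "PROBLEM: ip_forward=$val, nothing is forwarded from ipsec0 to $PLAIN_IF" ;;
            net.ipv4.conf.all.rp_filter|net.ipv4.conf.$PLAIN_IF.rp_filter|net.ipv4.conf.ipsec0.rp_filter)
                [ "$val" = "0" ] || echo "PROBLEM: $key=$val, anti-spoof filter can drop decrypted packets" ;;
        esac
    done
    return 0
}

# Read 'iptables-save -t nat' lines on stdin and print POSTROUTING
# MASQUERADE/SNAT rules that cover the local subnet (or all sources) but do
# not carry "! -d REMOTE_NET": those rewrite the tunnel traffic before
# it reaches the far side. Always returns 0.
audit_nat() {
    while IFS= read -r line; do
        case "$line" in
            "-A POSTROUTING "*"-j MASQUERADE"*|"-A POSTROUTING "*"-j SNAT"*) ;;
            *) continue ;;
        esac
        case "$line" in
            *"-s "*) case "$line" in *"-s $LOCAL_NET "*) ;; *) continue ;; esac ;;
        esac
        case "$line" in
            *"! -d $REMOTE_NET "*) ;;
            *) echo "PROBLEM: NAT rule rewrites tunnel traffic: $line" ;;
        esac
    done
    return 0
}

# Live run on the gateway itself (iptables-save needs root).
audit_live() {
    sysctl -a 2>/dev/null | audit_sysctl
    iptables-save -t nat 2>/dev/null | audit_nat
}
```

Feed it captured output with `audit_sysctl < sysctl.txt` and `audit_nat < nat.txt` when auditing a snapshot taken from the other endpoint.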