[Openswan Users] Only getting traffic oneway from Openswan to Cisco VPN3060

Shane Hickey shane at howsyournetwork.com
Fri Feb 11 10:49:50 CET 2005


All right, I'm sure this has to be something simple, but I can't find it anywhere.  Here's my setup.

My side)
	Gentoo laptop running 2.6.7-hardened-r17 (with no other kernel patches), openswan-2.3.0
	
cat /etc/ipsec/ipsec.conf | grep -v ^#

version 2.0     # conforms to second version of ipsec.conf specification
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=all
        plutodebug=all
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
        interfaces=%defaultroute

conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore

conn vpn3000-192
        left=$MY_STATIC_IP
        leftsubnet=10.252.238.0/24
        leftnexthop=$MY_STATIC_IP
        right=$CONCENTRATOR_IP
        rightsubnet=192.168.0.0/16
        auto=start
        authby=secret
        type=tunnel
        keyexchange=ike
        auth=esp
        esp=3des-md5-96
        pfs=no
        compress=no
conn vpn3000-10
        left=$MY_STATIC_IP
        leftsubnet=10.252.238.0/24
        leftnexthop=$MY_STATIC_IP
        right=$CONCENTRATOR_IP
        rightsubnet=10.250.0.0/16
        auto=start
        authby=secret
        type=tunnel
        keyexchange=ike
        auth=esp
        esp=3des-md5-96
        pfs=no
        compress=no

Remote Side)
	Cisco VPN 3060 running vpn3000-4.1.5.A-k9.bin.

I created an IPSec LAN-to-LAN connection with the following information.

Connection Type: Bi-directional
Peers: $MY_STATIC_IP
Using PSK
Authentication: ESP/MD5/HMAC-128
Encryption: 3DES-168
IKE Proposal: IKE-3DES-MD5
IPSec NAT-T [checked]
Local Network: 10.250.0.0/16 192.168.0.0/16
Remote Network: 10.252.238.0


SYMPTOMS: Any traffic that is originated from my side works fine.  So, I can ssh/web/whatever to anything in the 10.250 or 192.168 networks behind the concentrator.  However, nothing behind the concentrator can initiate a new connection to my network.  They can't ping 10.252.238 or do anything else to that network.  I don't believe it's my iptables rules on the firewall, but to test it, I ran ethereal on the laptop firewall box and had it capture all ICMP packets.  It sees pings that originate from my network, but it doesn't see anything that was originated from behind the concentrator.  So, I don't believe the packets from that side are making it here.

I'm sure I've done something foolish, so any help would be greatly appreciated.

Thanks,

Shane

-- 
Shane Hickey <shane at howsyournetwork.com>: Network/System Consultant
GPG KeyID: 777CBF3F
Key fingerprint: 254F B2AC 9939 C715 278C  DA95 4109 9F69 777C BF3F
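As an added example (not from the post or from Openswan), a small Python check that parses the conn sections of the ipsec.conf above and compares their leftsubnet/rightsubnet selectors with the concentrator's LAN-to-LAN network lists. Selectors that the two peers do not define identically are a common cause of tunnels passing traffic in only one direction. It assumes the concentrator's remote network was entered exactly as it appears in the post, without a prefix length; the config text and the concentrator lists are constructed sample input.

```python
import ipaddress
import re

# Constructed sample: the two active conns from the post, trimmed to their selectors.
IPSEC_CONF = """\
conn vpn3000-192
        leftsubnet=10.252.238.0/24
        rightsubnet=192.168.0.0/16
conn vpn3000-10
        leftsubnet=10.252.238.0/24
        rightsubnet=10.250.0.0/16
"""
# Constructed: the LAN-to-LAN network lists as typed into the VPN 3000. The post
# shows the remote network as a bare address with no mask; that is assumed here.
CONCENTRATOR = {"local": ["10.250.0.0/16", "192.168.0.0/16"],
                "remote": ["10.252.238.0"]}

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in ipsec.conf text."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            cur[key] = val
    return conns

def net(text):
    # A bare address with no mask is a single host (/32), which is how a concentrator reads it too.
    return ipaddress.ip_network(text, strict=False)

def check_symmetry(conns, concentrator):
    """List every selector the concentrator does not mirror exactly. Each conn's
    rightsubnet must be a concentrator local network and its leftsubnet a remote one."""
    local = {net(n) for n in concentrator["local"]}
    remote = {net(n) for n in concentrator["remote"]}
    findings = []
    for name, c in conns.items():
        ls, rs = net(c["leftsubnet"]), net(c["rightsubnet"])
        if rs not in local:
            findings.append(f"{name}: rightsubnet {rs} is not a concentrator local network")
        if ls not in remote:
            findings.append(f"{name}: leftsubnet {ls} is not mirrored in the remote list")
    return findings
```

Run `check_symmetry(parse_conns(IPSEC_CONF), CONCENTRATOR)` and fix whichever side the findings point at until the list is empty.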