[Openswan Users]
Only getting traffic oneway from Openswan to Cisco VPN3060
Shane Hickey
shane at howsyournetwork.com
Fri Feb 11 10:49:50 CET 2005
All right, I'm sure this has to be something simple, but I can't find it anywhere. Here's my setup.
My side)
Gentoo laptop running 2.6.7-hardened-r17 (with no other kernel patches), openswan-2.3.0
cat /etc/ipsec/ipsec.conf | grep -v ^#
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=all
    plutodebug=all
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
    interfaces=%defaultroute

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

conn vpn3000-192
    left=$MY_STATIC_IP
    leftsubnet=10.252.238.0/24
    leftnexthop=$MY_STATIC_IP
    right=$CONCENTRATOR_IP
    rightsubnet=192.168.0.0/16
    auto=start
    authby=secret
    type=tunnel
    keyexchange=ike
    auth=esp
    esp=3des-md5-96
    pfs=no
    compress=no

conn vpn3000-10
    left=$MY_STATIC_IP
    leftsubnet=10.252.238.0/24
    leftnexthop=$MY_STATIC_IP
    right=$CONCENTRATOR_IP
    rightsubnet=10.250.0.0/16
    auto=start
    authby=secret
    type=tunnel
    keyexchange=ike
    auth=esp
    esp=3des-md5-96
    pfs=no
    compress=no
Remote Side)
Cisco VPN 3060 running vpn3000-4.1.5.A-k9.bin.
I created an IPSec LAN-to-LAN connection with the following information.
Connection Type: Bi-directional
Peers: $MY_STATIC_IP
Using PSK
Authentication: ESP/MD5/HMAC-128
Encryption: 3DES-168
IKE Proposal: IKE-3DES-MD5
IPSec NAT-T [checked]
Local Network: 10.250.0.0/16 192.168.0.0/16
Remote Network: 10.252.238.0
SYMPTOMS: Any traffic that is originated from my side works fine. So, I can ssh/web/whatever to anything in the 10.250 or 192.168 networks behind the concentrator. However, nothing behind the concentrator can initiate a new connection to my network. They can't ping 10.252.238 or do anything else to that network. I don't believe it's my iptables rules on the firewall, but to test it, I ran ethereal on the laptop firewall box and had it capture all ICMP packets. It sees pings that originate from my network, but it doesn't see anything that was originated from behind the concentrator. So, I don't believe the packets from that side are making it here.
I'm sure I've done something foolish, so any help would be greatly appreciated.
Thanks,
Shane
--
Shane Hickey <shane at howsyournetwork.com>: Network/System Consultant
GPG KeyID: 777CBF3F
Key fingerprint: 254F B2AC 9939 C715 278C DA95 4109 9F69 777C BF3F
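When a LAN-to-LAN tunnel passes traffic in only one direction, one of the first things worth verifying is that both peers declare the same traffic selectors (Openswan's leftsubnet/rightsubnet pairs against the concentrator's Local/Remote Network lists). The script below is an added example, not Shane's code and not part of Openswan: it parses an ipsec.conf excerpt transcribed from the post above (placeholders such as $MY_STATIC_IP kept verbatim), enumerates the selector pairs each side would install, and reports any pair that exists on only one side. The concentrator's networks are taken from the post as written; a bare address with no prefix length is reported separately because ipaddress treats it as a single host (/32), which would not match a /24 on the other side.

```python
"""Added example (not from the post or the Openswan project): parse an
openswan-style ipsec.conf and compare the traffic selectors it installs with
the selectors a peer's LAN-to-LAN definition implies."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input, transcribed from the post; the "block" conn stands
# in for the ignored default conns, and the peer addresses stay as placeholders.
OPENSWAN_CONF = """\
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
    interfaces=%defaultroute
conn block
    auto=ignore
conn vpn3000-192
    left=$MY_STATIC_IP
    leftsubnet=10.252.238.0/24
    right=$CONCENTRATOR_IP
    rightsubnet=192.168.0.0/16
    auto=start
conn vpn3000-10
    left=$MY_STATIC_IP
    leftsubnet=10.252.238.0/24
    right=$CONCENTRATOR_IP
    rightsubnet=10.250.0.0/16
    auto=start
"""
# The concentrator's LAN-to-LAN networks exactly as listed in the post.
CONCENTRATOR_LOCAL = "10.250.0.0/16 192.168.0.0/16"
CONCENTRATOR_REMOTE = "10.252.238.0"

Section = Dict[str, str]
Pair = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def parse_ipsec_conf(text: str) -> Dict[str, Section]:
    """Return {'config setup': {...}, 'conn NAME': {...}}.

    '#' starts a comment anywhere on a line; the 'version' line is skipped;
    every other non-blank line must be a section header or key=value.
    """
    sections: Dict[str, Section] = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("version "):
            continue
        header = re.match(r"^(config|conn)\s+(\S+)$", line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line {lineno}: expected section header or key=value: {raw!r}")
        key, value = line.split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def active_conns(sections: Dict[str, Section]) -> Dict[str, Section]:
    """Conns that will actually be loaded (Openswan's default for auto= is ignore)."""
    return {name[len("conn "):]: body for name, body in sections.items()
            if name.startswith("conn ") and body.get("auto", "ignore") != "ignore"}


def parse_nets(value: str) -> List[ipaddress.IPv4Network]:
    """Parse a space-separated network list; a bare address becomes a /32 host."""
    return [ipaddress.ip_network(tok, strict=True) for tok in value.split()]


def check_selectors(sections: Dict[str, Section], peer_local: str, peer_remote: str) -> List[str]:
    """Report selector pairs (our subnet, their subnet) present on only one side."""
    findings: List[str] = []
    ours: Set[Pair] = set()
    for name, body in active_conns(sections).items():
        try:
            ours.add((parse_nets(body["leftsubnet"])[0], parse_nets(body["rightsubnet"])[0]))
        except KeyError as missing:
            findings.append(f"conn {name}: missing {missing}")
    for tok in peer_remote.split():
        if "/" not in tok:
            findings.append(f"peer remote network {tok!r} has no prefix length; it is read as a /32 host")
    # From the peer's point of view its Remote Network is our subnet.
    theirs: Set[Pair] = {(l, r) for l in parse_nets(peer_remote) for r in parse_nets(peer_local)}
    for local, remote in sorted(ours - theirs, key=str):
        findings.append(f"only on Openswan side: {local} <-> {remote}")
    for local, remote in sorted(theirs - ours, key=str):
        findings.append(f"only on concentrator side: {local} <-> {remote}")
    return findings


if __name__ == "__main__":
    result = check_selectors(parse_ipsec_conf(OPENSWAN_CONF), CONCENTRATOR_LOCAL, CONCENTRATOR_REMOTE)
    for line in result or ["selectors match on both sides"]:
        print(line)
```

Run as-is it reports the mismatch between 10.252.238.0/24 on the Openswan side and the prefix-less 10.252.238.0 on the concentrator side; passing "10.252.238.0/24" as the peer's remote network instead yields an empty list, which is what a symmetric definition should produce.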