[Openswan Users] Only getting traffic oneway from Openswan to Cisco VPN3060

Eaton, Andy Andy at seas.wustl.edu
Fri Feb 11 12:03:52 CET 2005


I think you are going to have to enable RIP on your internal interface of
the Cisco 3060 and then, under the routing section of the LAN-to-LAN, do
RRI, reverse route injection.  That will give the Cisco a route to your
network. You can check it under monitoring and then routing table.  Got
this from the Cisco documentation.

On a side note, I am running 4.1.7.B-k9.bin. I establish a connection
with the vpn concentrator but my tunnels show unrouted with ipsec auto
--status and no tunnels up with /etc/init.d/ipsec status. I still have
no idea why this won't work.

You are one step ahead of me....
Let me know if this works for you.


Andrew Eaton
 


-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Shane Hickey
Sent: Friday, February 11, 2005 11:50 AM
To: users at openswan.org
Subject: [Openswan Users] Only getting traffic oneway from Openswan to Cisco VPN3060

Alright, I'm sure this has to be something simple, but I can't find it
anywhere.  Here's my setup.

My side)
	Gentoo laptop running 2.6.7-hardened-r17 (with no other kernel patches), openswan-2.3.0

cat /etc/ipsec/ipsec.conf | grep -v ^#

version 2.0     # conforms to second version of ipsec.conf specification
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=all
        plutodebug=all
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
        interfaces=%defaultroute

conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore

conn vpn3000-192
        left=$MY_STATIC_IP
        leftsubnet=10.252.238.0/24
        leftnexthop=$MY_STATIC_IP
        right=$CONCENTRATOR_IP
        rightsubnet=192.168.0.0/16
        auto=start
        authby=secret
        type=tunnel
        keyexchange=ike
        auth=esp
        esp=3des-md5-96
        pfs=no
        compress=no
conn vpn3000-10
        left=$MY_STATIC_IP
        leftsubnet=10.252.238.0/24
        leftnexthop=$MY_STATIC_IP
        right=$CONCENTRATOR_IP
        rightsubnet=10.250.0.0/16
        auto=start
        authby=secret
        type=tunnel
        keyexchange=ike
        auth=esp
        esp=3des-md5-96
        pfs=no
        compress=no

Remote Side)
	Cisco VPN 3060 running vpn3000-4.1.5.A-k9.bin.

I created an IPSec LAN-to-LAN connection with the following information.

Connection Type: Bi-directional
Peers: $MY_STATIC_IP
Using PSK
Authentication: ESP/MD5/HMAC-128
Encryption: 3DES-168
IKE Proposal: IKE-3DES-MD5
IPSec NAT-T [checked]
Local Network: 10.250.0.0/16 192.168.0.0/16
Remote Network: 10.252.238.0


SYMPTOMS: Any traffic that is originated from my side works fine.  So, I
can ssh/web/whatever to anything in the 10.250 or 192.168 networks
behind the concentrator.  However, nothing behind the concentrator can
initiate a new connection to my network.  They can't ping 10.252.238 or
do anything else to that network.  I don't believe it's my iptables
rules on the firewall, but to test it, I ran ethereal on the laptop
firewall box and had it capture all ICMP packets.  It sees pings that
originate from my network, but it doesn't see anything that was
originated from behind the concentrator.  So, I don't believe the
packets from that side are making it here.

I'm sure I've done something foolish, so any help would be greatly
appreciated.

Thanks,

Shane

-- 
Shane Hickey <shane at howsyournetwork.com>: Network/System Consultant
GPG KeyID: 777CBF3F
Key fingerprint: 254F B2AC 9939 C715 278C  DA95 4109 9F69 777C BF3F
_______________________________________________
Users mailing list
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
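One-way traffic through a tunnel is very often a traffic-selector mismatch between the two peers' policies rather than a firewall problem, so a quick sanity check is to parse the Openswan conn sections and compare each leftsubnet/rightsubnet pair with the "Local Network" / "Remote Network" entries configured on the concentrator. The following script is an added example written for this thread, not code from either poster or from the Openswan project. It embeds a constructed copy of the ipsec.conf above (placeholders kept as-is), and it assumes a /24 mask for the concentrator's "Remote Network: 10.252.238.0" entry, which the post does not state.

```python
"""Cross-check an Openswan ipsec.conf against the peer's LAN-to-LAN policy.

If every conn's subnet pair mirrors the peer's Local/Remote networks, the
selectors are not the cause of one-way traffic and the next suspect is
routing on the peer's LAN side (e.g. a missing return route, the RRI point
raised in the reply). Added example; not part of the original thread.
"""
import ipaddress
import re

# Constructed copy of the ipsec.conf quoted in the thread; $MY_STATIC_IP and
# $CONCENTRATOR_IP are the poster's own placeholders and are left untouched.
IPSEC_CONF = """\
version 2.0
config setup
        klipsdebug=all
        plutodebug=all
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
        interfaces=%defaultroute

conn vpn3000-192
        left=$MY_STATIC_IP
        leftsubnet=10.252.238.0/24
        right=$CONCENTRATOR_IP
        rightsubnet=192.168.0.0/16
        auto=start
        esp=3des-md5-96
conn vpn3000-10
        left=$MY_STATIC_IP
        leftsubnet=10.252.238.0/24
        right=$CONCENTRATOR_IP
        rightsubnet=10.250.0.0/16
        auto=start
        esp=3des-md5-96
"""

# Peer policy as listed in the thread. The concentrator shows
# "Remote Network: 10.252.238.0" without a mask; /24 is an assumption.
PEER_LOCAL_NETWORKS = ["10.250.0.0/16", "192.168.0.0/16"]
PEER_REMOTE_NETWORKS = ["10.252.238.0/24"]


def parse_ipsec_conf(text):
    """Return {section_name: {key: value}} for each 'conn'/'config' section.

    Section headers start in column 0; parameters are indented key=value
    lines; '#' starts a comment. 'also=' inheritance is not resolved, which
    is fine for the flat config above.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"^(conn|config)\s+(\S+)\s*$", line)
        if header:
            current = header.group(2)
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue  # e.g. the 'version 2.0' line
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def check_selectors(sections, peer_local, peer_remote):
    """Compare each conn's subnet pair with the peer policy; return findings."""
    peer_local = [ipaddress.ip_network(n) for n in peer_local]
    peer_remote = [ipaddress.ip_network(n) for n in peer_remote]
    findings = []
    for name, params in sections.items():
        if "leftsubnet" not in params or "rightsubnet" not in params:
            continue  # 'config setup' and bare auto=ignore stubs
        ls = ipaddress.ip_network(params["leftsubnet"])
        rs = ipaddress.ip_network(params["rightsubnet"])
        if ls not in peer_remote:
            findings.append(f"{name}: leftsubnet {ls} is not a peer 'Remote Network'")
        if rs not in peer_local:
            findings.append(f"{name}: rightsubnet {rs} is not a peer 'Local Network'")
    # A peer local network with no conn at all can never reach us through the tunnel.
    covered = {ipaddress.ip_network(p["rightsubnet"])
               for p in sections.values() if "rightsubnet" in p}
    for net in peer_local:
        if net not in covered:
            findings.append(f"peer Local Network {net} has no matching conn")
    return findings


if __name__ == "__main__":
    problems = check_selectors(parse_ipsec_conf(IPSEC_CONF),
                               PEER_LOCAL_NETWORKS, PEER_REMOTE_NETWORKS)
    print("\n".join(problems) if problems else "selectors consistent")
```

With the values from the thread the check reports no mismatch, which is consistent with the symptom: the SAs come up and locally initiated traffic flows, so the remaining question is whether hosts behind the concentrator have a route back to 10.252.238.0/24 (the RRI suggestion in the reply). Pointing PEER_REMOTE_NETWORKS at a different mask is the quick way to see what a genuine selector mismatch looks like in the output.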