[Openswan Users] Simple setup but its not working

Sun Jan 16 20:35:18 CET 2005

I have a fairly simple setup, but have yet to be able to have any
success. I have to networks, 192.168.0.0 and 192.168.3.0, and am
trying to tunnel between them.  The two firewall (endpoints of the
tunnel) are both running Fedora Core 3.  I am using the exact same
ipsec.conf files from the www.ipsec-howto.org for the tunnel setup,
except for the relevant changes to represent my network.

192.168.0.0/24 -----------
222.222.222.222..............111.111.111.111----------192.168.3.0/24

So after creating the /etc/ipsec.conf file on 222..., i simply copied
it to 111. and swapped the two policy's direction (in for out, etc). 
I then run setkey -f /etc/ipsec.conf on each machine.  Now, from a
machine on either subnet, i can ping all hosts on the other subnets
fine, so it seems the tunnel is up.  However, nothing else works. 
Telnet, ssh, http, etc, do not work.  So I tried a few dumps at
various places, but find this to be the most annoying.

Sitting on 192.168.0.1, i run tcpdump with "tcpdump -i eth0 src host
192.168.3.1", and wait.  Then from the same machine i also try a
telnet session to 192.168.3.1.   I then see the replies coming back
for the telnet session!!  So the packet makes it all the way to the
other side and back, but the telnet application just hangs at "Escape
character is '^]'".   SSH hangs similarly as well.

Now I'm not quite sure how else to tell what's happening to the
packets.  Here's a two lines from the output of tcpdump that show the
packet leaving and returning.  But why don't the application level
programs succeed?

19:46:53.259908 192.168.0.1.40355 > 192.168.3.1.telnet: F 25:25(0) ack
1 win 5840 <nop,nop,timestamp 46629187 28194232> (DF) [tos 0x10]
19:46:53.331437 192.168.3.1 > 192.168.0.1.40355: FP 13:28(15) ack 26
win 5792 <nop,nop,timestamp 28194612 46629187> (DF) [tos 0x10]

I've had this problem as well before with the same machines, but
trying to interface openswan with freeswan.  But now it's stock FC3
kernels (no updates), with the same ipsec.conf from the howto (with
the same testing keys as well).  Maybe the packets are getting
corrupted.  Why would ping work but everything else doesn't?

Any ideas where to go from here would be much appreciated.

-- 
We are all sufferers from history, but the paranoid is a double
sufferer, since he is afflicted not only by the real world, with the
rest of us, but by his fantasies as well.