[Openswan Users] Cannot ping the vpn gateway
paul at xelerance.com
Tue Jul 12 17:23:27 CEST 2005
On Tue, 12 Jul 2005, Gömöri Zoltán wrote:
Either add leftsourceip=internalIPofGateway or
build four vpn connections:
net-net (which you have now)
The last three are the same as the first, except they need to
have a different name and they are missing one or both *subnet=
> Date: Tue, 12 Jul 2005 15:21:49 +0200
> From: "Gömöri Zoltán" <suf at freemail.hu>
> To: users at openswan.org
> Subject: RE: [Openswan Users] Cannot ping the vpn gateway
> Anybody has any idea on solving this problem?
>> -----Original Message-----
>> From: users-bounces at openswan.org
>> [mailto:users-bounces at openswan.org] On Behalf Of Gömöri Zoltán
>> Sent: Friday, July 08, 2005 9:52 AM
>> To: users at openswan.org
>> Subject: RE: [Openswan Users] Cannot ping the vpn gateway
>> That is true, but if I can't ping the gateway it causes deeper
>> I checked the logs (actually I generated packet logs with iptables
>> rules), and found that any packet initiated on the vpn gateway's local
>> interface with a target address in the local subnet is heading in the
>> wrong direction. These packets are going out on the internet interface
>> instead of the local
>> 1. If I have any service listening on the local interface, it will be
>> unusable from the local subnet.
>> 2. This behaviour breaks the PMTU discovery mechanism. In detail: a
>> machine on the local subnet sends a 1500 byte packet through the
>> gateway with the DF bit set. The packet can't fit into the IPSEC tunnel
>> (max MTU 1444 bytes). In the normal behaviour the gateway sends back an
>> ICMP type 3 code 4 packet telling the originator to lower the packet
>> size. The originator resends a smaller packet or the original packet
>> with the DF bit clear. In our case unfortunately the ICMP packet
>> mentioned above goes out on the internet interface and therefore the
>> originator never gets it, so it will keep sending 1500 byte packets
>> until it gives up.
>> From what I've heard about this issue I have to establish a
>> connection, but I've no clue what needs to be in it.
>>> -----Original Message-----
>>> From: temmink [mailto:temmink at vrisned.com]
>>> Sent: Friday, July 08, 2005 8:28 AM
>>> To: 'Gömöri Zoltán'
>>> Subject: RE: [Openswan Users] Cannot ping the vpn gateway
>>> You cannot ping the vpn gateway, but you can ping the systems
>>> behind the
>>> So actually you can ping through the vpn-machine itself.
>>> M. Temmink
>>> -----Original Message-----
>>> From: users-bounces at openswan.org
>>> [mailto:users-bounces at openswan.org] On behalf of
>>> Gömöri Zoltán
>>> Sent: Friday, 8 July 2005 7:36
>>> To: users at openswan.org
>>> Subject: [Openswan Users] Cannot ping the vpn gateway
>>> I'm using OpenS/WAN 2.3.1 and kernel 220.127.116.11 with native IPSEC
>>> I've the following setting in the ipsec.conf:
>>> include /etc/ipsec.d/examples/no_oe.conf
>>> conn Test
>>> From the point when I establish the Test connection I'm not able to
>>> ping the right vpn gateway's internal ip (10.15.14.1) from the right
>>> local subnet.
>>> Can anybody tell me, how can I solve this?
>>> thank you
>>> Users mailing list
>>> Users at openswan.org
"I am not even supposed to be here today!" -- Clerk
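A worked ipsec.conf fragment for the two options Paul describes above, added here as an example; it is not from the original thread or from the Openswan project. The right gateway's internal address 10.15.14.1 comes from the thread; the left-side addresses, the right subnet mask, the shared-secret authentication and the connection names other than net-net are assumptions.

```ini
# Added example, not from the thread or the Openswan project.
# Assumed values: left gateway 192.0.2.1 fronting 192.168.1.0/24 with
# internal address 192.168.1.1; right gateway 198.51.100.1 fronting
# 10.15.14.0/24 with the internal address 10.15.14.1 named in the thread.

# Option 1: keep the single net-net connection and give each gateway a
# source address on its internal subnet. Packets the gateway itself
# originates towards the far subnet are then sent from that internal
# address, which the net-net policy already covers.
conn Test
        left=192.0.2.1
        leftsubnet=192.168.1.0/24
        leftsourceip=192.168.1.1
        right=198.51.100.1
        rightsubnet=10.15.14.0/24
        rightsourceip=10.15.14.1
        authby=secret
        auto=start

# Option 2: four connections that share one definition and differ only
# in name and in which *subnet= lines they carry. A side with no
# *subnet= line is just the gateway's own address, so the three extra
# connections give gateway-to-subnet, subnet-to-gateway and
# gateway-to-gateway traffic a policy of its own.
conn shared
        left=192.0.2.1
        right=198.51.100.1
        authby=secret

conn net-net
        leftsubnet=192.168.1.0/24
        rightsubnet=10.15.14.0/24
        auto=start
        also=shared

conn host-net
        rightsubnet=10.15.14.0/24
        auto=start
        also=shared

conn net-host
        leftsubnet=192.168.1.0/24
        auto=start
        also=shared

conn host-host
        auto=start
        also=shared
```

The `also=` line is kept last in each section so the fragment parses regardless of how strictly the installed Openswan release orders it; the connection names host-net, net-host and host-host are placeholders chosen here, only net-net is named in the thread.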