[Openswan Users] All of packets getting dropped at ipsec0

Wah Jong wahjong at gmail.com
Mon Jun 27 22:39:33 CEST 2005


Dear,

I have failed to make a subnet-to-subnet VPN work, even though I have been trying for a couple of
weeks.

I've found that all packets on ipsec0 get dropped when I ping from
192.168.10.117 to a client on the opposite subnet.

My VPN diagram:
192.168.10.0/24 ---- [eth1 a.b.c.d eth0] ==== internet ==== [eth0 x.y.w.z eth1] ----- 192.168.15.0/24

a.b.c.d gateway

/etc/ipsec.conf
conn L5
left=a.b.c.d
leftnexthop=61.10.102.1
leftsubnet=192.168.10.0/24
leftid=a.b.c.d
leftcert=wahj.crt
right=x.y.w.z
rightnexthop=61.10.64.1
rightsubnet=192.168.15.0/24
rightid=x.y.w.z
rightcert=hwwong.crt

/etc/init.d/iptables
echo 0 > /proc/sys/net/ipv4/conf/ipsec0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
iptables -A POSTROUTING -t nat -o eth0 -d \! 192.168.15.0/24 -j MASQUERADE


x.y.w.z gateway

/etc/ipsec.conf
conn L5
left=a.b.c.d
leftnexthop=61.10.102.1
leftsubnet=192.168.10.0/24
leftid=a.b.c.d
leftcert=wahj.crt
right=x.y.w.z
rightnexthop=61.10.64.1
rightsubnet=192.168.15.0/24
rightid=x.y.w.z
rightcert=hwwong.crt

/etc/init.d/iptables
echo 0 > /proc/sys/net/ipv4/conf/ipsec0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
iptables -A POSTROUTING -t nat -o eth0 -d \! 192.168.10.0/24 -j MASQUERADE

ipsec auto --up L5 --> IPsec SA established
ipsec verify --> everything is ok

ipsec auto --status
"L5": 192.168.10.0/24===a.b.c.d:17/1701---61.10.102.1...61.10.64.1---x.y.w.z:17/1701===192.168.15.0/24
"L5": ike_life: 1800s; ipsec_life: 1800s; rekey_margin: 1200s; rekey_fuzz: 25%; keyingtries: 3
"L5": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL; interface: eth0; unrouted

netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
x.y.w.z         61.10.102.1     255.255.255.255 UGH   0   0      0    ipsec0
192.168.0.0     0.0.0.0         255.255.255.0   U     0   0      0    eth1
192.168.15.0    61.10.102.1     255.255.255.0   UG    0   0      0    ipsec0
192.168.10.0    0.0.0.0         255.255.255.0   U     0   0      0    eth1
61.10.102.0     0.0.0.0         255.255.254.0   U     0   0      0    eth0
61.10.102.0     0.0.0.0         255.255.254.0   U     0   0      0    ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U     0   0      0    lo
0.0.0.0         61.10.102.1     0.0.0.0         UG    0   0      0    eth0

tcpdump -n -i ipsec0 -vv
tcpdump: listening on ipsec0
18:36:09.377051 192.168.10.117 > 192.168.15.1: icmp: echo request (ttl 31, id 10446, len 60)

ifconfig ipsec0
ipsec0 Link encap:Ethernet HWaddr 00:50:FC:3A:17:5C
inet addr:a.b.c.d Mask:255.255.254.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:48 overruns:0 carrier:0
collisions:0 txqueuelen:10


Kind regards,
Steve Jong
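As an added example (not part of the post above, and not Openswan's own code), a small Python checker that parses the `ipsec auto --status` and `ifconfig ipsec0` output the poster quotes and reports the two facts those outputs expose: the routing state of the conn and the TX drop counter on ipsec0. The sample strings are constructed from the output in the post; the function names are my own.

```python
import re

# Constructed sample input, copied from the diagnostics quoted in the post above.
STATUS = '''\
"L5": 192.168.10.0/24===a.b.c.d:17/1701---61.10.102.1...61.10.64.1---x.y.w.z:17/1701===192.168.15.0/24
"L5": ike_life: 1800s; ipsec_life: 1800s; rekey_margin: 1200s; rekey_fuzz: 25%; keyingtries: 3
"L5": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL; interface: eth0; unrouted
'''
IFCONFIG = '''\
ipsec0 Link encap:Ethernet HWaddr 00:50:FC:3A:17:5C
inet addr:a.b.c.d Mask:255.255.254.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:48 overruns:0 carrier:0
'''

POLICY_RE = re.compile(r'^"([^"]+)":.*policy:\s*([^;]+);.*interface:\s*([^;]+);\s*(\w+)')
COUNTER_RE = r' packets:(\d+) errors:(\d+) dropped:(\d+)'

def parse_status(text):
    """Map each conn name to its policy flags, interface and routing state."""
    conns = {}
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            name, policy, iface, state = m.groups()
            conns[name] = {"policy": policy.split("+"), "interface": iface, "state": state}
    return conns

def parse_counters(text, direction):
    """Return packets/errors/dropped for the RX or TX line of ifconfig output."""
    m = re.search(direction + COUNTER_RE, text)
    if not m:
        return None
    return dict(zip(("packets", "errors", "dropped"), map(int, m.groups())))

def diagnose(status_text, ifconfig_text, conn):
    """List what the two outputs reveal about why traffic entering ipsec0 is dropped."""
    findings = []
    info = parse_status(status_text).get(conn)
    if info is None:
        return ["conn %s not found in ipsec auto --status" % conn]
    if info["state"] != "erouted":
        # Openswan reports a conn that is actually carrying traffic as 'erouted'; any other
        # state means no kernel eroute exists, so packets handed to ipsec0 have nowhere to go.
        findings.append("conn %s is '%s', expected 'erouted' after --up" % (conn, info["state"]))
    tx = parse_counters(ifconfig_text, "TX")
    if tx and tx["dropped"] and tx["packets"] == 0:
        findings.append("ipsec0 transmitted 0 packets and dropped %d" % tx["dropped"])
    return findings
```

Run `diagnose(STATUS, IFCONFIG, "L5")` to get both findings for the output in the post; feeding it live output from the gateway works the same way.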