[Openswan Users] Gateway to gateway ping doesn't work

Jeremy Mann jmann at integracarehh.com
Sat Mar 12 16:03:27 CET 2005


I have successfully connected a 3com device into my gentoo openswan 
box (running kernel 2.6).  The two subnets behind each device can ping 
each other, however the devices themselves (which have private IP 
addresses assigned to them) can't ping each other.  Here's a crude diagram.

192.168.191.0/24
|
|
192.168.191.1(3com device) which has a public internet IP of A.B.C.D
|
|
Internet
|
|
192.168.1.102(gentoo openswan) which has a public internet IP of E.F.G.H
|
|
192.168.1.0/24

pinging from 192.168.1.1 to 192.168.1.102 times out
pinging from 192.168.1.102 to 192.168.191.1 ttl exceeded
pinging behind each device works fine.

Here's the routes on my openswan box:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
E.F.G.xxx       0.0.0.0         255.255.255.240 U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.191.0   E.F.G.xxx       255.255.255.0   UG    0      0        0 eth0   (gateway IP)
192.168.0.0     192.168.1.1     255.255.240.0   UG    0      0        0 eth1
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         E.F.G.xxx       0.0.0.0         UG    0      0        0 eth0   (default gateway IP)


and here's iptables output:
iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 143K packets, 13M bytes)
 pkts bytes target     prot opt in     out     source               destination
   61  2928 DNAT       tcp  --  *      *       0.0.0.0/0            E.F.G.H              tcp dpt:3389 to:192.168.1.63
   58  2784 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.1.103        tcp dpt:3389 to:192.168.1.63

Chain POSTROUTING (policy ACCEPT 47361 packets, 2990K bytes)
 pkts bytes target     prot opt in     out     source               destination
   81  6009 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            to:192.168.1.102
   13  1685 SNAT       all  --  *      eth0    0.0.0.0/0            !A.B.C.D             to:E.F.G.H

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               
destination

iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination


Pinging produces this on the openswan box:

$ ping 192.168.191.1
PING 192.168.191.1 (192.168.191.1) 56(84) bytes of data.
From 216.158.204.42 icmp_seq=1 Time to live exceeded
From 216.158.204.42 icmp_seq=2 Time to live exceeded

I'm pretty sure this is an easy fix, but the wiki is down so I can't check.

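The following model is an added illustration and is not code from the original post or from Openswan. It replays the routing table posted above against an assumed subnet-to-subnet tunnel policy (leftsubnet=192.168.1.0/24, rightsubnet=192.168.191.0/24; the post only says the subnets behind each device reach each other) and stands in the documentation block 203.0.113.0/28 for the redacted E.F.G.xxx addresses. It shows how the kernel picks the source address for a packet the gateway itself generates, and whether that (src, dst) pair falls inside the tunnel's selectors: a forwarded LAN packet keeps its 192.168.1.x source and matches, while an unbound `ping 192.168.191.1` from the box is sourced from the eth0 address chosen by the route, misses the selectors, and leaves in the clear toward the default gateway with a private destination.

```python
"""Source-address selection vs. IPsec policy selectors (added illustration).

Not code from the original post or from Openswan.  Routing table is the
one from the post with E.F.G.xxx replaced by 203.0.113.0/28; the tunnel
selectors are an ASSUMPTION (subnet-to-subnet).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    dest: IPv4Network
    gateway: Optional[IPv4Address]  # None: directly connected
    dev: str


# Interface addresses of the Openswan box; 203.0.113.2 stands in for E.F.G.H.
IFACE_ADDR = {
    "eth0": ip_address("203.0.113.2"),
    "eth1": ip_address("192.168.1.102"),
}

# Routing table from the post (stand-in for E.F.G.xxx as above).
ROUTES = [
    Route(ip_network("203.0.113.0/28"), None, "eth0"),
    Route(ip_network("192.168.1.0/24"), None, "eth1"),
    Route(ip_network("192.168.191.0/24"), ip_address("203.0.113.1"), "eth0"),
    Route(ip_network("192.168.0.0/20"), ip_address("192.168.1.1"), "eth1"),
    Route(ip_network("0.0.0.0/0"), ip_address("203.0.113.1"), "eth0"),
]

# ASSUMED tunnel selectors: the post says the subnets behind each device
# reach each other, so the policy is modelled as subnet-to-subnet.
POLICY_SRC = ip_network("192.168.1.0/24")
POLICY_DST = ip_network("192.168.191.0/24")


def lookup(dst: IPv4Address) -> Route:
    """Longest-prefix match over ROUTES, as the kernel FIB does."""
    candidates = [r for r in ROUTES if dst in r.dest]
    return max(candidates, key=lambda r: r.dest.prefixlen)


def pick_source(dst: IPv4Address, bound: Optional[IPv4Address] = None) -> IPv4Address:
    """Source address of a locally generated packet.

    An unbound socket (plain `ping dst`) gets the primary address of the
    egress interface selected by the route; a bound socket (`ping -I addr`)
    keeps the bound address.
    """
    if bound is not None:
        return bound
    return IFACE_ADDR[lookup(dst).dev]


def policy_covers(src: IPv4Address, dst: IPv4Address) -> bool:
    """True when the (src, dst) pair falls inside the tunnel selectors."""
    return src in POLICY_SRC and dst in POLICY_DST


def classify(src: IPv4Address, dst: IPv4Address) -> str:
    """'tunnel' if the policy matches, otherwise how the packet leaves in the clear."""
    if policy_covers(src, dst):
        return "tunnel"
    r = lookup(dst)
    via = f"via {r.gateway}" if r.gateway else "direct"
    return f"cleartext {via} dev {r.dev}"


def gateway_ping(dst: str, bound: Optional[str] = None) -> tuple:
    """Ping generated by the Openswan box itself; returns (src, path)."""
    d = ip_address(dst)
    s = pick_source(d, ip_address(bound) if bound else None)
    return str(s), classify(s, d)


def forwarded(src: str, dst: str) -> str:
    """Packet forwarded for a LAN host; its source address is preserved."""
    return classify(ip_address(src), ip_address(dst))


if __name__ == "__main__":
    # LAN host behind the box: selectors match, traffic is tunnelled.
    print("192.168.1.50 -> 192.168.191.1:", forwarded("192.168.1.50", "192.168.191.1"))
    # The box itself, unbound socket: source comes from eth0, selectors miss,
    # and a packet with a private destination leaves in the clear.
    print("box -> 192.168.191.1:", gateway_ping("192.168.191.1"))
    # Same ping with the source pinned to the LAN-side address.
    print("box -I 192.168.1.102 -> 192.168.191.1:",
          gateway_ping("192.168.191.1", "192.168.1.102"))
```

On a real box with the native 2.6 IPsec stack the same two facts can be read directly: `ip route get 192.168.191.1` prints the source address the kernel would use, and `ip xfrm policy` lists the installed selectors, so a mismatch between the two is visible without modelling anything.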