[Openswan Users] One Side of Constructed Tunnels Broken

Jerry R. Keene jkeene at scsengineers.com
Fri Mar 18 14:23:06 CET 2005


I've properly set up vpns between a newly relocated office with a new ISP
and our home office. Both linux endpoints are using 2.4 kernels. The
Weston endpoint is running freeswan 2.06 and the Rinchester endpoint is
running openswan 2.30.

The new ISP is a small operation, and, while they have attempted to be
helpful, there seems to be a blockade on their cisco router that won't
allow 10. traffic to go through. The cause of this blockade seems outside
their experience.

I'm not giving a lot of specific information, because all the normal
specific information seems to be fine. I believe both freeswan and
openswan are doing what they are supposed to do.

Weston <---------------------------------->Rinchester
------------                            ------------- (eth0) (eth1) 192.168.206.(eth0) (eth1)

When the tunnels are up, traffic from Weston to the network is
fine with normal functionality for all tunnels.

On the Rinchester box, the ipsec0 virtual interface appears normal. When I
run "ipsec eroute" (see below), it shows four completed tunnels.

Most saliently though, on the Rinchester linux box, despite a proper
looking routing table (see below), when I try to traceroute from
Rinchester to, my traceroute goes via the internet rather than
via the proper tunnel. Obviously it fails.

From my testing the problem seems to be with reaching Rinchester's address. My traceroutes from Weston to that address fail to
reach it. I can, however, ping that address. My ISP says he's not
filtering on the interface, but, if so, why can I do a
normal traceroute to it.

The linux box is entirely reachable, evidence that the ISP
is not filtering traffic for that address.

The ISP certainly wants to help, but can't see anything on the Cisco side
that's blocking my Rinchester to Weston 10. traffic.

I'd appreciate any advice on the nature of the Cisco-side block here. I'm
not very familiar with Cisco configs, but I know both Freeswan and Openswan
are very interoperable with Cisco routers... I'd think then that some
config options need to be tweaked on the Cisco interface?

Kernel IP routing table (for Rinchester)
Destination     Gateway         Genmask         Flags   MSS Window  irtt
Iface UH        0 0          0 eth0 UGH       0 0          0
ipsec0   U         0 0          0 eth1   U         0 0          0
ipsec0   UG        0 0          0
ipsec0   U         0 0          0 eth0       U         0 0          0 lo       U         0 0          0 eth0         UG        0 0          0 eth1

Results of Rinchester "ipsec eroute"

0       ->        =>
tun0x1032 at
0       ->   =>
tun0x1036 at
0   ->        =>
tun0x1038 at
0   ->   =>
tun0x1034 at

Jerry Keene