[Openswan Users] Roadwarrior and route troubles
Paul Wouters
paul at xelerance.com
Thu Sep 1 15:53:50 CEST 2005
On Thu, 1 Sep 2005, Vincent SCHULTZ wrote:
>> conn roadwarrior
>> left=152.18.31.45
>> leftsubnet=10.10.45.0/24
>> leftrsasigkey=%cert
>> leftcert=sgw1-crt.pem
>> right=%any
>> rightsubnet=vhost:%priv
>> rightrsasigkey=%cert
>> auto=add
>> conn roadwarrior
>> left=%defaultroute
>> leftsubnet=192.168.10.222/32
>> leftrsasigkey=%cert
>> leftcert=mclient1-crt.pem
>> right=152.18.31.45
>> rightsubnet=10.10.45.0/24
>> rightrsasigkey=%cert
>> rightcert=sgw1-crt.pem
>> auto=add
The subnet definitions still do not match. It might
accidentally work with NAT-T right now, but it is not the
proper setup. The leftsubnet should not be defined.
>>
>> From the mobile I can ping the SGW:
>>
>> # ping 152.18.31.45
>> PING 152.18.31.45 (152.18.31.45) 56(84) bytes of data.
>> 64 bytes from 152.18.31.45: icmp_seq=0 ttl=63 time=1.40 ms
>> 64 bytes from 152.18.31.45: icmp_seq=1 ttl=63 time=0.249 ms
>>
>> When I start the connection on the mobile computer:
>> 004 "roadwarrior" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x77d63dbc <0x9c8c9dea xfrm=AES_0-HMAC_SHA1}
>>
>> But I cannot ping a client in the 10.10.45.0 LAN, the packet does not reach the SGW.
Check with 'ipsec verify'. Disable firewall rules, enable ip_forwarding,
disable rp_filter.
>> On the SGW :
>>
>> # more /proc/sys/net/ipv4/conf/all/rp_filter
>> 0
Did you set this before the interfaces appeared? Otherwise
/proc/sys/net/ipv4/conf/ethS/rp_filter might still be set wrong.
>> # more /proc/sys/net/ipv4/ip_forward
>> 1
Ok.
You will have to run tcpdump to see what happens. If using netkey, you
will need to sniff on the box upstream, or hook things up in a hub.
Paul
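The rp_filter check Paul describes is easy to get wrong because `conf/all/rp_filter` only reports the value written to the "all" node; an interface that came up earlier keeps its own `conf/<iface>/rp_filter`. The script below is an added example, not something from this thread or from Openswan: it walks every per-interface rp_filter entry and the ip_forward sysctl and reports anything that would break forwarding of decrypted roadwarrior traffic. The `root` argument (defaulting to `/proc`) is an assumption added so the functions can also be run against a constructed copy of the tree for offline testing.

```bash
#!/bin/sh
# Added example (not from the original thread): audit the two sysctls the
# reply points at on an IPsec gateway. The first argument is the proc root,
# normally /proc; a different root is only used for offline testing.

# Report every interface whose rp_filter is non-zero, including "all" and
# "default". Returns 0 if every entry is 0, 1 if any entry is not.
check_rp_filter() {
    root="${1:-/proc}"
    bad=0
    for f in "$root"/sys/net/ipv4/conf/*/rp_filter; do
        [ -r "$f" ] || continue          # unmatched glob or unreadable entry
        iface=$(basename "$(dirname "$f")")
        val=$(cat "$f")
        if [ "$val" != "0" ]; then
            # A per-interface value that differs from conf/all usually means
            # the interface existed before conf/all was written.
            echo "rp_filter=$val on $iface"
            bad=1
        fi
    done
    return $bad
}

# Returns 0 if ip_forward is 1, 1 otherwise (decrypted packets destined for
# the LAN behind the gateway are dropped without forwarding).
check_ip_forward() {
    root="${1:-/proc}"
    f="$root/sys/net/ipv4/ip_forward"
    if [ ! -r "$f" ]; then
        echo "cannot read $f"
        return 1
    fi
    if [ "$(cat "$f")" = "1" ]; then
        return 0
    fi
    echo "ip_forward is 0"
    return 1
}

# Usage on the gateway (not executed here):
#   . ./sysctl-audit.sh && check_rp_filter && check_ip_forward && echo "sysctls OK"
```

The per-interface loop is the part worth keeping: `sysctl -w net.ipv4.conf.all.rp_filter=0` issued after an interface is already up leaves that interface's own entry untouched, which is exactly the situation the reply suspects.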