[Openswan Users]
Openswan on 2.6 kernel routing problems - Destination Host Unreachable
Roland Gaboury
gabouryr at shaw.ca
Thu Sep 22 16:49:32 CEST 2005
I'm not sure what information for dumps/barfs/listings you would like to
see for this, but I'm having the following problem:
I am at wits' end - I can, from Arthur, ping any address up to
192.168.1.1 - the internal interface of the other end of the vpn chain,
but I cannot ping through to Zaphod. I get Destination Host
unreachable:
PING 10.0.0.148 (10.0.0.148) 56(84) bytes of data.
From 70.66.0.80 icmp_seq=2 Destination Host Unreachable
From 70.66.0.80 icmp_seq=3 Destination Host Unreachable
From 70.66.0.80 icmp_seq=4 Destination Host Unreachable
Similarly, from the other end, I cannot get to LanA from LanB, just up
to eth1 on Marvin.
I also have iptables with MASQ running on both O/S machines, but have
tried turning them off to no avail... same problem.
Can anyone explain what is going on or how to rectify this?
Cheers,
Roland Gaboury
I have the following network:
Lan A =========== Openswan A ------------- Openswan B ============ Lan B
(Arthur)           (Marvin)                  (Ford)               (Zaphod)
                 eth1     eth0            eth1      eth0
10.0.0.0/24                                                  192.168.1.0/24
10.0.0.148      10...1   70.66.0.80   70.66.9.201  192...1     192...151
I have established a vpn tunnel between the two networks. The following
is my ipsec.conf on each machine.
config setup
    # everything is commented out for defaults

conn net-to-net
    left= 70.66.9.201
    leftsubnet= 10.0.0.0/24
    right= 70.66.0.80
    rightsubnet= 192.168.1.0/24
    type= tunnel
    keyexchange= ike
    auto= add
    auth= esp
    pfs= yes
    keylife= 8.0h
    rekey= yes
    rekeymargin= 9m
    keyingtries= 3
    ikelifetime= 8h
    disablearrivalcheck=no
    authby= secret
    esp= 3des-sha1-96

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
Kernel routing information for Marvin is:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
70.66.0.0       *               255.255.252.0   U     0      0        0 eth1
link-local      *               255.255.0.0     U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         70.66.0.1       0.0.0.0         UG    0      0        0 eth1
and for Arthur:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
70.66.8.0       *               255.255.252.0   U     0      0        0 eth0
link-local      *               255.255.0.0     U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         70.66.8.1       0.0.0.0         UG    0      0        0 eth0