[Openswan Users] problems routing to remote ipsec network

Paul Wouters paul at xelerance.com
Thu Sep 29 07:30:29 CEST 2005


On Wed, 28 Sep 2005, Roland Gaboury wrote:

> Hi again... the continuing battle with ipsec.conf goes on.  I have an ipsec 
> connection with the following configuration:
>
> 000 "symantec": 
> 172.0.0.0/24===24.68.236.175---24.68.236.1...70.66.3.209===192.168.1.0/24; 
> erouted; eroute owner: #2
>
> Yes, I know that 172.0.0.0/24 is NOT a private subnet - this is beyond my 
> control and in the hands of 'qualified' IT staff... such is life.
>
> From the 192 subnet, I can ping anywhere on the 172 subnet... 70.66.3... is a 
> symantec ipsec gateway.
>
> From the 24.68 system (Openswan) and behind it (the 172 subnet), I can not 
> ping anywhere in the 192 subnet by doing an ordinary ping... HOWEVER - if I 
> ping -I eth1 192.168.1.1, everything seems to go through fine...

If that works, then the tunnel seems to be up (check the logs for IPsec SA established).
It seems that your openswan machine is not forwarding the packets and encrypting them
as expected. Common causes:

- ip_forwarding is not enabled
- rp_filter is not disabled (also a setting in /etc/sysctl.conf or /proc)
- firewall rules on the incoming interface block the packets
- NAT/MASQ on the internal face is rewriting encrypted packets into oblivion.

'ipsec verify' should see some of these problems for you.

Paul
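The checks Paul lists (ip_forward, rp_filter, NAT on the inside) are the kind of thing a gateway admin ends up scripting. The following is an added example, not code from the thread or from Openswan; it assumes, as in the thread, that eth1 is the inside interface and 192.168.1.0/24 is the remote subnet, and it takes the sysctl root as a parameter (normally /proc/sys) so the same functions can be run against a copied tree. The NAT check reads saved `iptables-save -t nat` output and flags POSTROUTING MASQUERADE/SNAT rules that do not carry a `! -d <remote subnet>` exclusion, which is the pattern that rewrites tunnelled packets before they are encrypted.

```shell
#!/bin/sh
# Added example: sanity checks for the common causes named in the reply.
# Not part of the original thread; eth1 / 192.168.1.0/24 are assumptions
# taken from the quoted configuration.

# read_sysctl ROOT KEY: print the value of a sysctl key (dotted form)
# by reading the matching file under ROOT (e.g. /proc/sys).
read_sysctl() {
    root="$1"; key="$2"
    cat "$root/$(printf '%s' "$key" | tr . /)" 2>/dev/null
}

# check_ip_forward ROOT: returns 0 when net.ipv4.ip_forward is 1.
check_ip_forward() {
    v=$(read_sysctl "$1" net.ipv4.ip_forward)
    if [ "$v" = "1" ]; then
        echo "ok: net.ipv4.ip_forward=1"; return 0
    fi
    echo "bad: net.ipv4.ip_forward=${v:-missing} (kernel will not forward for the 172 subnet)"
    return 1
}

# check_rp_filter ROOT IFACE: returns 0 when rp_filter is 0 both globally
# ("all") and on the given interface; a missing file is treated as 0.
check_rp_filter() {
    root="$1"; iface="$2"
    all=$(read_sysctl "$root" net.ipv4.conf.all.rp_filter)
    per=$(read_sysctl "$root" "net.ipv4.conf.$iface.rp_filter")
    if [ "${all:-0}" = "0" ] && [ "${per:-0}" = "0" ]; then
        echo "ok: rp_filter is 0 for all and $iface"; return 0
    fi
    echo "bad: rp_filter all=${all:-missing} $iface=${per:-missing} (reverse-path filter may drop tunnel traffic)"
    return 1
}

# masq_without_exclusion FILE SUBNET: FILE holds iptables-save output.
# Returns 1 and prints the offending rules if any POSTROUTING MASQUERADE
# or SNAT rule lacks "! -d SUBNET"; returns 0 otherwise.
masq_without_exclusion() {
    file="$1"; subnet="$2"
    hits=$(grep -E -- '^-A POSTROUTING .*-j (MASQUERADE|SNAT)' "$file" 2>/dev/null \
           | grep -v -F -- "! -d $subnet")
    if [ -n "$hits" ]; then
        printf 'bad: NAT rule may rewrite packets destined for %s:\n%s\n' "$subnet" "$hits"
        return 1
    fi
    echo "ok: no POSTROUTING NAT rule without an exclusion for $subnet"
    return 0
}

# count_problems ROOT IFACE: run the kernel checks, print messages on
# stderr and the number of failed checks on stdout.
count_problems() {
    root="$1"; iface="$2"; n=0
    if ! check_ip_forward "$root" >&2; then n=$((n + 1)); fi
    if ! check_rp_filter "$root" "$iface" >&2; then n=$((n + 1)); fi
    echo "$n"
}

# Stand-alone usage against the live kernel (skipped when /proc/sys is absent
# or IPSEC_CHECK_NO_RUN is set). IPSEC_IFACE overrides the assumed eth1.
if [ -d /proc/sys/net/ipv4 ] && [ -z "$IPSEC_CHECK_NO_RUN" ]; then
    echo "failed checks: $(count_problems /proc/sys "${IPSEC_IFACE:-eth1}")"
fi
```

To cover the fourth cause, save the NAT table with `iptables-save -t nat > /tmp/nat.txt` and run `masq_without_exclusion /tmp/nat.txt 192.168.1.0/24`; a rule such as `-A POSTROUTING -o eth0 -j MASQUERADE` with no destination exclusion is what turns the remote subnet's traffic into NATed cleartext that never matches the eroute.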
