[Openswan Users] Routing problem with NETKEY

Jani Joki demi at futuremark.com
Thu Aug 3 09:26:53 EDT 2006


Apologies if this subject has been discussed before, but I spent a few
days going through the archives, and though I found similar problems,
I could not find exactly the same as mine, nor did any of the proposed
solutions help me.

My setup is a simple network to network tunnel, from an openswan/netkey
linux to a linksys rv042:

22.236.122.0/24===22.236.122.253---22.236.122.254...27.127.49.158[27.126.59.249]===10.10.1.0/24

The tunnel comes up fine. However, I can only send packets from the left
gateway (22.236.122.253) to the right network (10.10.1.0/24). Any
packets sent from the left network to the right network go through normal 
routing and are passed along unencrypted. Any packets sent from the right 
network to the left network do arrive at the gateway machine, but
after decryption they appear in the INPUT chain, not the FORWARD chain 
and thus are not passed forward. (I checked this by MARKing the packets and 
then adding match rules to both forward and input, and the input counter grew).

To make things really bizarre, any icmp traffic sent from the right
network to the left network goes through the tunnel as it should. Same
is true for the other direction. Only udp and tcp traffic (the only
protocols I tried) fail to go through the tunnel as they should.

My left setup is as follows:

config setup
        nat_traversal=yes
        virtual_private=%v4:10.10.1.0/24

conn foo-bar
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        left=%defaultroute
        leftsubnet=22.236.122.0/24
        right=%any
        rightsubnet=vnet:%priv,%no

My left gateway has three interfaces:

eth0 22.236.122.0/24
eth1 22.236.122.32/27
eth2 22.236.122.253/30

The default gw, 22.236.122.254, lies behind eth2. As may be apparent,
I use proxy arp. Just in case something got confused by the overlapping
networks, I used IPs that can only be present in the internal network (eth0),
such as .1 and .2, for testing.

Any ideas would be greatly appreciated.

-- 
        Jani Joki        Senior Technical Manager   Futuremark Corporation
jani.joki at futuremark.com     +358 20 759 8264         www.futuremark.com
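One way to check which XFRM policies NETKEY actually installed for a tunnel like the one above (an added example, not code from the post or from Openswan): it parses `ip xfrm policy show` output and reports, per direction, whether the left/right subnet pair is fully covered, or only a narrower selector such as the gateway's own /32 is present. Both sample outputs below are constructed, not captured from the poster's gateway.

```python
import ipaddress
import re

# Constructed `ip xfrm policy show` output (not from the poster's gateway):
# NETKEY installs an out/fwd/in triple per negotiated subnet pair.
SAMPLE_OK = """\
src 22.236.122.0/24 dst 10.10.1.0/24
\tdir out priority 2344 ptype main
\ttmpl src 22.236.122.253 dst 27.126.59.249
src 10.10.1.0/24 dst 22.236.122.0/24
\tdir fwd priority 2344 ptype main
src 10.10.1.0/24 dst 22.236.122.0/24
\tdir in priority 2344 ptype main
"""
# Constructed case where only the gateway's own address (/32) is selected.
SAMPLE_HOST_ONLY = """\
src 22.236.122.253/32 dst 10.10.1.0/24
\tdir out priority 2344 ptype main
"""

def parse_xfrm_policies(text):
    """Return (src, dst, dir) tuples; 'tmpl' lines do not match the anchored regex."""
    policies, selector = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"src (\S+) dst (\S+)", line)
        if m:
            selector = (ipaddress.ip_network(m.group(1), strict=False),
                        ipaddress.ip_network(m.group(2), strict=False))
            continue
        m = re.match(r"dir (\w+)", line)
        if m and selector:
            policies.append((selector[0], selector[1], m.group(1)))
            selector = None
    return policies

def tunnel_coverage(policies, leftsubnet, rightsubnet):
    """Per direction: 'full', 'partial' (narrower selector only) or 'missing'."""
    left, right = ipaddress.ip_network(leftsubnet), ipaddress.ip_network(rightsubnet)
    wanted = {"out": (left, right), "fwd": (right, left), "in": (right, left)}
    report = {}
    for d, (wsrc, wdst) in wanted.items():
        status = "missing"
        for src, dst, _ in (p for p in policies if p[2] == d):
            if wsrc.subnet_of(src) and wdst.subnet_of(dst):
                status = "full"
                break
            if src.subnet_of(wsrc) and dst.subnet_of(wdst):
                status = "partial"
        report[d] = status
    return report
```

On a live gateway, feed it the real output (`ip xfrm policy show`) and the leftsubnet/rightsubnet from ipsec.conf; a "partial" out policy would explain left-subnet hosts being routed in the clear while the gateway itself reaches the far side.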
