[Openswan Users] Routing problem with NETKEY

Paul Wouters paul at xelerance.com
Thu Aug 3 15:48:47 EDT 2006

On Thu, 3 Aug 2006, Jani Joki wrote:

> The tunnel comes up fine. However, I can only send packets from the left
> gateway ( to the right network ( Any
> packets sent from the left network to the right network go through normal
> routing and are passed along unencrypted.

Are you sure you're not NATing packets that needed encryption on left?
Can you put an 'ipsec barf' output somewhere on website and give us the
link to it? Do you have ip forwarding enabled on left?

> Any packets sent from the right
> network to the left network do arrive at the gateway machine, but
> after decryption they appear in the INPUT chain, not the FORWARD chain
> and thus are not passed forward. (I checked this by MARKing the packets and
> then adding match rules to both forward and input, and the input counter grew).

netkey does some weird things with packets, and some behaviour changed
somewhere in 2.6.17 as well. I am not entirely sure of the netkey flow at this
point. If you use KLIPS, the flow of packets is more clear. You can
see a diagram in openswan-2.x.y/docs/diagrams/klips-packetflow.jpg

> To make things really bizarre, any icmp traffic sent from the right
> network to the left network goes through the tunnel as it should. Same
> is true for the other direction. Only udp and tcp traffic (the only
> protocols I tried) fail to go through the tunnel as they should.

So this looks more like you are running into MTU issues. Try lowering
the MTU on the internal interfaces of both ends to say 1300.

