[Openswan Users] Routing problem with NETKEY

Andy Gay andy at andynet.net
Thu Aug 3 21:52:33 EDT 2006

On Thu, 2006-08-03 at 14:26 +0300, Jani Joki wrote:
> Apologies if this subject has been discussed before, but I spent a few
> days going through the archives, and though I found similar problems,
> I could not find exactly the same as mine, nor did any of the proposed
> solutions help me.
> My setup is a simple network to network tunnel, from an openswan/netkey
> linux to a linksys rv042,

Which linux and Openswan versions?

> The tunnel comes up fine. However, I can only send packets from the left
> gateway ( to the right network ( Any
> packets sent from the left network to the right network go through normal 
> routing and are passed along unencrypted. Any packets sent from the right 
> network to the left network do arrive at the gateway machine, but
> after decryption they appear in the INPUT chain, not the FORWARD chain 
> and thus are not passed forward. (I checked this by MARKing the packets and 
> then adding match rules to both forward and input, and the input counter grew).

Of course the INPUT counter will grow - the encrypted packet goes
through it. But FORWARD should grow as well.

What linux kernel are you running? Since 2.6.16 incoming ESP packets
show up first in the INPUT chain as ip-in-ip (protocol 4) packets. If
you have a DROP policy those packets won't get any further. You have to
add an explicit ACCEPT for protocol 4. (I'm told it's a bug :)

> To make things really bizarre, any icmp traffic sent from the right
> network to the left network goes through the tunnel as it should. Same
> is true for the other direction. Only udp and tcp traffic (the only
> protocols I tried) fail to go through the tunnel as they should.

That could be a firewall problem as well. You should try a controlled
test without any iptables rules. If that fixes it some well-placed LOG
rules can help pin down where it's going wrong.

> My left setup is as follows:
> config setup
>         nat_traversal=yes
>         virtual_private=%v4:
> conn foo-bar
>         authby=secret
>         pfs=no
>         auto=add
>         keyingtries=3
>         rekey=no
>         left=%defaultroute
>         leftsubnet=
>         right=%any
>         rightsubnet=vnet:%priv,%no
> My left gateway has three interfaces,
> eth0
> eth1
> eth2
> The defaultgw, lies behind eth2. As may be apparent, 
> I use proxy arp. Just in case something got confused by the overlapping
> networks, I used IPs that can only be present in the internal network (eth0),
> such as .1 and .2 for testing.
> Any ideas would be greatly appreciated.
> -- 
>         Jani Joki        Senior Technical Manager   Futuremark Corporation
> jani.joki at futuremark.com     +358 20 759 8264         www.futuremark.com
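
The protocol 4 ACCEPT and the LOG rules suggested in the reply, written out as an added example that is not part of the original thread. It assumes eth2 is the tunnel-facing interface (the post puts the default gateway behind it); the two subnets are constructed placeholders because the post's addresses are elided, and the log prefixes are arbitrary.

```shell
#!/bin/sh
# Added example: prints iptables commands for review; nothing is applied
# unless the output is piped to a root shell.
EXT_IF="${EXT_IF:-eth2}"                   # assumed tunnel-facing interface
LEFT_NET="${LEFT_NET:-192.0.2.0/24}"       # constructed placeholder subnet
RIGHT_NET="${RIGHT_NET:-198.51.100.0/24}"  # constructed placeholder subnet

emit_rules() {
    # IKE, NAT-T (nat_traversal=yes in the posted config) and ESP itself.
    echo "iptables -A INPUT -i $EXT_IF -p udp --dport 500 -j ACCEPT"
    echo "iptables -A INPUT -i $EXT_IF -p udp --dport 4500 -j ACCEPT"
    echo "iptables -A INPUT -i $EXT_IF -p esp -j ACCEPT"
    # The point from the reply: with a DROP policy on INPUT, the ip-in-ip
    # (protocol 4) packets need an explicit ACCEPT or they stop here.
    echo "iptables -A INPUT -i $EXT_IF -p 4 -j ACCEPT"
    # Temporary LOG rules at the top of each chain, to see which chain the
    # tunnel traffic reaches in each direction. Remove them after testing.
    echo "iptables -I INPUT 1 -p 4 -j LOG --log-prefix 'IN-ipip: '"
    echo "iptables -I FORWARD 1 -s $RIGHT_NET -d $LEFT_NET -j LOG --log-prefix 'FWD-r2l: '"
    echo "iptables -I FORWARD 1 -s $LEFT_NET -d $RIGHT_NET -j LOG --log-prefix 'FWD-l2r: '"
}

emit_rules
```

The `-A` rules are appended, so they only take effect if no earlier rule in INPUT already drops the traffic.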
