[Openswan Users] Routing problem with NETKEY

Paul Wouters paul at xelerance.com
Fri Aug 4 12:25:00 EDT 2006


On Fri, 4 Aug 2006, Andy Gay wrote:

> > I did some tcpdumping, and I can
> >
> >  - see the esp packets coming in from eth2
> >
> > 19:43:46.402321 IP 27.127.49.158 > 22.236.122.253: ESP(spi=0x8b5ff54d,seq=0x76), length 468
> >
> >  - I can see the decrypted packets appear in eth2, with the correct
> >    origin and destination addresses
> >
> > 19:43:46.402321 IP 10.10.1.1.netinfo-local > 22.236.122.1.syslog: SYSLOG daemon.notice, length: 409
> >
> >    - Still, these never appear in the forward chain
> >  - and thus, I don't see them in the internal interface
> >
> > Except for icmp packets. They appear everywhere just like they should.
>
> That's why I'd suspect your iptables rules. That's really the only place
> where packets get treated differently depending on their type.

Or it could be MTU issues. Try lowering the mtu, either on both sides, or the
remote side (eg not this end), or try disabling path MTU discovery on both
ends using: echo "0" > /proc/sys/net/ipv4/ip_no_pmtu_disc

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
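The MTU suggestion above comes down to arithmetic: every inner packet grows by the ESP header, IV, padding, trailer and ICV before it gets a second IPv4 header, so a packet that fit the link before encryption may not fit afterwards. The following script is an added example, not code from the thread or from Openswan. It assumes tunnel-mode ESP, IPv4 headers without options, a CBC cipher with an 8-byte IV and 8-byte block (3DES-CBC, as shipped by Openswan at the time) and a 12-byte truncated HMAC ICV, and it treats the "length: 409" in the syslog line as the UDP payload length. Under those assumptions it reproduces the 468-byte ESP packet from the capture quoted above exactly, and it also reports the largest inner packet that survives a given outer MTU without fragmentation, for both 8-byte and 16-byte block ciphers.

```python
"""ESP tunnel-mode size arithmetic behind the "lower the MTU" advice.

Added example; not code from the original thread or from Openswan.
Assumptions (all labelled): IPv4 headers without options (20 bytes),
ESP in tunnel mode, a CBC cipher with an 8-byte IV and 8-byte block
(3DES-CBC), a 12-byte truncated HMAC ICV, and tcpdump's "length N" on
an ESP line meaning the IP payload, i.e. SPI through ICV.
"""
import re

IPV4_HDR = 20        # outer and inner IPv4 header, no options (assumption)
UDP_HDR = 8
ESP_SPI_SEQ = 8      # 4-byte SPI + 4-byte sequence number
ESP_TRAILER = 2      # pad-length byte + next-header byte


def esp_len(inner_len, iv_len=8, block=8, icv_len=12):
    """ESP packet size (SPI..ICV) carrying an inner IPv4 packet of inner_len bytes.

    Payload plus the 2-byte trailer is padded to a multiple of the cipher
    block size; the IV sits in front of the ciphertext, the ICV behind it.
    """
    pad = (-(inner_len + ESP_TRAILER)) % block
    return ESP_SPI_SEQ + iv_len + inner_len + pad + ESP_TRAILER + icv_len


def outer_len(inner_len, **kw):
    """Size of the outer IPv4 packet on the wire for one inner packet."""
    return IPV4_HDR + esp_len(inner_len, **kw)


def max_inner_len(mtu, iv_len=8, block=8, icv_len=12):
    """Largest inner IPv4 packet that fits the outer link MTU unfragmented."""
    # room left for (payload + pad + trailer), which must be a block multiple
    room = mtu - IPV4_HDR - ESP_SPI_SEQ - iv_len - icv_len
    return (room // block) * block - ESP_TRAILER


def needs_fragmentation(inner_len, mtu, **kw):
    """True if the encapsulated packet exceeds the outer MTU."""
    return outer_len(inner_len, **kw) > mtu


_LEN_RE = re.compile(r"length:?\s*(\d+)")


def lengths_from_capture(esp_line, udp_line):
    """Return (observed, predicted) ESP length from two tcpdump lines.

    esp_line is the encrypted packet ("... ESP(...), length N"); udp_line is
    the decrypted UDP packet whose trailing "length: M" is taken as the UDP
    payload length (assumption).  Prediction rebuilds the inner IPv4 packet
    (20 + 8 + M) and runs it through esp_len().
    """
    observed = int(_LEN_RE.search(esp_line).group(1))
    udp_payload = int(_LEN_RE.search(udp_line).group(1))
    inner = IPV4_HDR + UDP_HDR + udp_payload
    return observed, esp_len(inner)


# Constructed copies of the two capture lines quoted in the thread.
ESP_LINE = ("19:43:46.402321 IP 27.127.49.158 > 22.236.122.253: "
            "ESP(spi=0x8b5ff54d,seq=0x76), length 468")
UDP_LINE = ("19:43:46.402321 IP 10.10.1.1.netinfo-local > 22.236.122.1.syslog: "
            "SYSLOG daemon.notice, length: 409")


if __name__ == "__main__":
    observed, predicted = lengths_from_capture(ESP_LINE, UDP_LINE)
    print(f"ESP length observed={observed} predicted={predicted}")
    for mtu in (1500, 1400):
        print(f"MTU {mtu}: max inner packet "
              f"3DES={max_inner_len(mtu)} "
              f"AES-CBC={max_inner_len(mtu, iv_len=16, block=16)}")
    for inner in (84, 437, 1500):
        print(f"inner {inner} bytes -> outer {outer_len(inner)} bytes, "
              f"fragment at 1500: {needs_fragmentation(inner, 1500)}")
```

The numbers make the thread's symptom easy to reason about: an 84-byte ping or a 437-byte syslog datagram wraps to well under 1500 bytes, whereas a full-size 1500-byte inner packet cannot fit and must either be fragmented or, when the DF bit is set and path MTU discovery is in play, be dropped with an ICMP "fragmentation needed" that may itself be filtered. One caveat on the sysctl named above: on Linux `ip_no_pmtu_disc` is a "disable" flag, so its default value 0 leaves path MTU discovery enabled and writing 1 turns it off.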

