[Openswan Users] Linux Openswan U2.4.5/K2.6.16-2-686 (netkey) broke me

Brian Sheets brians at fl240.com
Tue Aug 8 10:43:14 EDT 2006


Ok, I upgraded my kernel and although the link comes up I can't send
packets bi-directionally

A quick rundown

192.168.21.x <-> netscreen 5gt <internet> < openswan box> - <10.0.0.0/8>

And

192.168.23.x <-> netscreen 5gt <internet> openswan box  <-> 10.0.0.0/8

So before, kernel was 2.6.8 running openswan 2.2.0, and everything
worked, just had issues with MTU, fast forward upgrade kernel to
2.6.16-2 and now, I can ping/ssh etc, from both 192.168.x networks to
the 10.0.0.0/8 network, but not from the 10.0.0.0/8 network to the
192.168.x.x networks

It appears that all traffic that is initiated from the 10.x network
tries to get sent out of my default route, you will also note a
10.1.161.2 address, this is a roadwarrior and it has the same problem, I
can route in, but packets to that address go out the default route

So we upgraded openswan to 2.4.5 but it didn't fix the problem, what did
I break by upgrading the kernel?

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.1.161.2      0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
130.94.106.64   0.0.0.0         255.255.255.224 U         0 0          0 eth0
192.168.23.0    198.172.205.1   255.255.255.0   UG        0 0          0 eth0
198.172.205.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.21.0    198.172.205.1   255.255.255.0   UG        0 0          0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 eth1
0.0.0.0         198.172.205.1   0.0.0.0         UG        0 0          0 eth0

config setup
        interfaces=%defaultroute
        #nat_traversal=yes
        klipsdebug=none
        plutodebug=all
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.0.0.0/24

conn netscreen
        type=tunnel
        auto=start
        auth=esp
        esp=3des
        authby=secret
        keyexchange=ike
        keylife=1h
        keyingtries=0
        pfs=no
        rekey=yes
        left=198.172.205.1
        leftnexthop=198.172.205.1
        leftsubnet=10.0.0.0/8
        leftid=198.172.205.201
        right=72.67.33.13
        rightid=72.67.33.13
        rightsubnet=192.168.23.0/24
        rightnexthop=192.168.23.1