[Openswan Users]

Andy Gay andy at andynet.net
Tue Aug 8 15:03:54 EDT 2006


On Tue, 2006-08-08 at 15:43 -0700, Brian Sheets wrote:
> Ok, I upgraded my kernel and although the link comes up I can’t send
> packets bi-directionally
> 
> A quick rundown
> 
> 192.168.21.x <-> netscreen 5gt <internet> < openswan box> - <10.0.0.0/8>
> 
> And 
> 
> 192.168.23.x <-> netscreen 5gt <internet> openswan box  <-> 10.0.0.0/8
> 
> So before, kernel was 2.6.8 running openswan 2.2.0, and everything
> worked, just had issues with MTU, fast forward upgrade kernel to
> 2.6.16-2 and
> 
> Now, I can ping/ssh etc, from both 192.168.x networks to the
> 10.0.0.0/8 network, but not from the 10.0.0.0/8 network to the
> 192.168.x.x networks
> 
> It appears that all traffic that is initiated from the 10.x network
> tries to get sent out of my default route, you will also note a
> 10.1.161.2 address, this is a roadwarrior and it has the same problem,
> I can route in, but packets to that address go out the default route

What's the source address of the packets you're sending out? If you're
connecting from the Openswan box itself you'll need to make sure the
source is in the 10.0.0.0/8 network. Easiest way is to add
'leftsourceip=<internal interface address>' to your conn.
> 
> So we upgraded openswan to 2.4.5 but it didn’t fix the problem, what
> did I break by upgrading the kernel?

Do you have any iptables rules? You have to do some things differently
since 2.6.16.


BTW - please use 'ip route', to dump your routing table.

> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 10.1.161.2      0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
> 130.94.106.64   0.0.0.0         255.255.255.224 U         0 0          0 eth0
> 192.168.23.0    198.172.205.1   255.255.255.0   UG        0 0          0 eth0
> 198.172.205.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
> 192.168.21.0    198.172.205.1   255.255.255.0   UG        0 0          0 eth0
> 10.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 eth1
> 0.0.0.0         198.172.205.1   0.0.0.0         UG        0 0          0 eth0
> 
> config setup
>         interfaces=%defaultroute
>         #nat_traversal=yes
>         klipsdebug=none
>         plutodebug=all
>         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.0.0.0/24
> 
> conn netscreen
>         type=tunnel
>         auto=start
>         auth=esp
>         esp=3des
>         authby=secret
>         keyexchange=ike
>         keylife=1h
>         keyingtries=0
>         pfs=no
>         rekey=yes
>         left=198.172.205.1
>         leftnexthop=198.172.205.1
>         leftsubnet=10.0.0.0/8
>         leftid=198.172.205.201
>         right=72.67.33.13
>         rightid=72.67.33.13
>         rightsubnet=192.168.23.0/24
>         rightnexthop=192.168.23.1
> 
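To make the source-address point in the reply concrete, here is an added example (not code from the thread or from Openswan) that models what the kernel does with a packet the Openswan box itself originates towards the netscreen side. It rejoins the routing table quoted above, does the longest-prefix route lookup, picks the source address from the egress interface, and then checks that source/destination pair against the leftsubnet/rightsubnet selectors of the quoted conn; only a matching pair is handed to IPsec, anything else leaves in the clear by the route shown. The interface addresses are assumptions: the thread never shows them, so 198.172.205.201 (the conn's leftid) stands in for eth0 and 10.0.0.1 is a placeholder for eth1; one address per interface is also an assumption.

```python
import ipaddress
from typing import NamedTuple, Optional

# The poster's routing table with its wrapped rows rejoined. Constructed
# input for this example; the values are the ones quoted in the thread.
ROUTING_TABLE = """\
10.1.161.2      0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
130.94.106.64   0.0.0.0         255.255.255.224 U         0 0          0 eth0
192.168.23.0    198.172.205.1   255.255.255.0   UG        0 0          0 eth0
198.172.205.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.21.0    198.172.205.1   255.255.255.0   UG        0 0          0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 eth1
0.0.0.0         198.172.205.1   0.0.0.0         UG        0 0          0 eth0
"""

# Selectors taken from 'conn netscreen' in the thread.
LEFT_SUBNET = ipaddress.IPv4Network("10.0.0.0/8")
RIGHT_SUBNET = ipaddress.IPv4Network("192.168.23.0/24")

# Assumed interface addresses (not shown in the thread): 198.172.205.201 is
# the conn's leftid, the other two are placeholders.
IFACE_ADDRS = {
    "eth0": ipaddress.IPv4Address("198.172.205.201"),
    "eth1": ipaddress.IPv4Address("10.0.0.1"),
    "ppp0": ipaddress.IPv4Address("10.1.161.1"),
}


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]
    iface: str


def parse_routes(text: str) -> list:
    """Parse 'route -n' style rows: Destination Gateway Genmask Flags MSS Window irtt Iface."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8:
            continue
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[-1]
        net = ipaddress.IPv4Network((dest, mask))
        gateway = None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw)
        routes.append(Route(net, gateway, iface))
    return routes


def lookup(routes, dst: str) -> Optional[Route]:
    """Longest-prefix match, the rule the kernel FIB applies."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def tunnel_matches(src: str, dst: str) -> bool:
    """True when src/dst fall inside leftsubnet/rightsubnet, i.e. the IPsec
    policy for this conn covers the packet. Anything else is routed in clear."""
    return (ipaddress.IPv4Address(src) in LEFT_SUBNET
            and ipaddress.IPv4Address(dst) in RIGHT_SUBNET)


def diagnose_local_flow(routes, dst: str, leftsourceip: Optional[str] = None) -> dict:
    """Model a packet originated on the Openswan box itself.

    Without leftsourceip the source is the address of the egress interface the
    route lookup selects (eth0 here), which lies outside leftsubnet, so the
    selectors never match. With leftsourceip the source is inside leftsubnet."""
    route = lookup(routes, dst)
    src = ipaddress.IPv4Address(leftsourceip) if leftsourceip else IFACE_ADDRS[route.iface]
    return {
        "src": str(src),
        "dst": dst,
        "egress": route.iface,
        "gateway": str(route.gateway) if route.gateway else None,
        "encrypted": tunnel_matches(str(src), dst),
    }


if __name__ == "__main__":
    table = parse_routes(ROUTING_TABLE)
    for sourceip in (None, "10.0.0.1"):
        print(diagnose_local_flow(table, "192.168.23.10", sourceip))
```

Run as-is it prints two verdicts for a ping from the box to 192.168.23.10: the first, without leftsourceip, sourced from the eth0 address and therefore not encrypted; the second, with leftsourceip set to the eth1 address, matching the selectors. Hosts on the 10.0.0.0/8 LAN behind eth1 already source from inside leftsubnet, so the check only bites for traffic the gateway itself originates.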


