[Openswan Users] Cannot ping hosts behind OpenSWAN host

[Jason Martin]

Hello,

I've started setting up an OpenSWAN 2.4.5rc4 host and I am having trouble 
understanding why it is not working the way I want it to.

I have a test setup now that looks like this:

Intranet---OpenSWAN machine-- "Public" Windows XP machine

Intranet settings - 192.168.1.0/24
OpenSWAN settings - eth0: 192.168.1.212; eth1: 1.1.1.1 ("public" interface)
Windows XP machine - 1.1.1.2

The OpenSWAN and XP machines are directly connected with a crossover cable for 
now. (Maybe this is where my problem is? Should I try this on an established 
network?)

I've been using Nate Carlson's page for getting OpenSWAN working between a 
Linux host and Windows roadwarrior with certificates 
(http://www.natecarlson.com/linux/ipsec-x509.php). I've set up the 
"roadwarrior" and "roadwarrior-net" connections on both machines, as in his 
instructions. Currently, I can connect from the roadwarrior to the OpenSWAN 
after pinging 1.1.1.1 from 1.1.1.2 (it does say "Negotiating IP Security" 
once or twice, then I get ping replies). However, if I try pinging anything 
on the intranet, then I see "Negotiating IP Security", then Request timed 
out.

If I tcpdump -i eth1 during pinging of an intranet machine, I see an arp 
request for the DNS name of the machine I'm pinging, and to let 1.1.1.2 know, 
but I see nothing on eth0 regarding the ping.

One thing I am confused about is if OpenSWAN handles all NAT transversal and 
knows how to route traffic to the proper interface on its own, or if iptables 
does need to be set up to do ipmasqing, because that appears to be the 
problem, although I've set up basic ipmasqing and it still does not work 
properly.

I did leave out my config files, but I assure you they are exactly what Nate 
has on his site.

Thank you very much in advance.

-- 
Jason Martin
Metrix Matrix, Inc.
785 Elmgrove Road, Building 1, Rochester, NY 14624
Office: 888-865-0065 Ext. 202
Mobile: (585) 721-8679