[Openswan Users]

Paul Wouters paul at xelerance.com
Fri Jan 20 18:38:14 CET 2006


On Fri, 20 Jan 2006, Joern Bredereck wrote:

> The following doesn't work:
>
> firegate is the central frees/wan router:
> kah is the ipsec-router of the 192.168.200.0/24 net
> leo is the ipsec-router of the 192.168.27.0/24 net
>
>
>
> 			"firegate"
> 			/	\
> 		ipsec1		ipsec1
> 		|		|
> 		eth1		eth1
> 		|		|
> ----------------------------------------------------------------
> 		INTERNET	INTERNET
> ----------------------------------------------------------------
> 		|		|
> 		eth2		eth0
> 		|		|
> 		ipsec0		ipsec0
> 		|		|
> 		"kah"		"leo"
> 		|		|
>  eth1 (192.168.200.0/24)	eth1 (192.168.27.0/24)
>
>
> Hosts of the 192.168.200.0/24-network cannot reach any hosts on the
> 192.168.27.0/24-network and vice versa.
>
> The same problem with other tunnels which are connected via ipsec1.

And you do have:
a) an ipsec tunnel on "kah" to "firegate" for 192.168.200.0/24 <===> 192.168.0.0/16 (or 192.168.27.0/24)
b) an ipsec tunnel on "leo" to "firegate" for 192.168.27.0/24 <===> 192.168.0.0/16 (or 192.168.200.0/24)
c) ip_forwarding enabled and no firewalling and rp_filter disabled on firegate?
d) if firegate is a 2.6 kernel, that it is NOT sending/soliciting icmp redirect packets since it
   is receiving / sending the packets over the same interface

You should verify:

a) kah is sending encrypted packet to firegate for the leo network (tcpdump on eth2)
b) firegate is decrypting these packets (tcpdump on ipsec1)
c) firegate is re-encrypting these packets (tcpdump on ipsec1)
d) firegate is sending encrypted packets (tcpdump on eth1)
e) leo is receiving encrypted packets (tcpdump on eth0)
f) leo is decrypting these packets (tcpdump on ipsec0)
g) leo is forwarding these packets (tcpdump on eth1)

> 4. ICMP-echo-requests come in via ipsec1 but are not being forwarded to the
> destination network via ipsec1.

This could be rp_filter or 2.6's bogus redirect packets.

Paul
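The hub-side conditions in points c) and d) above, as an added shell check that is not part of this thread or of Openswan itself (the root argument, which lets the checker be pointed at a copied /proc tree, and the function names are assumptions; it assumes the Linux /proc/sys/net/ipv4 layout):

```shell
#!/bin/sh
# Added example: audit the "firegate" hub settings the reply lists for a box
# that receives and re-sends spoke traffic over the same interface:
# ip_forward on, rp_filter off, and no ICMP redirects being sent.
# The effective rp_filter is the stricter of conf/all and conf/<iface>, and
# send_redirects is on if either scope sets it, so both scopes are checked.
# <root> is a hypothetical parameter naming a /proc tree (the live /proc,
# or a constructed copy for testing).

# read_sysctl <root> <path under sys/net/ipv4>  -> value, or "missing"
read_sysctl() {
    f="$1/sys/net/ipv4/$2"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# expect <root> <path> <wanted> <why>  -> prints a verdict, returns 1 on mismatch
expect() {
    v=$(read_sysctl "$1" "$2")
    if [ "$v" = "$3" ]; then
        echo "ok   $2=$v"
    else
        echo "FAIL $2=$v (want $3: $4)"
        return 1
    fi
}

# check_hub_forwarding <root> <internet-facing iface>
# Returns 0 only when every setting matches what the hub needs.
check_hub_forwarding() {
    root="$1"; iface="$2"; rc=0
    expect "$root" ip_forward 1 "hub must forward between the tunnels" || rc=1
    for scope in all "$iface"; do
        expect "$root" "conf/$scope/rp_filter" 0 \
            "reverse-path check must be off on the hub" || rc=1
        expect "$root" "conf/$scope/send_redirects" 0 \
            "kernel must not send ICMP redirects to the spokes" || rc=1
    done
    return $rc
}

# Usage: sh check_hub.sh /proc eth1
if [ "$#" -eq 2 ]; then
    check_hub_forwarding "$1" "$2"
fi
```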
