[Openswan Users]

Cameron Davidson cam73 at aanet.com.au
Sun Jul 23 13:20:51 CEST 2006

Greg Scott wrote:
> I must be missing something basic here.  I am trying to a simple tunnel
> with 2 subnets.  Here is the scenario below.  Apologies if an emailer
> somewhere along the line butchers the line wrapping. 
> Roseville
> Lakeville
> Left
> Right
>                Left Firewall  <-Internet--> Right Firewall
>  eth1       eth0             eth0             eth1
> The left firewall and right firewall are running fc5 with the netkey
> stack and kernel from kernel.org.  
> When I watch /var/log/secure on both systems, I see a series of
> messages, ending with messages like this:
> Jul 22 18:17:02 lakeville-fw pluto[5492]: "Roseville-Lakeville" #5:
> transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Jul 22 18:17:02 lakeville-fw pluto[5492]: "Roseville-Lakeville" #5:
> STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xad5f74c3}
> This tells me the SA is established between the subnets, so
> communication between the two subnets should go over the tunnel.  But
> that's not what happens.  When a host in either subnet tries to ping the
> other side, tcpdump on the sending firewall tells me the packets route
> in the clear out across the Internet.  I should see esp messages going
> to/from the other subnet.  But instead, I see icmp echo request messages
> coming from the sending subnet.  Yuck!
> snip...

yes, the routing table would be useful.

I find a useful tcpdump command to be:
tcpdump -i any -s 0 -w dump-filename icmp or \
        host <local-sender-ip> or host <remote-gw-ip>
the "icmp" is to trap "unreachable" messages from intermediate routers 
in case of mtu problems.

you should see a ping appear on internal interface, then an esp on the 
external i/f.
Return is different - you should see the ESP on the external i/f then 
the decrypted reply on the *external* interface, then the same packet 
going out the internal i/f.


More information about the Users mailing list