[Openswan Users] OpenSwan + NETKEY

Fabio Corazza fabio at newbay.com
Mon Jun 12 19:11:02 CEST 2006


Sorry to bother all of you on a very well-known subject, I'm just trying
to figure out how to debug a problem on my tunnel.

I've successfully established a tunnel between me (initiator, Linux
2.6.15, OpenSwan 2.4.5) and a Netscreen 5xt.

This is the flow:

(internal box)
192.168.2.52
[eth0]
  |
  |
[eth2]192.168.2.10
(Openswan linux 2.6.15)
xx.xx.xx.xx[ppp0]
  |
  |
xx.xx.xx.xx[PublicIf]
(Netscreen 5xt)



Actually the problem is that I can't ping a machine behind the Netscreen
from the internal box. The problem is that I'm unable to address the
problem on my side or theirs (this is a customer and I can't access
their system).

The way NETKEY obfuscates (sorry for the term) where traffic goes and
where it doesn't makes things pretty difficult to understand when you have
to debug something. Actually I'm unable to use tcpdump to do this.

I'm wondering if I have any firewall issue, but it seems not. The remote
firewall is configured to receive requests from my internal box
(192.168.2.52), that's why I configured this in ipsec.conf:

leftsubnet="192.168.2.52/32"

In fact if I try to reach the remote server from the VPN box I get routed
through the ISP internet connection, but if I try the same from the internal
box the routing seems to be different:

# traceroute xx.xx.xx.xx
traceroute to xx.xx.xx.xx (xx.xx.xx.xx), 30 hops max, 38 byte packets
 1  192.168.2.10 (192.168.2.10)  0.216 ms  0.204 ms  0.233 ms
 2  * * *


It seems like the packets are dropped at the other end, but since the
NETKEY stack is no longer able to show the traffic through the ipsecXX
interface, I'm stuck in this state and have no access to the remote VPN
server.

Does anybody have a clue regarding this issue, or some consideration to
point out to me?

Any help greatly appreciated.


Thanks,
Fabio
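An added example, not part of Fabio's post or of Openswan itself: with NETKEY the per-SA counters from `ip -s xfrm state` tell you whether the internal host's packets are entering the tunnel at all, which is the information the old ipsecX interface used to give through tcpdump. The script parses constructed output in that layout (an assumed format; real output carries more lines, which are skipped) and flags SAs whose packet counter never moves; the public address 203.0.113.10 and all SPIs and counters are made up.

```python
import re

# Constructed sample in the layout of `ip -s xfrm state` on a NETKEY box (assumed
# layout; real output has more lines, which are skipped). Values are made up.
SAMPLE_XFRM_STATE = """\
src 203.0.113.10 dst 198.51.100.20
    proto esp spi 0x0a1b2c3d reqid 16385 mode tunnel
    lifetime current:
      0(bytes), 0(packets)
src 198.51.100.20 dst 203.0.113.10
    proto esp spi 0x4e5f6a7b reqid 16385 mode tunnel
    lifetime current:
      18432(bytes), 96(packets)
"""

HDR_RE = re.compile(r"^src (\S+) dst (\S+)$")
SPI_RE = re.compile(r"proto (\w+) spi (0x[0-9a-fA-F]+) .*mode (\w+)")
CNT_RE = re.compile(r"(\d+)\(bytes\), (\d+)\(packets\)")

def parse_xfrm_state(text):
    """Return one dict per SA: src, dst, proto, spi, mode, bytes, packets."""
    sas = []
    for raw in text.splitlines():
        line = raw.strip()
        hdr = HDR_RE.match(line)
        if hdr:  # every 'src ... dst ...' line opens a new SA block
            sas.append({"src": hdr.group(1), "dst": hdr.group(2)})
            continue
        if not sas:
            continue  # ignore text before the first SA header
        spi, cnt = SPI_RE.search(line), CNT_RE.search(line)
        if spi:
            sas[-1].update(proto=spi.group(1), spi=spi.group(2), mode=spi.group(3))
        elif cnt:
            sas[-1].update(bytes=int(cnt.group(1)), packets=int(cnt.group(2)))
    return sas

def diagnose(sas, local_ip):
    """One finding per SA whose packet counter is still zero."""
    findings = []
    for sa in sas:
        if sa.get("packets", 0) != 0:
            continue
        if sa["src"] == local_ip:  # outbound: our plaintext never got encrypted
            findings.append(f"outbound SA {sa['spi']}: 0 packets encrypted, "
                            "the internal host's traffic never matched the policy")
        else:  # inbound: nothing ever came back from the peer
            findings.append(f"inbound SA {sa['spi']}: 0 packets decrypted, "
                            "no ESP received from the peer")
    return findings
```

On the real box, feed it the output of `ip -s xfrm state` with the ppp0 address as `local_ip`; the outer ESP packets are still visible with `tcpdump -ni ppp0 esp` even though the inner plaintext is not.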

