[Openswan Users] Can't Ping across VPN

James House jhouse at pronetit.com
Thu May 4 11:52:52 CEST 2006

Here's ipsec verify

[root@JMH-LINUX ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.4/K2.6.16-1.2096_FC5 (netkey)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Checking for 'setkey' command for NETKEY IPsec stack support    [OK]
Opportunistic Encryption Support                                [DISABLED]
[root@JMH-LINUX ~]#

We're using PSK, so I think it's OK that the RSA key failed. Could you offer
some more info on "check forwarding, rp_filter, firewall, nat rules"?
I still don't have a good grasp of iptables.
James House

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Thursday, May 04, 2006 9:54 AM
To: James House
Cc: OpenSWAN Users List
Subject: Re: [Openswan Users] Can't Ping across VPN

On Thu, 4 May 2006, James House wrote:

> I'm trying to set up a net-net vpn with a friend. We live in the same
> apartment complex and both have cable modems. We both have Linux machines
> as our firewall/gateway. Mine is FC5 and his is Kubuntu. Here's the result of
> "ipsec auto -status"

run ipsec verify

> 000 #14: "net-to-net":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
> EVENT_SA_REPLACE in 12481s; newest IPSEC; eroute owner

Looks established, but the ISP might be filtering IPsec packets.

> It looks like the VPN is up, but we can't ping anything on the other side.
> We've both looked everywhere for something that addresses this issue, but
> can't find any help. Could you help us?

check forwarding, rp_filter, firewall, nat rules and if that all didn't help
try using forceencaps=yes on both ends.

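The "check forwarding, rp_filter, nat rules" items from the reply, written out as an added example that is not part of the original thread: it checks the two kernel settings and whether a POSTROUTING MASQUERADE/SNAT rule would rewrite traffic bound for the remote LAN before any exemption matches, which leaves an established SA carrying no pings. The interface `eth0`, the remote subnet `192.168.2.0/24` and both rule sets are constructed assumptions.

```shell
#!/bin/bash
# Added example. Interface name and subnets are constructed placeholders.

# check_sysctl NAME CURRENT WANTED: returns 0 when CURRENT equals WANTED.
check_sysctl() {
    if [ "$2" = "$3" ]; then echo "OK   $1=$2"; return 0; fi
    echo "FIX  $1=$2 (want $3)"; return 1
}

# nat_exempts_tunnel REMOTE_SUBNET  (reads iptables-save output on stdin)
# Walks POSTROUTING in rule order, since the first matching rule wins.
# Returns 0 if traffic to REMOTE_SUBNET is exempted before any
# MASQUERADE/SNAT rule, 1 if a NAT rule would rewrite it first.
# Limitation: subnets are compared as strings (no CIDR containment), and
# negation is expected in the "! -d net" form.
nat_exempts_tunnel() {
    awk -v net="$1" '
    $1 == "-A" && $2 == "POSTROUTING" {
        skip = 0
        accept = ($0 ~ /-j (ACCEPT|RETURN)/)
        # Rule that accepts anything matching an outbound IPsec policy.
        if (accept && $0 ~ /--pol ipsec/) { print "exempt: " $0; exit 0 }
        for (i = 3; i < NF; i++) {
            if ($i != "-d" || $(i + 1) != net) continue
            # A negated destination means this rule skips tunnel traffic.
            if ($(i - 1) == "!") { skip = 1 } else if (accept) { print "exempt: " $0; exit 0 }
        }
        if (!skip && $0 ~ /-j (MASQUERADE|SNAT)/) { print "NAT hit: " $0; exit 1 }
    }'
}

# Constructed sample: typical home-gateway NAT table without an exemption.
SAMPLE_BAD='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Constructed sample: the remote LAN is accepted before the MASQUERADE rule.
SAMPLE_GOOD='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -d 192.168.2.0/24 -o eth0 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

check_sysctl net.ipv4.ip_forward 1 1
check_sysctl net.ipv4.conf.eth0.rp_filter 1 0 || true
printf '%s\n' "$SAMPLE_BAD"  | nat_exempts_tunnel 192.168.2.0/24 || true
printf '%s\n' "$SAMPLE_GOOD" | nat_exempts_tunnel 192.168.2.0/24
```

On a live gateway, pass real values instead of the samples: `check_sysctl net.ipv4.ip_forward "$(sysctl -n net.ipv4.ip_forward)" 1` and `iptables-save -t nat | nat_exempts_tunnel` followed by the other side's subnet.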