[Openswan Users] openswan not encapsulating packets
Brian Candler
B.Candler at pobox.com
Mon May 22 13:22:12 CEST 2006
On Mon, May 22, 2006 at 12:56:42PM +0200, Leonardo Piras wrote:
> conn dada-infoblu
> authby=secret
> left=195.110.125.103
> leftsubnet=192.168.3.224/29
> leftnexthop=%defaultroute
> right=193.111.71.225
> rightsubnet=100.150.1.13/32
> pfs=yes
> auto=start
...
> BUT, "dada-infoblu" tunnel is not working, though connected.
> I can't even see ESP packets flowing:
>
> tiglio:~# tcpdump -i any host 193.111.71.225 or 100.150.1.13
>
> listening on any, link-type LINUX_SLL (Linux cooked), capture size 96
> bytes
> 12:19:36.336614 IP 172.16.0.4 > 100.150.1.13: icmp 64: echo request seq
> 1
> 12:19:36.340207 IP tiglio.softecspa.it > 100.150.1.13: icmp 64: echo
> request seq 1
> 12:19:37.335878 IP 172.16.0.4 > 100.150.1.13: icmp 64: echo request seq
> 2
> 12:19:37.335920 IP tiglio.softecspa.it > 100.150.1.13: icmp 64: echo
> request seq 2

You are sending pings with a source IP of 172.16.0.4, but the 'leftsubnet'
declaration is for 192.168.3.224/29, so the packets don't match the policy.

If your client machine actually has an address on 192.168.3.224/29, then use
this as the source: e.g.

    ping -I 192.168.3.225 100.150.1.13

(Hint: if you add '-n' to your tcpdump command, this will stop reverse DNS
lookups, which will make it clearer in this case I think)

Brian.
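
The selector check described in the reply above, as an added example that is not part of the original post or of Openswan: it reads leftsubnet/rightsubnet from the conn stanza and tests each captured packet against them. The capture lines are constructed in `tcpdump -n` format, and the function names are hypothetical.

```python
import ipaddress
import re

# Selector-relevant keys of the conn stanza quoted in the post.
CONN = """\
conn dada-infoblu
    left=195.110.125.103
    leftsubnet=192.168.3.224/29
    right=193.111.71.225
    rightsubnet=100.150.1.13/32
"""

# Constructed sample lines in `tcpdump -n` format (numeric addresses only).
CAPTURE = """\
12:19:36.336614 IP 172.16.0.4 > 100.150.1.13: icmp 64: echo request seq 1
12:19:36.340207 IP 195.110.125.103 > 100.150.1.13: icmp 64: echo request seq 1
12:20:01.000000 IP 192.168.3.225 > 100.150.1.13: icmp 64: echo request seq 1
"""

# Matches portless lines (ICMP, as in the post); TCP/UDP lines carry a port suffix.
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+):")

def parse_selectors(conn_text):
    """Return (leftsubnet, rightsubnet) as ip_network objects."""
    opts = dict(re.findall(r"^\s*(\w+)=(\S+)", conn_text, re.MULTILINE))
    return (ipaddress.ip_network(opts["leftsubnet"]),
            ipaddress.ip_network(opts["rightsubnet"]))

def matches_policy(src, dst, left_net, right_net):
    """True if a left-to-right packet falls inside both tunnel selectors."""
    return (ipaddress.ip_address(src) in left_net
            and ipaddress.ip_address(dst) in right_net)

def classify(capture_text, conn_text):
    """Return [(src, dst, in_policy)] for every parsed packet line."""
    left_net, right_net = parse_selectors(conn_text)
    results = []
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, dst = m.groups()
            results.append((src, dst, matches_policy(src, dst, left_net, right_net)))
    return results

if __name__ == "__main__":
    for src, dst, ok in classify(CAPTURE, CONN):
        verdict = "inside selectors" if ok else "outside selectors, not encapsulated"
        print(f"{src} -> {dst}: {verdict}")
```
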