[Openswan Users] Openswan not encapsulating packets.
Daniele Melosi
Mailing2004 at melosi.it
Tue May 23 16:18:12 CEST 2006
Leonardo Piras wrote:
> Hi there everyone,
> i have a problem which is causing me some headache:
>
> here is my ipsec.conf
>
> # DADA - Infoblu
> conn dada-infoblu
> authby=secret
> left=195.110.125.103
> leftsubnet=192.168.3.224/29
> leftnexthop=%defaultroute
> right=193.111.71.225
> rightsubnet=100.150.1.13/32
> pfs=yes
> auto=start
[cut]
> tiglio:~# tcpdump -i any host 193.111.71.225 or 100.150.1.13
>
> listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
> 12:19:36.336614 IP 172.16.0.4 > 100.150.1.13: icmp 64: echo request seq 1
> 12:19:36.340207 IP tiglio.softecspa.it > 100.150.1.13: icmp 64: echo request seq 1
You're trying to ping from an incorrect src ip address (172.16.0.4, you
should use a 192.168.3.224/29 address); IPSEC doesn't recognize the src
ip address in the tunnel. You have 2 solutions:
1) change leftsubnet=172.16.0.0/16, or alternatively:
2) ping from a different src ip address (a 192.168.3.224/29 address)
[cut]
> As you can see, i can only see clear text pings from one host to the
> other.
> Openswan is not encapsulating packets and it's not sending them through
> the ipsec tunnel.
openswan is not encapsulating packets because you don't tell it to
encapsulate (it expects packets from the 192.168.3.224/29 network and you're
sending packets from 172.16.0.4).
And do not masq or nat packets to be tunneled (if on the server you are
using ip masq or nat, you must exempt the packets you wish to tunnel, as
you can read in the openswan wiki).
Daniele Melosi
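As an added illustration of the reply above (example code, not from the thread or from Openswan): a small shell helper that checks whether a src/dst pair falls inside the conn's leftsubnet/rightsubnet selectors, which is what decides whether the packet gets encapsulated, and prints a NAT exemption rule. The subnets are the ones from the quoted ipsec.conf; the iptables rule shape and the nat POSTROUTING chain are my assumption, since the reply only points to the wiki.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether Openswan would tunnel
# a packet based on the conn selectors, and show the NAT exemption rule.

# Selectors copied from the ipsec.conf quoted in the thread.
LEFTSUBNET="192.168.3.224/29"
RIGHTSUBNET="100.150.1.13/32"

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR CIDR -> exit status 0 when ADDR lies inside CIDR
in_cidr() {
  local addr net bits mask
  addr=$(ip2int "$1")
  net=$(ip2int "${2%/*}")
  bits=${2#*/}
  if [ "$bits" -eq 0 ]; then
    mask=0
  else
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  fi
  [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# would_tunnel SRC DST -> "tunnel" only when BOTH selectors match,
# otherwise "cleartext" (the symptom seen in the tcpdump above).
would_tunnel() {
  if in_cidr "$1" "$LEFTSUBNET" && in_cidr "$2" "$RIGHTSUBNET"; then
    echo tunnel
  else
    echo cleartext
  fi
}

# nat_exempt_rule -> rule that keeps to-be-tunneled traffic out of MASQUERADE.
# Assumed form; it must sit before the MASQUERADE rule in nat/POSTROUTING.
nat_exempt_rule() {
  echo "iptables -t nat -I POSTROUTING -s $LEFTSUBNET -d $RIGHTSUBNET -j ACCEPT"
}

would_tunnel 172.16.0.4 100.150.1.13      # the thread's ping: cleartext
would_tunnel 192.168.3.225 100.150.1.13   # a leftsubnet address: tunnel
nat_exempt_rule
```

Changing leftsubnet to 172.16.0.0/16, the reply's first option, makes the original 172.16.0.4 source match as well.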