[Openswan Users] Ipsec connection doesn't work over PPP
Paul Wouters
paul at xelerance.com
Thu Nov 9 11:42:57 EST 2006
On Thu, 9 Nov 2006, Antony Gelberg wrote:
> I have a roadwarrior config on my laptop (roadwarrior-net in the logs),
> that works very well from outside the office, via ADSL connections,
> whether my laptop has a public or static IP.
>
> However, when I connect to the Internet via my mobile phone (ppp0 in the
> logs), everything works apart from openswan. The SA comes up, but I
> can't ping or do anything else via the gateway.
>
> I've put a barf at http://static.wayforth.co.uk/ipsec_barf. Hope

Some things I see:

- Enable IP forwarding
- Disable rp_filter on all interfaces
- Recompile kernel with Advanced routing enabled.

conn roadwarrior-net
    left=82.69.161.254
    leftcert=robert.wayforth.co.uk_cert.pem
    leftsubnet=192.168.168.0/24
    right=%defaultroute
    rightcert=myung.wayforth.local_cert.pem
    auto=start
    pfs=yes

I am somewhat confused whether I am looking at a client or server barf,
since you mentioned the client was a phone.

Can you change left and right? There might be a bug with right=%defaultroute
not working as expected. If this is the server, it would need
right=%any, not right=%defaultroute.

You also need auto=add because you cannot initiate to %any, you need to wait
for them to initiate to you.

The logs show no problem, so it could be that ESP packets are being filtered.
Try adding "forceencaps=yes" to roadwarrior-net. It will cause NAT-T to kick
in and use ESPinUDP packets instead of ESP. Perhaps those are not filtered.
Paul
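
Added example, not part of Paul's message: a POSIX shell check for the first two items in his list (IP forwarding enabled, rp_filter disabled on every interface). The function name check_ipsec_sysctls and its optional sysctl-root argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit the sysctl prerequisites named in the reply above.
# The optional first argument (hypothetical, default /proc/sys) lets the
# check run against a copied or constructed tree instead of the live host.

# Prints one FAIL line per finding; returns 0 if clean, 1 otherwise.
check_ipsec_sysctls() {
    sysroot="${1:-/proc/sys}"
    ipv4="$sysroot/net/ipv4"
    rc=0

    # The gateway has to forward decrypted packets on to the protected
    # subnet, so ip_forward must read 1.
    fwd=$(cat "$ipv4/ip_forward" 2>/dev/null) || fwd="missing"
    if [ "$fwd" != "1" ]; then
        echo "FAIL net.ipv4.ip_forward=$fwd (want 1)"
        rc=1
    fi

    # The reply asks for rp_filter off on all interfaces, so every
    # conf/<name>/rp_filter entry (all, default, eth0, ppp0, ...) is read.
    for f in "$ipv4"/conf/*/rp_filter; do
        [ -e "$f" ] || continue          # glob matched nothing
        val=$(cat "$f")
        iface=$(basename "$(dirname "$f")")
        if [ "$val" != "0" ]; then
            echo "FAIL net.ipv4.conf.$iface.rp_filter=$val (want 0)"
            rc=1
        fi
    done

    return $rc
}
```

Source the file and call check_ipsec_sysctls with no argument to audit the running system; a non-zero return means at least one setting differs from what the reply asks for.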