[Openswan Users] Ipsec connection doesn't work over PPP
Antony Gelberg
antony at wayforth.co.uk
Thu Nov 9 12:44:40 EST 2006
Paul Wouters wrote:
> On Thu, 9 Nov 2006, Antony Gelberg wrote:
>
>> I have a roadwarrior config on my laptop (roadwarrior-net in the logs),
>> that works very well from outside the office, via ADSL connections,
>> whether my laptop has a public or static IP.
>>
>> However, when I connect to the Internet via my mobile phone (ppp0 in the
>> logs), everything works apart from openswan. The SA comes up, but I
>> can't ping or do anything else via the gateway.
>>
>> I've put a barf at http://static.wayforth.co.uk/ipsec_barf. Hope
>
> Some things I see:
> - Enable IP forwarding
> - Disable rp_filter on all interfaces
> - Recompile kernel with Advanced routing enabled.
>

Hi Paul,

Thanks for responding. I don't see why I need to do this when the same
configuration works with another Internet connection e.g. ADSL via eth0.

> conn roadwarrior-net
>     left=82.69.161.254
>     leftcert=robert.wayforth.co.uk_cert.pem
>     leftsubnet=192.168.168.0/24
>     right=%defaultroute
>     rightcert=myung.wayforth.local_cert.pem
>     auto=start
>     pfs=yes
>
> I am somewhat confused whether I am looking at a client or server barf,
> since you mentioned the client was a phone.
>

Little confusion there. The client and server are both Linux-based.
The phone is used merely for its UMTS modem which manifests as ppp0 on
the client. You are looking at a client barf.

> Can you change left and right? There might be a bug where right=%defaultroute
> does not work as expected. If this is the server, it would need
> right=%any, not right=%defaultroute.
> You also need auto=add because you cannot initiate to %any, you need to wait
> for them to initiate to you.
>
> The logs show no problem, so it could be that ESP packets are being filtered.
> Try adding "forceencaps=yes" to roadwarrior-net. It will cause NAT-T to kick
> in and use ESPinUDP packets instead of ESP. Perhaps those are not filtered.
>

I'll try that and report back, thank you.

Antony
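
The items raised in the quoted reply (IP forwarding, rp_filter per interface, and `forceencaps=yes` on the `roadwarrior-net` conn) can be checked with a short script. This is an added example, not part of the original thread or of Openswan; the function names and the `audit` argument are assumptions made for the sketch.

```shell
#!/bin/sh
# Added example: audit the settings named in the reply above.
# Function names and the "audit" argument are hypothetical.

# Print one finding per line for the sysctl tree under $1
# (defaults to the live /proc/sys/net/ipv4).
check_sysctls() {
    root="${1:-/proc/sys/net/ipv4}"
    if [ "$(cat "$root/ip_forward" 2>/dev/null)" != "1" ]; then
        echo "ip_forward is not 1"
    fi
    for f in "$root"/conf/*/rp_filter; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            # Directory name is the interface, e.g. ppp0 or eth0.
            echo "rp_filter enabled on $(basename "$(dirname "$f")")"
        fi
    done
    return 0
}

# Succeed only if conn $2 in ipsec.conf file $1 sets forceencaps=yes.
# A section runs from its "conn NAME" line to the next unindented line.
conn_has_forceencaps() {
    awk -v want="$2" '
        /^conn[ \t]/ { in_conn = ($2 == want); next }
        /^[^ \t#]/   { in_conn = 0 }
        in_conn && /^[ \t]+forceencaps[ \t]*=[ \t]*yes[ \t]*$/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Run against the live system only when called as: script audit
if [ "${1:-}" = "audit" ]; then
    check_sysctls
    conn_has_forceencaps /etc/ipsec.conf roadwarrior-net ||
        echo "roadwarrior-net: forceencaps=yes not set"
fi
```
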