[Openswan Users] Ipsec connection doesn't work over PPP

Antony Gelberg antony at wayforth.co.uk
Thu Nov 23 08:32:47 EST 2006


> Paul Wouters wrote:
>> On Thu, 9 Nov 2006, Antony Gelberg wrote:
>>
>>> I have a roadwarrior config on my laptop (roadwarrior-net in the logs),
>>> that works very well from outside the office, via ADSL connections,
>>> whether my laptop has a public or static IP.
>>>
>>> However, when I connect to the Internet via my mobile phone (ppp0 in the
>>> logs), everything works apart from openswan.  The SA comes up, but I
>>> can't ping or do anything else via the gateway.
>>>
>>> I've put a barf at http://static.wayforth.co.uk/ipsec_barf.  Hope
>>
>> Some things I see:
>> - Enable IP forwarding
>> - Disable rp_filter on all interfaces
>> - Recompile kernel with Advanced routing enabled.
>>
>
> Hi Paul,
>
> Thanks for responding.  I don't see why I need to do this when the same
> configuration works with another Internet connection e.g. ADSL via eth0.
>
>> conn roadwarrior-net
>>         left=82.69.161.254
>>         leftcert=robert.wayforth.co.uk_cert.pem
>>         leftsubnet=192.168.168.0/24
>>         right=%defaultroute
>>         rightcert=myung.wayforth.local_cert.pem
>>         auto=start
>>         pfs=yes
>>
>> I am somewhat confused whether I am looking at a client or server barf,
>> since you mentioned the client was a phone.
>>
>
> Little confusion there.  The client and server are both Linux-based.
> The phone is used merely for its UMTS modem which manifests as ppp0 on
> the client.  You are looking at a client barf.
>
>> Can you change left and right. There might be a bug where
>> right=%defaultroute does not work as expected.

No difference.

>> If this is the server, it would need
>> right=%any, not right=%defaultroute.
>> You also need auto=add because you cannot initiate to %any, you need to
>> wait for them to initiate to you.
>>
>> The logs show no problem, so it could be that ESP packets are being
>> filtered.
>> Try adding "forceencaps=yes" to roadwarrior-net. It will cause NAT-T to
>> kick in and use ESPinUDP packets instead of ESP. Perhaps those are not
>> filtered.
>>

Unfortunately this didn't help at all.

Is there any other option than to ask Vodafone?  Is anybody using openswan
over a Vodafone data link?

Antony
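Paul's suggestion above hinges on whether the carrier passes raw ESP (IP protocol 50) or only the UDP/4500 encapsulation that forceencaps=yes forces. The following classifier, an added example and not code from this thread or from Openswan, decodes what a datagram captured on UDP/4500 actually carries (RFC 3948 NAT-T: a zero "non-ESP marker" means IKE, a 0xFF byte is a keepalive, anything else is UDP-encapsulated ESP). The sample payloads are constructed, not taken from the barf.

```python
import struct

# RFC 3948: IKE sent over UDP/4500 is prefixed with four zero bytes; ESP SPI 0
# is reserved, so a zero first word can never be a real ESP header.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
# ISAKMP/IKE header: iSPI(8) rSPI(8) next(1) ver(1) exch(1) flags(1) msgid(4) len(4)
IKE_HDR = struct.Struct("!QQBBBBII")

def classify_natt_payload(payload: bytes) -> dict:
    """Classify the UDP payload of a port-4500 datagram."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        body = payload[len(NON_ESP_MARKER):]
        if len(body) < IKE_HDR.size:
            return {"kind": "unknown", "reason": "truncated IKE header"}
        ispi, rspi, _nxt, ver, exch, flags, msgid, length = IKE_HDR.unpack_from(body)
        return {
            "kind": "ike",
            "version": f"{ver >> 4}.{ver & 0x0F}",
            "exchange_type": exch,
            "initiator_spi": ispi,
            "responder_spi": rspi,
            "declared_length": length,
        }
    if len(payload) < 8:
        return {"kind": "unknown", "reason": "too short for ESP"}
    # UDP-encapsulated ESP: the ESP header (SPI, sequence number) starts at offset 0.
    spi, seq = struct.unpack_from("!II", payload)
    return {"kind": "esp", "spi": spi, "seq": seq}

def summarize(payloads: list) -> dict:
    """Count payload kinds over a set of captured UDP/4500 datagrams.

    If an SA is up but only 'ike' and 'keepalive' appear while no 'esp' does,
    the encapsulated data path itself is not reaching this host."""
    counts: dict = {}
    for p in payloads:
        kind = classify_natt_payload(p)["kind"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts

# Constructed samples (not from the original thread).
SAMPLE_IKE = NON_ESP_MARKER + IKE_HDR.pack(
    0x1122334455667788, 0x99AABBCCDDEEFF00, 8, 0x10, 32, 0x01, 0x0A0B0C0D, 76) + b"\x00" * 48
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"\xAB" * 40
```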


