[Openswan Users] Ipsec connection doesn't work over PPP

Paul Overton paul at trusted-management.com
Fri Nov 24 02:35:15 EST 2006

Ipsec does work with Vodafone; however, you need to be aware that
Vodafone use a small MTU. Not sure of the exact value, but we are
talking 1000 ish.

I have used that between WinXP and Openswan using native Ipsec.

Paul Overton

-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Antony Gelberg
Sent: 23 November 2006 13:33
To: Antony Gelberg
Cc: users at openswan.org
Subject: Re: [Openswan Users] Ipsec connection doesn't work over PPP

> Paul Wouters wrote:
>> On Thu, 9 Nov 2006, Antony Gelberg wrote:
>>> I have a roadwarrior config on my laptop (roadwarrior-net in the 
>>> logs), that works very well from outside the office, via ADSL 
>>> connections, whether my laptop has a public or static IP.
>>> However, when I connect to the Internet via my mobile phone (ppp0 in
>>> the logs), everything works apart from openswan.  The SA comes up, 
>>> but I can't ping or do anything else via the gateway.
>>> I've put a barf at http://static.wayforth.co.uk/ipsec_barf.  Hope
>> Some things I see:
>> - Enable IP forwarding
>> - Disable rp_filter on all interfaces
>> - Recompile kernel with Advanced routing enabled.
> Hi Paul,
> Thanks for responding.  I don't see why I need to do this when the 
> same configuration works with another Internet connection e.g. ADSL
> via eth0.
>> conn roadwarrior-net
>>         left=
>>         leftcert=robert.wayforth.co.uk_cert.pem
>>         leftsubnet=
>>         right=%defaultroute
>>         rightcert=myung.wayforth.local_cert.pem
>>         auto=start
>>         pfs=yes
>> I am somewhat confused whether I am looking at a client or server 
>> barf, since you mentioned the client was a phone.
> Little confusion there.  The client and server are both Linux-based.
> The phone is used merely for its UMTS modem which manifests as ppp0 on
> the client.  You are looking at a client barf.
>> Can you change left and right. There might be a bug with 
>> right=%defaultroute does not work as expected.

No difference.

>> If this is the server, it would need
>> right=%any, not right=%defaultroute.
>> You also need auto=add because you cannot initiate to %any, you need 
>> to wait for them to initiate to you.
>> The logs show no problem, so it could be that ESP packets are being 
>> filtered.
>> Try adding "forceencaps=yes" to roadwarrior-net. It will cause NAT-T 
>> to kick in and use ESPinUDP packets instead of ESP. Perhaps those are
>> not filtered.

Unfortunately this didn't help at all.

Is there any other option than to ask Vodafone?  Is anybody using
openswan over a Vodafone data link?
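
The MTU point in the reply above, and the forceencaps suggestion in the quoted thread, are easier to reason about with numbers. This is an added example, not code from Openswan or from the posters; it assumes a 3DES/HMAC-SHA1-96 SA and the "1000 ish" link MTU, and shows how much of that MTU plain ESP versus ESP-in-UDP consumes and what TCP MSS to clamp so tunnelled traffic does not depend on path-MTU discovery surviving the PPP link.

```python
"""ESP / ESP-in-UDP overhead calculator for an IPsec tunnel over a small-MTU link.

Added example for this thread, not code from Openswan or from the posters. The
cipher suite and the ~1000-byte PPP MTU are assumptions; read the real ones from
the negotiated SA (ipsec auto --status)."""

# (IV length, cipher block size) in bytes for common ESP ciphers.
CIPHERS = {"3des": (8, 8), "aes": (16, 16)}
# ICV (truncated MAC) length in bytes.
INTEGRITY = {"hmac-sha1-96": 12, "hmac-md5-96": 12, "hmac-sha2-256-128": 16}

IP_HDR = 20
UDP_HDR = 8      # only with NAT-T, i.e. what forceencaps=yes switches on
ESP_HDR = 8      # SPI (4) + sequence number (4)
ESP_TRAILER = 2  # pad length (1) + next header (1)


def esp_packet_size(inner_len, cipher="3des", integ="hmac-sha1-96", udp_encap=False):
    """Outer IPv4 length of a tunnel-mode ESP packet carrying inner_len bytes."""
    iv_len, block = CIPHERS[cipher]
    plaintext = inner_len + ESP_TRAILER
    padding = (-plaintext) % block  # pad so the encrypted part is block-aligned
    size = IP_HDR + ESP_HDR + iv_len + plaintext + padding + INTEGRITY[integ]
    return size + (UDP_HDR if udp_encap else 0)


def max_inner_packet(link_mtu, **kw):
    """Largest inner IP packet whose ESP encapsulation still fits link_mtu,
    i.e. the MTU the tunnel should present to the protected hosts."""
    for inner in range(link_mtu, 0, -1):
        if esp_packet_size(inner, **kw) <= link_mtu:
            return inner
    raise ValueError("link MTU too small for any ESP payload")


def tcp_mss_clamp(link_mtu, **kw):
    """TCP MSS to clamp on tunnelled traffic so a full segment never has to be
    fragmented: inner MTU minus IPv4 (20) and TCP (20) headers."""
    return max_inner_packet(link_mtu, **kw) - 40


if __name__ == "__main__":
    MTU = 1000  # constructed: the "1000 ish" figure quoted in the reply
    for encap in (False, True):
        print(f"NAT-T={encap}: inner MTU {max_inner_packet(MTU, udp_encap=encap)}, "
              f"TCP MSS clamp {tcp_mss_clamp(MTU, udp_encap=encap)}")
```

If the inner MTU or MSS the calculator gives is larger than what actually passes, the link's real MTU is lower than the PPP interface claims, which is exactly the case where the SA comes up but no traffic flows.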

